SIL Methodology

Page 1 of 16
 CONTENTS

1.0 PURPOSE..............................................................................................3

2.0 SCOPE.................................................................................................3

3.0 ABBREVIATION.......................................................................................3

4.0 REFERENCES.........................................................................................3

5.0 Responsibility and authority......................................................................3

6.0 description of activities...........................................................................4

6.1 General.............................................................................................................................4
6.2 Roles and Responsibilities...............................................................................................4
6.3 SIL Team Composition....................................................................................................5
6.4 SIL Study Schedule and Pre-requisites............................................................................5
6.5 SIL Methodology.............................................................................................................6
6.5.1 Risk Graph Technique...............................................................................................6
6.5.2 Layer of Protection Analysis.....................................................................................9
6.6 SIL Target Level............................................................................................................11
6.7 SIL Assessment Report..................................................................................................12

7.0 SIL VERIFICATION..................................................................................12

8.0 FOLLOW-UP AND CLOSE-OUT...................................................................13

9.0 Records..............................................................................................13

10.0 Appendices........................................................................................13

...........................................................................................................13

APPENDIX I–RISK GRAPH PARAMETERS AND CRITERIA..........................................14

Page 2 of 16
1.0 PURPOSE

The purpose of this procedure is to describe the recommended practice for

performing Safety Integrity Level (SIL) assessment & verification studies of
identified Instrumented Protective Functions.

2.0 SCOPE

This procedure applies to the performance of SIL Studies on Oil & Gas facilities
projects. The recommended practice outlined in this procedure shall be adopted
on a project where client’s specific guidelines are not available.

3.0 ABBREVIATION

C&E Cause and Effects

E/E/PE Electrical, Electronics and Programmable Electronics
ESD Emergency Shutdown System
HSE Health Safety & Environment
IEC International Electro technical Commission
IPF Instrumented Protective Function
PCS Process Control System
PFD Probability of Failure on Demand
PEM Project Engineering Manager
PLC Programmable Logic Controller
QRA Quantitative Risk Assessment
SIL Safety Integrity Level
SIS Safety Instrumented System
SIF Safety Instrumented Function

4.0 REFERENCES

 IEC 61508, Functional safety of electrical/electronic/programmable

electronic safety-related systems

 IEC 61511, Functional Safety – safety instrumented systems for the

process industry sector

 PFD data from vendors

 Safety Equipment Reliability Handbook, by OREDA or any other handbook

for generic data.

5.0 RESPONSIBILITY AND AUTHORITY

N/A

Page 3 of 16
6.0 DESCRIPTION OF ACTIVITIES

6.1 General

Instrument and control systems play a significant role in the management of

hazards on oil and gas installations. Shutdown systems are traditionally
recognised as safety systems which contribute to reducing the likelihood and
consequences of dangers to personnel, but also limiting risks to environment, to
assets and to continued production. Therefore, instrumented protective
functions need to be reviewed through a systematic assessment process to
determine any requirement for increased reliability and/ or higher integrity and
hence reducing risks.
The main objective of the SIL study is to assess the integrity level for all
instrumented protection functions that have been provided for all process
systems, in accordance with IEC 61511.
SIL study workshop is conducted to perform a systematic review of plant process
systems to identify failures in E/E/PE safety related control systems at each
plant, which have the potential for harm to personnel (through illness and injury
or loss of life) or to the environment (temporary or permanent). A secondary
objective will be to identify where such failures have the potential to cause
significant economic loss due to production loss and/or damage to capital
equipment. The safety and environmental harm and the economic loss will
generally arise due to loss of containment, either of the product or of a
substance hazardous to health.

6.2 Roles and Responsibilities

The SIL team should consist of the following persons:

Chairman Responsible for chairing the SIL review meeting
and ensuring the process runs smoothly in
accordance with the procedure. The Chairman
shall ensure the team remain focussed and do not
deviate from the objective of the study. The
chairman shall have experience of conducting a SIL
or similar studies. The Chairman shall bring the SIL
Assessment software. The SIL Assessment and SIL
Verification report shall be prepared by the
Chairman.
Secretary Responsible for recording the discussion of the
meeting, using the worksheets. It is preferable
that the SIL Secretary has a technical background
in Instrumentation.
Lead HSE Design Engineer The Lead HSE (Design) Engineer on the project
shall to ensure that the SIL is performed to the
standards set out in this procedure. The Lead HSE
Page 4 of 16

Lead Instrument Engineer
Lead Process Engineer
Follow-up
Engineer shall ensure the administrative tasks
necessary to perform the SIL study completed
(organisation of team, distributing the documents,
Chairman Selection, selection of venue, etc).
Lead Instrument Engineer shall be responsible to
ensure completion of Project design documents
necessary prior to SIL study including vendor
documents. He shall provide Chairman the list of
tags, initiating devices, final elements and service
description for each SIF to include into the
worksheets.
Lead Process Engineer shall ensure that the P&ID’s
are updated in line with the recommendations
given in the HAZOP.
The Follow-up Coordinator shall be nominated by
Project Engineering Manager (PEM) who can make
project decisions on the conflicting requirements.
The co-ordinator shall act on behalf of the PEM to
facilitate and expedite the satisfactory close-out
of recommendations raised by the SIL study. The
overall responsibility of SIL close-out process lies
with PEM.

6.3 SIL Team Composition

Presence of following team members both from Contractor and the Operating
Company is essential during the full duration of the review:

• Process Engineer

• Control and Instrumentation Engineer

• HSE/ Safety Engineer

• Operation Representative

• Other discipline engineers( Mechanical, Civil, layout etc.) shall be

available on need basis

6.4 SIL Study Schedule and Pre-requisites

The SIL study should be scheduled after completion of HAZOP study and
incorporation of major HAZOP recommendations onto the P&IDs and Cause &
Effects Charts.
The following project specific documents (latest revisions) shall be made
available prior to the SIL workshop:

Page 5 of 16
 • Piping & Instrumentation Diagrams

• Cause and Effects Chart

• HAZOP Report

• QRA Reports

• Plot plans

6.5 SIL Methodology

The common methods used for Target Safety Integrity Level determination are:

• Risk Graph

• Layer of Protection Analysis (LOPA)

Both these methods are included in the IEC61508 and IEC61511 standard.
The risk graph is a qualitative technique, the results tend to be quite subjective
and lead to SIL levels biased on the high side. The Layers of protection analysis
technique is quantitative and more accurate and it is becoming the widely
accepted technique for SIL determination.
It is advisable to consider Risk Graph method at the FEED stage and LOPA
technique during detail design phase. Appropriate methodology should be
chosen by the Project group after considering client guidelines or advice. In the
absence of Client guideline follow LOPA methodology for Detailed Design.

6.5.1 Risk Graph Technique

The risk graph method is a qualitative approach to determine the level of

integrity required for the identified Instrumented Protective Functions (IPF) for
the project. The approach is based on the International Electro technical
Commission standard, IEC61511 [Ref. 2]
Risk graph analysis uses four parameters to make a SIL selection. These
parameters are consequence (C), occupancy (F), probability of avoiding the
hazard (P), and demand rate (W).
Consequence represents the average number of fatalities that are likely to
result from a hazard when the area is occupied, and should include the
expected size of the hazard and the receptor’s vulnerability to the hazard.
Occupancy (Exposure Time Parameter) is a measure of the amount of time that
the area that would be impacted by the incident outcome is occupied.
The probability of avoiding the hazard will depend on the methods that are
available for personnel to know that a hazard exists and also the means for
escaping from the hazard.

Page 6 of 16
The demand rate is the likelihood that the accident will occur without
considering the effect of the SIF that is being studied, but including all other
non-SIS protection layers.
A combination of consequence, likelihood, occupancy, and probability of
avoidance represents a level of unmitigated risk. Once those categories have
been determined, the risk graph is used to determine that SIL that will reduce
the risk by the appropriate amount. Figure 1 contains a typical risk graph, as
presented in IEC 61511-3. The SIL is selected by drawing a path from the
starting point on the left to the boxes at the right by following the categories
that were selected for consequence, occupancy and probability of avoidance.
The combination of those three determines the row that is selected.

Page 7 of 16
 Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)

1.1.1.1 Steps
Prior to the assessment, the risk graphs will be calibrated according to Client
Risk criteria. For each loop, the SIL is determined and recorded on worksheets
as follows.
1. Identify the loop to be examined, and record the tag and P&ID number.
2. Agree the function of the loop (i.e. what is it for?).
3. Determine the cause of demand of the loop (most commonly control
failure).
4. Identify the output actions (e.g. close specified valves).
5. Agree the consequence if the loop fails on demand. At this point no
credit is taken for other relevant risk reduction measures.
6. Having gathered the above information, use combined judgement to
agree the four parameters C, F, P and W on the safety risk graph.
7. W is the frequency of the cause of demand identified in step 3.
8. Apply the safety risk graph to determine the SIL required on safety risk
considerations.
9. Agree the economic loss parameter L and use the economic risk graph to
determine the SIL required on economic risk considerations.
10. Agree the environmental loss parameter E and use the environmental risk
graph to determine the SIL required on environmental risk
considerations.
11. Determine the SIL required for the function identified in step 2 as the
highest of the three SILs determined in steps 7, 8, and 9.
The above listed Steps are repeated for each of the IPF loops.

Page 8 of 16
 The risk graph parameters and criteria to be used for this assessment are
outlined in Appendix-I of this document.

6.5.2 Layer of Protection Analysis

LOPA is one of the techniques developed in response to a requirement within

the process industry to be able to assess the adequacy of the layers of
protection provided for an activity. Initially this was driven by industry codes of
practice or guidance and latterly by the development of international standards
such as IEC61508 [Ref 1] and IEC61511 [Ref 2].
Within the LOPA methodology the concept of the Independent Protective Layer
(IPL) is well defined and important.
“An IPL is a device, system or action which is capable of preventing a scenario
from proceeding to its undesired consequence independent of the initiating
event or the action of any other layer of protection associated with the
scenario. The effectiveness and independence of an IPL must be auditable.”
The SIL Selection is based on establishing a tolerable frequency for each
consequence resulting from an initiating event. This tolerable risk guideline
needs to be reviewed and accepted by the Company at the start of the SIL
review process.
Once the tolerable frequency for a SIF is established, all causes of the initiating
event are listed. For each cause of the initiating event, its likelihood is
established. The layers of protection and associated PFD for each cause are then
listed. The mitigated event frequency for each cause is determined. After each
cause is analyzed the total event frequency due to all causes for the initiating
event is determined. The SIL is determined by comparing the established
tolerable frequency (goal) with the total mitigated event frequency.
1.1.1.2 Steps
Following are the important steps, which shall be addressed during SIL
assessment sessions
1. Identify and list all Safety Instrumented Functions for the unit(s)
2. For each SIF identified:
• Define the worst consequence if the SIF failed to operate when a demand
occurs.

• Categorize the consequence severity and tolerable frequency based on

the Company Risk guidelines. The tolerable frequency will be selected
from the reducible frequency band as per the table

• List all causes and likelihood for the initiating event

• For each cause identify all available layers of protection and assign
failure probabilities for each layer

Page 9 of 16
 • For each cause calculate the mitigated event frequency considering all
the layers i.e. F = Fe*PA*PB*PC*PD where F is the mitigated event
frequency, Fe is non-mitigated event frequency based on the best
industrial practices and PA/PB/PC/PD are the PFD values for each
protection layer.

• Calculate the total event frequency due to all causes

• Compare the tolerable frequency goal with the total event frequency

• Assign the required SIL based on the additional risk reduction required

• Document the results of each analysis in the SIL Selection and Analysis
worksheet. Include any notes and recommendations in the worksheet.
Typical SIL Assessment worksheet format is given in Appendix II.

1.1.1.3 Independent Protection Layers (IPL)

An Independent Protection Layer is a specific category of safeguard.
Independent protection layers must meet the following criteria.
Specificity – An independent protection layer must be specifically designed to
prevent the consequences of one potentially hazardous event.
Independence – The operation of the protection layer must be completely
independent from all other protection layers, no common equipment can be
shared with other protection layers.
Dependability – The device must be able to dependably prevent the
consequence from occurring. The probability of failure of an independent
protection layer must be demonstrated to be less than 10%.
Auditability – The device should be proof tested and well maintained. These
audits of operation are necessary to ensure that the specified level of risk
reduction is being achieved.
1.1.1.4 Typical Protection Layers
While no two situations are the identical, there are a few protection layers and
mitigating events that should always be considered when performing a layer of
protection analysis in the process industries. These protection layers are shown
below:

• PCS Controls – In many cases the PCS control system is designed to

automatically move the process to a safe state under abnormal
conditions (Control loop or an On/Off loop). The criteria most used to
determine whether the PCS system could be used, as a layer of
protection is that a failure of the PCS system did not contribute in
causing the initiating event. (Maximum Risk reduction credited shall be 1
in 10).

Page 10 of 16
 Many times, independent alarm in the PCS with operator action is
provided to mitigate certain risks. In such a situation, credit for Alarm
can be given only if the alarm signal is connected to an entirely
independent initiator and I/O, other than the one carrying out the
automatic controls. This will considerably reduce any common mode
failures. (Maximum Risk reduction credited shall be 1 in 10).
For PCS to be credited with Two (2) IPLs, initiators, I/O cards and final
control elements must be independent of each other. Only the logic
solver part could be shared provided, logic solvers are redundant.
If the initiating or enabling event involves the failure of a PCS loop, then
no more than one PCS loop should normally be credited as an IPL for the
same scenario.
Maximum total risk reduction credited for PCS as an independent layer
shall be no more than 1 in 100.

• Operator Intervention – Operator intervention to manually shut down a

process when abnormal conditions are detected is a common safeguard.
In order for this safeguard to meet the level required of an independent
protection layer, the operator must always be present, be alerted to the
abnormal situation, be trained in the proper reaction to the abnormal
situation, and have ample time to consider the alarm and respond.
(Maximum Risk reduction credited shall be 1 in 10)

• Mechanical Integrity of Piping or Vessel – In many cases, piping or a

vessel will be designed to withstand the highest temperatures and
pressures generated as the result of abnormal conditions. In these cases,
the mechanical integrity of the vessel is a protection layer. (Maximum
Risk reduction credited shall be 1 in 100)

• Physical Relief Device – Physical relief devices are common safeguards

and include such devices as relief valve, rupture disks, and thermal
fusible plugs. (Maximum Risk reduction credited shall be 1 in 100)

• Ignition Probability – When a flammable material is released to the

atmosphere the probability that the release will ignite will depend on
factors such as auto-ignition temperature and source of ignition present

• Other layers to be considered – Use factor, Explosion Probability,

Occupancy and External risk reduction facilities like F& G systems, Dikes,
etc.

6.6 SIL Target Level

For each of the safety instrumented function operating in demand mode, the
required SIL shall be specified in accordance with levels as stated in table below
(Ref. 2):

Page 11 of 16
 Table 1: Probability of Failure on Demand for the SIL1, 2, 3 and 4

Target average Probability of Failure

Safety Integrity Level (SIL)
on Demand
SIL 4 10-5to< 10 –4

SIL 3 10-4 to< 10 –3

SIL 2 10-3 to< 10 –2

SIL 1 10-2to< 10 –1

6.7 SIL Assessment Report

The SIL Assessment Report shall be prepared by Chairman using the company
format and shall include the following as a minimum:

• Executive Summary

• The scope of SIL Study

• List of Participants

• The systems examined

• The results as captured in the worksheets

• Conclusions and Recommendations

7.0 SIL VERIFICATION

During EPC phase of the project, SIL verification study will be performed if it
required contractually or any specific instruction from the Company. SIL
validation is not covered under this document as it is normally carried out
during operation phase.
The outcome of the SIL assessment is followed by a SIL verification study, where
the design of the safety instrumented system (SIS) is verified. The risk reduction
performance of any given SIF depends on the equipment chosen and the
redundancy levels. The safety performance evaluation is called SIL verification
and requires reliability analysis of the equipment with a view toward a
particular failure mode titled "failure to function on demand" or "fail danger." A
piece of equipment used to implement a SIF has a certain probability that it will
not successfully protect a process if a dangerous condition (a demand) occurs.
This average "probability of failure on demand" (PFD) is calculated and
compared with the PFD average table to obtain a "design SIL." If the design SIL is

Page 12 of 16
 not greater than or equal to the target SIL, better technology or more
redundancy is required.
The first step in SIL verification is gathering failure rate data and failure mode
data for the equipment selected. Thereafter, the designer calculates PFD sub
avg using simplified equations, fault-tree analysis, or Markov analysis. There
are two fundamental challenges faced during SIL verification:

• Gathering the failure rate/mode data and

• Building a PFD sub avg model.

Failure rate data is available in a generic sense from several industry databases,
including AIChE and OREDA. Failure rate data is also available from some
manufacturers, although it is often difficult to source.

8.0 FOLLOW-UP AND CLOSE-OUT

Upon completion of the SIL assessment workshop, the Chairman will present the
findings of the study in the form of a SIL Assessment report. Recommendations
of the SIL assessment will be generally closed out by Instrumentation discipline.
It is important that Project allocate adequate resources to not only perform the
SIL study but to ensure that the recommendations raised in the SIL report are
satisfactorily closed out. The PEM shall be responsible to ensure that the
adequate resources are available for timely completion of SIL study. In general
almost all SIL actions belong to instrument group, therefore as a general
practice PEM will nominate instrument engineer to own the SIL close-out
responses. The PEM nominee shall prepare & issue the SIL Close-out report.

9.0 RECORDS

N/A

10.0 APPENDICES

Page 13 of 16
APPENDIX I–RISK GRAPH PARAMETERS AND CRITERIA

(1) - IEC 61511 Safety Parameters

Personnel Safety Risk parameter Classification Comments

Consequence (C) Average number of CA Minor injury 1. The classification

Fatalities This can be calculated by system has been
determining the average numbers developed to deal
CB
present when the area is occupied Range 0.01 to 0.1 with injury and
and multiplying by the vulnerability death to people.
to the identified hazard. CC
Range >0.1 to 1.0 2.For the
The Vulnerability will be determined interpretation of CA,
by the nature of the hazard being
CD CB, CC and CD, the
protected against. The following Range > 1.0 to 10
consequences of the
factors are proposed
accident and normal
V=0.01 Small release of flammable healing shall be
or toxic material taken into account.
V=0.1 Large release of flammable or
toxic material
V=0.5 As above but with a high
chance of igniting or highly toxic.
V=1 Rupture or explosion

Exposure probability in the FA In the hazardous 3. See comment 1

hazardous zone (F) zone. Occupancy less above.
than 0.1
This is calculated by determining
the length of time the area is
occupied during a normal working
Frequent to
period. FB
permanent exposure
NOTE - If the time in the hazardous in the hazardous
area is different depending on the zone. Occupancy
shift being operated then the more than 0.1
maximum should be selected.
NOTE - It is only appropriate to use
FA where it can be shown that the
demand rate is random and not
related o when occupancy could be
higher than normal. The latter is the
case with demands which occur at
equipment start-up

Possibility of avoiding the hazardous PA Adopted if all 4. PA should only be

event (P) if the protection system conditions in column selected if all the

Page 14 of 16
Personnel Safety Risk parameter Classification Comments

fails to operate. 4 are satisfied following are true:-

PB Adopted if all the • Facilities are
conditions are not provided to alert the
satisfied
operator that the
protection has failed
• Independent
facilities are
provided to shut
down such that the
hazard can be
avoided or which
enable all persons to
escape to a safe area
• The time between
the operator being
alerted and a
hazardous event
occurring exceeds 1
hour or is definitely
sufficient for the
necessary actions.

Demand rate of the unwanted W1 Demand rate less 5. The purpose of

occurrence (W) given no protection than 0.03 per year the W factor Is to
system. estimate the
frequency of the
To determine demand rate it is
Demand rate hazard taking place
necessary to consider all sources of W2
between 0.3 and without the addition
failure that will lead to a demand
0.03 per year of the SIS
on the protection system. In
determining the demand rate, 6. If the demand rate
limited credit can be allowed for W3 Demand rate is very high (e.g., 10
control system performance and per year) then use
between 3 and 0.3
intervention. The performance failure rate and
which can be claimed if the control per year continuous demand
system is not to be designed and method.
maintained according to IEC61508,
is limited to below the performance
ranges associated with
SIL1.

(2) - IEC 61511 Asset Loss Parameters

Page 15 of 16
Asset Loss Classification Comments
Consequence (C) CA Minor operational upset or Monetary values can be
equipment damage assigned to each
CB Moderate operational upset or consequence
CC equipment damage parameter
Major operational upset or
CD equipment damage
Damage to essential equipment,
major economic loss
Possibility of PA Adopted if all conditions in NOTE.
avoiding the column 4 are satisfied The same conditions as
hazardous event (P) PB Adopted if all the conditions are personnel safety apply
if the protection not satisfied
system fails to
operate.

(3) - IEC 61511 Environmental Parameters

Environmental Classification Comments

Consequence (C) CA A release with minor damage
that is not very severe but is
large enough to be reported to
plant management or local
authorities
CB
Moderate damage e.g. Release
within the fence with
CC significant damage
Substantial damage e.g.
Release outside the fence with
CD major damage which can be
cleaned up quickly without
significant lasting
consequences
Serious damage e.g. Release
outside the fence with major
damage which cannot be
cleaned up quickly or with
lasting consequences
Possibility of PA Adopted if all conditions in
avoiding the column 4 are satisfied
hazardous event (P) PB Adopted if all the conditions
if the protection are not satisfied
system fails to
operate.
A moderate leak from a
flange or valve Small
scale liquid spill
Small scale soil pollution
without affecting ground
water
A cloud of obnoxious
vapour travelling beyond
the unit following flange
gasket blow-out or
compressor seal failure
A vapour or aerosol
release with or without
liquid fallout that causes
temporary damage to
plants or fauna
Liquid spill into a river or
sea
A vapour or aerosol
release with or without
liquid fallout that causes
lasting damage to plants
or fauna
Solids fallout (dust,
catalyst, soot, ash) Liquid
release that could affect
groundwater
NOTE.
The same conditions as
personnel safety apply

Page 16 of 16