Beruflich Dokumente
Kultur Dokumente
Chapter 20
IEC 6 1511 - 2003 (herein referred to as '6 1511'): Functional safety - Safety
Instrumented Systems For The Process Industry Sector
The IEC standards 6 1508 and 6 15 1 1 require that SIL be assigned to the safety
instrumented functions (SIF) of the safety instrumented systems (SIS) for processes,
that have insufficient mitigation fro111 the potential hazards. According to the IEC
standards, a SIF is a "safety function with a specified SIL which is necessary to achieve
functional safety and which can be either a safety instrumented protection function or a
safety instrumented control function." A SIS is an "instrumented system that is used to
implement one or more SIFs. It is colnposed of any combination of sensors, logic
solvers, and final elements." SIS is devoted to responding to an emergency situation.
SIS consists of instrumentation for emergency shutdown and thus brings the process to
a safe state in the event of an upset. Instrumented emergency shutdown systems
including flammable gas, toxic gas and fire protection systems are SIS.
Examples include;
High high level of liquid (LPG) in a knockout drum, which initiates shutdown
of emergency sl~utdown(ESD) inlet feed valve. This protects against liquid
)DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-3
Levels of SIL
There are four levels of SIL. SIL 1 is the lowest and SIL 4 is the highest level of safety
integrity. The assignment of SIL addresses the need to provide safeguards or mitigation
matching the potential hazards of the processes including the failure of the
instrumented systems. SIL is a measure of reliability of the respective SZS.
The terms 'SIL' and 'availability' represent the integrity of the SIS when a process
demand occurs. Consider that a particular SIF is assigned a value of SIL 1, as an
example. Assigning SIL 1 to a particular SIF means that the level of risk is considered
to be sufficiently low and that the SIF with a 10% chance of failure (90% availability)
is acceptable. The availability of 90% would mean that there would be one statistical
failure of that SIF out of every 10 demands for that function. If this risk is not
acceptable, the SIL may need to be raised to a level 2 or level 3. In other words it might
be more prudent to have a SIL corresponding to one failure in 100, 1,000, 10,000, or
more demands, if it can be justified.
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-4
The general sequence of steps in a typical SIL study as per the SLC are:
Identify the SIFs using previous PHA studies (PrHA, HAZOP, Hazard Analyses,
etc.) for 6 15 1 1, or the need for SIS if S84.0 1 is to be used.
Assign target SILs to the SIFs using one of the many methods (Risk Graph,
Consequence based, Risk Matrix, Layered Risk Matrix or Layer of Protection
Analysis, LOPA - Note that LOPA is only recommended in 6 15 1 1, but not by
S84.01. See Chapter 21 "Layer of Protection Analysis" for details of the
methodology), as per 615 1 1 (S84.01 does not include LOPA as does 615 1 1 ).
Verify the performance of the SIS with reference to the established target SILs. (SIS is
only one of the protective layers. It is important to make a comprehensive assessment
of the other layers of protection, as per 6151 1, that are relevant to the SIFs for SIL
estimation).
), DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-5
.
Manage- Safety Hazard and rlsk
ment of life-cydle assessment
functional structure
safety and and
functional planning
safety
assess-
. +-__
Allocation of safety
_-
ment and
auditing functions to protection
layers Clause 9
Safety requirements
for the SIS
Clauses 10 and 12
Stage 1
r- - -
Deslgn and development
li
Design and engineering
of SIS of other means of nsk
Clauses 11 and 12 reduct~onClause 9
Stage
u Installation, commissioning
and validation
Clauses 14 and 15
Stage &
r i o n and maintenance
Clause 16
Stage+--4
Modification
Clause 17 I
Clause 5 Clause Stage
6.2
Decommissioning
Ti- 7 Clause 18
Key:
-+ Typical direction of information flow
SIS safety life-cycle phases a n d functional safety assessment stages (IEC 61511-1, 2003, p. 33)
>
DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-6
1
Identify SlFs and
relevant safety
functions from
previous PHA
studies
1 6151 I I
- -
1-
-4
IEc el
-
51 A o
ANSIIISA
S84.01? -2
-
r
{
I
-- --
k t e r - i n e need
for SIS
-1
1 ldentify other PLs
- -- - - -- . - --
-- Risk graph,
Assign SlLs consequence based,
(1 to 4) r~skmatrix, layered
risk matrix, etc.
- -- - ..-.
.
. - i
Verify Verify
performance of performance
the SIS taking all (other PLs not
relevant lPLs into considered)
account
--
As per 615 11, SIL estimation also takes into account the other layers of protection (PL) in
the process. SILs are calculated for the SIF, which may include one or more protection
layers and may be dependent or independent of one another (clearly, greater protection is
afforded by totally independent as opposed to dependent protection layers identified for a
particular SlF). Setting and meeting S1L targets can be viewed in two basic ways. If the
user decides to use only ANSIIISA 84.01 and ignore other layers of protection, then SIL
targets can only be met by upgrading SIS components, e.g. upgrading emergency shutdown
systems (ESD). However this can be a very costly business and thus the wisdom of sticking
with ANSIIISA 84.01 and ignoring the other possible protection layers (offered by IEC
6151 1) is questionable. See "Typical risk reduction methods found in process plants" in
figure below:
MITIGATION
Mechanical mitigation systems
Safety instrumented control systems
Safety instrumented mitigation systems
Operator supervision
PREVENTION
Mechanical protection system
Process alarms with operator corrective action
Safety instrumented control systems
Safety instrumented prevention systems
I I
CONTROL and MONITORING
Basic process control systems
Monitoring systems (process alarms)
Operator supervision
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-8
This method is not truly risk based as it only considers consequences. The disadvantage of
this technique is that it does not take into account likelihood, is ultra-conservative, and
limits the user, possibly prohibitively.
)
, DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-9
values are assigned throughout the study, excessive and unnecessary costs can be incurred.
This is most likely here because the simplicity of this technique allows this to happen.
The following table shows modified HAZOP-type entries, whereby the SIL values are
assigned based on risk ranking.
> DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-10
Table 20-4 Descriptions of Process Industry Risk Graph Parameters (IEC 6151 1-
3,2003, Annex D, p. 34)
Parameter Description
Consequence C Number of fatalities andlor serious injuries likely to result from
the occurrence of the hazardous event. Determined by
calculating the numbers in the exposed area when the area is
occupied taking into account the vulnerability to the hazardous
event.
Occupancy F Probability that the exposed area is occupied at the time of the
hazardous event. Determined by calculating the fraction of time
the area is occupied at the time of the hazardous event. This
should take into account the possibility of an increased likelihood
of persons being in the exposed area in order to investigate
abnormal situations, which may exist during the build-up to the
hazardous event (consider also if this changes the C parameter).
Probability of avoiding P The probability that exposed persons are able to avoid the
the hazard hazardous situation, which exists if the safety instrumented
function fails on demand. This depends on there being
independent methods of alerting the exposed persons to the
hazard prior to the hazard occurring and there being methods of
escape.
Demand rate W The number of times per year that the hazardous event would
occur in the absence of the safety instrumented function under
consideration. This can be determined by considering all
failures, which can lead to the hazardous event and estimating
the overall rate of occurrence. Other protection layers should be
included in the consideration.
), DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-11
Table 20-5 Example Calibration of General Purpose Risk Graph ( IEC 61511-3,
2003, Annex D, p. 37-38)
Risk parameter Classification Comments
Consequence (C) CA Minor injury 1. The classification system
Number of fatalities CB Range 0.01 to 0.1 has been developed to
deal with Injury and death
This can be calculated by determining the CC Range > 0.1 to 1.0 to people.
numbers of people present when the area Range, .0
CD 2. For the interpretation of
exposed to the hazard is occupied and
multiplying by the vulnerability to the identified CA,CB,CCand CD,the
hazard. consequences of the
accident and normal
The vulnerability is determined by the nature healing should be taken
of the hazard being protected against. The into account.
following factors can be used:
V = 0.01 Small release of flammable or
toxic material
V = 0.1 Large release of flammable or toxic
material
V = 0.5 As above but also a high probability
of catching fire or highly toxic material
V = I Rupture or explosion
Occupancy (F) FA Rare to more 3. See comment 1 above.
This is calculated by determining the frequent exposure
proportional length of time the area exposed in the hazardous
to the hazard is occupied during a normal zone. Occupancy
working period. less than 0.1
NOTE 1 If the time in the hazardous area is FB Frequent to
different depending on the shift being permanent
operated then the maximum should be exposure in the
selected. hazardous zone.
NOTE 2 It is only appropriate to use FA
where it can be shown that the demand rate
is random and not related to when occupancy
could be higher than normal. The latter is
usually the case with demands which occur at
equipment start-up or during the investigation
of abnormalities.
Probability of avoiding the hazardous event PA Adopted if all 4. PA should only be
(P) if the protection system fails to operate. conditions in selected if all the following
column 4 are are true:
satisfied. Facilities are provided to
PB Adopted if all the alert the operator that the
conditions are not SIS has failed;
satisfied. Independent facilities are
provided to shut down
such that the hazard can
be avoided or which
enable all persons to
escape to a safe area;
The time between the
operator being alerted and
a hazardous event
occurring exceeds 1 hour
or is definitely sufficient for
the necessary actions.
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-12
3 DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-13
Generalized arrangement
(in practical Implementations
the arrangement is specific to
the appllcatlons to be covered
by the risk graph)
Figure 20-4 Risk Graph: General Scheme (IEC 61511-3, Annex D, p. 37)
If the consequence based route (alone) is chosen as opposed to the risk based methods, it
makes mitigation options very limited as it discounts both frequency and probability of
unwanted occurrences as contributing factors. It is therefore preferable to consider using
the Risk Graph method, which is shown in Figure 20-4, above. This illustrates how the
four parameters (C, F, P, and W) generate the target SIL values in the table, as follows. As
per 6151 1, assume that no SIS exist, even though non-SIS may be in place for the process.
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-14
According to 6151 1, the required SIL values are matched with a combination of the
frequency and severity of impact of the hazardous events. See the tables and figure below.
2 DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-15
Table 20-8 Criteria for Rating the Severity of Impact of Hazardous Events (IEC
61511-3,2003, Annex C, p. 30)
Severity Rating Impact
Extensive Large-scale damage of equipment. Shutdown of a process for a long time.
Catastrophic consequence to personnel and the environment.
Serious Damage to equipment. Short shutdown of the process. Serious injury to
personnel and the environment.
Minor Minor damage to equipment. No shutdown of the process. Temporary injury to
personnel and damage to the environment.
pui
Number of SIL Required
. . . .
j Minor j Serious j j Extensive j
L-------------L--L-------------L--
I
I Hazardous Event Severity ----?
Rating I
L----,-,----------------------------------------J
Figure 20-5 Safety Layer Risk Matrix (IEC 61511-3,2003, Annex C, p. 31)
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-16
As introduced in the 615 11, the intent of safety functions is to achieve or maintain a safe
state for the specific hazardous event in a process. Only those safety functions that are
assigned to the SIS are called SIF. According to 6151 1, the BPCS, relief systems, and
other layers of protection may be defined as safety functions for SIL analysis. A SIS may
contain one or many SIFs and each is assigned a SIL. As well, a SIF may be achieved by
more than one SIS as may be accomplished using components (or systems) deemed to be
redundant. Safety functions may be performed by a non-SIS technology such as the basic
process control system (BPCS), safety valves, operator intervention, and alarms (these
alarms being independent of BPCS). However, there are limits to how much the SIL
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-17
component of the BPCS can be taken into account. The BPCS is not credited for a SIF
with a greater than SIL 1, as per 6 1511.
For an existing facility, where SIL values have not been assessed, the exercise is more
complex. Although, the "desired SILs" may be identified, the actual in situ SIL values can
only checked using reliability modeling, such as fault tree analysis (FTA) or reliability
block diagrams supported by applicable failure rate data.
It may not be mandated for an existing facility to assess SIL values as per the standards,
however, in the event of plant modifications or for the introduction of new units or
grassroots facilities SIL values almost certainly need to be assessed as per the standards. In
addition, if there is an incident (accident or near miss), which could be attributed to lack of
reliability of SIS, then the standards for assessing SILs are recommended.
SIL Verification
Compliance with ANSIIISA S84.0 1- 1996 and IEC 6 1511, requires verification of the
performance of SIS. Typically, it is practicable to study only the critical safety functions
for a SIL study as there are usually too many safety functions and only those that are
deemed important can be considered depending on the allocated resources. The
established SILs (from previous steps) are now used as measures for verification
purposes when complying with 6 1511. SIL verifications may require full quantitative
assessments (using fault tree analysis - FTA, failure rates, reliability block diagrams, etc.)
to check if the performance of the SIS exemplified by the overall ESD system indeed
meets the established target SIL values based on unit wide overall scenarios (e.g., fire,
toxic release etc.)
A simple example of one shutdown sequence consisting of detectors, logic solver, and
final elements is given below. Logic solvers are considered very highly reliable, thus
may not be a part of the failure rate calculation per se.
> DYADEM
Example:
PFD = 1 - Availability
Where:
RRF = Risk Reductio/?Factor. = I/PFD (to be tlseu' in the SIL Corr.elations table)
For Transmitters:
Hence,
Individual failure rate = 0.14 faults per year = 1.6 x faults per hour
Individual failure rate = 0.5 fiults per year (inc. solenoid) = 5.7 x 1o - faults
~ per hour
Thus, the overall failure rate calculated as follows:
)DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-19
=0.9997
PFD = 1 - Availability
= 0.0003
l/PFD =xEi2
This corresponds to a SIL 3 level (from the correlations table).
The above example is a simple illustration of the principle of SIL verification, which only
considers revealed failures, failures that can be immediately detected and repaired. In
practice, failure rate data used in SIL verification are affected by the type, size and
functionality of components being reviewed together with the corresponding failure modes.
The failure modes describe the loss of required system function(s) that result from failures.
The failure modes can be broken down into four types (Dowel1 and Green, 1998):
Hidden dangerous;
Hidden safe;
Revealed safe.
The dangerous failure modes result in loss of protection, but the revealed dangerous
failures can be immediately detected and repaired. The hidden dangerous failures can only
be revealed by a demand or a proof test. The two revealed modes usually result in a false
shutdown. A spurious trip is a trip of the ESD system that occurs without a demand.
Dowel1 and Green (1998) provide detail discussions on the concept of hidden and revealed
dangerous failures.
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-20 ,
For revealed failures, the downtime used to calculate the PFD (as illustrated in the
example) consists of the active mean time to repair plus any logistic delays. For unrevealed
failures, the downtime is related to the proof test interval plus the active mean time to
repair plus any logistic delays.
The earlier standard, 284.01, offers fewer options than the current (as of date)
61511 as (a) it does not recognize SIL 4 and (b) it does not permit/address the
contributions made by PLs.
9DYADEM
© 2003 by CRC Prcss LLC
Safety Integrity Levels (SILs) 20-21
www.inanufacturinrr.net/ctl/index.asp4?1aot=artc1e&artc1e1=CA185727&text=sil
www.manufacturina.net/ctl/index.asp?la~iceld=CA190350&text=sil
"The Complete Safety System", W.L. Mostia, Control for the Process Industries, December 4,
2000
www.controlmag.co~n~webfirst/ct.~~sf/ArticleID/RDAT-
4RPN79?0pei1Document&I lirr;hlial1t=0,Tl1e,Con1plete,Safcty,Systen1
"Ins and Outs of Partial Stroke Testing" by W.L. Mostia, Control for the Process Industries,
September 5,200 1
www.controln~an.com/web first/ct.nsf/ArticleID/PSTR-
4YOTAL?OuenDocument&Hi~hlicrl~t=0,The.Com~lete,Safetv,Svstem
9DYADEM
© 2003 by CRC Prcss LLC