2019-01-26-SIL Course-Rev. 2

This document outlines an agenda for a Safety Integrity Level (SIL) Determination Course. Participants will learn about key concepts related to functional safety and SIL, including introduction to standards like IEC 61511. The course will cover SIL determination methods like qualitative risk graphs and Layers of Protection Analysis (LOPA), as well as developing safety requirements specifications. Upon completion, participants will have an understanding of safety instrumented systems and SIL, be able to apply SIL determination methods, and appreciate the role of human factors and reliability engineering in process safety. The timing and breaks for the course will be determined. References for further information are also provided.


Safety Integrity Level (SIL)

Determination Course

January 2019 (Rev. 2)


Safety Issues (local)
• Escape routes are indicated by: ???
• Fire alarm: an intermittent tone means leave the building via the nearest exit! Go to the assembly point (parking place).
• Please do not smoke!
• Please do not use the mobile phone!


Participants introduction
• Name
• Company
• Background
• Function
• Length of service - previous postings
• What are your objectives for this course
• Any specific questions?
Timing and breaks
• To be agreed
You will learn:
1. Introduction to IEC 61511 and the Safety Lifecycle.
2. Safety Instrumented System (SIS)
3. Safety Instrumented Functions (SIF)
4. SIL Determination by Qualitative Methods (Risk Graph).
5. SIL Determination by LOPA
6. Safety Requirements Specification (SRS).
7. Risk Tolerability Criteria for SIL


Exit Criteria
Upon the successful completion of this course, participants will:
• Gain an understanding of the principles and concepts of safety instrumented systems (SIS) and safety integrity level (SIL).
• Gain a basic understanding of how to set up, use and apply the safety integrity level (SIL) risk assessment methods such as risk graphs and layers of protection analysis (LOPA).
• Appreciate the role of human error and equipment failure in accident causation.
• Gain a basic understanding about setting tolerable risk targets for SIL determination, and methods to achieve these targets.
• Gain an understanding of the concepts of Risk and Reliability Engineering.


(Course map: Overview – Fundamental Concepts – SIL Determination Methods: Qualitative, LOPA, Quantitative – Safety Requirements Specification – Final Remarks)

O&G Industry Environment
Pressures surrounding the O&G industry (diagram):
• Unplanned shutdowns
• Public perception
• Economic downturn
• Fines, lawsuits, insurability
• Increased complexity
• Aging / unskilled workforce
• Risk to personnel, assets, environment, business, etc.
Increasing ROI Drives Process Safety
Optimized process reliability
• Optimal safety integrity and availability
• Meet the specific needs of the process
Flexibility to meet project needs
• Staged implementation
• Phased maintenance/testing
Reduced engineering and complexity
• Simplify and standardize
• Reduction of over-engineered designs
• Isolation of process equipment
Easier regulatory compliance
• Simplified management of change
• Practical document management
PS & OS
Process safety and occupational safety cover different elements (diagram):
• Process safety: Mechanical Integrity, Inherently Safer Design, Facility Siting, Functional Safety, Safety Audits, Emergency Response, Risk Assessments, Management of Change.
• Occupational safety: Structural Design, Fall Prevention, Ergonomics, Work Schedules, Personal Protective Equipment, Total Recordables.
• Shared between the two: Policies & Procedures, Employee Training.
Where Does FS Fit?
(Diagram: Functional Safety highlighted as one element of process safety, alongside Mechanical Integrity, Inherently Safer Design, Facility Siting, Safety Audits, Emergency Response, Risk Assessments, Management of Change, and the shared Policies & Procedures and Employee Training.)
Key Regulatory Standards
(Timeline 1989–2003 of standards aimed at suppliers and at end users: AK ratings for logic solvers, DIN V 19250, DIN V 19251, DIN V VDE 0801, NE 31, EN 54 Part 2, NFPA 8501, NFPA 8502, ANSI/ISA S84.01, IEC 61508, IEC 61511, S84 2004.)
The earlier standards have been replaced by the IEC 61511 standard; S84 2004 and IEC 61511 are the same.
Status & Fundamentals of IEC 61511 & 61508
Status:
• Both are published and official international standards.
• Both reviewed in 2015
• Accepted by ANSI and ISA SP84.01-2003
• Regarded by authorities as best practice.
• E.g. to comply with the Seveso II directive (EC), IEC 61511 will be regarded as best practice.
• Same for OSHA directive 29 CFR 1910.119 (USA)
Fundamentals:
• Know your hazardous situations
• Evaluate the acceptability of the risks of those hazardous situations.
• Classify the required Safety Integrity of the protective measures, i.e. establish the Safety Integrity Level, SIL
• Implementation and testing to be based on SIL
• Implement and maintain a Safety Management System
• Documentation
• Auditing (assessment and verification)
• Procedures & Planning
• Control of Human Factors
What’s in the New Version of IEC 61511?
There are many changes in the new version of IEC 61511. However, we shall emphasize only one substantive change:
1. Demand mode functions are no longer separated into mitigation and preventive functions.
2. The main reason for this change is that SIFs, as they are designed in accordance with IEC 61511 and its associated approaches, are necessarily preventive.
3. Everything in the standard and associated annexes and technical reports assumes that if the SIF operates properly, then no consequence will occur.
4. Even something as fundamental as the Risk Reduction Factor is invalidated by a SIF that is not preventive.
5. Mitigation systems require a much more rigorous analysis if they are to be quantitatively designed. Simple techniques such as LOPA are useless in assessing the requirements of these types of systems.
The IEC 61511 Safety Lifecycle
The safety lifecycle is defined as an engineering process that includes all of the steps necessary to achieve required functional safety. The lifecycle addresses all necessary activities involved in the implementation of safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities are no longer available for use.

Verification ensures that at each stage of the lifecycle the correct process has been followed and the inputs/outputs are valid.

Validation (in phase 5) is the final testing of the system against the SRS, before hazards are introduced. In very general terms it can be considered as FAT (Factory Acceptance Test)/SAT.
About SIF & SIL
• Safety Instrumented Functions (SIFs) are used to reduce process risk.
• If there is no process risk, there is no need for an SIF.
• If the risk is high, the risk needs to be reduced a lot; if small, the risk is only to be reduced a ‘little’.
• The Safety Integrity Level (SIL) is a measure for the amount of risk reduction required.

Safety Integrity Level | Probability of failure on demand per year (demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100000 to 10000
SIL 3 | >=10^-4 to <10^-3 | 10000 to 1000
SIL 2 | >=10^-3 to <10^-2 | 1000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10
About Risk
Risk can be mapped on a graph (frequency vs. severity of consequences, with lines of equal risk; risk increases away from the origin).
• Risk is the frequency of an event times the severity of the consequences.
• The frequency is expressed as times per year (e.g. 0.2/yr).
• The severity of consequences is expressed in terms of consequences to people, environment and the business ($).
• For SIFs the risks are assessed for each hazardous event to be protected against, e.g. burner flame-out leads to furnace explosion. Flame-out happens about 0.2/yr; the consequence will be 5 M$ + possible casualties.
Semi-Quantified Risk Assessment
• Risk can be semi-quantified in a matrix
• This is handy for SIL assessments
(Risk matrix: frequency on one axis, consequence on the other, ranging from low risk to high risk.)
Risk Reduction Using SIFs
Preventive and mitigating SIF effects, shown on the frequency vs. consequence graph:
• Base Risk = Demand rate (F) x consequence = F x CQ1
• Preventive (normal) SIF: End Risk = F x PFDtarget x CQ1 (the frequency is reduced at the same consequence CQ1)
• Mitigating SIF (F&G): End Risk = F x PFDtarget x CQ2 (the consequence is reduced from CQ1 to CQ2)
SIL, PFD, Risk Reduction & Implementation

SIL | PFD             | Risk Reduction | Typical Implementation
a   | No requirements | No minimum     | (BPCS or alarm action)
1   | <0.1            | >10            | Trip separate from BPCS
2   | <0.01           | >100           | Trip separate from BPCS
3   | <0.001          | >1000          | Redundant trip separate from BPCS
3   | <0.001          | >1000          | Redundant/diverse trip separate from BPCS
4   | <0.0001         | >10000         | Dual redundant trip separate from BPCS
A Word of Advice
To have a SIL-rated safety loop is not a success, it’s a failure. Success is not the presence of SIL-rated loops; it is a design that is sufficiently safe in its own right not to need them.

You’ve probably never thought of it that way, but it really is true: to have an SIL-rated loop is a failure.

An SIL-3 safety loop means that the layers of safety that we as engineers have put in place in the process design are inadequate to such an extent that the risk of the fatality is 1000 times the wrong side of tolerable.

The failure, therefore, is a failure of the engineer to design a process that has sufficient layers of safety to not require an SIL-rated loop.
Fundamental Concepts
Demand & Hazardous Events
Demand: An event or a condition that requires a SIF to be activated
• To prevent an undesired event from occurring, or
• To mitigate the consequences of an undesired event.
In the O&G industry, a demand is also called a process upset or a process deviation.

Hazardous event: The first event in a sequence that, if not controlled, will lead to consequences to people, environment or assets. Hazardous events are the results of barriers not being able to stop all demands.

Note the difference between a demand and a hazardous event. A demand for a barrier can be the hazardous event generated upon failure of an earlier (in sequence) barrier.
Basic Process Control System (BPCS)
BPCS. System which responds to input signals from the process, its associated equipment, other programmable systems and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner, but which does not perform any safety instrumented functions with a claimed SIL ≥ 1.

BPCS Protective Function. Any action, initiated by instrumentation, a BPCS, equipment failure or human element response, which is intended to achieve or maintain a safe state of the process in respect to a specific hazardous event. This includes all instrumented non-"Safety Instrumented Functions" identified in LOPA.
(Diagram: workstation, controller, transmitter and control element.)
Safety Instrumented Function (SIF) & Safety Instrumented System (SIS)
Safety Instrumented Function (SIF). Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function, or in simple terms: the complete action which the SIS is designed to perform from sensing to the final control element.

Safety Instrumented System (SIS). Instrumented system used to implement one or more SIFs. An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s), arranged for the purpose of taking the process to a safe state when predetermined conditions are violated.
(Diagram: transmitter, logic solver, final element.)
BPCS & SIS Working
(Diagram of a process variable against time, with the successive layers that act on a deviation: BPCS control, then the alarm with operator response (operator alarm IPL), then the SIS emergency shutdown.)
Failure & Fault
Failure. The termination of the ability of an item to perform a required function. The failure may sometimes be:
• Manifested a certain time after the failure occurred (i.e., when the function is demanded)
• Revealed and corrected before it is manifested (i.e., when the function is tested)

Fault. The state of an item characterized by inability to perform a required function.
(Diagram: a failure is an event (f/yr) that moves the item from State 0 into the fault, State 1; the fault has a duration, shown on a time axis of T years.)

Error. Discrepancy between a computed, observed, or measured value or condition and the true, specified, or theoretically correct value or condition.

An error is present when the performance of a function deviates from the target performance (i.e., the theoretically correct performance), but still satisfies the performance requirement. An error will often, but not always, develop into a failure.
Failure Classification
Safe Failure (S).
• The item may operate without any demand
• Failure which does not have the potential to put the safety-related system in a hazardous or fail-to-function state

Dangerous Failure (D).
• The item does not operate upon a demand
• Failure which has the potential to put the safety-related system in a hazardous or fail-to-function state

Non-Critical Failure.
Failures where the main functions of the item are not affected.
Safety Availability & Safety Integrity
• Safety Availability. The probability that an item, under the combined influence of its reliability, maintainability, and the maintenance support, will be able to fulfil its required function over a stated period of time or at a given point in time (1 - PFD). In other words: Uptime/Total Time.
• Safety Integrity. Average probability of a SIS satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time.
(State diagram: State 1, SIS operating properly, plant up. If the SIS suffers an undetected (dangerous) failure the plant stays up; if it suffers a detected (safe) failure the plant goes down (State 2).)
Sources of Dangerous Failures
(Pie chart) Sensors: 44%; Final control element: 48%; Logic solver (hardware and software): 8%.
Redundancy
• Redundancy (identical or diverse)
• Common Mode Failure
• Hardware Fault Tolerance
• Voting
(Diagram: sensors voted 2oo3, logic solver 2oo3, valves 1oo2.)
From Steady State to Consequences…
Event chain (diagram): Process under control → Disturbance or initiating event → Process out of control (demand scenario) → Hazardous situation (design intent: “prevent <hazardous event>”) → SIF → Hazardous event → Consequences (consequences of failure on demand).

IEC 61511: An SIF is intended to achieve or maintain a safe state for the process, in respect of a specific hazardous event.

Find the hazardous situation and you will find the IPF. Do not define the hazardous situation as a consequence. The SIF’s intent is to prevent the hazardous event.
Demand Scenario
Describe (narrative) the initiating events and how these lead to a demand on the SIF, e.g. high liquid level leading to liquid carryover to compressor 132-K-1101, causing damage to the compressor.
(Diagram: Process under control → Disturbance or initiating event → Process out of control = demand scenario.)
Design Intent
• Describe the hazardous event to be averted, e.g. overpressure of V1234
• A hazardous event is a situation with the potential to cause harm, including ill health and injury, damage to property, products or the environment, production losses or increased liabilities.
• Be specific (“prevent liquid ingress into the compressor”)
• Design intent is not the consequences (hazardous events ≠ consequences)!
Consequences of the Hazardous Event
Describe in a narrative how the developing events will ultimately lead to the consequences, e.g. LALL-1052A/B/C fails reading high causing gas (pressure = 19 barg) blow-by to Oily Water Degassing Drum 132-C-1309 (design pressure = 3.5 barg), over-pressurizing 132-C-1309 and leading to rupture. Potential gas release, leading to fire and explosion.

Describe the potential credible consequences (realistic worst case).

If the consequences are normally nil, i.e. the potential consequence is not credible, describe the mitigation that should be taken into account, e.g. consequences will only occur if the vapor cloud ignites; ignition is only expected in fewer than 1 in 1000 cases of release.

Describe in terms of: estimated downtime (repair time), personnel safety and environmental consequences.
Initiators (Sensors)
• All sensors that detect one or more initiating events or the hazardous situation. In complex situations, describe how the hazardous situation is detected by the initiators.
• In case of multiple sensors, define the success criterion.
• Success criterion is a (Boolean) statement that defines when the sensors have successfully detected the hazardous situation or the initiating event.
• Weight factors may be needed in case of partial redundancy in initiators (see HDT example).

Furnace feed example (diagram with backflow protection, pump protection, furnace coil protection and cascaded trips; initiators LSLL, dPLL, FSLL, P-trip, BFvlv and FC; fuel gas):
Low flow – assume 60% by pump trip, 10% by backflow (not pump trip initiated), 30% by flow control failure.
Furnace low flow success criterion: 60% pump trip + 10% backflow + 30% FSLL.
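The voted architectures on the Redundancy slide and the weighted success criterion on this slide, worked through as an added example (not code from the course): the simplified average PFD of 1oo1, 1oo2, 2oo2 and 2oo3 groups with a beta-factor common-cause term, the hardware fault tolerance of each, and the demand-weighted initiator PFD for the 60/10/30 furnace split. The IEC 61508 simplified formulas, the beta-factor model, and the sample failure rate, test interval, beta and per-path PFDs are assumptions, not course figures.

```python
"""
Added example, not code from the course: simplified average PFD of the voted
(MooN) sensor and valve groups shown on the Redundancy slide, with a
beta-factor common-cause term, the hardware fault tolerance of each group,
and the demand-weighted initiator PFD for the partially redundant furnace
feed initiators on the Initiators slide. The MooN formulas are the usual
IEC 61508 simplified equations and the beta-factor model; all numbers below
are constructed sample values, not figures from the course.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One sensor or valve channel: dangerous undetected failure rate
    (failures per hour) and proof-test interval (hours)."""
    lambda_du: float
    ti_hours: float


def hardware_fault_tolerance(m: int, n: int) -> int:
    """HFT of an MooN group: dangerous channel failures the group survives
    while still performing the function (1oo1 -> 0, 1oo2 -> 1, 2oo3 -> 1)."""
    if not 1 <= m <= n:
        raise ValueError(f"{m}oo{n}: need 1 <= M <= N")
    return n - m


def pfd_avg(m: int, n: int, ch: Channel, beta: float = 0.0) -> float:
    """Average PFD of an MooN group of identical channels.

    Independent part (simplified formulas, valid while lambda_du*TI << 1):
      1oo1: x/2    1oo2: x^2/3    2oo2: x    2oo3: x^2    with x = lambda_du*TI
    Common cause (beta-factor model): a fraction beta of each channel's
    dangerous failures hits all channels at once, so it is a 1oo1 term
    (beta*lambda_du*TI/2) added on top of the independent part. With a single
    channel there is nothing to share, so beta is ignored.
    """
    hardware_fault_tolerance(m, n)  # validates M and N
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    if n == 1:
        return ch.lambda_du * ch.ti_hours / 2
    x = (1.0 - beta) * ch.lambda_du * ch.ti_hours
    independent = {(1, 2): x * x / 3, (2, 2): x, (2, 3): x * x}
    if (m, n) not in independent:
        raise ValueError(f"{m}oo{n} is outside this simplified model")
    common_cause = beta * ch.lambda_du * ch.ti_hours / 2
    return independent[(m, n)] + common_cause


def demand_weighted_pfd(paths: dict[str, tuple[float, float]]) -> float:
    """Initiator-subsystem PFD when different initiating events are detected
    by different sensors (weight factors for partial redundancy).

    paths maps a path name to (fraction of demands arriving by that path,
    PFD of the sensor group that detects it); fractions must sum to 1.
    Assumption (not stated on the slide): each demand path is detected by
    exactly one sensor group, so the probability of missing a demand is the
    demand-weighted average of the group PFDs.
    """
    total = sum(fraction for fraction, _ in paths.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"demand fractions sum to {total}, not 1")
    return sum(fraction * pfd for fraction, pfd in paths.values())


if __name__ == "__main__":
    # Constructed channel: 1e-6 dangerous undetected failures/h, yearly proof
    # test, so x = 0.00876 (1oo1 gives PFD 0.00438, i.e. the SIL 2 band).
    ch = Channel(lambda_du=1e-6, ti_hours=8760)
    for m, n in ((1, 1), (1, 2), (2, 2), (2, 3)):
        print(f"{m}oo{n}: HFT={hardware_fault_tolerance(m, n)} "
              f"PFDavg(beta=0)={pfd_avg(m, n, ch):.2e} "
              f"PFDavg(beta=0.1)={pfd_avg(m, n, ch, 0.1):.2e}")
    # Furnace low-flow split from the slide (60% pump trip, 10% backflow,
    # 30% flow control failure) with constructed PFDs per detection path.
    furnace = {"pump trip": (0.6, 0.004), "backflow": (0.1, 0.02),
               "FSLL": (0.3, 0.01)}
    print(f"furnace initiator PFD: {demand_weighted_pfd(furnace):.4f}")
```

Note how the common-cause term dominates the 1oo2 result at beta = 0.1: redundancy buys little against common mode failure unless the channels are diverse.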
Final Elements
• All final elements that are required to avert the hazardous event. Describe how and why this is done.
• In case of multiple final elements, define the success criterion.
• Success criterion is a (Boolean) statement that defines when the final elements have successfully averted the hazardous event.
• Weight factors may be needed in case of:
  • Different modes of operation require different FE’s to act.
  • Different streams contribute differently to the hazard.

Syngas reactor example (diagram): syngas (CO, H2) reactor fed with O2 and CH4; high temperature (TSHH) trips both the O2 and the CH4 supply. Not tripping O2 will burn down the reactor; not tripping CH4 will damage the downstream synthesis reactor.
Example 1 - Pump Protection
• LL fails on high liquid level. Operator closes ROV, or ROV fails closed
• Low liquid flow on pump suction
• To protect pump from low flow in suction
• Gas blow-by to downstream, possibility of leaks and gas cloud formation
• Possibility of F&E with fatalities, and possible damage to the pump.
Describe:
• Initiating event(s)?
• Demand scenario?
• Design intent?
• Hazardous event?
• Consequences?
(Diagram: vessel with LL level instrument, ROV, HZ and pump trip.)
Example 2 - Flowline Protection
• PSH1 increases ESP pressure, or PSH 2 fails on LL, or PCV fails open, or LSH fails on LL, or LCV fails open, originating high pressure on the ESP vessel.
• Overpressure on flow-line downstream the MSVs, and on the vessel
• To protect flow-line and vessel from overpressure
• Potential leaks/rupture of flow-lines, and/or vessel
• Possibility for F&E leading to fatalities.
Describe:
• Initiating event(s)?
• Demand scenario?
• Design intent?
• Hazardous event?
• Consequences?
(Diagram: MSVs (Main Stop Valves), PSH and LSH instruments, pressure ratings of 14, 15, 30 and 40 barg, line to test separator.)
(Course map: Overview – Fundamental Concepts – Hazard Modelling Principles – SIL Determination Methods: Qualitative, LOPA, Quantitative – Safety Requirements Specification – Final Remarks)

Hazard Modelling Principles
Why SIL Studies?
Accident causes by lifecycle phase (pie chart): Specification 44%; Design 15%; Changes after commissioning 20%; Operations and maintenance 15%; Commissioning 6%.
• 44% of all SIS/SIF related errors occurred during the hazards assessment/specification phase of the lifecycle.
• Many of these errors occurred because the SIF/SIS designer incorrectly considered the interactions of one SIF with the rest of the process. In essence, the activation of one SIF, whether on demand or spurious, caused unforeseen demands and hazards in other areas of the process.
Additionally, worldwide statistics indicate that 37% of all ESD loops are over-designed, 6% under-designed, and 57% correctly designed.
Framework for Process Risk Reduction
SIL Determination. The process of coming up with a SIL requirement for a SIF
• SIL allocation is an iterative process in order to optimize the design to meet the various requirements
• SIL allocation methods may be qualitative, quantitative, or semi-quantitative

EUC Risk (Process Risk). The risk of having specific hazardous events within the boundaries of the EUC, when taking into account the EUC control system, but without considering any effects of safety systems.

Necessary Risk Reduction. Risk reduction to be achieved by the SIS(s) and/or other protection layers to ensure that the tolerable risk is not exceeded.

Tolerable Risk
• Risk which is accepted in a given context based on the current values of society
• Company criteria are defined in specific standards & procedures

Residual Risk. Risk remaining after the actual risk-reduction measures have been taken

Actual Risk Reduction. The risk reduction achieved, when considering the implemented protection layers
• What should be the actual risk reduction may be determined with basis in the ALARP principle.
• The actual risk reduction may be equal to the necessary risk reduction, or slightly higher
Bridging the Gap
(Diagram: likelihood vs. consequence. Starting from the inherent risk of the process (baseline risk), non-SIS mitigating safeguards and non-SIS preventive safeguards reduce the overall risk, and SIS risk reduction (SIL 1, SIL 2, SIL 3) brings it from the unacceptable risk region through the ALARP risk region towards the negligible risk region.)
Tolerable and Acceptable Risk
(Diagram: risk scale from intolerable through tolerable to ‘broadly acceptable’, with the overall risk moved down by successive SILs.)
• SIL at least required to make the risk ‘tolerable’: the minimum solution, e.g. SIL 1
• SIL required to make the risk more ‘tolerable’: an intermediate solution, e.g. SIL 2
• SIL required to make the risk ‘acceptable’: the normal solution (if ALARP), e.g. SIL 3
SIF classification aims to reduce the risk to “broadly acceptable”.
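The necessary risk reduction and the tolerable vs. broadly acceptable targets above, carried through as an added example (not course material) using the 0.2/yr flame-out and 5 M$ consequence from the About Risk slide and the demand-mode SIL bands from the About SIF & SIL table. The tolerable (1e-4/yr) and broadly acceptable (1e-6/yr) frequencies and the non-SIS IPL PFD of 0.01 are constructed company criteria, and the multiplicative IPL credit is the standard LOPA assumption.

```python
"""
Added example, not code from the course: frequency-based SIL determination
for one hazardous event, tying the 'necessary risk reduction' definition to
the 'tolerable' and 'broadly acceptable' targets on this slide, using the
demand-mode SIL bands from the About SIF & SIL table. The 0.2/yr flame-out
demand and 5 M$ consequence are the About Risk slide's figures; the target
frequencies and the non-SIS IPL PFD are constructed company criteria.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Demand-mode bands from the slide table: SIL -> (PFD lower bound, upper bound)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass(frozen=True)
class SilResult:
    frequency_without_sif: float  # event frequency with non-SIS IPLs credited, per year
    required_rrf: float           # necessary risk reduction the SIF must provide
    target_pfd: float             # 1 / required_rrf
    sil: Optional[int]            # 0 = no SIL requirement ('a'); None = beyond SIL 4


def mitigated_frequency(demand_rate_per_yr: float, ipl_pfds: Iterable[float]) -> float:
    """Hazardous-event frequency with the non-SIS IPLs credited but no SIF.
    Standard LOPA assumption: independent layers each fail with their own PFD,
    so the demand rate is multiplied by every PFD."""
    freq = demand_rate_per_yr
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"IPL PFD {pfd} must be in (0, 1]")
        freq *= pfd
    return freq


def sil_for_target_pfd(target_pfd: float) -> Optional[int]:
    """SIL band a SIF must reach to achieve target_pfd. A target >= 0.1 is
    row 'a' (no SIL requirement); below 1e-5 no SIL covers it. A target
    exactly on a boundary (e.g. 0.01) falls in the lower band, as the
    table's '>=' lower bounds define it."""
    if target_pfd >= 0.1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= target_pfd < hi:
            return sil
    return None


def determine_sil(demand_rate_per_yr: float, ipl_pfds: Iterable[float],
                  target_freq_per_yr: float) -> SilResult:
    """Necessary risk reduction = mitigated frequency / target frequency
    (floored at 1: the target is already met), then the SIL for 1/RRF."""
    freq = mitigated_frequency(demand_rate_per_yr, ipl_pfds)
    rrf = max(1.0, freq / target_freq_per_yr)
    target_pfd = 1.0 / rrf
    return SilResult(freq, rrf, target_pfd, sil_for_target_pfd(target_pfd))


def risk_per_year(frequency_per_yr: float, consequence: float) -> float:
    """Risk = frequency x severity (About Risk slide)."""
    return frequency_per_yr * consequence


if __name__ == "__main__":
    demand, consequence_usd = 0.2, 5e6           # flame-out 0.2/yr, 5 M$
    ipls = [0.01]                                # constructed non-SIS IPL
    print(f"base risk: {risk_per_year(demand, consequence_usd):,.0f} $/yr")
    for label, target in (("tolerable", 1e-4), ("broadly acceptable", 1e-6)):
        r = determine_sil(demand, ipls, target)
        print(f"{label:<18} target {target:.0e}/yr -> RRF {r.required_rrf:.0f}, "
              f"PFD {r.target_pfd:.1e}, SIL {r.sil}")
    # Without the other IPL the broadly acceptable target needs RRF 2e5:
    # beyond SIL 4, i.e. the process design itself must change.
    print("no other IPLs:", determine_sil(demand, [], 1e-6).sil)
```

With the constructed values the tolerable target gives SIL 1 (the minimum solution) and the broadly acceptable target gives SIL 3 (the normal solution), mirroring the slide; a result of None is the case the Word of Advice slide warns about.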
Government Mandates for RTC
(Chart: risk tolerability criteria on a 10^-2 to 10^-9 scale, with bars for Australia, Hong Kong, Netherlands and United Kingdom; the bar positions are not recoverable from the text.)
The United States does not set tolerable risk levels, or offer guidelines.
O&G Industry Benchmark for RTC
(Chart: risk tolerability criteria on a 10^-2 to 10^-9 scale, with ranges for Company I, Company II, Company III and small companies; the positions are not recoverable from the text.)
• Large, multinational O&G companies tend to set levels consistent with international mandates
• Smaller companies tend to operate in wider ranges and implicitly, at higher levels of risk
Layers of Protection
Layers of Protection (“the onion”) is a concept often used in industries where risk reduction is distributed to several barriers, rather than one or very few.
• This approach indicates that protection layers are organized according to their efficiency and closeness to the source of demand.
• A similar concept to layers of protection is defense-in-depth.

Key Questions for Layers of Protection.
• How safe is safe enough?
• How many protection layers are needed?
• How much risk reduction should each layer provide?

The onion, from the outside in (diagram):
Mitigate:
• Plant and emergency response (emergency response layer)
• Containment, dike/vessel (passive protection layer)
• Fire and gas system (active protection layer)
Prevent:
• SIS emergency shutdown system (safety layer: trip level alarm, emergency shutdown)
• Operator intervention (process control layer: process alarm, operator intervention)
• BPCS (process control layer: normal behavior)
• Process value
Independent Protection Layers (IPLs)
IPL. A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

IPL Requirements.
• Is independent of other IPLs and the IE
• Functions in a way that prevents or mitigates the consequence of concern
• Has sufficient integrity to be capable of completely preventing the consequence of the scenario
• Can be relied upon to operate as intended, under stated conditions, for a specified time period.
• Can be audited to ensure that the management systems to support the IPL are in place and effective
• Is protected by access security, with controls in place to reduce the chance of impairment
• Is covered by a MOC process to review, approve, and document changes
IPLs - Time dependency

A critical aspect of functionality is that the response of the IPL be timely. It is important to confirm that the IPL can successfully complete its action and that the process can return to a safe operating condition within the Process Safety Time.

Process Safety Time (PST) can be defined as the period of time the process can be operated without protection, and with a demand present, without entering a dangerous condition.

[Figure: process variable versus time, rising past the pre-alarm setting and the trip setting until the consequence is realised; the Process Safety Time is marked on the time axis.]

49
Preventive vs. Mitigation IPLs (1)

Some layers stop a process deviation from exceeding the equipment safe operating limit. The inherently safer design, control, supervisory, preventive and mitigation layers proactively avert loss of containment or equipment damage (Figure).

A well-designed function acting to prevent the hazardous event can have a high certainty of effectiveness, as the function can be designed specifically for the purpose and the outcome can be predicted using engineering principles.

50
Preventive vs. Mitigation IPLs (2)

Functions acting to moderate the hazardous situation have more uncertainty in their outcome, because their effectiveness is impacted by the specific hazardous situation.

For example, the explosion barrier must be designed to withstand a specified degree of overpressure. Over time, how will this capability be validated?

Limitation functions principally act to reduce the severity of the hazardous situation by monitoring for unacceptable atmospheres and taking action to isolate/de-inventory and/or to evacuate nonessential personnel.

These layers are evaluated against guidelines and managed as IPLs. For example, in a LOPA, the layer would be treated as an IPL against a potentially higher consequence severity (i.e., the consequence without the layer) and assigned an appropriate PFD value.

51
Preventive vs. Mitigation IPLs (3)

Finally, a properly executed emergency response plan can reduce the harm caused by the hazardous situation by preventing escalation of the situation (Figure).

For example, putting out a fire stops the exposure to surrounding equipment and structures, preventing further damage. ERP activities have the highest uncertainty, as they act when the hazardous situation has already started causing harm. Essentially, these activities prevent a bad situation from getting worse.

52
IPLs & SIS Do Fail Sometimes……

[Figure: frequency of failure (y^-1) versus time, showing early life failures ('infant mortality'), late life failures ('ageing') and the combined curve ('the bath tub curve').]

53
….and They Fail Randomly…

Failure rate is regarded constant and random during mission time (e.g. λDU = 4E-2 per year).

[Figure: frequency of failure (y^-1) versus time: a flat line during the 'Mission time', which runs from testing & commissioning to replacement/overhaul.]
54
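As an added example (not part of the course slides), the Python code below puts numbers on the two slides above. A Weibull hazard function sketches the falling, flat and rising parts of the bath-tub curve, and the constant-rate (exponential) model of the mission-time region gives the probability of failure over time and the average probability of failure on demand across a proof-test interval, using the slide's λDU = 4E-2 per year. The exponential and Weibull formulas are standard reliability results; the proof-test intervals are constructed inputs chosen for illustration.

```python
import math


def prob_failed_by(lam_per_year, t_years):
    """Probability that a component with constant failure rate lam has failed by time t.

    A constant rate means the time to failure is exponentially distributed.
    """
    return 1.0 - math.exp(-lam_per_year * t_years)


def prob_fail_in_next(lam_per_year, t_years, dt_years):
    """Probability of failing in [t, t+dt] given survival to t.

    With a constant rate this does not depend on t (memoryless property):
    during the mission the component is "as good as new" at every instant,
    which is what "random failure" on the slide means.
    """
    survive_t = math.exp(-lam_per_year * t_years)
    survive_t_dt = math.exp(-lam_per_year * (t_years + dt_years))
    return (survive_t - survive_t_dt) / survive_t


def pfd_avg(lam_per_year, proof_test_interval_years):
    """Average probability of failure on demand over one proof-test interval T.

    Assumes the dangerous undetected failure is only revealed by the proof test
    and that the test restores the item to as-new.
    Exact form: 1 - (1 - e^(-lam*T)) / (lam*T).
    """
    x = lam_per_year * proof_test_interval_years
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_approx(lam_per_year, proof_test_interval_years):
    """Usual first-order approximation lam*T/2, valid when lam*T << 1."""
    return lam_per_year * proof_test_interval_years / 2.0


def weibull_hazard(t_years, shape, scale_years):
    """Weibull hazard (instantaneous failure rate) used to sketch the bath-tub curve.

    shape < 1: falling rate (infant mortality)
    shape == 1: constant rate (the random-failure region assumed above)
    shape > 1: rising rate (ageing)
    Call with t_years > 0.
    """
    return (shape / scale_years) * (t_years / scale_years) ** (shape - 1)


if __name__ == "__main__":
    lam = 4e-2  # lambda_DU = 4E-2 per year, the example value on the slide
    for T in (0.5, 1.0, 2.0):  # constructed proof-test intervals
        print(f"T={T} yr  PFDavg exact={pfd_avg(lam, T):.5f}  approx={pfd_avg_approx(lam, T):.5f}")
    print("P(fail in year 1)            =", round(prob_fail_in_next(lam, 0, 1), 5))
    print("P(fail in year 5 | ok at 4)  =", round(prob_fail_in_next(lam, 4, 1), 5))
```

The exact PFDavg is always slightly below λT/2, and the gap grows with λT, so the approximation is the conservative one to quote. The memoryless comparison is the check to run when someone claims an item "is due to fail" because it has been in service for a while: under the constant-rate assumption that claim has no basis, and if it holds in practice the item is already in the ageing region of the curve.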
Initiating Events (IEs)

Definition. An IE is a device failure, system failure, external event, or improper human action that begins a sequence of events leading to one or more undesired consequences of definable severity.

It is necessary to differentiate initiating events from latent causes. Initiating events are distinctly different from latent causes. In general, root or latent causes create latent weaknesses in a system. When a challenge arises or a demand is made on the system, these weaknesses give rise to an initiating event. For example:
• "Inadequate operator training" is not an initiating event, but is a potential underlying cause of an initiating event of the 'human failure' type.
• "Inadequate test and inspection" is not an initiating event, but is a potential underlying cause of an initiating event of the 'equipment failure' type.

55
Enabling Conditions
An enabling condition is a condition that makes the beginning of a scenario possible. An enabling condition
is neither a failure nor a protection layer. It consists of an operation or condition that does not directly cause
the scenario, but that must be present or active in order for the scenario to proceed to a loss event.

Note that mitigating factors, such as the probability of personnel presence or of emergency evacuation, are
conditional modifiers and not enabling conditions.

The term enabling event is sometimes used for enabling condition. The term enabling condition is preferred,
since enabling conditions are not generally events but rather conditional states.

A bypassed safety system may enable a scenario to occur because it is unavailable and will not function to
prevent a scenario if a demand is placed on it. A sufficiently low ambient temperature may enable process
or utility lines or instrumentation to freeze following failure of designed freeze protection. Extreme high
ambient temperature may affect cooling capacity or a low-humidity condition may allow static electricity
accumulation and discharge.

An enabling condition is expressed as a probability. The combination of the enabling condition probability
with the initiating event frequency must always be a frequency that represents the times per year an
abnormal situation would be encountered that could lead to a loss event.

Note that most LOPA scenarios will not have enabling conditions.

56

Conditional Modifiers
Other conditions which must be true for the scenario to fully develop:
• Probability of ignition
• Probability of occupancy
• Probability of fatality

The value assumed for any conditional modifier should be justified by analysis and the basis documented to support plant policies and procedures.

Operating modes, conditional modifiers, and IPLs are highly interrelated, so the consideration of these factors in the risk analysis should be
performed by a skilled analyst to ensure that the factors are not taken into account multiple times.

Consequence severity is often used to screen events for more rigorous frequency analysis, which usually leads to considering various factors that
influence the severity, including operating modes, IPLs, and conditional modifiers. The analyst should ensure that the estimated consequence
severity does not already take these factors into account before using them for frequency reduction. For example, if the consequence severity associated
with a release of a toxic material (H2S) considered the presence of H2S gas detection systems that prevent entry into an area, the likelihood
estimate should not also consider the system's presence.

It is also important to ensure the independence of IPLs and the conditional modifiers, as they are often interrelated. For example, a F&G detection
system may be used to initiate evacuation of personnel, thereby reducing occupancy. The risk evaluation should not use both a lower probability of
occupancy term and the fire and gas system as an IPL, as the reduced occupancy is the outcome of the successful activation of the F&G system.
Likewise, the use of classified equipment could be part of the basis for the likelihood of ignition but then cannot also be considered as a separate
protection layer.

Because of the complexity of distinguishing the IPLs from the conditional modifiers, procedures must consider how IPLs and conditional modifiers
will be treated in the risk assessments.
57
Some Questions……

• Which one of the following is an enabling condition?
  A. Safety system is bypassed
  B. Control valve fails closed
  C. Transfer pump fails on

• Is the likelihood of dependent failures lower than independent failures?

• Which one of the following is a conditional modifier?
  A. Disabled alarm
  B. Extreme temperature
  C. Possibility of ignition

• Is a process safety valve always an IPL?

• Do additional protection layers always result in less risk?

• What percentage of CSB investigations found inadequate safeguards?
  A. 10 - 20%
  B. 50 - 60%
  C. 80 - 90%

58
Some Answers (1)…..

• Which one of the following is an enabler?
  A. Safety system is bypassed
  B. Control valve fails closed
  C. Transfer pump fails on
  Answer: A) Safety system is bypassed
  An enabler is an event or condition that must be present or active for a hazard scenario to proceed. Enablers do not, by themselves, initiate a scenario. Thus, a bypassed safety system may enable a scenario to occur because it is unavailable and will not function to prevent a scenario if a demand is placed on it. Failures of control valves and pumps may be initiating events for scenarios.

• Is the likelihood of dependent failures lower than independent failures?
  Answer: No. Consider two independent failure events each with a failure probability of 0.1. The probability of both occurring is the product of their probabilities, i.e. 0.01. If they were dependent events, the probability of the first failure would be 0.1 but the probability of the second failure would be 1.0. Thus, the probability of the two dependent failures is 0.1, which is greater than the probability of the two independent failures.

• Which one of the following is a conditional modifier?
  A. Disabled alarm
  B. Extreme temperature
  C. Possibility of ignition
  Answer: C) Possibility of ignition
  Any one of these may be an enabler. However, conditional modifiers are a special type of enabler that impact the scenario consequences directly. Probabilities of conditional modifiers are used to reduce the estimated probability of the consequences. They include the probability of ignition, the probability that a person will be exposed to a hazard, and the probability of harm if exposed.
59
Some Answers (2)…..

• Is a process safety valve always an IPL?
  Answer: No. In order to be considered an IPL, a device, system or action, at a minimum, must be effective, independent and auditable. A process safety valve may or may not meet these criteria depending on the circumstances.

• Do additional protection layers always result in less risk?
  Answer: No. At a certain point, added protection layers increase the complexity of a process such that new hazard scenarios may be possible that go unrecognized. Also, the added protection layers will require more testing and maintenance, increasing the number of people exposed to the risk, thus potentially increasing risk.

• What percentage of CSB investigations found inadequate safeguards?
  A. 10 - 20%
  B. 50 - 60%
  C. 80 - 90%
  Answer: B) 50 - 60%
  For incidents investigated by CSB through 2015, 56% of the incidents involved processes that were not adequately protected by safeguards.

60
SIL Determination Principles

Commonly used methods for SIL Determination are:
1. Qualitative:
   • Hazard Matrix
   • Consequence Only
   • Risk Graph
2. Semi-Quantitative:
   • LOPA
3. Quantitative:
   • FTA
   • ETA

Semi-quantitative is used to denote that values are assigned, but they are not necessarily based on any exact measurements.

What method to select depends on a number of factors:
• Complexity of application
• Guidelines from regulatory authorities
• Experience and skills of personnel to undertake the work
• Information available about parameters of relevance to support the application of the method
• SIL-level (a high SIL requirement may indicate that it should be verified also by using another method)
• Method Type

61
SIL Determination Procedure (1)

In order to follow a sound and well planned process that ensures a successful study, the following steps shall be completed to perform the SIL Determination Study:
• Define the sequencing of the SIL Determination study and the HAZOP. In any case, the SIL Determination study shall be conducted before instrumentation and control equipment is ordered.
• The scope of the study and its limitations are to be clearly defined, including the documentation requirements, before the beginning of the study.
• The study team must be formed by knowledgeable personnel. As guidance, the team must consist of a knowledgeable and competent process engineer, instrument and control engineer, senior operations engineer and safety engineer. The team leader shall be the Functional Safety Consultant, who must comply with all the requirements set up by Company.
• The Risk Tolerability Criteria to be used for the SIL study shall be based on Company's IR criteria.
• Define the failure rate data to be used for SIL Determination Studies.

62
SIL Determination Procedure (2)

Supporting project documentation required by the team and to be available for the SIL study: P&IDs, SIF list, and Cause-and-Effect Charts. Also, Process Flow Diagrams (PFDs) which show both key control and shutdown instrumentation shall be available to assist the team in overviewing the process.

Supporting software packages should be available (if needed) and understood by the team members.

Acceptable SIL Determination Techniques and Software Packages
o Semi-quantitative Risk Graph and LOPA may be used for SIL determination at project stage, or for modification projects during the operational stage. However, the Risk Graph methodology shall be used as a first screening tool, followed by a LOPA study for those SIFs which have resulted in SIL 2 or above during the Risk Graph study. This will allow for completeness of analysis, and will also save some time and effort.
o The application of the Risk Graph Technique (if needed) shall follow the requirements established in IEC 61511-Part 3. The application of the LOPA technique, including the identification and evaluation of IPLs, shall follow the requirements established in the CCPS book mentioned in section 6.0 below.
o Those SIFs that have resulted in a SIL 3 classification after the LOPA study shall be further studied through a fully quantitative SIL assessment using consequence modeling, plus Event Tree Analysis (ETA) and Fault Tree Analysis (FTA) for frequency estimation.
o Company approved consequence modelling software packages shall be used for consequence modeling. Using this software will assist in the documentation and consistency of the SIL determination process.

63
SIL Determination Procedure (3)

A SIL 4 classification is not acceptable for Company facilities. A SIL 4 classification indicates that the design of the process is not adequate. Consequently, the design of the process and/or the mechanical design shall be reviewed and modified to reduce the residual risk reduction required of a SIF to SIL 3 or below.

Once the SIL has been determined for a particular SIF, the SRS for each SIF shall be produced and documented.

Documentation of Calculations. All assumptions and the source of data used, consequence and frequency model calculations and any information necessary to support the SIL determination process shall be documented and maintained with the project documentation as specified in attachment V of this procedure.

64
SIL Determination Procedure (3)

Kuwait Oil Company (KOC) Risk Tolerability Criteria (RTC) for Safety Integrity Level (SIL) Determination (for a single hazardous scenario)

Consequence categories from Negligible to Major, with the tolerable frequency RTC (yr^-1) for each:

Negligible (RTC 10^-2 yr^-1)
  People: No injury or damage to health
  Environment: No or slight effect/damage within a system with no permanent effect on the environment
  Assets: Slight damage and/or operational impact with costs up to KD10 K
  Reputation: No impact and no public concern

Minor (RTC 10^-3 yr^-1)
  People: Minor employee injury or damage to health not affecting work performance nor requiring treatment beyond first aid.
  Environment: Minor effect or contamination within the fence. Single exceedance of statutory or prescribed limit
  Assets: Minor damage and/or operational impact with costs up to KD100 K
  Reputation: Slight impact and no public concern. Public or media awareness may exist

Marginal (RTC 10^-4 yr^-1)
  People: Employee serious injury or health effect that can result in lost workdays (Lost Time Injury), restricted work, or irreversible health effects
  Environment: Localized effect within the plant fence with limited damage and no spontaneous recovery. Repeated exceedance of statutory or prescribed limit
  Assets: Partial damage and/or operational impact with costs up to KD1 million
  Reputation: Regional public or media attention, causing considerable impact

Critical (RTC 10^-5 yr^-1)
  People: Single employee fatality or permanent total disability
  Environment: Severe damage to be extensively restored with significant lasting consequences. Extended exceedance of statutory or prescribed limits
  Assets: Major damage and/or operational impact with costs up to KD5 million
  Reputation: National public or media attention, with potentially restrictive impact

Severe (RTC 10^-6 yr^-1)
  People: Multiple employee fatalities, and some impact on third parties
  Environment: Persistent damage extending over a large public area or in environmentally sensitive areas with significant lasting consequence with major loss. Constant, high exceedance of statutory or prescribed limits.
  Assets: Significant damage and/or operational impact with costs up to KD10 million
  Reputation: International public or media attention, with potentially severe impact

Major (RTC 10^-7 yr^-1)
  People: Multiple third party fatalities
  Environment: Catastrophic damage to pristine/virgin areas that had not been explored before
  Assets: Total loss of facility. Cost above KD10 million
  Reputation: International public and media attention with catastrophic impact

About these criteria:
o The risk tolerability criteria are given for a single hazardous scenario.
o These risk tolerability criteria are endorsed for use across KOC.
o The non-monetary severity columns (People, Environment and Reputation) are independent of any monetary relationships and are not intended to be proportionally related to the other Consequence Severity Categories.
o These risk tolerability criteria are only to be used for SIL determination and by competent personnel.

Notes:
o Damage to assets includes capital loss, business interruption, production deferment, legal liability and emergency response costs.
o In applying these criteria, select the category with the highest RTC and the consequence which applies.
o The consequence scenarios referred to in this matrix are those fully developed, e.g. VCE, fire, toxic vapor cloud, etc.

REQUIREMENTS:
o SIL 4. Redesign of the process system required.
o SIL 3. Fully quantitative SIL determination is required.

65
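Added example, not part of the course material: a small Python LOPA calculator that combines an initiating event frequency with an enabling condition, IPL PFDs and conditional modifiers, compares the result against the RTC frequencies tabulated above, and flags the double-counting cases described on the IPL and Conditional Modifiers slides (an IPL that depends on the same equipment as the initiating event, or an occupancy credit that is the outcome of an F&G system already credited as an IPL). The `basis` attribute, the scenario values and the tag names are assumptions or constructed inputs; the SIL bands are the IEC 61511 risk-reduction-factor ranges, which this slide does not restate.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Tolerable frequency (per year, single scenario) for each consequence
# category, as tabulated on the KOC RTC slide.
RTC_PER_YEAR: Dict[str, float] = {
    "Negligible": 1e-2,
    "Minor": 1e-3,
    "Marginal": 1e-4,
    "Critical": 1e-5,
    "Severe": 1e-6,
    "Major": 1e-7,
}


@dataclass
class Credit:
    """An IPL or a conditional modifier claimed in the scenario.

    `basis` (a hypothetical attribute, not from the course) names the equipment
    or system the credit depends on; it is used to detect shared dependencies.
    """
    name: str
    probability: float  # PFD for an IPL, probability for a conditional modifier
    basis: str


@dataclass
class Scenario:
    initiating_event: str
    ie_frequency: float               # per year
    ie_basis: str                     # equipment whose failure is the IE
    consequence: str                  # one of the RTC categories
    enabling_probability: float = 1.0  # 1.0 means no enabling condition
    ipls: List[Credit] = field(default_factory=list)
    modifiers: List[Credit] = field(default_factory=list)


def independence_problems(s: Scenario) -> List[str]:
    """Credits that must not be taken because they share a basis.

    An IPL has to be independent of the IE and of the other IPLs; a conditional
    modifier must not be the outcome of an IPL that is already credited
    (e.g. reduced occupancy because the F&G system evacuated the area).
    """
    problems = []
    for ipl in s.ipls:
        if ipl.basis == s.ie_basis:
            problems.append(f"IPL '{ipl.name}' depends on '{ipl.basis}', which is also the initiating event")
    seen: Dict[str, str] = {}
    for c in s.ipls + s.modifiers:
        if c.basis in seen:
            problems.append(f"'{c.name}' and '{seen[c.basis]}' both rely on '{c.basis}' (double counting)")
        else:
            seen[c.basis] = c.name
    return problems


def mitigated_frequency(s: Scenario) -> float:
    """IE frequency x enabling probability x all IPL PFDs x all conditional modifiers."""
    f = s.ie_frequency * s.enabling_probability
    for c in s.ipls + s.modifiers:
        f *= c.probability
    return f


def sil_for_rrf(rrf: float) -> int:
    """IEC 61511 risk-reduction bands: SIL 1 = 10..100, SIL 2 = 100..1000,
    SIL 3 = 1000..10000, SIL 4 = 10000 and above. Returns 0 when the gap is
    below the SIL 1 band."""
    if rrf < 10:
        return 0
    sil, bound = 1, 100.0
    while rrf >= bound and sil < 4:
        sil += 1
        bound *= 10
    return sil


def assess(s: Scenario) -> dict:
    """Compare the mitigated frequency with the RTC and derive the SIF target.

    The notes carry the procedural consequences stated on the slides:
    SIL 3 needs a fully quantitative study, SIL 4 means redesign.
    """
    notes = independence_problems(s)
    f = mitigated_frequency(s)
    rtc = RTC_PER_YEAR[s.consequence]
    rrf = f / rtc  # risk reduction still needed from the SIF
    sil = sil_for_rrf(rrf)
    if rrf <= 1:
        notes.append("tolerable without a SIF")
    if sil == 3:
        notes.append("SIL 3: fully quantitative SIL determination required")
    if sil == 4:
        notes.append("SIL 4: not acceptable, process redesign required")
    return {"frequency": f, "rtc": rtc, "rrf": rrf, "sil": sil, "notes": notes}
```

Usage: build a `Scenario` with constructed values (for instance an IE at 0.1/yr enabled by cold weather with probability 0.5, one relief valve at PFD 0.1 and an ignition probability of 0.1 against a Critical consequence) and call `assess`; the returned `rrf` is the factor the SIF must still provide. Any entry in `notes` that mentions double counting means the frequency is not valid as computed and the credit list has to be revisited first.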
SIL Determination Documentation

It is important to document the results and their underlying assumptions, including:
• Values used for parameters of the allocation method
• Drawings and revision number of all documents used
• References to failures that lead to demands
• Reference to data sources used to determine demand rates and the risk reduction suggested for protection layers

66
Qualitative Methods

67
Hazard Matrix

SIL required, by likelihood (rows) and severity (columns):

Likelihood    Minor   Serious   Extensive
High            2        3          3
Moderate        1        2          3
Low            NR        1          3
68
Consequence Only

SIL   Severity

0     People: No injury or damage to health.
      Environment: No impact
      Assets: No damage, only operational upset. Cost less than $100.000

1     People: Employee injury or damage to health.
      Environment: Minor and inside the fence.
      Assets: Minor damage. Cost less than $1 million

2     People: Employee fatality.
      Environment: Localized effect affecting neighborhood.
      Assets: Partial shutdown. Cost up to $25 million

3     People: Employee multiple fatalities and some impact on third parties.
      Environment: Severe damage to environment to be extensively restored by Company.
      Assets: Partial operation loss. Costs up to $500.000.000

4     People: Employee and third parties fatalities.
      Environment: Contamination over a public large area. Major economic loss to Company.
      Assets: Significant or total loss of facility. Costs above $500.000.000

69
Risk Graph

Some key "words" about risk graph:
• Qualitative or semi-quantitative method
• First introduced in the German standard DIN V 19250
• An extension of risk matrix that addresses occupancy and ability to escape
• Initially used for machinery (and it is sometimes argued that this is the most suitable application)
• The approach has been adopted by the process industry, through standards like IEC 61508 and IEC 61511.
• The risk graph has a kind of graph layout.
• X1, ..., X6 are referred to as risk graph entry points, and the other parameters are explained on the following slides

[Figure: the risk graph. From the starting point, the consequence parameter C, the exposure time parameter F and the avoidance parameter P lead to an entry point X1..X6; the demand rate column W then gives the result. The layout is the example risk graph of IEC 61508 / IEC 61511, reproduced here as a table:]

Path (C, F, P)                                          Entry   W3   W2   W1
CA (any F, any P)                                       X1      a    ---  ---
CB,FA,PA                                                X2      1    a    ---
CB,FA,PB / CB,FB,PA / CC,FA,PA                          X3      2    1    a
CB,FB,PB / CC,FA,PB / CC,FB,PA / CD,FA,PA               X4      3    2    1
CC,FB,PB / CD,FA,PB / CD,FB,PA                          X5      4    3    2
CD,FB,PB                                                X6      b    4    3

C = Consequence parameter
F = Exposure time parameter
P = Possibility of failing to avoid hazard
W = Demand rate assuming no protection
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PS is not sufficient
1,2,3,4 = Safety Integrity Level
70
Risk Graph

The following is a brief description of the Risk Graph parameters:

1. Starting point: The hazardous event that, if not handled, may develop into an accident. Corresponds to what we have introduced as a demand, e.g. a type of demand that requires a response by a SIF.

2. Consequence (C): Consequence of the hazardous event. Four categories, CA being the least severe and CD the most severe. Typically, CA is minor injury, CB has the range 0.01 to 0.1 fatalities, CC has the range 0.1 to 1 fatalities, and CD is greater than 1 fatality. Note these numbers come from the number of persons exposed to the hazard multiplied by the vulnerability (i.e. likelihood of being killed if exposed).

3. Frequency (F): Frequency and exposure time risk. Two categories, FA which denotes rare to more often exposure in the hazardous zone, and FB which denotes frequent to permanent exposure in this zone. Typically, FA is less than 10% of the time, and FB more than 10%.

4. Possibility (P): Possibility of avoiding the hazardous event. Two categories: PA denotes that avoidance is possible under certain (given) conditions, and PB denotes that it is almost impossible. Select PA if there are provisions for alerting the personnel, for avoiding the hazard, and for shutting down (thereby giving personnel in the area more time and chance to escape), and there is sufficient time to act (i.e. evacuate) before the situation escalates. Select PB if the criteria for PA are not fulfilled. PA may be set to a value, e.g. 30%.

5. Frequency of hazardous event (W): Frequency of the hazardous event (W), or demand rate. Three categories: W1 denotes a very slight probability of occurrence, W2 a probable occurrence, and W3 a high probability of occurrence. W1 is less than 0.1D per year, where D is a calibration parameter (D=1); W2 is between 0.1D per year and 1D per year; and W3 is from 1D to 10D per year.
71
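Added example, not from the course: a Python implementation of the risk graph on the previous two slides. It classifies numeric inputs into the C, F, P and W parameters using the bands given on this slide (with the calibration parameter D = 1 by default) and reads the entry point and result from the table. The mapping from (C, F, P) to entry points follows the IEC 61508 / IEC 61511 example graph as drawn on the slide; the numeric cut-off between CA and CB (the slide only says "minor injury" for CA), the rejection of demand rates above 10D, and the sample inputs in the usage are my assumptions.

```python
# Entry point X1..X6 reached by the C -> F -> P path drawn on the slide.
# CA goes straight to X1 whatever the exposure and avoidance parameters.
ENTRY_POINT = {
    ("CB", "FA", "PA"): "X2", ("CB", "FA", "PB"): "X3",
    ("CB", "FB", "PA"): "X3", ("CB", "FB", "PB"): "X4",
    ("CC", "FA", "PA"): "X3", ("CC", "FA", "PB"): "X4",
    ("CC", "FB", "PA"): "X4", ("CC", "FB", "PB"): "X5",
    ("CD", "FA", "PA"): "X4", ("CD", "FA", "PB"): "X5",
    ("CD", "FB", "PA"): "X5", ("CD", "FB", "PB"): "X6",
}

# Result per entry point for the demand-rate columns (W3, W2, W1), as on the slide:
# '---' no safety requirements, 'a' no special safety requirements,
# 'b' a single E/E/PE safety-related system is not sufficient, '1'..'4' = SIL.
RESULT = {
    "X1": ("a", "---", "---"),
    "X2": ("1", "a", "---"),
    "X3": ("2", "1", "a"),
    "X4": ("3", "2", "1"),
    "X5": ("4", "3", "2"),
    "X6": ("b", "4", "3"),
}
W_COLUMN = {"W3": 0, "W2": 1, "W1": 2}


def risk_graph(c, f, p, w):
    """Read the graph for consequence c, exposure f, avoidance p and demand rate w."""
    entry = "X1" if c == "CA" else ENTRY_POINT[(c, f, p)]
    return RESULT[entry][W_COLUMN[w]]


def consequence_class(persons_exposed, vulnerability):
    """C from expected fatalities = persons exposed x likelihood of being killed if exposed.

    Bands from the slide: CB 0.01-0.1, CC 0.1-1, CD > 1. Taking anything below 0.01
    as CA (minor injury) is an assumption, not a value given on the slide.
    """
    expected = persons_exposed * vulnerability
    if expected < 0.01:
        return "CA"
    if expected < 0.1:
        return "CB"
    if expected <= 1.0:
        return "CC"
    return "CD"


def exposure_class(occupancy_fraction):
    """FA when personnel are in the hazardous zone less than 10% of the time, FB otherwise."""
    return "FA" if occupancy_fraction < 0.10 else "FB"


def demand_class(demand_rate_per_year, d=1.0):
    """W1 < 0.1D, W2 0.1D..1D, W3 1D..10D, with D the calibration parameter (D = 1 on the slide).

    A demand rate above 10D lies outside the graph; refusing it (rather than
    silently returning W3) is an assumption made here so the gap is visible.
    """
    if demand_rate_per_year < 0.1 * d:
        return "W1"
    if demand_rate_per_year < 1.0 * d:
        return "W2"
    if demand_rate_per_year <= 10.0 * d:
        return "W3"
    raise ValueError("demand rate above 10D: outside the risk graph, use another method")


def determine(persons_exposed, vulnerability, occupancy_fraction, avoidable, demand_rate_per_year, d=1.0):
    """Full pass: classify the inputs, then read the graph.

    `avoidable` is True only when all the PA criteria on the slide hold.
    Returns (C, F, P, W, result).
    """
    c = consequence_class(persons_exposed, vulnerability)
    f = exposure_class(occupancy_fraction)
    p = "PA" if avoidable else "PB"
    w = demand_class(demand_rate_per_year, d)
    return (c, f, p, w, risk_graph(c, f, p, w))


if __name__ == "__main__":
    # Constructed inputs, not the course's worked example:
    # 2 persons exposed, vulnerability 0.1, in the zone 30% of the time,
    # avoidance not credible, one demand every two years.
    print(determine(2, 0.1, 0.3, False, 0.5))
```

A result of "b" is the signal to stop: the graph is saying one E/E/PE safety-related system cannot carry the required risk reduction, which in the procedure on the earlier slides maps onto the SIL 4 case where the process design itself has to change. Calibrating the graph (next slide) is a matter of replacing the band edges in `consequence_class`, `exposure_class` and `demand_class`, not the table.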
Risk Graph Calibration

Calibration means adapting the risk graph to a given set of risk tolerability criteria.

Why? Because using the "default" setup of the risk graph does not necessarily give the correct SIL requirements.
• The underlying assumption of the default set-up is that a consequence of CA is tolerated at < 1E-03/yr, CB at < 1E-04/yr, etc.
• In fact, this is sometimes the biggest criticism against the use of the risk graph (that it is used as shown in the standard without considering that this is just an example of how it may look).
• So how do you align the risk graph with your acceptance criteria? In this case you need to calibrate the risk graph to suit your criteria.
• Identify the tolerable risk for each of the consequence categories, and redefine the values for C, F, P & W.
72
Calibrated Risk Graph

Consequence   Description
CA            • People: Employee injury or damage to health.
              • Environment: Minor and inside the fence.
              • Assets: Minor damage. Cost less than $1 million
CB            • People: Employee fatality.
              • Environment: Localized effect affecting neighborhood.
              • Assets: Partial shutdown. Cost up to $25 million
CC            • People: Employee multiple fatalities and some impact on third parties.
              • Environment: Severe damage to environment to be extensively restored by Company.
              • Assets: Partial operation loss. Costs up to $500.000.000
CD            • People: Employees and third parties multiple fatalities.
              • Environment: Contamination over a public large area. Major economic loss to Company.
              • Assets: Significant or total loss of facility. Costs above $500.000.000

Frequency of Exposure   Classification
FA                      Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%
FB                      Frequent to permanent exposure in the hazardous zone.

Possibility of Avoiding   Comments
PA                        PA should be selected if all the following are true:
                          o Facilities are provided to alert the operator that the SIS has failed.
                          o Independent facilities are provided to shutdown such that the hazard can be avoided or which enable all persons to escape to a safe area.
                          o The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Freq. Haz. Event   Frequency (yr^-1)        Description
W1                 < 1 x 10^-6              Very Low. Never heard of in industry.
W2                 1 x 10^-3 to 1 x 10^-6   Medium. Incident has occurred in Company.
W3                 > 1 x 10^-3              High. Happens several times per year in Company.

73
Risk Graph Example

[Figure: simplified schematic of the fired heater, with the tags PS-21, UC-21, XV-21 and XV-22.]

Consider the simplified schematic of the fired heater depicted in the figure, which was operating in a stable fashion for a significant period of time, when a cold spell occurred in the area, dropping the ambient temperature below the freezing point for a significant period of time. During this time period the insulation bag fell off the flow transmitter (via differential pressure) taps, which proceeded to freeze, locking in the pressure at the transmitter diaphragm and effectively isolating it from the process. Soon after, the operational situation of the plant called for a decrease in production rates through the unit, resulting in the flowrate set point being decreased. Since the set point was lowered below the measured variable (which was now frozen in place) the controller took action to close off the flow control valve in an attempt to decrease the flow. Since the taps of the flow transmitter were frozen, closure of the valves did not change the measurement that the controller received, causing the controller to "wind up" and set the controller output (and valve position) to zero, completely stopping flow through the heater passes.

The plant designers foresaw that loss of flow was a dangerous condition and implemented a low flow shutdown which is intended to stop fuel gas to the heater upon detection of low flow. Unfortunately, the same flow transmitter was implemented in this design to take the SIS action. Since the SIS input "appeared" normal, no safety action was taken. Loss of flow through the heater tubes resulted in the tubes overheating beyond the limits of their mechanical integrity. The tubes subsequently ruptured, causing release of the flammable hydrocarbons on the process side to be dumped into the firebox.

There are normally around 5 people working in the vicinity of the heater.

This same incident has happened in the past, but while there was significant damage to the heater and appurtenances (>$10 Million) and a loss of production, luckily there were no injuries.

Perform the SIL determination of this loop using the Risk Graph

74
Risk Graph Example

Describe:
• Initiating Event(s)? FT-101 gets frozen, and isolated from the process. FIC-101 closes FIV-101.
• Demand Scenario? No HC flow and overheating of heater tubes.
• Design Intent? Stop fuel gas to the heater upon detection of low HC flow, and protect the tubes against overheating.
• Hazardous Event? Tube rupture by overheating, and massive HC LOC.
• Consequences? F&E with fatalities and loss of the heater.

Perform the SIL determination of this loop using the Risk Graph
75
Risk Graph Example

(The calibrated risk graph parameter tables of slide 73 are repeated here for the exercise: consequence classes CA..CD, exposure classes FA/FB, possibility of avoiding PA/PB, with PB selected when the PA criteria are not all met, and demand-rate classes W1..W3.)

Risk Graph Example Solution

Risk graph: starting from the consequence, select C, then F, then P to reach a node X; read the SIL from the demand rate column.

  CA                                                  -> X1
  CB, FA, PA                                          -> X2
  CB, FA, PB / CB, FB, PA / CC, FA, PA                -> X3
  CB, FB, PB / CC, FA, PB / CC, FB, PA / CD, FA, PA   -> X4
  CC, FB, PB / CD, FA, PB / CD, FB, PA                -> X5
  CD, FB, PB                                          -> X6

  Node   W3   W2   W1
  X1     a    ---  ---
  X2     1    a    ---
  X3     2    1    a
  X4     3    2    1
  X5     4    3    2
  X6     b    4    3

C = Consequence parameter
F = Exposure time parameter
P = Possibility of failing to avoid hazard
W = Demand rate assuming no protection
1,2,3,4 = Safety Integrity Level
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PS is not sufficient


Risk Graph Example Solution

Worksheet columns (to be completed for the heater loop):

Item | SIF Id. | C&E Diagram | P&ID | SIF Description | Initiating Event | Hazardous Event Description | Safety: C, F, P, W, SIL | Environment: C, P, W, SIL | Assets: C, P, W, SIL | FINAL SIL | Remarks

LOPA


Protection Layer Concept

Layer of Protection Analysis (LOPA): approach that lists and quantifies the joint effects of existing independent protection layers, and that identifies the necessary risk reduction of additional SIFs, if needed.

 Approach developed by CCPS and later adopted by IEC 61508 and IEC 61511
 Builds on the results from a hazards and operability study (HAZOP)
 Applicable to determine SIL requirements of low-demand systems
 A semi-quantitative approach.

Why LOPA?

LOPA addresses the following issues:

 Have I defined my risk tolerability criteria or target?
 Does my system ensure my criteria are met?
 Do I need a Safety Instrumented System?
 Are there Alternatives?
 What is the required risk reduction to be achieved by each SIF?
 What other layers of protection may be taken into account?
 Global Consistency & Industry Standards
 Internal Requirements for risk management
 Competent Authority/Regulator Requirements

(Figure: concept of closing the Protection Gap.)



Uses of LOPA

 MOC
 Mechanical integrity programs or risk-based inspection/risk-based maintenance
 Risk-based operator training
 SCE identification (together with QRA)
 Determining a credible design basis for overpressure protection
 Evaluating the need for emergency isolation valves
 Evaluating the removal of a safety system from service
 Incident investigations
 Determining SIL for SIF.


How LOPA Works (1)

Step 0: Identify/Define all the SIFs to be analyzed. The purpose of SIF definition is to create a list of all the functions that need to be analyzed in the remaining steps of the Safety Lifecycle including SIL selection, Safety Requirement Specification, Functional Test Procedure development, and so on. The result of SIF definition is a Safety Instrumented Function List, or SIF list.

Step 1: Identify a scenario and its potential consequence. Identify the Target Risk for that scenario.

Express the risk target quantitatively, but remember that many risks exist (total risk is the sum).

How LOPA Works (2)-The SIF List


The following steps shall be completed to produce the SIF list:
1. Collect all the design information required for SIF identification. This includes but is not limited to: PHA report, Cause
and Effect Diagrams (C&ED), and Piping and Instrumentation Diagrams (P&ID)
2. Identify each SIF on a hazard-by-hazard basis, i.e. each hazard must be assigned a SIF
3. For each SIF, provide a description of the intention of the function and the action that is required to move the process to
a safe state
4. List all the safety critical inputs, specifically all the sensors that can detect the hazard being prevented.
5. List all the safety critical outputs, i.e. list all the outputs that are necessary and sufficient to move the process to a safe
state
6. List the location of the SIF, designating the logic solver that is utilized to implement the SIF.
7. List the voting arrangements of the equipment necessary to prevent the concerned hazard.
8. Document the SIF. As per previous steps, the SIF list shall document/define each SIF including the following:
 Tag names for input devices
 Description of SIF intention
 Input voting
 Tag names for output devices
 Output voting
 Location of SIF logic
 Interlock numbers, P&ID drawing numbers, C&E identification.


How LOPA Works (3)

Step 2: Select an accident scenario. LOPA is applied to one scenario at a time, which describes a single cause–consequence pair.

Step 3: Identify the initiating event of the scenario and determine the initiating event frequency (events per year).

Step 4: Identify the IPLs and estimate the probability of failure on demand of each IPL.

Step 5: Estimate the risk of the scenario by mathematically combining the consequence, initiating event, and IPL data.

(Figure: event tree for one scenario. The initiating event occurs with frequency X; each IPL 1 ... IPL n either works, leading to the safe/tolerable outcome, or fails with probability Yi, its probability of failure on demand (PFD), leading to the unsafe outcome.)


How LOPA Works (4)


Step 5: Estimate the risk of the scenario by mathematically combining the consequence, initiating event, and IPL data.

As indicated in the CCPS LOPA book, chapter 7, under the heading "Summing Up Frequencies For Multiple Scenarios":

"Some companies sum the frequencies of all the scenarios that give the same consequence (see Section 11.3). Note: many companies do not
sum the individual scenario frequencies for the same consequence, but rather choose the highest scenario frequency for that consequence (high
risk initiating event–consequence pair). The company’s LOPA rules should specify which approach to take; the approach must be consistent with
company’s risk tolerance criteria".

And it finally notes:

"CALCULATE EACH SCENARIO INDIVIDUALLY

An analyst may attempt to combine several initiating events that lead to the same consequence in one calculation step. This calculation assumes
that the IPLs apply to each of the initiating events. Such a practice is not LOPA. The authors strongly recommend that each scenario (initiating
event–consequence pair) be evaluated separately with its respective IPLs".


How LOPA Works (5)

• How do we determine the initiating events? HAZOP.
• How do we determine the frequency of the initiating event, X? Company, industry experience.
• How do we determine the probability that each IPL will function successfully? Company, industry experience.
• How do we determine the target level for the system? Depends on consequence. Derive from RTC for IRPA.


How LOPA Works (6)

Step 6: Evaluate the risk to reach a decision concerning the scenario.

The LOPA is performed using a table for data entry, with the following columns:

1. # / Initial Event Description
2. Initiating cause
3. Cause likelihood
4. Protection layers: Process design
5. Protection layers: BPCS
6. Protection layers: Alarm
7. Protection layers: SIS
8. Protection layers: Additional mitigation (safety valves, dykes, restricted access, etc.)
9. Mitigated event likelihood
10. Notes

Likelihood = X
Probability of failure on demand = Yi
Mitigated likelihood = (X)(Y1)(Y2) ... (Yn)



How LOPA Works (7)

Step 7: Completely document scenario, Initiating Event, Conditional Modifiers, IPLs. Justify and address uncertainties and sensitivities. Document the SIS requirements AND the requirements for the other Safety Related Protection

LOPA worksheet columns:

 Description of the consequences of the hazardous event
 Severity Level
 Initiating Event (IE)
 Frequency of the IE (yr-1)
 Conditional Modifiers: Ignition, Occupancy, Fatality (Probability)
 General Process Design Spec: Pressure rating for vessel/piping, etc. (Probability)
 BPCS: etc. (Probability)
 Alarms, etc. (Probability)
 Passive Protective System: Fireproofing, Dykes, etc. (Probability)
 Active Protective Systems: PSV, F&G, BD, etc. (Probability)
 Administrative Protective Systems: Access Control, PPE, etc. (Probability)
 Estimated Risk (yr-1)
 Risk Tolerance Criteria (yr-1)
 PFD
 SIL


QRA & LOPA

 QRA, if done properly, should provide 'higher quality' input data, and it should be routinely required for LOPA.
 Use the consequence analysis results to determine the LOPA hazardous scenario consequence.
 Use the frequency analysis results to determine the LOPA hazardous scenario initiating causes frequency and risk reduction factor provided by other IPLs.


LOPA Exercise 1 (Flash drum for "rough" component separation)

Data is as follows:
 FC-1 Loop fails 1/yr.
 The Pressure Control PC-1 fails 3/yr.
 The Level Control LC-1 fails 1/yr.
 Pump fails 0.1/yr.
 Ignition probability is 0.1
 The area is occupied by 4 people 10% of the time
 The Alarm Probability of failure is: 0.1
 The Operator can handle 9 out of 10 situations
 RTC is as established in table below

(Figure: flash drum P&ID with tags TC-6 and PC-1 (split range, cascade), PAH, FC-1, LC-1, LAL, LAH, AC-1, T1, T2, T3, T5, F2, F3; feed components methane, ethane (LK), propane, butane, pentane; vapor product, liquid product, process fluid and steam streams.)


LOPA Exercise 1

Describe:

• Initiating Event(s)? FC-1 fails in low, or FCV fails open, or LC-1 fails in high, or LCV fails closed, or PC-1 fails low, or PCV fails closed, or pump stops.
• Demand Scenario? High liquid level and vessel over-pressurization.
• Design Intent? Protect vessel against high liquid level and over-pressurization.
• Hazardous Event? Leaks, possible vessel rupture, and LOC.
• Consequences? Possible F&E within the process area, leading to fatalities and asset loss.

Perform SIL Determination for vessel overpressure.

LOPA Exercise 1-Solution

Severity level: Safety. Risk tolerance criteria (RTC): 1.00E-06 yr-1. Columns as in the LOPA worksheet; layers marked "Comment" in the original carry no credit (probability 1.00).

Initiating event   | IE freq. (yr-1) | Occupancy & Ignition | Process design, BPCS, Alarms, Passive, Active | Operator intervention | Estimated risk (yr-1) | RTC (yr-1) | Required PFD
FC-1 fails open    | 1.00E+00        | 0.01                 | 1.00 each                                     | 0.10                  | 1.00E-03              | 1.00E-06   | 1.00E-03
PC-1 fails on low  | 3.00E+00        | 0.01                 | 1.00 each                                     | 0.10                  | 3.00E-03              | 1.00E-06   | 3.33E-04
LC-1 fails on low  | 1.00E+00        | 0.01                 | 1.00 each                                     | 0.10                  | 1.00E-03              | 1.00E-06   | 1.00E-03
Pump stops         | 1.00E-01        | 0.01                 | 1.00 each                                     | 0.10                  | 1.00E-04              | 1.00E-06   | 1.00E-02

Overall: required PFD 3.33E-04 (governed by the highest-frequency scenario, PC-1 fails on low), SIL 3.


LOPA Exercise 1-Solution


Some observations about the design.
 The vessel pressure controller uses only one sensor; when it fails, the pressure is
not controlled.

 The same sensor is used for control and alarming. Therefore, the alarm provides
no additional protection for this initiating cause.

 No safety valve is provided (which is a serious design flaw).

 No SIS is provided for the system.



LOPA Exercise 2

So, now we have added a PAH and a PSV as recommended by the previous SIL. Perform the SIL Determination for vessel overpressure considering the following data:
 FC-1 Loop fails 1/yr.
 The Pressure Control fails 3/yr.
 The Level Control fails 1/yr.
 Pump fails 0.1/yr.
 Ignition probability is 0.1
 The area is occupied 10% of the time
 The Alarm Probability of failure is: 0.1
 The Operator can handle 9 out of 10 situations
 The Relief Valve Probability of failure is: 0.01
 RTC is as established in table below

(Figure: the flash drum P&ID of Exercise 1 with the added PAH and PSV (tag P-2 also shown); other tags as before: TC-6 and PC-1 (split range, cascade), FC-1, LC-1, LAL, LAH, AC-1, T1, T2, T3, T5, F2, F3; feed components methane, ethane (LK), propane, butane, pentane.)

LOPA Exercise 2-Solution

Risk tolerance criteria (RTC): 1.00E-06 yr-1. Columns as in the LOPA worksheet; layers marked "Comment" in the original carry no credit (probability 1.00).

Initiating event   | IE freq. (yr-1) | Occupancy & Ignition | Process design, BPCS | PAH & Operator intervention | Passive | PSV  | Administrative | Estimated risk (yr-1) | RTC (yr-1) | Required PFD
FC-1 fails open    | 0.5             | 0.01                 | 1.00                 | 0.20                        | 1.00    | 0.01 | 1.00           | 2.00E-05              | 1.00E-06   | 5.00E-02
PC-1 fails on low  | 1.5             | 0.01                 | 1.00                 | 0.20                        | 1.00    | 0.01 | 1.00           | 2.00E-05              | 1.00E-06   | 5.00E-02
LC-1 fails on low  | 0.5             | 0.01                 | 1.00                 | 0.20                        | 1.00    | 0.01 | 1.00           | 2.00E-05              | 1.00E-06   | 5.00E-02
Pump stops         | 1.00E-01        | 0.01                 | 1.00                 | 0.20                        | 1.00    | 0.01 | 1.00           | 2.00E-06              | 1.00E-06   | 5.00E-01

Overall: required PFD 5.00E-02, SIL 1.


Basic Rules for IEs

 Process control software should not be an initiating event. Testing and simulation must be in place to eliminate it as a source. Management of Change must be robust enough to avoid corrupting the operating program.
 An IPL cannot be the initiating event. The only exceptions are failed elements of BPCS and Alarms – if they can create the scenario.
 IEs are single events, but may be modified by the probability of a Conditional Modifier occurring (e.g., an ignition occurring).

(Figure: process under control -> disturbance or initiating event -> process out of control -> hazardous situation -> SIF -> hazardous event -> consequences; the consequences of failure on demand.)


Basic Rules for BPCS & Alarms

 If a BPCS (whole loop) is an Initiating Event, no credit is taken for the BPCS or Alarm IPL unless they are completely separate systems.
 If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL only.
 The Alarm IPL requires a formally recorded and auditable operator action to prevent the scenario.
 Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence.
 Maximum of only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
 If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 15 minutes to respond. May be able to take credit if this is a recognized case in the Emergency Response plan.
 If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
 If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function (most commonly a control valve).
 If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.

(Figure: BPCS loop made up of workstation, controller, transmitter and control element.)

Basic Rules for PRDs

 The Pressure Relief Device either protects or it doesn't. Partial credit is not allowed.
 If the Pressure Relief Device discharges to the atmosphere creating a 2nd hazard (to people, the environment or equipment), no credit is allowed. If the release to the atmosphere has an acceptable risk, credit may be taken.
 If the Pressure Relief Device discharges to a flare, tank, or scrubber, credit is taken.
 This is not a tool for deciding "No Overpressure Protection Device Needed".


Basic Rules for SIS

1. SIS entries are considered last and then only if necessary to close the protection gap.
2. A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
3. The required SIL of the SIS is the value which closes the Protection Gap.
4. A SIL value equal or greater than 3 should not be allowed. This would indicate that there is something wrong with the process design. For a SIL 3 situation, a process review together with an additional fully quantitative SIL assessment should be performed, and additional non-SIS IPLs should be incorporated as required. SIL 4 should not be allowed under any circumstances.
5. A zero or negative value in the Protection Gap column indicates a SIS is not needed.
6. A SIS with a SIL of 2 or 3 can be replaced with a combination of lower SIL provided they are independent from each other. SIL 1 + SIL 1 = SIL 2 ; SIL 1 + SIL 2 = SIL 3
7. Two (2) SIS IPLs used in the same case require separate sensors, logic solver and final element. Independent paths through the same SIS logic solver must be used.

(Figure: SIS architecture example with 2oo3 sensors, 2oo3 logic solver and 1oo2 valves.)
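The LOPA arithmetic of How LOPA Works (6) (mitigated likelihood = (X)(Y1)(Y2)...(Yn)), the BPCS/alarm no-credit rule and the SIS rules above, applied to the Exercise 2 data, as an added Python example that is not part of the course material. It assumes the Exercise 2 figures (IE frequencies 1, 3, 1 and 0.1 per year; ignition 0.1; occupancy 0.1; alarm PFD 0.1; operator 9 out of 10; PSV 0.01; RTC 1e-6/yr), a constructed transmitter tag PT-PAH for the alarm, and the IEC 61511 low-demand PFD bands; the PAH plus operator layer is derived as 1 - 0.9 x 0.9 = 0.19 rather than the 0.20 entered on the solution table.

```python
"""Worked LOPA calculation for the flash drum overpressure exercises (added example,
not the course's solution sheet): mitigated likelihood (X)(Y1)(Y2)...(Yn), protection
gap, IEC 61511 SIL bands, the no-credit rule for an IPL that needs the failed element
of the IE, and the SIS rules (SIL 3 triggers review, SIL 4 not allowed)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

RTC = 1.0e-6  # risk tolerance criterion: tolerable frequency per year (exercise data)


@dataclass
class IPL:
    name: str
    pfd: float                                # Yi: probability of failure on demand
    depends_on: FrozenSet[str] = frozenset()  # elements the layer needs in order to work


@dataclass
class Scenario:
    initiating_event: str
    ie_frequency: float                      # X: events per year
    failed_element: str                      # element whose failure is the IE
    conditional_modifiers: Dict[str, float]  # e.g. ignition, occupancy
    ipls: List[IPL] = field(default_factory=list)


def ipl_credit(ipl: IPL, s: Scenario) -> float:
    """BPCS & alarm rule: no credit (1.0) when the IPL relies on the sensor or
    final element whose failure is the initiating event."""
    return 1.0 if s.failed_element in ipl.depends_on else ipl.pfd


def mitigated_likelihood(s: Scenario) -> float:
    """Mitigated likelihood = (X)(Y1)(Y2)...(Yn), one scenario at a time."""
    freq = s.ie_frequency
    for prob in s.conditional_modifiers.values():
        freq *= prob
    for ipl in s.ipls:
        freq *= ipl_credit(ipl, s)
    return freq


def required_pfd(s: Scenario, target: float = RTC) -> Optional[float]:
    """Protection gap as the PFD a SIF must deliver; None when no gap remains."""
    freq = mitigated_likelihood(s)
    return None if freq <= target else target / freq


def sil_for_pfd(pfd: Optional[float]) -> int:
    """IEC 61511 low-demand bands; 0 means no SIL-rated SIF needed (RRF below 10)."""
    if pfd is None or pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    return 3 if pfd >= 1e-4 else 4


def assess(s: Scenario, target: float = RTC) -> dict:
    """One LOPA worksheet row, with the note the SIS rules call for."""
    pfd = required_pfd(s, target)
    sil = sil_for_pfd(pfd)
    note = {3: "process review plus fully quantitative SIL assessment required",
            4: "SIL 4 not allowed: change the process design"}.get(sil, "")
    return {"scenario": s.initiating_event, "mitigated_freq": mitigated_likelihood(s),
            "required_pfd": pfd, "sil": sil, "note": note}


def overall_required_pfd(scenarios: List[Scenario], target: float = RTC,
                         rule: str = "max") -> Optional[float]:
    """Scenarios sharing a consequence: 'max' keeps the worst (highest frequency)
    scenario; 'sum' adds all scenario frequencies first (both are CCPS options)."""
    if rule == "sum":
        total = sum(mitigated_likelihood(s) for s in scenarios)
        return None if total <= target else target / total
    gaps = [g for g in (required_pfd(s, target) for s in scenarios) if g is not None]
    return min(gaps) if gaps else None


# PAH plus operator intervention fails if the alarm fails OR the operator fails to
# act: alarm PFD 0.1, operator handles 9 out of 10 -> 1 - 0.9 * 0.9 = 0.19.
ALARM_LAYER_PFD = 1.0 - (1.0 - 0.1) * (1.0 - 0.1)
MODIFIERS = {"ignition": 0.1, "occupancy": 0.1}  # conditional modifiers from the data


def exercise2_layers(pah_sensor: str = "PT-PAH") -> List[IPL]:
    """Exercise 2 IPLs: PAH on its own transmitter (constructed tag) and the PSV."""
    return [IPL("PAH + operator intervention", ALARM_LAYER_PFD, frozenset({pah_sensor})),
            IPL("PSV", 0.01)]


def exercise2_scenarios() -> List[Scenario]:
    """Constructed rows using the Exercise 2 initiating event frequencies."""
    return [Scenario("FC-1 fails low / FCV fails open", 1.0, "FC-1 loop", MODIFIERS, exercise2_layers()),
            Scenario("PC-1 fails low / PCV fails closed", 3.0, "PC-1 loop", MODIFIERS, exercise2_layers()),
            Scenario("LC-1 fails high / LCV fails closed", 1.0, "LC-1 loop", MODIFIERS, exercise2_layers()),
            Scenario("Pump stops", 0.1, "pump", MODIFIERS, exercise2_layers())]


def pc1_with_shared_sensor() -> Scenario:
    """Exercise 1 observation: alarm on the same sensor as the failed controller."""
    return Scenario("PC-1 fails low, PAH on PC-1 sensor", 3.0, "PC-1 loop",
                    MODIFIERS, exercise2_layers(pah_sensor="PC-1 loop"))


if __name__ == "__main__":
    print(*map(assess, exercise2_scenarios() + [pc1_with_shared_sensor()]), sep="\n")
```

With the alarm on its own transmitter every Exercise 2 row lands in SIL 1 (the pump scenario needs a risk reduction factor below 10, so no SIL-rated SIF); moving the PAH onto the PC-1 sensor removes the alarm credit and pushes that row to SIL 2.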

IPL Validity

IPL checklist

Name of IPL:
Description:

Is it an IPL? (Judgement / Comments)
   Does it detect the condition?
   Does it decide to take action?
   Does it deflect the undesired event?
Is it enough?
   Is it big enough?
   Is it fast enough?
   Is it strong enough?
   Is it reliable?
   Can any circumstances arise that will reduce its effectiveness?
   Can it be tested and be auditable?
Is it independent?
   Of the initiating event and any enabling event?
   Of any other device, system or action that is already credited with being an IPL?

Note - Standards only allow one credit for the BPCS. Two are allowed under certain circumstances, and should not credit a PFD better than 0.1 unless carefully justified.

IPL checks

Consider the following three "D" factors to help decide if a safeguard is an IPL:
   Detect: Most IPLs detect a condition that is leading to the loss scenario
   Decide: Many IPLs make a decision whether or not to take action
   Deflect: All IPLs must deflect the loss event by preventing it
Then consider the following three "E" factors to help decide if the safeguard will be an effective IPL:
   Big enough?
   Fast enough?
   Strong enough?
Finally, ensure that the safeguard is INDEPENDENT of the initiating event and all the other IPLs so that it can be assumed to work every time (assuming it is operational).

IE Frequency Data, Availability & Relevance


Frequency for Some IE & Operator Error

Generic frequency for LOPA (if no specific plant experience):

Event                                                            Frequency
1.1  Control loop fail to danger                                 0.1/yr
1.2  Loss of cooling water supply                                0.1/yr
1.3  Regulator failure                                           0.1/yr
1.4  Single pump failure (if no MTBF data available)             0.1/yr
1.5  Dual pump failure if autostart and run status provided      0.01/yr
1.6  Significant pump seal leak                                  0.1/yr
1.7  Electrical failure                                          0.1/yr
1.8  N2 or instrument air failure                                0.1/yr
Mechanical failure (e.g. tube rupture, bellows failure, etc.)
1.9  No moving parts, no vibration, erosion, corrosion           0.001/yr
1.10 Low vibration, erosion, corrosion                           0.01/yr
1.11 High vibration, erosion, corrosion                          0.1/yr

Operator error. Probabilities in the table should be multiplied by the number of opportunities, e.g. error in routine operation where care is required when carried out daily = 0.001/opportunity * 365 opportunities/yr = 0.37/yr.

Event                                                                                         Probability
1.15 General rate for errors involving very high stress levels                                0.3
1.16 Complicated non-routine task, with stress                                                0.3
1.17 Supervisor does not recognise the operation's error                                      0.1
1.18 Non-routine operation, with other duties at the same time                                0.1
1.19 Operator fails to act correctly in the first 30 minutes of stressful emergency situation 0.1
1.20 Errors in simple arithmetic with self-checking                                           0.03
1.21 General error rate for oral communication                                                0.03
1.22 Failure to return the manually operated test valve to the correct configuration after maintenance   0.01
1.23 Operator fails to act correctly after the first few hours in a high-stress scenario      0.01
1.24 General error of omission                                                                0.01
1.25 Error in a routine operation where care is required                                      0.01
1.26 Error of omission of an act embedded in a procedure                                      0.003
1.27 General error rate for an act performed incorrectly                                      0.003
1.28 Error in simple routine operation                                                        0.001


Non-SIS Layers of Protection

Probability of failure on demand for non-SIS layers of protection:

Protection layer                                                      Probability of failure on demand
1.29 Relief valve sized for scenario (clean service)                  0.01
1.30 Relief valve sized for scenario (dirty service)                  0.1
Check valves
1.31 Single                                                           1
1.32 Dissimilar registered valves in series                           0.1
Bund wall (reduces frequency of large spills)
1.31 Concrete well maintained                                         0.01
1.32 Earth                                                            0.1
1.33 Underground drainage (reduced frequency of large spill)          0.1
1.34 Independent control loop                                         0.1
     (Note: Must be independent of initiating event, 0.1 is max credit allowed)
1.35 Gas detection with automatic response (independent of other protection layers)   0.1
1.36 Flare failure                                                    0.01
     Or estimate from plant experience based on pilots being unavailable (e.g. if pilots are out 1 day/yr, PFD = 1 day/365 days = 0.003)

Operator response to an alarm:
1.38 Separately annunciated hard wired / safety PLC alarm specific to hazard, with 30 minute response time and written procedures   0.01
1.39 Hardwired alarm, stressful situation, action less clear, 30 minute response time OR hazard specific DCS alarm, no coincident upsets, 30 minute response time OR multiple DCS alarms that indicate the same hazard with hours of response time (discretion of study leader to use 0.01)   0.1
1.40 Other alarms (response time < 30 minutes, DCS alarm during other upsets, etc.)   1


Pressure Vessels

Probability of significant leak from pressure system:

1.41 Pressurise vessel to 1.25 times design pressure – but check Case 5 does not apply. Also use for vacuum cases. Probability of significant release 0.02 – 0.1; for SIL assessment use 0.05. Small potential – increases with "aged equipment" (corroded etc – see Note 1).
1.42 Pressurise vessel to 1.5 times design pressure – but check Case 6 does not apply. Probability 0.3. Some risk of flange leakage specially on heavily loaded nozzles, and potential for crack at high stress location (e.g. nozzle) – see Note 3.
1.43 Pressurise vessel to 2 times design pressure – but check Case 7 does not apply. Probability 0.7. Even if high stress region / nozzle crack does not open and lead to release, there is significant likelihood of flange leak.
1.44 Pressurise vessel to 2.5 times design pressure. Probability 1. Even if nozzle does not fail likelihood of other weld catastrophic failure is significant – see Note 4.
1.45 Pressurise vessel in fatigue service or carbon steel equipment which is simultaneously exposed to sub zero temperature, or low chrome moly (up to 2 ¼ Cr) in elevated temperature service that is pressurised when below 50 °C - pressurised to 1.25 times design. Probability 0.05 – 0.3; for SIL assessment use 0.2. Probability will depend on years of service and quality of design.
1.46 Pressurise vessel in fatigue service or pressurise carbon steel equipment which is simultaneously exposed to sub zero temperature, or low chrome moly elevated temperature service that is pressurised when below 50 °C - pressurised to 1.5 times design. Probability 0.5 – 0.7; for SIL assessment use 0.7. Probability will depend on years of service and quality of design.
1.47 Pressurise vessel in fatigue service or carbon steel equipment which is simultaneously exposed to sub zero temperature that is pressurised below 50 °C - pressurised to 2 times design. Probability 0.8 – 1.0; for SIL assessment use 1. Probability will depend on years of service and quality of design.

Notes:
1. An "aged vessel" here is one in service for 20 years or longer and where the following applies: subject to corrosion under insulation (-5 °C to 200 °C), or creep conditions (>330 °C for carbon steel; >420 °C for chrome moly steels up to 12% Cr; >485 °C for austenitic steel), or if significant internal corrosion / erosion is expected due to fluid conditions.
2. Above risks will apply to all BS vessels as well as ASME vessels built after 1998. Probabilities are based on the percentage of applied hoop stress to minimum yield strength and ultimate tensile strengths. The probabilities quoted on this basis are directly comparable against European Code approaches (e.g. PD/BS 5500). For ASME VIII Division 1 equipment the probabilities quoted will tend to be conservative, and the degree of conservatism increases for ASME vessels pre-dating 1998. However, in the case of ASME vessels, particularly older ones, there is a high potential that nozzles can be excessively loaded, as the code does not mandate consideration of piping loads onto nozzles.
3. This level of pressure (1.5 times design) will generate bulk membrane (hoop) stresses close to minimum yield strength in European code vessels. Although failure of the membrane from a few applications is unlikely, there is a risk of opening a significant crack in highly stressed and localised regions such as nozzles.
4. This level of pressure (2.5 times design) will generate bulk membrane (hoop) stresses close to ultimate tensile strength in European code vessels. Failure could almost be guaranteed to European code vessels, and failure could well be significant or catastrophic.
5. In the event of only a flange leak (1.5 to 2 times design pressure) the leak is likely to persist only while the pressure is elevated, and could diminish or cease when pressure returns below design pressure, whereas in the case of a crack in a nozzle or other part, the leak will persist until plant shutdown / isolation.
6. These risk factors take no account of the fact that equipment may have been supplied with excess wall thickness versus the design requirement. It assumes the worst case, and that only nominal corrosion allowances have been applied.
7. This document refers to EEMUA Pressure Vessels Committee: Risk Based Mechanical Integrity Work Item: Document No 3852-05. The EEMUA document covers some of these issues, and relates to likelihood of failure in terms of Categories 1 to 5, ranging from 1 (negligible risk) to 5 (highly probable). These categories in turn derive from API Publication 581: Base Resource Document – Risk Based Inspection.


Conditional Modifiers

Will it catch fire or explode?
• Zoned or IS area
• Ignition sources
• Inert gas
• Pressure safety margin in pipes and vessels at actual temperature

Probability of worst harm being realised
• Release dispersion
• Weather
• Prevailing wind
• Dense or light vapour
• Toxicity, bioactivity
• Quantity and release rate

Can people avoid, or are they drawn to the event seeking to ameliorate?
• Will they get involved in precursor conditions
• Person present
• Safety time and response time
• Local alarms
• Refuges

People exposure
• Probability of being in the danger area
• Employees: plant operators; other (maintenance etc)
• Visitors
• Public

Probability of leak (/problem) being undetected
• Secondary protection
• Buildings
• Blast walls
• Topography

Probability of ignition:
1.48 Near obvious ignition sources such as fired heaters: 1
1.49 Near a road: 0.5

When the leak is not near an obvious ignition source or road:
1.50 LPG, liquid above its atmospheric boiling point, or material above its flash point released at height. No obvious ignition sources.
  Mass released (tonnes)   Release rate (kg/s)   Immediate ignition   Delayed ignition   No ignition
  <1                       <10                   0.02                 0.02               0.96
  2                        20                    0.05                 0.05               0.9
  5                        50                    0.1                  0.1                0.8
  10                       100                   0.2                  0.8                0
  >38.8                    >388                  0.9                  0.1                0
1.51 Ignition inside a vessel (e.g. air ingress to a vessel by operation of vacuum valves or landing a floating roof tank): 0.01, due to absence of ignition sources and the mixture being fuel rich.
1.52 Liquid hydrocarbon below its atmospheric boiling point and released near ground level. No obvious ignition sources.
  Type of release   Release rate (kg/s)   Location   Ignition   No ignition
  Liquid            <1                    General    0.01       0.99
  Liquid            1 – 50                General    0.03       0.97
  Liquid            >50                   General    0.08       0.92

Probability of being in the danger area:
1.53 Large release, normally occupied area, operator present during the hazardous activity or local resident (off-site potential): 1
1.54 Within the plant structure: 0.1
1.55 Normally unoccupied area (e.g. tank farms): 0.01
Note: Team can also estimate probability directly if information available (e.g. 1 hour operator tour of area every shift = 1 hour / 12 hours = 0.08).

Exercise 3 (Fuel Gas Scrubber) LOPA vs. Risk Graph

Data is as follows:
• PIC-0601 loop fails 0.1/yr.
• LIC-0601 loop fails 0.2/yr.
• Ignition probability is 0.1
• The area is occupied by 4 people 10% of the time
• The Operator can handle 9 out of 10 situations
• The PSV Probability of failure is 0.01
• RTC is as established in the table below


Exercise 3 (Fuel Gas Scrubber) LOPA vs. Risk Graph

Describe:
• Initiating Event(s)? PIC or LIC loops fail on low, or PIC bypass valve open
• Demand Scenario? High liquid level and vessel over-pressurization.
• Design Intent? Protect vessel against high liquid level and over-pressurization.
• Hazardous Event? Leaks, possible vessel rupture, and LOC
• Consequences? Possible F&E within the process area, leading to fatalities and asset loss.

Perform SIL Determination for scrubber overpressure, using Risk Graph and LOPA.


Exercise 3 Solution (Risk Graph)

Consequence   Description
CA            • People: Employee injury or damage to health.
              • Environment: Minor and inside the fence.
              • Assets: Minor damage. Cost less than $1 million
CB            • People: Employee fatality.
              • Environment: Localized effect affecting neighborhood.
              • Assets: Partial shutdown. Cost up to $25 million
CC            • People: Employee multiple fatalities and some impact on third parties.
              • Environment: Severe damage to environment, to be extensively restored by Company.
              • Assets: Partial operation loss. Costs up to $500,000,000
CD            • People: Employees and third parties multiple fatalities.
              • Environment: Contamination over a large public area. Major economic loss to Company.
              • Assets: Significant or total loss of facility. Costs above $500,000,000

Frequency of Exposure   Classification
FA                      Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%
FB                      Frequent to permanent exposure in the hazardous zone.

Possibility of Avoiding   Comments
PA                        PA should be selected if all the following are true:
                          o Facilities are provided to alert the operator that the SIS has failed.
                          o Independent facilities are provided to shutdown such that the hazard can be avoided or which enable all persons to escape to a safe area.
                          o The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.
PB

Freq.   Haz. Event Frequency (yr^-1)   Description
W1      <1 x 10^-6                     Very Low. Never heard of in industry.
W2      1 x 10^-3 to 1 x 10^-6         Medium. Incident has occurred in Company.
W3      >1 x 10^-3                     High. Happens several times per year in Company.


Exercise 3 Solution (Risk Graph)

Starting point, then C, F and P select a node; the W column gives the result:

C    F    P    Node   W3    W2    W1
CA   -    -    X1     a     ---   ---
CB   FA   PA   X2     1     a     ---
CB   FA   PB   X3     2     1     a
CB   FB   PA   X3     2     1     a
CB   FB   PB   X4     3     2     1
CC   FA   PA   X3     2     1     a
CC   FA   PB   X4     3     2     1
CC   FB   PA   X4     3     2     1
CC   FB   PB   X5     4     3     2
CD   FA   PA   X4     3     2     1
CD   FA   PB   X5     4     3     2
CD   FB   PA   X5     4     3     2
CD   FB   PB   X6     b     4     3

C = Consequence parameter
F = Exposure time parameter
P = Possibility of failing to avoid hazard
W = Demand rate assuming no protection
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PS is not sufficient
1,2,3,4 = Safety Integrity Level


Exercise 3 Solution (LOPA)

Severity Level: Fatality
Risk Tolerance Criteria: 1.00E-06 /yr

Columns: Initiating Event (IE) | Frequency of the IE (yr^-1) | Conditional Modifiers: Ignition, Occupancy (probability) | General Process Design Spec: pressure rating for vessel/piping, etc. (probability) | BPCS: Alarms, etc. (probability) | Passive Protective System: Fireproofing, Dykes, etc. (probability) | Active Protective Systems: PSV, F&G, BD, etc. (probability) | Administrative Protective Systems: Access Control, PPE, etc. (probability) | Estimated Risk (yr^-1) | Risk Tolerance Criteria (yr^-1) | PFD | SIL

PIC-0601 fails on low     | 1.00E-01 | 0.01 (ignition & occupancy) | 1.00 | 1.00 | 1.00 | 0.01 (PSV) | 1.00 | 1.00E-05 | 1.00E-06 | 1.00E-01 |
LIC-0601 fails on low     | 2.00E-01 | 0.01 (ignition & occupancy) | 1.00 | 1.00 | 1.00 | 0.01 (PSV) | 1.00 | 2.00E-05 | 1.00E-06 | 5.00E-02 |
Bypass on PIC-0601 open   | 1.00E-01 | 0.01 (ignition & occupancy) | 1.00 | 1.00 | 1.00 | 0.01 (PSV) | 1.00 | 1.00E-05 | 1.00E-06 | 1.00E-01 |

Overall required PFD: 5.00E-02, Safety SIL 1
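The same LOPA arithmetic as a small program, added here as a worked example (it is not the course's spreadsheet). The initiating-event frequencies, the 0.1 ignition and 0.1 occupancy modifiers, the PSV PFD of 0.01 and the 1E-6/yr tolerance are the exercise data; the class and function names are this example's own.

```python
"""LOPA for the Exercise 3 fuel gas scrubber (added worked example)."""
from dataclasses import dataclass, field

# PFDavg bands for low-demand SIFs (IEC 61511): (SIL, lower bound, upper bound).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass
class Scenario:
    initiating_event: str
    ie_frequency: float                                        # events per year
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipls: dict = field(default_factory=dict)                   # name -> PFD

    def mitigated_frequency(self) -> float:
        """Hazardous-event frequency with the existing layers, before any new SIF."""
        f = self.ie_frequency
        for p in self.conditional_modifiers.values():
            f *= p
        for pfd in self.ipls.values():
            f *= pfd
        return f


def required_pfd(mitigated_freq: float, tolerable_freq: float) -> float:
    """PFDavg a new SIF must achieve so that mitigated_freq * PFD <= tolerable_freq."""
    return tolerable_freq / mitigated_freq


def sil_for_pfd(pfd: float):
    """SIL whose band contains the required PFD; None when no SIF is required
    (PFD >= 0.1). A required PFD below 1e-5 is outside what one SIF can claim."""
    if pfd >= 0.1:
        return None
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("required PFD < 1e-5: redesign the process, do not rely on one SIF")


def lopa(scenarios, tolerable_freq):
    """Evaluate each initiating event, then aggregate.

    The slide's table sizes the SIF on the most demanding single row (required PFD
    5E-2). Summing the scenario frequencies, as LOPA does when several initiating
    events lead to the same hazardous event, is the stricter check; both are returned."""
    rows = [(s.initiating_event, s.mitigated_frequency(),
             required_pfd(s.mitigated_frequency(), tolerable_freq)) for s in scenarios]
    total = sum(f for _, f, _ in rows)
    pfd_sum = required_pfd(total, tolerable_freq)
    pfd_worst = min(p for _, _, p in rows)
    return {
        "rows": rows,
        "total_frequency": total,
        "required_pfd_sum": pfd_sum, "sil_sum": sil_for_pfd(pfd_sum),
        "required_pfd_worst_row": pfd_worst, "sil_worst_row": sil_for_pfd(pfd_worst),
    }


# Exercise 3 data. Occupancy: 4 people present 10% of the time -> 0.1. Ignition 0.1.
# As in the slide's table, no credit is taken for the operator (BPCS column = 1.00).
TOLERABLE_FREQUENCY = 1e-6   # fatality, per year
MODIFIERS = {"ignition": 0.1, "occupancy": 0.1}
IPLS = {"PSV": 0.01}
EXERCISE_3_SCENARIOS = [
    Scenario("PIC-0601 fails on low", 0.1, dict(MODIFIERS), dict(IPLS)),
    Scenario("LIC-0601 fails on low", 0.2, dict(MODIFIERS), dict(IPLS)),
    Scenario("Bypass on PIC-0601 open", 0.1, dict(MODIFIERS), dict(IPLS)),
]

if __name__ == "__main__":
    result = lopa(EXERCISE_3_SCENARIOS, TOLERABLE_FREQUENCY)
    for name, f, pfd in result["rows"]:
        print(f"{name:26s} mitigated {f:.2e}/yr  required PFD {pfd:.2e}")
    print(f"sum of scenarios: {result['total_frequency']:.2e}/yr -> PFD "
          f"{result['required_pfd_sum']:.3f} -> SIL {result['sil_sum']}")
    print(f"worst single row: PFD {result['required_pfd_worst_row']:.3f} "
          f"-> SIL {result['sil_worst_row']}")
```

Both ways of aggregating land in SIL 1 here, but the summed demand asks for a PFD of 0.025 rather than 0.05, which matters when the verified design sits near the band edge.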


Risk Graph vs. LOPA

Risk Graph
  Weaknesses:
  • High subjectivity
  • Inconsistent results
  • Hard to document rationale
  • Not much resolution between protection layers
  Strengths:
  • Easy to use
  • Good for subjective consequence assessment
  • Good for screening and categorizing hazards
  • Team approach provides better evaluations

LOPA
  Weaknesses:
  • Time consuming
  • Resource intensive
  • Complex, difficult to use
  • Can produce same results via qualitative analysis???
  Strengths:
  • More rigorous
  • Least conservative
  • Good for complex scenarios
  • Better quantification of incremental protection layers


Quantitative Methods


Scheme for Quantitative SIL Determination

Flowchart: Define EUC hazards → Scenarios → IPLs → Consequence (C) and Frequency (F) → Risk compared against Target Risk → SIS needed? NO → END; YES → SIL.

Logic Diagrams

INITIATING EVENTS → FTA → LOC → ETA → SCENARIOS (FTA = fault tree analysis, ETA = event tree analysis, LOC = loss of containment)


FTA Example

Fault tree figure: top event "Cl2 Emission". Basic events shown: QT fails (transmitter), QIC fails (indicator & controller), I/P fails (pneumatic switch), QV fails (valve), QS failed (switch), QA failed (alarm), Operator fails.
Event Trees – Example

Initiating event: Pressurized Gas Leak, 3.6E-5/yr

Immediate ignition?
  YES (0.1) → Jet Fire (3.6E-6/yr)
  NO  (0.9) → Delayed ignition?
                YES (0.7) → Explosion given DI?
                              YES (0.1) → VCE (2.268E-6/yr)
                              NO  (0.9) → Flash Fire (2.0412E-5/yr)
                NO  (0.3) → Toxic/Dispersion (9.72E-6/yr)
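The event tree above evaluated by a short program, added as an example (not course code). The initiating frequency and branch probabilities are the slide's; the tree encoding and function names are this example's own, and the branch-sum check is the one error a hand-built event tree most often hides.

```python
"""Event tree evaluation for the pressurized gas leak example (added example)."""

# A node is either an outcome label (str) or a tuple
# (question, [(branch_label, probability, child_node), ...]).
def build_gas_leak_tree():
    """The slide's tree: immediate ignition, delayed ignition, explosion given DI."""
    return ("Immediate ignition", [
        ("YES", 0.1, "Jet Fire"),
        ("NO", 0.9, ("Delayed ignition", [
            ("YES", 0.7, ("Explosion given DI", [
                ("YES", 0.1, "VCE"),
                ("NO", 0.9, "Flash Fire"),
            ])),
            ("NO", 0.3, "Toxic/Dispersion"),
        ])),
    ])


def check_branches(node):
    """Every decision node's branch probabilities must sum to 1; otherwise the
    outcome frequencies silently stop adding up to the initiating frequency."""
    if isinstance(node, str):
        return
    question, branches = node
    total = sum(p for _, p, _ in branches)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branches of '{question}' sum to {total}, not 1")
    for _, _, child in branches:
        check_branches(child)


def outcome_frequencies(node, initiating_frequency):
    """Return {outcome: frequency per year}: the initiating frequency multiplied by
    the probabilities along each path. Outcomes reached by several paths are summed."""
    check_branches(node)
    result = {}

    def walk(n, f):
        if isinstance(n, str):
            result[n] = result.get(n, 0.0) + f
            return
        for _, p, child in n[1]:
            walk(child, f * p)

    walk(node, initiating_frequency)
    return result


if __name__ == "__main__":
    for outcome, f in outcome_frequencies(build_gas_leak_tree(), 3.6e-5).items():
        print(f"{outcome:18s} {f:.4e}/yr")
```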

Modelling the Effect of a Hazardous Fluid Release

Receptors can be influenced by hazardous material through various transport media, including atmospheric dispersion, groundwater contamination, soil erosion, etc. Atmospheric transport is the most important in risk assessments.

Hazard effects for materials are:
• THERMAL RADIATION (I) – used for flammable materials.
• OVERPRESSURE (P0) – used for determining blast wave consequences such as deaths from lung haemorrhage.
• CONCENTRATION (C) – used for toxic materials.



Modelling the Effect of a Hazardous Fluid Release

Modelling tools:
• EFFECTS™
• ARCHIE™
• ALOHA™
• PHAST™
• CANARY™
• QRA Pro™

Calculating Risk

Risk = Consequence x Frequency

R_h = C_{i,h} × F_{c,i,h}

where R_h is the risk from an undesirable event h, C_{i,h} is consequence i of undesirable event h, and F_{c,i,h} is the frequency of consequence i from event h.

Total Risk = Σ_{h=1}^{N} R_h

Example of Quantitative SIL Results

Columns, in order: Freq HP initiators (/yr) | Freq HP with SD failure (/yr) | Freq all releases (/yr) | Prob that ESD system will be functional for all release cases | Freq all long duration releases, no shutdown (/yr) | Total releases (/yr) | Increase over base case | % increase over base case | PFD for overall protection system, all layers | SIL for overall protection system, all layers

Option 1 (BASE CASE): Class 1500 piping with 2 layers of protection
  Scenario 1:  SD failure 0 | all releases 6.32E-03 | 100% | long duration 9.83E-05 | total 9.83E-05
  Scenario 2:  SD failure 0 | all releases 1.34E-03 | 20%  | long duration 1.07E-03 | total 1.07E-03
  Scenario 3:  SD failure 0 | all releases 1.50E-04 | 0%   | long duration 1.50E-04 | total 1.50E-04

Option 2: Class 600 piping with 2 layers of protection
  Scenario 1:  1.22E+01 | 1.89E-01 | 6.32E-03 | 100% | 9.83E-05 | 1.89E-01 | 1.89E-01 | 192597% | 1.555E-02 | SIL 1
  Scenario 2:  1.42E+01 | 1.58E-01 | 1.34E-03 | 20%  | 1.07E-03 | 1.59E-01 | 1.58E-01 | 14723%  | 1.110E-02 | SIL 1
  Scenario 3:  4.24E+01 | 5.49E-03 | 1.50E-04 | 0%   | 1.50E-04 | 5.64E-03 | 5.49E-03 | 3660%   | 1.296E-04 | SIL 3

Option 3: Class 600 piping with 3 layers of protection
  Scenario 1:  1.22E+01 | 6.78E-05 | 6.32E-03 | 100% | 3.52E-08 | 6.79E-05 | -3.04E-05 | -31% | 5.572E-06 | SIL 4
  Scenario 2:  1.42E+01 | 5.66E-05 | 1.34E-03 | 20%  | 1.07E-03 | 1.13E-03 | 5.36E-05  | 5%   | 3.979E-06 | SIL 4
  Scenario 3:  4.24E+01 | 1.97E-06 | 1.50E-04 | 0%   | 1.50E-04 | 1.52E-04 | 1.97E-06  | 1%   | 4.644E-08 | SIL 4

Sensitivity 1: As Option 3, but with modified testing interval for all components (except valves - SSV, SSSV and ZV) to achieve freq HP scenarios = all causes (values in source order; PFD and SIL precede the two increase-over-base-case figures)
  Scenario 1:  1.22E+01 | 9.83E-05 | 6.32E-03 | 100% | 5.10E-08 | 9.83E-05 | 8.071E-06 | SIL 4 | -8.40E-13 | -8.40E-07
  Scenario 2:  1.42E+01 | 1.07E-03 | 1.34E-03 | 20%  | 1.07E-03 | 2.14E-03 | 7.540E-05 | SIL 4 | 2.56E-11  | 2.56E-05
  Scenario 3:  4.24E+01 | 1.50E-04 | 1.50E-04 | 0%   | 1.50E-04 | 3.00E-04 | 3.540E-06 | SIL 4 | 5.07E-10  | 5.07E-04

Notes:
1 Options 1 - 3 assume valves (SSV, SSSV and ZV) are tested every 12 months, remainder of components are tested every 6 months.
2 Sensitivity 1: CFI for all items (not valves) = 7.4 months for Scenario 1, 26.1 months for Scenario 2, 50.8 months for Scenario 3 (CFT factor).


Safety Requirements Specification (SRS)


Conceptual Design & SIL Verification

• After SIL determination, the next tasks in the SIS Safety Lifecycle are "Conceptual Design of the SIS" and "SIL Verification".

• This stage is where it is verified that each of the required SILs has been achieved by the system that has been designed.

• These two steps go hand-in-hand, and often they are iterative in nature.

• The purpose of conceptual design evaluation is to determine whether the equipment, and how it is maintained, is appropriate for the selected SIL. The result is a set of functional specifications of the system that can be used in detailed design engineering (i.e., safety requirements specifications (SRS)).

Procedure for SIL Verification

In order to follow a sound and well planned process that ensures a successful SIL Verification Study, the following steps shall be completed:

• SIL Verification Techniques. Simplified equations, Markov Models or Fault Tree Analysis may be used to provide the calculations for system availability and spurious trip rate. Software packages which support these modeling techniques are recommended to assist in the documentation and consistency of the calculations.

• Documentation. All assumptions, data sources, and any other information necessary to define the final system availability and spurious trip rate shall be documented and maintained with the SIS documentation.

• Assumptions Used for the Calculations
  o Failure rate data shall be sourced from recognized industry sources such as those included in attachment III of this procedure.
  o Components used in the SIS shall be technically acceptable per KOC "I" series standards and proven in use in KOC facilities and/or TUV certified.
  o The calculated PFD shall be verified as better than the minimum required PFD value by a factor of 25%. That is: SIL 1 PFD < 7.5x10^-2, SIL 2 PFD < 7.5x10^-3, SIL 3 PFD < 7.5x10^-4.
  o The PFD calculations may assume that the calibration and recovery time (formerly repair time) is small compared to the MTTF.
  o Shutdowns which are initiated manually via a push/pull button are exempt from SIL verification. These shutdown buttons require an operator intervention that is used for both prevention and mitigation of hazardous events.
  o The PFD calculations for SIL verification shall also take into account diagnostic coverage for the sensor or final element. Diagnostics is the capability to automatically detect a dangerous failure. These calculations shall follow the method established in annex C of IEC 61508 Part 2. Credit for diagnostic coverage shall only be taken if the process is brought to the safe state when a fault is detected, or if safety is maintained by different means.
  o The PFD calculations for SIL verification shall take into account the common cause factor (beta factor) for dangerous and safe failure robust configurations. This beta factor is a measure on a 0-1 scale (or a percentage) of which failures will affect all channels in redundant architectures at the same time. Based on IEC 61508 part 5, the beta factor may be assumed to be as follows:
    - 5 % for identical robustness
    - 2 % for diverse robustness


SIF Typical Architecture SIL 1 (1oo1)

Figure: Switch or Transmitter → Logic Solver → SOV → ESDV

NOTES:
1. Sensor: Single switch or transmitter
2. Logic Solver: Relay or Conventional PLC
3. Final Element: Single Solenoid and valve
4. SIS fully independent of BPCS
5. The final design has to be verified via SIL verification calculations.
6. It shall be noted that architectures alone cannot ensure meeting all the requirements of IEC 61511. Other design requirements like HFT, Diversity, Proof Test Frequency, Proven-In-Use, etc. also determine whether a particular architecture meets a particular SIL.
7. The architecture shown here is for information purposes only and shall not be taken as sufficient to meet any particular SIL.

SIF Typical Architecture SIL 2 (1oo1)

Figure: Safety Transmitter → Logic Solver → Smart Positioner → ESDV

NOTES:
1. Sensor: Single safety transmitter
2. Logic Solver: Safety PLC certified
3. Final Element: Single valve with partial stroke testing via smart positioner
4. SIS fully independent of BPCS
5. The final design has to be verified via SIL verification calculations.
6. It shall be noted that architectures alone cannot ensure meeting all the requirements of IEC 61511. Other design requirements like HFT, Diversity, Proof Test Frequency, Proven-In-Use, etc. also determine whether a particular architecture meets a particular SIL.
7. The architecture shown here is for information purposes only and shall not be taken as sufficient to meet any particular SIL.

SIF Typical Architecture SIL 3 (2oo3)

Figure: Transmitters T1, T2, T3 → Logic Solver (2oo3) → two Smart Positioners → ESDV 1 and ESDV 2

NOTES:
1. Sensor: 3 safety transmitters (2oo3 voting)
2. Logic Solver: Safety PLC certified
3. Final Element: Dual valves (1oo2 voting) with PST via digital valve controller
4. SIS fully independent of BPCS
5. The final design has to be verified via SIL verification calculations.
6. It shall be noted that architectures alone cannot ensure meeting all the requirements of IEC 61511. Other design requirements like HFT, Diversity, Proof Test Frequency, Proven-In-Use, etc. also determine whether a particular architecture meets a particular SIL.
7. The architecture shown here is for information purposes only and shall not be taken as sufficient to meet any particular SIL.

SIS Design & Engineering

There are several parameters in the design of a SIS that could potentially affect the achieved SIL.

1. Component Selection. Technology and "proven in use". The technology will also affect other parameters such as failure rate, safe failure fraction, and diagnostic coverage.

2. Fault Tolerance (HFT). The ability of the SIS to be able to perform its intended actions (and not perform unintended actions) in the presence of failure of one or more of the SIS components.

3. Functional Test Interval. Functional testing of a SIF decreases its probability of failure, and increases its effective SIL, by effectively reducing the fraction of time that a SIF is in the failed state.

4. Common Cause Failures. Common Cause recognizes that a potential single event or stress on a SIF could result in multiple simultaneous failures of SIF components. Based on IEC 61508 part 5 D6, the beta factor may be assumed to be 5 % for identical robustness and 2 % for diverse robustness.

5. Diagnostic Coverage Factor (DCF). Proof tests of an individual SIS component that occur rapidly and automatically, but only detect some of the potential failures of the device. The fraction of the failures that can be detected is referred to as the diagnostic coverage.

Design flow (figure): Select technology → Select architecture → Determine test philosophy → Reliability evaluation → Detailed design; iterate if requirements are not met.

SIL Verification (PFD Calculation)

• The overall PFD calculation considers all of the previously described factors.
• It is performed using reliability models such as FTA, simplified equations, or Markov models to evaluate each SIF.
• Industry standards require quantitative verification that the selected SIL targets were achieved for the selected design.
• The simplified equation option is primarily used where possible. The table shows the simplified equations for PFD calculation and the simplified equations for spurious trip rate (STR).
• Calculation of the overall PFDavg of a SIF begins with use of one of the equations shown for each sensor, logic solver, and final element.

Simplified equations per subsystem:

Architecture   Probability of Failure on Demand            Safe Failure Rate
1oo1           λd · Ti / 2                                  λs
1oo2           λd² · Ti² / 3                                2 · λs
2oo2           λd · Ti                                      2 · λs² · τ
2oo3           λd² · Ti²                                    6 · λs² · τ
"2oo4"         (expression not recoverable from the slide)  8 · λs² · τ

General proof-test form: fdt = [n! / (r! · (n − r)!)] · λ^r · τ^r / (r + 1)

λd = Dangerous failure rate
λs = Safe failure rate
Ti = Test interval
τ = Mean time to repair
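The simplified equations, the beta-factor common-cause allowance and the "25% better than the band limit" acceptance rule from the SIL verification procedure, put together in one calculation. This is an added example, not the course's or KOC's calculation tool: the beta term is modelled the IEC 61508 way as an assumption of the example, and the subsystem failure rates in the demo SIF are constructed.

```python
"""Simplified-equation SIL verification (added worked example)."""
from math import comb

# Upper PFDavg limit of each SIL band (low-demand mode).
SIL_UPPER_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}
# Architectures covered by the slide's table, as (r, n): r of n channels must work.
SUPPORTED = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


def pfd_avg(lambda_d, ti, architecture, beta=0.0):
    """PFDavg of one subsystem (sensor, logic solver or final element).

    Independent term C(n,k) * (lambda_d*Ti)^k / (k+1), with k = n-r+1 dangerous
    failures needed to defeat an r-out-of-n vote. This reproduces the slide:
    lambda_d*Ti/2 (1oo1), (lambda_d*Ti)^2/3 (1oo2), lambda_d*Ti (2oo2),
    (lambda_d*Ti)^2 (2oo3). For redundant subsystems a fraction beta of the
    dangerous rate is treated as common cause and behaves like a single channel
    (assumption of this example, following the IEC 61508 beta model)."""
    r, n = SUPPORTED[architecture]
    k = n - r + 1
    if n == 1:
        return lambda_d * ti / 2
    independent = comb(n, k) * ((1 - beta) * lambda_d * ti) ** k / (k + 1)
    return independent + beta * lambda_d * ti / 2


def spurious_trip_rate(lambda_s, mttr, architecture):
    """Slide's STR forms: lambda_s (1oo1), 2*lambda_s (1oo2), 2*lambda_s^2*MTTR
    (2oo2), 6*lambda_s^2*MTTR (2oo3). A 2ooN vote trips only if a second safe
    failure occurs while the first is still under repair, hence the MTTR factor."""
    r, n = SUPPORTED[architecture]
    if r == 1:
        return n * lambda_s
    return comb(n, 2) * 2 * lambda_s ** 2 * mttr


def sif_pfd(subsystems, beta_identical=0.05):
    """Total PFDavg of a SIF = sum of its subsystems' PFDavg (5% beta for identical
    redundant channels, per the procedure; no beta term for a single channel).
    subsystems: list of (name, lambda_d per yr, test interval in yr, architecture)."""
    return sum(pfd_avg(ld, ti, arch, beta_identical if arch != "1oo1" else 0.0)
               for _, ld, ti, arch in subsystems)


def verify_sil(pfd_total, target_sil, margin=0.25):
    """Procedure rule: calculated PFD must beat the band limit by 25%, i.e.
    PFD < 0.75 * upper limit (SIL 1 < 7.5e-2, SIL 2 < 7.5e-3, SIL 3 < 7.5e-4).
    Returns (passes, limit)."""
    limit = (1 - margin) * SIL_UPPER_PFD[target_sil]
    return pfd_total < limit, limit


# Constructed SIF: 6-month proof test (Ti = 0.5 yr), dangerous failure rates per year.
DEMO_SIF = [
    ("pressure transmitters", 0.04, 0.5, "1oo2"),
    ("safety PLC", 0.002, 0.5, "1oo1"),
    ("solenoid + ESDV", 0.02, 0.5, "1oo1"),
]

if __name__ == "__main__":
    total = sif_pfd(DEMO_SIF)
    for sil in (1, 2, 3):
        ok, limit = verify_sil(total, sil)
        print(f"PFDavg {total:.3e}: SIL {sil} limit {limit:.2e} -> {'pass' if ok else 'fail'}")
```

Note how the final element dominates the demo total (5.0E-3 of 6.1E-3), which is why valve proof-test interval and partial stroke testing are usually the first levers when a design misses its target.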

Exercise on PFD Calculation

• Failure Rates:
  o Pump fails 0.1/yr.
  o LT 0.05/yr. in each direction
  o LRC 0.02/yr. in each direction
  o LV 0.01/yr. in each direction
  o LA 0.02/yr. dangerous failure
  o LS1 0.03/yr. dangerous failure
  o LS2 0.5/yr. dangerous failure
• Testing occurs once every 3 months
• Operator fails 1 in 50
• Demand: High Level
• Determine the PFD for each case (Design A and Design B)


Accuracy of SIL Verification Calculations


There are efforts to attempt to quantify the amount of error in SIL calculations. The objective of this effort is to
determine how much of a margin of error should be placed in the acceptance of a SIL verification calculation. For
instance, if a SIL 2 function is desired and the calculation shows a risk reduction factor of 102 was achieved, is that
good enough?

The theory being proposed is that you should establish a limit on what RRF value is acceptable based on the amount of
error that is present. So, for instance, if you determine that your SIL verification calculation has an error of +/- 5, then a
calculation of an RRF of 102 is really an RRF of between 97 and 107; since 97 does not achieve the SIL 2 target,
you should modify the design until the full range, including worst case error, is within the SIL band.

The problem is that the SIL verification process is already loaded with so many safety factors that adding another one here
is going to cross from very conservative over to comical.

Additionally, this approach violates the spirit and philosophy of how we have performed SIL verification calculations. SIL
verification calculations, since their inception, have used this approach of setting a confidence boundary. In IEC 61508
(and the current version of IEC 61511) there are several references to a 70% single-sided confidence limit when
determining failure rates. When using this approach, you are essentially saying that, for an instrument, I am confident
(to the degree of 70%) that the failure rate is below a certain number. This is different from claiming that I know exactly
what the failure rate is. It is this 70% confidence limit that is now, and always has been the “margin of safety” factor
employed to ensure that SIS designs are conservative and include a conservative factor to account for uncertainty in
numbers. Adding more uncertainty analysis is unnecessary and counter-productive.

Safety Requirements Specification (SRS) (1)

The SRS development occurs at the end of the Conceptual Design/SIL Verification phase – after the proposed design has been confirmed to achieve its target.

The objective of the SRS is to define both functional and performance related requirements for the SIS.

The IEC 61511 / ISA 84.00.01-2004 standard provides a listing of the information that should be documented, or at least considered during this phase. This information includes the following items:

• A description of all the safety instrumented functions necessary to achieve the required functional safety
• Requirements to identify and take account of common cause failures
• A definition of the safe state of the process for each identified safety instrumented function
• A definition of any individually safe process states which, when occurring concurrently, create a separate hazard (for example, overload of emergency storage, multiple relief to flare system)
• The assumed sources of demand and demand rate on the safety instrumented function
• Requirement for proof-test intervals
• Response time requirements for the SIS to bring the process to a safe state
• The safety integrity level and mode of operation (demand/continuous) for each safety instrumented function

Safety Requirements Specification (SRS) (2)

• A description of SIS process measurements and their trip points
• A description of SIS process output actions and the criteria for successful operation, for example, requirements for tight shut-off valves
• The functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives
• Requirements for manual shutdown
• Requirements relating to energize or de-energize to trip
• Requirements for resetting the SIS after a shutdown
• Maximum allowable spurious trip rate
• Failure modes and desired response of the SIS (for example, alarms, automatic shutdown)
• Any specific requirements related to the procedures for starting up and restarting the SIS
• All interfaces between the SIS and any other system (including the BPCS and operators)
• A description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode


Safety Requirements Specification (SRS) (3)

• The application software safety requirements
• Requirements for overrides/inhibits/bypasses including how they will be cleared
• The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS. Any such action shall be determined taking account of all relevant human factors
• The mean time to repair which is feasible for the SIS, taking into account the travel time, location, spares holding, service contracts, environmental constraints
• Identification of the dangerous combinations of output states of the SIS that need to be avoided
• The extremes of all environmental conditions that are likely to be encountered by the SIS shall be identified. This may require consideration of the following: temperature, humidity, contaminants, grounding, electromagnetic interference/radiofrequency interference (EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification, flooding, lightning, and other related factors
• Identification of normal and abnormal modes for both the plant as a whole (for example, plant start-up) and individual plant operational procedures (for example, equipment maintenance, sensor calibration and/or repair). Additional safety instrumented functions may be required to support these modes of operation
• Definition of the requirements for any safety instrumented function necessary to survive a major accident event, for example, time required for a valve to remain operational in the event of a fire

SRS Specification Sheet


Final Remarks


Why do I need Functional Safety Management ?


If the SIL assessment says you need a SIL 1 safety loop then that means
that without that one safety loop the actual risk of fatality is more than 10
times the wrong side of what is tolerable.

A SIL 2 loop means that without that one loop the actual risk of a fatal
accident is more than 100 times the wrong side of your tolerable target

A SIL 3 ... actual risk is more than 1000 times the wrong side of tolerable
without that safety loop being fully functional

A SIL 4 ... it exists under the standard but does your company really want to
admit that without that one safety loop you have a risk that large?

Why do I need Functional Safety Management? (2)

Your safety ...

Everyone's safety ...

... depends on that one safety loop functioning correctly

... That's why you need:

Functional Safety Management

So if I have Functional Safety Management in Accordance with IEC 61508 Group of Standards ... what will that show?

• Your company has a clear safety policy that includes the measures and systems your company uses to achieve functional safety.
• There is a clear organization structure with clear responsibilities for safety
• Appropriate techniques and measures are in place complete with a conformance plan
• Non-conformances are identified and corrective actions are implemented, recorded and documented
• The competencies of everyone involved are assessed for their roles, duties and job functions
• If a hazardous incident occurs, or if a near-miss occurs, there is a reporting and assessment system in place (and records are kept for others in the organization to learn from)
• The performance of the safety measures is assessed
• Functional safety is audited
• Modifications are assessed, checked and reviewed
• Training and practice for emergency services and others (if this is applicable)
• The implementation of safety plans is monitored and progress is tracked and reviewed
• The whole safety management is subject to regular reviews
• Suppliers and sub-contractors are assessed
• Risk evaluation and risk management is undertaken
• Safety planning


Important Facts About Functional Safety Management

The presence of a certified expert is NOT proof of "Functional Safety Management"

... The functional safety management will review the competencies of everyone involved and it identifies those who require particular expertise. Thus, the use of a functional safety expert may sometimes be appropriate as a decision that comes out of a contractor's or supplier's Functional Safety Management, but it is NOT a substitute for Functional Safety Management

... Functional Safety Management covers EVERYBODY involved ... not just the expert ... not just the technician

... it involves everybody involved with the safety system (including those overseeing the project!)

... so, don't accept the presence of an "expert" as proof of Functional Safety Management (there are no certified experts mentioned in the standard)


Important Facts About SIL (1)


A certified claim that a component is “SIL 2” (or any other SIL number) does
NOT mean that it is suitable for use in your “SIL 2” safety loop.

... The SIL number does not apply to the components in isolation

... The SIL rating applies to the whole loop and NOT just the individual
components in the loop

... The loop architecture also plays a part in the reliability required of an
individual component

... It is NOT at all unusual to find that a collection of "SIL 3" parts put together in a loop only achieve SIL 1 or SIL 2 ... and the SIL rating is a safety LOOP value, not a component value
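The point above can be checked numerically. The following is an added example, not part of the course slides: it uses the IEC 61508 low-demand SIL bands and the simplified PFDavg approximations (1oo1: λDU·TI/2; 1oo2 with beta-factor common cause) to show three individually "SIL 3 capable" subsystems summing to a loop that only reaches SIL 2. The failure rates and proof-test intervals are constructed for illustration, and the block checks the PFD target only, not the hardware fault tolerance or systematic capability requirements that a real SIL claim also needs.

```python
"""Loop-level SIL from subsystem PFDavg (added example, values constructed)."""

# IEC 61508 low-demand SIL bands as (lower bound inclusive, upper bound exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd_avg: float) -> int:
    """Map an average probability of failure on demand to a SIL; 0 = below SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Simplified PFDavg of a single channel: dangerous undetected rate x TI / 2."""
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float = 0.1) -> float:
    """Simplified 1oo2 PFDavg: independent-failure term plus beta-factor CCF term."""
    lam_ind = (1.0 - beta) * lambda_du
    return (lam_ind * ti_hours) ** 2 / 3.0 + beta * lambda_du * ti_hours / 2.0


def loop_pfd_and_sil(subsystem_pfds):
    """Loop PFDavg is approximated as the sum of its subsystems (sensor, logic, final element)."""
    total = sum(subsystem_pfds)
    return total, sil_from_pfd(total)


if __name__ == "__main__":
    ti = 8760.0  # constructed: annual proof test
    sensor = pfd_1oo1(2e-7, ti)      # 8.76e-4 -> SIL 3 band on its own
    logic = pfd_1oo1(1e-8, ti)       # 4.38e-5 -> SIL 4 band on its own
    valve = pfd_1oo1(2e-7, ti)       # 8.76e-4 -> SIL 3 band on its own
    pfd, sil = loop_pfd_and_sil([sensor, logic, valve])
    print(f"1oo1 valve: loop PFDavg={pfd:.2e} -> SIL {sil}")   # SIL 2, not SIL 3
    # Architecture matters: a redundant 1oo2 valve pair lowers the final-element term,
    # but the loop is still dominated by the sensor and stays SIL 2.
    pfd2, sil2 = loop_pfd_and_sil([sensor, logic, pfd_1oo2(2e-7, ti)])
    print(f"1oo2 valve: loop PFDavg={pfd2:.2e} -> SIL {sil2}")
```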

Important Facts About SIL (2)


• The part of a safety instrumented system that is most likely to fail is ... the people
• Almost everyone will choose a certified PLC ... usually the MOST reliable part of the loop, even without a certificate
• A lot of people will ask for a certified transmitter ... less reliable than the PLC but usually robust
• Some people will ask for a certificate with the valve ... an unreliable part of the loop
• Too many people fail to ask for the safety report ... the bit that is ESSENTIAL for the design (they went away surprisingly happy with a certificate!)
• Hardly anyone asks about the people ... the LEAST reliable part (the part covered by functional safety management)

Be Careful What You Ask For ...

Risk Management Triangle

• Proliferation of SIFs/SISs, given the perception that their installation is easier than other, more significant process design modifications to reduce risk.
• There are several reasons for this increase of SIS/SIFs:
  o The inherently safer design (ISD) approach has not been fully embedded in new projects.
  o SIS/SIFs are desirable for operational or environmental reasons in some situations where they are not necessary for hazard management.
  o The use of API RP14C is mandated for the US. Engineers like it because it is prescriptive and avoids the need to address more difficult questions, like:
    - Is it safe?
    - Are all the instrumented alarms and trips effective?
    - Is the design less safe because of a higher rate of unnecessary plant trips?
  o The use of HIPPS for the development of high pressure reservoirs in deep water.

The use of SIF/SIS should be applied only after first considering and ruling out alternative approaches to eliminate the hazard, because, besides being "add on" safety measures, they are "active" systems, so they come towards the bottom of the hazard management triangle.

Thank You
