8/13/2019 SIL Determination Guideline
http://slidepdf.com/reader/full/sil-determination-guideline 1/36
Safety Integrity Level (SIL) Determination Guideline – EPP-0263
30 May 2008
Level 12, 141 Walker Street, North Sydney NSW 2060, Australia
+61 2 8923 6866 / +61 2 8923 6877
ABN 61 001 279 812
SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE
PROJECT - SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE
REV | DESCRIPTION    | ORIG      | REVIEW    | WORLEYPARSONS APPROVAL | DATE      | CUSTOMER APPROVAL | DATE
1   | Issued for use | K Bahrami | J Pohlner | L Wheeler              | 30-May-08 | N/A               |
002-000-PDW-228 (019056) EPP-0263 Corporate Base, Page 2 of 36, Rev 1 (30-May-08)
SYNOPSIS
This guideline presents the WorleyParsons methodology for undertaking a Safety Integrity Level (SIL)
determination study. The methodology follows the intent of ‘IEC 61511-3: Guidance for the
determination of the required safety integrity levels’, which requires that the SIL rating of Safety
Instrumented Functions (SIFs) be determined.
This guideline has been developed to assist engineers, designers and other project decision makers
to deliver safe, reliable and sustainable design outcomes.
CONTENTS
1. INTRODUCTION ... 5
1.1 Application ... 7
1.2 Roles and Responsibilities ... 7
2. ABBREVIATIONS AND TERMINOLOGIES ... 8
3. SIL DETERMINATION METHODOLOGY ... 10
4. SIL DETERMINATION - PREPARATION ... 12
4.1 Charter ... 12
4.2 Timing ... 12
4.3 Attendees ... 13
4.4 Workshop Duration ... 13
4.5 Role of the Coordinator / Project Engineer ... 13
4.5.1 Before the Sessions ... 14
4.5.2 During the Sessions ... 14
4.5.3 After the Sessions ... 14
4.6 The Facilitator ... 14
4.6.1 Before the Sessions ... 15
4.6.2 During the Sessions ... 15
4.6.3 After the Sessions ... 15
4.7 Technical Scribe ... 16
4.8 Documentation Requirements ... 16
5. SIL DETERMINATION – WORKSHOP ... 17
5.1 Workshop Procedure ... 17
5.2 SIF Assessment ... 17
5.2.1 Establish Context for each System and the Safety Target of the Process ... 17
5.2.2 Identify SIFs Needed ... 17
5.2.3 Determine required SIL of the SIF ... 18
5.3 Recording ... 18
5.4 SIL Determination Report ... 18
5.5 Archiving ... 19
6. LAYER OF PROTECTION ANALYSIS (LOPA) METHOD ... 20
6.1 Protection Layers ... 21
6.2 LOPA Steps ... 22
7. SIL VERIFICATION ... 25
8. REFERENCES ... 26
APPENDIX 1 - EXAMPLE WORKSHEET FOR SIL DETERMINATION - LOPA METHOD (ANNEX F - IEC 61511 PART 3)
APPENDIX 2 - SIL DETERMINATION – SIL MATRIX METHOD (ANNEX C - IEC 61511 PART 3)
APPENDIX 3 - SIL DETERMINATION - RISK GRAPH METHOD (ANNEX D - IEC 61511 PART 3)
1. INTRODUCTION
Phase 2 of the safety life-cycle defined in IEC 61511-1 requires the determination of a Safety Integrity
Level (SIL) for the design of a Safety Instrumented Function (SIF).
The objectives of Clause 9 (Phase 2) are the allocation of safety functions to protection layers and,
for each safety instrumented function, the determination of the associated safety integrity level. Inputs to
this phase are a description of the required safety instrumented function(s) and the associated safety
integrity requirements; the output is a description of the allocation of the safety requirements.
Determination of the SIL rating of a SIF is an important process in ensuring that the design is
adequate and that any risk associated with the SIF failure is tolerable (i.e. the residual risk is as low
as is reasonably practicable – ALARP).
Once the SIL rating has been established the SIF design must be analysed to ensure that it meets the
required level of reliability. This is termed SIL Verification and is covered by SIL Verification Guideline
EPP-0266.
The primary focus of the SIL determination process is Safety. However, the integrity level
determination process can also be used for any type of control that provides protection against
Environmental risks (EIL rating) and Asset (Business or Financial and Property) risks (AIL rating).
This guideline has been developed in accordance with the functional safety standard IEC 61511,
which is process industry specific within the framework of IEC 61508 [Ref 1], [Ref 2]. Both of these
standards are recognized and generally accepted as good engineering practice for Safety
Instrumented Systems (SIS).
This guideline contains the minimum requirements for the SIL study determination conducted by or for
WorleyParsons to ensure that all the required information is available, the most suitable people are
involved, and the documentation meets WorleyParsons requirements.
The document assumes a reasonable working knowledge of the hazardous scenario identification
(HAZID and HazOp) studies and the use of qualitative and semi-quantitative Risk assessment
processes to determine risk and SIL ratings.
Figure 1-1: SIS safety life-cycle phases and functional safety assessment stages based on IEC 61511
1.1 Application
The SIL determination process is applicable to all Customer Sector Groups (CSGs) and to the three
phases of project execution:
- Define - Front End Engineering Design (FEED)
- Execute - Detailed Engineering
- Operate - Asset Services, Maintenance, Upgrade
1.2 Roles and Responsibilities
This guideline makes reference to the following position titles:
Project Manager - The Project Manager is responsible for ensuring the SIL Determination
requirements are executed on the project in accordance with the Project Execution Plan. These
responsibilities include appointment of a SIL Determination Coordinator and a SIL Determination
Facilitator.
SIL Determination Coordinator / Project Engineer – This is the person in charge of organizing the
SIL Determination workshop, ensuring that the SIL Determination report is developed and circulated.
SIL Determination Facilitator – The person in charge of running the SIL Determination workshop
and developing the report.
Workshop Technical Scribe - For most workshops, an experienced technical scribe is preferred.
2. ABBREVIATIONS AND TERMINOLOGIES
AIL Asset Integrity Level
ALARP As Low As Reasonably Practicable
BPCS Basic Process Control System
E/E/PES Electrical/Electronic/Programmable Electronic safety-related systems
EIL Environment Integrity Level
ESD Emergency Shutdown
IPL Independent Protection Layer
LOPA Layer of Protection Analysis
PFD Probability of Failure on Demand
PHA Process Hazard Analysis
PLC Programmable Logic Controller
SRS Safety Requirements Specification
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
Safety Integrity Level (SIL): The IEC 61511 standard defines the Safety Integrity Level (SIL) as a
discrete value (one out of four) for specifying the safety integrity requirements of the safety functions
to be allocated to the safety instrumented functions. The higher the SIL, the higher the probability that
the safety function is correctly executed, the lower the average Probability of Failure on Demand.
A SIL 4 has the highest level of reliability and hence safety integrity and SIL 1 has the lowest.
Independent Protection Layer (IPL): A safeguard / layer of protection that (with certain probability)
will prevent an unsafe scenario from progressing regardless of the initiating event or the performance
of another layer of protection.
Safety Function: Function to be implemented by a safety instrumented system, other technology
safety-related system or external risk reduction facilities, which is intended to achieve or maintain a
safe state for the equipment, in respect of a specific hazardous event
Mode of Operation: Safety Instrumented Systems are split into two types, based on the mode of
operation in which the system is intended to be used, with respect to the frequency of demands made
upon it.
For a SIS operating in a low demand mode of operation, the safety integrity measure of interest is the
average probability of failure to perform its designed function on demand. For a SIS operating in a
continuous mode of operation, the safety integrity measure of interest is the frequency of a dangerous
failure per hour.
The SIL ratings and requirements relating to both systems and their application are shown below.
(Columns: SIL; Continuous (High) Demand Mode of Operation - Failure Rate / hour; Low Demand Mode of
Operation - Probability of Failure on Demand, given both as a power of ten and as "1 in N"; Risk
Reduction Factor (RRF).)
SIL | Failure Rate / hour (High Demand) | PFD (Low Demand) | PFD as 1 in N (Low Demand) | RRF
1   | < 10^-5 to 10^-6                  | < 10^-1 to 10^-2 | < 1 in 10 to 1 in 100      | 10 – 100
2   | < 10^-6 to 10^-7                  | < 10^-2 to 10^-3 | < 1 in 100 to 1 in 1000    | 100 – 1,000
3   | < 10^-7 to 10^-8                  | < 10^-3 to 10^-4 | < 1 in 1000 to 1 in 10000  | 1,000 – 10,000
4   | < 10^-8 to 10^-9                  | < 10^-4 to 10^-5 | Less than 1 in 10000       | 10,000 – 100,000
High Demand Mode: where the frequency of demands for operation made on the system is
greater than one per year or greater than twice the proof test frequency. An example of this
could be the braking system on a car. The safety integrity measure of interest is the frequency of
a dangerous failure per hour.
Low Demand Mode: where the frequency of demands for operation made on the system is no
greater than one per year and no greater than twice the proof test frequency. An example of this
could be an air bag within a car. The safety integrity measure of interest is the average
probability of failure to perform its designed function on demand.
Necessary Risk Reduction: Risk reduction to be achieved by the E/E/PE safety-related systems,
other technology safety-related systems and external risk reduction facilities in order to ensure that
the tolerable risk is not exceeded.
Intermediate Event Likelihood: The Intermediate Event Likelihood is calculated by multiplying the
Initiating Event Likelihood by the PFDs of the protection layers and mitigating layers.
Required (Target) Event Likelihood: Corporate (Customer) Criteria for Events of this Severity Level.
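The arithmetic behind the definitions above (Intermediate Event Likelihood as the initiating event likelihood multiplied by the PFDs of the credited layers, the Required Event Likelihood as the target, the RRF bands of the SIL table, and the low/high demand test), worked through as an added Python example. It is not part of this guideline nor of the EPF-0267 worksheet: the initiating-event frequency, the two protection layers and their PFDs are constructed figures, and the tolerable-risk target is a placeholder standing in for the customer's criterion for that severity level.

```python
"""Worked SIL-determination arithmetic built from the definitions on this page.

Added example; not part of the WorleyParsons guideline or its worksheet.
All scenario figures are constructed for illustration, and the tolerable-risk
target is a placeholder, not a real corporate criterion.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Union

Number = Union[str, int, float, Fraction]


def _frac(x: Number) -> Fraction:
    # Strings such as "0.1" keep the arithmetic exact, which matters when a
    # result lands on a band boundary such as RRF = 100; floats are accepted too.
    return x if isinstance(x, Fraction) else Fraction(str(x))


@dataclass
class ProtectionLayer:
    name: str
    pfd: Number  # probability of failure on demand of this independent layer


def demand_mode(demands_per_year: Number, proof_tests_per_year: Number) -> str:
    """Low demand: demands no greater than one per year AND no greater than
    twice the proof-test frequency; otherwise high (continuous) demand, where
    the PFD table does not apply and dangerous failure rate per hour is used."""
    d, p = _frac(demands_per_year), _frac(proof_tests_per_year)
    return "low" if d <= 1 and d <= 2 * p else "high"


def intermediate_event_likelihood(initiating_event_per_year: Number,
                                  layers: List[ProtectionLayer]) -> Fraction:
    """Intermediate Event Likelihood = initiating event likelihood multiplied
    by the PFD of every protection / mitigation layer that is credited."""
    likelihood = _frac(initiating_event_per_year)
    for layer in layers:
        pfd = _frac(layer.pfd)
        if not 0 < pfd <= 1:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1], got {pfd}")
        likelihood *= pfd
    return likelihood


def required_rrf(intermediate_per_year: Number, target_per_year: Number) -> Fraction:
    """Risk reduction the SIF must supply for the target event likelihood to be met."""
    return _frac(intermediate_per_year) / _frac(target_per_year)


def sil_for_rrf(rrf: Number) -> str:
    """Map a required RRF onto the page's low-demand table:
    SIL 1: 10-100, SIL 2: 100-1,000, SIL 3: 1,000-10,000, SIL 4: 10,000-100,000.
    Each band is read as 10^n < RRF <= 10^(n+1), mirroring the PFD column
    '< 10^-n to 10^-(n+1)'."""
    r = _frac(rrf)
    if r <= 1:
        return "no SIF required (target already met by existing layers)"
    if r <= 10:
        return "below SIL 1 (a non-SIL-rated function may suffice)"
    for sil in range(1, 5):
        if Fraction(10) ** sil < r <= Fraction(10) ** (sil + 1):
            return f"SIL {sil}"
    return "exceeds SIL 4 (add independent protection layers or change the design)"


def determine_sil(initiating_event_per_year: Number, layers: List[ProtectionLayer],
                  target_per_year: Number) -> dict:
    """Full pass: intermediate likelihood -> required RRF -> SIL band; the
    required PFD is what SIL verification must later confirm the design achieves."""
    iel = intermediate_event_likelihood(initiating_event_per_year, layers)
    rrf = required_rrf(iel, target_per_year)
    return {"intermediate_per_year": iel, "required_rrf": rrf,
            "required_pfd": 1 / rrf, "sil": sil_for_rrf(rrf)}


# Constructed scenario: BPCS control loop failure leads to vessel overpressure.
CONSTRUCTED_LAYERS = [
    # Credited only on the assumption that the alarm is independent of the
    # failed BPCS loop; an alarm raised by that same loop would not be an IPL.
    ProtectionLayer("Operator response to independent high-pressure alarm", "0.1"),
    ProtectionLayer("Pressure relief valve", "0.01"),
]
CONSTRUCTED_INITIATING_EVENT = "0.1"  # BPCS loop failures per year (constructed)
PLACEHOLDER_TARGET = "0.0000005"       # tolerable frequency per year (placeholder)

if __name__ == "__main__":
    result = determine_sil(CONSTRUCTED_INITIATING_EVENT, CONSTRUCTED_LAYERS, PLACEHOLDER_TARGET)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("demand mode:", demand_mode(CONSTRUCTED_INITIATING_EVENT, 1))
```

With these constructed figures the intermediate likelihood is 10^-4 per year, the required RRF is 200 and the function lands in the SIL 2 band; the derived `required_pfd` of 1/200 is the figure the subsequent SIL verification (EPP-0266) has to show the designed SIF actually achieves. The `demand_mode` check is there because the whole PFD column only applies in low demand mode; a function demanded more than once a year would have to be assessed on failure rate per hour instead.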
3. SIL DETERMINATION METHODOLOGY
A safety function is implemented by a SIS, other technology safety-related system or external risk
reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect
to a specific hazardous event. The safety functions in process industries are most often delegated to
electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS).
The functional safety standards IEC 61508 and IEC 61511 propose guidelines which can be used in
order to define the requirements for achieving a specified Safety Integrity Level (SIL) and in order to
evaluate the actual availability of a SIS.
There are several methods that can be used for SIL determination for a specific safety instrumented
function. IEC 61511-3 presents information on a number of methods that have been used. The
method selected for a specific application will depend on many factors, including:
- The customer
- The complexity of the application
- The guidelines from regulatory authorities
- The nature of the risk and the required risk reduction
- The experience and skills of the person available to undertake the work
- The information available on the parameters relevant to the risk.
The following are basic and generic steps to determine a safety function SIL rating based on IEC
61511:
- Perform a hazard and risk analysis to evaluate existing risk
- Identify safety function(s) needed
- Allocate safety function(s) to independent protection layers
- Determine if a SIF is required
- Determine required SIL of the SIF.
The methods presented in this guideline are based on IEC 61511 and utilise a Workshop approach:
- Layer of Protection Analysis (LOPA)
- SIL Matrix
- Risk Graph
The LOPA methodology as covered in IEC 61508 Part 7 is one of the WorleyParsons preferred
methods as it provides a logical means of evaluating a large number of SIFs, and includes means to
consider several key parameters (severity, likelihood, occupancy, and safeguards). As such the LOPA
methodology is described in this Guideline. For completeness, the SIL Matrix and Risk Graph methods
are included in Appendices 2 and 3.
In some applications more than one method may be used. A qualitative method may be used as a
first pass to determine the required SIL of all the SIFs. Those which are assigned a high SIL by this
method should then be considered in greater detail using a quantitative method to give a more
rigorous understanding of their required safety integrity.
Note:
1. Some customers may have their own SIL determination guidelines. If this is the case, then
there needs to be clear agreement as to which process will be used before the SIL
determination proceeds.
2. There is commercial SIL determination / documentation software available which can
enhance the determination and documentation processes.
4. SIL DETERMINATION - PREPARATION
The SIL determination process is based on the principle that a team approach to risk assessment will
identify more problems than when individuals working separately combine results.
As such, the SIL determination should be conducted in a Brainstorming Workshop environment
similar to a HazOp or HAZID session.
The first major element for a successful SIL determination process is that it is well planned prior to the
workshop taking place.
This planning needs to ensure that:
- The design is sufficiently progressed and that it can be understood and questioned by the SIL
  workshop clearly and in sufficient detail to arrive at an appropriate SIL determination.
- The SIL workshop attendees are invited early enough to be involved.
- Prior to the workshop, the responsible project designer (process or instrument) should produce a
  concise list of SIFs to be reviewed. The facilitator can work with the designer but ultimately it is
  the designer's responsibility to generate the actual list of SIFs to be reviewed containing the
  following information:
  - SIF descriptor
  - P&ID reference
- The facilitator needs to ensure that these elements have been satisfactorily completed prior to
  the workshop taking place. If necessary the facilitator should postpone or cancel the workshop
  until he/she is satisfied.
4.1 Charter
The Safety Workshop Charter defines the scope of the SIL Determination, the attendees, the
proposed duration, location and date. The use of the Charter is MANDATORY for all SIL
Determination studies.
4.2 Timing
The SIL Determination study should be conducted after the process design (or equivalent) has been
finalized, P&IDs developed (basic or detailed design), the design review is conducted, and the
process design has been subjected to a process HazOp study.
The SIL Determination workshop should not be undertaken before the design is complete to the
extent required for the particular study and the HazOp study is done. The SIL Determination
facilitator should not proceed with the study if the design is poorly completed or the HazOp study has
not been done.
4.3 Attendees
The workshop team shall be multi-disciplinary and comprise representatives from major groups
involved. People should be selected for their knowledge of the process and/or equipment and/or
ability to make a technical contribution.
The attendees should include experienced project and/or operations personnel as set out in the
functional safety standards. This requires that the team involved in making the SIL decisions consists
of participants with certain types of expertise. It is generally appropriate to include the following
personnel:
- Competent Facilitator
- Technical Scribe / secretary
- Operator with experience in operating the process under consideration
- Process Engineer - Engineer with expertise in the process design
- Instrument/Control engineer with experience in the process under consideration
- Lead Safety and Risk engineer
- Customer Safety Coordinator (if relevant)
The actual composition of the team depends on the particular study. The composition may also vary
from meeting to meeting within a study as various technical specialists are utilized on an as-needed
basis. The team composition shall be defined on the charter.
4.4 Workshop Duration
Duration of the SIL Determination workshop depends on the complexity and size of the project, as
well as the team size and composition. The expected duration of the SIL Determination should be
discussed and agreed with the SIL Determination Facilitator once they have had an opportunity to
review the project scope and drawings.
The typical duration for a Greenfield site is about 2 to 3 hours per Safety Instrumented Function (SIF).
SIL Determination must be planned with regular breaks and ideally they should be limited to 6 hrs per
day. This enables personnel to keep in touch with their normal workload and prevents fatigue.
Additionally it allows time for the facilitator and scribe to tidy up the existing records and plan for the
next session.
4.5 Role of the Coordinator / Project Engineer
Main responsibilities of the Coordinator / Project Engineer according to the different stages of the
study are described as follows:
4.5.1 Before the Sessions
- Book the facilitator and select the team members with advice from the Facilitator.
- Organise a Scribe if appropriate. Note the scribe must have a technical background.
- Set a date, time and duration for the workshop and book an appropriate location.
- Arrange a data projector and computer for use. (Though there are different ways to record the
  minutes, WorleyParsons strongly advocates the projection of the minutes to ensure agreement
  and understanding between the team. This may mean a laptop and data projector, or it may be
  as simple as a printable whiteboard.)
- Ensure the required documentation is available (see Section 5.6).
- Issue the relevant documents to the facilitator no less than 3-5 working days (depending on the
  project size) prior to the session.
- Prepare and distribute the Charter.
- Organise catering if appropriate.
4.5.2 During the Sessions
- Provide an introduction to the Project.
- Provide guidance on the Scope of the study.
4.5.3 After the Sessions
Every project has its own document control system. Normally the following steps are followed:
- Review the minutes of the meeting and circulate for review.
- Distribute the Draft Report (Revision A) for review.
- Gain sign-off on the Final Report (Revision 0).
4.6 The Facilitator
It is a WorleyParsons requirement that an independent, competent facilitator, experienced in the
field of study, is used. The SIL determination facilitator should not be closely associated with
designing or delivering the subject of the study, as there is a danger of real or perceived conflicts of
interest in the identification of hazards, operability problems or design flaws. This will help ensure
compliance with the minimum required level of independence for carrying out SIL assessments (refer
to IEC 61508).
The major role of the facilitator is to guide the team in the process during the SIL determination
session. However the facilitator should assist with the defining of objectives for the study, reviewing
the Charter, choosing team members and adequately preparing for the study.
The responsibilities of the facilitator according to the different phases of the study are described as
follows.
4.6.1 Before the Sessions
- Ensure the objectives and scope are clearly defined.
- Ensure that the proposed team and facilities for the study are appropriate.
- In conjunction with the Process / IE Engineer identify existing SIFs and determine a preliminary
  description of each (to be confirmed with the Study Team during the workshop).
- In conjunction with the Coordinator estimate the duration of the workshop.
- Review any previous HazOp and any SIL study, Safety Case or Risk Assessment
  documentation.
- Plan the study sequence.
- Calibrate the determination / recording software (if any).
4.6.2 During the Sessions
- Ensure that the team members understand the method and their individual roles.
- Guide the team in the technique.
- Ensure that the full range of events is generated and that a full range of realistic causes and
  consequences is developed.
- Ensure that all team members participate in the discussions and that those who have the specific
  technical knowledge or ability are given the opportunity to express their views; avoid one team
  member dominating the discussions.
- Keep the discussions to the topic under review; minimize side-track discussions.
- Keep track of time; if discussion of a particular issue is taking too long, record an “action” to
  resolve it outside of the meeting.
- Ensure the results of the process are accurately recorded.
Note: The use of a data projector to display the “minutes” as they are recorded allows the Facilitator to
advise that the minutes / Study records represent the consensus of the meeting and an already
“accepted” set of minutes of the meeting.
4.6.3 After the Sessions
- The minutes of the meeting are reviewed and circulated to workshop attendees.
- Prepare the Draft report (normally as Rev A) and issue to the Coordinator for distribution and
  review.
- Incorporate any alterations, revise the minutes and reissue the Report as “Final” / “For Use”,
  normally as Rev 0.
4.7 Technical Scribe
For most workshops, an experienced technical scribe is preferred as part of the Study Team since
they can have a significant impact in terms of efficiency by enabling the facilitator to concentrate on
the process and not the records. For large studies there may be value in having more than one
scribe, using them in rotation to limit fatigue. For small and simple studies, the facilitator may elect to
take on the responsibility of the technical scribe or secretary.
4.8 Documentation Requirements
For the LOPA study, it is required to have agreed tolerable risk criteria (specific limit per yr) for each
of the consequence categories studied before the workshop can be started. Also there needs to be a
list of proposed SIFs agreed and suitably documented.
The following documents need to be available to the team during the study session:
- Basis of Design
- Process Description
- Process Flow Diagrams (PFDs - for process systems)
- Utility Flow Diagrams (UFDs - for utility systems)
- Piping and Instrumentation Diagrams (P&IDs - for both process and utility systems)
- Plant / Equipment Layouts (preliminary)
- Previous hazard study documents
- Cause and effect diagrams
In addition, the following documents should be available for reference, where applicable:
- Control Philosophy
- Shutdown Philosophy
- Isolation Philosophy
- Fire & Safety Philosophy
- Fire & Gas Detection Philosophy
- Hazardous Area Drawings
- Relief and Blowdown Philosophy
5. SIL DETERMINATION – WORKSHOP
In order to determine the required SIL of the safety instrumented functions (SIFs), it is necessary to
define the customer’s tolerable risk target in terms of probability and consequence of the process
potential incidents. This would take place by discussion and agreement between the interested
parties before the workshop (for example safety regulatory authorities, those producing the risks and
those exposed to the risks).
The following sections outline the main sequence of events associated with the SIL determination
process as developed by WorleyParsons. This process is consistent with IEC 61511, IEC 61508 and
the concepts of Risk Management in AS/NZ 4360.
5.1 Workshop Procedure
The procedure for each meeting/session is as follows:
1. Introduction of team members and their responsibilities (an attendance sheet should be circulated
   to formally record all attendees, including their signature to confirm attendance).
2. Statement of the objectives and scope of the study (by the Coordinator and / or facilitator).
3. Brief outline of the plan for the study (by the facilitator), going into the study process in more
   detail if any team member is not familiar with the method.
4. SIF Assessment as the next step (see Section 5.2).
5.2 SIF Assessment
5.2.1 Establish Context for each System and the Safety Target of the
Process
Based on the information prepared for each identified system, the context and design intent of each
system or protective loop should be explained to the group. The responsible design person should
provide this step as background to the group prior to assessment.
The key issues to identify for each system or loop are:
- The equipment being protected
- What it is being protected against (the hazard and incident)
- What independent levels of protection exist
5.2.2 Identify SIFs Needed
This step drives from the risk analysis what safety functions are required and what risk reduction they
need to meet the safety target.
This step determines whether a safety instrumented function is required. Protection layers of other
technologies should be considered prior to establishing the need for a safety instrumented function
implemented in a SIS. If no other non-SIS protection can meet the safety target level, a safety
instrumented function implemented in a SIS is required to protect against the identified hazards.
5.2.3 Determine required SIL of the SIF
The required SIL rating of the identified SIF is determined in this step:
- Select the first SIF (hazardous scenario) to be examined. The facilitator asks the responsible designer
  to explain the explicit purpose and intent of the SIF, including any safeguards available.
- The facilitator assesses the first SIF.
- The SIL rating of each SIF is identified in turn.
5.3 Recording
The SIL determination process should be recorded thoroughly using computer software intended for
SIL determination, or MS Excel, to ensure consistency.
Refer to SIL Determination Worksheet EPF-0267; Appendix 1 shows a typical example of how the
worksheet is used for LOPA.
It is highly recommended that a data projector is used during the workshop such that all participants
can view the record, recommend modifications and agree the minutes and actions, thereby
minimizing any revisions and modifications required later on.
The study team needs to agree on the similarity / equivalence of multiple units (in order to review only
one unit).
REMEMBER – The minutes of the study need to be understood by personnel who were NOT present
at the study!
5.4 SIL Determination Report
To comply with the standards the SIL determination process needs to be documented.
The facilitator and/or scribe need to formally document the SIL determination process; the documentation
needs to contain information on:
Scope of the SIL study
The team involved
The systems examined
Assumptions made / data sources used
Methodology used (LOPA / Matrix / Risk Graph)
The results as captured in the meeting
The report should be formally submitted for review and subsequently used as the basis for the SIL
verification process.
A typical outline for a summary report is given below.
Standard WorleyParsons Report Cover pages
Standard WorleyParsons Report disclaimer
Introduction and project overview
Objectives and scope
Team composition
Recommendations and major outcomes
Attachments
- Drawings/ data used as the basis for the study;
- Full Minutes;
- Meeting attendance register with attendees’ signatures included.
The Document Control for the report is per standard WorleyParsons procedure. Specifically, a
‘Revision A – Issued for Internal Review’ should be produced and distributed. Comments from this
should then be used to finalize the report as a ‘Revision 0 – Issued for Use’. This may vary between
projects depending on the customer’s project specific or document control procedures.
The Report should be saved in the project directory (in accordance with the project File Index) with an
appropriate file name as per the standard WorleyParsons or project specific document numbers.
5.5 Archiving
A hard copy of the SIL determination report must be retained in accordance with the location
archiving procedure.
6. LAYER OF PROTECTION ANALYSIS (LOPA) METHOD
The role that safety functions play in achieving the necessary risk reduction is illustrated in the figures
below taken from IEC 61511:
The Layers of Protection Analysis (LOPA) method requires that the customer’s tolerable risk level
(e.g. per scenario or cumulative) be stated explicitly as a numerical target. Once the tolerable risk
frequency target is known, the required risk reduction - in terms of Probability of Failure on Demand
(PFD) of the SIF - can be determined. LOPA evaluates the risk of selected unwanted event scenarios in
orders of magnitude.
The information required for the LOPA is contained in the data collected and developed in the HazOp
study. The table below shows the relationship between the data required for LOPA and the data
developed during the HazOp study.
LOPA required information          HazOp developed information
Impact event                       Consequence
Impact event severity level        Consequence severity
Initiating cause                   Cause
Initiating likelihood              Cause frequency
Protection layers                  Existing safeguards
Required additional mitigation     Recommended new safeguards
LOPA provides the basis for the specification of Independent Protection Layers (IPLs) and supports
compliance with good process safety practices as per IEC 61508 and IEC 61511.
A worked example for LOPA method is presented in Appendix 1.
6.1 Protection Layers
In a typical chemical process various layers of protection against incidents are in place. The main
purpose of the layers is to reduce the frequency of undesired consequences.
These layers consist of preventive, protective or mitigating measures. Examples are:
Inherently safe design features;
Basic Process Control System (BPCS);
Critical alarms and Operator intervention;
Safety Instrumented System (SIS) or Emergency Shutdown System;
Pressure Relief Device;
Mechanical Integrity of Vessel;
Fire Suppression System.
The layers of protection identified must be considered to be sufficiently independent to avoid common
cause failure. An Independent Protection Layer (IPL) is a device, system, or action that is capable of
preventing a scenario from proceeding to its undesired consequence independent of the initiating
event or the action of any other layer of protection associated with the scenario to control, prevent
and/or mitigate process risk.
6.2 LOPA Steps
The method starts with data developed in the Hazard and Operability analysis (HazOp study) and
accounts for each identified hazard by documenting the initiating cause and the protection layers that
prevent or mitigate the hazard. The total amount of risk reduction can then be determined and the
need for more risk reduction analyzed. If additional risk reduction is required and if it is to be provided
in the form of a SIF, the LOPA methodology allows the determination of the appropriate SIL for the
SIF. The method is illustrated in the figure below.
Steps are:
1. Select a SIF identifier (tag number) from the Cause & Effect Tables.
Develop an ‘impact event scenario’ based on the HazOp workshop records. The
‘consequences’ identified in the HazOp records are listed as ‘impact events’. Each
‘hazard and consequence’ is a single ‘impact event scenario’.
For each impact event scenario evaluate the severity of consequences on HSE and Assets.
2. Set the impact event scenario ‘Target Likelihoods’ after mitigation to meet the HSE and
Assets tolerable risks on the basis of severity of consequences on HSE and Assets
3. Initiating Cause(s)
Determine the initiating causes of each impact event, i.e. all of the Initiating Causes of the
hazard determined in the HazOp are listed.
4. Select an initiating cause and its Frequency
Calculate the enabled initiating event(s) frequency. The hazard initiating cause likelihood (in
events per year) is agreed on, i.e. a likelihood is estimated for each initiating cause.
5. Independent Protection Layers ‘IPLs’
Independent Protection Layers (IPLs) are listed. Each IPL is assigned a Probability of Failure
on Demand (PFD) value.
Among IPLs are:
General Process Design / Inherent Safety: The general process design to reduce the
likelihood of hazard manifesting itself, when an Initiating Cause occurs. An example of this
would be a jacketed pipe or vessel. The jacket would prevent the release of process
material if the integrity of the primary pipe or vessel were compromised.
BPCS: If a control loop in the BPCS prevents the impact event from occurring when the
Initiating Cause occurs, credit based on its PFD is claimed.
Operator Intervention (Alarms): This takes credit for alarms that alert the operator and
utilize operator intervention. Ensure that the alarm is independent of the cause, and of the
BPCS (if credit given).
6. Other Protection Layers
For each event the following probabilities are also determined:
Occupancy - The probability of a person being in the area.
Ignition - The probability that a release of flammable material will ignite / explode (given
that it has already been released). The probability that a release will be ignited depends on a
number of factors, including the chemical’s reactivity, volatility, auto-ignition temperature,
and physical state as well as the potential sources of ignition that are present. For a blast
to result from vapor cloud combustion, a reasonable amount of obstructions and
confinement must exist to cause the flame front to burn turbulently and reach sonic
velocity.
Fatality - The probability that a person will die given a release of hazardous material and a
person is already there. Allow for escape and/or avoidance.
7. Intermediate Event Likelihood
The Intermediate Event Likelihood is calculated by multiplying the Initiating Likelihood by the
PFDs of the protection layers and mitigating layers. The calculated number is in units of events
per year. If the Intermediate Event Likelihood is less than the Corporate Criteria for Events of
this Severity Level, additional PLs are not required. Further risk reduction should, however, be
applied if economically appropriate.
8. Mitigated Event Likelihood
Mitigated event likelihood is calculated by multiplying the initiating cause likelihood by the PFDs
for the applicable IPLs. The mitigated event likelihood is then compared to a criterion linked to
the corporation’s criteria for unacceptable risk levels. Additional IPLs can be added to reduce
the risk. The mitigated event likelihoods are summed to give an estimate of the risk for the
whole process.
9. Select other initiating causes and their Frequencies
Repeat all the previous steps
10. Safety Integrity Level Selection
The SIF’s required Integrity Level can be calculated by dividing the Corporate Risk Criteria for
the event by the Required Event Likelihood (for all causes). A PFD for the SIF below this
number is selected as a maximum for the SIS and entered.
Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition * Probability of Occupancy * Probability of Fatality)
11. Environmental Integrity Level ‘EIL’ Selection
The exposure factor for Environmental effects and consequences is determined and inserted in the
corresponding cell. As a result the Environmental Integrity Level ‘EIL’ will be determined.
If a new SIF is needed to prevent environmental consequences, the Required Integrity Level
can be calculated by dividing the Corporate Risk Criteria for the event by the Required Event
Likelihood. A PFD for the SIF below this number is selected as a maximum for the SIS and
entered.
Required Event Likelihood = (Intermediate Event Likelihood) x (Exposure factor)
12. Asset / Economical Integrity Level ‘AIL’ Selection
The exposure factor for Asset / Economical effects and consequences is determined and inserted
in the corresponding cell. As a result the Asset / Economical Integrity Level ‘AIL’ will be
determined.
If a new SIF is needed, the Required Integrity Level can be calculated by dividing the Corporate
Criteria for the event by the Required Event Likelihood. A PFD for the SIF below this number is
selected as a maximum for the SIS and entered.
Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition *
Probability of Occupancy * Probability of Fatality) x (PFD of safety instrumented function)
13. Select another SIF identifier (tag number) from the Cause & Effect Tables
Repeat the process above
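The calculation in steps 4 to 12 above, written out as an added worked example in Python (it is not part of the guideline or its Appendix 1 worksheet). The scenario, frequencies, IPL PFDs, conditional modifiers and corporate criteria are constructed for illustration; the SIL bands are the IEC 61508 low-demand PFD bands. It generalises the steps to any number of initiating causes and applies the same arithmetic to the environmental exposure-factor target of step 11.

```python
from dataclasses import dataclass, field
from math import prod

# IEC 61508 / IEC 61511 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))


@dataclass
class InitiatingCause:
    """One initiating cause of the impact event scenario (LOPA step 4) with the
    PFD of each Independent Protection Layer credited against it (step 5)."""
    name: str
    frequency_per_year: float
    ipl_pfds: dict = field(default_factory=dict)  # IPL description -> PFD

    def intermediate_event_likelihood(self) -> float:
        # Step 7: initiating likelihood x PFDs of the credited IPLs, in events per year.
        return self.frequency_per_year * prod(self.ipl_pfds.values(), start=1.0)


def required_event_likelihood(causes, conditional_modifiers) -> float:
    """Steps 6 to 10: sum the intermediate likelihoods over every initiating cause
    (step 9) and apply the conditional modifiers of step 6: for the safety target
    P_ignition x P_occupancy x P_fatality, for the environmental target the
    exposure factor (step 11)."""
    total = sum(c.intermediate_event_likelihood() for c in causes)
    return total * prod(conditional_modifiers, start=1.0)


def max_sif_pfd(corporate_criterion_per_year, required_likelihood) -> float:
    """Step 10: corporate risk criterion divided by the required event likelihood.
    The SIF must achieve a PFD at or below this value; a result of 1 or more
    means the existing IPLs already meet the target."""
    return corporate_criterion_per_year / required_likelihood


def sil_for_pfd(pfd_max) -> int:
    """Map the maximum allowable SIF PFD to the SIL band that contains it.
    0 means no SIL-rated SIF is required (risk reduction below 10).
    A PFD below the SIL 4 band is rejected: one SIF cannot close the gap and
    the process design itself must be revisited."""
    if pfd_max >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_max < upper:
            return sil
    raise ValueError(f"required PFD {pfd_max:.2e} is below the SIL 4 band")


def determine_sil(causes, conditional_modifiers, corporate_criterion_per_year):
    """Run steps 7 to 10 and return (required likelihood, maximum SIF PFD, SIL)."""
    required = required_event_likelihood(causes, conditional_modifiers)
    pfd_max = max_sif_pfd(corporate_criterion_per_year, required)
    return required, pfd_max, sil_for_pfd(pfd_max)


# Constructed scenario (illustrative values, not from the guideline): high pressure
# in a vessel, impact event = loss of containment of flammable material. Both causes
# share one IPL, an alarm on a separate transmitter with operator intervention;
# no relief valve credit is claimed.
HP_ALARM = {"independent HP alarm + operator intervention": 0.1}
CAUSES = [
    InitiatingCause("BPCS pressure control loop fails", 0.1, dict(HP_ALARM)),
    InitiatingCause("Outlet valve closed in error", 0.1, dict(HP_ALARM)),
]
SAFETY_MODIFIERS = (0.5, 0.5, 0.5)  # P_ignition, P_occupancy, P_fatality
SAFETY_CRITERION = 1e-5             # tolerable fatality frequency, events per year
ENV_EXPOSURE = (0.2,)               # environmental exposure factor (step 11)
ENV_CRITERION = 1e-4                # tolerable environmental event frequency per year

if __name__ == "__main__":
    for label, mods, crit in (("Safety", SAFETY_MODIFIERS, SAFETY_CRITERION),
                              ("Environmental", ENV_EXPOSURE, ENV_CRITERION)):
        req, pfd, sil = determine_sil(CAUSES, mods, crit)
        print(f"{label}: required likelihood {req:.2e}/yr, max SIF PFD {pfd:.2e} -> SIL {sil}")
```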
7. SIL VERIFICATION
Phase 4 of the safety life-cycle defined in IEC 61511-1 requires verification to be performed on the
design to verify that the required SIL rating has been achieved. Refer to SIL Verification Guideline
EPP-0266.
8. REFERENCES
1. IEC 61508 – Functional Safety of electrical/electronic/programmable electronic safety-related
systems (Parts 1 to 7)
2. IEC 61511 – Functional Safety – Safety Instrumented Systems for the process industry sector
(Parts 1 to 3)
3. AS 4360 – Risk Management (2004)
Appendix 1 - Example Worksheet for SIL Determination - LOPA Method (Annex F - IEC 61511 part 3)
Example for Layer of Protection Analysis (LOPA) report format [Annex F – Layer of Protection Analysis from the IEC 61511 Part 3 Standard]
Appendix 2 - SIL Determination - SIL Matrix Method (Annex C - IEC 61511 part 3)
Hazardous Event Severity Matrix - SIL Matrix
One common technique, among international refining, chemical and petrochemical companies, is to
use a risk matrix, which provides a correlation of risk severity and risk likelihood to SIL. The method
allows the probability of the potential event to be considered during the assignment of SIL.
It should also be noted that many companies already use a risk matrix and have their own guidelines.
WorleyParsons recommend that for each customer the matrix’s compatibility be assessed and
calibrated with the customer’s risk management requirements prior to any SIL determination.
A corporate risk matrix provides control of the SIL assigned for a particular severity and likelihood.
During the assessment of the incident severity and likelihood, the available layers of protection must
be evaluated and their effect on the incident severity and likelihood must be determined. The
safeguards must be independent, verifiable, dependable, and designed for the prevention of the specific
risk.
The SIL matrix given here has been developed based on the guidelines given in IEC 61508 part 5,
and IEC 61511 and also AS 4360 Risk Management [Ref. 3]. The matrix identifies the potential risk
reduction that can be associated with the use of a SIS protection layer. The risk matrix is based on
the operating experience and risk criteria of the specific company, the design, operating and
protection philosophy of the company, and the level of safety that the company has established as its
safety target level.
Note that the use of a SIL matrix carries the inherent assumption that a ‘Low’ risk is acceptable.
Explanation and Use of SIL Matrix
The underlying principle is that for any system, hazards that present unacceptable risks need to be
prevented or mitigated against to reduce the risk to ALARP.
A SIL 1 protective system moves the risk associated with a hypothetical hazardous scenario 1 column
to the right or 1 row down (i.e. reduced frequency or reduced consequence respectively by 1 order of
magnitude). Likewise a SIL 2 system would move the risk associated with a hazardous scenario 2
columns left or 2 rows down or 2 orders of magnitude. And so on.
Therefore, to determine the SIL requirements of a system, the risk associated with a hazardous
scenario needs to be determined without the SIS in place. Based on where the hazardous scenario is
then located on the Risk Matrix, the number of columns or rows that need to be moved to reduce
the hazardous scenario to an acceptable risk determines the SIL level(s) of the system(s).
The two essential parameters of the SIL matrix are Consequence Severity and Frequency of
Occurrence.
Consequence Severity
Associated with each hazardous event, the potential severity of the consequence without the
protective system or loops in place needs to be defined. The SIL matrix has a few levels of
consequence severity.
Frequency of Occurrence of the Initiating Event
The Frequency of Occurrence must be evaluated on the basis that the protective system(s) or loop(s)
are excluded. It is the likelihood that the hazardous event occurs without account for the specific
Safety Instrumented Systems.
It should be noted that it is important to link the Frequency of Occurrence with the end event
consequence severity defined above.
An example of a SIL matrix is given below.
Note: For each customer the matrix’s compatibility should be assessed and calibrated with the
company’s risk management requirements prior to any SIL determination.
Examples of other Consequence Identifiers are given below:
Level   Safety         Environmental                   Asset Protection
1       Catastrophic   Nationwide attention            $10 million
2       Major          Attract Regulatory Attention    $1 million
3       Moderate       Breach of EPA regulations       $100 thousand
4       Minor          Small uncontained               $10 thousand
5       Negligible     Contained                       $1 thousand
Appendix 3 - SIL Determination - Risk Graph Method (Annex D - IEC 61511 part 3)
Risk Parameter Classification Comments
Occupancy (F)
This is calculated by determining the proportional length of time the area exposed to the hazard is occupied during a normal working period.
NOTE 1 If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected.
NOTE 2 It is only appropriate to use Fa where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands which occur at equipment start-up or during the investigation of abnormalities.
Classification:
Fa - Rare to more frequent exposure in the hazardous zone. Occupancy less than 0.1
Fb - Frequent to permanent exposure in the hazardous zone
Comments: See comment 1 above
Probability of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
Pa - Adopted if all conditions in column 4 are satisfied
Pb - Adopted if all the conditions are not satisfied
Comments: Pa should only be selected if all the following are true:
- facilities are provided to alert the operator that the SIS has failed
- independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area
- the time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions
Demand rate (W). The number of times per year that the hazardous event would occur in absence of the SIF under consideration.
To determine the demand rate it is necessary to consider all sources of failure that can lead to one hazardous event. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not to be designed and maintained according to IEC 61511 is limited to below the performance ranges associated with SIL 1.
Classification:
W1 - Demand rate less than 0.1D* per year
W2 - Demand rate between 0.1D and D per year
W3 - Demand rate between D and 10D per year. For demand rates higher than 10D per year higher integrity shall be needed.
Comments:
1. The purpose of W is to estimate the frequency of the hazardous event taking place without the addition of the SIS.
2. If W is very high, the SIL has to be determined by another method or the risk graph recalibrated.
*D is a calibration factor, the value of which should be determined so that the risk graph results in a level of residual risk which is tolerable taking into consideration other risks to exposed persons and corporate criteria.
Note – The WorleyParsons default value for ‘D’ is 0.1