sil determination guideline

8/13/2019 SIL Determination Guideline

http://slidepdf.com/reader/full/sil-determination-guideline 1/36

Safety Integrity Level (SIL)Determination Guideline

– EPP-0263

30 May 2008

Level 12, 141 Walker Street, North Sydney NSW 2060, Australia+61 2 8923 6866+61 2 8923 6877

ABN 61 001 279 812



SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE

PROJECT - SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE

REV DESCRIPTION ORIG REVIEW WORLEY-

PARSONSAPPROVAL

DATE CUSTOMER

APPROVAL

DATE

1 Issued for use

K Bahrami J Pohlner L Wheeler

30-May-08 N/A

002-000-PDW-228 (019056) EPP-0263 Corporate Base of 36Rev 1 (30-May-08)

SYNOPSIS

This guideline presents the WorleyParsons methodology for undertaking a Safety Integrity Level (SIL)

determination study. The methodology follows the intent of ‘IEC 61511-3: Guidance for the

determination of the required safety integrity levels’, which requires that the SIL rating of Safety

Instrumented Functions (SIFs) to be determined.

This guideline has been developed to assist engineers, designers and other project decision makers

to deliver safe, reliable and sustainable design outcomes.





CONTENTS

1. INTRODUCTION ............................................................................................................ 5 1.1 Application ..................................................................................................................... 7 1.2 Roles and Responsibilities .............................................................................................. 7

2. ABBREVIATIONS AND TERMINOLOGIES .................................................................... 8 3. SIL DETERMINATION METHODOLOGY ..................................................................... 10 4. SIL DETERMINATION - PREPARATION ..................................................................... 12

4.1

Charter ......................................................................................................................... 12

4.2 Timing .......................................................................................................................... 12 4.3 Attendees ..................................................................................................................... 13 4.4 Workshop Duration ....................................................................................................... 13 4.5 Role of the Coordinator / Project Engineer .................................................................... 13

4.5.1 Before the Sessions ......................................................................................... 14 4.5.2 During the Sessions ......................................................................................... 14 4.5.3 After the Sessions ............................................................................................ 14

4.6 The Facilitator .............................................................................................................. 14 4.6.1 Before the Sessions ......................................................................................... 15 4.6.2 During the Sessions ......................................................................................... 15 4.6.3 After the Sessions ............................................................................................ 15

4.7 Technical Scribe ........................................................................................................... 16 4.8 Documentation Requirements ...................................................................................... 16

5. SIL DETERMINATION – WORKSHOP ......................................................................... 17 5.1 Workshop Procedure .................................................................................................... 17 5.2 SIF Assessment ........................................................................................................... 17

5.2.1 Establish Context for each System and the Safety Target of the Process ......... 17 5.2.2 Identify SIFs Needed ........................................................................................ 17 5.2.3 Determine required SIL of the SIF .................................................................... 18

5.3 Recording..................................................................................................................... 18 5.4 SIL Determination Report ............................................................................................. 18





5.5 Archiving ...................................................................................................................... 19 6. LAYER OF PROTECTION ANALYSIS (LOPA) METHOD ............................................. 20

6.1 Protection Layers ......................................................................................................... 21 6.2 LOPA Steps ................................................................................................................. 22

7. SIL VERIFICATION ...................................................................................................... 25 8. REFERENCES ............................................................................................................. 26 APPENDIX 1 - EXAMPLE WORKSHEET FOR SIL DETERMINATION - LOPA METHOD (ANNEX

F - IEC 61511 PART 3) APPENDIX 2 - SIL DETERMINATION – SIL MATRIX METHOD (ANNEX C - IEC 61511 PART 3) APPENDIX 3 - SIL DETERMINATION - RISK GRAPH METHOD (ANNEX D - IEC 61511 PART 3)





1. INTRODUCTION

Phase 2 of the safety life-cycle defined in IEC 61511-1 requires the determination of a Safety Integrity

Level (SIL) for the design of a Safety Instrumented Function (SIF).

The objectives of the Clause 9 of Phase 2 are allocation of safety functions to protection layers and

for each safety instrumented function, determination of the associated safety integrity level. Inputs to

this phase are a description of the required safety instrumented function(s) and associated safety

integrity requirements and the outputs are description of allocation of safety requirements.

Determination of the SIL rating of a SIF is an important process in ensuring that the design is

adequate and that any risk associated with the SIF failure is tolerable (i.e. the residual risk is as lowas is reasonably practicable – ALARP).

Once the SIL rating has been established the SIF design must be analysed to ensure that it meets the

required level of reliability. This is termed SIL Verification and is covered by SIL Verification Guideline

EPP-0266.

The primary focus of the SIL determination process is Safety. However, the integrity level

determination process can also be used for any type of control that provides protection against

Environmental risks (EIL rating) and Asset (Business or Financial and Property) risks (AIL rating).

This guideline has been developed in accordance with the functional safety standard IEC 61511

which is process industry specific within the framework of IEC 61508 [Ref 1], [Ref 2]. Both of these

standards are recognized and generally accepted as good engineering practices for SafetyInstrumented Systems (SIS).

This guideline contains the minimum requirements for the SIL study determination conducted by or for

WorleyParsons to ensure that all the required information is available, the most suitable people are

involved, and the documentation meets WorleyParsons requirements.

The document assumes a reasonable working knowledge of the hazardous scenario identification

(HAZID and HazOp) studies and the use of qualitative and semi-quantitative Risk assessment

processes to determine risk and SIL ratings.





Figure 1-1: SIS safety life-cycle phases and functional safety assessment stages based on IEC

61511





1.1 Application

The SIL determination process is applicable to all Customer Sector Groups (CSGs) and to the three

phases of project execution:

Define - Front End Engineering Design (FEED)

Execute - Detailed Engineering,

Operate - Asset Services, Maintenance, Upgrade,

1.2 Roles and Responsibi lities

This guideline makes reference to the following position titles:

Project Manager - The Project Manager is responsible for ensuring the SIL Determination

requirements are executed on the project in accordance with the Project Execution Plan. These

responsibilities include appointment of a SIL Determination Coordinator and a SIL Determination

Facilitator.

SIL Determination Coordinator / Project Engineer – This is the person in charge of organizing the

SIL Determination workshop, ensuring that the SIL Determination report is developed and circulated.

SIL Determination Facilitator – The person in charge of running the SIL Determination workshop

and developing the report.

Workshop Technical Scribe - For most workshops, an experienced technical scribe is preferred.





2. ABBREVIATIONS AND TERMINOLOGIES

AIL Asset Integrity Level

ALARP As Low As Reasonably Practicable

BPCS Basic Process Control System

E/E/PES Electrical/Electronic/Programmable Electronic safety-related systems

EIL Environment Integrity Level

ESD Emergency Shutdown

IPL Independent Protection Layer

LOPA Layer of Protection Analysis

PFD Probability of Failure on Demand

PHA Process Hazard Analysis

PLC Programmable Logic Controller

SRS Safety Requirements Specification

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

Safety Integrity Level (SIL): The IEC 61511 standard defines the Safety Integrity Level (SIL) as a

discrete value (one out of four) for specifying the safety integrity requirements of the safety functions

to be allocated to the safety instrumented functions. The higher the SIL, the higher the probability that

the safety function is correctly executed, the lower the average Probability of Failure on Demand.

A SIL 4 has the highest level of reliability and hence safety integrity and SIL 1 has the lowest.

Independent Protection Layer (IPL): A safeguard / layer of protection that (with certain probability)

will prevent an unsafe scenario from progressing regardless of the initiating event or the performance

of another layer of protection.

Safety Function: Function to be implemented by a safety instrumented system, other technology

safety-related system or external risk reduction facilities, which is intended to achieve or maintain a

safe state for the equipment, in respect of a specific hazardous event





Mode of Operation: Safety Instrumented Systems are split into two types, based on the mode ofoperation in which the system is intended to be used, with respect to the frequency of demands made

upon it.

For SIS operating in a low demand mode of operation, the safety integrity measure of interest is the

average probability of failure to perform its designed function on demand. For SIS operating in a

continuous mode of operation, the safety integrity measure of interest is the frequency of a dangerous

failure per hour,

The SIL ratings and requirements relating to both systems and their application are shown below.

SIL Continuous

(High) Demand

Mode of

Operation

Low Demand Mode of Operation

Failure Rate /

hour

Probability of Failure on Demand Risk Reduction Factor

(RRF)

1 < 10-5

to 10-6

< 10-1 to 10

-2 < 1 in 10 to 1 in 100 10 – 100

2 < 10-6

to 10-7

< 10-2

to 10-3

< 1 in 100 to 1 in 1000 100 – 1,000

3 < 10-7

to 10-8

< 10-3 to 10

-4 < 1 in 1000 to 1 in 10000 1,000 - 10,000

4 < 10

-8

to 10

-9

< 10

-4

to

10

-5

Less than 1 in 10000 10,000 – 100,000

High Demand Mode: where the frequency of demands for operation made on the system is

greater than one per year or greater than twice the proof test frequency. An example of this

could be the braking system on a car. The safety integrity measure of interest is the frequency of

a dangerous failure per hour.

Low Demand Mode: where the frequency of demands for operation made on the system is no

greater than one per year and no greater than twice the proof test frequency. An example of this

could be an air bag within a car. The safety integrity measure of interest is the average

probability of failure to perform its designed function on demand.

Necessary Risk Reduction: Risk reduction to be achieved by the E/E/PE safety-related systems,

other technology safety-related systems and external risk reduction facilities in order to ensure that

the tolerable risk is not exceeded.

Intermediate Event Likelihood: The Intermediate Event Likelihood is calculated by multiplying the

Initiating Event Likelihood by the PFDs of the protection layers and mitigating layers.

Required (Target) Event Likelihood: Corporate (Customer) Criteria for Events of this Severity Level.





3. SIL DETERMINATIO N METHODOLOG Y

Safety function is implemented by an SIS, other technology safety related system or external risk

reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect

to a specific hazardous event. The safety functions in process industries are more often delegated to

electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS).

The functional safety standards IEC 61508 and IEC 61511 propose guidelines which can be used in

order to define the requirements for achieving a specified Safety Integrity Level (SIL) and in order to

evaluate the actual availability of a SIS.

There are several methods that can be used for SIL determination for a specific safety instrumentedfunction. IEC 61511-3 presents information on a number of methods that have been used. The

method selected for a specific application will depend on many factors, including:

The customer

The complexity of the application

The guidelines from regulatory authorities

The nature of the risk and the required risk reduction

The experience and skills of the person available to undertake the work

The information available on the parameters relevant to the risk.

The following are basic and generic steps to determine a safety function SIL rating based on IEC

61511:

Perform a hazard and risk analysis to evaluate existing risk

Identify safety function(s) needed

Allocate safety function(s) to independent protection layers

Determine if a SIF is required

Determine required SIL of the SIF.

The methods presented in this guideline are based on IEC 61511 and utilise a Workshop approach:

Layer of Protection Analysis (LOPA)

SIL Matrix

Risk Graph

The LOPA methodology as covered in IEC 61508 Part 7 is one of the WorleyParsons preferred

methods as it provides a logical means of evaluating a large number of SIF, and includes means to

consider several key parameters (severity, likelihood, occupancy, and safeguards). As such LOPA





methodology is described in this Guideline. For completeness, SIL Matrix and Risk Graph methodsare included in Appendices 2 and 3.

In some applications more than one method may be used. A qualitative method may be used as a

first pass to determine the required SIL of all the SIFs. Those which are assigned a high SIL by this

method should then be considered in greater detail using a quantitative method to give a more

rigorous understanding of their required safety integrity.

Note:

1. Some customers may have their own SIL determination guidelines. If this is the case, then

there needs to be clear agreement as to which process will be used before the SIL

determination proceeds.

2. There is commercial SIL determination / documentation software available which can

enhance the determination and documentation processes.





4. SIL DETERMINATIO N - PREPARATION

The SIL determination process is based on the principle that a team approach to risk assessment will

identify more problems than when individuals working separately combine results.

As such, the SIL determination should be conducted in a Brainstorming Workshop environment

similar to a HazOp or HAZID session.

The first major element for a successful SIL determination process is that it is well planned prior to the

workshop taking place.

This planning needs to ensure that:

The design is sufficiently progressed and that it can be understood and questioned by the SIL

workshop clearly and in sufficient detail to arrive at an appropriate SIL determination.

The SIL workshop attendees are invited early enough to be involved

Prior to the workshop, the responsible project designer (process or instrument) should produce a

concise list of SIFs to be reviewed. The facilitator can work with the designer but ultimately it is

their responsibility to generate the actual list of SIFs to be reviewed containing the following

information.

- SIF descriptor

- P&ID reference

The facilitator needs to ensure that these elements have been satisfactorily completed prior to

the workshop taking place. If necessary the facilitator should postpone or cancel the workshop

until he/she is satisfied.

4.1 Charter

The Safety Workshop Charter defines the scope of the SIL Determination, the attendees, the

proposed duration, location and date. The use of the Charter is MANDATORY for all SIL

Determination studies.

4.2 Timing

The SIL Determination study should be conducted after the process design (or equivalent) has been

finalized, P&IDs developed (basic or detailed design), the design review is conducted, and the

process design has been subjected to a process HazOp study.

The SIL Determination workshop should not be undertaken before the design is complete to the

extent required for the particular study and the HazOp study is done. The SIL Determination

facilitator should not proceed with the study with a poorly completed design and HazOp study not

done.





4.3 Attendees

The workshop team shall be multi-disciplinary and comprise representatives from major groups

involved. People should be selected for their knowledge of the process and/or equipment and/or

ability to make a technical contribution.

The attendees should include experienced project and/or operations personnel as set out in the

functional safety standards. This requires that the team involved in making the SIL decisions consists

of participants with certain types of expertise. It is generally appropriate to include the following

personnel:

Competent Facilitator

Technical Scribe/ secretary

Operator with experience in operating the process under consideration;

Process Engineer - Engineer with expertise in the process design;

Instrument/Control engineer with experience in the process under consideration;

Lead Safety and Risk engineer

Customer Safety Coordinator (if relevant)

The actual composition of the team depends on the particular study. The composition may also vary

from meeting to meeting within a study as various technical specialists, are utilized on an as needed

basis. The team composition shall be defined on the charter.

4.4 Workshop Duration

Duration of the SIL Determination workshop depends on the complexity and size of the project, as

well as the team size and composition. The expected duration of the SIL Determination should be

discussed and agreed with the SIL Determination Facilitator once they have had an opportunity to

review the project scope and drawings.

The typical duration for a Greenfield site is about 2 to 3 hours per Safety Instrumented Function (SIF).

SIL Determination must be planned with regular breaks and ideally they should be limited to 6 hrs per

day. This enables personnel to keep in touch with their normal workload and prevents fatigue.

Additionally it allows time for the facilitator and scribe to tidy up the existing records and plan for the

next session.

4.5 Role of the Coordinator / Project Engineer

Main responsibilities of the Coordinator / Project Engineer according to the different stages of the

study are described as follows:





4.5.1 Before the Sessions

Book the facilitator and select the team members with advice from the Facilitator.

Organise a Scribe if appropriate. Note the scribe must have a technical background.

Set a date, time and duration for the workshop and book an appropriate location.

Arrange a data projector and computer for use (Though there are different ways to record the

minutes, WorleyParsons strongly advocates the projection of the minutes to ensure agreement

and understanding between the team. This may mean a laptop and data projector, or it may be

as simple as a printable whiteboard.)

Ensure the required documentation is available (see Section 5.6).

Issue the relevant document to the facilitator no less than 3-5 working days (depending on the

project size) prior to the session.

Prepare and distribute the Charter.

Organise catering if appropriate.

4.5.2 During the Sessions

Provide an introduction to the Project.

Provide guidance on the Scope of the study.

4.5.3 After the Sessions

Every project has its own document control system. Normally the following steps are followed:

Review the minutes of the meeting and circulate for review.

Distribute the Draft Report (Revision A) for review.

Gain sign-off on the Final Report (Revision 0).

4.6 The Facilitator

It is WorleyParsons requirement that an independent, competent facilitator and experienced in the

field of study is used. The SIL determination facilitator should not be closely associated with

designing or delivering the subject of the study, as there is a danger of real or perceived conflicts of

interest in identification of hazards, operability problems or design flaws. This will help ensure

compliance with the minimum required level of independence for carrying out SIL assessments (refer

to IEC 61508).

The major role of the facilitator is to guide the team in the process during the SIL determination

session. However the facilitator should assist with the defining of objectives for the study, reviewing

the Charter, choosing team members and adequately preparing for the study.





The responsibilities of the facilitator according to the different phases of the study are described asfollows.

4.6.1 Before the Sessions

Ensure the objectives and scope are clearly defined.

Ensure that the proposed team and facilities for the study are appropriate.

In conjunction with the Process / IE Engineer identify existing SIFs and determine a preliminary

description of each (to be confirmed with the Study Team during the workshop).

In conjunction with the Coordinator estimate the duration of the workshop.

Review any previous HazOp and any SIL study, Safety Case or Risk Assessment

documentation.

Plan the study sequence.

Calibrate the determination / recording software (if any)

4.6.2 During the Sessions

Ensure that the team members understand the method and their individual roles.

Guide the team in the technique.

Ensure that the full range of events are generated and that a full range of realistic causes and

consequences is developed.

Ensure that all team members participate in the discussions and that those who have the specific

technical knowledge or ability are given the opportunity to express their views, avoid one team

member dominating the discussions.

Keep the discussions to the topic under review, minimize side track discussions.

Keep track of time, if discussion of a particular issue is taking too long, record an “action” to

resolve outside of the meeting.

Ensure the results of the process are accurately recorded.

Note: The use of data projector to display the “minutes” as they are recorded allows the Facilitator to

advise that the minutes / Study records represent the consensus of the meeting and an already“accepted” set of minutes of the meeting.

4.6.3 After the Sessions

The minutes of the meeting are reviewed and circulated to workshop attendees

Prepare the Draft report (normally as Rev A) and issue to the Coordinator - for distribution and

review.





Incorporate any alterations and revise the minutes and reissue the Report as “Final” / “For Use” –normally as Rev 0.

4.7 Technical Scribe

For most workshops, an experienced technical scribe is preferred as part of the Study Team since

they can have a significant impact in terms of efficiency by enabling the facilitator to concentrate on

the process and not the records. For large studies there may be value in having more than one

scribe, using them in rotation to limit fatigue. For small and simple studies, the facilitator may elect to

take on the responsibility of the technical scribe or secretary.

4.8 Documentatio n RequirementsFor the LOPA study, it is required to have agreed tolerable risk criteria (specific limit per yr) for each

of the consequence categories studied before the workshop can be started. Also there needs to be a

list of proposed SIFs agreed and suitably documented.

The following documents need to be available during the study session to the team:

Basis of Design

Process Description

Process Flow Diagrams (PFDs - for process systems)

Utility Flow Diagrams (UFDs - for utility systems)

Piping and Instrumentation Diagrams (P&IDs -for both process and utility systems).

Plant / Equipment Layouts (preliminary)

Previous hazard study documents.

Cause and effect diagrams

In addition, the following documents should be available for reference, where applicable.

Control Philosophy

Shutdown Philosophy

Isolation Philosophy

Fire & Safety Philosophy

Fire & Gas Detection Philosophy

Hazardous Area Drawings

Relief and Blow down Philosophy





5. SIL DETERMINATIO N – WORKSHOP

In order to determine the required SIL of the safety instrumented functions (SIFs), it is necessary to

define the customer’s tolerable risk target in terms of probability and consequence of the process

potential incidents. This would take place by discussion and agreement between the interested

parties before the workshop (for example safety regulatory authorities, those producing the risks and

those exposed to the risks).

The following sections outline the main sequence of events associated with the SIL determination

process as developed by WorleyParsons. This process is consistent with IEC 61511, IEC 61508 and

the concepts of Risk Management in AS/NZ 4360.

5.1 Workshop Procedure

The procedure for each meeting/session is as follows:

1. Introduction of team members and their responsibilities (an attendance sheet should be circulated

to formally record all attendees including their signature to confirm attendance).

2. Statement of the objectives and scope of the study (by the Coordinator and / or facilitator).

3. Brief outline of the plan for the study (by the facilitator). Going into the study process in more

detail if any team member is not familiar with the method.

4. SIF Assessment as next step

5.2 SIF Assessment

5.2.1 Establish Context for each System and the Safety Target of the

Process

Based on the information prepared for each identified system, the context and design intent of each

system or protective loop should be explained to the group. The responsible design person should

provide this step as background to the group prior to assessment.

The key issues to identify for each system or loop are:

The equipment being protected What it is being protected against (the hazard and incident)

What independent levels of protection exist

5.2.2 Identify SIFs Needed

This step drives from the risk analysis what safety functions are required and what risk reduction they

need to meet the safety target.





This step determines whether a safety instrumented function is required. Protection layers of othertechnologies should be considered prior to establishing the need for a safety instrumented function

implemented in a SIS. If no other non-SIS protection can meet the safety target level, a safety

instrumented function implemented in a SIS is required to protect against the identified hazards.

5.2.3 Determine required SIL of the SIF

The required SIL rating of the identified SIF is determined in this step.

Select first SIF (hazardous scenario) to be examined. The facilitator asks to explain the explicit

purpose and intent of the SIF including any safeguards available.

The facilitator assesses the first SIF

The SIL rating of each SIF will be identified

5.3 Recording

The SIL determination process should be recorded thoroughly using a computer software used for

SIL determination or MS Excel to ensure consistency.

Refer to SIL Determination Worksheet EPF-0267 Appendix 1 shows a typical example of how the

worksheet is used for LOPA.

It is highly recommended that a data projector is used during the workshop such that all participants

can view the record, recommend modifications and agree the minutes and actions, thereby

minimizing any revisions and modifications required later on.

The study team needs to agree on the similarity / equivalence of multiple units (in order to review only

one unit).

REMEMBER – The minutes of the study need to be understood by personnel who were NOT present

at the study!

5.4 SIL Determination Report

To comply with the standards the SIL determination process needs to be documented.

The facilitator and/or scribe need to formally document the SIL determination process, this need to

provide and contain information on;

Scope of the SIL study

The team involved

The systems examined

Assumptions made / data sources used

Methodology used (LOPA / Matrix / Risk Graph)





The results as captured in the meeting

The report should be formally submitted for review and subsequently used as the basis for the SIL

verification process.

A typical outline for a summary report is given below.

Standard WorleyParsons Report Cover pages

Standard WorleyParsons Report disclaimer

Introduction and project overview

Objectives and scope

Team composition

Recommendations and major outcomes

Attachments

- Drawings/ data used as the basis for the study;

- Full Minutes.

- Meeting attendance register with attendee’s signature included.

The Document Control for the report is per standard WorleyParsons procedure. Specifically, a

‘Revision A – Issued for Internal Review’ should be produced and distributed. Comments from this

should then be used to finalize the report as a ‘Revision 0 – Issued for Use’. This may vary between

projects depending on the customer’s project specific or document control procedures.

The Report should be saved in the project directory (in accordance with the project File Index) with an

appropriate file name as per the standard WorleyParsons or project specific document numbers.

5.5 Archiving

A hard copy of the SIL determination report must be retained in accordance with the location

archiving procedure.





6. LAYER OF PROTECTION ANALYSIS (LOP A) METHOD

The role that safety functions play in achieving the necessary risk reduction is illustrated in the figures

below taken from IEC 61511:

The Layers of Protection Analysis (LOPA) method requires that the customer’s tolerable risk level

(e.g. per scenario or cumulative) be stated explicitly as a numerical target. Once the tolerable risk

frequency target is known, the required risk reduction - in terms of Probability of Failure on Demand





(PFD) of the SIF - can be determined. LOPA evaluates risk in order of magnitude of selectedunwanted event scenarios.

The information required for the LOPA is contained in the data collected and developed in the HazOp

study. Table below shows the relationship between the data required for LOPA and the data

developed during the HazOp study.

LOPA required information HazOp developed information

Impact event Consequence

Impact event severity level Consequence severity

Initiating cause Cause

Initiating likelihood Cause frequency

Protection layers Existing safeguards

Required additional mitigation Recommended new safeguards

LOPA provides basis for specification of Independent Protection Layers (IPLs) and support

compliance with good process safety practices as per IEC 61508 and IEC 61511.

A worked example for LOPA method is presented in Appendix 1.

6.1 Protection Layers

In a typical chemical process various layers of protection against incidents are in place. The main

purpose of the layers is to reduce the frequency of undesired consequences.

These layers consist of preventive, protective or mitigating measures. Examples are:

Inherently safe design features;

Basic Process Control System (BPCS);

Critical alarms and Operator intervention;

Safety Instrumented System (SIS) or Emergency Shutdown System;

Pressure Relief Device;

Mechanical Integrity of Vessel;

Fire Suppression System;

The layers of protection identified must be considered to be sufficiently independent to avoid common

cause failure. An Independent Protection Layer (IPL) is a device, system, or action that is capable of

preventing a scenario from proceeding to i ts undesired consequence independent of the initiating





event or the action of any other layer of protection associated with the scenario to control, preventand/or mitigate process risk.

6.2 LOPA Steps

The method starts with data developed in the Hazard and Operability analysis (HazOp study) and

accounts for each identified hazard by documenting the initiating cause and the protection layers that

prevent or mitigate the hazard. The total amount of risk reduction can then be determined and the

need for more risk reduction analyzed. If additional risk reduction is required and if it is to be provided

in the form of a SIF, the LOPA methodology allows the determination of the appropriate SIL for the

SIF. The method is illustrated in the figure below.

Steps are:

1. Select a SIF identifier (tag number) from the Cause & Effect Tables.

Develop an ‘impact event scenario’ based on the HazOp workshop records. The

‘consequences’ identified in the HazOp records are listed as ‘impact events’. Each

‘hazard and consequence’ is a single ‘impact event scenario’.

For each impact event scenario evaluate the severity consequences on HSE, and Assets

2. Set the impact event scenario ‘Target Likelihoods’ after mitigation to meet the HSE and

Assets tolerable risks on the basis of severity of consequences on HSE and Assets

3. Initiating Cause(s)

Determine the initiating causes of each impact event, i.e. all of the Initiating Causes of the

hazard determined in the HazOp are listed.

4. Select an initiating cause and its Frequency

Calculate the enabled initiating event(s) frequency. The hazard initiating cause likelihood (inevents per year) is agreed on, i.e. a likelihood is estimated for each initiating cause.

5. Independent Protection Layers ‘IPLs’

Independent Protection Layers (IPLs) are listed. Each IPL is assigned a Probability of Failure

on Demand (PFD) value.

Among IPLs are:

General Process Design / Inherent Safety: The general process design to reduce the

likelihood of hazard manifesting itself, when an Initiating Cause occurs. An example of this

would be a jacketed pipe or vessel. The jacket would prevent the release of process

material if the integrity of the primary pipe or vessel were compromised.

BPCS: If a control loop in the BPCS prevents the impacted event from occurring when the

Initiating Cause occurs, credit based on its PFD is claimed.





Operator Intervention (Alarms): This takes credit for alarms that alert the operator andutilize operator intervention. Ensure that the alarm is independent of the cause, and the

BPCS (if credit given).

6. Other Protection Layers

For each event the following probabilities are also determined:

Occupancy - The probability of a person being in the area.

Ignition - The probability that a release of flammable material will ignited / explodes (given

that it has already released). The probability that a release will be ignited depends on a

number of factors, including the chemical’s reactivity, volatility, auto-ignition temperature,

and physical state as well as the potential sources of ignition that are present. For a blast

to result from vapor cloud combustion, a reasonable amount of obstructions and

confinement must exist to cause the flame front to burn turbulently and reach sonic

velocity.

Fatality - The probability that a person will die given a release of hazardous material and a

person is already there. Allow for escape and/or avoidance.

7. Intermediate Event Likelihood

The Intermediate Event Likelihood is calculated by multiplying the Initiating Likelihood by the

PFDs of the protection layers and mitigating layers. The calculated number is in units of events

per year. If the Intermediate Event Likelihood is less than the Corporate Criteria for Events of

this Severity Level, additional PLs are not required. Further risk reduction should, however, be

applied if economically appropriate.

8. Mitigated Event Likelihood

Mitigated event likelihood is calculated by multiplying the initiating cause likelihood by the PFDs

for the applicable IPLs. The mitigated event likelihood is then compared to a criterion linked to

the corporation’s criteria for unacceptable risk levels. Additional IPLs can be added to reduce

the risk. The mitigated event likelihoods are summed to give an estimate of the risk for the

whole process. Mitigated event likelihood is calculated by multiplying the initiating cause

likelihood by the PFDs for the applicable IPLs. The mitigated event likelihood is then compared

to a criterion linked to the corporation’s criteria for unacceptable risk levels. Additional IPLs can

be added to reduce the risk. The mitigated event likelihoods are summed to give an estimate of

the risk for the whole process.

9. Select other initiating causes and their Frequencies

Repeat all the previous steps

10. Safety Integrity Level Selection

The SIFs required Integrity Level can be calculated by dividing the Corporate Risk Criteria for

the event by the Required Event Likelihood (for all causes). A PFD for the SIF below this

number is selected as a maximum for the SIS and entered.





Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition *Probability of Occupancy * Probability of Fatality)

11. Environmental Integrity Level ‘EIL’ Selection

Exposure factor for Environmental effects and consequences are determined and inserted in

corresponding cell. As a result the Environmental Integrity Level ‘EIL’ will be determined.

If a new SIF is needed to prevent environmental consequences, the Required Integrity Level

can be calculated by dividing the Corporate Risk Criteria for the event by the Required Event

Likelihood. A PFD for the SIF below this number is selected as a maximum for the SIS and

entered.

Required Event Likelihood = (Intermediate Event Likelihood) x (Exposure factor)

12. Asset / Economical Integrity Level ‘AIL’ Selection

Exposure factor for Asset / Economical effects and consequences are determined and inserted

in corresponding cell. As a result the Asset / Economical Integrity Level ‘AIL’ will be

determined.

If a new SIF is needed, the Required Integrity Level can be calculated by dividing the Corporate

Criteria for the event by the Required Event Likelihood. A PFD for the SIF below this number is

selected as a maximum for the SIS and entered.

Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition *

Probability of Occupancy * Probability of Fatality) x (PFD of safety instrumented function)

13. Select another SIF identifier (tag number) from the Cause & Effect Tables

Repeat the process above





7. SIL VERIFICATION

Phase 4 of the safety life-cycle defined in IEC 61511-1 requires verification to be performed on the

design to verify that the required SIL rating has been achieved. Refer to SIL Verification Guideline

EPP-0266.





8. REFERENCES

1. IEC 61508 – Functional Safety of electrical/electronic/programmable electronic safety-related

systems (Parts 1 to 7)

2. IEC 61511 – Functional Safety – Safety Instrumented Systems for the process industry sector

(Parts 1 to 3)

3. AS 4360 – Risk Management (2004)




002-000-PDW-228 (019056) EPP-0263 Corporate Base of 36Rev 1 (30-Ma -08)

Appendix 1 - Example Worksheet for SIL Determination -LOPA Method (Annex F - IEC 61511 part 3)





Example for Layer of Protection Analysis (LOPA) report format [Annex F – Layer of Protection Analysis from the IEC 61511 Part 3 Standard]





Appendix 2 - SIL Determination – SIL Matrix Method(Annex C - IEC 61511 part 3)





Hazardous Event Severity Matrix - SIL Matrix

One common technique, among international refining, chemical and petrochemical companies, is to

use a risk matrix, which provides a correlation of risk severity and risk likelihood to SIL. The method

allows the probability of the potential event to be considered during the assignment of SIL.

It should also be noted that many companies already use a risk matrix and have their own guidelines.

WorleyParsons recommend that for each customer the matrix’s compatibility be assessed and

calibrated with the customers risk management requirements prior to any SIL determination.

A corporate risk matrix provides control of the SIL assigned for a particular severity and likelihood.

During the assessment of the incident severity and likelihood, the available layers of protection must

be evaluated and their effect on the incident severity and likelihood must be determined. The safeguards must be independent, verifiable, dependable, and designed for the prevention of the specific

risk.

The SIL matrix given here has been developed based on the guidelines given in IEC 61508 part 5,

and IEC 61511 and also AS 4360 Risk Management [Ref. 3]. The matrix identifies the potential risk

reduction that can be associated with the use of a SIS protection layer. The risk matrix is based on

the operating experience and risk criteria of the specific company, the design, operating and

protection philosophy of the company, and the level of safety that the company has established as its

safety target level.

Note that the use of a SIL matrix carries the inherent assumption that a ‘Low’’ risk is acceptable.

Explanation and Use of SIL Matrix

The underlying principle is that for any system, hazards that present unacceptable risks need to be

prevented or mitigated against to reduce the risk to ALARP.

A SIL 1 protective system moves the risk associated with a hypothetical hazardous scenario 1 column

to the right or 1 row down (i.e. reduced frequency or reduced consequence respectively by 1 order of

magnitude). Likewise a SIL 2 system would move the risk associated with a hazardous scenario 2

columns left or 2 rows down or 2 orders of magnitude. And so on.

Therefore, to determine the SIL requirements of a system the risk associated with a hazardous

scenario need to be determined without the SIS in place. Based on where the hazardous scenario is

then located on the Risk Matrix, the number of columns or rows that then need to be moved to reduce

the hazardous scenario to an acceptable risk, determines the SIL level(s) of the system(s).

The two essential parameters of the SIL matrix are Consequence Severity and Frequency of

Occurrence.

Consequence Severity

Associated with each hazardous event, the potential severity of the consequence without the

protective system or loops in place needs to be defined. The SIL matrix has a few levels of

consequence severity.





Frequency of Occurrence of the Initiating Event

The Frequency of Occurrence must be evaluated on the basis that the protective system(s) or loop(s)

are excluded. It is the likelihood that the hazardous event occurs without account for the specific

Safety Instrumented Systems.

It should be noted that it is important to link the Frequency of Occurrence with the end event

consequence severity defined above.

An example of a SIL matrix is given below.

Note: For each customer the matrix’s compatibility should be assessed and calibrated with the

company’s risk management requirements prior to any SIL determination.





Example of other Consequence Identifiers is as below:

Safety Environmental Asset Protection

1 Catastrophic Nationwide attention $10 million

2 Major Attract Regulatory Attention $1 million

3 Moderate Breach of EPA regulations $100 thousand

4 Minor Small uncontained $10 thousand

5 Negligible Contained $1 thousand





Appendix 3 - SIL Determination - Risk Graph Method(Annex D - IEC 61511 part 3)




Risk Parameter Classification Comments

Occupancy (F)

This is calculated by determining the proportionallength of time the area exposed to the hazard isoccupied during a normal working period.

NOTE 1 if the time in the hazardous area isdifferent depending on the shift being operatedthen the maximum should be selected.

NOTE 2 It is only appropriate to use Fa where itcan be shown that the demand rate is random andnot related to when occupancy could be higherthan normal. The latter is usually the case with

demands which occur at equipment start-up orduring the investigation of abnormalities.

Fa

Fb

Rare to morefrequent exposurein the hazardouszone. Occupancyless than 0.1

Frequent topermanentexposure in thehazardous zone

See comment 1 above

Probability of avoiding the hazardous event (P) ifthe protection system fails to operate

Pa

Pb

Adopted if allcondition incolumn 4 aresatisfied

Adopted if all theconditions are notsatisfied

Pa should only be selected ifall the following are true:

facilities are provided toalert the operator that theSIS has failed

independent facilities areprovided to shut down suchthat the hazard can beavoided or which enable allpersons to escape to a safearea

the time between theoperator being alerted anda hazardous eventoccurring exceeds 1 houror is definitely sufficient forthe necessary actions

Demand rate (W). the number of times per yearthat the hazardous event would occur in absenceof SIF under consideration.

To determine the demand rate it is necessary toconsider all sources of failure that can lead to onehazardous event. In determining the demand rate,limited credit can be allowed for control systemperformance and intervention. The performancewhich can be claimed if the control system is not to

be designed and maintained according to IEC61511 is limited to below the performance rangesassociated with SIL 1

W1

W2

W3

Demand rate lessthan 0.1D* peryear

Demand ratebetween 0.1D andD per year

Demand ratebetween D and

10D per yearFor demand rateshigher than 10Dper year higherintegrity shall beneeded

1. The purpose of W is toestimate the frequency ofthe hazardous taking placewithout the addition of theSIS.

2. If W is very high, the SILhas to be determined byanother method or the riskgraph recalibrated.

*D is a calibration factor. The value of which should be determined so that the risk graph results in a level ofresidual risk which is tolerable taking into consideration other risks to exposed persons and corporate criteria.Note – The WorleyParsons default value for ‘D’ is 0.1

sil determination guideline

Documents