01 October 2003
Get different answers with different SIL selection techniques
By Paul Gruhn
Which would you rather do, spend a few minutes using a simple qualitative technique and implement a safety integrity level (SIL) 3 design (with very high life-cycle costs), or spend a few more minutes in the up-front requirements using a more quantitative technique and end up implementing a SIL 1 design (with much lower life-cycle costs)? Here's how you can make the most of your SIL determination.
Safety instrumented system (SIS) standards (ANSI/ISA 84, IEC 61508, and 61511) cover several techniques to determine safety integrity levels—the performance required of safety instrumented functions. The three-dimensional risk matrix (associated with North America) and the risk graph (associated with Europe) are two qualitative methods. Layer of protection analysis (LOPA) is a semiquantitative technique. It involves identifying hazardous events, determining initiating event frequencies, establishing tolerable levels of risk, and analyzing each independent safety layer to see if you can reach the overall level of risk. If not, you will need either to add safety layers or to strengthen the existing ones.
Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers, such as falsely high integrity level requirements. This is usually due to the difficulty of calibrating these techniques to incorporate risk criteria. More quantitative techniques (which you can more easily calibrate to incorporate risk criteria) can yield significantly lower requirements.
Therefore, spending a little more time in the up-front system requirements analysis using more quantitative techniques can result in (1) a more realistic (and possibly lower) system performance requirement, and (2) considerable economic savings in the design, installation, and maintenance of the system.
Take the sample case of a valve spuriously closing—resulting in pipeline overpressure and possible rupture. A valve in a pipeline application was recently modified from a motor-operated valve to a pneumatically controlled, solenoid-operated, spring-loaded, fail-safe (closed) valve. If this valve were to spuriously close, it would create an overpressure in a portion of the pipeline, resulting in a possible pipeline rupture and vapor cloud, with a potential for an explosion and fatalities. A proposed safety system called for a safety transmitter, logic box, and safety valve that would shut in a portion of the pipeline to prevent the over-pressure condition.
As an exercise, all three methods (the three-dimensional risk matrix, the risk graph, and LOPA) were applied to this case to determine what differences, if any, there would be in the integrity level recommendations. You will find the methods described (and diagrams) in the standards themselves.
THREE-DIMENSIONAL RISK MATRIX
The probability of the valve failing closed would be rated at high. (You can reasonably expect a failure to occur within the expected lifetime of the plant.) You would rate the severity as either medium (possible fatality) or high (major financial loss). There are no additional safety layers to account for on the z-axis. Therefore, this technique indicates SIL 3 is required.
RISK GRAPH
The risk graph parameters for this case are:
Cc: Number of fatalities between 0.05 and 0.5 (personnel not always present and not always at risk of being killed due to a fire)
Fb: Frequent to permanent exposure
Pb: Almost impossible to avoid
W2: 1/50 year assumed for valve failing closed
Therefore, this technique results in a SIL 3 requirement. Similar cases were run for environmental and commercial impact, which also produced SIL 3 requirements.
LAYER OF PROTECTION ANALYSIS
If the end user has a corporate risk document, you will want to establish a system design to lower the overall risk to a level "as low as reasonably practical" (ALARP).
The initiating event frequency (valve failing closed) is estimated at 1/50 year. You would need to lower this frequency by a factor of at least 200 to lower the hazardous event frequency to less than 1/10,000 year (the corporate risk target). This would require a system with a risk reduction factor of at least 200 (in the SIL 2 range).
To lower the performance requirement for the safety system, modify the valve in question with a second solenoid valve configured in a 2oo2 (two-out-of-two) voting arrangement. This means you would have to de-energize both solenoids for the valve to close, which would lower the safe failure rate of the valve by one order of magnitude, to 1/500 year. This assumes a realistic common cause factor of 10% between identical solenoids. The safety system would now only need to meet a risk reduction factor of at least 20 (SIL 1 range). (Accounting for the redundant solenoid arrangement would have lowered the SIL requirement by one level using the other techniques as well.)
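The LOPA arithmetic of the two preceding steps, written out as an added example (not code from the article): it credits any number of independent protection layers by their probability of failure on demand, maps the resulting risk reduction factor onto the IEC 61508 low-demand SIL bands, and reproduces the article's figures, including the 2oo2 solenoid case. The common-cause approximation for the 2oo2 valve and the 1/50, 1/10,000 and 10% inputs are taken from the article; everything else is assumed.

```python
# Low-demand SIL bands (IEC 61508 / ANSI/ISA 84): (SIL, min RRF, max RRF).
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


def spurious_close_rate_2oo2(single_rate, beta):
    """Fail-closed rate (per year) of two solenoids in 2oo2 voting.
    Both must de-energise, so the common-cause term beta * rate dominates;
    the independent two-failure term is neglected, as the article does."""
    if not 0 < beta <= 1:
        raise ValueError(f"common cause factor must be in (0, 1]: {beta}")
    return beta * single_rate


def required_rrf(initiating_freq, target_freq, ipl_pfds=()):
    """Risk reduction factor the SIF must supply after each independent
    protection layer (IPL) is credited by its probability of failure on demand."""
    mitigated_freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0 < pfd <= 1:
            raise ValueError(f"PFD must be in (0, 1]: {pfd}")
        mitigated_freq *= pfd
    if mitigated_freq <= target_freq:
        return 1.0  # existing layers already meet the target; no SIF credit needed
    return round(mitigated_freq / target_freq, 6)  # rounded to hide float noise


def sil_for_rrf(rrf):
    """Map a required RRF onto a SIL band; 0 means no SIL-rated function is needed."""
    if rrf < SIL_BANDS[0][1]:
        return 0  # below the SIL 1 band: a non-SIL-rated layer can supply it
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    raise ValueError(f"RRF {rrf:g} is beyond SIL 4; reduce the hazard at source instead")


def lopa(initiating_freq, target_freq, ipl_pfds=()):
    """Return (required RRF, SIL) for one hazardous event."""
    rrf = required_rrf(initiating_freq, target_freq, ipl_pfds)
    return rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    target = 1 / 10_000      # corporate risk target, per year (article's figure)
    single_valve = 1 / 50    # valve spuriously closing, per year (article's figure)
    print("single solenoid:", lopa(single_valve, target))            # (200.0, 2)
    redundant = spurious_close_rate_2oo2(single_valve, beta=0.10)   # 1/500 per year
    print("2oo2 solenoids: ", lopa(redundant, target))              # (20.0, 1)
```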
Paul Gruhn, P.E., CFSE, is president of L&M Engineering in Houston.