
Different SIL (Safety Integrity Level) Selection Techniques Can Yield Significantly Different Answers

By Paul Gruhn, PE, CFSE, President, L&M Engineering, Houston, TX, pgruhn@landmengineering.com

KEYWORDS
Safety Instrumented Systems (SIS), Safety Instrumented Function (SIF), Safety Integrity Level (SIL)

ABSTRACT
Safety Instrumented System standards (e.g., ANSI/ISA 84, IEC 61508 & 61511) cover a variety of techniques for determining safety integrity levels (i.e., the performance required of safety instrumented functions). The 3-dimensional Risk Matrix (associated with North America) and the Risk Graph (associated with Europe) are two qualitative methods. LOPA (Layer of Protection Analysis) is considered a semi-quantitative technique. Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers (e.g., falsely high integrity level requirements). This is usually due to the difficulty of calibrating these techniques to corporate risk criteria. More quantitative techniques (which can be more easily calibrated to corporate risk criteria) can yield significantly lower requirements. Spending a bit more time in the up-front system requirements analysis using more quantitative techniques can result in a) more realistic (and possibly lower) system performance requirements, and b) significantly lower costs associated with the design, installation and maintenance of the system.

Copyright 2004 by ISA The Instrumentation, Systems and Automation Society. Presented at ISA AUTOMATION WEST; www.isa.org

CASE STUDY
A valve in a pipeline application was recently modified (for fire considerations) from a motor operated valve to a pneumatically controlled, solenoid operated, spring loaded, fail-safe (closed) valve. If this valve were to spuriously close (an unlikely scenario with a motor operated valve, but likely with a solenoid operated valve), it would create an overpressure in a portion of the pipeline resulting in a possible pipeline rupture, vapor cloud, with a potential for an explosion and fatalities. A safety system was proposed consisting of a sensor, logic box, and valve that would shut in a portion of the pipeline in order to prevent the overpressure condition. As an exercise, it was decided to use the 3-dimensional Risk Matrix, Risk Graph, and LOPA in order to determine what differences, if any, there might be in the integrity level recommendations.

3-DIMENSIONAL RISK MATRIX
The 3-dimensional risk matrix is described in a number of documents (1, 2, 3). See Figure 1. The probability of the valve failing closed would be rated as high. (A failure can reasonably be expected to occur within the expected lifetime of the plant.) The severity would be rated as either medium (possible fatality) or high (major financial loss). There are no additional safety layers to account for on the z axis. Therefore, this technique indicates SIL 3 is required (as shown by the dotted rectangular area in Figure 1).

FIGURE 1: 3-DIMENSIONAL RISK MATRIX (figure not reproduced; axes: Probability, Severity, Quantity and/or effectiveness of additional layers)

RISK GRAPH
Reference 2 describes the Risk Graph, which was developed by at least two European countries. See Figure 2.


FIGURE 2: RISK GRAPH (figure not reproduced; the graph branches on W, C, F and P and terminates in a = No special safety requirements, Safety Integrity Levels 1 to 4, or b = Single SIS not sufficient)

Risk graph parameters as defined in the figure:
Consequence: Ca = Minor injury; Cb = Serious injury, single death; Cc = Several deaths; Cd = Many deaths
Frequency & exposure: Fa = Rare to frequent; Fb = Frequent to continuous
Possibility of avoidance: Pa = Sometimes possible; Pb = Almost impossible
Probability of occurrence: W1 = Very slight; W2 = Slight; W3 = Relatively high

While the wording used in the reference and the right column in Figure 2 is intentionally vague, the company involved did have a corporate document that defined the boundaries more clearly. The exact wording will not be replicated here for the sake of confidentiality.
Cc: Number of fatalities between 0.03 and 0.3 (personnel not always present and not always at risk of being killed due to a fire)
Fb: Frequent to permanent exposure (occupancy more than 0.5)
Pb: Almost impossible to avoid
W2: Medium demand (between 1/5 and 1/50 years)
Therefore, this technique results in a SIL 3 requirement (as shown by the dashed line in Figure 2). Similar cases were run for environmental and commercial impact, which also resulted in SIL 3 requirements.

LOPA (LAYER OF PROTECTION ANALYSIS)
Layer of Protection Analysis involves identifying hazardous events, determining initiating event frequencies, establishing tolerable levels of risk, and analyzing each independent safety layer to see if the tolerable level of risk can be reached. If the tolerable level of risk cannot be achieved, either additional safety layers must be added, or existing layers must be strengthened. The end user involved had a corporate risk document. The desire is to establish a system design to lower the overall risk to a level As Low As Reasonably Practical (ALARP). For this case it meant lowering the event probability, based on the consequences of this particular hazardous event, to less than 1/10,000 per year.
OPTION 1:

The initiating event frequency (i.e., solenoid valve spuriously failing closed) was estimated at 1/50 year. This frequency would need to be lowered by a factor of at least 200 in order to lower the hazardous event probability to < 1/10,000. This would require a system with a Risk Reduction Factor of at least 200 (in the SIL 2 range, between 100 and 1,000).
OPTION 2:

In order to lower the performance requirement for the safety system, the original valve in question could be modified with a second solenoid valve configured in a 2oo2 (two-out-of-two) voting arrangement, meaning both solenoids would have to de-energize in order for the valve to close. There is a commercially available solution of this type. This would essentially lower the safe failure rate of the valve (i.e., the valve closing spuriously) by one order of magnitude, to 1/500 year. This assumes a realistic common cause factor of 10% between identical solenoids. The proposed safety system would now only need to lower the initiating event frequency by a factor of at least 20 (SIL 1 range, between 10 and 100). Note that accounting for the redundant solenoid arrangement would also have lowered the SIL requirement by one level, from SIL 3 down to SIL 2, using the other techniques (risk matrix and risk graph).
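The LOPA arithmetic behind Option 1 and Option 2, as an added Python example that is not part of the paper: it divides the initiating event frequency by the tolerable frequency to get the required risk reduction factor, maps that onto a SIL band, and models the 2oo2 solenoid arrangement with a beta-factor common-cause approximation. Assumptions not stated in the paper: the SIL 3 and SIL 4 bands continue the decade pattern of the SIL 1 and SIL 2 ranges quoted above (per IEC 61511), a boundary value is assigned to the higher SIL, the independent double-failure term of the 2oo2 pair is neglected so that only the 10% common-cause term remains, and all function names are hypothetical.

```python
# Added example (not from the paper): the LOPA arithmetic behind Option 1 and
# Option 2, using exact fractions so the 200x and 20x factors come out exactly.
from fractions import Fraction
from typing import Optional, Tuple

# SIL bands as risk-reduction-factor (RRF) lower bounds. The paper quotes SIL 1
# as RRF 10 to 100 and SIL 2 as 100 to 1,000; SIL 3 and SIL 4 follow the same
# decade pattern (IEC 61511). Assumption: a boundary value takes the higher SIL.
SIL_BANDS = ((1, 10), (2, 100), (3, 1_000), (4, 10_000))
MAX_SINGLE_SIF_RRF = 100_000  # beyond SIL 4: a single SIF is not sufficient


def once_in(years: int) -> Fraction:
    """Frequency (per year) of an event expected once every `years` years."""
    return Fraction(1, years)


def required_rrf(initiating_freq: Fraction, tolerable_freq: Fraction) -> Fraction:
    """Risk reduction factor the protection layers must provide so that the
    mitigated event frequency (initiating_freq / RRF) meets the tolerable target."""
    return initiating_freq / tolerable_freq


def sil_for_rrf(rrf: Fraction) -> Optional[int]:
    """Map a required RRF onto a SIL: 0 means no SIL is needed (RRF < 10),
    None means a single SIF cannot deliver the reduction."""
    if rrf >= MAX_SINGLE_SIF_RRF:
        return None
    sil = 0
    for level, lower_bound in SIL_BANDS:
        if rrf >= lower_bound:
            sil = level
    return sil


def spurious_rate_2oo2(single_rate: Fraction, beta: Fraction) -> Fraction:
    """Spurious-closure rate of two solenoids voted 2oo2 (both must de-energise
    for the valve to close) under the beta-factor common-cause model.
    Assumption, matching the paper's Option 2: the common-cause term beta * lambda
    dominates and the much smaller independent double-failure term is ignored."""
    return beta * single_rate


def lopa_sil(initiating_freq: Fraction,
             tolerable_freq: Fraction) -> Tuple[Fraction, Optional[int]]:
    """Required RRF and resulting SIL for one initiating event against one target."""
    rrf = required_rrf(initiating_freq, tolerable_freq)
    return rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    tolerable = once_in(10_000)      # corporate ALARP target quoted in the paper
    solenoid_spurious = once_in(50)  # paper's estimate for one solenoid valve

    # Option 1: single solenoid valve, the SIF must provide all of the reduction.
    rrf1, sil1 = lopa_sil(solenoid_spurious, tolerable)
    print(f"Option 1: initiating 1/50 yr -> RRF >= {rrf1}, SIL {sil1}")

    # Option 2: second solenoid in 2oo2 with a 10% common-cause factor.
    reduced = spurious_rate_2oo2(solenoid_spurious, Fraction(1, 10))
    rrf2, sil2 = lopa_sil(reduced, tolerable)
    print(f"Option 2: initiating 1/{reduced.denominator} yr -> RRF >= {rrf2}, SIL {sil2}")
```

Run as a script it reports RRF 200 / SIL 2 for Option 1 and RRF 20 / SIL 1 for Option 2, the same figures the text arrives at. Fractions are used rather than floats so that a requirement landing exactly on a band boundary (RRF 100, for example) is classified deterministically instead of depending on rounding.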

CONCLUSION
It should not come as a surprise that different SIL selection techniques produce different answers. The techniques are all relatively recent and many are qualitative. The qualitative techniques (risk matrix and risk graph) do not have obvious connections to industry-wide or corporate tolerable risk levels. Determining corporate tolerable risk levels can be very problematic in itself. (What do you mean it's tolerable to kill four people every 100 million man-hours?!) An unscientific poll at a recent industry conference (5) indicated major end users in the oil & gas and chemical industries have a preference for LOPA. This is understandable when an organization has been involved with any of the techniques for any length of time. The qualitative techniques tend to come up with higher (i.e., more conservative or pessimistic) requirements. Simpler techniques may make the analysis easier, but the difference in total costs for a single safety instrumented function can increase by tens of thousands of dollars when increasing the SIL just one level. Spending a few more minutes in the up-front analysis can potentially save tens, if not hundreds, of thousands of dollars in the long run.


REFERENCES:
1. Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, Center for Chemical Process Safety, ISBN 0-8169-0554-1, 1993
2. Application of Safety Instrumented Systems for the Process Industries, International Society for Measurement and Control, ANSI/ISA S84.01, 1996
3. Functional safety - Safety instrumented systems for the process industry sector, International Electrotechnical Commission, standard 61511, 2003
4. Layer of Protection Analysis, AIChE CCPS, ISBN 0-8169-0811-7, 2001
5. Panelist statements made at the 59th Instrumentation Symposium for the Process Industries, held at Texas A&M University, Jan 20-22, 2004

