Dr. Aa Process Control and Safety Group

Safety Integrity Level (SIL)
SIS
Safety instrumented systems (SIS) are used to provide safe control functions for processes, e.g. emergency shutdown (ESD), fire detection and blowdown functions. A SIS is typically composed of sensors, logic solvers and final control elements.

A Safety Instrumented System is designed to prevent or mitigate hazardous events by taking a process to a safe state when predetermined conditions are violated.
Other common terms for SISs are safety interlock systems, emergency shutdown systems (ESD), and safety shutdown systems (SSD). Each SIS has one or more Safety Instrumented Functions (SIF).

SIL
SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, in terms of probability of failure on demand (PFD). A SIL is a statistical representation of the reliability of the SIS when a process demand occurs.
The higher the SIL is, the more reliable or effective the system is.

To perform its function, a SIF loop has a combination of logic solver(s), sensor(s), and final element(s). Every SIF within a SIS will have a Safety Integrity Level (SIL). These SIL levels may be the same, or may differ, depending on the process. It is a common misconception that an entire system must have the same SIL level for each safety function.

SIS and SIL

In the Safety Life Cycle outlined in ISA-S84.01-1996 (ISA, 1996), steps are included to determine if a SIS (Safety Instrumented System) is needed and to determine the target SIL (Safety Integrity Level) for the SIS.

Safety Integrity Level (SIL)   PFD Average range     Risk Reduction       Availability (%)
SIL 1                          10^-1 to 10^-2        10 to 100            90 to 99
SIL 2                          10^-2 to 10^-3        100 to 1000          99 to 99.9
SIL 3                          10^-3 to 10^-4        1000 to 10,000       99.9 to 99.99
SIL 4                          Below 10^-4           10,000 to 100,000    99.99 to 99.999

What do these numbers mean in the real world?


SIL 1 means that a dangerous failure is probable once every 11.5 to 114 years of continuous operation.
SIL 2 means that a dangerous failure is probable once every 114 to 1,141 years of continuous operation.
SIL 3 means that a dangerous failure is probable once every 1,141 to 11,410 years of continuous operation.
SIL 4 is defined but is unnecessarily high for machine safety applications and is considered economically not practical (unless you are in the nuclear ...).
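The two tables above can be worked through numerically. The following is an added example, not code from the original slides: it maps a PFDavg to its SIL band, rebuilds the risk-reduction and availability columns from the band edges, and reproduces the "years between dangerous failures" figures. The PFDavg band edges are the ones on the page; the SIL 4 lower edge of 10^-5 and the per-hour dangerous-failure bands (SIL 1: 10^-6 to 10^-5 per hour, one decade lower per SIL) are assumed from IEC 61508, which is what the slide's year figures appear to be derived from. The single-channel PFDavg formula at the end is a standard simplification, also not from the page, included to show how the proof-test interval moves a function between bands.

```python
"""SIL bands worked through: PFDavg -> SIL, risk reduction factor and
availability, and the 'years between dangerous failures' reading of a
per-hour dangerous failure rate. Added example; assumptions are marked."""

HOURS_PER_YEAR = 8760

# PFDavg band (lower edge, upper edge) per SIL, as on the page.
# Assumption: the SIL 4 lower edge of 1e-5 (IEC 61508), which is also what the
# page's "99.99 to 99.999" availability column implies.
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_from_pfd_avg(pfd_avg: float) -> int:
    """SIL whose PFDavg band contains pfd_avg, using the page's band edges
    (SIL 1: 1e-2..1e-1, SIL 2: 1e-3..1e-2, SIL 3: 1e-4..1e-3, SIL 4: below
    1e-4). Returns 0 when PFDavg >= 1e-1, i.e. no SIL is achieved."""
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError("PFDavg must be a probability in (0, 1]")
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg (the 'Risk Reduction' column)."""
    return 1.0 / pfd_avg


def availability_percent(pfd_avg: float) -> float:
    """Safety availability = (1 - PFDavg) * 100 (the 'Availability (%)' column)."""
    return (1.0 - pfd_avg) * 100.0


def sil_band_table() -> list:
    """Rebuild the slide's table from the band edges: each row carries the
    PFDavg band, the RRF range and the availability range."""
    rows = []
    for sil, (low, high) in PFD_BANDS.items():
        rows.append({
            "SIL": sil,
            "pfd_avg": (low, high),
            "rrf": (risk_reduction_factor(high), risk_reduction_factor(low)),
            "availability_pct": (availability_percent(high), availability_percent(low)),
        })
    return rows


def years_between_dangerous_failures(pfh: float) -> float:
    """Mean years of continuous operation per dangerous failure for a per-hour
    dangerous failure rate pfh: 1 / (pfh * 8760)."""
    return 1.0 / (pfh * HOURS_PER_YEAR)


def dangerous_failure_years_band(sil: int) -> tuple:
    """(min years, max years) between dangerous failures for a SIL, from the
    assumed per-hour bands: SIL n covers 1e-(n+5) .. 1e-(n+4) per hour.
    For SIL 1 this gives about 11.4 to 114 years, matching the slide."""
    pfh_high = 10.0 ** -(4 + sil)
    pfh_low = 10.0 ** -(5 + sil)
    return (years_between_dangerous_failures(pfh_high),
            years_between_dangerous_failures(pfh_low))


def pfd_avg_1oo1(lambda_du_per_year: float, proof_test_interval_years: float) -> float:
    """Simplified PFDavg for a single channel (1oo1): lambda_DU * TI / 2.
    Assumption: standard low-demand approximation valid when lambda_DU*TI << 1;
    not from the page."""
    return lambda_du_per_year * proof_test_interval_years / 2.0


if __name__ == "__main__":
    for row in sil_band_table():
        print(row)
    for sil in (1, 2, 3):
        lo, hi = dangerous_failure_years_band(sil)
        print(f"SIL {sil}: one dangerous failure every {lo:,.0f} to {hi:,.0f} years")
    # Constructed sensor: lambda_DU = 0.05/yr. Yearly proof test -> SIL 1 band;
    # quarterly proof test -> SIL 2 band, with no change of hardware.
    for ti in (1.0, 0.25):
        pfd = pfd_avg_1oo1(0.05, ti)
        print(f"TI={ti} yr: PFDavg={pfd:.4f} -> SIL {sil_from_pfd_avg(pfd)}")
```

The last loop is the practical point behind the "SIL Misconception" slide further down: the same component lands in different bands depending on how it is tested and operated, so the SIL belongs to the function as implemented, not to the part.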

SIL levels (risk matrix: consequence vs. event likelihood)

Consequence \ Event Likelihood   Frequent   Probable   Occasional   Remote   Improbable
Catastrophic                     SIL 4      SIL 3      SIL 3        SIL 3    SIL 3
Major                            SIL 3      SIL 3      SIL 3        SIL 2    SIL 2
Severe                           SIL 3      SIL 3      SIL 2        SIL 2    SIL 1
Minor                            SIL 2      SIL 2      SIL 1        SIL 1    SIL 1
Negligible / Not Credible        SIL 2      SIL 1      SIL 1        SIL 1    (blank in source)

SIL Misconception
It is a very common misconception that individual products or components have SIL ratings. Rather, products and components are suitable for use within a given SIL environment, but are not individually SIL rated. SIL levels apply to safety functions and safety systems (SIFs and SISs). The logic solvers, sensors, and final elements are only suitable for use in specific SIL environments, and only the end user can ensure that the safety system is implemented correctly. The equipment or system must be used in the manner in which it was intended in order to successfully obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure a SIL 2 or SIL 3 system.

Standards and Regulations relating to SIL Analysis

ANSI/ISA-SP-84.01, "Application of Safety Instrumented Systems for the Process Industries," Instrument Society of America Standards and Practices, 1996.
IEC 61508, "Functional Safety: Safety Related Systems," International Electrotechnical Commission, Technical Committee (1998).
IEC 61511, "Functional Safety: Safety Instrumented Systems for the process industry sector," International Electrotechnical Commission, Technical Committee (Draft).
"Programmable Electronic Systems in Safety Related Applications," Health and Safety Executive, U.K., 1987.
29 CFR Part 1910, "Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents," Occupational Safety and Health Administration, 1992.

Question !!!

ENGINEER: "Why is this existing interlock SIL 2?"
RISK ANALYST: "I don't know off the top of my head. What does the documentation say?"

ENGINEER: "It was set in a safety review. And you were there!"
RISK ANALYST: "Beats me! It doesn't look like it should be SIL 2 when I look at it now."

So, how do we determine the required SIL?

Target SIL
ANSI/ISA S84.01 and IEC 61508 require that companies assign a target SIL for any new or retrofitted SIS. The assignment of the target SIL is a decision requiring the extension of the Process Hazards Analysis (PHA). The assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to an acceptable level.

All of the SIS design, operation and maintenance choices must then be verified against the target SIL.

How do we determine the right SIL - 1

The modified HAZOP method in CCPS (1993) and in the informative annex of S84.01 depends on the team comparing the consequence and frequency of the impact event with similar events in their experience, and then choosing an SIL. If the event being analyzed is worse or more frequent, then they would choose a higher SIL. The result rests very much on the experience and judgment of the team. Thus, the SIL chosen may depend more on whether a team member knows of an actual impact event like the one being analyzed, and less on the estimated frequency of the event.

How do we determine the right SIL - 2

The safety layer matrix listed in CCPS (1993) and in the informative annex of S84.01 (p. 49) uses categories of frequency, severity, and effectiveness of the protection layers.

The categories are described in general terms and some calibration would be needed to get consistent results.
The matrix was originally developed using quantitative calculations tied to some numeric level of unacceptable risk (Green, 1993).

How do we determine the right SIL - 3

The consequences-only method (mentioned in S84.01) evaluates only the severity of the unmitigated consequence. If the severity is above a specified threshold, a specified SIL would be required. This method does not account for the frequency of initiating causes; it assumes all causes are "likely".

It is recognized that this method may give a higher required SIL than other methods.
The perceived trade-off is reduced analysis time. On the other hand, for events whose causes have a high frequency, this method could give a lower SIL than is actually needed.

How do we determine the right SIL - 4

The fault tree analysis (FTA) method quantitatively estimates the frequency of the undesired event for a given process configuration. If the frequency is too high, an SIS of a certain SIL is added to the design and incorporated into the FTA. The SIL can be increased until the frequency is low enough in the judgment of the team. FTA requires significant resources.
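The FTA loop described above, as an added example that is not part of the original slides: a small fault tree is evaluated with the rare-event approximation (OR gates sum initiating-event frequencies, AND gates multiply one frequency by the failure probabilities of the other inputs), and the SIL of an added SIS is raised until the mitigated frequency meets a tolerable target. The tree, the event rates, the relief-valve failure probability and the tolerable frequency of 10^-5 per year are all constructed; the SIS is credited with the worst-case PFDavg of its band (10^-1 for SIL 1, and so on), which is the conservative choice a team would normally make at this stage.

```python
"""FTA-driven target SIL selection. Added example; all numbers are constructed.
Basic events carry either an initiating frequency (per year) or a probability
of being in a failed state when demanded. Gates combine them with the
rare-event approximation."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Event:
    name: str
    rate_per_year: Optional[float] = None   # initiating event frequency
    prob: Optional[float] = None            # failed-state probability on demand


@dataclass
class Gate:
    name: str
    kind: str                                # "OR" or "AND"
    children: List[Union["Gate", Event]] = field(default_factory=list)


Node = Union[Gate, Event]

# Worst-case PFDavg credited to an added SIS of a given SIL (upper edge of the
# page's bands). SIL 0 means no SIS is added.
SIL_WORST_CASE_PFD = {0: 1.0, 1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def evaluate(node: Node) -> Tuple[float, str]:
    """Return (value, kind) where kind is 'rate' (per year) or 'prob'."""
    if isinstance(node, Event):
        if node.rate_per_year is not None:
            return node.rate_per_year, "rate"
        return node.prob, "prob"
    results = [evaluate(child) for child in node.children]
    kinds = {kind for _, kind in results}
    if node.kind == "OR":
        if kinds == {"rate"}:                 # union of initiators: sum frequencies
            return sum(value for value, _ in results), "rate"
        if kinds == {"prob"}:                 # any of several failed states
            survive = 1.0
            for value, _ in results:
                survive *= 1.0 - value
            return 1.0 - survive, "prob"
        raise ValueError(f"OR gate '{node.name}' mixes frequencies and probabilities")
    if node.kind == "AND":
        rates = [value for value, kind in results if kind == "rate"]
        if len(rates) > 1:                    # two frequencies cannot be multiplied
            raise ValueError(f"AND gate '{node.name}' has more than one frequency input")
        product = 1.0
        for value, _ in results:
            product *= value
        return product, ("rate" if rates else "prob")
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed fault tree: overpressure demand from two initiators, escalating
# to vessel rupture only if the existing relief valve also fails to open.
TOP_EVENT = Gate("Overpressure reaches vessel rupture", "AND", [
    Gate("Overpressure demand", "OR", [
        Event("Pressure control loop fails high", rate_per_year=0.1),
        Event("Operator opens bypass in error", rate_per_year=0.05),
    ]),
    Event("Relief valve fails to open on demand", prob=0.01),
])


def unmitigated_frequency(tree: Node = TOP_EVENT) -> float:
    """Frequency (per year) of the top event before any SIS is added."""
    value, kind = evaluate(tree)
    if kind != "rate":
        raise ValueError("top event must resolve to a frequency")
    return value


def mitigated_frequency(unmitigated_per_year: float, sil: int) -> float:
    """Top-event frequency after adding an SIS of the given SIL as one more
    AND input with its worst-case PFDavg."""
    return unmitigated_per_year * SIL_WORST_CASE_PFD[sil]


def required_sil(unmitigated_per_year: float, tolerable_per_year: float) -> Optional[int]:
    """Raise the SIL of the added SIS until the mitigated frequency is at or
    below the tolerable frequency. Returns 0 if no SIS is needed and None if
    even SIL 4 is insufficient, i.e. the process design itself must change."""
    for sil in range(0, 5):
        if mitigated_frequency(unmitigated_per_year, sil) <= tolerable_per_year:
            return sil
    return None


if __name__ == "__main__":
    f0 = unmitigated_frequency()
    tolerable = 1e-5                          # constructed tolerable frequency
    print(f"unmitigated top-event frequency: {f0:.2e} /yr")
    for sil in range(0, 5):
        print(f"with SIL {sil}: {mitigated_frequency(f0, sil):.2e} /yr")
    print("required SIL:", required_sil(f0, tolerable))
```

With these inputs the unmitigated frequency is 1.5 × 10^-3 per year, 150 times the target; a SIL 2 function credited at 10^-2 leaves 1.5 × 10^-5, still above target, so the loop settles on SIL 3. Had the team credited the mid-band PFDavg instead of the worst case, SIL 2 would have passed, which is exactly the calibration question the slides raise about the other methods too.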
