Journal of Loss Prevention in the Process Industries 44 (2016) 212e222

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Method for assigning safety integrity level (SIL) during design of safety
instrumented systems (SIS) from database
Feng Wang a, *, Ou Yang a, Ruibo Zhang a, Lei Shi b
a
National Foundation Research Laboratory of Fault Prevention and Hazardous Chemicals Production System, Beijing University of Chemical Technology,
Beijing, 100029, China
b
State Grid Beijing Electric Test & Research Institute, China

a r t i c l e i n f o a b s t r a c t

Article history: A SIL assignment method for the design and rectication of SIS used for preventing failure action and
Received 10 September 2015 spurious activation is presented in this paper. The method has two stages, including SIL assignment
Received in revised form based on experience and SIL assignment based on risk quantitative calculation results. SIS experience
2 August 2016
information, stored in a SIS experience knowledge database, comprises of equipment, SIS names and SIL
Accepted 25 September 2016
Available online 26 September 2016
information, which is summarized from many different SIS design packages of petrochemical units and
SIS evaluation reports. In the stage of the SIL assignment based on experience, the SIL of SIS for a unit
could be assigned by common SIS information retrieved from the experience knowledge database. In the
Keywords:
Failure action
stage of the SIL assignment based on risk quantitative calculation results, according to IEC 61511, a risk
Spurious activation matrix is established to determine tolerable risks. A SIS initial event failure data table and a protective
SIS layer failure data table are established and the data could be obtained from certain common databases,
LOPA such as OREDA, CCPS. The data will be used to calculate and identify residual risks after applying safe-
SIL assignment system guards according to the Layer of Protection Analysis (LOPA) method. The SIL of SIS can be acquired from
the calculation results of residual risks and tolerance risks. The combination use of the two stages can
generate a method which could be applied in the SIS design of new-built or old-improved units. A SIL
assignment program for the design and rectication of SIS is developed to help SIL-assigning. The
software include three modules, a module of SIL assignment based on experience, a module of SIL
assignment based on risk quantitative calculation results, and a module of SIL verication. Experience
data and risk quantitative calculation results will contribute to the design of SISs for equipment systems.
A residual oil hydrogenation unit is taken as an example to illustrate the design and rectication method
for SIS.
2016 Elsevier Ltd. All rights reserved.

1. Introduction
SIS is one of the most important protection systems in a
petrochemical unit. It will be activated under certain conditions,
including process variables exceeding their design limits, me-
chanical equipment failures, or SIS failures occurring and power
system interruption, which can ensure the safety of operators,
equipment and other items in a chemical processing industry
(Torres-Echeverria et al., 2009). In IEC 61511, a safety function
implemented by SIS for reducing risk and avoiding accident
occurrence is called Safety Instrument Function (SIF) (Ding et al.,
2014). The failure of SIF will cause failure action or spurious
* Corresponding author.
E-mail address: wangfeng991@163.com (F. Wang).
activation. The failure action means that SIS refuses to execute
appropriate functions to keep a process unit from accidents. The
spurious activation means that SIS makes a wrong decision and
executes an error function to improperly act on the process
(Lundteigen and Rausand, 2008). With the wide use of SIS, the
failure action and the spurious activation become two serious
problems which have brought great harm to production process
and personal safety. The main reason for the failure action and the
spurious activation of SIS is improper design. The lack of SIS rele-
vant knowledge and experience and the tardiness of data updating
speed etc., will lead to the improper design of SIS. On March 23,
2005, an explosion accident happened in an isomerization unit of a
BP company in Texas, US. One of the main reasons of the accident is
an error indication of the liquid level of a distillation column in the
unit. The SIS of the unit didn't execute appropriate functions to
adjust the level back to normal. The operators misunderstood the

http://dx.doi.org/10.1016/j.jlp.2016.09.020
0950-4230/ 2016 Elsevier Ltd. All rights reserved.
 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222
level of the column and didn't take any measure to prevent the level
from increasing. Practical experience shows that the improper
design of SIS will cause failure action or spurious activation, and the
accident consequence will be extremely serious. In order to prevent
accidents from occurring, much research on presenting an appro-
priate SIS design method to avoid failure action and spurious
activation has been conducted by many institutions and re-
searchers. Fares Innal made a preliminary investigation of the
balance of KooN architecture analysis between safety integrity and
operating integrity. A general and suitable method based on a ge-
netic algorithm was put forward (Innal et al., 2015). Mary Ann
Lundteigen dened and claried concepts related to the spurious
activation, and a new set of formulas for calculating the rate of the
spurious activation is presented based on logical relationships and
error conditions (Lundteigen and Rausand, 2008). Alan G. King
described how to recognize a high demand rate scenario and
demonstrated how to address abnormal situation (King, 2014).
The above research results mostly focus on calculation methods
or models. However, lack of basic experience data will limit the
application range of the methods and decrease the calculation ac-
curacy of the models. Experience knowledge of a SIS design should
be summarized and used to establish a database. For the SIS design
of a unit, some parameter values could be obtained from the
database. Experience knowledge and risk quantitative calculation
results should be integrated so as to determine the SIS of a unit. This
paper proposes an assignment method of safety integrity level for
design and rectication of safety instrument system.
The database, including the experience knowledge for the SIS
design, could be established according to the method. A program
developed for conducting this method to design SIS is also pre-
sented in this paper. The software include three modules, a module
of SIL assignment based on experience, a module of SIL assignment
based on risk quantitative calculation results, and a module of SIL
verication. Experience data retrieved from the database and risk
quantitative calculation results will contribute to design of SISs for
equipment systems. The SIS design of a residual oil hydrogenation
unit is employed to illustrate a method application.
2. The instruction of assignment method of SIL for SIS design
and rectication
The assignment method of SIL for SIS design and rectication,
including SIL assignment based on experience and SIL assignment
based on risk quantitative calculation results, can be used to
determine the SIL for SIS. (Reniers and Amyotte, 2012; Kongsvik
et al., 2015). The method could be applied in the periods of new-
built units or old-improved units. As for the SIL design of a new
SIS and rectication for existing plants, the stage of the SIL
assignment based on experience will be used rstly. The SIL
assignment based on the risk quantitative calculation results will
be used when lack of relevant experience. Experience knowledge
for the SIL design and rectication should be summarized and
stored in an experience information database. The database in-
cludes SIS information, SIF information, initial event failure data
and protective layer failure data, etc. The information in the data-
base could be used to guide the SIS design and rectication for a
process unit. The SIL assignment based on risk quantitative calcu-
lation results will be necessary if there is no relative information
summarized about the SIS of the object unit in the database. The
calculation results include the occurrence probabilities of events
under protective layers, residual risks and PFDs, etc. Some failure
rates should be obtained from CCPS and OREDA databases or be
calculated based on certain basic models. These calculated results
could also be stored in the database as experience information. The
FTA model, the RBD model or the Markov Analysis (MA) model
213
could be used to calculate the PFDs of corresponding redundant
structures, such as 1oo1, 1oo2, 1oo2D, 2oo2 and 2oo3, etc. The PFD
values could contribute to the SIL determination and verication
(Oliveira and Abramovitch., 2010). The ow chart of the method is
shown in Fig. 1.
3. The SIL assignment based on experience knowledge
3.1. The experience knowledge database
Experience data for SIL design can be obtained from some
process packages and SIL evaluation reports of a certain kind of
unit. The data in the experience information database includes SIS
information, SIF information, initial event failure data and protec-
tive layer failure data, etc., which could be used to guide the design
and rectication of the SIL of SIS of a process unit. However, due to
the change of the design intentions of the plant, the experience
data may be renewed, and thus the knowledge stored in the
database should be updated according to practical situations and
expert experience.
3.1.1. The SIS information
Established is the structure of the data table of the SIS infor-
mation in the database. The column names of the data table are
equipment type, equipment, SIS, SIF, etc. The SIS information is
summarized from many process packages of petrochemical units,
such as hydrogenation units, catalytic cracking units and ethylene
oxide units. The information of 16 kinds of SISs for different types of
equipment and process units has been acquired and stored in the
data table. The SISs and SIFs which are required to ensure the
equipment or process unit safely running could be obtained from
the data table. Then the SIFs and the SISs could be determined
according to the data table. Part of the data table is shown in Table 1.
3.1.2. The SIF information
The information of 56 kinds of SIFs has been summarized and
stored in the data table. A piece of SIF information in the SIF in-
formation data table consists of three parts: basic information, SIF
logic diagram and safety life cycle information.
3.1.2.1. The basic information. The basic information for a SIF
should include SIF name, technological requirement of interlocking,
interlocking monitoring parameter, interlocking function, sensor
monitoring signal source, performance valve type, installation po-
sition of perform valves, etc. The basic information of SIF (low ow
rate of inlet) for a feed pump is taken as an example and shown in
Table 2.
3.1.2.2. The SIF logic diagram. The SIF logic diagram is established
based on logic algebra (and, or and not). It usually includes three
parts: input, logic calculation and output. The SIF logic diagram
could show the causal logic relationships among sensors, control-
lers, executors and calculators, etc. The executing route and
mechanism of a SIF can be acquired from the diagram. The design,
installation and cabling of a SIS could be completed correspond-
ingly to a diagram. The SIF logic diagram for the low feed ow rate
of a heating furnace is shown in Fig. 2.
In Fig. 2, the input signals include the signal of the feed ow of
reactors FXT-A, FXTeB and FTXeC, the signal of reset, etc. The logic
operators include or and and. The output results are 00 and 1.
When the cuteoff valve receives an output result signal, it will
execute an open or close action.
3.1.2.3. The safety life cycle information. The safety life cycle
information includes the safety life cycle parameters of sensors,
214 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222

Fig. 1. Flow chart of the method for a design method of safety integrity level in a hydrogenation unit.

Table 1
Part of the data table containing the SIS information.

Equipment type Equipment SIS SIF

Rotation equipment Pump Centrifugal pump Low ow rate of outlet, emergency shutdown, pressure releasing and shutdown,
low pressure of lubricating oil, low ow rate of inlet, axial displacement interlock,
shaft vibration, high bearing temperature, high motor winding temperature, pump
turbine over speed, etc.
Compressor Reciprocating compressor High temperature of outlet, emergency shutdown, pressure releasing and
shutdown, low pressure of lubricating oil, high liquid level of the separator before
the compressor, etc.
Static equipment Heating furnace Furnace Low feed ow rate, high outlet temperature, emergency shutdown, pressure
releasing and shutdown, low pressure of fuel gas, low fuel gas pressure of pilot, etc.
Separator Oil and gas water separator Low liquid level, high liquid level, low interface level, high interface level, etc.

logical controllers and actuators which mainly come from the
CCPS database and the OREDA database. In the data table of the
safety life cycle information, the column names are safety in-
strument function, redundant structure, hazardous failure rate,
safety failure rate, diagnostic coverage probability, common
cause failure factor, detecting interval time, average repairing
time and average restart time. The safety life cycle information
of a SIF (low ow rate of outlet) is shown in Table 3. The
required parameters for the SIL assignment based on risk
quantitative calculation results could be provided by the data
table.
3.2. The SIS assignment
3.2.1. The risk identication
The risk identication method could be employed to identify the
nodes and the equipment with high risk in a chemical processing
plant and verify whether the safeguard for the risk can successfully

Table 2
The basic information of SIF (low ow rate of inlet) for a feed pump.

SIF name Low ow rate of inlet

Technological Requirements of Interlocking 1. Valve position of electric valves equipped on inlet and outlet pipes should be displayed in a control room.
2. The pump could be started after all the electric valves equipped on the inlet pipes are opened. The electric valve
installed on the outlet pipe should be opened manually after the pump was opened.
3. The inlet electric valve of the pump cannot be closed for any reason during a normal operation process. Immediately
shutdown the pump if the inlet electric valve were closed.
Interlocking Monitoring Parameters Inlet ow rate of reaction feed pump P-1
Interlock Function 1. Preventing pump idling when the inlet ow rate is too low.
2. Avoid pump evacuation when the liquid level raw oil buffer tank is too low.
3. Avoid explosion accident caused by pump leakage.
The Required SIL Level 2
Sensor Monitoring Signal Source 1. The inlet electric valve of reaction feed pump.
2. The button (DCS HSO - 20601 - D).
Valve Type Electric valve
Installation Position of the Valve The inlet pipe of the pump and the valve number is XV20601.
Types of Output signal Start signal allowed (DO)
Signal Source 1. Electric valve of reaction feed pump, button for valve opening.
2. Electric valve of reaction feed pump, button for valve shutdown.
3. Reaction feed pump running signals.
 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222 215

Fig. 2. The SIF logic diagram for the low feed ow rate of a heating furnace.

Table 3
The safety life cycle information of a SIF (low ow rate of outlet).

Item Safety instrument function Redundant structure Hazardous failure rate Safety failure rate Diagnostic coverage probability

Value Outlet ow low SIF 1oo2 5.00E-07 5.00E-07 0.6

Item Common Cause Failure Factor Test Interval Time Average Repairing Time Average Restart Time
Value 0.03 26280 8 24

Unit name: Residual oil hydrogenation.

Node name: Hydrogenation feeding system.
Equipment name: Hydrogenation feed pump (P - 1002).
Drawing Number: PID- 1- 105- P1002.
P e Probability.
S e Severity.
R e Risk rank.

limit the risk to a tolerable range. HAZOP analysis is widely used to
conduct the process risk analysis (Wang et al., 2009). Process, hu-
man operations, equipment, a mass of material, a number of in-
struments, control systems, safety and environment, etc.,
interweave to form a complex process plant. The HAZOP analysis
has been widely used in petrochemical industries, especially in
complex process plants. In a HAZOP analysis report, causes, con-
sequences and safeguards can be obtained for each risk event
(Venkatasubramanian et al., 2000). Part of a HAZOP analysis report
is shown in Table 4.
3.2.2. The SIS assignment
The SIS information and the SIF information may be retrieved
from the data tables (Tables 1 and 2) in the database. Most units
may be designed and constructed according to a same process
design package developed by one famous design company. The
SIS design in the process package for different client companies
are the same, but the detailed design of SISs may be different,
because raw material, climate, personnel, equipment, environ-
ment etc., in different companies will be different. The data
cannot be directly used to design a SIS for a new unit, but the

Table 4
HAZOP analysis report.

Guide words Deviation Possible reasons Consequence Risk Corrective action Suggestion
assessment

P S R

High High level 1. High raw materials oil It's serious when the Tank is 3 2 2 LC1001; FC1001; FC1002;
from the atmospheric and full; raw material oil enters LI1003; PSV1001A/B LI1004
vacuum into emergency vent
system. The gas phase vent
pipe is plugged.
High High pressure 1. Control circuit failure of Overpressure leak of raw 3 2 2 PSV1001A/B; PI1005
PC1004 material oil buffer tank
V1001, it is easy to cause
burns, re, poisoning
accidents when it's serious.
216 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222

Table 5
The SIS assignment information based on experience.

HAZOP analysis report SIS information SIF information

Node name Unit name Equipment name Equipment type Equipment SIF name The required SIL Safety instrument Redundant
level function structure

Hydrogenation Residual oil Hydrogenation Rotation Pump low ow rate of 2 Outlet ow low 2oo3
feed hydrogenation feed pump equipment inlet SIF
(P - 1002)
Deviation Risk level Possible reasons SIS SIF Interlocking Sensor Valve type Installation
monitoring monitoring signal position of the
parameters source valve
High level 2 High raw centrifugal pump low ow rate of Inlet ow rate of 1. The inlet Electric valve The inlet pipe of
materials oil from inlet reaction feed electric valve of the pump and the
the atmospheric pump P-1 reaction feed valve number is
and vacuum pump. XV20601.
2. The button
(DCS HSO - 20601
- D).
Consequence It's Serious when the Tank is full, and The Safety life The information shown in Table 3
raw material oil enters into cycle information
emergency vent system. The gas of SIF
phase vent pipe is plugged.

Table 6
Consequence levels and their tolerable rates.

Consequences level Consequence Tolerable risk rate

1 Almost no loss 0.1

2 Cause serious injury, or acute poisoning for people, but did not cause death. Caused a direct economic loss of more than 0.01
500000 yuan, and less than1 million yuan. Light pollution to surroundings.
3 1-2 people died, or 3 to 9 people poisoning (seriously).Caused a direct economic loss of more than 1 million yuan, less 0.001
than 5 million yuan. Caused administrative areas disputes across the county by the accident. Oil leakage under 1 ton in
environmentally sensitive area, and for the sensitive area in the environment, the oil leakage is under 10 tons which
caused a pollution accidents in general.
4 3-9 deaths, or 10e49 people poisoning (seriously); Caused a direct economic loss of more than 5 million yuan, less than 0.0001
10 million yuan. Administrative regional disputes cross regional was caused by the accident, the local economic and
social activities are affected; In environmental sensitive area of 1e10 tons of oil leakage, and in the environmental
sensitive area oil leakage Leak amount of 10e100 tons, causing signicant pollution accident.
5 More than 10 deaths, or more than 50 people poisoning (seriously).Caused a direct economic loss of 10 million yuan or 0.0001
more;

data in the database can be taken into account for designing
identical equipment systems. SIL evaluation reports will
contribute to constructing the database. The SIS information for
one kind of unit could be summarized from the design package
and SIL evaluation reports and stored in a database. In this
database, 16 kinds of SISs and 56 kinds of SIFs for different types
of equipment and process units have been acquired and stored
in the data table. The information in the database will be
constantly increased and updated upon the accumulation of the
design experience of SIS. The SIS database consists of device
name, SIS name and SIF name. A SIL design example of a Hy-
drogenation Feed Pump is given in this paper to illustrate the
SIL evaluation.
3.2.2.1. Identication of equipment type. Hydrogenation feed pump
is a kind of centrifugal pumps. According to the data table, 9 kinds
of SIFs need to be set up, including outlet ow low SIF, emergency
stop SIF, pump pressure shutdown SIF, low oil pressure SIF, exces-
sive axial displacement SIF, shaft vibration SIF, bearing temperature
exorbitant SIF, motor winding temperature exorbitant SIF, and
pump turbine over speed SIF.
3.2.2.2. Determination of basic information. The SIS basic informa-
tion for a hydrogenation feed pump based on experience can be
determined by the data retrieval of the database. As shown in
Table 5, the SIL level is 2 and the SIS system can be assigned.
4. The SIL assignment based on risk quantitative calculation
results
4.1. Conrming tolerable risk rate for each consequence level
The consequence severity could be described and ranked by the
value of a tolerable risk rate. The tolerable risk rate for each
consequence level can be acquired according to the risk matrix in
IEC 61508 and IEC 61511, the ALARP theory, consequence catego-
rization in Chemical Process Safety Center of American Institute of
Chemical Engineers (CCPS) guideline for LOPA and the experience
knowledge used in the petrochemical industries. The consequence
levels and their tolerable rates are shown in Table 6. A real conse-
quence result can be evaluated according to the consequence
content described in Table 6. The tolerable risk rate of the conse-
quence result can be determined (H. Jin et al., 2011).
4.2. The PFD calculation
4.2.1. The initial event failure data and the protective layer failure
data
Data for a LOPA analysis includes initial event failure data and
independent protection layer data (Bai et al., 2010). The failure data
of 28 kinds of common initial events and 22 kinds of common
coating failure has been collected. The data mainly comes from the
guidelines of CCPS (Center for Chemical Process Safety). The data is
mainly used to quantify the causative events and independent
 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222 217

Table 7
The initial event failure data.

Initial event type Initial event Failure rate (per year) Data source

Control system failure BPCS Circuit failure 0.1000 CCPS

Equipment failure Regulator failure 0.1000 CCPS
Equipment failure Heat exchange tube failure 0.0100 CCPS
Equipment failure Pump or other rotating equipment failure 0.1000 CCPS
Equipment failure coupling failure of Junction of pump or compressor with dynamo 0.0100 CCPS
Reaction failure Cooling water failure 0.1000 CCPS
Control system failure Energy interruption 0.1000 CCPS
Human error Misoperation, routine tasks, improve the training 0.0010 CCPS
Human error Misoperation, routine tasks, once a day 0.1000 CCPS
Human error Misoperation, routine tasks, once a month 0.0100 CCPS
Human error Misoperation, unconventional task, low pressure condition 0.1000 CCPS
Human error Misoperation, unconventional task, high pressure condition 1.0000 CCPS

Table 8
The protective layer failure data.

Independent protection layer Failure rate (per year) Data source

BPCS circuit failure. When not considered as the initial event 1  10-1 CCPS
The operator's wrong response to alarm. Suppose you have ten minutes of the reaction time and also through effective training 1  10-1 CCPS
Danger/critical operation failure. Operating in a dangerous or critical condition 1  10-1 CCPS
SIL1 security function failure. Compliance to IEC61508 rules 1  10e2~1  10-1 CCPS
SIL2 security function failure. Compliance to IEC61508 rules 1  10e3~1  10-2 CCPS
SIL3 security function failure. Compliance to IEC61508 rules 1  10e4~1  10-3 CCPS
Discharge valve failure. in clean medium environment 1  10-2 CCPS
Discharge valve failure. in polluted medium environment 1  10-1 CCPS
Pump safety valve failure. component of MI system 1  10-2 CCPS
Pump safety valve failure. not the component of MI system 1  10-1 CCPS
Return valve of pump failure 1  10-1 CCPS
The check valve failure 1  10-1 CCPS

Table 9
Calculation of the event occurrence probability under protective layers.

IE IEF IDFF BFF AOPFF SRSFF PPFF ERFF OPEPL

Reaction failure F1 F2 F3 F4 F5 F6 F7 Q7
F i1 Fi
Equipment failure S1 S2 S3 S4 S5 S6 S7 Q7
S i1 Si
Q
Control system failure K1 K2 K3 K4 K5 K6 K7 K 7i1 Ki
Q
Human error R1 R2 R3 R4 R5 R6 R7 R 7i1 Ri
External event E1 E2 E3 E4 E5 E6 E7 Q7
E i1 Ei
Q
Reference experience Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y 7i1 Yi

IE dThe Initial Event.

IEF dThe Initial Event Frequency.
IDFF d The Industrial Design Failure Frequency.
BFF dThe BPCS Failure Frequency.
APOFF dThe Alarm and Personnel Operation Failure Frequency.
SRSFF dThe Safety Relief System Failure Frequency.
PPFF dThe Physical Protection Failure Frequency.
ERFF dThe Emergency Response Failure Frequency.
OPEPL dThe Occurrence Probability of Events under Protective Layers.

protection layer failure rates in the LOPA process. The initial event
failure data obtained from the CCPS guideline is shown in Table 7.
An initial event in a process control process could be divided into
several classes, including control system failure, equipment failure,
reaction failure, human error, external event, etc. (Bai et al., 2010).
The values of the failure rates of certain protective layers are shown
in Table 8. These basic data could be used to conduct a LOPA
calculation.
4.2.2. The calculation of the event occurrence probability under
protective layers
The initial events could been divided into several classes,
including Control System Failure (CSF), Equipment Failure (EF),
Reaction Failure (RF), Human Error (HE), External Event (EE), etc.
There will be seven protective layers for each initial event. Every
protective layer will have a failure rate. The initial event failure
data and the protective layer failure data may be obtained from
Tables 7 and 8 The occurrence probability of an event under
protective layers will be equal to the accumulation of the failure
rates of the protective layers and the initial event failure rates.
The occurrence probability of CSF, EF, RF, HE, EE can be acquired
Table 10
SIL-rank.
SIL PFD
1 10-2  PFD<10-1
2 10-3  PFD<10-2
3 10-4  PFD<10-3
4 10-5  PFD<10-4
218 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222

Fig. 3. Framework of the SIL-Assist software.

from the calculation result. However, the same SIS installed in Reference Experience (RE) is introduced to calibrate the failure
different units will have different failure rates due to operation rate calculation. The calculation method of the event occurrence
habit, external environment, chemicals and other different factors probability under protective layers is shown in Table 9. (Bai et al.,
(Keren et al., 2006) (Dunham, 2003). Therefore, a variable named 2010).

HHPS Vapor

Oil, hydrogen
reactants from R-1001
E-1006
HHPS Vapor/Recycle
Gas Exchangers

R-1002 R-1004
First Third
Reactor Reactor

V-1003 HLPS Vapor

Hot High Pressure
Separator
R-1003 R-1005
Second Fourth
Reactor Reactor
V-1004
Hot Low Pressure
Separator
E-1005
Bypass Gas/Reactor
Effluent Exchanger HLPS Liquid

Fig. 4. The ow chart of the process unit.

 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222 219

Fig. 5. The SIS assignment information based on experience.

4.2.3. The PFD calculation and the SIL determination

PFD TRR = F S K R E Y (1)
According to the ANSI/ISA-84.01-1996 standard, the PFD can be
calculated through the division of the Tolerable Risk Rate (TRR) by
the occurrence probability of event under protective layers'. The The corresponding SIL for the PFD calculation result can be
PFD can be calculated according to formula (1): obtained from Table 10. (Zhang, 2010).

Fig. 6. The tolerable risk rate of the event.

220 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222

Fig. 7. The initial event failure data and the protective layer failure data.

5. The development of SIL-Assist software and its application 5.2. The application of the SIL-Assist software

5.1. The SIL-Assist software
A SIL-Assist software is developed to conduct the SIL assignment
method for the SIS design and rectication of a petrochemical unit.
The software includes three modules, a module of SIL assignment
based on experience, a module of SIL assignment based on risk
quantitative calculation results, and a module of SIL verication. A
database is established to store SIS information, SIF information,
initial event failure data and protective layer failure data. FTA and
RBD models are used to verify the SIL. The framework of the SIL-
Assist software is shown in Fig. 3.
5.2.1. The description of the process unit of hot high pressure
separator
The hot high pressure separator in a residue hydro-
desulphurization unit is one of the most commonly used pressure
equipment. The process unit of the hot high pressure separator is
often operated at extremes of pressure and temperature, thus
making it more vulnerable to equipment failures. Fire, explosion
and toxic accidents will happen due to the leakage of the equip-
ment. In this process unit, the reaction product will ow to the hot
high pressure separator. The separated vapor will go into E1006
HHPS vapor/recycle gas exchanger and the separated liquid will

Fig. 8. PFD calculation and SIL determination.

 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222 221

Table 11
The PFD calculation formulas used in SIL verication.

Redundant FTA model RBD model

structure
   
1oo1
PFDavg lDU TI
2 MTTR lDD MTTR PFD lDC TI
2 MTTR lDD MTTR
     
1oo2
PFDavg lDUC TI
2 lDUN lDDN 2 tCE tGE lDDC MTTR lDUC TI
MTTR
2 MTTR lDUN
TI 2 MTTR,TI MTTR2
3 2
     
2oo2 0 0
PFDavg lDDC MTTR lDUC TI
2 MTTR 2lDDN MTTR 2lDUN 2 MTTR
TI 2lDUN lDUN lDDN lSD tCE tGE lDDC MTTR lDUC TI
2 MTTR
     
1oo2D
PFDavg 3lDDC MTTR 3lDUC TI2 MTTR 3lDDN MTTR 6lDDN MTTRlDUN 2 MTTR
2 TI 2lDU TI2 MTTR 2lDD MTTR
   
2oo3
3l2DUN TI3 MTTR,TI MTTR2
2
6lDDN lDUN 2 tCE tGE lDDC MTTR lDUC TI
2 MTTR

Fig. 9. The calculation result interface for the 2oo3 structure of sensor.

ow into V1004 hot low pressure separator. The temperature of the
hot high pressure separator is 624 K and the pressure is 16.23 MPa.
The process unit is very dangerous in the plant and will need SIS to
prevent an accident. The process unit will be taken as an example to
illustrate the software application. The ow chart of the process
unit is shown in Fig. 4.
information should be calculated by using the module of the SIL
assignment based on risk quantitative calculation results.
5.2.3. The SIL assignment based on risk quantitative calculation
results

5.2.2. The SIL assignment based on experience
From the module of the SIL assignment based on experience, the
SIF logic diagrams and the SIL assignment information based on
experience can be obtained, as shown in Fig. 5. The data retrieved
from the software database should be taken into account for
designing identical equipment systems. It is impossible to nd data
for all systems. The experience data in the database will contribute
to designing the SIS of a new process unit. If the available SIS in-
formation can't be found in the database, the SIL assignment
5.2.3.1. The tolerable risk rates of the scenarios of the process unit.
The tolerable risk rates of all the scenarios in the process unit could
be acquired according to IEC 61508, IEC 61511, the ALARP theory,
the consequence categorization in the CCPS guideline for LOPA and
the experience knowledge used in the petrochemical industries.
The consequence level could be evaluated according to a conse-
quence analysis result. The tolerable risk rate of the event (low level
of the equipment) is 0.0001, as shown in Fig. 6. The initial event
failure data and the protective layer failure data could be obtained
from the data table of the software database, as shown in Fig. 7.

Fig. 10. The calculation result interface for the 1oo1 structure of actuator.
222 F. Wang et al. / Journal of Loss Prevention in the Process Industries 44 (2016) 212e222
5.2.3.2. The PFD calculation. The PFD and the SIL of the event (low
level of the equipment) could be automatically calculated and
exhibited in a software interface by pressing the SIL Determination
button, as shown in Fig. 8. The PFD is 0.0091 and the SIL is 2.
5.2.4. The SIL verication
5.2.4.1. The verication model and the redundant structure
5.2.4.1.1. The validation models and calculation formulas.
The SIL verication for this process unit includes the verication of
sensors, controllers and actuators. According to IEC 61508, the FTA
model and the RBD model can be selected to be the verication
models in the software. The types of redundant structures used in
the process unit may include 1oo1, 1oo2, 1oo2D, 2oo2, 2oo3. The
PFD calculation formula used in the SIL verication are deduced
and listed in Table 11.
5.2.4.2. The SIL validation results. In the process unit, the redundant
structure of the sensor is a 2oo30 structure and the redundant
structure of the actuator is a 1oo10 structure. The PFD value of the
sensor of the event (low level) is 5.1022 e4/h and the PFD value of
the actuator is 8.655 e3/h. The calculation result interface for the
2oo30 structure of the sensor is shown in Fig. 9 and the interface for
the 1oo1 structure of the actuator is shown in Fig. 10. According to
the PLC TUV (Rhineland, Germany Rhine technical supervision
companies) safety certication, the PFD value of the logical
controller is 5.1  e4/h. Therefore, the PFD value of the system is
10.19022 e3/h and the SIL is 2.
The verication result and the calculation result are the same,
and if different, certain structures, variables and parameters, such
as redundant structure, would need to be adjusted and amended.
6. Conclusions
In order to avoid failure action and spurious activation caused by
an improper design of SIS, which are two severe problems existing
in the industrial application of a SIS, this paper presents a SIL
assignment method for a SIS design and rectication of a petro-
chemical unit. The experience information of a SIS design could be
stored in a database based on the study of classication of reliable
SIS in a petrochemical device, which can help designers design a SIS
with basic information. Not only the SIF and the SIL could be
designed completely and reasonably, but also the site setting of
sensors and nal elements could be more effective. The assignment
system of the SIL design and rectication for a SIS is developed to
help SIL-assigning. However, the accumulation and validation of
experience knowledge need to be constantly improved, and the
calculation model needs to be corrected continuously. With the
accumulation of experience and model correction, the function of
the method can be improved, which will ensure the safe perfor-
mance of security instrument and equipment.
Acknowledgments
This work was supported by the Beijing Key Subject Project 2015
Safety & the Fundamental Research Funds for the Central Univer-
sities 2016 & PetroChina Science and Technology Innovation Fund
2015D50060606 & Funding from SGCC for Hazard Assessment and
Prevention for Gas Insulated Equipment H2015331.
References
Bai, Yongzhong, Dang, Wenyi, Yu, Anfeng, 2010. Layer of Protection Analysis:
Simplied Process Risk Assessment. Center for Chemical Process Safety.
Ding, Long, Wang, Hong, Kang, Kai, 2014. A novel method for SIL verication based
on system degradation using reliability block diagram. Reliab. Eng. Syst. Saf.
132, 36e45.
Dunham, M.H., 2003. Data Mining Introductory and Advanced Topics. Pearson
Education, Inc, NJ, pp. 184e192.
Innal, Fares, Dutuit, Yves, Chebila, Mourad, 2015. Safety and operational integrity
evaluation and design optimization of safety instrumented systems. Reliab. Eng.
Syst. Saf. 134, 32e50.
Jin, H., Lundteigen, M.A., Rausand, M., 2011. Reliability performance of safety
instrumented system: a common approach for both low- and high- demand
mode of operation. Reliab. Eng. Syst. Saf. 96, 365e373.
Keren, N., Anand, S., Mannan, M.S., 2006. .Calibrate failure-based risk assessments
to take into account the type of chemical processed in equipment. J. Loss Prev.
Process Industries 19 (6), 714e718.
King, Alan G., 2014. SIL determination: recognising and handling highdemand mode
scenarios. Process Saf. Environ. Prot. 9 (2), 324e328.
Kongsvik, Trond, Almklov, Petter, Haavik, Torgeir, Haugen, Stein, Vinnem, Jan Erik,
Schieoe, Per Morten, 2015. Decisions and decision support for major accident
prevention in the process industries. J. Loss Prev. Process Industries 35, 85e94.
Lundteigen, Mary Ann, Rausand, Marvin, 2008. Spurious activation of safety
instrumented systems in the oil and gas industry: basic concepts and formulas.
Reliab. Eng. Syst. Saf. 93, 1208e1217.
Oliveira, L.F., Abramovitch, R.N., 2010. Extension of ISA TR84.00.02 PFD equations to
KooN architectures. Reliab. Eng. Syst. Saf. 95, 707e715.
Reniers, Genserik, Amyotte, Paul, 2012. Prevention in the chemical and process
industries: future directions. J. Loss Prev. Process Industries 25 (1), 227e231.
January 2012.
Torres-Echeverria, A.C., Martorell, S., Thompson, H.A., 2009. Modelling and opti-
mization of proof testing policies for safety instrumented systems. Reliab. Eng.
Syst. Saf. 94, 838e854.
Venkatasubramanian, V., Zhao, Jingsong, Viswanathan, Shankar, 2000. Intelligent
system for HAZOP analysis of complex process plants. Comput. Chem. Eng. 24,
2291e2302.
Wang, F., Gao, J.J., Guo, K., 2009. A hazard and operability analysis method for the
prevention of misoperations in the production of light magnesium carbonate.
J. Loss Prev. Process Industries 22 (2), 237e243.
Zhang, Jianguo, 2010. The Application of the Safety Instrument System in Process
Industry. China power press, Beijing, pp. 94e106.