Chemical engineering safety and design services

SIL and LoPA: Layers of Protection Analysis and Safety Integrity Level

"The modern way of ensuring the reliability of most instrumented protective systems"

Safety Integrity Level is a concept that was introduced with BS EN 61508, and has been developed for the process industries in BS EN 61511. These recognise that modern design tends to rely on electronic programmable systems for control and safety functions. A huge amount has been written on the subject since then, and I won't try to give more than an overview below.

There are three distinct aspects to compliance with these standards.

Firstly, it comprises a risk assessment. In this, the loss scenario is considered in detail in a quantified way. All practical aspects of the risk are considered, the aim being to come up with a conservative but realistic estimate of the severity (consequences) of the risk, and a conservative but realistic estimate of the likely frequency with which it will occur. This is then compared with the Tolerability of Risk that has been declared by the Company or project, and this comparison allows a conclusion to be made as to whether the risk has been controlled to an acceptably low level. If it has, then a Safety Instrumented Function (SIF) is not needed. If not, then further risk reduction is needed, which might take the form of an SIF. If this is the chosen method, then the system has to comply with the standards.
The size of the gap (between the acceptable rate for the risk and the predicted rate) determines the Safety Integrity Level, and the Risk Reduction Factor, which the SIF must provide.

Secondly, compliance requires that the SIF should be suitably designed and configured, and its predicted performance must meet or exceed the requirement set in the first stage. The architecture and reliability of the system must conform to the standards. Most systems are so-called "low demand rate" systems, such as emergency shut-down systems. An air bag in a car is an example of such a system. These must be periodically tested to ensure they are working correctly. However there are also "high demand rate" systems, which are continuously keeping the process safe. These cannot be tested, as the loss scenario will occur within a short time of the SIF failing to danger.

Thirdly, the system must be operated correctly. This usually means that all low demand rate systems must be tested as prescribed in the design, and the results recorded for inspection and analysis. The analysis is intended to be a practical check on the field performance of the SIF. If evidence is gathered that its field reliability is poorer than predicted in the design, then remedial action must be taken to improve it to the required level.

2. How to assess the SIL requirements of an instrumented protective system

In principle it's quite easy - you do a risk assessment and decide how much risk reduction is required from the SIF to meet or exceed the risk target. This can be done either by a so-called Risk Graph (see below), by Layer of Protection Analysis (LoPA), or by any other quantitative risk assessment method. The method chosen depends on the stage of the study and on the answer itself, as higher SIL results should be supported by more rigorous assessment methods. In practice, doing this has many pitfalls.
In a recent survey of LoPA studies that had been submitted to the UK Health and Safety Executive (HSE) in support of their COMAH (Control of Major Accident Hazards legislation) IPLs installed on fuel tanks, the HSE's Health & Safety Laboratory made many critical statements about the quality of the work. In Research Report 716 (RR716), the authors critically review a set of LoPA studies on what would be regarded as quite simple systems, which protect tanks from becoming over-filled, as happened at Buncefield in December 2005. These LoPA calculations had all been performed by competent people, some being company experts and some being external consultants. However the report points to multiple instances showing:

- lack of explanation of why certain data were taken, and their sources
- poor justification of data taken for human reliability contributions
- lack of rigour in identifying all the initiating events
- giving credit of a PFD (probability of failure on demand) of less than 0.1 to non-SIL rated protective layer systems
- insufficient detail in the assessment of the loss events
- double counting of layers of protection
- failure to check on the independence of separate protective layers
- lack of site specific data
- assumed probabilities of Conditional Modifiers being unjustified and optimistic
- failure to correctly derive and justify the TOR (tolerability of risk) targets set for the systems
- confusion between societal and individual risk values

This shows that LoPA is not a simple procedure, and also that the Authorities are aware of this and will be keen to ensure that duty holders are not only paying lip service to their responsibilities to design, install and operate their SIFs correctly.

4. How to design an instrumented protective system to meet the SIL requirements

As explained above, the first step is to carry out a risk assessment and analyse the risk gap that has to be closed by the SIF.
There are two primary methods used, Risk Graphs and LoPA.

a) Risk graphs

The first method offered by the Standards is the Risk Graph. This is a simple graphical interpretation of the calculation, with risk factors reduced to a simple word model. Details are given in the Standards (see BS EN 61511 part 3, Annex D), but a typical representation of a SIL risk graph is as follows:

[Figure: typical SIL risk graph]

Using this graph is simple:

1. Assess the consequence of the risk should it occur without any mitigation, and select an appropriate severity from the left column of options. Then follow that thread to the right.
2. For the centre two severities, then assess whether people are frequently exposed to the risk, e.g. are they located within the area where a fire is foreseen as being a risk. If there is less than a 10% chance, select 'rare', otherwise select 'frequent'.
3. If appropriate, then decide whether a person finding themselves in danger as the risk is becoming reality can escape. If their chance is 90% or better, choose 'possible', otherwise choose 'not likely'.
4. In all cases, estimate how often the risk might come about. In its raw state, a risk graph would simply look for how often it might happen, e.g. how often an operator might overfill a tank. However it is reasonable to modify that if there are other safeguards, e.g. an independent high level alarm that an operator can observe and respond to, and hence reduce the risk rate. This is a small input from "Layers of Protection" methodology.
5. Read the SIL rating from the table.

So, can you just copy this graph and go away and determine your SIL requirements? NO! This is an example graph and you must produce your own, quantifying what you mean by 'relatively high', 'low' and 'very low' demand rates, and then checking that following some example situations leads to a correct SIL rating (in terms of PFD) against your company's tolerability of risk criteria.
You cannot just "borrow" someone else's graph and use it without justification. Once thus calibrated, you can use the risk graph for your situation. However this is a very crude tool. Small changes in the data can lead to large changes in the result. Hence they should be calibrated conservatively. As a result of their inaccuracy it would be wise not to rely on any result higher than SIL 1. However it might still be rating a system SIL 1 when it is not actually needed, were the risk assessment to be done more thoroughly. Hence many practitioners recommend throwing risk graphs in the waste bin. However, they do have a use in early process design, say at Hazard Study 2 stage, when there is not enough detail in the design to carry out a LoPA analysis. This then becomes a process design tool rather than a safety system design tool.

b) Layers of Protection Analysis (LoPA)

This procedure has become very popular since it has the potential to be accurate in most situations, and does not necessarily lead to over-design of the safety system. Having said that, the Authorities still expect justifiable and conservative data to be used, as noted above in my comments on RR716. Also as noted above, LoPA appears simple, but there are many pitfalls for the inexperienced. The principle though is simple:

1. Set your Tolerability of Risk Criteria to be used in the assessment of acceptability. These should be your Site or Company values.
2. Collect your reliability data to be used in the calculations. Ideally the same set of data will be used for all LoPA assessments on the site.

Then for each loss scenario:

1. Estimate the total risk rate based on summing all the ways in which the risk can become reality (i.e. the Initiating Events), e.g. the rate at which a tank might be overfilled equals the rate at which it might be overfilled by a tanker offload plus the rate at which it might be overfilled by process transfer.
2. Estimate the consequence of the loss event should it occur without any mitigating actions and assuming people are present in the danger area.
3. Account for any conditions that have to be true before the risk can occur, known as Enabling Conditions, e.g. the tank being above a certain level.
4. Account for any factors that reduce the consequence of the hazard, known as Conditional Modifiers, e.g. people normally present in the area for only 10% of the time.
5. Account for any Layers of Protection. These must fulfil a set of criteria, such as "is it able to prevent the loss", "is it fast enough", "is it independent".
6. Check that all reducing factors apply for all initiating methods, and discount these factors if any are not true.
7. This leads to a prediction of how often the loss event will lead to a loss of the type assumed. Hence deduce the PFD required of the SIF that will reduce the risk to better than the target.
8. Convert the PFD into a SIL level. This SIL rating and PFD are the criteria for design of the SIF that will be used. This is done according to the standards, i.e.:

   0.1 > PFD >= 0.01: SIL 1
   0.01 > PFD >= 0.001: SIL 2
   0.001 > PFD >= 0.0001: SIL 3
   0.0001 > PFD >= 0.00001: SIL 4

If the required PFD is more than 0.1 (i.e. the requirement does not reach SIL 1), it might be possible to give the function to the Basic Process Control System (BPCS), i.e. the plant control computer, provided no other BPCS function has been assumed as a layer of protection, or as a conditional modifier. If the PFD is more than 1, then no SIF is required.

c) Fault trees and event trees

This is a powerful pair of techniques for mapping the precise set of events leading to a loss event (the fault tree) or the loss event leading to outcomes (the event tree). To a certain degree, the technique "Bow Tie analysis" combines the two. This is a large subject and is very versatile. Events that do not fit with the simple model used by LoPA can be analysed using these techniques. Often it is found that a simple safety system cannot be added to complex situations with the holistic effect that we see for safety systems applied to simple loss situations modelled by LoPA.
There are many text books on this subject, and I refer the reader to these. However it's worthwhile saying that the majority of loss events in chemical plants do fit with the simple "something goes wrong, leading to a loss, leading to some consequences, the frequency of which can be reduced by a simple safety system" model. Hence LoPA is far more common than FTA and ETA in chemical plant loss and risk assessments.

Stuart Ord
BSc (University of Leeds, Honours class 1), CEng, FIChemE, MEI, TechIOSH

Stuart is an experienced Hazard Study and SIL assessment leader who offers:

- Leadership of safety studies
- Hazard Studies HS1, HS2, HS3 / HazOp, HS4, HS5 and HS6
- SIL assessments using LoPA, Event Tree Analysis and Fault Tree Analysis
- Related work such as Failure Modes and Effects Analysis, and Bow Tie analysis
- Hazard Identification (HazID)
- Training in any of the above topics, for leaders and for participants

CEDCS Ltd, Chester, Cheshire
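The per-scenario LoPA arithmetic of section b), the SIL table, and the RR716 warning about crediting non-SIL-rated layers with a PFD better than 0.1, as an added worked example (not code from the article or its author). The tank-overfill rates, layer PFDs and tolerability target are constructed sample values.

```python
"""LoPA arithmetic for one loss scenario (section b): added illustration, not the article's code."""
from dataclasses import dataclass, field

@dataclass
class Layer:
    name: str
    pfd: float               # probability the layer fails to stop the loss (or modifier probability)
    sil_rated: bool = False  # RR716: a non-SIL-rated layer may not be credited better than 0.1

@dataclass
class InitiatingEvent:
    name: str
    rate: float            # events per year
    enabling: float = 1.0  # enabling-condition probability
    layers: list = field(default_factory=list)  # only the layers that truly apply to this cause

def mitigated_frequency(events: list) -> float:
    """Sum every initiating event, each reduced only by its own applicable layers."""
    total = 0.0
    for ev in events:
        freq = ev.rate * ev.enabling
        for layer in ev.layers:
            if not layer.sil_rated and layer.pfd < 0.1:  # RR716 over-crediting pitfall
                raise ValueError(f"{layer.name}: PFD {layer.pfd} claimed without a SIL rating")
            freq *= layer.pfd
        total += freq
    return total

def required_pfd(events: list, tor_target: float) -> float:
    # PFD the SIF needs so the residual frequency meets the tolerability target
    return tor_target / mitigated_frequency(events)

def sil_for_pfd(pfd: float) -> str:
    """Map a required PFD onto the low-demand SIL bands from the article's table."""
    if pfd >= 1.0:
        return "no SIF required"
    if pfd >= 0.1:
        return "below SIL 1 (candidate for the BPCS)"
    for sil, lower in ((1, 0.01), (2, 0.001), (3, 0.0001), (4, 0.00001)):
        if pfd >= lower:
            return f"SIL {sil}"
    return "beyond SIL 4"

# Constructed tank-overfill scenario (sample numbers): a shared occupancy modifier, and a high level alarm only the tanker-offload cause can claim.
HIGH_LEVEL_ALARM = Layer("independent high level alarm and operator response", 0.1)
OCCUPANCY = Layer("conditional modifier: people present 10% of the time", 0.1)
TANK_OVERFILL = [
    InitiatingEvent("tanker offload overfill", 0.1, layers=[HIGH_LEVEL_ALARM, OCCUPANCY]),
    InitiatingEvent("process transfer overfill", 0.05, enabling=0.5, layers=[OCCUPANCY]),
]
TOR_TARGET = 1e-5  # tolerable frequency per year of the assumed loss (constructed site value)
```

With these sample numbers the residual frequency is 3.5e-3 per year, so the SIF must deliver a PFD of about 2.9e-3, which falls in the SIL 2 band.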