
SIL Allocation

- Deterministic vs. risk-based approach
- Layer Of Protection Analysis (LOPA) overview

2012-03-07

Origin and causes of accidents involving control system failure

[Figure: pie chart of accident origins]
- 44% Specification
- 20% Changes after start-up
- 15% Maintenance and operation
- 15% Design and implementation
- 6% Installation and start-up

Ref: Out of Control: Why control systems go wrong and how to prevent failure, published by UK HSE

SIS Safety Lifecycle, IEC61511

[Figure: IEC 61511 safety lifecycle. Phases shown on the slide:]
1. Assessment of hazards and risks
2. Allocation of the safety functions to the protection layers
3. Specification of the safety requirements for the safety instrumented system
4. Design and engineering of the safety instrumented system (in parallel: design and development of other means of reducing risk)
5. Installation, reception and validation
6. Operation and maintenance
7. Modification
8. Decommissioning

Applying to all phases: management of functional safety and assessment and audit of functional safety; structure and planning of the safety life cycle; verification.

SIL Allocation in the IEC61511 Safety Lifecycle

[Figure: the same lifecycle diagram as the previous slide. SIL allocation sits in the early phases, from the assessment of hazards and risks through the allocation of the safety functions to the protection layers to the specification of the safety requirements for the SIS.]

SIL Allocation & SIL Verification

[Figure: the IEC 61511 lifecycle of the previous slides, split into two parts.]

SIL Allocation, "set target" (phases 1 to 3: assessment of hazards and risks, allocation of the safety functions to the protection layers, specification of the safety requirements for the safety instrumented system):
- Minimum SIL requirements
- LOPA, risk graphs, etc.
- Determine if additional SIF are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)

Design & Engineering, SIL Verification, "demonstrate target is met" (phase 4 onwards: design and engineering of the SIS, installation, reception and validation, operation and maintenance, modification, decommissioning):
- SIL verification calculations (PFD)
- FMECA, SAR, safety manuals, etc.
- Address target SIL (fault tolerance & PFD): select system technology, configuration / voting, test interval, diagnostics

SIL Allocation: the two approaches

- Deterministic: ISO10418, OLF070
- Risk-based: LOPA, risk graph, QRA

SIL Allocation: deterministic approach

1. Design in accordance with process industry standards
- ISO10418, API RP14C for offshore installations; NFPA 85, 86, API RP556 for various types of fired equipment; etc.
- Prescriptive recommendation for protective measures
- Based on experience and recognized practice
- Acceptable level of safety achieved (refer to clearly defined hazards and standardized behaviour of safety systems and barriers)

SIL Allocation: deterministic approach

2. Allocate SIL based on predetermined requirements (minimum SIL requirements)
- OLF070 Application of IEC in the Norwegian Petroleum Industry
- Company governing documentation
- The minimum SIL requirement is derived from the expected reliability (PFD) of typical SISs, i.e. what is achievable by standard solutions considered good industry practice
- Not based on the required risk reduction conforming to a specific RTC
- Enforces quality requirements in the SIS design, installation and operation

SIL Allocation: the two approaches

- Deterministic: ISO10418, OLF070
- Risk-based: LOPA, risk graph, QRA
- TES

The safety onion: integrated approach

[Figure: protection layers drawn as concentric rings, from the innermost outwards:]
1. Process design
2. Basic controls, process alarms, and operator supervision
3. Critical alarms, operator supervision, and manual intervention
4. Automatic action: SIS or ESD
5. Physical protection (relief devices)
6. Physical protection (dikes)
7. Plant emergency response
8. Community emergency response

The rings are the independent protection layers; the layer of the SIS is marked, as is an example instrument tag, LAH 1.

Alternative view: protecting by multiple protection layers

[Figure: a vessel with a transmitter (PT) feeding both the process control system (PCS) and the PSD logic. Process level set points from the bottom up: low level, normal level, high level, high level alarm (operator takes action), SIS action trip set point.]

Reducing risks with protection layers

[Figure: risk scale, increasing risk to the right. The initial risk (frequency) sits above the risk tolerance criteria; the required risk reduction is the distance between them. The achieved risk reduction is made up of risk reduction by the SIS, risk reduction by other technologies and external risk reduction; what is left is the remaining risk. If the remaining risk is still above the criteria, adequate barriers are missing.]

Closing the safety gap between risk and target.

Applicability of risk assessment methods for risk judgements

                                 Qualitative analysis       Simplified-quantitative or     Quantitative analysis
                                                            semi-qualitative analysis
Scope                            100% of scenarios are      1-5% of scenarios,             <1 per mille of scenarios,
                                 analysed using             100% of SIF                    1% of SIF
                                 qualitative methods
Technique                        HAZOP, What if             LOPA, Risk Graph               ETA, FTA, QRA
Applicability to simple issues   Good                       Good                           Overkill
Applicability to complex issues  Poor to okay for           Usually good                   Good
                                 risk judgment

SIL Allocation process (risk-based)

[Figure: flowchart. Reading of the boxes and branch labels:]

Inputs: plant facilities & safety conceptual strategies / philosophies; design & operating principles / performance standards / acceptance criteria; plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.).

1. Risk assessment / process hazard analysis (PHA) / IPL definition: qualitative (e.g. HAZOP).
2. SIF determination & SIL allocation: for each scenario, SIF determination & SIL allocation with a simplified risk analysis technique, semi-qualitative or simplified-quantitative (e.g. LOPA, risk graph).
3. Decisions: "SIL1, SIL2 or SIL3 with GALE/TES where further assessment is needed?" and "SIL4? or SIL3 with no GALE/TES?". If neither applies (NO), go to 6.
4. If further assessment is needed: "Design change or other non-SIS IPL possible?" If YES, evaluate other non-SIS IPL or design change and return to 2. If NO, go to 5.
5. Quantitative: quantitative risk assessment for the dedicated scenario. "SIL1, SIL2, SIL3 or SIL4 by multiple SIS?" If YES, go to 6. If NO: "SIL4 required by a single SIS?" If YES, apply for dispensation to TR2041, then go to 6.
6. Complete SIL allocation for each SIF & reporting. Outputs: SRS, CDD, SAR, etc.

LOPA: Layer of Protection Analysis

- Multidiscipline team exercise, immediately after HAZOP (1w/m)
- Good synergy with HAZOP (cause, consequence, safeguards)
- Simple rules (reproducible), order of magnitude of the risk
- Barrier / protection layers analysis methodology
- Focus on Safety Instrumented Systems; will also address credit for other safety related systems
- Identification of the required and expected performance of critical systems
- Closes the gap between expected system performance and required risk tolerance
- Determines the Safety Integrity Level (SIL) needed to close the gap
- Can be an entry point to QRA

LOPA can address the following

- Does my system (planned or actual) ensure my criteria are met?
- Do I need an additional Safety Instrumented System?
- Are there alternatives?

LOPA: references and applicability in the industry

- IEC 61511: LOPA will meet its requirements (Part 3, Annex F)
- AIChE endorsement
- Risk-based approach common in the downstream industry, especially for PSD
- LOPA often used in the Americas; Europe often uses risk graphs
- Some O&G companies have developed their own software / spreadsheets

LOPA Procedure

Step 1: Establish TTC
Step 2: Preliminary selection of scenarios
Step 3: Evaluate impact severity on safety, environment and assets
Step 4: Determine IE frequency
Step 5: Identify IPLs and select the probability of failure
Step 6: Identify conditional modifiers and select the probability
Step 7: Evaluate scenario frequency and compare with TTC
Step 8: Identify SIF and allocate SIL
Step 9: Evaluate need for other non-SIS IPL or redesign
Step 10: Evaluate consequences of spurious failure
Step 11: Reporting

Step 1: Establish Target Tolerance Criteria (TTC)

[Figure: risk matrix, frequency level (1 to 8) across, impact level (1 to 8) down.]

Frequency level   Frequency (/year)
1                 < 1E-4
2                 1E-4 to 1E-3
3                 1E-3 to 0.01
4                 0.01 to 0.05
5                 0.05 to 0.3
6                 0.3 to 0.7
7                 0.7 to 1.4
8                 > 1.4

Impact level        Target Tolerance Criteria
8 / Catastrophic    1 x E-6 per year
7 / Major           1 x E-5 per year
6 / Severe          1 x E-4 per year
5 / Serious         1 x E-3 per year
4 / Moderate        1 x E-2 per year

Step 1: Establish TTC

- The criteria are dependent on the numbers used for initiating events, risk reduction factors, etc.
- Economic impact should include the total loss:
  - Demolition cost
  - Installed equipment costs (x3 purchase price)
  - Cost of business interruption (value of product that cannot be shipped out, not cost of lost production)
- Corporate TTC should be used as a basis to establish the locally applicable TTC

Step 2: Preliminary selection of scenarios/SIFs

- Scenarios/SIF identified from C&E, interlocks narrative and P&IDs

[Figure: a typical SIF. Sensors (temperature transmitters, level switch, flow transmitter) -> logic solver (PLC) -> final elements (solenoid and on/off valve, pump, solenoid and on/off valve).]

- Additional scenarios where a SIF is recommended for evaluation (e.g. identified during HAZID, HAZOP or other project/facility review)
- High impact severity scenarios (i.e. category 7 and 8 in TTC)

Step 2: Identification of scenario

[Figure: bow-tie diagram.]
- Causes: Initiating Event 1, Initiating Event 2, Initiating Event 3
- Prevention (terminate the chain of events, reduce frequency): BPCS, operator response to alarm from monitoring system, SIS, PSV, ESD
- Top event: e.g. loss of containment
- Mitigation & recovery (reduce consequence severity): ignition control, fire water
- Consequences: no consequence, Consequence A, Consequence B, Consequence C, Consequence D

LOPA scenario: a single cause-consequence pair, e.g. Initiating Event 1 -> Consequence D.

Step 3: Evaluate impact severity

- Define the worst reasonably credible consequences that result if the chain of events continues without interruption.
- Select the impact severity from the TTC for all categories (people's safety, environment, economic).

Category            Target Tolerance Criteria
8 / Catastrophic    1 x E-6 per year
7 / Major           1 x E-5 per year
6 / Severe          1 x E-4 per year
5 / Serious         1 x E-3 per year
4 / Moderate        1 x E-2 per year

Step 4: Determine initiating event frequency

Identify all possible initiating events, i.e. causes: mechanical, instrument or human failures.

Instrument initiating event                            f_ie (failure/year)
BPCS instrument loop failure                           1.0E-1
BPCS sensor failure                                    1.0E-1
Control loop failure                                   1.0E-1
Loss of instrument air                                 1.0E-1

Human initiating event                                 f_ie (failure/year)
3rd party intervention                                 1.0E-2
Human error in a non-routine, low stress task          1.0E-1
Human error in a routine, once per day opportunity     1.0E+0
Human error in a routine, once per month opportunity   1.0E-1
Operator failure action more than once per quarter     1.0E-1

Mechanical initiating event                            f_ie (failure/year)
Canned/magnetic drive pump failure                     1.0E-2
Compressors, pumps and crane fail                      1.0E+0
Control valve failure                                  1.0E-1
Cooling water failure                                  1.0E-1
Double mechanical seal pump failure                    1.0E-2
Expansion joint fails                                  1.0E-2
General utility failure                                1.0E-1
Heat exch. tube leak <100 tubes                        1.0E-2
Heat exch. tube leak >100 tubes                        1.0E-1
Heat exch. tube rupture <100 tubes                     1.0E-3
Heat exch. tube rupture >100 tubes                     1.0E-2
Loss of cooling                                        1.0E-1
Loss of power                                          1.0E-1
Manual valve failure                                   1.0E+0
Pressure safety valve failure                          2.0E-1
Pressure vessel failure, significant release           1.0E-5
Pump failure, loss of flow                             1.0E-1
Single mechanical seal pump failure                    1.0E-1
Unloading/loading hose failure                         1.0E-1

Human error probability for not correctly performing a task, for various situations, per demand:

Complexity                  No stress   Moderate stress   High stress
Simplest                    1E-4        1E-3              1E-2
Routine & simple            1E-3        1E-2              1E-1 to 1.0
Routine but requires care   1E-2        5E-2              0.25 to 1.0
Complicated non-routine     0.1         0.3               1.0

Step 4: Determine initiating event frequency

- Enabling event: e.g. adjust to the time at risk, i.e. multiply $f_{ie}$ by the fraction of time during which the risk is present.
- SIF operating in continuous mode of operation: [figure; labels on the slide: f_ie, 2*, PFD]

Step 5: Identify IPLs and select probability of failures

Essential requirements:
- Specific: detect, decide and deflect
- Effective: big Enough, fast Enough, strong Enough, smart Enough
- Independent: its performance must not be affected by other protection layers and must be independent of the events causing the accident
- Reliable: the protection given by the IPL reduces the risk by a known and specific quantity
- Auditable: it must allow periodic checks and tests of the protection function

All IPLs are protection layers, but not all protection layers are IPLs.

Step 5: Identify IPLs and select probability of failures

Process design: inherent safety in design
- Part of the initial risk, not an IPL
- Minimize, substitute, moderate, simplify

Process control system
- Actions to return the process within the normal operating envelope (e.g. minimum flow control)
- Process shutdown (shadowing the SIS in the PCS)
- Alarms (+ operator response)

Step 5: Identify IPLs and select probability of failures

Process control system
- Maximum PFD claimed 0.1 if independent of initiating events and other IPLs
- If the initiating event is caused by a PCS control loop failure, the PCS can be considered an IPL if:
  - Sensors, I/O cards and final elements are independent
  - The logic controller is designed with a high level of reliability by reference to recognized industry standards (e.g. redundant CPUs)

[Figure: IE path: Sensor 1 -> Input 1 -> Logic controller -> Output 1 -> Final element 1. IPL path: Sensor 2 -> Input 2 -> Logic controller -> Output 2 -> Final element 2. The two paths share only the logic controller.]

- A PFD lower than 0.1 requires that the PCS is designed according to IEC61511
- The PCS cannot be credited twice as IPL

Step 5: Identify IPLs and select probability of failures

PCS supervision & alarms: human intervention
- Direct connection between the alarm, which indicates the event, and the measures to be taken by staff to avoid the event
- Safety alarms requiring intervention should be prioritized, with configuration access restricted
- Time needed vs time available due to process dynamics:

[Figure: time line. Labels in order: PCS pre-alarm set point; alarm processing; limited troubleshooting; decide action; trigger action and get the action to be effective; SIS trip point; top event (e.g. loss of integrity); final consequences. Brackets marked on the axis: process safety time; time available for the operator to take action.]

- Min 15-20 min if automatic; min 30 min to 1 h if manual local action
- Written procedure in use, training

Step 5: Identify IPLs and select probability of failures

Preventive SIS (PSD)

Mitigation SIS
- ESD, F&G, emergency depressurization or dumping system, fire water, etc.
- Have a role in risk reduction but should not be considered IPL for evaluation of a preventive SIF (PSD) with LOPA. The objective is to prevent the scenario without relying on a mitigation SIS (residual consequences even if successful). May be given credit in QRA.
- Design against the scenario shall be demonstrated, the claimed reliability shall be demonstrated, appropriate maintenance and testing.

Step 5: Identify IPLs and select probability of failures

Mechanical mitigation systems
- PSV and rupture disk: depends on the SIF design intent, i.e. in lieu of PSV or in addition, e.g. to limit the release to the disposal system. Does the PSV fulfil the 3E? Is the release damageable? Fouling service?
- Check valve: IPL, with restrictions on service and technology; frequent testing required
- Flame arrestor (in line): can be an IPL. Design against deflagration will not prevent detonation; testing
- Explosion doors: not an IPL. Can be considered for selection of a lower impact severity. Design must be checked against the explosion load
- Excess flow valves: mitigation, generally not an IPL

Step 5: Identify IPLs and select probability of failures

Post-release physical protection (passive)
- Dike, fire wall, passive fire protection, collision protection
- Should not be considered IPL for evaluation of a preventive SIF with LOPA. May be given credit in QRA. Design against the scenario shall be demonstrated, appropriate maintenance.

Emergency response (evacuation and rescue)
- Relying on evacuation and rescue is the last resort. No credit for risk reduction shall be granted as IPL. Considered in the selection of the conditional modifier (probability of personnel present).

Step 5: Identify IPLs and select probability of failures

PFD per IPL:

Independent protection layer                                  PFD
Single check valve in clean liquid service                    2.0E-1
Single check valve in gas service                             1.0E+0
Two check valves in series in clean gas or liquid service     2.0E-2
Process safety valve fails to open, clean service             1.0E-2
Control loop / PCS                                            1.0E-1
Explosion doors                                               1.0E+0
Flame arrestor                                                1.0E-1
Operator response to alarm (15-20 minutes)                    1.0E-1
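An added example, not code from the presentation: a small screening routine that applies the Step 5 credit rules above (PCS capped at PFD 0.1 and credited only once; PCS credit only with independent sensors, I/O and final elements plus high-reliability logic when the initiating event is a PCS loop failure; no IPL credit for mitigation SIS, passive post-release protection, emergency response, explosion doors or excess flow valves; 15-20 min minimum for operator response to alarm) together with the Step 6 caution about not crediting the same operator intervention through both the alarm and P_avoid. Default PFDs are taken from the table above; the Candidate record, the `kind` names and the sample candidates are assumptions made for this example.

```python
"""IPL screening helper: an added example, not code from the original deck.

Returns which candidate protection layers may be credited as IPLs in a LOPA for a
preventive SIF, and why the others were rejected, using the rules on the Step 5 and
Step 6 slides. Default PFDs and thresholds are the slide values; the Candidate record,
the `kind` vocabulary and the sample candidates are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default PFD per IPL type, from the deck's "PFD per IPL" table (Step 5).
DEFAULT_PFD = {
    "check_valve_liquid": 0.2, "check_valve_gas": 1.0, "two_check_valves": 0.02,
    "psv_clean": 0.01, "pcs": 0.1, "flame_arrestor": 0.1, "operator_alarm": 0.1,
}
# Layers the slides exclude from IPL credit when evaluating a preventive SIF.
NO_CREDIT = {
    "mitigation_sis": "mitigation SIS (ESD, F&G, depressurisation, fire water): credit only in QRA",
    "passive": "post-release passive protection (dike, fire wall, PFP): credit only in QRA",
    "emergency_response": "evacuation and rescue is the last resort: no IPL credit",
    "explosion_door": "not an IPL; may justify a lower impact severity instead",
    "excess_flow_valve": "mitigation, generally not an IPL",
}
PCS_MAX_PFD = 0.1          # lower claims need a PCS designed according to IEC 61511
MIN_OPERATOR_MINUTES = 15  # slide: min 15-20 min if automatic action


@dataclass
class Candidate:
    name: str
    kind: str
    pfd: Optional[float] = None               # override of DEFAULT_PFD when justified
    independent_hardware: bool = False        # own sensor, I/O cards and final element (PCS)
    high_reliability_logic: bool = False      # e.g. redundant CPUs (PCS)
    designed_to_iec61511: bool = False        # required to claim a PCS PFD below 0.1
    minutes_available: Optional[float] = None # operator alarm: time available to act


def screen_ipls(cands: List[Candidate], ie_is_pcs_loop: bool = False,
                p_avoid: float = 1.0) -> Tuple[List[Tuple[str, float]], List[Tuple[str, str]]]:
    """Return (credited [(name, pfd)], rejected [(name, reason)])."""
    credited, rejected = [], []
    pcs_credited = False
    for c in cands:
        pfd = c.pfd if c.pfd is not None else DEFAULT_PFD.get(c.kind)
        reason = None
        if c.kind in NO_CREDIT:
            reason = NO_CREDIT[c.kind]
        elif pfd is None:
            reason = "no justified PFD for this layer"
        elif c.kind == "pcs":
            if pcs_credited:
                reason = "PCS cannot be credited twice as IPL"
            elif ie_is_pcs_loop and not (c.independent_hardware and c.high_reliability_logic):
                reason = ("initiating event is a PCS loop failure: needs independent sensors, "
                          "I/O and final elements plus a high-reliability logic controller")
            elif pfd < PCS_MAX_PFD and not c.designed_to_iec61511:
                reason = "PFD below 0.1 requires a PCS designed according to IEC 61511"
        elif c.kind == "operator_alarm":
            if c.minutes_available is None or c.minutes_available < MIN_OPERATOR_MINUTES:
                reason = "less than 15-20 min available for the operator to take action"
            elif p_avoid < 1.0:
                reason = "operator intervention already credited through P_avoid; do not count twice"
        if reason:
            rejected.append((c.name, reason))
            continue
        if c.kind == "pcs":
            pcs_credited = True
        credited.append((c.name, pfd))
    return credited, rejected


# Constructed candidates for a high-pressure scenario (sample input, not from the deck).
SAMPLE = [
    Candidate("PCS pressure control loop", "pcs"),
    Candidate("PCS high-pressure override in DCS", "pcs"),
    Candidate("ESD on confirmed gas", "mitigation_sis"),
    Candidate("PSV, clean service", "psv_clean"),
    Candidate("High-pressure alarm + operator", "operator_alarm", minutes_available=10),
    Candidate("Bund around vessel", "passive"),
]

if __name__ == "__main__":
    for label, kwargs in (("IE independent of PCS", {}), ("IE is a PCS loop failure", {"ie_is_pcs_loop": True})):
        ok, ko = screen_ipls(SAMPLE, **kwargs)
        print(label)
        for name, pfd in ok:
            print(f"  credited  {name}: PFD {pfd}")
        for name, why in ko:
            print(f"  rejected  {name}: {why}")
```

Run as a script it prints the screening twice: once with an initiating event that is independent of the PCS (the PCS loop and the PSV are credited, the second PCS function, the ESD, the 10-minute alarm and the bund are not) and once with a PCS loop failure as initiating event, where only the PSV survives.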

Step 6: Conditional modifiers

P_ignition: probability of ignition for a flammable release

Ignition probability modifier                  Probability
Gas, major (1-50 kg/s), explosion              8.4E-3
Gas, major (1-50 kg/s), fire                   7.0E-2
Gas, massive (>50 kg/s), explosion             9.0E-2
Gas, massive (>50 kg/s), fire                  3.0E-1
Gas, minor (<1 kg/s), explosion                4.0E-4
Gas, minor (<1 kg/s), fire                     1.0E-2
Liquid, major (1-50 kg/s), explosion           3.6E-3
Liquid, major (1-50 kg/s), fire                3.0E-2
Liquid, massive (>50 kg/s), explosion          2.4E-2
Liquid, massive (>50 kg/s), fire               8.0E-2
Liquid, minor (<1 kg/s), explosion             4.0E-4
Liquid, minor (<1 kg/s), fire                  1.0E-2

Not always relevant (e.g. release above auto-ignition, control of ignition sources, environmental impact).

P_person present: probability that personnel are present at the time of the hazardous event
$P_{person\ present} = Occupancy \times P_{avoid}$, where $P_{avoid}$ is the probability to avoid the hazardous event once the SIS has failed.

Probability of death (vulnerability): not taken into account (conservative but simpler).

Step 6: Conditional modifiers

Occupancy
- 0.1: rare to occasional exposure in the hazardous zone, exposure time less than 10%. Most continuous process plants will have only occasional exposure. This would be the default choice for normal operation and when something goes spontaneously wrong.
- 1: frequent to permanent exposure in the hazardous zone (more than 10% of the time). Most continuous process plants will have troubleshooting, testing and maintenance activities upon certain alarms. This can mean that several people are exposed to a hazard when it happens. The correct action for hazardous work and when something goes wrong is to evacuate the premises as much as possible (ARCO 1989 tank explosion). Consider specific scenarios during shut-down or start-up with almost permanent exposure (e.g. lighting of fired heaters). Batch plants and semi-batch plants often require semi-continuous human supervision.

Step 6: Conditional modifiers

Probability to avoid the hazardous event once the SIS has failed
- 1: almost impossible to avoid the hazard; this is the default probability. Credit for using personal protective equipment to avert a hazard should not be taken, unless it is certain that the personal protective equipment will actually be worn. Usually, systems are designed on the assumption that the use of such equipment is not absolutely required to achieve a sufficient degree of safety, although it is recognized that it can further improve safety.
- 0.1: possible to avoid the hazard under certain conditions; needs strong justification. Should only be selected if all of the following conditions are true:
  - Facilities are provided to alert the operator that the SIS has failed
  - Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area (e.g. the escape route is obvious and immediate, with no vertical or spiral staircase, no rescue required, etc.)
  - The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions

Caution: don't credit the same operator intervention twice (e.g. alarm + operator intervention).

Step 7: Compare scenario frequency with TTC

For one LOPA scenario (a single cause-consequence pair, e.g. Initiating Event 1 -> Consequence D) protected by n IPLs:

$f_{LOPA\ scenario} = f_{ie} \times PFD_{IPL1} \times PFD_{IPL2} \times \cdots \times PFD_{IPLn} \times P_{ignition} \times P_{person\ present}$

$RRF = \dfrac{f_{LOPA\ scenario}}{TTC}$

- RRF < 1: the scenario passes LOPA
- RRF > 1: risk reduction needed. Go to Step 8 (identify SIF and allocate SIL) and Step 9 (evaluate the need for other non-SIS IPL or redesign)
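The Step 7 formula and the Step 8/9 decision carried through in code. This is an added example, not a spreadsheet or code from the original presentation. It uses the TTC values, initiating-event frequencies, IPL PFDs and ignition probabilities printed on the slides; the bands used to turn a required RRF into a SIL (SIL1 RRF 10-100, SIL2 100-1000, SIL3 1000-10000, SIL4 10000-100000, i.e. the IEC 61511 demand-mode PFDavg bands) are an assumption, since the deck does not print them, and the three scenarios are constructed for illustration.

```python
"""LOPA worksheet calculator: an added example, not code from the original deck.

Carries Steps 4 to 8 of the slides through in code:
  f_scenario = f_ie x PFD_IPL1 x ... x PFD_IPLn x P_ignition x P_person_present
  RRF_needed = f_scenario / TTC   (< 1: scenario passes LOPA; > 1: risk reduction needed)
and reads off the SIL band a new SIF would have to provide.
Assumption (not on the slides): SIL bands are the IEC 61511 demand-mode PFDavg bands,
SIL1 RRF 10-100, SIL2 100-1000, SIL3 1000-10000, SIL4 10000-100000.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional

# Target tolerance criteria per impact category (events/year), from the Step 1 slide.
TTC = {"Catastrophic": 1e-6, "Major": 1e-5, "Severe": 1e-4, "Serious": 1e-3, "Moderate": 1e-2}


@dataclass
class Scenario:
    name: str
    impact: str                     # key into TTC, chosen in Step 3
    f_ie: float                     # initiating event frequency, /year (Step 4)
    time_at_risk: float = 1.0       # enabling-event fraction of time the risk is present (Step 4)
    ipl_pfd: List[float] = field(default_factory=list)  # PFD of each credited IPL (Step 5)
    p_ignition: float = 1.0         # conditional modifier (Step 6); 1.0 when not relevant
    occupancy: float = 1.0          # 0.1 (occasional) or 1 (frequent/permanent), Step 6
    p_avoid: float = 1.0            # 1 by default; 0.1 only with strong justification


def scenario_frequency(s: Scenario) -> float:
    """Step 7: mitigated frequency of the cause-consequence pair (/year)."""
    p_person_present = s.occupancy * s.p_avoid
    return s.f_ie * s.time_at_risk * prod(s.ipl_pfd) * s.p_ignition * p_person_present


def rrf_needed(s: Scenario) -> float:
    """Step 7: f_scenario / TTC; below 1 the scenario passes LOPA."""
    return scenario_frequency(s) / TTC[s.impact]


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Step 8: SIL band a single SIF must reach to provide the RRF (assumed IEC 61511 bands).

    0 means no SIF is needed; None means the gap exceeds what one SIL4 SIF may claim."""
    if rrf <= 1.0:
        return 0
    if rrf >= 1e5:
        return None
    for sil, lower in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 10.0)):
        if rrf >= lower:
            return sil
    return 1  # 1 < RRF < 10: a SIF still has to be at least SIL1


def allocate(s: Scenario) -> dict:
    """Steps 7 to 9 verdict for one scenario, following the deck's flowchart."""
    rrf = rrf_needed(s)
    sil = sil_for_rrf(rrf)
    if sil == 0:
        verdict = "passes LOPA, no additional SIF"
    elif sil in (1, 2):
        verdict = f"allocate SIL{sil} SIF"
    elif sil == 3:
        verdict = "allocate SIL3 SIF; check whether further (quantitative) assessment is needed"
    else:
        verdict = "SIL4 or beyond: redesign, other non-SIS IPL or QRA (outside simplified LOPA)"
    return {"scenario": s.name, "f_scenario": scenario_frequency(s), "rrf_needed": rrf,
            "sil": sil, "verdict": verdict}


# Constructed sample scenarios using figures printed on the slides.
SAMPLE = [
    Scenario("Vessel overpressure, control valve fails open", impact="Major", f_ie=0.1,
             time_at_risk=0.5,              # enabling event: feed lined up half the time
             ipl_pfd=[0.01, 0.1],           # PSV fails to open (clean), operator response to alarm
             p_ignition=0.07,               # gas, major (1-50 kg/s), fire
             occupancy=0.1, p_avoid=1.0),
    Scenario("Pump single mechanical seal failure, minor gas release", impact="Severe",
             f_ie=0.1, ipl_pfd=[],          # nothing between the seal and the release to credit
             p_ignition=0.01,               # gas, minor (<1 kg/s), fire
             occupancy=1.0, p_avoid=1.0),   # maintenance crew present
    Scenario("Routine once-per-day operator error, massive gas release", impact="Catastrophic",
             f_ie=1.0, ipl_pfd=[0.1],       # only the PCS can be credited
             p_ignition=0.3,                # gas, massive (>50 kg/s), fire
             occupancy=1.0, p_avoid=1.0),
]


def worksheet(scenarios=SAMPLE) -> List[dict]:
    """Step 11: one row per scenario of the SIF/SIL allocation worksheet."""
    return [allocate(s) for s in scenarios]


if __name__ == "__main__":
    for row in worksheet():
        print(f"{row['scenario']}: f={row['f_scenario']:.2e}/yr, "
              f"RRF needed={row['rrf_needed']:.3g}, SIL={row['sil']}: {row['verdict']}")
```

Run as a script it prints one worksheet row per scenario. The first scenario passes LOPA once the enabling-event fraction and the occupancy modifier are applied; the second needs a SIL1 SIF; the third comes out at SIL4, which the deck's flowchart routes to redesign, other non-SIS IPLs or a quantitative assessment rather than to a single SIF.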

Step 8: Identify SIF and allocate SIL

[Figure: risk scale, increasing risk to the right. The initial process risk (without IPL) is reduced in successive steps, by the BPCS, by operator response to alarms, by mechanical devices, by other means and by the safety instrumented system, down to the residual risk (with IPL). The risk reduction needed, i.e. the safety gap (SG), is the distance from the initial process risk to the target tolerance criteria; the risk reduction achieved is the combined effect of the credited layers. The risk reduction factor (RRF) required for the SIS is what remains once the other layers are credited.]

Closing the safety gap by SIS.

Step 9: Evaluate need for other non-SIS IPL

- LOPA is focused on the identification of SIF to close the safety gap; it does not necessarily mean that a SIS is needed.
- By order of preference:
  - Design the problem out of the process using inherently safe principles
  - Protection by non-SIS protective measures, passive rather than active
  - A SIF should be the solution of last resort when other solutions are not practical

Step 10: Evaluate consequences of spurious trip failure

- Spurious failure: a failure triggering the action in an untimely manner
- Consider the need for a design robust to spurious trips (e.g. 2oo3 instead of 1oo2)
- Set a minimum mean time to fail safe requirement (MTTFS = 1 / STR)

Step 11: Reporting. SIL Allocation Report

- Methodology
- Identified IPL listing that is regarded as part of the PCS, e.g. alarm function requiring operator action
- Identified SIF list and SIL allocation result, corresponding SIS
- SIF/SIL allocation worksheet
- All assumptions, uncertainties and sensitivities should be recorded
- Level of detail sufficient to enable a 3rd party to follow/reproduce the evaluation
- Starting point for the Safety Requirement Specification (SRS)

Step 11: Reporting. SIL Allocation Report

SIF/SIL allocation worksheet [figure: worksheet example, Target Tolerance Criteria = $10^{-5}$/yr]

SIL Allocation & SIL Verification

[Figure: the IEC 61511 lifecycle again, split between "set target" (phases 1 to 3) and "demonstrate target is met" (phase 4 onwards), as on the earlier slide.]

SIL Allocation:
- Minimum SIL requirements
- LOPA, risk graphs, etc.
- Determine if additional SIS are required and, if yes, allocate the target SIL (SIL 1, SIL 2, SIL 3)

Design & Engineering, SIL Verification:
- SIL verification calculations (PFD)
- FMECA, CDD, SAR, safety manuals, etc.
- Address target SIL (fault tolerance, PFD, software requirements): select system technology, configuration / voting, test interval, diagnostics

Thank you

SIL Allocation: Layer of protection analysis
Presenter's name: Mathilde Cot
Presenter's title: Principal Consultant, Safety Technology, CFSE
mcot@statoil.com, tel: +47 95785095
www.statoil.com

Special cases handling

Global Safety Instrumented Systems for consequence mitigation
- ESD, F&G, emergency depressurization or dumping system, fire water, etc.
- Release and other events cannot be interrupted by a mitigation SIS.
- Severity reduction, but residual consequences even if the mitigation SIS is successful (e.g. large uncontrolled fire vs controlled fire, avoiding escalation).

[Figure: the bow-tie of Step 2 (causes: Initiating Events 1-3; prevention: BPCS, operator response to alarm from monitoring system, SIS, PSV, ESD; top event, e.g. loss of containment; mitigation & recovery: ignition control, fire water; consequences A-D), annotated for the mitigation SIS: PFD x TTC (large uncontrolled fire) against 1 x TTC (controlled fire). Same protection gap?]

Special cases handling

Global Safety Instrumented Systems for consequence mitigation
- Preferred approach: deterministic
- Divide the global SIS into a detection SIS and an action SIS

[Figure: sensors S1, S2, S3 -> input signal -> PLC (safety logigram) -> output signal -> valves V1, V2.]
- Detection SIS: incomplete safety instrumented system
- Action SIS: incomplete safety instrumented system

Special cases handling

- Safety-related parts of control systems for machinery
- SIS in process under patented license
- Permissive safety function
- Staggered safety functions
- Overpressure protection via SIS

LOPA: Limitations

- Simplified risk assessment.
- SIL 3 with no TES and SIL4 (implemented by independent SIS) shall be further assessed by a quantitative method.
- Components shared between the IE and candidate IPLs: no independence.
- Several independent SIS with the same functionality and the possibility of common cause failures.
- Complex scenario sequences.

[Figure: the risk-based SIL allocation flowchart of the earlier slide, repeated. Inputs: plant facilities & safety conceptual strategies / philosophies; design & operating principles / performance standards / acceptance criteria; plant design development input (e.g. process conditions, P&ID, C&E, FDS, etc.). Risk assessment / process hazard analysis (PHA) / IPL definition (e.g. HAZOP); SIF determination & SIL allocation for each scenario with a simplified risk analysis technique (e.g. LOPA, risk graph); decisions "SIL1, SIL2 or SIL3 with TES where further assessment is needed?", "SIL4? or SIL3 with no TES?", "Design change or other non-SIS IPL possible?" (if yes: evaluate other non-SIS IPL or design change); quantitative risk assessment for the dedicated scenario; "SIL1, SIL2, SIL3 or SIL4 by multiple SIS?"; "SIL4 required by a single SIS?" (if yes: apply for dispensation to TR2041); complete SIL allocation for each SIF & reporting (SRS, CDD, etc.).]

Step 2: Identification of SIF

- Design intent
- Safe state
- Demand mode vs continuous mode of operation (IEC61511-1 definitions):
  - Demand mode: where a specified action (e.g. closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF a potential hazard only occurs in the event of a failure in the process or the PCS. Measure: PFD.
  - Continuous mode: where in the event of a dangerous failure of the safety instrumented function a potential hazard will occur without further failure unless action is taken to prevent it. A SIF operates in continuous mode when the frequency of demands for operation on the SIF is more than once per year or more than twice the SIF proof test frequency. Measure: PFH.
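The demand-mode / continuous-mode rule above, as an added example that is not code from the presentation. The thresholds (more than one demand per year, or more than twice the proof-test frequency) are the IEC 61511-1 ones quoted on the slide; the sample demand rates and proof-test intervals are constructed.

```python
"""Operating-mode classification: an added example, not code from the original deck.

Encodes the IEC 61511-1 rule quoted on the slide: a SIF is in continuous mode when the
demand rate exceeds once per year or twice the proof-test frequency, otherwise it is in
demand mode. Also returns the measure the SIL target is then expressed in (PFD for demand
mode, PFH for continuous mode). Sample inputs are constructed.
"""
from typing import Tuple


def operating_mode(demands_per_year: float, proof_test_interval_years: float) -> Tuple[str, str]:
    """Return ("demand", "PFD") or ("continuous", "PFH") for the given demand rate and test interval."""
    if proof_test_interval_years <= 0 or demands_per_year < 0:
        raise ValueError("proof test interval must be positive and demand rate non-negative")
    proof_test_frequency = 1.0 / proof_test_interval_years   # tests per year
    if demands_per_year > 1.0 or demands_per_year > 2.0 * proof_test_frequency:
        return ("continuous", "PFH")
    return ("demand", "PFD")


# Constructed cases: (demands per year, proof-test interval in years).
SAMPLE = [(0.1, 1.0), (1.0, 0.5), (0.5, 5.0), (3.0, 0.25)]

if __name__ == "__main__":
    for demands, interval in SAMPLE:
        mode, measure = operating_mode(demands, interval)
        print(f"{demands} demands/yr, proof test every {interval} yr -> {mode} mode, target as {measure}")
```

Note the two ways a low-demand SIF slips into continuous mode: exactly one demand per year with a six-monthly test is still demand mode, but half a demand per year against a five-year proof-test interval (0.2 tests per year) exceeds twice the test frequency and must be treated as continuous.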
