Chemical Technology July 2015

Figure 4: SIL 1 instrumented protection configuration

Figure 5: SIL 2 instrumented protection configuration

for spurious activation. The disadvantage is that the installation would be shut down unnecessarily, incurring production losses. This problem can be overcome by a voting system, eg, 2oo3. In this configuration two of the three channels must call for activation before the SIS will act. If a single faulty channel calls for a shutdown that is not needed, the logic solver will not trip the process, because it has been configured to trip only when two channels agree. The price is that 2oo3 voting increases the PFD by a moderate amount compared with an arrangement in which any single channel can trip the process.

Note also that achieving SIL 1, 2, 3 or 4 depends equally on the measures taken to ensure systematic safety integrity. Hence SIL performance cannot be claimed for an SIS unless its design and maintenance specifications have been produced in accordance with the requirements of internationally recognised standards such as IEC 61508 or IEC 61511.

Incorporating other layers of protection

LOPA allows one to take credit for other layers of protection, which may then allow the required SIL rating of the SIS to be reduced, lowering its cost and ensuring that the system is not over-protected. In the example, the operator failure is the initiating event with an initiating event frequency IEF, and the high level trip LSH on the feed is the SIS. With LOPA one can take credit for the basic process control loop as an independent protection layer (IPL), assuming it has a PFD = 0,1. (The credit is legitimate here only because the initiating event is an operator error and not a failure of that same control loop: an IPL must be independent of the initiating event and of the other layers, otherwise its PFD may not be multiplied in.) The mitigated risk R, excluding the SIS but including the other IPLs, is then:

R = Initiating event frequency × product of the PFDs of all IPLs
  = IEF × [PFD(IPL 1) × … × PFD(IPL n)]
  = 1/y × 0,1 = 0,1/y

Dividing the mitigated risk by the target frequency TF (0,001/y in the example) gives the revised risk reduction factor RRF = R / TF = 0,1 / 0,001 = 100, which is much lower than the factor required of the SIS on its own. Hence the required PFD of the SIS (the high level trip) can be relaxed to PFD = 1/RRF = 1/100 = 0,01 = 1 × 10^-2. Referring to Table 2 on page 12, this value falls in the band from 10^-2 up to 10^-1, so the lower SIL 1 can be specified for the high level trip SIS.
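The LOPA arithmetic above, and the voting remark before it, as a runnable added example. This is not code from the article; the IEF, control-loop PFD and target frequency are the article's example values, the SIL bands are the IEC 61508-1 low-demand PFDavg table, and the voting-architecture formulas are the usual simplified ones (no common-cause or repair terms), included here as an assumption to show why 2oo3 sits between 1oo1 and 1oo2 on PFD.

```python
"""SIL determination by LOPA, plus simplified voting-architecture PFDavg.

Added worked example for the LOPA section; not the article's own code.
Example values (IEF = 1 /y, control loop PFD = 0,1, TF = 0,001 /y) are
the article's. SIL bands follow IEC 61508-1 (low demand mode). The
voting formulas are the standard simplified ones and are an assumption
of this illustration, not values the article gives.
"""
from dataclasses import dataclass
from math import isclose, prod

# IEC 61508-1, low demand: (SIL, PFDavg lower bound incl., upper bound excl.)
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFDavg to the SIL whose band contains it.

    Returns 0 when PFD >= 0,1 (RRF < 10: no SIL need be claimed). A value
    sitting on a band edge (e.g. 0,01) belongs to the band whose lower
    bound it is; isclose() keeps floating-point drift from misfiling it.
    """
    for sil, lo, hi in SIL_BANDS:
        if isclose(pfd, hi, rel_tol=1e-9):
            continue  # on the upper edge: belongs to the next band down
        if isclose(pfd, lo, rel_tol=1e-9) or lo <= pfd < hi:
            return sil
    top = SIL_BANDS[-1][2]
    if pfd >= top or isclose(pfd, top, rel_tol=1e-9):
        return 0
    raise ValueError(f"PFD {pfd:g} is below the SIL 4 band; redesign the process")


@dataclass(frozen=True)
class LopaScenario:
    ief: float                       # initiating event frequency, events per year
    target_freq: float               # TF, tolerable frequency of the consequence, per year
    ipl_pfds: tuple = ()             # PFDs of the non-SIS independent protection layers

    def __post_init__(self) -> None:
        for p in self.ipl_pfds:
            if not 0.0 < p <= 1.0:
                raise ValueError(f"IPL PFD must lie in (0, 1], got {p}")

    def mitigated_risk(self) -> float:
        """R = IEF * PFD(IPL1) * ... * PFD(IPLn), SIS excluded.

        Multiplying is only valid when the IPLs are independent of each
        other and of the initiating event; a control loop whose failure is
        the initiating cause must not be credited here.
        """
        return self.ief * prod(self.ipl_pfds)

    def required_rrf(self) -> float:
        """Revised risk reduction factor RRF = R / TF."""
        return self.mitigated_risk() / self.target_freq

    def required_sis_pfd(self) -> float:
        """The SIS must close the remaining gap: PFD = 1 / RRF."""
        return 1.0 / self.required_rrf()

    def required_sil(self) -> int:
        return sil_for_pfd(self.required_sis_pfd())


def pfd_avg(architecture: str, lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified PFDavg for common voting architectures (assumption, see docstring).

    lambda_du: undetected dangerous failure rate per hour; proof_test_interval_h:
    hours between proof tests. Ignores common cause, repair time and diagnostics,
    so a real IEC 61508-6 verification gives higher figures.
    """
    x = lambda_du * proof_test_interval_h
    formulas = {"1oo1": x / 2, "1oo2": x * x / 3, "2oo3": x * x}
    if architecture not in formulas:
        raise ValueError(f"unknown architecture {architecture!r}")
    return formulas[architecture]


def article_example() -> dict:
    """Tank overfill: operator error 1 /y, control loop PFD 0,1, TF 0,001 /y."""
    sis_only = LopaScenario(ief=1.0, target_freq=1e-3)
    with_credit = LopaScenario(ief=1.0, target_freq=1e-3, ipl_pfds=(0.1,))
    return {
        "sis_only_rrf": sis_only.required_rrf(),         # 1000
        "sis_only_sil": sis_only.required_sil(),         # 2
        "mitigated_risk": with_credit.mitigated_risk(),  # 0,1 /y
        "rrf": with_credit.required_rrf(),               # 100
        "sis_pfd": with_credit.required_sis_pfd(),       # 0,01
        "sis_sil": with_credit.required_sil(),           # 1
    }


if __name__ == "__main__":
    for name, value in article_example().items():
        print(f"{name:15s} {value:g}")
    lam, t = 1e-6, 8760.0  # constructed figures: 1e-6 /h, yearly proof test
    for arch in ("1oo1", "1oo2", "2oo3"):
        p = pfd_avg(arch, lam, t)
        print(f"{arch} PFDavg = {p:.2e} -> SIL {sil_for_pfd(p)}")
```

Running it reproduces the article's numbers (RRF 100, PFD 0,01, SIL 1 once the control loop is credited, against SIL 2 for the SIS alone) and shows 2oo3 carrying three times the PFD of 1oo2 under the simplified formulas, which is the "moderate increase" the text refers to. The independence caveat in `mitigated_risk()` is the check a reviewer should insist on before any IPL credit is multiplied in.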
Revised risk reduction factor RRF = Mitigated risk R / Target frequency TF

Risk graph method

A simple short-cut method according to IEC 61508/61511
is using the risk graph shown in Figure 7 on page 15. Inputs to the risk graph are as per Figure 8 below. In the example, assume a consequence 'Permanent injury to more than one person, or one death' ≡ C2, an exposure time 'Frequent to permanent' ≡ F2, avoidance of the hazard 'Almost impossible' ≡ P2 and a probability of the unwanted occurrence 'Slight' ≡ W2. Following these through the risk graph, one arrives at SIL 2. If credit is taken for the control loop reducing the probability of the event (W2 reduces to W1), this counts as one layer of protection and the required rating of the SIS reduces to SIL 2 – 1 SIL = SIL 1. Note: a control loop would not normally be rated SIL 1 or be called an SIS without expensive additional features. It is, however, reasonable to claim that the control loop reduces the probability of the event by a factor of 10 (ie, PFD = 0,1).

SIL matrix method

A SIL matrix may be drawn up as shown in Table 3 opposite, to simplify the SIL rating of safety instrumented systems. Having estimated the likelihood of the initiating event of a hazard and knowing its severity, one may read off the required initial SIL directly. For each additional layer of protection incorporated, the SIL is decreased by 1. In the tank-filling example above, an initiating event frequency of 1/year with medium environmental damage indicates SIL 2; incorporating one layer of protection, moving one column to the right, shows SIL 1. Note: 'ALARP' ≡ 'As Low As Reasonably Practicable' means the design can be accepted and no further risk reduction is necessary, provided it can be shown that further reduction would not be practicable or cost-effective.

Conclusions

Simple explanations have been given to illustrate layers of protection. It was pointed out that such layers of protection must have sufficient integrity to prevent initiation or propagation of a hazardous event.
The suitability of layers of protection must be assessed against targets of tolerability drawn up by the owner or operating organisation of the installation. Safety instrumented systems are normally incorporated in hazardous installations as the first choice of layer of protection. The required integrity of such a layer of protection is expressed as a probability of failure on demand, and
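The risk graph walk described in the 'Risk graph method' section above, as an added runnable example. This is not the article's code and does not reproduce its Figure 7: the graph encoded below is the generic IEC 61508-5 Annex D example (consequence CA to CD, exposure FA/FB, avoidance PA/PB, demand rate W1 to W3). The article's C2, F2, P2 and W2 are assumed to correspond to the standard's CB, FB, PB and W2; that assumption is an addition here, and `article_example()` checks that it reproduces the article's SIL 2, falling to SIL 1 once the control loop is credited.

```python
"""Risk graph SIL determination in the IEC 61508-5 Annex D form.

Added example for the risk graph section; not the article's code and not
its Figure 7. The mapping of the article's C2/F2/P2/W2 onto the standard's
CB/FB/PB/W2 is an assumption of this illustration.
"""
from typing import Union

Sil = Union[int, str]  # 1..4, or "-" / "a" / "b" as used in the standard

# Intermediate row X1..X6 reached by walking consequence C, then exposure F,
# then avoidance P. CA goes straight to X1 whatever F and P are.
_ROW = {
    ("CB", "FA", "PA"): 2, ("CB", "FA", "PB"): 3, ("CB", "FB", "PA"): 3, ("CB", "FB", "PB"): 4,
    ("CC", "FA", "PA"): 3, ("CC", "FA", "PB"): 4, ("CC", "FB", "PA"): 4, ("CC", "FB", "PB"): 5,
    ("CD", "FA", "PA"): 4, ("CD", "FA", "PB"): 5, ("CD", "FB", "PA"): 5, ("CD", "FB", "PB"): 6,
}

# Required SIL per row under demand rate W3 (relatively high), W2 (slight)
# and W1 (very slight). "-": no safety requirement; "a": no special safety
# requirement; "b": a single E/E/PE safety function is not sufficient.
_OUTPUT = {
    1: {"W3": "a", "W2": "-", "W1": "-"},
    2: {"W3": 1,   "W2": "a", "W1": "-"},
    3: {"W3": 2,   "W2": 1,   "W1": "a"},
    4: {"W3": 3,   "W2": 2,   "W1": 1},
    5: {"W3": 4,   "W2": 3,   "W1": 2},
    6: {"W3": "b", "W2": 4,   "W1": 3},
}

_W_ORDER = ("W1", "W2", "W3")


def risk_graph_sil(c: str, f: str, p: str, w: str) -> Sil:
    """Walk the graph for consequence c, exposure f, avoidance p, demand rate w."""
    if w not in _W_ORDER:
        raise ValueError(f"demand rate must be one of W1..W3, got {w!r}")
    if c == "CA":
        row = 1
    elif (c, f, p) in _ROW:
        row = _ROW[(c, f, p)]
    else:
        raise ValueError(f"no risk graph path for {(c, f, p)}")
    return _OUTPUT[row][w]


def credit_protection_layer(w: str) -> str:
    """One independent layer of protection lowers the demand rate one step (W3 -> W2 -> W1).

    W1 is the lowest class the graph has, so a credit below it cannot be
    represented and is refused rather than silently ignored.
    """
    i = _W_ORDER.index(w)
    if i == 0:
        raise ValueError("demand rate W1 cannot be reduced further in the risk graph")
    return _W_ORDER[i - 1]


def article_example() -> dict:
    """Article's C2/F2/P2/W2 read as CB/FB/PB/W2 (assumption, see module docstring)."""
    sis_alone = risk_graph_sil("CB", "FB", "PB", "W2")
    credited = risk_graph_sil("CB", "FB", "PB", credit_protection_layer("W2"))
    return {"sis_alone": sis_alone, "with_control_loop_credit": credited}  # 2 and 1


if __name__ == "__main__":
    print(article_example())
```

The table form makes the method's limits visible: the graph only ever moves one column per credited layer, a second credit from W1 has nowhere to go, and the "b" cells say that no single SIS will do, which is exactly where a LOPA with explicit PFDs is needed instead of the short-cut.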
