Chemical Technology • July 2015
a probability of no more than 1 in 1 000 chance per year.
This provides one with a design target.
Evaluating initial protection required
Evaluation of the initial protection requires knowing the initiating event frequency (IEF). In the example above this could be the number of times the operator is expected to overfill the tank, say once a year. Thus, to achieve a target frequency (TF) of once in 1 000 years, the risk reduction required, or risk reduction factor (RRF), is given by

$RRF = \frac{IEF}{TF} = \frac{1}{0{,}001} = 1\,000$
This is by how much the initiating event frequency must
be reduced to meet the target. Then the probability of failure
on demand (PFD) of the protection needed is determined as
$PFD = \frac{1}{RRF} = \frac{1}{1\,000} = 0{,}001 = 1 \times 10^{-3}$
PFD is sometimes referred to as the safety gap in the design
and is also a measure of the reliability or safety integrity
required from the protection to achieve the safety target.
Safety integrity
Safety integrity is defined as the probability of a safety related system satisfactorily performing its safety function under all conditions within a stated period of time (IEC 61508 Ed 2 Part 4). This includes both hardware reliability and systematic safety integrity, the latter requiring that all forms of human error in specification, design and software engineering are minimised. Hence the quality of the design process, the design features and the reliability of the hardware are all equally important.
A simplification was introduced through the international standard IEC 61508 by classifying safety integrity performance into four distinct levels, known as Safety Integrity Levels (SIL). These levels are defined by their ranges of achievable average PFDs as shown in Table 2.
Thus, in the example above, a PFD of $1 \times 10^{-3}$ falls in the band $> 10^{-3}$ up to $10^{-2}$ and is therefore equivalent to a SIL2. This indicates to the designer that protection with a reliability or integrity of SIL2 must be incorporated in the design to meet the specified safety standard. In most cases the first choice would be to add a safety instrumented system (SIS), which, in the above example of a tank, would be the high level trip LSH, which closes the actuated valve on the filling line. Such a trip would be specified to the designer as a SIL2.
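As an added example (not code from the article), the RRF, PFD and SIL determination described above, carried through for any IEF and TF using the bands of Table 2. The function names are assumptions, as is the boundary rule: the article places a PFD of exactly $10^{-3}$ in SIL 2, so each band is taken as lower bound inclusive, upper bound exclusive.

```python
from fractions import Fraction
from typing import NamedTuple, Optional

# Table 2 of the article. The page's own example puts a PFD of exactly
# 10^-3 in SIL 2, so each band is taken here as lower bound inclusive,
# upper bound exclusive (assumption; it matches the >= / < convention
# of IEC 61508-1).
SIL_BANDS = (
    (1, Fraction(1, 10**2), Fraction(1, 10**1)),
    (2, Fraction(1, 10**3), Fraction(1, 10**2)),
    (3, Fraction(1, 10**4), Fraction(1, 10**3)),
    (4, Fraction(1, 10**5), Fraction(1, 10**4)),
)


class Assessment(NamedTuple):
    rrf: Fraction        # risk reduction factor = IEF / TF
    pfd: Fraction        # required PFD = 1 / RRF
    sil: Optional[int]   # None when no SIL band fits
    note: str


def assess(ief_per_year, tf_per_year) -> Assessment:
    """Required RRF, PFD and SIL from an initiating event frequency (IEF)
    and a target frequency (TF), both in events per year. Exact rational
    arithmetic so that band boundaries such as 10^-3 compare exactly."""
    ief, tf = Fraction(str(ief_per_year)), Fraction(str(tf_per_year))
    if ief <= 0 or tf <= 0:
        raise ValueError("frequencies must be positive")
    rrf = ief / tf
    pfd = 1 / rrf
    if rrf <= 1:
        return Assessment(rrf, pfd, None, "IEF already meets the target: no reduction needed")
    if pfd >= SIL_BANDS[0][2]:
        return Assessment(rrf, pfd, None, "RRF below 10: under the SIL 1 band")
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return Assessment(rrf, pfd, sil, f"SIL {sil} protection required")
    return Assessment(rrf, pfd, None, "PFD below the SIL 4 band: one SIL-rated layer cannot meet it")


def worst_case_mitigated_frequency(ief_per_year, sil: int) -> Fraction:
    """Mitigated frequency (per year) if the protection's PFD sits at the
    top of its SIL band; compare this with the target frequency."""
    upper = {s: hi for s, _, hi in SIL_BANDS}[sil]
    return Fraction(str(ief_per_year)) * upper
```

For the article's tank, assess(1, "0.001") gives RRF 1 000, PFD 1/1 000 and SIL 2, while worst_case_mitigated_frequency(1, 2) returns 1/100 per year, showing that only the lower end of the SIL 2 band actually reaches the 1 in 1 000 target.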
Implementation of protection
Protection may take place in many forms, such as operator
actions, alarms, controls, trips and interlocks, relief devices,
Table 1 - Acceptable design target frequencies

Severity               Catastrophic   Critical             Marginal             Negligible
Financial effect       R100m          R50m                 R1m                  R100 000
Environmental damage   Permanent      Long term            Medium               Short
Health effect          Fatal          Irreversible         Major                Minor
Safety                 > 1 death      1 death / injuries   Disabling injuries   Minor injuries

Target frequency
1 per year             I              I                    I                    II
1 per 10 years         I              I                    II                   III
1 per 100 years        I              II                   III                  III
1 per 1000 years       II             III                  III                  IV
1 per 10 000 years     III            III                  IV                   IV
1 per 100 000 years    IV             IV                   IV                   IV
Table 2

Safety integrity level   Probability of failure on demand
SIL 1                    $> 10^{-2}$ up to $10^{-1}$
SIL 2                    $> 10^{-3}$ up to $10^{-2}$
SIL 3                    $> 10^{-4}$ up to $10^{-3}$
SIL 4                    $> 10^{-5}$ up to $10^{-4}$
Figure 1: Layers of protection
Figure 2: Example of a tank filling situation with no protection