
Chemical Technology • July 2015

14

for spurious activation. The disadvantage is that the installation would be unnecessarily shut down, incurring production costs. This problem can be overcome by a voting system, e.g. a 2oo3 (two-out-of-three) arrangement. In this configuration, two channels must initiate activation before the SIS will function. Therefore, if one faulty channel initiates an activation that would unnecessarily shut down the process, the logic solver would disable the shutdown, as it will have been set up to enable shutdown only if there are two activation signals. However, 2oo3 voting increases the PFD by a moderate amount.

Note also that achievement of SIL 1, 2, 3 or 4 depends equally on the measures taken to ensure that systematic safety integrity has been achieved. Hence SIL performance cannot be claimed for an SIS unless the design and maintenance specifications have been done in accordance with the requirements of internationally recognized standards such as IEC 61508 or IEC 61511.

Incorporating other layers of protection

LOPA allows one to take credit for other layers of protection, which may then allow one to reduce the required SIL rating of the SIS, thereby reducing the cost as well as ensuring that the system is not overprotected.

In the example, operator failure is the initiating event, with initiating event frequency IEF, and the high level trip LSH of the feed is the SIS. With LOPA one could take credit for the control system, assuming it has a PFD = 0,1. The mitigated risk R, excluding the SIS but with the other IPLs included, is therefore:

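R = Initiating event frequency × Product of the PFDs of all IPLs

$$R = \text{IEF} \times \left[\text{PFD}(\text{IPL}_1) \times \dots \times \text{PFD}(\text{IPL}_n)\right] = 1 \times 0{,}1 = 0{,}1\ /\text{y}$$

Revised risk reduction factor:

$$\text{RRF} = \frac{\text{Mitigated risk } R}{\text{Target frequency TF}} = \frac{0{,}1}{0{,}001} = 100$$

which is now much lower.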

Hence the required PFD of the SIS (high level trip) can be reduced to PFD = 1/100 = 0,01 = $1 \times 10^{-2}$.

Referring to Table 2 on page 12, this value falls in the range from $10^{-2}$ up to $10^{-1}$, which means that a lower SIL 1 can be specified for the SIS, which is the high level trip.
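The LOPA arithmetic above can be carried through in code. The following is an added example, not part of the original article; the function names are hypothetical, and because Table 2 is not reproduced on this page the SIL bands are assumed to be the standard IEC 61508/61511 low-demand bands.

```python
from fractions import Fraction
from math import prod

# Low-demand PFD bands per IEC 61508/61511: SIL n covers 10^-(n+1) <= PFD < 10^-n.
# Assumed to match the article's Table 2, which is not shown on this page.
SIL_BANDS = {n: (Fraction(1, 10 ** (n + 1)), Fraction(1, 10 ** n)) for n in (1, 2, 3, 4)}


def mitigated_risk(ief, ipl_pfds=()):
    """R = IEF * product of the PFDs of all IPLs except the SIS, in events/year."""
    ief = Fraction(ief)
    pfds = [Fraction(p) for p in ipl_pfds]
    if ief <= 0 or any(not 0 < p <= 1 for p in pfds):
        raise ValueError("IEF must be > 0 and every PFD must lie in (0, 1]")
    return ief * prod(pfds, start=Fraction(1))


def required_sil(ief, target_freq, ipl_pfds=()):
    """Return (RRF, required SIS PFD, SIL); SIL 0 means no SIL-rated SIS is needed."""
    target = Fraction(target_freq)
    if target <= 0:
        raise ValueError("target frequency must be > 0")
    rrf = mitigated_risk(ief, ipl_pfds) / target
    pfd = min(1 / rrf, Fraction(1))   # a PFD cannot exceed 1
    if pfd >= SIL_BANDS[1][1]:        # required PFD of 0,1 or more: below SIL 1
        return rrf, pfd, 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return rrf, pfd, sil
    raise ValueError("required PFD is below the SIL 4 band; add further IPLs")


if __name__ == "__main__":
    # Values from the article (decimal commas written as points): IEF = 1 /y,
    # target frequency TF = 0,001 /y, control system credited with PFD = 0,1.
    for label, ipls in (("SIS alone", []), ("with control-system IPL", ["0.1"])):
        rrf, pfd, sil = required_sil(1, "0.001", ipls)
        print(f"{label}: RRF = {rrf}, required PFD = {float(pfd)}, SIL {sil}")
```

Exact fractions are used so that a required PFD sitting exactly on a band boundary, as 0,01 does here, is classified deterministically rather than by floating-point rounding.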

Risk graph method

A simple short-cut method according to IEC 61508/61511 is to use the risk graph shown in Figure 7 on page 15. Inputs into the risk graph are as per Figure 8 below.

In the example, assume a consequence ‘Permanent injury > 1 person, 1 death’ ≡ C2, exposure time ‘Frequent to permanent’ ≡ F2, avoidance of the hazard ‘Almost impossible’ ≡ P2 and probability of an unwanted occurrence ‘Slight’ ≡ W2. Following through the risk graph, one then arrives at a SIL 2.

If credit is taken for the control loop acting to reduce the probability of the event (W2 reduces to W1), then this would be one layer of protection and the required rating of the SIS will then reduce to SIL 2 – 1 SIL = SIL 1. Note: a control loop would not normally be rated SIL 1 or be called an SIS without expensive features. However, it is reasonable to claim that the control loop reduces the probability of the event by a factor of 10 (i.e. PFD = 0,1).

SIL matrix method

A SIL matrix may be drawn up as shown in Table 3 opposite, to simplify the SIL rating of Safety Instrumented Systems. Having estimated the likelihood of the initiating event of a hazard and knowing the severity, one may read off the required initial SIL level directly. Incorporating additional layers of protection, the SIL is decreased by 1.

In the example above of filling a tank, the initiating event is 1/year and, for medium environmental damage, a SIL 2 is indicated. Incorporating a layer of protection, moving one column to the right, shows a SIL 1.

Note: ‘ALARP’ ≡ ‘As Low As Reasonably Practical’ means the design can be accepted and no further risk reduction is necessary, provided it can be shown that further reduction would not be practical or cost-effective.

Conclusions

Simple explanations have been given to illustrate layers of protection. It was pointed out that such layers of protection must have sufficient integrity to prevent initiation or propagation of a hazardous event. The suitability of layers of protection must be assessed against targets of tolerability, drawn up by the owner or organisation of the installation.

Safety instrumented systems are normally incorporated in hazardous installations as a first choice of a layer of protection. The required integrity of such a layer of protection is expressed as a probability of failure on demand, and

Mitigated risk R

Target frequency TF

Figure 4: SIL 1 instrumented protection configuration

Figure 5: SIL 2 instrumented protection configuration