In the following sections, four different methods will be described for selecting SIL for this high pressure shutdown SIS.
Figure A.1 — Company ABC, Site XX, Specific SIL implementation techniques, example only
[Figures A.1a to A.1d: Sensor, Logic Solver and Actuator arrangements for SIL 1, SIL 2 and SIL 3 SIS; Logic Solver(s) as required to meet SIL]
Notes:
1) Sensors, logic solvers, and/or final elements may be redundant as safety availability requirements dictate.
2) The performance of two identical SIL 1 SIS's may not equal that of one SIL 3 SIS.
ANSI/ISA-S84.01-1996 51
Figure A.2 — Process example
A.3.1 Example method - the safety layer matrix (Reference C.1)
The method is based on a qualitative understanding of the process risk, and requires a qualitative evaluation of potential consequences, or impact of harm, that could occur if the SIS and other protection did not stop an initiating event from proceeding to completion. The qualitative evaluation consists primarily of identifying all the different initiating events and their potential consequences.
The method uses a qualitative matrix, shown in Figure A.3, that requires an evaluation of all the initiating events that could lead to the consequences, and of the effectiveness of protection other than the SIS. Qualitative guidance for determining the range of low to high values for the matrix inputs depends on many considerations such as company guidance, local factors, the nature of the process, etc. The matrix used here is strictly for illustrative purposes. Matrices actually used will be company dependent.
Use of the matrix requires qualitative evaluation of the severity of the consequences for hazardous events the SIS is protecting against. The process safety team felt that the severity was moderate for this example.
The matrix also requires an evaluation of the likelihood of occurrence for all the initiating events that could lead to consequences. The process safety team felt the likelihood was moderate for this example.
The third axis of the matrix requires a qualitative evaluation of the effectiveness of other protection layers. Layers, other than the SIS under consideration, are evaluated for their effectiveness in preventing the initiating events from leading to consequences. The process safety team felt the effectiveness was between low and medium for this example. This judgement was based on the need for extremely rapid operator response and the tendency for the pressure relief valve to plug. Using these qualitative evaluations, the matrix indicates SIL 2 for the high pressure shutdown system.
A.3.2 Example method - the consequences only method
This method has fewer steps than many other methods and only requires evaluation of the severity of consequences possible if the SIS and other protection fails. The process safety team felt this method should be used because it could expedite SIL decisions by reducing the time spent on evaluations. The possible trade-off was that the design selection of SIL could be higher than predicted by use of other SIL selection methods. Erring on the side of designing a higher than necessary SIL level was felt to be conservative by this team. The team preferred to save time that would be spent on risk evaluations and to incur the potential cost penalties imposed by selecting a higher SIL than might otherwise result. Money spent on equal or better safety performing SIS was felt to be a good investment in safety.
COPYRIGHT 2003; The Instrumentation, Systems, and Automation Society Document provided by IHS Licensee=Technip Abu Dabhi/5931917101, User=,
Figure A.3 — Company ABC, Site XX, Example of a qualitative matrix for determining SIL
The method only requires an evaluation of the severity of consequences, should the SIS and other protective safety items fail. Since this is a conservative method, this particular plant decided to simplify the SIL selection process from three SIL choices to two SIL choices. This was done by selecting only SIL 1 or SIL 3 designs. If the consequences are above a base threshold, then a SIL 1 is selected. If they are above a "major" severity criterion, then a SIL 3 is selected.
These two severity levels were defined to include injuries, property damage, and environmental impact specific to this process. Risk was addressed in setting these guidelines by the underlying assumption that the frequency of occurrence of initiating events for all SIS applications is frequent, or "likely."
The team evaluated the severity of consequences for the high pressure shutdown SIS in the example and felt they exceeded the "major" criterion. Based on that evaluation, a SIL 3 was selected.
A.3.3 Example method - the modified HAZOP method
In order to determine the SIL, the modified HAZOP method includes the consideration of the severity of the consequences and their probability of occurrence, along with other risk-related factors. Specific risk reduction recommendations can be evaluated in terms of their effectiveness in reducing risk.
Using an experienced leader in HAZOP methodology, the process segment is systematically analyzed using a set of guide words to identify process deviations that could lead to hazardous events. A spreadsheet format is used to associate each process deviation with a specific upset cause. The upset cause is followed by the potential consequences of the upset, the factors that prevent or protect against the consequences, and the action or judgement of the team on how to control the associated risk. The team decides on recommendations, or the adequacy of current risk controls, based on this evaluation process.
Part of the modified HAZOP documentation for the example is summarized in Table A.1.
The modified HAZOP team also identified operator error when in manual mode during startup as a cause of a high pressure upset.
Based on the severity of the consequences, the team's feeling for the likelihood of these upsets, and the overall performance of the protective systems, the team agreed a SIS was needed. Initially, a SIL 2 or 3 was considered by the team for further evaluation. The team considered safety, equipment reliability, and operation and maintenance costs, then determined that a SIL 2 SIS is more appropriate for this application.
Table A.1 — Modified HAZOP documentation example
PROCESS DEVIATION | CAUSE | CONSEQUENCES | PROTECTION
More Flow | Pressure control valve fails to open | Vessel rupture with potential injuries, property damage, and environmental damage | Relief valve; operator response to high pressure alarms; high pressure shutdown SIS
More Pressure | Pressure sensor fails, drifts to a false low pressure output | Same as More Flow | Same as More Flow, except the operator response is only triggered by a single high pressure signal
A.3.4 Example method - SIL determined from a fault tree
Based on the example vessel rupture hazard and several other major hazards in this process, a fault tree analysis was done for a large part of the process, which included the example. The fault tree quantitatively estimated the frequency of occurrence for explosive over-pressure rupture of several process vessels.
Fault trees are logic diagrams that systematically display sequences of failures. Sequences of failures that begin with basic events, such as a sensor failure, and lead to a defined "top" event are diagrammed. The top event in this case is explosive over-pressure rupture of process vessels. The fault tree logic diagram can be analyzed to estimate the frequency of occurrence for the top event. Failure rates and conditional failure probabilities are assigned to each basic event; the top event frequency of occurrence can then be calculated. Fault tree analysis is briefly described in Reference C.1, page 56, and extensively covered in Reference C.13. Details of the fault tree covering the example are too complex to describe or depict in this annex.
The first step in using the fault tree to determine SIL for the example was to develop the fault tree logic diagram. The initial fault tree was based on the assumption of a high pressure shutdown SIS designed as shown in Figure A.2, a SIL 1 design. Appropriate failure information was determined for all the failure events associated with the example. For example, failure frequencies were estimated for initiating events, such as the pressure control valve failing to open. A top event frequency for vessel rupture was then calculated.
After reviewing the fault tree results, the team decided that the fault tree should be changed to evaluate SIL 2 and SIL 3 designs for this SIS. Subsequent results of this fault tree evaluation indicated a substantial safety improvement for the SIL 2 design versus the SIL 1 design: the top event vessel rupture frequency of occurrence decreased by a substantial percentage. A similar comparison of SIL 2 versus SIL 3 designs indicated only a small safety improvement, i.e., the top event frequency decreased only slightly. Based on these comparisons, the team selected SIL 2 for the high pressure shutdown SIS.
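The comparison described in A.3.4 can be illustrated with a small fault tree model. The following Python is an added example, not part of the standard: the top event (vessel rupture) is an OR of independent initiating-event branches, each an AND of the initiating event and every protection layer failing on demand. All frequencies, PFD values, the choice of branches, and the assumption that the manual-mode startup error bypasses the SIS are constructed for illustration; only the SIL PFD bands come from the standard.

```python
"""Added example, not from ANSI/ISA-S84.01: fault tree style SIL comparison.
Top event "vessel rupture" = OR of initiating-event branches, each an AND of
the initiating event and every protection layer failing on demand.  All
frequencies (per year), PFD values and branches are constructed assumptions."""
from dataclasses import dataclass

# Representative PFDs chosen inside the S84.01 SIL bands
# (SIL 1: 1e-1 to 1e-2, SIL 2: 1e-2 to 1e-3, SIL 3: 1e-3 to 1e-4).
SIS_PFD = {1: 5e-2, 2: 5e-3, 3: 5e-4}

@dataclass
class Branch:
    """One initiating event and the independent layers that must all fail."""
    name: str
    frequency: float           # initiating event frequency, demands per year
    layer_pfds: dict           # non-SIS protection layer name -> PFD
    sis_protects: bool = True  # False when the SIS cannot act on this cause

def branch_frequency(branch: Branch, sil: int) -> float:
    """AND gate: initiating frequency times the PFD of every layer."""
    prob = 1.0
    for pfd in branch.layer_pfds.values():
        prob *= pfd
    if branch.sis_protects:
        prob *= SIS_PFD[sil]
    return branch.frequency * prob

def top_event_frequency(branches, sil: int) -> float:
    """OR gate over independent branches (rare event approximation: sum)."""
    return sum(branch_frequency(b, sil) for b in branches)

# Constructed tree: the two Table A.1 causes plus the manual-mode startup
# error identified by the HAZOP team, assumed here to bypass the SIS.
TREE = [
    Branch("PCV fails to open", 0.1,
           {"relief valve": 1e-2, "operator response to alarms": 1e-1}),
    Branch("Pressure sensor drifts to false low output", 0.05,
           {"relief valve": 1e-2, "operator response (single alarm)": 3e-1}),
    Branch("Operator error in manual mode during startup", 0.01,
           {"relief valve": 1e-2, "operator response to alarms": 1e-1},
           sis_protects=False),
]

def compare_sils(branches=TREE):
    """Return top event frequency per SIL and the fractional reduction per step."""
    freqs = {sil: top_event_frequency(branches, sil) for sil in (1, 2, 3)}
    gains = {f"SIL{s}->SIL{s + 1}": 1 - freqs[s + 1] / freqs[s] for s in (1, 2)}
    return freqs, gains

if __name__ == "__main__":
    print(compare_sils())
```

With these assumed numbers the SIL 1 to SIL 2 step halves the top event frequency while SIL 2 to SIL 3 removes only about a tenth more, because the branch the SIS cannot influence comes to dominate; that is the pattern the team used to settle on SIL 2.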
Annex B (Informative) — SIS design considerations
NOTE — THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR INFORMATION ONLY.
This informative annex addresses design methods to meet SIL requirements. The following SIS design considerations are addressed:
B.1 Separation - identical or diverse