The Oil and Gas Engineering Guide

Published Saturday 25/09/2010

SIL reviews

Recent developments in industry standards related to Safety Instrumented Systems (SIS) in the process industry, ISA 84.00.00 in particular, have placed many new requirements on the design, selection, installation, operation and maintenance of instrumented safety systems.

 

These standards have prompted Safety Integrity Level (SIL) reviews to be carried out systematically on projects.

 

The objective is to ensure that each safety automation has the reliability required given its criticality.

 

 

It is done in two steps:

 

  • First, a review of the criticality and the assignment of a required reliability level for the automation

 

  • Second, a check that the automation indeed has the required reliability

 

In the following text we will use the dedicated vocabulary. Safety Automation will therefore be called “Safety Instrumented Function (SIF)” and “reliability” will be called “Safety Integrity Level (SIL)”.

 

 

First step of the SIL study: SIL determination/assignment workshop

 

All SIFs, i.e. instrumented interlocks, appearing on the project P&IDs are reviewed. For each one, the team qualitatively evaluates the consequence if the SIF fails. Consequences are evaluated in terms of impact on personnel (safety), economic loss and the environment.

 

The consequence rating is done using categories, e.g. category 1 for fatalities among the public, category 2 for serious injury to the public, category 3 if the impact is on personnel only, etc.

 

The team then evaluates the likelihood of the SIF failure, again using a qualitative approach and categories: category A for 20 or more failures during the facility life, up to category D for once every 100 facility lives.

 

The product of the consequence severity and likelihood is the risk level. A matrix is defined, such as the one shown here, that indicates the tolerable risk area (low consequence, low probability), where no action is required, and the area where the risk is not tolerable.

 

In the non-tolerable risk area, one of the two following actions must be taken:

 

  • Either assign the SIF the SIL target shown in the matrix

 

  • or, in case this protection is considered undesirable due to the high SIL required, such as SIL 3, additional safeguards or other risk reduction measures besides the SIF can be considered by the review team. The revised case shall then be subject to the same assessment as above to determine the new SIL target.

 

 

 

Once the required SIL for each SIF is determined, the second step of the SIL study begins.

 

 

Second step of the SIL study: the SIS performance verification.

 

This second step, which is done afterwards, outside the step 1 workshop, consists of calculations of the actual Safety Integrity Level of each SIF. These calculations take into account the hardware used (component failure rates), architecture (redundancy, voting), test intervals, etc.

 

Where the calculated SIL is below the target set in the assignment workshop, improvements are required, such as increase of testing interval, change of SIF component types and addition of components for redundancy.

 

The deliverable of this second step is the documented calculations and recommendations “SIS performance verification results and recommendations”.
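
As an added illustration of the step 2 calculation (not part of the original article), the sketch below applies the widely used simplified PFDavg equations for low-demand mode, which ignore common-cause failures and repair time, and maps the result to the IEC 61508/61511 low-demand SIL bands. The failure rates, the annual test interval, the SIL 2 target and all function names are assumptions constructed around the PSHH example used further down this page.

```python
# Added example: simplified low-demand PFDavg check for one SIF.
# Covers only the PFD part of verification; common-cause failures, repair
# time and architectural constraints are deliberately left out (assumption).

HOURS_PER_YEAR = 8760

def pfd_avg(lambda_du, test_interval_h, voting="1oo1"):
    """Average probability of failure on demand for one subsystem.

    lambda_du: dangerous undetected failure rate per hour, per channel.
    """
    x = lambda_du * test_interval_h
    formulas = {"1oo1": x / 2, "2oo2": x, "1oo2": x**2 / 3, "2oo3": x**2}
    if voting not in formulas:
        raise ValueError(f"unsupported voting architecture: {voting}")
    return formulas[voting]

def sif_pfd(subsystems, test_interval_h):
    """A SIF fails if sensor, logic solver or final element fails: sum them."""
    return sum(pfd_avg(lam, test_interval_h, vote) for lam, vote in subsystems.values())

def achieved_sil(pfd):
    """Map PFDavg to a low-demand SIL band: SIL n is 10^-(n+1) <= PFD < 10^-n."""
    if pfd >= 1e-1:
        return 0  # does not reach SIL 1
    for sil in (1, 2, 3):
        if pfd >= 10 ** -(sil + 1):
            return sil
    return 4  # capped: SIL 4 is the highest band

# Constructed failure rates (per hour) for the PSHH -> fuel shutoff example.
BASE_DESIGN = {
    "PSHH": (6e-7, "1oo1"),
    "logic solver": (5e-8, "1oo1"),
    "fuel shutoff valve": (2e-6, "1oo1"),
}
# Improvement option from the text: add a component for redundancy.
REDUNDANT_VALVES = {**BASE_DESIGN, "fuel shutoff valve": (2e-6, "1oo2")}

def verify(subsystems, target_sil, test_interval_h=HOURS_PER_YEAR):
    """Return (PFDavg, achieved SIL, target met?) for one SIF."""
    pfd = sif_pfd(subsystems, test_interval_h)
    sil = achieved_sil(pfd)
    return pfd, sil, sil >= target_sil

if __name__ == "__main__":
    for name, design in (("base", BASE_DESIGN), ("1oo2 valves", REDUNDANT_VALVES)):
        pfd, sil, ok = verify(design, target_sil=2)
        print(f"{name}: PFDavg={pfd:.2e} SIL {sil} meets SIL 2 target: {ok}")
```

With these constructed numbers the single shutoff valve dominates the total, so the base design only reaches SIL 1, while the 1oo2 valve arrangement brings the same SIF into the SIL 2 band.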

 

 

 

 

Most safety automations are the first of two barriers. A high pressure safety switch (PSHH) that shuts the fuel supply to a turbine driving a compressor, for instance, is the first barrier to stop the turbine in case of too high compressor discharge pressure.

 

If it fails to operate, a pressure safety relief valve (PSV) on the compressor discharge line will open, providing the second level of protection.

 

In most cases, two such safeguards are provided in the design: the safety automation is backed by a hard device. In these cases, the reliability of the automation is not thoroughly investigated as it is backed up.

 

The SIL review will focus on the few cases where the SIF is the only barrier. That would be the case if, for some reason, no PSV is installed on the compressor discharge line in the above example. In this case the SIF will be thoroughly examined, a SIL target set and the performance duly verified.


