SIL selection is the process of assigning a SIL (Safety Integrity Level) to a safety function in order to close the gap between residual risk (evaluated in HAZOP) and tolerable risk (as per Client Risk Matrix).
SIL (or its inverse – Risk Reduction Factor RRF) is defined in IEC 61508/61511 for low demand operation, as follows:
| SIL | PFD (avg) | PFD (power) | RRF |
|---|---|---|---|
| 1 | 0.1–0.01 | 10⁻¹ – 10⁻² | 10–100 |
| 2 | 0.01–0.001 | 10⁻² – 10⁻³ | 100–1000 |
| 3 | 0.001–0.0001 | 10⁻³ – 10⁻⁴ | 1000–10,000 |
| 4 | 0.0001–0.00001 | 10⁻⁴ – 10⁻⁵ | 10,000–100,000 |
Layers of Protection Analysis (LOPA) is a semi-quantitative method for analysing the likelihood of a hazardous event, considering initiating event (IE) frequency and the mitigating effect of various independent protection layers (IPL).
Initiating events are defined in the HAZOP, such as:
- Piping leak or rupture
- BPCS failure
- Equipment failure (loss of containment)
- Human error (depending on frequency and criticality of task performed)
- Loss of utility (e.g. power supply, instrument air)
Independent protection layers include:
- Mechanical overpressure protection (e.g. PRV, burst disk)
- BPCS interlock (where control loop is not initiating event)
- Independent safety systems (e.g. BMS for a fired heater)
- Operator response to alarm (sufficient time to adequately respond must be available)
Additional mitigating factors (e.g. F&G systems, spill containment) and conditional modifiers (e.g. ignition probability, presence of personnel) are considered.
After consideration of all IPLs, the gap between residual risk and tolerable risk gives the required SIL of instrumented safety functions (SIF).
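The LOPA arithmetic described above, as an added example that is not part of the original page: the initiating event frequency is multiplied by each IPL's PFD and each conditional modifier, and the ratio of the result to the tolerable frequency is mapped onto the RRF bands from the table. The function names are hypothetical, and every frequency, PFD and the tolerable target are constructed sample values, not figures from a standard or a client risk matrix.

```python
# RRF bands for low demand operation, taken from the SIL table on this page.
SIL_BANDS = [(1, 100), (2, 1_000), (3, 10_000), (4, 100_000)]


def mitigated_frequency(ie_freq, ipl_pfds, modifiers=()):
    """Hazardous event frequency (per year) after crediting IPLs and modifiers."""
    if ie_freq <= 0:
        raise ValueError("initiating event frequency must be positive")
    freq = ie_freq
    for p in list(ipl_pfds) + list(modifiers):
        # A PFD or probability of 0 would claim a perfect layer; reject it.
        if not 0 < p <= 1:
            raise ValueError(f"probability out of range: {p}")
        freq *= p
    return freq


def required_sil(ie_freq, ipl_pfds, modifiers, tolerable_freq):
    """Return (required RRF, SIL label) for the SIF that closes the risk gap."""
    rrf = mitigated_frequency(ie_freq, ipl_pfds, modifiers) / tolerable_freq
    if rrf <= 1:
        return rrf, "no SIF required"  # existing layers already meet the target
    if rrf < 10:
        return rrf, "below SIL 1"      # risk reduction factor lower than 10
    for sil, upper in SIL_BANDS:
        if rrf <= upper:
            return rrf, f"SIL {sil}"
    return rrf, "beyond SIL 4"         # redesign needed; a single SIF cannot cover it


if __name__ == "__main__":
    # Constructed scenario: BPCS failure as initiating event at 0.1 per year,
    # operator response to alarm credited with PFD 0.1, presence of personnel
    # 0.5 as conditional modifier, tolerable frequency 1e-5 per year.
    rrf, sil = required_sil(0.1, [0.1], [0.5], 1e-5)
    print(f"required RRF = {rrf:.0f} -> {sil}")
    # Crediting a PRV (PFD 0.01) as an additional IPL shrinks the gap.
    rrf, sil = required_sil(0.1, [0.1, 0.01], [0.5], 1e-5)
    print(f"with PRV: required RRF = {rrf:.0f} -> {sil}")
```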
The calibrated risk graph method is a semi-quantitative method for determining the required SIL for safety instrumented functions (IEC 61511-3, Annex D). Its basis is a graphical decision chart where, in addition to Demand Rate W and Consequence parameter C, additional factors F (exposure time) and P (probability of avoiding the hazardous event) enable 'order-of-magnitude' steps to define the final SIL.
The standard does not quantify demand rate and consequence, therefore parameters W1, W2, W3 and CA, CB, CC, CD must be 'calibrated' in line with Client risk acceptance criteria. Consequence criteria are defined for personal safety, environmental damage and asset loss. The calibrated risk graph method generally results in a more conservative SIL selection than the LOPA method.
The calibrated risk graph method as per IEC 61511 defines SIL-a for safety functions with a required risk reduction factor lower than 10 (i.e. below SIL-1). SIL-a functions may be implemented in the BPCS as 'low integrity safety functions', but shall be subject to Functional Safety Management, including:
- Safety and quality management
- Independence of safety and control functions
- Documentation control
- Management of change
- Periodic testing