1. The document discusses selecting safety integrity levels (SIL) for safety instrumented functions to reduce risk from hazardous scenarios. 2. It describes various SIL target selection methods, with frequency-based targets like layer of protection analysis (LOPA) providing the most accurate results. 3. The document provides a simplified example of using a "risk-o-meter" to determine if actual risk is below a company's tolerable risk level of 1 fatality per 100,000 years after accounting for existing layers of protection.

1. SIL Target Selection – SIL Verification
Shanghai, 16 March 2011
Koen Leekens
Exida Contacts
Singapore +65 6222 5160 Canada +1 403 475 1943
Shanghai +86 21 5171 7250 United Kingdom +44 2476 456 195
Hong Kong
g g +852 2633 7727 Netherlands +31 318 414 505
Germany +49 89 4900 0547 Australia / NZL +64 3 472 7707
USA +1 215 453 1720 Mexico +52 55 5611 9858
Switzerland +41 22 364 14 34 South Africa +27 31 267 1564
Copyright exida LLC ® 2000-2011

2. IEC 61511 is Risk Based
“There is risk in reaping the cheese”
Reduce the Risk to a tolerable level
Reduce the Risk to a tolerable level
Copyright exida LLC ® 2000-2011

3. The IEC 61511 Safety Lifecycle
Analysis Phase
Analysis Phase
Copyright exida LLC ® 2000-2011

4. What is…?
SIL Target Selection:
“Select the Safety Integrity Level (SIL) for each Safety Instrumented Function
( )
(SIF). The SIL Target is the risk reduction to be provided by the SIF to bring the
g p y g
actual risk below the tolerable risk”
Copyright exida LLC ® 2000-2011

5. SIL Target Selection Methods
Risk Graph
Hazard Matrix
Hazard Matrix
Frequency Based Targets (LOPA)
Most Accurate resulting in best cost versus safety
Copyright exida LLC ® 2000-2011

6. SIL Target Selection Methods
Risk Graph
Hazard Matrix
Hazard Matrix
Frequency Based Targets (LOPA)
Most Accurate resulting in best cost versus safety
Copyright exida LLC ® 2000-2011

7. Simplified Exercise
Risk of 1 Fatality …
per year HIGH RISK
per 10 year
per 100 year
per 1,000 year
per 10,000 year
per 100,000 year
per 100 000 year
per 1,000,000 year LOW RISK
“Risk‐O‐Mometer”
Copyright exida LLC ® 2000-2011

8. Simplified Exercise
Risk of 1 Fatality … Practical SIL Target Selection
per year HIGH RISK
per 10 year
per 100 year
per 1,000 year
per 10,000 year
per 100,000 year
per 100 000 year
per 1,000,000 year LOW RISK
“Risk‐O‐Mometer”
Copyright exida LLC ® 2000-2011

9. 1. Define Tolerable Risk
Risk of 1 Fatality … Practical SIL Target Selection
per year
per 10 year
per 100 year
per 1,000 year Tolerable Risk must
be defined by
per 10,000 year
Corporate
per 100,000 year
per 100 000 year
per 1,000,000 year
Copyright exida LLC ® 2000-2011

10. 1. Define Tolerable Risk
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
per 10 year
per 100 year
Objective
per 1,000 year
Reduce risk below
Reduce risk below
per 10,000 year this Tolerable
per 100,000 year
per 100 000 year
Frequency
q y
per 1,000,000 year
Copyright exida LLC ® 2000-2011

11. 2. Determine Actual Risk
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
per 1,000 year
per 10,000year
HAZOP
per 100,000year
per 100 000year PHA method to
PHA method to
identify Hazards
per 1,000,000 year
Copyright exida LLC ® 2000-2011

12. 2. Determine Actual Risk
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
per 1,000 year
per 10,000year
Actual Risk
per 100,000year
per 100 000year Frequence (1/time)
(1/time)
Consequence (%)
per 1,000,000 year
Copyright exida LLC ® 2000-2011

13. 2. Determine Actual Risk
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
– Actual Risk
per 1,000 year
Frequency Flow Imbalance: 10 year
Frequency Flow Imbalance: 10 year
per 10,000year
Consequence: 1 fatality
per 100,000year
per 100 000year
per 1,000,000 year
Copyright exida LLC ® 2000-2011

14. 3. Take credit for “Other Layers of Protection”
Initiating
Layers of Protection Outcome
Event
Flow Operator No pipe
No Ignition Explosion
Imbalance Fails fracture
0.001
0.2 Per Year
05
0.5
0.1
0.1
Per Year No Event
Copyright exida LLC ® 2000-2011

15. 3. Take credit for “Other Layers of Protection”
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
– Result of Risk Assessment
per 1,000 year
Frequency Flow Imbalance: 10 year
Frequency Flow Imbalance: 10 year
per 10,000year
Consequence: 1 fatality
– Layer of Protection Analyses (LOPA):
per 100,000year
per 100 000year Reduced Frequency: 1000 year
educed eque cy 000 yea
per 1,000,000 year
Copyright exida LLC ® 2000-2011

16. 3. Take credit for “Other Layers of Protection”
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
– Result of Risk Assessment
per 1,000 year
Frequency Flow Imbalance: 10 year
Frequency Flow Imbalance: 10 year
per 10,000year
Consequence: 1 fatality
– Layer of Protection Analyses (LOPA):
per 100,000year
per 100 000year Reduced Frequency: 1000 year
educed eque cy 000 yea
per 1,000,000 year
Copyright exida LLC ® 2000-2011

17. 4. Select SIL
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
– Result of Risk Assessment
per 1,000 year
Frequency Flow Imbalance: 10 year
Frequency Flow Imbalance: 10 year
Consequence: 1 fatality
per 10,000year 10‐2 ? – Layer of Protection Analyses (LOPA):
Select SIL
Reduced Frequency: 1000 year
educed eque cy 000 yea
per 100,000year
per 100 000year
How much more risk
per 1,000,000 year reduction required?
Copyright exida LLC ® 2000-2011

18. 4. Select SIL Target
Copyright exida LLC ® 2000-2011

19. 4. Select SIL
Risk of 1 Fatality … Practical SIL Target Selection
– Company Tolerable Risk Guidelines:
per year 1 Fatality per 100.000 year (=10‐5)
– Result HAZOP “Cryogenic Heat exchange”
per 10 year Imbalance warm/cold flow can result in
freezing and fracture of pipe, and
f i df t f i d
per 100 year explosion.
– Result of Risk Assessment
per 1,000 year
Frequency Flow Imbalance: 10 year
Frequency Flow Imbalance: 10 year
Consequence: 1 fatality
per 10,000year 10‐2 SIL2 – Layer of Protection Analyses (LOPA):
per 100,000year
per 100 000year Reduced Frequency: 1000 year
educed eque cy 000 yea
– Select SIL: 10‐3 to 10‐5 = 10‐2 so SIL2
per 1,000,000 year Risk Reduction below Tolerable
Copyright exida LLC ® 2000-2011

20. The IEC 61511 Safety Lifecycle
Realization Phase
l h
Copyright exida LLC ® 2000-2011

21. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
of Failure on Demand Average/per hour (PFD
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)
Copyright exida LLC ® 2000-2011

22. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
of Failure on Demand Average/per hour (PFD
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)
PFDsensor + PFDmux + PFDinput + PFDmp + PFDOutput + PFDrelay + PFDfe + PDFprocess‐connection
It is easy to do the
calculations right –
It is difficult to do the right
calculations
Copyright exida LLC ® 2000-2011

23. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
of Failure on Demand Average/per hour (PFD
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)
Copyright exida LLC ® 2000-2011

24. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1. SILPFD:Probability of Failure on Demand Average/per hour (PFDAVG /PFH)
of Failure on Demand Average/per hour (PFD
2. SILAC : Hardware Fault Tolerance
3. SILCAP:Capability to prevent Systematic Failures (SILCAP)
Certificate
ifi Justification
ifi i
by Vendor by User
Copyright exida LLC ® 2000-2011

25. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1.
1 SILPFD: SIL2
: SIL2
2. SILAC : SIL1 The SIL level for this
3.
3 SILCAP: SIL3
SIL3 Safety Instrumented
Safety Instrumented
Function (SIF) is:
???
Copyright exida LLC ® 2000-2011

26. What is…?
SIL Verification
“Verify if the SIL achieved by the SIF meets the SIL Target.
The SIL achieved is the minimum of:
1.
1 SILPFD: SIL2
: SIL2
2. SILAC : SIL1 The SIL level for this
3.
3 SILCAP: SIL3
SIL3 Safety Instrumented
Safety Instrumented
Function (SIF) is:
SIL1
Copyright exida LLC ® 2000-2011

27. Common Mistakes SIL Verification
DO NOT:
– Use Spreadsheet without justification
– Use optimistic (Dangerous) Failure Rates
Use optimistic (Dangerous) Failure Rates
– Use 100% Proof Test coverage
– Ignoring Common Cause Failures
– Ignoring Process Connections Next CFSE Trainings China:
– Ignoring SIL Capability May – June 2011
– Ignoring Hardware Fault Tolerance
g g
– Engineer insufficiently trained
Certified by 3rd Party
y y
Copyright exida LLC ® 2000-2011

28. Copyright exida LLC ® 2000-2011