SAFETY INTEGRITY LEVEL HAFIZ HUSNAIN BASRA

(2019-MS-CH-104)
INTRODUCTION

The boundary conditions for the safe operation of an industrial plant are already identified
and mitigated within the project define phase. During the Basic Design (or Front-End
Engineering & Design) of an industrial plant all safeguards and Layers of Protection needs to
be properly identified and defined. The various process protection layers are illustrated within
the figure.
The Safety Instrumented Function (SIF) forms the third protection layer. The SIF is required to
interfere in case the basic process control system as well as the process alarms could not bring
back the process values under normal control. Within that respect the SIF initiates on critical
process demand a unit trip to avert further process escalation and mitigate hazardous process
conditions. Therefore an adequate and unambiguous SIF definition is very important.
The SIF definition is mandatory necessary and important for every Safety Integrity Level (SIL)
classification. An incorrect definition easily leads to over or under engineering.

The intention of a safety function is to prevent or mitigate the consequences of a hazardous

event. Therefore, it needs to function properly and it needs to be reliable. Adequate definition
of a safety function can only be achieved if a full understanding of its demand scenarios,
design intent and consequences of failure on demand are known:

1. The ‘demand scenario’ describes the initiating events (e.g. failure of control instruments or
failure of equipment), which will ultimately lead to a demand on the SIF.
2. The ‘design intent’ specifies the released hazard to be averted (e.g. loss of containment).
3. The ‘consequences of failure on demand’ describe the ultimate consequences (of a SIF
failure) and the way they are achieved.
DEFINATIONS (SIL)

Safety integrity level (SIL) is defined as a relative level of risk-reduction provided by

a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a
measurement of performance required for a safety instrumented function (SIF).

The requirements for a given SIL are not consistent among all of the functional safety
standards. In the functional safety standards based on the IEC 61508 standard, four SILs are
defined, with SIL 4 the most dependable and SIL 1 the least. The applicable SIL is determined
based on a number of quantitative factors in combination with qualitative factors such as
development process and safety life cycle management.
SOME BASIC TERMS
Probability of Failure on Demand (PFD): It It is a measure of safety system performance in
terms of the Probability of Failure on Demand (PFD). It is expressed as a negative exponential
of 10, for example, 10-5 .

Risk Reduction Factor: This is the inverse of of the POF and provides the reduction in risk by
implementation of a SIL level to any critical safety-related instrumentation.

Safety-Instrumented Systems: It is a process plant instrument system which is designed to

prevent or mitigate hazardous events by taking a process to a safe state when predetermined
conditions are violated. Other common terms for SIS are safety interlock systems, emergency
shutdown systems (ESD), and safety shutdown systems (SSD).
SIL evaluation is done for Safety-Instrumented Systems (SIS). Each SIS has one or more
Safety Instrumented Functions (SIF).
To perform its function, a SIF loop has a combination of logic solver(s), sensor(s), and final
element(s).
Every SIF within a SIS will have a SIL level.
These SIL levels may be the same, or may differ, depending on the process.
It is a common misconception that an entire system must have the same SIL level for each
safety function.
SIL LEVELS (AS PER IEC 61508)

There are four discrete integrity levels associated with SIL: SIL 1, SIL 2, SIL 3, and SIL 4.
The higher the SIL level, the higher the associated safety level, and the lower probability that
a system will fail to perform properly.
As the SIL level increases, typically the installation and maintenance costs and complexity of
the system also increase.
Specifically for the process industries, SIL 4 systems are so complex and costly that they are
not economically beneficial to implement. Additionally, if a process includes so much risk that a
SIL 4 system is required to bring it to a safe state, then there is a fundamental problem in the
process design that needs to be addressed by a process change or other non-instrumented
method.
Standards adopted for the study
IEC 61508
IEC 61511
ANSIISA 84.01
Documents required for the study
Process flow schemes
P & ID diagrams
Standards adopted for the instrument selection
Process safety study reports
Cause and effect matrices
 SIL (SAFETY INTEGRITY LEVEL)
SIL is a relative level of risk reduction provided by a safety function.
SIL ratings correlate to frequency and severity of hazards. They determine the performance
required to maintain and achieve safety — and the probability of failure.
There are four SILs — SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL, the greater the risk of
failure. And the greater the risk of failure, the stricter the safety requirements.
Probability of Failure
Safety Integrity Level Risk Reduction Factor
on Demand
SIL 4 ≥105 to <104 100,000 to 10,000
SIL 3 ≥104 to <103 10,000 to 1,000
SIL 2 ≥103 to <102 1,000 to 100
SIL 1 ≥102 to <101 100 to 10
ASSIGNMENT OF SIL
Assignment of SIL is an exercise in risk analysis where the risk associated with a specific
hazard, that is intended to be protected against by a SIF, is calculated without the beneficial
risk reduction effect of the SIF. That unmitigated risk is then compared against a tolerable risk
target. The difference between the unmitigated risk and the tolerable risk, if the unmitigated
risk is higher than tolerable, must be addressed through risk reduction of the SIF. This amount
of required risk reduction is correlated with the SIL target. In essence, each order of
magnitude of risk reduction that is required correlates with an increase in one of the required
SIL numbers.
There are several methods used to assign a SIL. These are normally used in combination, and
may include:
Risk matrices
Risk graphs
Layers of protection analysis (LOPA)
Of the methods presented above, LOPA is by far the most commonly used by large industrial
facilities.
In a SIL classification the demand scenario frequency and the severity of the consequences of
the hazardous event are used to establish the Safety Integrity Level (see also the generic norm
for safety IEC 61508 and the adapted safety norm for process industry IEC 61511), which
determines the required level of risk reduction.
The SIL indicates the minimum probability that the equipment will successfully do what it is
desired to do when it is called upon to do it. As soon as the required risk reduction is known, it
can be converted into a Probability of Failure on Demand (PFD) which is required for the SIF
and which results into the SIL.
SIL 1 - represents the integrity required to avoid relatively minor incidents and is
likely to be satisfied by a certain degree of fault tolerant design using guidelines
that follow good practice.
SIL 2 - represents the integrity to avoid more serious, but limited, incidents some
of which may result in serious injury or death to one or more persons.
SIL 3 - represents the integrity required to avoid serious incidents involving a
number of fatalities and/or serious injuries.
SIL 4 - represents the integrity level required to avoid disastrous accidents.
BENEFITS
SIL Determination is done to
To allocate safety functions to protection layers;
Determine the required safety instrumented functions;
Determine , for each safety instrumented function, the associated safety integrity level.

Safety Requirement Specification

The objective is to specify the requirements for the safety instrumented functions.
To define the safe state of the process for each identified safety instrumented function;
The assumed sources of demand and demand rate on the safety instrumented function;
BENEFITS

Safety Requirement Specification

Requirement for proof-test intervals;
Response time requirement for the sis to bring the process to a safe state;
The safety integrity level and mode of operation(demand/continuous) for each
safety instrumented function;
A description of SIS process measurements and their trip points;
Requirements relating to energize or de-energize to trip;
Requirement for resetting the SIS after a shutdown.
Maximum allowable spurious trip rate ; as per IEC 61511.
BENEFITS

Helps improve overall safety of the facility.

Prevents (or) mitigates consequences which can result in – loss of life, personnel injury,
equipment damage, loss of production.
 Helps in complying with present (or) future government directives on Health, Safety
and
Environment.
Provides a better corporate image and helps in boosting employee morale.
SIL Verification
A key step in the conceptual design process of SIF. After the preparation of SRS based on SIL
Assessment exercise the SIF subsystem is decided. The SIF design is verified whether it meets
functional and integrity requirements.
SIL Validation
The objective of the requirements of this stage is to validate, through inspection and testing,
that the installed and commissioned safety instrumented system and its associated safety
instrumented functions achieve the requirements as stated in the safety requirement
specification.
PROBLEMS

There are several problems inherent in the use of safety integrity levels. These can be
summarized as follows:
Poor harmonization of definition across the different standards bodies which utilize SIL
Process-oriented metrics for derivation of SIL
Estimation of SIL based on reliability estimates
System complexity, particularly in software systems, making SIL estimation difficult to
impossible
CERTIFICATION

The International Electro technical Commission's (IEC) standard IEC 61508 defines SIL using
requirements grouped into two broad categories: hardware safety integrity and systematic
safety integrity. A device or system must meet the requirements for both categories to achieve
a given SIL.

The SIL requirements for hardware safety integrity are based on a probabilistic analysis of
the device. In order to achieve a given SIL, the device must meet targets for the maximum
probability of dangerous failure and a minimum safe failure fraction. The concept of
'dangerous failure' must be rigorously defined for the system in question, normally in the form
of requirement constraints whose integrity is verified throughout system development. The
actual targets required vary depending on the likelihood of a demand, the complexity of the
device(s), and types of redundancy used.

PFD (probability of dangerous failure on demand) and RRF (risk reduction factor) of low
demand operation for different SILs as defined in IEC EN 61508 are as follows:
 SIL PFD PFD (power) RRF
1 0.1–0.01 10−1 – 10−2 10–100
2 0.01–0.001 10−2 – 10−3 100–1000
3 0.001–0.0001 10−3 – 10−4 1000–10,000
4 0.0001–0.00001 10−4 – 10−5 10,000–100,000
 SAFETY STANDARDS
The following standards use SIL as a measure of reliability and/or risk reduction.
ANSI/ISA S84 (Functional safety of safety instrumented systems for the process industry
sector)
IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety
related systems)
IEC 61511 (Safety instrumented systems for the process industry sector)
IEC 61513 (nuclear industry)
IEC 62061 (safety of machinery)
EN 50128 (railway applications – software for railway control and protection)
EN 50129 (railway applications – safety related electronic systems for signalling)
EN 50402 (fixed gas-detection systems) & ISO 26262 (automotive industry)
Defence Standard 00-56 Issue 2- accident consequence
MISRA, various (guidelines for safety analysis, modelling, and programming in automotive
applications)
SIL METHODOLOGY
ROLES AND RESPONSIBILITIES
Chairman
Responsible for chairing the SIL review meeting and ensuring the process runs smoothly in
accordance with the procedure. The Chairman shall ensure the team remain focused and do
not deviate from the objective of the study. The chairman shall have experience of conducting
a SIL or similar studies. The Chairman shall bring the SIL Assessment software. The SIL
Assessment and SIL Verification report shall be prepared by the Chairman.
 Secretary
Responsible for recording the discussion of the meeting, using the worksheets. It is preferable
that the SIL Secretary has a technical background in Instrumentation.
ROLES AND RESPONSIBILITIES

Lead HSE Design Engineer

The Lead HSE (Design) Engineer on the project shall to ensure that the SIL is performed to the
standards set out in this procedure. The Lead HSE Engineer shall ensure the administrative tasks
necessary to perform the SIL study completed (organisation of team, distributing the
documents, Chairman Selection, selection of venue, etc).
Lead Instrument Engineer
Lead Instrument Engineer shall be responsible to ensure completion of Project design
documents necessary prior to SIL study including vendor documents. He shall provide Chairman
the list of tags, initiating devices, final elements and service description for each SIF to include
into the worksheets.
ROLES AND RESPONSIBILITIES

Lead Process Engineer

Lead Process Engineer shall ensure that the P&ID’s are updated in line with the
recommendations given in the HAZOP.
Follow-up
The Follow-up Coordinator shall be nominated by Project Engineering Manager (PEM) who can
make project decisions on the conflicting requirements. The co-ordinator shall act on behalf of
the PEM to facilitate and expedite the satisfactory close-out of recommendations raised by the
SIL study. The overall responsibility of SIL close-out process lies with PEM.
SIL TEAM COMPOSITION

Presence of following team members both from Contractor and the Operating
Company is essential during the full duration of the review:
Process Engineer
Control and Instrumentation Engineer
HSE/ Safety Engineer
Operation Representative
Other discipline engineers( Mechanical, Civil, layout etc.) shall be
available on need basis
SIL STUDY SCHEDULE AND PRE-REQUISITES

The SIL study should be scheduled after completion of HAZOP study and incorporation of
major HAZOP recommendations onto the P&IDs and Cause & Effects Charts.
The following project specific documents shall be made available prior to the SIL workshop:
Piping & Instrumentation Diagrams
Cause and Effects Chart
HAZOP Report
QRA Reports
Plot plans
SIL METHODOLOGY

The common methods used for Target Safety Integrity Level determination are:
Risk Graph
Layer of Protection Analysis (LOPA)

Both these methods are included in the IEC61508 and IEC61511 standard.
The risk graph is a qualitative technique, the results tend to be quite subjective
and lead to SIL levels biased on the high side. The Layers of protection analysis
technique is quantitative and more accurate and it is becoming the widely
accepted technique for SIL determination.
It is advisable to consider Risk Graph method at the FEED stage and LOPA
technique during detail design phase. Appropriate methodology should be
chosen by the Project group after considering client guidelines or advice. In the
absence of Client guideline follow LOPA methodology for Detailed Design.
RISK GRAPH TECHNIQUE

The risk graph method is a qualitative approach to determine the level of

integrity required for the identified Instrumented Protective Functions (IPF) for
the project. The approach is based on the International Electro technical
Commission standard, IEC61511.

Risk graph analysis uses four parameters to make a SIL selection. These
parameters are consequence (C), occupancy (F), probability of avoiding the
hazard (P), and demand rate (W).
RISK GRAPH TECHNIQUE

Consequence represents the average number of fatalities that are likely to

result from a hazard when the area is occupied, and should include the
expected size of the hazard and the receptor’s vulnerability to the hazard.

Occupancy (Exposure Time Parameter) is a measure of the amount of time that

the area that would be impacted by the incident outcome is occupied.

The probability of avoiding the hazard will depend on the methods that are
available for personnel to know that a hazard exists and also the means for
escaping from the hazard.
RISK GRAPH TECHNIQUE
The demand rate is the likelihood that the accident will occur without considering the effect of
the SIF that is being studied, but including all other non-SIS protection layers.
A combination of consequence, likelihood, occupancy, and probability of avoidance
represents a level of unmitigated risk.
Once those categories have been determined, the risk graph is used to determine that SIL
that will reduce the risk by the appropriate amount.
Figure 1 contains a typical risk graph, as presented in IEC 61511-3.
The SIL is selected by drawing a path from the starting point on the left to the boxes at the
right by following the categories that were selected for consequence, occupancy and
probability of avoidance.
The combination of those three determines the row that is selected.
LAYER OF PROTECTION ANALYSIS

LOPA is one of the techniques developed in response to a requirement within the

process industry to be able to assess the adequacy of the layers of protection
provided for an activity. Initially this was driven by industry codes of practice or
guidance and latterly by the development of international standards such as
IEC61508
Steps
Following are the important steps, which shall be addressed during SIL assessment
sessions
Identify and list all Safety Instrumented Functions for the unit(s)
For each SIF identified: Define the worst consequence if the SIF failed to operate
when a demand occurs.
Categorize the consequence severity and tolerable frequency based on the
Company Risk guidelines.
The tolerable frequency will be selected from the reducible frequency band as per
the table
List all causes and likelihood for the initiating event
For each cause identify all available layers of protection and assign
failure probabilities for each layer
SIL ASSESSMENT REPORT

The SIL Assessment Report shall be prepared by Chairman using the company format and shall
include the following as a minimum:
Executive Summary
The scope of SIL Study
List of Participants
The systems examined
The results as captured in the worksheets
Conclusions and Recommendations
SIL VERIFICATION

During EPC phase of the project, SIL verification study will be performed if it
required contractually or any specific instruction from the Company.
SIL validation is not covered under this document as it is normally carried out
during operation phase.
The outcome of the SIL assessment is followed by a SIL verification study, where
the design of the safety instrumented system (SIS) is verified.
The risk reduction performance of any given SIF depends on the equipment chosen and the
redundancy levels.
SIL VERIFICATION

The safety performance evaluation is called SIL verification and requires reliability analysis
of the equipment with a view toward a particular failure mode titled "failure to function on
demand" or "fail danger.“
A piece of equipment used to implement a SIF has a certain probability that it will
not successfully protect a process if a dangerous condition (a demand) occurs.
This average "probability of failure on demand" (PFD) is calculated and
compared with the PFD average table to obtain a "design SIL.“
 If the design SIL is not greater than or equal to the target SIL, better technology or more
redundancy is required.
SIL VERIFICATION
The first step in SIL verification is gathering failure rate data and failure mode
data for the equipment selected. Thereafter, the designer calculates PFD sub
avg using simplified equations, fault-tree analysis, or Markov analysis.

There are two fundamental challenges faced during SIL verification:

Gathering the failure rate/mode data and
Building a PFD sub avg model.

Failure rate data is available in a generic sense from several industry databases,
including AIChE and OREDA.
Failure rate data is also available from some manufacturers, although it is often
difficult to source.
FOLLOW-UP AND CLOSE-OUT
Upon completion of the SIL assessment workshop, the Chairman will present the
findings of the study in the form of a SIL Assessment report.
Recommendations of the SIL assessment will be generally closed out by
Instrumentation discipline.
It is important that Project allocate adequate resources to not only perform the SIL
study but to ensure that the recommendations raised in the SIL report are
satisfactorily closed out.
The PEM shall be responsible to ensure that the adequate resources are available
for timely completion of SIL study.
In general almost all SIL actions belong to instrument group, therefore as a general
practice PEM will nominate instrument engineer to own the SIL close-out responses.
The PEM nominee shall prepare & issue the SIL Close-out report
 Probability of Failure on Demand average
SIL (PFDavg) Risk Reduction Availability (%)

4 10-4 to 10-5 10,000 to 100,000 99.99 to 99.999

3 10-3 to 10-4 1,000 to 10,000 99.9 to 99.99

2 10-2 to 10-3 100 to 1,000 99 to 99.9

1 10-1 to 10-2 10 to 100 90 to 99