Post on 19-Apr-2018

Lloyd’s Register Energy Conference Safety-driven performance 2012

Understanding Safety Integrity Levels (SILs)

Trygve Leinum, Department Manager

Anne Østdahl, Principal Consultant

Scandpower Risk Management

October 18, 2012

Short introduction to terminology

- Safety Integrity Level (SIL)
- Safety Instrumented Function
- SIL measure: Probability of Failure on Demand (PFD)

Demand: when the safety function is needed!

- Process upsets / deviations beyond limits for normal operating conditions.
- External hazardous events

Safety Integrity Levels: Definition from IEC 61508 (simplified)

- IEC 61508 defines 4 SIL levels for a Safety Function
- The SIL levels, SIL1, SIL2, SIL3 and SIL4, correspond to a range of safety integrity values (i.e. probabilities), where SIL4 is the strictest level.

Probability of failure on demand:

SIL 1: < 1 / 10
SIL 2: < 1 / 100
SIL 3: < 1 / 1000
SIL 4: < 1 / 10 000

Safety Instrumented Function (IEC 61511)

Safety function which can be either a safety instrumented protection function or a safety instrumented control function.

[Figure: safety instrumented function loop PSH -> PSD (PLC) -> SDV, labelled "SIL Requirement"]

Understanding Safety Integrity Levels (SILs)

- What?
- How?
- Why?

An ambitious title for a 45-minute speech, so these 45 minutes are limited to the authors' subjective opinion of: Why SIL?

The point of view is based on experiences from working within the risk and reliability field on the Norwegian Continental Shelf.

Understanding SIL?

After the Piper Alpha Disaster - 1988

The Piper Alpha disaster led to a new regime for application of quantitative risk analyses (QRAs) on offshore installations. The QRAs brought valuable knowledge, especially to conceptual layouts mitigating the consequences of fires and explosions.

Design in accordance with engineering standards

- Before the early 90's, the use of API RP 14C ruled the ground for design of safety systems for offshore production platforms.

Did the QRAs at that time (early 90's) reflect the reliability of specific process safety and emergency shutdown systems?

- What is the effect of our triple barrier X-mas trees?
- Have you given credit to our sophisticated built-in self-test function?
- What about our
  - Distributed Supervisory, Control and Safety Systems?
  - High Reliability Central Processing Units?
  - High Integrity Pressure Protection System ... etc., etc.?

"Need to know" questions from enthusiastic system engineers were limitless!

And the correct answer to these questions was: All safety systems are assumed to be designed in accordance with good engineering practices and relevant standards.

Integration of QRAs and Reliability Studies

- Still early 90's: a new era for reliability analyses and comprehensive verification studies
- Reliability of a safety function, defined as: the "ability to perform the required safety function", and the complementary event "loss of safety function"
- Quantitative measure: Probability of Failure on Demand (PFD)
- The general approach: justification by showing that reliability figures for the new design A are equal to or better than the figures for an existing "accepted" design B.

Introduction of Safety Integrity Levels - SILs

- A typical and simple example from reliability calculations: the probability of failure in shutting off the well-stream on a 40-well platform is approximately 10 times as high as for a 4-well platform.
- Not a big surprise, but anyhow not sufficiently covered in API RP 14C.
- API RP 14C was considered to originate from an environment with rather small installations compared to the biggest installations in the North Sea.
- There was an industry pull for reliability requirements as a supplement to the engineering standard
- The understanding of - WHY SIL? - took root

Today, two decades later, the excellent standard API RP 14C is still a basic engineering norm, but supplemented by the functional safety standards:

- IEC 61508 Generic standard
- IEC 61511 For process industry

Defining 4 safety integrity levels for Instrumented Functions

Safety Integrity Standards

Probability of failure on demand:

SIL 1: < 1 / 10
SIL 2: < 1 / 100
SIL 3: < 1 / 1000
SIL 4: < 1 / 10 000

Example - Xmas tree valves upon PAHH on separator

[Figure: safety instrumented function loop PSH -> PSD (PLC) -> SDV, labelled "SIL Requirement"]

Can SIL 2 be achieved for PAHH by closing Wing and Master valves on 17 Xmas trees? I.e. replacing the SDV with 17 x WV and MV.

SIL 2 requirement: PFDavg < 1 x 10^-2

With 50 % of the PFD allocated to the final element: PFDavg < 5 x 10^-3
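As an added worked example (not part of the presentation), the script below carries the 17-tree question through the simplified PFDavg formulas commonly quoted from IEC 61508-6 with repair time neglected: for a single element (1oo1) PFDavg ≈ λ_DU·T/2, and for a redundant pair (1oo2) with a β-factor common-cause fraction PFDavg ≈ ((1-β)·λ_DU·T)²/3 + β·λ_DU·T/2. Each Xmas tree is modelled as a 1oo2 pair (closing either the wing or the master valve suffices), and the trees are in series (every tree must close), so the per-tree PFDs add. The valve failure rate, proof-test interval and β are constructed assumptions for illustration, not figures from the slides; the 5 x 10^-3 budget and the SIL bands are the slide's own. The same arithmetic reproduces the earlier remark that a 40-well platform's shutdown PFD is about 10 times that of a 4-well platform, and the β sweep at the end shows how sensitive the answer is to the common-cause fraction, one of the pitfalls listed in the next slide.

```python
# Added example, not from the presentation: approximate PFDavg arithmetic for
# the "17 Xmas trees instead of one SDV" question, using the simplified
# IEC 61508-6 formulas (repair time neglected).

# Simplified SIL bands from the slides' table: (level, PFDavg upper bound),
# strictest first.
SIL_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def achieved_sil(pfd_avg):
    """Return the SIL level whose PFDavg band contains pfd_avg (0 if none)."""
    for level, upper in SIL_BANDS:
        if pfd_avg < upper:
            return level
    return 0


def pfd_1oo1(lambda_du, test_interval_h):
    """PFDavg of a single element: dangerous undetected failure rate lambda_du
    (per hour), proof-tested every test_interval_h hours. lambda*T/2 approximation."""
    return lambda_du * test_interval_h / 2.0


def pfd_1oo2(lambda_du, test_interval_h, beta):
    """PFDavg of two redundant elements where either one suffices (1oo2).
    Independent failures: ((1-beta)*lambda*T)^2 / 3.
    Common-cause failures: a 1oo1 term on the shared rate beta*lambda."""
    independent = ((1.0 - beta) * lambda_du * test_interval_h) ** 2 / 3.0
    common_cause = pfd_1oo1(beta * lambda_du, test_interval_h)
    return independent + common_cause


def pfd_series(pfds):
    """PFDavg of a function that fails if ANY sub-function fails (all trees
    must close). For small PFDs the plain sum is the standard approximation."""
    return sum(pfds)


def final_element_pfd(n_trees, lambda_du, test_interval_h, beta):
    """Final-element PFDavg when the SDV is replaced by wing + master valve on
    each of n_trees trees: one 1oo2 pair per tree, all trees in series."""
    per_tree = pfd_1oo2(lambda_du, test_interval_h, beta)
    return pfd_series([per_tree] * n_trees)


def meets_budget(pfd_avg, budget):
    """True if the computed PFDavg satisfies the allocated budget."""
    return pfd_avg < budget


# CONSTRUCTED assumptions for illustration (not data from the presentation):
LAMBDA_DU_VALVE = 2.0e-6   # dangerous undetected failures per hour, per valve
TEST_INTERVAL_H = 8760.0   # annual proof test
BETA = 0.10                # common-cause fraction between wing and master valve
# From the slide: 50 % of the SIL 2 requirement (PFDavg < 1e-2) for the final element.
SIL2_FINAL_ELEMENT_BUDGET = 5e-3


if __name__ == "__main__":
    single_sdv = pfd_1oo1(LAMBDA_DU_VALVE, TEST_INTERVAL_H)
    print(f"single SDV (1oo1):       PFDavg = {single_sdv:.2e}, "
          f"SIL band {achieved_sil(single_sdv)}")
    for n in (1, 4, 17, 40):
        pfd = final_element_pfd(n, LAMBDA_DU_VALVE, TEST_INTERVAL_H, BETA)
        print(f"{n:2d} trees (WV+MV each): PFDavg = {pfd:.2e}, "
              f"SIL band {achieved_sil(pfd)}, "
              f"meets 5e-3 budget: {meets_budget(pfd, SIL2_FINAL_ELEMENT_BUDGET)}")
    # The 40-well vs 4-well comparison: the series sum scales linearly with n.
    ratio = (final_element_pfd(40, LAMBDA_DU_VALVE, TEST_INTERVAL_H, BETA)
             / final_element_pfd(4, LAMBDA_DU_VALVE, TEST_INTERVAL_H, BETA))
    print(f"40-well / 4-well PFDavg ratio: {ratio:.1f}")
    # Sensitivity to the common-cause fraction: the 1oo2 result is dominated
    # by the beta term, so the choice of beta largely decides the verdict.
    for b in (0.02, 0.10, 0.20):
        pfd = final_element_pfd(17, LAMBDA_DU_VALVE, TEST_INTERVAL_H, b)
        print(f"17 trees, beta = {b:.2f}: PFDavg = {pfd:.2e}")
```

With these assumed figures a single tree pair lands well inside the SIL 3 band, four trees still clear the 5 x 10^-3 final-element budget, and seventeen do not; the verdict on the slide's question therefore depends entirely on the valve failure data and the β chosen, which is exactly why the next slide warns about reliability data and common-cause fractions.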

Pitfalls in SIL assessment

- Reliability data
  - Reliability data from manufacturers are often much better than operational experience.
  - This is partly compensated for by "proven in use" requirements
  - Guidelines provide generic data collected from existing installations
- Some model uncertainties
  - Selection of common cause failure fractions
  - Complex architectures ...

Manipulation of figures and results will always be possible!

Capitalization from the SIL approach

- A quantitative scientific approach, i.e. not opinion based
- Gives engineers the chance of optimizing, i.e. more safety for the money
  - balancing production uptime and safety performance
  - (or the same safety for less money)
- Final and self-convinced statement: the approach stimulates innovation, which in the long term is a competitive advantage for those who "have joined"!


Any questions?

The Group at a glance

- 278 offices delivering services in 228 countries
- Some 7,500 employees of 90 nationalities
- 101 companies
- Celebrating our 250 year anniversary this year
- Four business divisions:
  - Marine
  - Transportation (rail sector)
  - Energy (ModuSpec, Scandpower)
  - Management Systems (LRQA)
- Anticipated annual turnover $1.0bn


For more information, please contact:

Trygve Leinum

Department Manager / Principal Engineer

Scandpower AS, Norway

T +47 90 79 73 74

E tle@scandpower.com

W www.scandpower.com

W www.lr.org