
Page 1: Safety Integrity Level (SIL) - HAZOP Malaysia · 03.07.2009 · Each SIS has one or more Safety Instrumented Functions (SIF ... • 29 CFR Part 1910, "Process Safety ... right SIL-2

Safety Integrity Level (SIL)

DR. AA, Process Control and Safety Group


SIS

• Safety instrumented systems (SIS) are used to provide safe control functions for processes, e.g. emergency shutdown (ESD), fire detection and blowdown functions. SIS typically are composed of sensors, logic solvers and final control elements.

• A Safety Instrumented System is designed to prevent or mitigate hazardous events by taking a process to a safe state when predetermined conditions are violated.

• Other common terms for SISs are safety interlock systems, emergency shutdown systems (ESD), and safety shutdown systems (SSD). Each SIS has one or more Safety Instrumented Functions (SIF).


SIL

• SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, in terms of probability of failure on demand (PFD).

• A SIL is a statistical representation of the reliability of the SIS when a process demand occurs.
  – The higher the SIL is, the more reliable or effective the system is.

• To perform its function, a SIF loop has a combination of logic solver(s), sensor(s), and final element(s). Every SIF within a SIS will have a Safety Integrity Level (SIL). These SIL levels may be the same, or may differ, depending on the process.

• It is a common misconception that an entire system must have the same SIL level for each safety function.


SIS and SIL

• In the Safety Life Cycle outlined in ISA-S84.01-1996 (ISA, 1996), steps are included to determine if a SIS (Safety Instrumented System) is needed and to determine the target SIL (Safety Integrity Level) for the SIS.

Safety Integrity   Probability of Failure on Demand   Risk Reduction      Availability (%)
Level (SIL)        Average Range (PFD Average)
1                  10^-1 to 10^-2                     10 to 100           90 to 99
2                  10^-2 to 10^-3                     100 to 1000         99 to 99.9
3                  10^-3 to 10^-4                     1000 to 10,000      99.9 to 99.99
4                  Below 10^-4                        10,000 to 100,000   99.99 to 99.999


What do these numbers mean in the real world?

• SIL 1 means that a dangerous failure is probable once every 11.5 to 114 years of continuous operation.

• SIL 2 means that a dangerous failure is probable once every 114 to 1,141 years of continuous operation.

• SIL 3 means that a dangerous failure is probable once every 1,141 to 11,410 years of continuous operation.

• SIL 4 is defined but is unnecessarily high for machine safety applications and is considered economically not practical (unless you are in the nuclear ...).
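The SIL table and the "years of continuous operation" figures above are plain arithmetic on the PFD bands, and a SIS designer needs that arithmetic at the verification step (does the SIF's calculated PFDavg actually reach the target SIL?). The following is an added example, not code from the slides; it assumes the half-open bands SIL n: 10^-(n+1) <= PFDavg < 10^-n from the table, a 8760-hour year, and the IEC 61508 continuous-mode convention of a per-hour dangerous failure rate band of 10^-(SIL+4) to 10^-(SIL+5), which is where the years figures come from.

```python
from typing import Tuple

HOURS_PER_YEAR = 8760  # assumption: 365-day year, no leap days

# Ceiling of each SIL band from the table: SIL n requires PFDavg < 10^-n.
# SIL 4 is "below 10^-4" as the table states; no lower bound is given there.
SIL_UPPER_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def sil_from_pfd(pfd_avg: float) -> int:
    """Return the low-demand SIL achieved by a SIF with this PFDavg, or 0 if PFDavg >= 0.1."""
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError("PFDavg must be a probability in (0, 1]")
    achieved = 0
    for sil in (1, 2, 3, 4):
        # Ceilings shrink by a decade per SIL; keep climbing while PFD stays under them.
        if pfd_avg < SIL_UPPER_PFD[sil]:
            achieved = sil
    return achieved


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg, the 'Risk Reduction' column of the table."""
    return 1.0 / pfd_avg


def safety_availability_pct(pfd_avg: float) -> float:
    """Availability (%) = (1 - PFDavg) * 100, the last column of the table."""
    return (1.0 - pfd_avg) * 100.0


def continuous_mode_years(sil: int) -> Tuple[float, float]:
    """Years of continuous operation between dangerous failures for a SIL.

    Continuous/high-demand mode (IEC 61508 convention, assumed here) bands the
    dangerous failure rate at 10^-(sil+4) down to 10^-(sil+5) per hour, so the mean
    time between dangerous failures is 10^(sil+4) to 10^(sil+5) hours. Dividing by
    hours per year reproduces the SIL 1 figure of roughly 11 to 114 years quoted above.
    """
    if sil not in SIL_UPPER_PFD:
        raise ValueError("SIL must be 1..4")
    return 10.0 ** (sil + 4) / HOURS_PER_YEAR, 10.0 ** (sil + 5) / HOURS_PER_YEAR


def meets_target(pfd_avg: float, target_sil: int) -> bool:
    """Verification check: does the SIF's PFDavg reach the target SIL assigned by the PHA?"""
    return sil_from_pfd(pfd_avg) >= target_sil


if __name__ == "__main__":
    for pfd in (0.3, 0.05, 0.005, 2e-4, 5e-5):  # constructed PFDavg values
        print(f"PFDavg={pfd:<7g} SIL {sil_from_pfd(pfd)}  "
              f"RRF={risk_reduction_factor(pfd):>8.0f}  "
              f"availability={safety_availability_pct(pfd):.3f}%")
    for sil in (1, 2, 3, 4):
        lo, hi = continuous_mode_years(sil)
        print(f"SIL {sil}: dangerous failure about once every {lo:,.0f} to {hi:,.0f} years")
```

Note that a calculated PFDavg sitting just inside a band is worth exactly that band and nothing more; a PFDavg of 0.005 gives an RRF of 200 and meets SIL 2, but fails a SIL 3 target however close it looks.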


SIL levels

Event Likelihood             Consequence
                             Catastrophic   Major   Severe   Minor
Frequent                     SIL 4          SIL 3   SIL 3    SIL 2
Probable                     SIL 3          SIL 3   SIL 3    SIL 2
Occasional                   SIL 3          SIL 3   SIL 2    SIL 1
Remote                       SIL 3          SIL 2   SIL 2    SIL 1
Improbable                   SIL 3          SIL 2   SIL 1    SIL 1
Negligible / Not Credible    SIL 2          SIL 1   SIL 1    SIL 1


SIL Misconception

• It is a very common misconception that individual products or components have SIL ratings. Rather, products and components are suitable for use within a given SIL environment, but are not individually SIL rated. SIL levels apply to safety functions and safety systems (SIFs and SISs).

• The logic solvers, sensors, and final elements are only suitable for use in specific SIL environments, and only the end user can ensure that the safety system is implemented correctly.

• The equipment or system must be used in the manner in which it was intended in order to successfully obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure a SIL 2 or SIL 3 system.


Standards and Regulations relating to SIL Analysis

• ANSI/ISA-SP-84.01, "Application of Safety Instrumented Systems for the Process Industries," Instrument Society of America Standards and Practices, 1996.

• IEC-61508, "Functional Safety: Safety Related Systems," International Electrotechnical Commission, Technical Committee (1998).

• IEC-61511, "Functional Safety: Safety Instrumented Systems for the process industry sector", International Electrotechnical Commission, Technical Committee (Draft).

• "Programmable Electronic Systems in Safety Related Applications", Health and Safety Executive, U.K., 1987.

• 29 CFR Part 1910, "Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents", Occupational Safety and Health Administration, 1992.


Question !!!

• ENGINEER: "Why is this existing interlock SIL 2?"

• RISK ANALYST: "I don't know off the top of my head. What does the documentation say?"

• ENGINEER: "It was set in a safety review. And you were there!"

• RISK ANALYST: "Beats me! It doesn't look like it should be SIL 2 when I look at it now."

• So, how do we determine the required SIL?


Target SIL

• ANSI/ISA S84.01 and IEC 61508 require that companies assign a target SIL for any new or retrofitted SIS.

• The assignment of the target SIL is a decision requiring the extension of the Process Hazards Analysis (PHA).

• The assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to an acceptable level.

• All of the SIS design, operation and maintenance choices must then be verified against the target SIL.


How do we determine the right SIL - 1

• The modified HAZOP method in CCPS (1993) and in the informative annex of S84.01 depends on the team comparing the consequence and frequency of the impact event with similar events in their experience, and then choosing an SIL.

• If the event being analyzed is worse or more frequent, then they would choose a higher SIL. It is very much in the experience and judgment of the team.

• Thus, the SIL chosen may depend more on whether a team member knows of an actual impact event like the one being analyzed, and it may depend less on the estimated frequency of the event.


How do we determine the right SIL - 2

• The safety layer matrix listed in CCPS (1993) and in the informative annex of S84.01 (p. 49) uses categories of frequency, severity, and effectiveness of the protection layers.

• The categories are described in general terms and some calibration would be needed to get consistent results.

• The matrix was originally developed using quantitative calculations tied to some numeric level of unacceptable risk (Green, 1993).


How do we determine the right SIL - 3

• The consequences-only method (mentioned in S84.01) evaluates only the severity of the unmitigated consequence.

• If the severity is above a specified threshold, a specified SIL would be required.

• This method does not account for frequency of initiating causes; it assumes all causes are "likely".

• It is recognized that this method may give a higher required SIL than other methods.

• The perceived trade-off is reduced analysis time. On the other hand, for events whose causes have a high frequency, this method could give a lower SIL.


How do we determine the right SIL - 4

• The fault tree analysis (FTA) method quantitatively estimates the frequency of the undesired event for a given process configuration.

• If the frequency is too high, an SIS of a certain SIL is added to the design and incorporated into the FTA. The SIL can be increased until the frequency is low enough in the judgment of the team.

• FTA requires significant resources.
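The FTA route described above is the one method on these slides that produces a number rather than a judgment, so it is worth seeing the loop written out: quantify the top event, then credit an added SIS with the PFD of successive SIL bands until the frequency drops below what the team tolerates. The code below is an added example, not from the slides or from CCPS/S84.01. The fault tree, its initiating-cause frequencies, enabling-condition probabilities and the tolerable frequency of 1e-5 per year are all constructed for illustration; the gate arithmetic uses the rare-event approximation (OR of frequencies is their sum, AND is a product with at most one frequency input), and each SIL is credited only with the upper PFD of its band (10^-SIL), the least reduction that still counts as that SIL, so the answer errs on the conservative side.

```python
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Event:
    """Basic event: an initiating cause (frequency per year) or an enabling condition (probability)."""
    name: str
    value: float
    is_frequency: bool


@dataclass
class Gate:
    """OR/AND gate over basic events or other gates."""
    kind: str  # "OR" or "AND"
    children: List[Union["Event", "Gate"]] = field(default_factory=list)


def evaluate(node) -> Tuple[float, bool]:
    """Quantify a node as (value, is_frequency).

    OR of frequencies: rare-event sum. OR of probabilities: 1 - prod(1 - p).
    AND: product of all inputs; at most one may be a frequency, the rest
    probabilities, so the result is a per-year frequency when one input is.
    """
    if isinstance(node, Event):
        return node.value, node.is_frequency
    results = [evaluate(child) for child in node.children]
    freq_count = sum(1 for _, is_freq in results if is_freq)
    if node.kind == "OR":
        if freq_count not in (0, len(results)):
            raise ValueError("OR gate must not mix frequencies with probabilities")
        if freq_count:
            return sum(value for value, _ in results), True
        p_none = 1.0
        for value, _ in results:
            p_none *= 1.0 - value
        return 1.0 - p_none, False
    if node.kind == "AND":
        if freq_count > 1:
            raise ValueError("AND gate with more than one frequency input is ill-defined")
        product = 1.0
        for value, _ in results:
            product *= value
        return product, freq_count == 1
    raise ValueError(f"unknown gate kind {node.kind!r}")


def required_sil(unmitigated_per_year: float, tolerable_per_year: float) -> int:
    """Add a SIS of increasing SIL until the mitigated frequency is tolerable.

    Each SIL is credited with the ceiling PFD of its band (10^-SIL). Returns 0
    when no SIS is needed; raises if even SIL 4 does not bring the frequency down.
    """
    if unmitigated_per_year <= tolerable_per_year:
        return 0
    for sil in (1, 2, 3, 4):
        if unmitigated_per_year * 10.0 ** -sil <= tolerable_per_year:
            return sil
    raise ValueError("SIL 4 is not enough: change the process or add other protection layers")


def build_example_tree() -> Gate:
    """Constructed example: vessel overpressure. Every number here is made up for illustration."""
    initiators = Gate("OR", [
        Event("pump trip", 0.5, True),                    # per year
        Event("control valve fails open", 0.2, True),     # per year
        Event("operator error on startup", 0.1, True),    # per year
    ])
    return Gate("AND", [
        initiators,
        Event("operator ignores high-pressure alarm", 0.1, False),  # probability
        Event("relief valve fails to open", 0.01, False),           # probability
    ])


if __name__ == "__main__":
    top_frequency, _ = evaluate(build_example_tree())
    tolerable = 1e-5  # constructed tolerable frequency, per year
    print(f"unmitigated overpressure: {top_frequency:.2e}/yr, tolerable {tolerable:.0e}/yr")
    print("required SIL for the added SIS:", required_sil(top_frequency, tolerable))
```

With the constructed numbers the top event runs at about 8e-4 per year; SIL 1 only brings it to 8e-5, so the loop settles on SIL 2. Changing the tolerable frequency to 1e-6 pushes the answer to SIL 3, which is exactly the sensitivity the slides warn about: the result is only as defensible as the frequencies and the tolerable-risk figure fed in.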