SIL stands for Safety Integrity Level. The methodology and its application are defined in standards like ANSI Standard 84.00.01 where a distinction is made between ‘basic process control’ and ‘safety instrumented systems’. A SIL assessment is normally an Execute phase project deliverable, however, industry practices vary between regions and there is no clear policy for when, SIL should be carried out, and the methodology that should be used (risk graph, FTA etc.)
Many projects decide not to carry out SIL assessment, which is appropriate for ‘vanilla’ projects with process safety control strategies based on API RP 14C Recommended Practice. This recommended practice requires a basic process control system (BPCS), and physically separate and independent Safety Instrumented Systems (SIS). The RP also provides several checklists for typical equipment items (tank, separator etc.) which identify minimum SIS requirements. Novel engineering systems, with little or no operating history, will however benefit from carefully allocating control functions between the Operators, the BPCS, and the SIS. In this case, SIL assessment informs decision-making during development of operating procedures and maintenance plans, in our experience it also helps avoid overcomplicated control systems with high spurious trip rates.
ANSI Standard 84.00.01 includes a guideline (Pt. 3), which outlines several methods for undertaking SIL assessment. In order of complexity, these include:
1. Quantitative risk assessment
2. Fault and event tree methods
3. Safety layer method (LOPA)
4. Risk graphs (generally used in Europe)
5. Risk assessment matrix methods
All of these methods have been used in industry worldwide. Feedback from the our clients suggests that each one has different merits.
Thus far we have referred to the SIL methodologies outlined in the ANSI / ISA Standard. Its focus is on safety instrumented systems, however, some safety functions can reasonably be allocated to the BPCS (e.g. in cases where there are redundant controls in the SIS). Others have therefore developed the concept of Instrumented Protective Functions (IPFs), these map to SIL in the manner shown Table 1. The intent of IPF Assessment is to identify the design, operation, and maintenance requirements for all control loops, during one assessment. This avoids having to separately assess how to allocate control functions between operators, the BPCS, and SIS, and provides a rational basis for determination of design specifications (e.g. dual redundancy), maintenance strategies (e.g. breakdown vs. preventive), and maintenance intervals.
Table 1 IPF and SIL ratings with range of probability of failure on demand
|IPF||SIL||Upper PFD||Lower PFD|