Reliability of Instrumented Safety Systems (SIL)

Reliability requirements to instrumented safety systems are normally defined through the use of Safety Integrity Levels (SIL). The concept of SIL was introduced in the late nineties through the international standard IEC61508. Later IEC61511 was issued tailored to the process industry. These standard states requirements to ensure that instrumented safety systems are designed, implemented, operated and maintained to provide a required safety integrity level.

The standards encompass all phases from the initial hazard and risk assessment, through design and engineering to operation of the safety systems.

The first step in the process is to identify risks related to personnel, assets or environment. The reliability requirements of the instrumented safety functions can then be determined, considering all other risk reducing measures. There are several methods to determine the SIL requirements, among those are the Risk Graph method and Layer of Protection Analysis (LOPA)

After performing the initial SIL evaluations the results are documented in a Safety Requirement Specification (SRS). The SRS shall serve as input to the design process, and also include requirements related to subsequent operation of the system.
 

Functional Safety Management Plan

Essential in the IEC standards are the management of functional safety. This document presents the plans and working methods, and includes everything from activity planning, design and engineering, to installation and commissioning.

Lilleaker have assisted customers in developing SIL working methods and verification plans on several projects.
 

SIL Allocation Report

The purpose of a SIL allocation report is to present the results from the SIL allocation process. This document includes a list of instrumented safety functions and their assigned Safety Integrity Levels.

The Safety Integrity Levels can be defined in a number of ways. The most common are LOPA, risk graph or using predefined SIL requirements presented in the Norwegian Oil and Gas association GL070. Other quantitative methods may also be used.

The Safety Requirement Specification, SRS, will later be based on the results from the SIL allocation process.
 

Safety Requirement Specification (SRS)

SIL requirements to instrumented safety functions shall be documented in a Safety Requirements Specification document (SRS) in accordance with the IEC61511 standard.

The SRS shall contain necessary information and requirements, such as:

  • Description of the instrumented functions
  • The safety integrity level of each function
  • Definition of the safe state of each function
  • Demand rate
  • Requirement for proof-test intervals
  • Response time requirements
  • Survivability requirements in case of accidents or extreme environmental conditions

Detailed requirements to the contents of the SRS are given in IEC 61511-1.

The SRS shall serve as input to the design process, and also include requirements related to subsequent operation of the system.
 

SIL Compliance Document

The SIL Compliance document shall demonstrate that the instrumented safety functions comply with the SIL requirements presented in the SRS.

There are three main requirements, for each safety function, that shall be complied with;

– Quantitative requirements
– Architectural constraints (redundancy)
– Avoidance and control of systematic faults

It is necessary to document compliance with these requirements.

A SIL compliance report is often developed in several iterations throughout a project. In the initial phases the intention is to demonstrate that the requirements are likely to be met. Any deviations should be presented to the project as early as possible.

In later phases the intention is to show compliance given the equipment specific reliability data.
 

Safety Manual/Safety Analysis Report

Suppliers of equipment which is part of an instrumented safety system are responsible for providing evidence that the equipment is suitable for use in safety related applications.

This evidence is normally presented in a Safety Manual, and shall demonstrate compliance with the requirements defined in the project Safety Requirement Specifications (SRS).

The Safety Manual shall include necessary information to demonstrate compliance, such as:

  • Equipment description
  • Failure rates
  • Diagnostic coverage
  • Response time
  • Frequency of testing
  • Operational constraints

The IEC 61508 standard lists information that shall be available for each safety-related subsystem and documented in the Safety Manual.

The classification of equipment failures may be documented through the use of Failure Mode, Effect and Criticality Analysis (FMECA).
 

Functional Safety Assessments (FSA)

The IEC61508/IEC61511 standards require that a Functional Safety Assessment, FSA, is carried out as part of the SIL lifecycle process. A Functional Safety Assessment is an independent review of the instrumented safety functions and the design process.

The FSA is carried out using checklists prepared based on SIL standards, and spot checks to ensure that the SIL process is carried out in accordance with the standards.

fsa
The intention is to ensure that the instrumented safety function is selected and designed in accordance with the SIL standards, to ensure that the probability and the consequences of the hazardous event meet the acceptance criteria.
 

Layer of Protection Analysis (LOPA)

Layer of Protection Analysis (LOPA) is used to determine the reliability requirements of the instrumented safety functions based on the severity of the hazards, in combination with other risk reducing measures. An example of independent layers of protection is illustrated in the figure below.

lopa

LOPA is a semi-quantitative analysis, and is by several major companies the preferred method to define SIL requirements for instrumented safety functions designed to prevent unintended incidents.

The LOPA method conforms to industry standard IEC 61511.

In order to evaluate a safety instrumented function using the LOPA methodology, both the initiating events causing a demand on the function, and the consequences in case of failure of the function have to be assessed. A LOPA shall be performed in a multidisciplinary workshop and may be quite a comprehensive task.
 

Risk Graph Analysis

A Risk Graph is used to determine reliability requirements of the instrumented safety functions based on the severity of the hazards, in combination with other risk reducing measures. The risk graph method is a less comprehensive analysis than a LOPA and may yield less accurate results.

The risk graph method utilizes four risk parameters;

  • Consequence of the hazardous event (C)
  • Frequency of presence in the hazardous zone × exposure time (F)
  • Possibility of avoiding the consequences of the hazardous event (P)
  • Probability of the unwanted occurrence (W)

The combination of the risk parameters above enables a risk graph as shown in the figure below. Following a path given by the parameters determine the reliability requirement.

risk-graph