A good deal of misunderstanding exists about what an SIL is and how it is assigned. Yet anyone involved in products that are to be used in Safety Instrumented Systems should know how this designation came to be and what it means.
Many valve end users, piping engineers and valve manufacturers are responsible for products to be used in Safety Instrumented Systems (SIS). But these “valve people” tend to be mechanically oriented, not particularly oriented toward instrumentation. Nonetheless, these days any valve person may very well be responsible for equipment to be used in what is typically, but perhaps incorrectly, referred to as an “SIL [Safety Integrity Level] application.” But the issue of specifying or using products with an SIL can be confusing and intimidating for people not familiar with what the term means.
This article seeks to provide non-instrumentation personnel with a basic overall understanding of what SIL is and how to think about it in terms of the selling, use or purchase of valve and actuator products, particularly as it applies to partial stroke valve testing (PST). It deals with broad concepts and generalities of SIL, recognizing there are always exceptions to the rules.
Taking this topic that, for many, is shrouded in mystery, confusion and intimidation and making it into something that can be understood in general terms should help all valve people serve their companies and customers better.
WHAT IS SIL?
Understanding SIL begins with learning where SIL came from, and what is involved.
As a result of industrial accidents such as the Bhopal pesticide plant disaster and the Piper Alpha offshore platform explosion in the 1980s, increasing attention has been paid to the risks within industrial processes. Today, we are constantly weighing the relative risks involved with the hazardous processes (refined fuels, hydrocarbons, petrochemicals and the like) that are so necessary to our modern way of living.
We also look for ways to meet demands for continuous operation for as many months and years as possible, because plant shutdowns result in a reduced revenue stream. These demands on plant operations, coupled with the advent of more recent safety procedures, reliability engineering and much more, have led to greatly extended times between routine “maintenance shutdowns” (a time to close down process plant operations and concentrate on maintenance of equipment and testing of safety systems). This, in turn, has led to increased attention to reducing operational risk.
The increasing number of industrial accidents and the resulting pressure from insurance companies and governmental oversight/safety agencies created a movement to set standards for the classification of SIS. The oversight bodies posed this question to process plants:
If the plant is going to remain operational for an extended period of time, how can we be assured that the plant’s safety systems will function correctly when called upon?
Industry responded to this question with accepted industry standards (essentially self-governing practices) such as ISA-S84.01 and IEC 61508/61511 to measure the acceptable level of performance of these systems. Adherence to the standards became a best practice. Note that the standards are not prescriptive; they are performance oriented. They say what level needs to be achieved, not how to reach that level. Ultimately, it is up to the end user to decide how that’s to be done.
An SIS is designed to prevent or reduce hazardous events by taking a process to a safe state when predetermined conditions are violated. An SIS can typically be an emergency shutdown system (ESD), a safety interlock system or a safety shutdown system. Each SIS will have one or more Safety Instrumented Functions (SIF). Such a function might be something like:
- When the tank pressure gets too high, a safety valve opens.
- When the solution in the tank gets too hot, the inlet steam valve closes.
Of course, each SIF loop will be a combination of logic solvers, sensors, solenoids and final control elements, such as an automated valve. Every SIF within an SIS is assigned an SIL. These SILs may be the same or they may differ, depending on the process. A common misconception is that every safety function in a system must carry the same SIL.
An SIL is essentially a measure of the system performance in terms of Probability of Failure on Demand (PFD). If the goal is to reduce risk, we need to understand what that risk is. The simplified equation for risk is:
Risk = Probability X Consequence
We can think of probability in terms of hazard frequency (how often will a process exceed normal conditions and need to be brought to a safe state?) and consequence in terms of hazard severity (what happens to the plant, employees, environment and community if the process upset is not brought to a safe state?).
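To make the PFD idea concrete, the following is an added example, not code from the article: it estimates the average PFD of a single (1oo1) shutdown valve, maps it to the IEC 61508 low-demand SIL bands, and shows how partial stroke testing (PST) between full proof tests changes the result. It assumes the standard simplified approximation PFDavg ≈ λDU·T/2, the usual RRF = 1/PFDavg convention, and constructed sample values for the failure rate, test intervals and PST coverage.

```python
# Added example (not from the article): estimate the average PFD of a single
# (1oo1) shutdown valve and map it to an IEC 61508 low-demand SIL band, with
# and without partial stroke testing (PST). The failure rate, test intervals
# and PST coverage are constructed sample values, not data from any product.

# IEC 61508 low-demand SIL bands: PFDavg must be below the listed upper bound.
SIL_UPPER_BOUNDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def sil_for_pfd(pfd_avg):
    """Return the SIL a PFDavg qualifies for (0 if worse than SIL 1)."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd_avg < upper:
            return sil
    return 0


def pfd_1oo1(lambda_du, proof_interval_h, pst_interval_h=None, pst_coverage=0.0):
    """Simplified PFDavg for a 1oo1 final element (assumed approximation).

    lambda_du        dangerous undetected failure rate, per hour
    proof_interval_h full proof-test (shutdown) interval, hours
    pst_interval_h   partial-stroke test interval, hours (None = no PST)
    pst_coverage     fraction of dangerous failures a partial stroke reveals

    Without PST: PFDavg ~= lambda_du * T / 2. With PST, the covered fraction
    of failures is only exposed for the (shorter) PST interval; the rest is
    exposed for the full proof-test interval.
    """
    if pst_interval_h is None or pst_coverage <= 0:
        return lambda_du * proof_interval_h / 2
    covered = pst_coverage * lambda_du * pst_interval_h / 2
    uncovered = (1 - pst_coverage) * lambda_du * proof_interval_h / 2
    return covered + uncovered


def risk_reduction_factor(pfd_avg):
    """RRF = 1 / PFDavg: how many times the SIF reduces the hazard frequency."""
    return 1 / pfd_avg


if __name__ == "__main__":
    LAMBDA_DU = 2e-6          # constructed: 2 dangerous undetected failures per 1e6 h
    PROOF_TEST_H = 3 * 8760   # constructed: full stroke test at each 3-year shutdown
    PST_H = 730               # constructed: partial stroke test monthly
    PST_COVERAGE = 0.7        # constructed: PST reveals 70% of dangerous failures

    for label, pfd in (("no PST", pfd_1oo1(LAMBDA_DU, PROOF_TEST_H)),
                       ("monthly PST", pfd_1oo1(LAMBDA_DU, PROOF_TEST_H, PST_H, PST_COVERAGE))):
        print(f"{label:12s} PFDavg={pfd:.5f}  RRF={risk_reduction_factor(pfd):6.0f}  SIL {sil_for_pfd(pfd)}")
```

With the constructed values, the valve alone reaches only SIL 1 over a three-year shutdown interval, while monthly partial stroke testing brings the same valve into the SIL 2 band.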
Where the SIL number comes from or how it is determined might be described in the following simplified sequence:
- A decision is made that a process plant needs to comply with the international standards for process safety systems, usually IEC 61511.
- The plant forms a HAZOP (Hazard and Operability Study) team. Essentially the HAZOP procedure involves taking a full description of a process and systematically questioning every part of it to establish how deviations from the design intent could arise. Once identified, an assessment is made whether such deviations and their consequences can have a negative impact upon the safe and efficient operation of the plant. If considered necessary, action is then taken to remedy the situation. In a sense, this is based upon Murphy's law: Anything that can go wrong, WILL go wrong. What the HAZOP team attempts to determine is: What will go wrong? The team might be comprised of process design engineers, operations personnel, maintenance and instrumentation engineers, etc.
- As part of the HAZOP, all instrument safeguards, i.e., SIS, are identified and validated for their primary capability to prevent an incident from occurring or to mitigate the consequences of an accident. SIL classification of an SIS is the next step after the HAZOP to ensure that the SIS provides sufficient risk reduction.
- Essentially, the HAZOP team identifies which systems will create the highest level of risk if the SIF fails and then determines the impact of the failure, i.e., the consequence of failure.
- Consequences of failure might be listed in escalating order of severity, though the possibilities are endless. In other words, the list might address: “If the system fails...”
  - The plant will lose $15,000 per day.
  - The plant will lose $1 million per day.
  - The plant will become damaged and will shut down for three weeks.
  - A high degree of probability exists for injury or loss of life to company personnel in the immediate area.
  - A high degree of probability exists for explosion and loss of life to non-company personnel outside the perimeter of the facility.