The risk reduction factor from each independent layer can be combined to obtain the total risk reduction factor. Risk reduction factor (RRF) = 1/PFDavg.

Safety Integrity Level (SIL)

Safety Integrity Level (SIL) is a statistical representation of the safety availability of a SIS at the time of process demand. When the hazard identification and risk assessment phase concludes that a SIS is required, the level of risk reduction afforded by the SIS and the target SIL have to be assigned. The effectiveness of a SIS as an independent protective layer is described in terms of the probability that it will fail to perform its required function when it is called upon to do so.

The level of risk reduction varies with the amount of risk that has to be reduced and the tolerable risk that has to be achieved. Once the level of risk reduction is determined, it is expressed as a safety integrity level (SIL). An adequate safety related system (SRS) can then be selected by choosing a system that falls under the appropriate safety integrity level.

The necessity of a SIF is termed the demand mode and is classified as Low demand mode and High demand or Continuous mode. If the demand frequency is less than one per year and the test frequency is greater than two times the demand frequency, then it is called low demand mode. If the demand frequency is greater than one per year and the test frequency is less than two times the demand frequency, then it is considered high demand mode.

Target failure measures for SIF at low demand mode of operation are given in Table 1:

Safety Integrity Level | PFDavg. | Risk Reduction Factor
4 | ≥ 10^-5 to
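The RRF and demand mode rules above, worked through as an added example (not code from the article). The function names and sample figures are constructed, the SIL bands are the low demand values published in IEC 61508 rather than values read from the truncated Table 1, and independent layers are assumed to combine by multiplying their RRFs.

```python
import math

# Low demand mode PFDavg bands as published in IEC 61508 (assumption: these
# are supplied here, not read from the article's truncated Table 1).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

def total_rrf(layer_pfds):
    """Total RRF of independent layers: product of each layer's 1/PFDavg."""
    return math.prod(1.0 / pfd for pfd in layer_pfds)

def required_sif_pfd(initiating_per_year, tolerable_per_year, layer_pfds):
    """Largest PFDavg the SIF may have so the event meets the tolerable rate.
    A value >= 1 means the existing layers suffice and no SIS is required."""
    mitigated = initiating_per_year / total_rrf(layer_pfds)
    return tolerable_per_year / mitigated

def sil_for_pfd(pfd_avg):
    """SIL band containing this PFDavg, or None if it lies outside SIL 1-4."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None

def demand_mode(demands_per_year, tests_per_year):
    """Classify with the article's two rules; other combinations are left
    open by those rules and are reported as 'unclassified'."""
    if demands_per_year < 1 and tests_per_year > 2 * demands_per_year:
        return "low"
    if demands_per_year > 1 and tests_per_year < 2 * demands_per_year:
        return "high"
    return "unclassified"

def assess(initiating_per_year, tolerable_per_year, layer_pfds):
    """Return (required RRF, target SIL) for the SIF; SIL 0 = no SIS needed."""
    pfd = required_sif_pfd(initiating_per_year, tolerable_per_year, layer_pfds)
    if pfd >= 1:
        return 1.0, 0
    return 1.0 / pfd, sil_for_pfd(pfd)

if __name__ == "__main__":
    # Constructed scenario: 0.5 events/year, one existing layer (PFDavg 0.1),
    # tolerable frequency 1e-5 per year.
    print(assess(0.5, 1e-5, [0.1]))
    print(demand_mode(0.2, 1))
```
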
[Figure labels: Analysis, Realization, Operation]

The SLC analysis phase focuses on the SIL selection process and starts from the basic conceptual design of the process and safety system through to the release of the safety requirements specifications. This includes collecting supporting information on the process and the tolerable risk levels of the organization through PHA and HAZOP, and identifying potential safety instrumented functions. By LOPA, the amount of risk present without SIS is characterized. If the risk is within a tolerable level, a SIS is not required to be implemented and the process can rely on existing layers of protection. If the risk is intolerable, the appropriate SIL to reduce the risk to an acceptable level is determined and documented with relevant information as the safety specification.

The SLC realization phase focuses on designing and fabricating the SIS to meet the specifications yielded by the analysis phase.

The SLC operation phase runs from startup through to decommissioning of the entire safety system. The highlights of this phase are maintaining function, testing and proof testing the system to ensure the system is functionally safe. The operation phase ends when the system is fully decommissioned and taken out of service, or when it is modified with respect to a specific MOC, which will start the safety lifecycle from the beginning. The SLC can be summarized in three steps: analyzing the hazardous risk, designing the suitable solution and verifying that the solution effectively solves the hazard risk.

Proof Testing

In order to maintain the SIL level of a SIS loop, proof testing is an important factor. Dangerous failures are identified by proof testing. For a proof test executed online, all the proof testing devices shall be an integral part of the SIS loop. In most cases, full proof testing is not practical in a running plant. In this case partial stroke testing is adopted as a method to execute proof testing.

Periodic proof testing shall be carried out by well written procedures and methodologies, and proof testing shall have proper records with details such as description of tests, dates, name of person, serial number, tag numbers, results of tests and inspection, etc.

Personnel competency certification

A major issue faced by companies that implement SIS is the verification of personnel competency. Personnel who design, implement, maintain and operate SIS are required to be competent in the process they are assigned.

As per IEC 61508, “All personnel involved in any overall E/E/PES or software safety life cycle activity including management activities should have the appropriate training, technical knowledge, experience, and qualifications relevant to the specific duties they have to perform.” Personnel competency is therefore now a “Normative” requirement in the IEC 61508 edition 2.0. Many companies are concerned that there has been no guidance on how this assessment shall be carried out. There are agencies such as TUV, ISA, Exida, Risknowlogy and more which provide certification programs to overcome these issues.

What may go wrong in SIS design?

There is a general tendency to keep adding safeguards in the belief that the more safeguards added, the safer the process. In fact it is a false concept. As more and more safeguards that are unnecessary for the SIF are added, the effect is less focus on the safeguards that are critical to achieve tolerable risk. Unnecessary safeguards also add complexity, which may result in new unidentified hazard situations. Selection of a competitive team for the SIS design is an important criterion to achieve an optimum and economical design. Gathering relevant plant data and history is another major factor to be considered during SIS design.

October - December 2012