Ensuring a suitable level of safety is the primary goal of designing and operating all industrial projects, including process plants. By applying different protection layers, the possible plant risks are reduced to acceptable levels. The Safety Instrumented System (SIS), and accordingly the Safety Integrity Level (SIL) assigned to its functions, is one of the important protection layers for plant risk reduction.
SIL is Necessary for Process Safety
Because of the important role of SIS in process plant safety, and because SIL levels quantify that role (giving a better sense of how safety is measured than qualitative methods), most client specialists today pay special and very great attention to these concepts, and sometimes their expectations are higher than they should be. Some even think that SIS (with its associated SIL level concerns) can work a miracle in process safety, which is not true. In this article we review why SIL is a necessary condition for process safety but not a sufficient one, and why maximizing the effectiveness of the SIS protection layer requires noticing, studying, considering, and providing several other conditions and factors too.

Figure-1: Different Representations of Typical Risk Reduction Methods/ Layers.
Process Plant Safety by Applying Protection Layers
To reach an acceptable safety level in a process plant, different protection layers are applied to reduce the possible risks, both by preventing hazardous events and by mitigating their consequences. The occurrence of the hazardous event is the dividing point for classifying protection layers as prevention layers (acting before it) and mitigation layers (acting after it). Figure-1 shows three representations of the protection layers: the layer model of the IEC 61511 functional safety standard, Layers of Protection Analysis (LOPA), and the Bowtie model. Figure-2 then clarifies the risk reduction role of each possible protection layer.

Figure-2: Representing the risk reduction role of different protection layers of the process plant.
SIS is just one of the Protection Layers of Process Plant
Referring to Figures 1 and 2, we can see that the Safety Instrumented System (SIS) is just one of the protection layers considered for the process plant, and to reach the desired risk reduction we need to consider the roles of the other protection layers too.
SIL is the performance characteristic of just one of these multiple protection layers, and focusing on the best SIL performance cannot guarantee the good performance of the other layers. To repeat: for good risk reduction, the other protection layers must also work properly and fully play their roles. Therefore we should not expect all plant risk reduction to come from the SIL level (the performance characteristic of the SIS); the other protection layers must always be kept in view in parallel with the SIL level.
It should also be noticed that during SIL confirmation and validation we may not reach the target SIL level, in which case we may need to increase the share of risk reduction taken by the other protection layers.
SIS shall Act Rarely
Figure 3 gives another good representation of the actions of the prevention and mitigation layers in relation to the process plant status and the occurrence of a hazardous event.
Referring to Figures 1 to 3, we can see that before the SIS protection layer is reached there are other prevention layers; if these are applied and work properly and completely, the hazardous event is prevented and the SIS never needs to activate.

Figure-3: Prevention and Mitigation Layer Actions in Relation to Process Plant Status and the Occurrence of a Hazardous Event.
In fact, the process plant itself should be designed so that all process parameters settle at their normal values and status, and accordingly the next protection level, the process control system, should be designed, configured, and equipped with the best facilities (hardware and software) to control any process deviation or abnormal condition easily and completely.
Furthermore, a good alarm management system should be applied, with careful consideration of the different process safety times (PST) and of operator and process response actions (and their times) that are adequate for them, together with facilities for alarm classification, rationalization, and presentation. In that case the process parameters and status will seldom reach the trip level of the alarms, and so the SIS will rarely need to act. Tripping (stopping) the process plant is not desirable, since it means stopping normal production (and accordingly losing the relevant profit).
A lower frequency of reaching trip-level alarms corresponds approximately to a lower occurrence probability of hazardous events and hence to lower expected process plant risk. Remember that risk is the product of the occurrence probability and the severity of the hazard. Decreasing the possible process plant risks decreases the required (target) SIL level accordingly.
Simply put, the best process plant implementation makes rare use of the SIS (with an optimum SIL level), and to reach that goal the prevention layers other than the SIS must be investigated and established through complete and exact study and awareness.
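The relationship between demand frequency, the other protection layers, and the target SIL described above can be made concrete with a LOPA-style calculation. The following Python script is an added worked example, not part of the original article or of any standard's text; the scenario frequencies and layer PFD credits in it are constructed values, and the SIL bands are the low-demand PFDavg ranges of IEC 61511.

```python
# IEC 61511 / IEC 61508 SIL bands for low-demand mode, as
# (SIL, lower PFDavg bound inclusive, upper PFDavg bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd):
    """Map a required average probability of failure on demand to a SIL.

    Returns 0 when the required PFDavg is 0.1 or more (a risk reduction
    factor below 10, which IEC 61511 does not treat as a SIL-rated function).
    """
    if pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    # Below 1e-5 no single SIF can claim the credit; the scenario must be redesigned
    raise ValueError("required PFDavg %.2e is below the SIL 4 band" % pfd)


def frequency_without_sif(initiating_frequency, other_layer_pfds):
    """Hazardous-event frequency per year once every non-SIS independent
    protection layer has been credited.  LOPA multiplies the PFDs together,
    which assumes the layers are independent of each other and of the
    initiating event."""
    frequency = initiating_frequency
    for pfd in other_layer_pfds:
        frequency *= pfd
    return frequency


def required_sif_pfd(initiating_frequency, other_layer_pfds, tolerable_frequency):
    """PFDavg the SIF must achieve so the mitigated frequency meets the target.

    Returns 1.0 when the other layers alone already meet the target, i.e. no
    SIF is needed for this scenario.
    """
    residual = frequency_without_sif(initiating_frequency, other_layer_pfds)
    if residual <= tolerable_frequency:
        return 1.0
    return tolerable_frequency / residual


def target_sil(initiating_frequency, other_layer_pfds, tolerable_frequency):
    """Target SIL for the SIF protecting this scenario (0 = no SIF required)."""
    return sil_for_pfd(
        required_sif_pfd(initiating_frequency, other_layer_pfds, tolerable_frequency)
    )


if __name__ == "__main__":
    # Constructed scenario (not from the article): a vessel overflow hazard
    # whose tolerable frequency is 3e-5 per year.
    tolerable = 3e-5
    bpcs_pfd = 0.1      # independent BPCS loop, typical LOPA credit
    operator_pfd = 0.1  # alarm with enough process safety time for operator response
    layers = [bpcs_pfd, operator_pfd]

    # Case A: the initiating event (control loop failure) occurs once per year.
    print("Case A target SIL:", target_sil(1.0, layers, tolerable))    # 2

    # Case B: better process design and control cut the demand to 0.1 per year;
    # the same tolerable risk is now met by a SIL 1 function.
    print("Case B target SIL:", target_sil(0.1, layers, tolerable))    # 1

    # Case C: demands are so rare that the other layers suffice on their own.
    print("Case C target SIL:", target_sil(0.001, layers, tolerable))  # 0
```

Run as a script, it prints the target SIL for three demand frequencies against the same tolerable frequency: cutting the demand rate from one per year to one per ten years (the effect of the better process design, control, and alarm management described above) lowers the target from SIL 2 to SIL 1, and at one demand per thousand years the non-SIS layers alone meet the target. Each layer may be credited only if it is independent of the others and of the initiating cause; a layer that shares a sensor or a valve with the SIF cannot be multiplied in this way.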
SIL Level is Valid Only When the Complete Standard Requirements are Followed
IEC 61511 (“Functional Safety – Safety instrumented systems for the process industry sector”) is the global standard for implementing SIS in process plants. It defines, describes, and clarifies all the requirements and specifications for establishing an SIS in a process plant. The SIL levels proposed for the different Safety Instrumented Functions (SIFs) are valid only if the IEC 61511 requirements are followed over the complete safety lifecycle; focusing only on the proposed SIL level at the design stage of an industrial process plant project does not guarantee that the expectations behind those SIL levels will be met.

Figure-4: Management of Functional Safety in the Safety Life Cycle. (By System Vendor’s view – SIEMENS)
Figure-4 is a good representation of the verification and validation applied during the different stages of functional safety (SIS) management in the safety lifecycle (provided by SIEMENS). It is clear from Figure-4 that the SIS must be verified and validated throughout the safety lifecycle by different teams and responsible positions, and guaranteeing complete satisfaction of these requirements is not so easy.
So, simply put, more focus on the formally proposed SIL levels at the design stage of an industrial process plant project will not guarantee the completeness of process plant safety. Good process safety management must pay enough attention to all SIL requirements during the whole safety lifecycle. Furthermore, establishing the right SIS for a process plant depends on several less visible conditions and requirements, some of which are described in the following sections.
Competency Requirements for all SIL-Related Specialists
It is very important to notice that IEC 61511 places great emphasis on competency requirements for all SIL-related specialists throughout the whole safety lifecycle. Engaging wrong or weakly competent specialists at any stage will create big problems for the validity of the SIS established for the process plant and the SIL levels of its safety functions. Such problems may appear in planning, the SIL study meeting, SIS design (overall, hardware, and software), SIS fabrication and test, SIL calculation and verification, SIS test and SIL validation, SIS installation, SIS commissioning, SIS maintenance and operation, SIS modifications and changes, and SIS decommissioning. Figure-4 shows these stages of the functional safety management lifecycle.
For example, selecting wrong or weak specialists for the SIL study meetings may have bad results, such as over- or under-estimating the target SIL assigned to the different safety function loops. So it is very important to focus exactly on the right competency of all SIS-related specialists in order to have a valid SIS in the process plant and the right SIL levels for its safety function loops.
Right Time Planning for SIL Assessment
Planning all stages of functional safety (SIS) work at the right times has a great effect on the results of the project SIL assessment. For example, SIL study meetings should be arranged only after enough valid information and data about the process safety functions is available. In addition, enough time should be allowed for these meetings and for the follow-up actions that result from them. Hasty activities and badly timed actions can greatly affect the resulting SIS and its SIL levels.
Valid and Right Sequence of Design and Validation of SIS
Designing the safety systems on the basis of the right process plant project data, and acting on time on any changes or modifications, has a great effect on the established process plant SIS. It should be noticed that all project data, and the tracking of every change, have vital effects right up to the operation phase of the safety lifecycle. Furthermore, selecting certified safety system vendors, and maintaining close communication with and proper supervision of those vendors, is very important. There are many other factors in the design phase of the safety lifecycle that should be studied in more detail via other references or articles.
Providing the Right Project SRS for Process Plant SIS
Providing the right and complete data, information, documents, and procedures as the project SRS (Safety Requirements Specification) has a vital role in establishing a valid and effective process plant SIS. Figure-5 shows a sample list of SRS contents provided by the safety system vendor (SIEMENS).
The validity and completeness of all SRS contents should be monitored and audited by expert functional safety specialists, since the SRS is the basis of the subsequent site activities related to process safety management.
All safety datasheets should be provided as certified documents, and all follow-on safety activities should have suitable procedures or guidelines. For example, every proof-testing activity and every override (bypass) of a safety function should have a suitable procedure or guideline.
Of course, any future safety routines and activities should be provided with suitable facilities in the design phase, together with the relevant documents. Some of these documents will be used or finalized by the site process safety management teams, so they must be completely usable and applicable for that purpose. It is therefore clear that focusing in advance on the facilities required for the intended safety functions is very important.
SIL Study and Design Based on Complete, Valid, and Updated Data
All activities in every stage of the safety lifecycle (especially the SIL study and the design) should be based on complete, valid, and updated data and information; any deficiency in this regard will produce an imperfect SIS and imperfect SIL considerations.
Furthermore, any effective change or modification to a safety function requires the relevant part of the safety lifecycle to be reviewed or repeated. It is therefore very important to focus on (and trace) the sequence in which updated data and information are transferred and used as the basis of every safety lifecycle activity.
Exact Supervision of Correct Installation and Operation Checks during the Construction and Commissioning Phases of the Safety Lifecycle
All safety function loops of the SIS must respond properly under actual and realistic site conditions, so following the right requirements for installation and operation checks during the construction and commissioning phases of the safety lifecycle is very important. Figure-6 shows a sample of tracing a safety function during the installation and commissioning phases.

Figure-5: Sample of Safety Requirements Specifications (SRS) Contents List. (By System Vendor’s view – SIEMENS)
Checking during the design stage that all required installation conditions of the safety function loops have been considered, and providing complete installation procedures and supporting items, is very important for the final validity of the safety function loops.
However, sometimes the intended design of the safety function loops may also be changed or modified because of site feedback or technical queries.

Figure-6: Sample of tracing the practical issues of the installation of safety function loops.
Operation and Maintenance Precautions for Safety Function Loops
All safety function loops of the SIS must respond properly under actual and realistic site conditions, so tracing their performance and carrying out the right maintenance activities is very important. To make such actions possible, the complete precautions and the conditions and requirements of the maintenance facilities should be considered during the design phase of the safety lifecycle. The relevant procedures, such as proof testing and the precautions for bypassing safety functions, should also be provided during the design phase.
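The proof-test interval is one of the operation and maintenance conditions that must be fixed in the design phase, because it enters directly into the achieved PFDavg of a safety function loop and therefore into whether the loop still meets its SIL in service. The following Python script is an added example, not from the article or from any vendor's documentation; it uses the simplified IEC 61508 PFDavg expressions for 1oo1 (λDU·TI/2) and 1oo2 ((λDU·TI)²/3) architectures with no common-cause, diagnostic, or repair-time terms, and the failure rate used is a constructed figure.

```python
import math

# Upper PFDavg bound (exclusive) of each low-demand SIL band, IEC 61511.
PFD_UPPER_BOUND = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, proof_test_interval_h, architecture="1oo1"):
    """Simplified PFDavg of a subsystem with dangerous undetected failure rate
    lambda_du (per hour) that is fully proof tested every
    proof_test_interval_h hours.

    These are the textbook simplified expressions (no common-cause factor,
    no diagnostics, no repair time), so the result is optimistic; a real SIL
    verification uses the fuller IEC 61508 equations and certified failure
    data for the actual devices.
    """
    x = lambda_du * proof_test_interval_h
    if architecture == "1oo1":
        return x / 2.0
    if architecture == "1oo2":
        return (x ** 2) / 3.0
    raise ValueError("unsupported architecture: " + architecture)


def meets_sil(pfd, target_sil):
    """True when the PFDavg lies inside the target SIL band or a better one."""
    return pfd < PFD_UPPER_BOUND[target_sil]


def max_proof_test_interval_h(lambda_du, target_sil, architecture="1oo1"):
    """Longest proof-test interval (hours) that keeps the simplified PFDavg
    inside the target SIL band.  This is the figure the SRS should state and
    the site proof-testing procedure must honour."""
    bound = PFD_UPPER_BOUND[target_sil]
    if architecture == "1oo1":
        return 2.0 * bound / lambda_du          # from lambda*TI/2 < bound
    if architecture == "1oo2":
        return math.sqrt(3.0 * bound) / lambda_du  # from (lambda*TI)^2/3 < bound
    raise ValueError("unsupported architecture: " + architecture)


if __name__ == "__main__":
    # Constructed figure (not from the article): a single shutdown valve
    # assembly with lambda_du = 1e-6 dangerous undetected failures per hour.
    lam = 1e-6
    for years in (1, 2, 3, 5):
        ti = years * HOURS_PER_YEAR
        p = pfd_avg(lam, ti)
        print("1oo1, proof test every %d yr: PFDavg=%.2e, meets SIL 2: %s"
              % (years, p, meets_sil(p, 2)))
    # Longest interval that still supports SIL 2 with this hardware
    print("max interval for SIL 2 (1oo1): %.1f yr"
          % (max_proof_test_interval_h(lam, 2) / HOURS_PER_YEAR))
    # Same target with a redundant 1oo2 architecture
    print("max interval for SIL 2 (1oo2): %.1f yr"
          % (max_proof_test_interval_h(lam, 2, "1oo2") / HOURS_PER_YEAR))
```

The output shows that a loop whose hardware supports SIL 2 with an annual proof test drops into the SIL 1 band once the interval stretches to three years, which is why the SRS must state the proof-test interval and the site procedure must honour it. The simplified formulas are optimistic and ignore the hardware fault tolerance constraints of the standard, so the computed maximum intervals, particularly the long 1oo2 figure, are upper limits to be checked in a full SIL verification rather than values to adopt directly.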
Functional Safety and Process Safety Management (FSM and PSM) Overlaps
Functional Safety Management (FSM) is part of the Process Hazard Analysis (PHA) element of Process Safety Management (PSM). It is very important to notice that, to guarantee the safe and performant operation of the process plant, project management must follow the right and complete process safety management, and focusing on just one part of one element of those requirements (the SIS, or accordingly the SIL level) must not lead to carelessness about the other important elements (pillars) of safety. Functional safety management and process safety management nevertheless have some main overlapping concerns and relations, as shown in Figure 7, which is provided by the Institution of Chemical Engineers (IChemE).

Figure-7: Concern Relations between Functional Safety Management (FSM) and Process Safety Management (PSM), provided by IChemE.
Precise Feedback Obtained from Accident Investigations
A complete and exact study of feedback from process plant accidents (made by IChemE) concludes that several main factors contribute to accidents. As Figure-8 shows, these main factors can be listed as:
- Context (Abnormal operation, Escalation Potential).
- Natural Hazards (Earthquake, Tsunami, Flood, Cyclone/ Hurricane, Extreme Cold/ Ice).
- Design Factors (Hazard Identification, Process design, Equipment/ Piping Design, Materials of Construction, Instrumentation, Safety Instrumented Systems, Protective Systems, Plant Layout, Occupied Buildings).
- Operation Factors (Process Monitoring, Process Control, Cyber Security Breach, Alarm Management, Creeping Change, Hazard Awareness, Operation Risk Assessment).
- Maintenance Factors (Preventive Maintenance, Inspection/ Testing, Material Degradation, Work Planning, Maintenance Risk Assessment, Energy Isolation, Control of Work, Housekeeping).
- Personal (Human Factors, Role Clarity, Personal Protective Equipment).
- Competency (Communication, Procedures, Training, Supervision/ Leadership, Contractor Selection).
- Culture (Production over Safety, Normalization of Deviance, Quality Assurance/ Control, Management of Change, Failure to Learn, Emergency Preparedness, Process Safety Management).
- Regulator (Design Standards, Land Use planning, Regulatory Compliance Audits).

Figure-8: Major Process Safety Incident vs Root Cause Map (Quick Reference Guide) provided by IChemE.
Figure-8 shows that design factors have a great weight in the occurrence of accidents inside process plants, and among them the Safety Instrumented System (SIS) also has an appreciable role, so there are sound reasons for an exact focus on the SIS during the design phase.
However, it should be noticed that the SIS is just one of several root causes of process plant accidents; beyond it, other root causes may have greater or comparable weight, and so they should be considered in any study that focuses on this subject.
From Figure-8 we can also see that the different causes or roots of accidents may exist or be initiated in different phases of the project lifecycle. On closer inspection, however, many of them can be studied during the detail design phase of a project in order to remove or prevent such probable root causes in the future, or at least to reduce their risk weight. Furthermore, more detailed study may show that an exact SIS design also requires reviewing how the SIS affects the other accident root causes.
Conclusion
Good SIS design and implementation have a vital role in process safety, and among the different factors the SIL study, and especially the SIL values, carry great weight in this regard, but we find that:
- The SIS and the SIL levels of its safety loops are not the only condition for guaranteeing plant safety; in fact, we must study complete process safety management for a process plant design, in which FSM (with its SIL levels) is one part of one of the pillars (elements), namely Process Hazard Analysis (PHA). In fact, as explained in the reference article, beyond the SIS and SIL level, the process safety and performance key point aspects need special concern and study during the detail design engineering phase of the process plant project.
- For an efficient and reliable SIS, considering only the SIL values of the safety functions is not sufficient; to reach optimum efficiency, we must also review the different relevant conditions and requirements at the same time.
- Simply put, “the SIL (value) is a necessary condition for process plant safety, but it is not sufficient”, and several SIS-related requirements and extra conditions and facilities must be considered at the same time too.
References:
- Instrumentation Engineer in Process Plant Project
- A Good Practice on Override Safety Signal (Automation System)
- Safety Bypass Management System (Instrument & Control)
- Process Safety and Performance Key Point Aspects