Selection of Technique for Assigning A Target Safety Integrity Level (SIL) for Safety Instrumented

Systems (SIS)

SIS consists of instrumentation or controls that are installed for the purpose of mitigating the hazard or bringing
the process to a safe state in the event of a process upset. SIS requirements are indentified by performing a
HAZOP study of the Plant / relevant area. A mini safety workshop was conducted in the Kentz office in
conjunction with ADGAS personnel for better understanding of the Storex area, various operations affected as
part of this project and the potential for human / Asset / environmental loss in case of deviation from the
operational parameters.
There are six common techniques currently used in the industry for assigning target SIL for Safety Instrumented
Systems (SIS).
1. Modified HAZOP
This is an extension of the existing HAZOP process. It is a subjective assignment of the SIL based on the team’s
qualitative understanding of the incident severity (consequence) and likelihood of failure of SIS. It must include
an understanding of the process risk and the acceptable risk tolerance of the company. The SIL is assigned by
qualitatively examining the risk potential and selecting a SIL that seems appropriate by the team’s estimation of
the risk.
Problems: HAZOP report not provided by ADGAS, ADGAS may not be able to provide credible failure data for
the SIS (lack of vendor support / obsolete instruments / lack of historical information from plant)
Favorable: HAZOP report required for Storex Area to identify credible consequences, generic failure data
available for the instruments or use input from ADGAS for qualitative historical information.

2. Consequence Only
The most conservative technique, Consequence only, uses an estimation of the potential consequence of the
incident. The incident frequency is not considered. This method, while conservative, is the simplest tool to utilize,
because the team does not need to estimate the PFD, which is often the most difficult estimation for the team to
make. This method is especially appropriate when the process history is very limited.
Sample: Consequence only decision table can be modified to include Asset loss / environmental damage
SIL Generalized View
4 Potential for fatalities in the community
3 Potential for multiple fatalities
2 Potential for major serious injuries or one fatality
1 Potential for minor injuries

Problems: HAZOP report not provided by ADGAS; highly qualitative and no consideration of probability of
occurrence
Favorable: HAZOP report required for Storex Area to identify credible consequences, enable a more thorough
approach and creation of a HAZOP report for future reference.

3. Risk Matrix
This is the most common techniques, among refining, chemical and petrochemical companies, uses a risk matrix,
which provides a correlation of risk severity and risk likelihood to SIL. The Risk matrix method allows the
probability of the potential event to be considered in conjunction with the consequence to provide a semi-
qualitative assignment of SIL.
A corporate risk matrix provides control of the SIL assigned for a particular severity and likelihood. During the
assessment of the incident severity and likelihood, the available layers of protection must be evaluated and their
effect on the incident severity and likelihood must be determined. For risk reduction consideration, the layers of
protections must be independent, verifiable, dependable, and designed for the mitigation of the specific risk.

Sample: ADGAS Risk Matrix modified to reflect the SIL Assignment

It is advisable to consider replacing the Probability definition for this project with the following:
Frequent – Has happened few time in the history of the Plant
Probable – Has happened few times in the history of Das Island
Occasional – Has happened few times in the Oil & Gas sector
Remote – Has happened few times in some industry
Improbable – Has never occurred in the world
Problems: HAZOP report not provided by ADGAS, hence no credible consequence or probability of occurrence
Favorable: HAZOP report required for Storex Area to identify credible consequences and probability of
occurrence input from ADGAS; enable a more thorough approach and creation of a HAZOP report for future
reference.

4. Risk Graph
The international standard IEC 61508 (draft) provides an alternative method to the Risk matrix. It is called a Risk
graph and provides a SIL correlation based on four factors:
1. consequence (C),
2. frequency and exposure time (F),
3. possibility of avoiding the hazardous event (P), and
4. Probability of the unwanted occurrence (W).
This method is a qualitative technique that focuses most of the evaluation on an individual person’s risk. The four
factors are evaluated from the point of view of a theoretical person being in the incident impact zone. This method
is consequence driven, but allows credit for controlling access to the facility. For this method, the likelihood and
consequence are determined by considering the independent protection layers during the assessment.
Figure 3 Sample Risk graph

The Risk graph method uses the four parameters: Consequence-C, Frequency of exposure-F, Possibility of
escape-P, and Likelihood of event-W. The analysis proceeds with a determination of each of the parameters, in
terms of levels shown as subscripted numbers. The Risk graph shown in Fig. 3 has four levels for consequence,
two levels for frequency, two levels for possibility of escape, and three levels for likelihood. As the subscripted
numbers increase, the perceived hazard is higher.
Each of these levels must be carefully defined on a corporate basis for the methodology to be useful. The
consequence, C, is not simply defining the incident in terms of loss of containment, fires or chemical releases, as
defined in the PHA process. It is examining the incident from the exposed person’s perspective in terms of an
injury or fatality. For the example Risk graph shown in Fig. 3,
Consequence levels are as follows:
C1 = Minor injury
C2 = Serious permanent injury to one or more persons
C3 = Death to several people
C4 = Very many people killed
Exposure frequency, F, the process unit must be evaluated in terms of the personnel presence and activity in the
unit.
Possibility of escape, P, can be difficult for the hazards evaluation team to agree upon, because, as engineers and
risk assessment people; there is a tendency to want to believe that people can always escape if there are alarms.
Probability of occurrence, W, is based on the likelihood of the event, which should be evaluated without taking
into account any existing safety instrumented systems. The likelihood parameter in the Risk graph is the same as
that determined for the Risk matrix.
Problems: HAZOP report not provided by ADGAS, hence no credible consequence; focuses on Individual risk,
the qualitative estimation of exposure frequency, possibility of escape and probability of occurrence will be
difficult.
Favorable: We have a copy of an ADGAS approved risk graph utilized on a previous project; it is calibrated for
personnel, asset and environmental loss
 5. Quantitative Assessment
The quantitative approach to SIL assignment is the most rigorous technique to utilize. The SIL is assigned by
determining the process demand or incident likelihood quantitatively. The potential causes of the incident are
modeled using a quantitative risk assessment technique, such as a fault tree. The quantitative technique is often
used when there is very limited historical information about the process, so that the qualitative determination of
likelihood is extremely difficult.
Problems: Very complicated, time consuming and not essential to this project as the plant has been existence for
many years now.
Favorable: Detailed approach and higher level of confidence in the result

6. Corporate Mandated SIL

This is the least time consuming method, which is one being adopted by many small, specialty chemical plants
that do not wish to devote extensive manpower to SIL assignment methodologies. This method recognizes that the
greatest increase in cost occurs when the decision is made that the SIL must be higher than SIL 1. The selection of
SIL 2 or SIL 3 forces the SIS design toward device redundancy and diversity. With this recognition, many small
companies are taking the approach that "a safety system is a safety system and therefore should be SIL 3".
Problems: Scope of the project to move away from single SIL rating, ESD to contain SIL 3 I/O and DCS to
contain all other I/O
Favorable: saves time in the PHA process, reduces documentation in justifying the SIL choice, and ensures
consistency across process units.

Conclusion:
Based on the review of the above mentioned 6 techniques for assignment of SIL and the understanding gained
from the mini safety workshop; following points were concluded:
• No HAZOP Report available for the Storex Area; hence a need for developing a HAZOP report for the
area.
• HAZOP workshop will provide an excellent platform to develop credible consequences and to identify
the probability of occurrence of various events.
• The HAZOP workshop will also provide the team with adequate information to opt for 4 out of the 6 SIL
techniques reviewed (modified HAZOP, Consequence only, Risk Matrix, and Risk Graph).
• Due to the lack of credible failure data for the SIS (lack of vendor support / obsolete instruments / lack of
historical information from plant), Modified HAZOP technique will have to be excluded.
• As Consequence only technique does not consider the probability of occurrence and the severity of the
consequences identified during the mini safety workshop were mostly marginal, it is not advisable to
utilize this technique for this project.
• Risk Matrix would be a better option than Risk Graph technique as the estimation required is only for the
probability of occurrence of the event, as compared to the qualitative estimation of exposure frequency,
possibility of escape and probability of occurrence. Another short coming of Risk Graph is that it focuses
mainly on individual risk, which is marginal in this area.
• Risk Matrix will be the best approach and provide result with adequate confidence in the assigned SIL
ratings.
Ideal approach would be to conduct a HAZOP workshop for the Storex area affected by this project (exclusion to
be decided and approved), identification of all existing SIS in the Storex Area. The consequences and the
probability of the occurrence of the event identified in the HAZOP report will form the basis for assigning SIL
rating to the SIS in accordance with the modified Risk Matrix. This will be a semi-quantitative approach.