SIL Made Simple

A good deal of misunderstanding exists about what an SIL is and how it is assigned.

Many valve end users, piping engineers and valve manufacturers are responsible for products to be used in Safety Instrumented Systems (SIS). But these “valve people” tend to be mechanically oriented, not particularly oriented toward instrumentation. Nonetheless, these days any valve person may very well be responsible for equipment to be used in what is typically, but perhaps incorrectly, referred to as an “SIL [Safety Integrity Level] application.” But the issue of specifying or using products with an SIL can be confusing and intimidating for people not familiar with what the term means.

This article seeks to provide non-instrumentation personnel with a basic overall understanding of what SIL is and how to think about it in terms of the selling, use or purchase of valve and actuator products, particularly as it applies to partial stroke valve testing (PST). It deals with broad concepts and generalities of SIL, recognizing there are always exceptions to the rules.

Taking this topic that, for many, is shrouded in mystery, confusion and intimidation and making it into something that can be understood in general terms should help all valve people serve their companies and customers better.


WHAT IS SIL?

Understanding SIL begins with learning where SIL came from, and what is involved.

As a result of industrial accidents such as the Bhopal pesticide plant disaster and the Piper Alpha offshore platform explosion in the 1980s, increasing attention has been paid to the risks within industrial processes. Today, we are constantly weighing the relative risks of the hazardous processes (refined fuels, hydrocarbons, petrochemicals) that are so necessary to our modern way of living.

We also look for ways to keep plants running continuously for as many months and years as possible, because every shutdown interrupts the revenue stream. These demands on plant operations, together with newer safety procedures, reliability engineering and much more, have greatly extended the time between routine “maintenance shutdowns” (the turnaround in which process operations stop and the plant concentrates on maintaining equipment and testing safety systems). A longer run between shutdowns also means a longer interval between tests of the safety systems, which in turn has led to increased attention to reducing operational risk.

The increasing number of industrial accidents and the resulting pressure from insurance companies and governmental oversight/safety agencies created a movement to set standards for the classification of SIS. The oversight bodies posed this question to process plants:

If the plant is going to remain operational for an extended period of time, how can we be assured that the plant’s safety systems, valves included, will function correctly when called upon?

Industry responded with accepted industry standards (essentially self-governing practices) such as ISA-S84.01 and IEC 61508/61511, which define the acceptable level of performance for these systems. Adherence to the standards became a best practice. Note that the standards are not prescriptive; they are performance oriented. They say what level of performance needs to be achieved, not how to reach it. Ultimately, it is up to the end user to decide how that is done.

An SIS is made up of one or more Safety Instrumented Functions (SIF). Each SIF is a single protective action that brings the process to a safe state, for example:

  • When the tank pressure gets too high, a safety valve opens.
  • When the solution in the tank gets too hot, the inlet steam valve closes.

Of course, each SIF loop will be a combination of sensors, a logic solver, solenoids and final control elements, such as an automated valve. Every SIF within an SIS is assigned its own SIL. These may be the same or they may differ, depending on the process; a common misconception is that every safety function in a system must carry the same SIL.

An SIL is essentially a measure of the system performance in terms of Probability of Failure on Demand (PFD). If the goal is to reduce risk, we need to understand what that risk is. The simplified equation for risk is:

Risk = Probability X Consequence

We can think of probability in terms of hazard frequency (how often will a process exceed normal conditions and need to be brought to a safe state?); and consequences in terms of hazard consequences (what happens to the plant, employees, environment and community if the process upset is not brought to a safe state?).

Where the SIL number comes from or how it is determined might be described in the following simplified sequence:

  • A decision is made that a process plant needs to comply with the international standards for process safety systems, usually IEC 61511.
  • The plant forms a HAZOP (Hazard and Operability Study) team. Essentially the HAZOP procedure involves taking a full description of a process and systematically questioning every part of it to establish how deviations from the design intent could arise. Once identified, an assessment is made whether such deviations and their consequences can have a negative impact upon the safe and efficient operation of the plant. If considered necessary, action is then taken to remedy the situation. In a sense, this is based upon Murphy's law: Anything that can go wrong, WILL go wrong. What the HAZOP team attempts to determine is: What will go wrong? The team might be comprised of process design engineers, operations personnel, maintenance and instrumentation engineers, etc.
  • As part of the HAZOP, all instrument safeguards, i.e., SIS, are identified and validated for their primary capability to prevent an incident from occurring or to mitigate the consequences of an accident. SIL classification of an SIS is the next step after the HAZOP to ensure that the SIS provides sufficient risk reduction.
  • Essentially, the HAZOP team identifies which systems will create the highest level of risk if the SIF fails and then determines the impact of the failure, i.e., the consequence of failure.
  • Consequences of failure escalate, and the possibilities are endless. In other words, the list might read: “If the system fails...”
    • The plant will lose $15,000 per day.
    • The plant will lose $1 million per day.
    • The plant will be damaged and shut down for three weeks.
    • There is a high probability of injury or loss of life to company personnel in the immediate area.
    • There is a high probability of an explosion and loss of life to non-company personnel outside the perimeter of the facility.

Ultimately, it is up to the plant owner and operator to determine what level of risk is acceptable based on their own criteria (best practice, company philosophy, insurance rates and requirements, budgets, etc). Therefore, risk tolerance is subjective and site-specific.

Once the level of risk tolerance is established, SIL levels may be established for specific SIF within an SIS.


THE ROLE OF PROBABILITY

Before discovering how the numerical value of SIL is derived, a better understanding of PFD is needed.

It's easier to express probability in terms of failure than in terms of proper performance. As published in the aforementioned standards and in some product brochures, there are four SIL levels, numbered 1 to 4: the higher the SIL, the higher the associated safety level and the lower the probability that the system will fail to perform when called upon (Figure 1).

These various SIL levels might be correlated to the above mentioned examples of consequences of failure.

For purposes of this article, it is appropriate to think of SIL as “the degree of likelihood that our system will work when we want it to.” (Generally, SIL 4 is beyond the scope of what we see in the process industries.) Again, we might want to think of a “function” as an emergency shutdown valve system, typically consisting of a sensor of some type (pressure, level, temperature) and a logic solver that sends a signal to an automated valve. The automated valve package might consist of an actuator (pneumatic, electric, hydraulic, etc.), solenoid valves, quick exhaust valves and the final control element, the valve itself. The “system” may consist of many functions; it might have five emergency shutdown valves protecting a pressure vessel in which a process is being cooked. Or it might have only one function (the SIF) making up the entire SIS.

To summarize, the HAZOP team sets the target SIL for each SIF from the risk reduction that function must provide; the SIF is then verified against that target by calculating its PFD. Michael Young of General Monitors has summed this issue up nicely in his paper, SIL 101: How Safe Do I Need to Be?

A simple example will help illustrate the concepts of SIS, SIF, and SIL. Consider the installation of a pressure vessel containing flammable liquid. It is maintained at a design operating pressure by the Basic Process Control System (BPCS). If the process control system fails, the vessel will be subjected to an over-pressure condition that could result in a vessel failure, release of the flammable contents and even fire or explosion. If the risk in this scenario is deemed to be intolerable by the facility owner, an SIS will be implemented to further reduce this risk situation to a tolerable risk level.

The SIS system will be independent from the BPCS and will act to prevent or mitigate the hazardous condition resulting from pressure vessel overpressure. The SIS will have an SIF which might include a pressure transmitter which can sense when an intolerable level of pressure has been reached, a logic solver to control the system logic, and a solenoid valve which might vent the contents of the vessel into a safe location (flare stack, environment, storage tank, etc.), thus bringing the pressure vessel to a safe state.

If the risk reduction factor required from the Process Hazard Analysis is a factor of 100 then an SIL 2 level of SIF performance would be specified. Calculations for the components of the entire SIF loop will be done to verify that the PFD of the safety function is 10⁻², meaning that the SIF is SIL 2 or reduces the risk of the hazard by a factor of 100. This one SIF may constitute the entire SIS, or the SIS may be composed of multiple SIFs that are implemented for several other unacceptable process risks in the facility.

From Table 1 and the example above, we see that the SIL number relates directly to the minimum risk reduction factor: SIL 1 = 10, SIL 2 = 100, SIL 3 = 1,000, and so on. This is helpful in getting a feel for what SIL is.
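The sequence the article has just described (hazard frequency and consequence from the HAZOP, owner-defined tolerable risk, required risk reduction, SIL from the Table 1 relationship), carried through in code as an added example; it is not from the original article or from any of its references. The tolerable-frequency criteria, the hazard numbers, the credit taken for an existing relief valve (a LOPA-style step) and the names target_sil, required_rrf and sil_for_rrf are all constructed for illustration; a real site uses its own criteria, as the article stresses. The bands are the IEC 61508 low-demand bands: SIL n means a risk reduction factor of at least 10^n, equivalently a PFDavg of at most 10^-n.

```python
"""Target SIL from a tolerable-risk criterion (added example, not from the article).

Sequence: the HAZOP gives an initiating-event frequency and a consequence class;
credit is taken for independent protection layers that already exist (a LOPA-style
step); the owner's tolerable frequency for that consequence class gives the required
risk reduction factor RRF = mitigated frequency / tolerable frequency; the RRF maps to
a SIL using the IEC 61508 low-demand bands (SIL n: RRF from 10^n up to 10^(n+1),
equivalently PFDavg from 10^-(n+1) up to 10^-n). All numbers below are constructed.
"""

# Constructed owner criteria: tolerable event frequency (per year) per consequence class.
# They mirror the escalating consequence list in the article; real values are site-specific.
TOLERABLE_FREQ_PER_YEAR = {
    "production loss": 1e-1,
    "plant damage": 1e-2,
    "on-site fatality": 1e-4,
    "off-site fatality": 1e-5,
}

MAX_SIL = 4  # IEC 61508 defines SIL 1-4; the article notes SIL 4 is rare in process plants


def required_rrf(mitigated_freq_per_year: float, tolerable_freq_per_year: float) -> float:
    """Risk reduction the SIF must deliver for the residual risk to be tolerable."""
    if mitigated_freq_per_year <= 0 or tolerable_freq_per_year <= 0:
        raise ValueError("frequencies must be positive")
    return mitigated_freq_per_year / tolerable_freq_per_year


def sil_for_rrf(rrf: float) -> int:
    """Map a required RRF to the SIL band that delivers at least that much reduction.

    RRF below 10 gets no SIL (returns 0): any reduction needed there is handled by
    non-SIS means. RRF above 10^5 cannot be met by a single SIL 4 function, so the
    process design, not the SIF, has to change.
    """
    if rrf > 10 ** (MAX_SIL + 1):
        raise ValueError(f"required RRF {rrf:.3g} exceeds what SIL {MAX_SIL} can provide")
    sil = 0
    for n in range(1, MAX_SIL + 1):
        if rrf >= 10 ** n:
            sil = n
    return sil


def target_sil(hazard: dict, criteria: dict = TOLERABLE_FREQ_PER_YEAR) -> dict:
    """Work one HAZOP scenario through to a SIL target and a PFDavg ceiling.

    hazard keys: "initiating_freq_per_year", "consequence", and optionally
    "other_layer_pfds" (PFDs of independent, non-SIS layers such as a relief valve).
    """
    freq = hazard["initiating_freq_per_year"]
    for layer_pfd in hazard.get("other_layer_pfds", []):
        if not 0.0 < layer_pfd <= 1.0:
            raise ValueError("a protection layer PFD must lie in (0, 1]")
        freq *= layer_pfd  # an independent layer fails to stop the event with probability PFD
    rrf = required_rrf(freq, criteria[hazard["consequence"]])
    sil = sil_for_rrf(rrf)
    return {
        "mitigated_freq_per_year": freq,
        "required_rrf": rrf,
        "sil": sil,
        # the SIF's PFDavg must be at most 1/RRF; where no SIL is required the ceiling is 1
        "max_pfd_avg": 1.0 / rrf if sil else 1.0,
    }


# Constructed scenarios, loosely following the pressure-vessel example in the article.
VESSEL_OVERPRESSURE = {
    "initiating_freq_per_year": 1e-1,   # BPCS pressure loop fails about once in ten years
    "consequence": "on-site fatality",
    "other_layer_pfds": [1e-1],         # a relief valve already credited with PFD 0.1
}
STEAM_JACKET_OVERTEMP = {
    "initiating_freq_per_year": 5e-3,
    "consequence": "plant damage",
}

if __name__ == "__main__":
    for name, hazard in (("vessel overpressure", VESSEL_OVERPRESSURE),
                         ("steam jacket overtemperature", STEAM_JACKET_OVERTEMP)):
        result = target_sil(hazard)
        print(f"{name}: RRF {result['required_rrf']:.3g} -> SIL {result['sil']}, "
              f"PFDavg must be <= {result['max_pfd_avg']:.2g}")
```

Run as a script, the constructed vessel scenario comes out at a required RRF of 100 and therefore SIL 2 with a PFDavg ceiling of 0.01, which is the case in the quoted example; the steam jacket scenario needs an RRF below 10 and gets no SIL at all. Changing only the tolerable-frequency table changes the SIL, which is the point the article makes about risk tolerance being subjective and site-specific.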


SIL AND THE VALVE INDUSTRY

Since this article is primarily for those who are not instrumentation engineers, it is helpful to also know how SIL applies to the valve and actuator industries.

A HAZOP team will look closely at automated valve systems that need to perform an action to return the process to a safe state when design or operating parameters have been exceeded. To keep the discussion simple, we will use the term ESD, assuming we are concerned with an emergency shutdown valve.

The HAZOP team will want to know: What is the likelihood of my valve working when I need it to work? They will perform a risk analysis and assign an SIL to that ESD system. The SIL covers the entire ESD system, from the initial process sensor to the valve itself and everything in between. It is important to note that SIL applies to systems made up of individual products. Products are not "SIL rated." There is no such thing, for example, as an SIL 3 actuator, an SIL 3 digital valve controller or an SIL 3 solenoid valve. There are only products whose failure data show them to be reliable enough to be suitable for an SIL 3 environment.

So, as industrial fluid control representatives, it would be inappropriate to say of a product: This is SIL 2. The correct nomenclature would be: This is suitable for an SIL 2 environment. Likewise, as a consultant or end user, it is inappropriate to ask a vendor: What is the SIL rating of your product? It would be more appropriate to ask for specific failure rates.

In determining whether a product is suitable for use in a given SIL environment, the important figures are its failure rates, above all its dangerous undetected failure rate, and the PFD that follows from them for the planned test interval.

PFD average (PFDAVG) is the quantity that matters to the valve industry and to users of valves. As the graphs in Figures 2 and 3 indicate, the probability of failure of a valve rises steadily between full-stroke proof tests and is brought back down only when the valve is tested. It has been demonstrated that partial stroke testing (PST) of the valve (when full stroke testing is not practical) significantly lowers the PFDAVG. To say it another way, partial stroking raises the probability that the system and valve will work when they need to work (Figure 3).


Based on the need to increase reliability and the desire by end users to comply with new safety standards, a PST industry has emerged. It has spawned a plethora of increasingly sophisticated products and systems promising to make the SIS more reliable. The end result has been confusion not only for vendors, but for consultants and end users as well.

A good way to think about this situation is in simple terms of a safety system that requires 10 components and must maintain SIL 2. This might fall along the lines of the following example:

Consider a container that will hold a maximum of one liter of liquid. The container will represent the maximum amount of potential failure allowed in the safety system. In other words, for this example, we have a budget of only 1,000 milliliters of failure. If we exceed that safety budget, we will not have an SIL 2 system.

Visualize the container surrounded by 25 individual 200 milliliter vials, each holding different levels of liquid. Some are more than half full, many are almost full. If we were to combine the liquid from all 25 vials, the total would be well in excess of one liter.

The 25 vials represent a variety of individual components that might be selected for our 10-component safety system; various valves, solenoids, controllers, etc. The liquid levels in the vials represent the different PFDAVG of the individual components.

Taken individually, the liquid from any one vial will easily fit into the one-liter container. But only by selecting components whose combined volume is equal to or less than one liter will we get a successful SIL 2 system.

The components can be thought of in the following way: Each of the 25 individual components may have a PFDAVG that will allow use in a SIL 2 environment. But if the combined failure rates of our 10 selected components exceed the SIL 2 requirements, the system will not qualify as an SIL 2. We must select the right combination of components that satisfy our safety budget.

The main point of this example is to stress the fact that one or more SIL 2 products (if there were such things) will not necessarily make the system an SIL 2 system. Ultimately, the end user or the end user’s consultant will have to perform the calculations based on failure rates and other criteria to determine the impact of each individual component on the system SIL.
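The partial-stroke effect on PFDAVG (Figures 2 and 3) and the one-liter budget, carried through together as an added example that is not part of the original article or any of its references. It uses two simplified low-demand approximations that are standard in SIL verification: for a single element that is fully proof tested every T hours, PFDAVG ≈ λDU × T / 2, and for a valve with partial stroke testing the dangerous undetected failure rate λDU is split into the fraction C that a partial stroke can reveal (tested every TPST) and the remainder (found only at the full proof test). The loop PFDAVG is the sum of the component PFDAVGs, which is the single-channel, series case the vial picture describes. Every failure rate, coverage value, interval and component name below is constructed for illustration; none is vendor data.

```python
"""SIL verification of a SIF loop with partial stroke testing (added example).

Simplified low-demand formulas (valid while lambda_DU * T is much less than 1):
    PFDavg (single element, proof tested every T)     = lambda_DU * T / 2
    PFDavg (with partial stroke test every T_pst,
            coverage C of the dangerous undetected rate) = C * lambda_DU * T_pst / 2
                                                          + (1 - C) * lambda_DU * T / 2
The loop PFDavg is the sum over the components in series (the article's one-liter
budget). Failure rates, coverages and intervals below are constructed, not vendor data.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand mode: PFDavg must be below this bound to claim the SIL.
SIL_MAX_PFD_AVG = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def pfd_avg(lambda_du_per_hour: float, proof_interval_years: float) -> float:
    """Average PFD of one element that is fully proof tested every proof_interval_years."""
    t = proof_interval_years * HOURS_PER_YEAR
    return lambda_du_per_hour * t / 2.0


def pfd_avg_with_pst(lambda_du_per_hour: float, proof_interval_years: float,
                     pst_interval_years: float, pst_coverage: float) -> float:
    """Average PFD of a valve that is partially stroked between full proof tests.

    pst_coverage is the fraction of lambda_DU a partial stroke can reveal. It is the
    number a PST vendor has to justify; the credit is only as real as that fraction.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    if pst_interval_years > proof_interval_years:
        raise ValueError("PST interval cannot exceed the full proof test interval")
    found_by_pst = pst_coverage * pfd_avg(lambda_du_per_hour, pst_interval_years)
    found_only_by_full_test = (1.0 - pst_coverage) * pfd_avg(lambda_du_per_hour, proof_interval_years)
    return found_by_pst + found_only_by_full_test


def component_pfd(component: dict) -> float:
    """PFDavg of one component dict; the PST formula is used only if the component has 'pst'."""
    pst = component.get("pst")
    if pst is None:
        return pfd_avg(component["lambda_du_per_hour"], component["proof_interval_years"])
    return pfd_avg_with_pst(component["lambda_du_per_hour"], component["proof_interval_years"],
                            pst["interval_years"], pst["coverage"])


def verify_sif(components: list, target_sil: int) -> dict:
    """Sum the component PFDavgs (the vials) and compare with the SIL budget (the liter)."""
    budget = SIL_MAX_PFD_AVG[target_sil]
    per_component = {c["name"]: component_pfd(c) for c in components}
    loop_pfd = sum(per_component.values())
    return {
        "per_component": per_component,
        "loop_pfd_avg": loop_pfd,
        "budget": budget,
        "budget_used": loop_pfd / budget,   # above 1.0 the liter overflows
        "meets_target": loop_pfd < budget,
    }


def example_loop(with_pst: bool) -> dict:
    """Constructed SIL 2 ESD loop, fully proof tested only at a three-year turnaround."""
    proof_years = 3.0
    valve = {"name": "ESD valve + actuator", "lambda_du_per_hour": 7e-7,
             "proof_interval_years": proof_years}
    if with_pst:
        valve["pst"] = {"interval_years": 0.25, "coverage": 0.6}  # quarterly partial stroke
    components = [
        {"name": "pressure transmitter", "lambda_du_per_hour": 5e-8, "proof_interval_years": proof_years},
        {"name": "logic solver", "lambda_du_per_hour": 1e-8, "proof_interval_years": proof_years},
        {"name": "solenoid valve", "lambda_du_per_hour": 1e-7, "proof_interval_years": proof_years},
        valve,
    ]
    return verify_sif(components, target_sil=2)


if __name__ == "__main__":
    for label, with_pst in (("full stroke test only", False), ("with quarterly PST", True)):
        r = example_loop(with_pst)
        print(f"{label}: loop PFDavg {r['loop_pfd_avg']:.2e}, "
              f"{r['budget_used']:.0%} of the SIL 2 budget, meets target: {r['meets_target']}")
```

Run as a script, the four constructed components overflow the SIL 2 liter when the valve is tested only at the three-year turnaround (about 113% of the budget, almost all of it in the valve and actuator), and quarterly partial stroking at 60% coverage brings the same loop to about 62%. Note that every component on its own is comfortably inside the SIL 2 bound, which is exactly the article's warning: individually "suitable for SIL 2" parts do not add up to a SIL 2 loop until the sum is checked.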

Statements such as: “our assessment indicates Product X can be used up to SIL 3 as a single device” have been made. That statement may be true, but it is also misleading and of limited value. After all, how many safety systems are comprised of a single device? We would need to know the failure rates, etc., of that individual product to actually know if it was suitable for use in a specific SIL system. The end user cannot just buy the product and assume suitability. Neither can a valve or actuator vendor just sell the product and assume it is suitable for use in a given SIL environment. (NOTE: A safety relief valve would be an exception and is an example of a single device SIL system. It detects overpressure and stops further elevation. Our primary discussion is concerning automated valve packages).


Making Sense of the Whole Thing

Occasionally, it might be wise to clear our heads of all the technical jargon, numbers and calculations and remember that the ultimate goal is the safety of human beings and our environment.

In considering SIL products and their application, it is easy to become sidetracked by details. But it is important to remember we are dealing with human systems, and because we live in a world governed, albeit unofficially, by Murphy’s Law, elimination of all risk is impossible.

Vendors and users alike need to pay particular attention not only to a product’s rating and certifications, but also the real world implications of actually installing and using a given product in the industrial process environment.

To conclude, the basic concepts of SIL are:

  • SIL is an indication of system reliability.
  • The end user (often through the analysis of a HAZOP team) determines the required SIL for each SIF in an SIS.
  • Based on a product's reliability (in essence, the reciprocal of its PFDAVG), a product may be suitable for use in a desired SIL environment.
  • Using a product marketed, for example, as SIL 3 does not necessarily mean it is suitable for use in a specific SIL 3 environment.

By understanding these basic concepts, some of the mystery of SIL can be diminished for valve industry professionals and end users.


Michael A. Mitchell, Cameron Flow Control, DYNATORQUE Product Manager, has over 34 years of technical sales experience in the automated valve industry. Reach him at mike.mitchell@c-a-m.com

This article was adapted from a presentation originally made at the Valve World Conference 2010.


References

1. General Monitors corporate website, Frequently Asked Questions about Safety Integrity Levels, www.gmigasandflame.com/sil_faqs.html#SIS

2. Michael Young, General Monitors, SIL 101: How Safe Do I Need to Be?, www.gmigasandflame.com/sil_info_101.html

3. Lihou Technical & Software Services, Hazard & Operability Studies (Hazops), www.lihoutech.com/hazop1.htm

4. Technip Benelux Services, a division of Technip Benelux B.V., Hazard & Operability Studies (HAZOP) & Safety Integrity Level Classification (SIL)

5. International Society of Automation, ANSI/ISA-TR96.05.01-2008, page 21, Figure 2, Effect of partial testing on PFDAVG
