SIL or RRF

©ING. ROBERTO FERNÁNDEZ BLANCO. LEY 11723

of 27

SIL or RRF THAT IS THE QUESTION ------------------------------------------------------------------

Author: Roberto Fernández Blanco, Eng. Director, DASIS Corp. (Ex-SISTEMAS DACS SA) a CCPS member.

About the Author: Roberto Fernández Blanco is a Director of DASIS Corp (Ex Sistemas DACS) an AIChE-CCPS member, a company specializing in Research and Supply of Industrial Process Control and Safety Systems. He is also a member of ISA (International Society of Automation) and NFPA (National Fire Protection Association). He has 50 years’ experience in the area of research and applications for Automated Process Control and Risk Reduction in a wide range of industries. * This article on “SIL or RRF” seeks to clarify the origin and scope of the concept of SIL (Safety Integrity Level) and the fact that it consists of a number of bands that group together Risk Reduction Factors (RRFs) of varying orders of magnitude. The SIL/RRF Graph presented here (introduced in 2005 by Eng. Fernandez Blanco) also evidences that implementing an automatic SIF (Safety Instrumented Function) protection function or loop by defining only the SIL can lead to imprecise and dangerous results, as the minimum value of the risk reduction factor with which such SIF should be designed remains undefined. This leads to errors in the design of the protection capacity of the SIF, as shown in Case #1, summarily described by the author in the presentation he delivered in the CCPS Conference held in Buenos Aires in August 2011 and in the webinar he conducted in Spanish in October 2008. Roberto Fernandez Blanco stresses the importance of introducing these graphs in industrial process protection practices to ensure a proper risk reduction. 1. INTRODUCTION.

Knowing the origin and full meaning of the SIL (Safety Integrity Level) concept, its nature, essence and content, has been a persistent aspiration of those who need to apply the Process Safety science. In this article, Roberto Fernandez Blanco clarifies—in simple, understandable terms—the scope of this concept and demonstrates the benefits of the SIL/RRF Categories Graph he designed in 2005 to replace the conventional SIL tables (for Low Demand and High and Continuous Demand processes, respectively). This SIL/RRF Graph (Figure 1) was presented internationally by the author through the first AIChE webinar conducted in Spanish in October 2008 and, more recently, in the 3rd Latin American AIChE-CCPS Conference on Process Safety held in Buenos Aires in August 2011.


of 27

© Juan Roberto Fernández Blanco. Hecho el depósito que marca la Ley 11723.

Discof 10 Slots

100 Slots

1,000Slots

10,000Slots

RRF 10 100 1,000 10,000 100,000

PFD 1/1010-1

1/10010-2

1/1,00010-3

1/10,00010-4

1/100,00010-5

Group SIL1 Group SIL2 Group SIL3 Group SIL4

PFD per hour 10-5 10-6 10-8


10-7 10-9

Continuousand HighDemand Mode

Low Demand

Mode

SIL / RRF GRAPH

Year 2005*Ing. Roberto Fernández Blanco

1 year = 8,760 hours. We w ill use 1 year = approx.10,000 hours (104)

100KSlots

101 102 103 104

(NUMBER OF DISC SLOT S)Figure 1

2. PROCESS SAFETY MANAGEMENT (PSM).

A few years ago the science of Process Safety burst into day-to-day industrial activities like a hurricane. And with it came the concept of SIL, which generated —among managers and department heads—the uneasy and disturbing sense that it was a “not-easily-understood” concept.

Rigorous prevention and protection measures are required to reduce—to below the levels deemed tolerable by the community—the risks derived from the hazards residing in industrial processes. The idea is to safeguard the health and physical integrity of individuals, the environment, production assets, and the continuity of plant operations.

To make good on such ethical and social commitment, a company needs to have a qualified management team that will prioritize safety by adopting the most sophisticated, state-of-the-art risk analysis and quantification criteria, establishing tolerable risk criteria, and imposing, at every technical and managerial level and in every plant team, a culture of high responsibility and accountability for the implementation and preservation of a sustainable safety level in the production process, embodied in the idea of Process Safety Management. 3. KEY CONCEPTS.

(a) A process is deemed risky when it contains hazards with a damaging or destructive potential (for example, a flammable or toxic material), a situation equivalent to keeping a fierce tiger in a cage that protects us from its attacks and consequent harm.

(b) An initiating event is an occurrence that releases the tiger (by opening its cage door) and thus generates an incident that exposes us to the tiger’s damaging potential. This


of 27

condition, i.e. exposure to the tiger’s damaging potential (the hazard), is a danger. Hence the phrase “a hazard is a source of danger” (Figure 2).


CAGED TIGER = HAZARDSAFE CONDITION !

ESCAPED TIGER RISK CONDITION !!!

SAFE CONDITION !! DANGEROUS SITUATION !!ABOUT TO SUFFER THE CONSEQUENCES

OF HAZARD’S DAMAGING CAPABILITY

HAZARD !!

INCIDENT !!

INITIATINGEVENT

A HAZARD IS A SOURCE OF DANGER

CONSEQUENCES?

Figure 2

(c) The possibility of the tiger escaping from its cage is measured in terms of probability (for example, the probability that a sharp blow on the cage latch—the initiating event—will open the cage door and let the tiger out).

(d) Once the incident has been engendered, it will develop and escalate until it reaches its outcome (incident outcome), thus causing damaging and destructive consequences of various degrees of intensity, severity or magnitude (Figure 3).


of 27

“HAZARD”(CONFINED DAMAGING POTENTIAL)

“DANGER”(UNLEASHED DAMAGING POTENTIAL)

HAZARD (CONFINED IN THE PROCESS)SAFE OPERATING CONDITION

(CAGED TIGER)

DANGER (AN EVENT GENERATED AN INCIDENT UNLEASHING THE

DESTRUCTIVE ENERGIES OF THE HAZARD(TIGER ON THE LOOSE)

© Juan Roberto Fernández Blanco. Hecho el depósito que marca la Ley 11723

HAZARDS INCIDENTINITIATINGEVENT CONSEQUENCES+ =

Figure 3

(e) The risk may be reduced by diminishing the potential damaging capacity of the hazard, that is, by reducing its level of consequences, and/or decreasing the probability that the incident releasing its destructive force will start and spread.

(f) If the incident has indeed arisen, the only thing for us to do is to try and abort it as soon as practicable, to prevent its development, escalation, expansion and outcome.

(g) A risk is therefore defined as an undesirable but possible damaging event which is to be feared because of the probability of its occurrence and the severity or intensity of its consequences. We will quantitatively represent the Risk (R) as the product of the Probability (P) times the Consequence (C) in an XYZ axes coordinate graph, as R=PxC, using arrows to indicate the magnitude of every value (figure 4).


of 27

PROBABILITY of theCONSEQUENCE

INTENSITY of theCONSEQUENCE

PROBABILITY OF THE SPECIFIC INCIDENT

HAZARD’S INHERENT RISK


“R”

RISK GRAPH of a specific HAZARD

RISK

“C”

“P”

INCIDENT CONSEQUENCE

R = C X P

P

C

Figure 4

(h) For the above graph to be meaningful, a reference criterion or benchmark (Tolerable Risk Level) should be established so that the risk can be assessed as high, low, medium and -primarily- as “acceptable/tolerable” or as “unacceptable/intolerable”. We will represent this reference Tolerable Risk as a level which cannot be exceeded by the risk arrow for the risk to be acceptable (Figure 5)



PROBABILITY OF THE SPECIFIC INCIDENT

INHERENT RISK of theSPECIFIC HAZARD


“R”

RISK GRAPH withTOLERABLE RISK LEVEL PLANE

RISK

“C”

“P”

CONSEQUENCE OF THE SPECIFIC INCIDENT

R = C X P

TOLERABLE RISK LEVEL PLANE

RISK OVER TOLERABLE LEVEL

I II III IVA

B

C

D

E

UNACCEPTABLERISK

Figure 5

(i) The analysis or assessment of the different risk levels will be performed by drawing a matrix on the base level (level C-P) which may be subdivided into any number of


of 27

rows and columns as long as these can be distinguished (Figure 6) from each other qualitatively (subjectively) or quantitatively (objectively).

LOW

“C”

“P”PROBABILITY

“R”RISK

HIGHHIGH

HIGHHIGH

HIGH

SERIOUS

SERIOUS

SERIOUS

SERIOUS

SERIOUS

MEDIUM

MEDIUM

MEDIUM

MEDIUM

MEDIUM

MEDIUM

MEDIUM

LOW

LOW

I II III IV

TOLERABLE RISKFRONTIER

“C-P” BASE LEVEL OF THE THREE-DIMENSIONAL RISK GRAPHWITH QUALITATIVE AND QUANTITATIVE MAGNITUDES

.NEGLIGIBLE

MARGINAL

CRITICAL

CATASTROPHIC

US$ 100 k

US$ 300 k

US$ 600k

US$ 1,200 k

IMPROBABLE A1/100/yr

REMOTE B1/50/yr

OCCASIONAL C1/10/yr

PROBABLE D1/2/yr

FREQUENT E1/½/yr


Figure 6 (j) The risk of the specific hazard under consideration can be reduced by means of an “inherently safer” redesign of the process (see Inherently Safer Chemical Processes, CCPS), which reduces the intensity of the consequences and/or the probability that the incident will evolve and escalate.

(k) If, after the process has been rendered “inherently safer”, the hazard remains higher than the Tolerable Risk and we want—additionally—to abort it within the limits of the process, we will have to reduce the probability of the incident being engendered and escalating. This will require setting up a number of successive defensive trenches (such as those that guard a fortress from an enemy attack), which are known as layers of protection.

(l) As the “attack to the community” (incident) is engendered, arises and escalates from the “uterus” of the process (the release of the tiger), the trenches or defensive layers are set up serially from such uterus outward, as shown in the figure 7.


of 27

PROCESS HAZARDS AND RISK ANALYSIS

INHERENTLY SAFER DESIGN

BASIC PROCESS CONTROLSYSTEM with “PFD”LOWER THAN 1/10

ALARMS & MONITORING OPERATOR INTERVENTION

SIFSAFETY INSTRUMENTED FUNCTION

PHYSICAL PROTECTIONSRELIEF COMPONENTS

PROTECTIONS AFTER PROCESS RUN OVER

(DIKES, MITIGATION SYSTEMS…)

PLANT EMERGENCY RESPONSEand PLANT EVACUATION

COMMUNITY EMERGENCY RESPONSE

PREVENTION, PROTECTIONand ABORTION to stop

the INCIDENT WITHIN THE PROCESS

ATTENUATION, MITIGATION.THE INCIDENT SURPASSED

THE PROCESS LIMITS

LIMIT of the

PROCESS

LIMIT of the

PROCESS

SUCCESSION OFDEFENSIVE TRENCHES

DEFENSIVE TRENCHES SUCCESSION

SIF TRENCH

Figure 7

(m) We will analyze a specific defensive trench, namely, the layer of protection consisting of a Safety Instrumented Function (SIF) implemented for the protection of a furnace, boiler, or home water heater, in the event of a flameout in the burner. This flameout incident will cause the furnace or boiler to begin to fill up with an explosive mix of flammable material (natural gas, for instance) and air, a type of incident that must be aborted very quickly. Thus, a protective SIF consisting of three serially lined-up and linked components is installed: a flame detector linked to a safety controller linked in turn to a shut-off valve to hermetically close and block the gas flow.

BURNER FUEL GASFLAMEDETECTOR

GAS SHUT OFFVALVE

SAFETYCONTROLLER

© ING. R OBERTO FERN AND EZ BLANCO. LEY 11723

SIF

GAS TO BURNER

SEQUENCE OF PROTECTION DEMANDS

PFD - PROBABILITY OF FAILURE ON DEMAND FOR PROTECTION

(THIS IS A DANGEROUS FAILURE. DEMANDED PROTECTION NO LONGER DELIVERED)

FLAME OUT

PFD PFD = 1/250???

“SIF” – FLAME OUT SAFETY INSTRUMENTED FUNCTION

SIF

Figure 8


of 27

(n) Whenever the burner flames out (incident), the process sends a protection demand signal to the flame detector. This device detects the flameout and sends out a demand to the safety controller, which, in turn, sends a demand to the shut-off valve instructing it to shut off the inflow of gas into the burner. If upon any of these successive “demands for protection” one of the links should malfunction and fail to perform its intended role, the valve will not shut off, there will be no protection, the gas will keep feeding the firebox, and the incident will escalate until it reaches a catastrophic outcome (explosion).

(o) This highlights the importance of ensuring the integrity level of the equipment that makes up the SIF protective loop, as measured in terms of its probability of failure on demand (PFD). In our figure, we have considered that such PFD is PFD = 1/250 (a fictitious value used solely for illustration purposes), meaning that—on average—out of every 250 times the flame burns out (and the process demands protection) the SIF function will properly fulfil its protective action on each such occasion but one, that is, there will be 1 protection failure for every 250 demands.

(p) To sum up, the process has per se an inherent flameout probability, and, in addition (as will be seen later), there is the PFD probability that the SIF protective loop may fail. If both circumstances occur, it will not be possible to abort the engendered incident, which will thus escalate until it reaches a catastrophic outcome. 4. HAZARD, INCIDENT, AND SIF

Each hazard residing in a process, as well as the potential incident it is capable of generating, is proper to and inherent in the nature of the process itself. For the same reason, the average frequency (or average recurrence of the probability) with which the specific incident is engendered is also an inherent characteristic specific to the process itself and the manner in which it is operated.

It may be helpful to view the process as a “uterus” in which one of its resident hazards is “fertilized” by an initiating event, which engenders a specific incident that will develop, escalate, and spread—depending on its inherent potential—until it reaches its outcome, provoking consequences of various degrees of intensity or severity.

This specific characteristic of the nature of each individual process can only be improved by changing its basic design, making it inherently safer (see Inherently Safer Chemical Processes, published by CCPS).

The inclusion of a SIF protective function will not alter the nature of the process or of its hazards, nor the frequency of occurrence of the incident involved. The SIF function merely detects the hazard “pregnancy” condition that engenders the incident and then executes an immediate abortive action.

But the SIF loop is not an entirely perfect arrangement. Its abortive action can fail, thus allowing the incident to escalate until it reaches its outcome and to cause its damaging


of 27

and destructive consequences. This makes it all the more important to install a SIF loop with the appropriate levels of reliability and integrity, in line with the harmful potential of the hazard and the level of risk posed by the specific incident. Reliability means the proper execution of the actions for which the SIF was installed, and integrity refers to its resistance, strength, and toughness not to falter in performing its protective action, but rather to execute it in due manner and time. 5. PROBABILITY ANALYSIS.

For purposes of this analysis, using the following symbols (Figure 9) should prove useful:

COIN, DICE AND PROBABILITY DISCS

© Ing. Roberto Fernández Blanco. Ley 11723

TNT

TNT

TNT

Figure 9 ● A bomb with its wick on fire, which stands for the beginning and spreading of

the incident, where the bomb volume suggest the intensity of the consequences (in the event the incident should reach its outcome) and the length of the wick is indicative of the timeframe available to attempt to abort the incident.

● A flame or blaze, which stands for the catastrophic event. ● A coin with which to bet on “heads” or “tails”. ● A conventional six-sided die, with the bomb drawn on the side labeled “1”

(which indicates that the incident has started and advances towards its destructive outcome or that the SIF has failed and will be unable to abort the incident).

● A 18- or 24-sided die, also bearing the bomb sticker on its side numbered “1”. ● And a probability wheel, which allows us to operate with different slot

contents, where slot “1” contains a flame or blaze (instead of a bomb), meaning that if we draw number 1 it was not possible for the SIF to abort the incident and we will therefore suffer the consequences.


of 27

Let us now perform a few probability analysis exercises by having our old friend Peter H. Skill play Russian roulette. To shed some light on the PFD (Probability of Failure on Demand) concept, for purposes of this game the acronym PFD will actually mean “Probability to Finish up Dead”, and the probability will be expressed as a fraction. In every case, Peter must shoot the gun.


PFD = 1/1

THE GUN IS LOADED PEDRO DIES !

PROBABILITY TO

FINISH UP

DEAD PFD = 100%

{ PFD - PROBABILITY OF FAILURE ON DEMAND } DR. ENG.

PEDRO H. SKILL

Figure 10

In the figure 10, as Peter holds only one pistol loaded with a single bullet in its firing chamber, his probability to finish up dead is absolute (100%), that is, PFD = 1/1. On the left-hand side of the two-panel figure 11, Peter gambles with two pistols, one loaded and the other one, unloaded. He must decide (heads or tails) which one he will shoot. Here his probability to finish up dead is PFD = 1/2 (one out of two).


of 27


Russian RoulettePFD = 1/6

THE CYLINDER OF THE GUN HAS SIX CHAMBERS

(EQUIVALENT TO A SIX-SIDED DIE).

ONE OF THE GUNS IS LOADED;

THE OTHER IS EMPTY.

YOUR CHOICE!(HEAD OR TAIL) ‏

PFD = 1/2PFD = 1/6

Figure 11

On the right-hand side of the figure 11, Peter gambles with a revolver, i.e., with a weapon having a rotating cylinder (drum) with six cartridge chambers but now lodging a single bullet. His PFD is equivalent to a conventional six-sided die with its side numbered 1 (i.e. the bomb) landing “head up”, that is, PFD = 1/6. With this logic in mind and seeking to preserve his highest chance of staying alive on this Russian roulette game, Peter decides to build his own revolver (see figure 12) with a 100-chamber drum (loaded with a single bullet), thus lowering his probability to finish up dead to PFD = 1/100 (equivalent to gambling with a 100-slot probability wheel bearing the flame on its number 1 slot).


Russian Roulette:PFD = 1/100

PFD = 1/100

Figure 12


of 27

6. TWO-STEP RUSSIAN ROULETTE.

Peter will now engage in the Russian roulette game in two steps (see figure 13), an approach we will apply to process protection. The first step requires Peter to shoot into the air a revolver with a conventional six-chamber drum loaded with a single bullet. In the event the bullet is actually fired (PFD = 1/6), Peter must move on to the second step, that is, to pull the trigger of the 100-chamber, single-bullet revolver against his head. For Peter to finish up dead both conditions should be met, so the resulting probability will be the product of both, PFD = 1/6 x 1/100 = 1/600.

PFD = 1/6 PFD = 1/100

RESULTANT PFD = 1/6 X 1/100 = 1/600

1st STEP 2nd STEP

RISK REDUCTION FROM 1/6 TO 1/600 RRF = 100

PFD=1/600

Figure 13

This manner of gambling lowered Peter’s probability to finish up dead from PFD = 1/6 to PFD = 1/600, thus reducing the risk from 1 out of 6 to 1 out of 600, which obviously entails a Risk Reduction Factor (RRF) equal to 100 (see figure). This RRF is represented by the 100-slot probability wheel (disc), a proxy for the 100-chamber revolver used in step two. 7. PROCESS PROTECTION THROUGH PROBABILITY REDUCTION.

As indicated in paragraph 3 (k), if the inherent Risk in the process (already reduced by means of other protection layers) is still higher than the tolerable level, we are left only with the possibility of “reducing the Probability” that the incident will escalate by adding a protective loop known as SIF (Safety Instrumented Function), as analyzed in paragraph 3 (m). Let us now consider the case of a single-burner boiler (Figure 14).


of 27

GASES

BOILER HAZARDS

Chimenea

CombustionAir

FlameScanner #A

FlameScanner #B

Atomizing steam

Natural Gas to Main Burner

Fuel Oil

Natural Gas to Pilot

CombustionGases

Lower Drum

Superheater

Atemperation Water

Feedwater

Saturated steam

Burner

Stack

Superheated steam

Figure 14© Juan Roberto Fernández Blanco. Ley 11723.

First, we should find out the Frequency (that is, the repeated Probability in a continuous process) of a flameout in the burner. Statistical records (fictitious values for purposes of this explanation) confirm that in this type of boiler the flame tends to be out (on average), with a Flame Out Probability of 1/6/month (FOP = 1/6/month).

A word of caution is in order here. FOP = 1/6/month means that for every month, one out of each six equal boilers of this type in continuous operation on the plant will flame out. By the same token, to signify that the “annual” fatality rate due to car accidents in a given city is one person per every 100,000 inhabitants, we write 1/100,000/year, but this does not mean that one death occurs every 100,000 years. Similarly, when we read that the death rate is 10-5/year, this should be understood to mean 1/100,000/year, i.e., one dead person per every one hundred thousand people per year. In addition, the specific incident involved and the specific area where it occurs should also be indicated (e.g., “death rate” due to “car accidents” “per year” in “the city under analysis”). For purposes of this industrial analysis, let us assume that a company has only one boiler. Thus, the 1/6/month unwanted flameout rate of the burner is represented by a six-sided die bearing the bomb symbol on its #1 side. This means that we should roll the die once a month and that, whenever the die falls with the bomb “head up”, this means that the burner has flamed out and given rise to the incident. If this six-sided die is rolled once a month, the average Probability (considering long periods) for the bomb to land head up will be once every six times the die is rolled, i.e., once every six months, equal to 1 unwanted flameout every 6 months.

When Peter considers this circumstance, he infers that, as the boiler suffers a flameout every six months it will have two flameouts per year, that is, two incidents per year that will tend to lead to the explosion and destruction of “two” boilers per year, with—additionally—potential serious injuries to the plant personnel (Figure 15).


of 27

© Juan Roberto Fernández Blanco. Ley 11723.

CAUTION: THE VALUES BELOW ARE FICTITIOUS

RISK PROBABILITY REDUCTION THROUGH A PROTECTIVE SIF

NO, IT IS NOT ACCEPTABLE

IS THE EXPLOSION AND DESTRUCTION OF “ONE BOILER EVERY 6 MONTHS” DUE TO THIS

FLAME OUT FREQUENCY AN ACCEPTABLE RISK?

FOP = 1/6/month

Figure 15

Flame OutProbability

FOP =1/6/month1 FLAME OUT EVERY 6 MONTHS

HAZ ARD

Clearly, running the risk of destroying two boilers per year, plus the associated injuries to the personnel and the disruptive effects on the continuity of the plant’s operations, is wholly unacceptable.

The key question is, then, what is the Tolerable Risk level? The answer should be provided by someone in charge, namely, the plant’s operating manager; the company; the government through a law, executive decree, or regulation; the technical agencies having jurisdiction over these issues; risk insurance companies, or the like.

For Peter to be able to carry out his job of improving the protection of the boiler by reducing the probability (or frequency) of the incident causing harm, he will have to receive a formal official confirmation in writing, backed by the highest corporate authority, defining the maximum level of Tolerable Risk allowed by the company (in this case, setting the maximum allowable level of probability that the specific incident can spread until it reaches a catastrophic outcome).

By way of example, let’s assume that the company imposes on Peter a maximum Tolerable Probability of 1/1,440/month, that is, an average Probability of one boiler -out of 1,440- experiencing an unwanted flameout each month. If the plant does not have 1,440 boilers but only one (as would be logical to expect), then -as average probability- one flameout within each 1,440-month period (equivalent to 1 average flameout every 120 years) will be deemed tolerable (Figure 16).


of 27


+ =

USER’s TOLERABLE PROBABILITY LEVELPT=1/1,440/month

Disc of1,440slots

(1/120/yr)

Figure 16





HAZARD

Precisely down to that low 1/1,440/month (or lower level) Peter should bring the Probability that the incident (flameout) may give rise to the emergence of a growing flammable gas-air cloud that will escalate until it explodes. To prevent this from happening, he should introduce a SIF defensive trench to properly abort the incident on a timely basis.

Based on the above two values, the frequency of flameout (1/6/month) in the boiler and the maximum tolerable probability (1/1,440/month), Peter can calculate the Integrity (strength not to falter in performing its protective action) of the SIF function that should be added to the boiler in order to abort the flameout-related incident and thus reduce from 1/6/month to 1/1,440/month (or less), the Probability that such incident will develop and escalate until it reaches its destructive outcome (explosion in the firebox).

To achieve this flameout protection Peter will introduce the SIF function analyzed in paragraph 3(m) (Figure 8) with an Integrity of PFD =1/250 (a single probable failure for every 250 protection requests). This SIF with a PFD = 1/250 (RRF = 250), represented by the 250-slot Failure-on-Demand Probability Wheel (as analyzed in section 5) reduces the original 1/6/month probability that the incident will escalate until its catastrophic outcome, to a new value of the Overall PFD resulting from the product of 1/6/month x 1/250 = 1/1500/month, less than the 1/1440/month required by the company’s management(Figure 17).


of 27


+ =

FLAME OUT SIF PROTECTION LOOP

Fuel

FlameSensor

SafetyPLC

Shut OffValve

(SIF) PFD = 1/250

RRF=250250-sided die or250-slot disc.

P=1/6x1/250=1/1,500/moBoiler Incident Probability

with SIF included

P=1/1,500/monthless than PT=1/1,440/month

Right Protection !!


Disc of1,440slots

Figure 17





HAZARD

A key conclusion to be drawn from this analysis is the significant and determinant role played by the Failure-on-Demand Probability Wheel that represents the Integrity of the SIF function.

● The number of slots in the Failure-on-Demand Probability Wheel provided by

the SIF protective function represents the RRF (Risk Reduction Factor).

● With a wheel having fewer slots than the required RRF, the required protection level cannot be achieved.

● The proper, or higher, level of protection can only be achieved with a SIF function represented by a Probability Wheel with a number of slots equal to or higher than the required 250 (i.e., an equal or higher RRF). This Risk Reduction is shown in the following XYZ coordinates graph (Figure 18):


of 27


CONSEQUENCE

INHERENT PROBABILITY of theSPECIFIC INCIDENT = 1/6/mo


“R”

RISK GRAPH withTOLERABLE RISK LEVEL PLANE

RISK

“C”

“P”

MAGNITUDE “C” of theSPECIFIC INCIDENT CONSEQUENCE

R = C X P

TOLERABLE RISK LEVEL PLANESET BY THE COMPANY

RT = C X 1/1,440/month

RISK MAGNITUDE REDUCED BY PROBABILITY = C X 1/1,500/month

REDUCTION OF PROBABILITY

C

1/1,500/monthPROBABILITYREDUCED to

RRF=250

RISKREDUCTION

FACTOR

INHERENT RISK of theSPECIFIC HAZARD = C X 1/6/month

Figure 18

8. THE “INEFFABLE” SIL

Once the necessary Risk Reduction has been calculated by determining the RRF or the required PFD for the SIF protection, the conventional SIL tables (Figure 19) will determine the SIL for this application.

10,000 to100,0001/10,000 to 1/100,000SIL#41,000 to 10,0001/1,000 to 1/10,000SIL#3

100 to 1,0001/100 to 1/1,000SIL#210 to 1001/10 to1/100SIL#1

(RRF) RISK REDUCTION FACTOR(PFD) PROBABILITY OF FAILUREON DEMAND

SAFETY INTEGRITY LEVEL

1/100,000,000 to 1/1,000,000,000 (10E-8 to 10E-9) SIL#41/10,000,000 to 1/100,000,000 (10E-7 to 10E-8) SIL#31/1,000,000 to 1/10,000,000 (10E-6 to 10E-7) SIL#2

1/100,000 to 1/1,000,000 (10E-5 to 10E-6) SIL#1

DANGEROUS FAILURE FREQUENCY per HOURSAFETY INTEGRITY LEVEL

SAFETY INTEGRITY LEVEL (SIL)FOR LOW DEMAND MODE SYSTEMS

SAFETY INTEGRITY LEVEL (SIL)FOR HIGH AND CONTINUOUS DEMAND MODE SYSTEMS

CONVENTIONAL “SIL” CATEGORIES TABLE

PFD = 1/250

?

Figure 19

But beyond the systematic use of such tables, as dictated by standard practices, the concept, essence, and content of the “ineffable SIL” remain unexplained. To address


of 27

this challenge, in 2005 I chose to discontinue the use of those conventional tables and to replace them with a new SIL/RRF Graph, whose construction unveils the mystery of the “ineffable SIL”. In designing this new Graph I simply used what is necessary for the process, that is, the Risk Reduction Factor (RRF) represented by a Probability Disc with a number of slots equal to the necessary RRF number. As if I were stacking a collection of old 33rpm vinyl records (see figure 20), I built up a pile of wheels beginning with a first one having just a few slots (10 slots, equal to RRF = 10) and then adding all the subsequent wheels with an increasing number of slots at one-slot difference, that is, the 10-slot wheel, then the one with 11 slots, followed by the ones with 12, 13, . . .98, . . . 520, 521, . . . 1000, 1001, . . . 3,950 slots, and so on. Then I drove a metal rod (by way of axis) through the center of the pile of discs and set it in a horizontal position.

As a drawing of all such wheels, viewed from the side, would have looked like a long, confusing, cryptic row of vertical lines signifying nothing, I drew just a few discs to stand for the “boundaries” between bands or groups of discs. Thus, I began by drawing the first, 10-slot disc (which should be followed by the discs having 11, 12, 13 slots, and so on, which are not shown in the drawing). The first disc corresponds to RRF = 10, or RRF = 101. Based on this approach, I then drew the 100-slot disc (RRF = 100 = 102) as the “boundary” mark for the second group, followed by the discs (not drawn) having 101, 102, 103 slots, and so on. I went on to draw the third-group boundary by including the 1,000-slot disc (RRF = 1,000 = 103). The third group runs up to the 10,000-slot boundary disc (RRF =10,000 = 104), which marks the beginning of the fourth group (including the discs having 10,000; 10,001; 10,002 slots, etc.).


of 27


Discof 10

Slots100

Slots1.000

Slots10.000

Slots

RRF 10 100 1,000 10,000 100,000

PFD 1/1010-1

1/10010-2

1/1,00010-3

1/10,00010-4

1/100,00010-5

Gestation of the PFD / RRF GRAPH

Año 2005*Ing. Roberto Fernández Blanco

(NUMBER OF DISC SLOTS

100KSlots

PFD/RRF GRAPH

SIF

PFD

101 102 103 104

Group 1 Group 2 Group 3 Group 4

Figure 20

In the upper part of this Graph (Figure 20) I have temporarily included a little cart rolling on imaginary rails, in which the SIF function (metaphorically) “travels” in search of the Probability Wheel that represents the RRF required by the process-specific hazard in order to reduce below the Tolerable Level—as set by the company—the resulting probability that the incident will escalate until it reaches its outcome. This SIL/RRF Graph (still a prototype) shows the “boundary” wheels for each of the four Probability Wheel groups. To better understand how the graph works, it may be useful to compare it to an old jukebox (Figure 21), where you selected the record you wanted to listen to and the machine picked it out automatically from a holding place and moved it onto a turntable.


of 27

RRF = 250

GROUP 1 GROUP 2 GROUP 3 GROUP 4

Figure 21

As the protection required for our boiler calls for a wheel of RRF = 250 slots, we need to press the RRF = 250 button on discs group # 2, so the machine will automatically pull out the 250-slot disc to install it in the SIF and provide it with a risk reduction capacity of RRF = 250. (Needless to say, this comparison is purely metaphorical, as the equipment in the SIF loop is provided by the manufacturer with such risk reduction capability already built in.)

The graph below (Figure 22) shows us the moment when the SIF picks out the 250-slot Probability Disc (RRF = 250).


Discof 10

Slots100

Slots1.000

Slots10.000

Slots

RRF 10 100 1,000 10,000 100,000

PFD1/1010-1 10-2

1/1,00010-3

1/10,00010-4

1/100,00010-5

Año 2005*Ing. Roberto Fernández Blanco

(NUMBER OF DISC SLOTS)

100KSlots

SIF

PFD

250

PFD=1/250

101 102 103 104

Group 1 Group 2 Group 3 Group 4

1/100

250Slots

Figure 22 PFD/RRF GRAPH

Gestation of the PFD / RRF GRAPH


of 27

Finally, I include below (see Figure 23) the new and complete SIL/RRF Graph I proposed in 2005 to replace the conventional SIL Tables.


Discof 10 Slots

100 Slots

1.000Slots

10.000Slots

RRF 10 100 1,000 10,000 100,000

PFD1/1010-1

1/10010-2

1/1,00010-3

1/10,00010-4

1/100,00010-5


PFD per hour 10-5 10-6 10-8


10-7 10-9

Continuousand HighDemandMode

LowDemand

Mode

SIL / RRF GRAPH

Year 2005*Ing. Roberto Fernández Blanco

1 year = 8760 hours. We will use 1 year approx=10.000 hours (104)

100KSlots

101 102 103 104

(NUMBER OF DISC SL OT S)Figure 23

This Graph provides several benefits:

(1) It makes it clear that each SIL Level represents a “group or set” of “Probability Discs” or RRFs.

(2) It includes in a single graph what previously required two conventional Tables: the bottom half shows the SIL/RRF for processes in the Low Demand Operation Mode, while the upper half includes those for the High or Continuous Demand Operation Mode.

(3) It will clearly indicate whether or not the SIF loop that effectively provides the required Risk Reduction is being introduced. We will illustrate these benefits with two examples bearing in mind that, to adequately protect a process, the specific risk of each of its hazards should be reduced to below the Tolerable Risk. If this cannot be achieved through a design that will make the process “inherently safer”, it will be necessary to add one (or more) defensive trenches (protection layers) that provide the appropriate RRF (or a higher one) of the Probability component of the Risk (green vector in the three-coordinate chart of figure 18).

It should be noted—and emphasized—that the conventional SIL Tables are not an accurate tool to express the risk reduction capacity that the protection layer should provide. This is because each SIL level or group clusters a high number of RRFs for


of 27

reducing the Probability (a large group of RRF discs). Of all the RRFs in the relevant SIL group, only one will be the optimal factor to achieve the required reduction, as well as the most economical option. Also, any RRFs exceeding such optimal factor will prove technically appropriate, but in all likelihood, at increasingly higher costs. Conversely, those RRFs that, while belonging to the same SIL group, have a lower value (or a smaller number of slots) than the optimal RRF will not be appropriate.

A problem arises when we determine the SIL group only without defining the necessary RRF, as this opens up the possibility of opting for any RRF (or probability wheel) among those in the SIL group. We may easily end up –unwittingly- adopting a RRF lower than the one the process actually requires. In that event, the resulting Probability reduction can be less than the one actually needed and the process will be left with an insufficient protection level, thus operating at a risk level unacceptably higher than tolerable even though the SIF has the calculated SIL. This is clearly seen in Example #1 below.

Example 1: This example (Figures 24 and 25) illustrates the protection introduced in the boiler as explained in section 7 above.


+ =


Fuel

FlameSensor

SafetyPLC

Shut OffValve

(SIF) PFD = 1/250

RRF=250250-sided die or250-slot disc.

P=1/6x1/250=1/1,500/moBoiler Incident Probability

with SIF included

P=1/1,500/monthless than PT=1/1,440/month

Right Protection !!

USER’s TOLERABLE PROBABILITY LEVEL

PT=1/1,440/month

Disc of1,440slots

Figure 24



SIL2



HAZ ARD


of 27

+Flame Out Probability FOP =1/6/month

FLAME OUT“SIF” LOOP

FlameSensor(3/3,000)

SafetySolver

(2/3,000)

Shut OffValve

(7/3,000)

PFD = 1/250ONE FAILURE EVERY 250 DEMANDS

RRF=250250-sided Dieor 250-slot Disc* ONE DEMAND EVERY SIX MONTHS

© Ing. Juan Roberto Fernández Blanco. Ley 11723 Figure 25Figure 25


HAZARD

SIL2

The analysis has confirmed that the RRF = 250 required for the SIF belongs to SIL2 (Figure 26).


Discof 10 Slots

100 Slots

1.000Slots

10.000Slots

RRF 10 100 1,000 10,000 100,000

PFD1/1010-1

1/100 1/1,00010-3

1/10,00010-4

1/100,00010-5


PFD per hour 10-5 10-6 10-8


10-7 10-9


LowDemand

Mode

(NUMBER OF DISC SLOT S)

100KSlots

101 102 103 104

250Slots

10-2

RRF = 250

SIF

PFD =1/250

PROTECTIONSIF

Figure 26

SIL / RRF GRAPH1 year = 8,760 hours. We will use 1 year = approx. 10,000 hours (104)

Based on this input (SIL2), a Safety Requirement Specification (SRS) is drafted (pursuant to the conventional procedure) to acquire a SIL2 protection function. With this SRS, the procurement department will purchase a SIL2 SIF loop provided by any of the well-established international manufacturers of SIF functions. When the function has been installed in the process and the commissioning to start up the plant is


of 27

underway, a validation procedure is carried out to confirm that the installed SIF is actually SIL2.

However, as at the time of purchase of the SIF the required RRF had not been specified (250-slot probability disc), upon completion of such validation procedure the installed SIF is found to have a specific SIL2 Integrity in line with a RRF = 120 (120-slot probability disc). The result of this difference is evidenced in the following graph (Figure 27) and in Figure 28:


Discof 10 Slots

100 Slots

1.000Slots

10.000Slots

RRF 10 100 1,000 10,000 100,000

PFD 1/1010-1

1/100 1/1,00010-3

1/10,00010-4

1/100,00010-5


PFD per hour 10-5 10-6 10-8


10-7 10-9


LowDemand

Mode

(NUMBER OF DISC SL OT S)

100KSlots

101 102 103 104

250Slots

10-2

PROTECTIONSIF

250

120

●Figure 27



+ =

Fuel

SafetyPLC

Shut OffValve

(SIF) PFD = 1/120

RRF=120

P=1/720/m>PT=1/1,440/mo

Insufficient ProtectionSIL2

● 1/60/yr instead of 1/120/yr

1/120/yr

EXPLOSIONS DOUBLED WITH SAME SIL 2


Disc of1,440slots


FlameSensor

120-sided die or120-slot disc.

P=1/6x1/120=1/720/monthBoiler Incident Probability with

SIF included

Figure 28





HAZARD


of 27

The SIL/RRF Graph confirms that the SIF with a RRF = 120 probability disc belongs to the SIL2 group as requested. The boiler figure shows that, with that SIL2-level SIF and RRF = 120, the probability that the incident may escalate until it reaches a catastrophic outcome will be an Overall PFD of 1/6/month x 1/120 = 1/720/month, that is, twice as high as the Tolerable Risk as set by the company (1/720/month = 2/1,440/month is double the Tolerable Risk of 1/1,440/month).

● The most important benefit this new SIL/RRF Graph provides is that it renders

“self-evident” and obvious that setting a SIL value is not enough to define the SIF needed to adequately protect the process.

● What the process needs is to reduce the risk of the specific hazard to below the

acceptable value set by the company. To achieve this, the proper Risk Reduction Factor (RFF) should be accurately determined (or else a somewhat higher RRF should be selected, with a wheel containing a larger number of slots).

Example 2: This second example refers to an application where the requirement established in the SRS specified a SIL3-level SIF. But the validation performed prior to the start-up of the process showed that the SIF was SIL2. This raised a good deal of alarm, as it was estimated that adjusting the SIF to SIL3 would require putting the start-up on hold, redesigning the loop, purchasing new equipment, rectifying the installation, and so on. Thus, even the -clearly crazy- idea was entertained to hush-hush the situation, but then it was realized that, if an accident should actually occur, the parties responsible could be prosecuted and severely punished in the event the incident should cause any injuries to individuals. Also, from an essentially ethical standpoint, the right thing to do was (and is) to provide the proper level of protection and not to expose the personnel to a risk level higher than the prescribed one.

A review of the data and the calculations showed that the SIL3 requirement called for RRF = 1001, whereas the SIF loop installed actually provided RRF = 999 (pertaining to the SIL2 group) (see Figure 29).


of 27


Discof 10 Slots

100 Slots

1.000Slots

10.000Slots

RRF 10 100 1,000 10,000 100,000

PFD 1/1010-1

1/10010-2

1/1,00010-3

1/10,00010-4

1/100,00010-5


PFD per hour 10-5 10-6 10-8


10-7 10-9


LowDemand

Mode

(NUMBER OF DISC SL OT S)

100KSlots

101 102 104RRF=999 RRF=1001

SIL3 WAS REQUIRED BUT VALIDATION SHOWED SIL2 (RRF=999 instead of RRF=1,001)

Figure 29


The SIL/RRF Graph clearly shows that these are two discs with a very similar number of slots (just 2 slots apart). When the calculations were reviewed, the difference was deemed to be within reasonable margins, and it was ultimately accepted. The documentation, with proper technical support, was then reviewed, and the start-up was finally initiated. 9. CONCLUSION (with a recommendation about the PSM culture).

This article should serve to provide a clearer understanding of the Ineffable SIL concept, as it demonstrates that each SIL level actually groups several successive probability discs (or RRFs). It also clearly shows that the essential purpose of Process Safety Management (PSM) is to run the process (in a sustainable manner) with the proper risk reduction, that is, with an appropriate RRF. Naturally, the RRF risk reduction capability should be preserved through a rigorous preventive maintenance effort to keep the equipment in an “as new” operating condition in order to prevent the RRF from gradually degrading over time with an ensuing increase of the risk level over and above the tolerable level allowed. This is as important as checking and maintaining—with the same degree of dedication, care, precision, and perfection—the condition of the brakes in a car used daily to drive along a cliffside road. This example helps us more clearly understand the meaning of RRF degradation and how it affects process safety. Let us assume that the Probability of Failure on Demand in a braking requirement (pressing down the brake pedal and having the brake function fully) is represented by a 12-side die, meaning 1/12/month, that is, a braking protection failure per every twelve months of continuous driving (a fictitious value assumed for explanation purposes). A


of 27

lack of maintenance will mean that gradual wearing-out will reduce the responsiveness of the brake and deprive it of protection power. At the same time this will be accompanied (in a figurative manner of speaking) by a gradual wearing out (“degrading”) of the die or wheel that represents the Probability (as it loses sides or slots) and the Probability of Failure on Demand of the worn-out brake will become evident. Thus, the brake’s PFD will gradually “degrade” until eventually it will be represented by a die (or disc) of, say, 8 sides (or slots) while when new—i.e., before being worn out—it was represented by a 12-side die (or 12-slot disc). This means going from the original 1/12/month PFD to a higher, degraded PFD of 1/8/month. The probability of failure will continue to grow (degrade) if no proper and timely checkups, “as new” maintenance and required testing are carried out, all of which should be carefully specified and scheduled before start-up and rigorously and continuously complied with as long as the car is in use.

Hence the recommendation, repeatedly made by this author to managers and department heads, is to buy a conventional 6-sided die, slap a bomb sticker on its face numbered “1”, keep it permanently on their office desk and roll it every day when they arrive at the plant. The author has indeed found that those who have received a “bomb-die” as a gift have become more aware of the problem and changed their habits as to the degree of attention and care they devote to ensuring a sustained maintenance effort to take all the Protection Layer components back to an “as new” condition. As the passive element of any culture entails habits, customs and usage, this simple game generated a positive cultural growth dynamics in PSM (Process Safety Management), the key objective of the CCPS’s mission. It is the author’s recommendation that those companies truly interested in keeping their processes safe should join the CCPS and use the services the organization provides, as well as its extensive literature, to broaden their knowledge on the subject and adopt the recommended steps required for an effective operating process safety. Readers may also want to refer to other articles written by this author on the various stages of the Safety Life Cycle (SLC). Roberto Fernandez Blanco, Eng. (Buenos Aires, Argentina) ********************************************************************** Keywords:

CCPS: Chemical Center for Process Safety HAZARD: Potential danger residing in—and inherent to—the process SIF: Safety Instrumented Function FOP: Flame Out Probability PFD: Probability of Failure on Demand RRF: Risk Reduction Factor SIL: Safety Integrity Level SLC: Safety Life Cycle PSM: Process Safety Management

SIL or RRF

Documents

Transcript of SIL or RRF