A Safety Instrumented System (SIS) is a set of devices and software that perform one or more Safety Instrumented Functions (SIF). Each SIF has a stated Safety Integrity Level (SIL). The SIL is related to the probability that the SIF will Not work when challenged (when needed). The higher the SIL, the more redundant and sophisticated the shutdown system becomes, and therefore the more reliable it becomes. A SIL 1 will fail less than 1 in 10 times and a SIL 2 will fail less than 1 in 100 times it is challenged. There are 6 major aspects (broken into steps) for SISs. In brief, these steps are:

  • SIF/SIL determination: This is deciding (1) if a SIF is needed and, if so, (2) what the SIL of the SIF should be. SIF/SIL determination should be, and normally is, performed within a PHA/HAZOP. You first find the accident scenarios, decide what can go wrong and how, and then determine what independent levels of protection you have and whether these are sufficient to keep the risk at acceptable levels; if not, the PHA/HAZOP recommends a SIF and SIL. Note that about 1% to 5% of the time, a HAZOP team does not fully understand an accident scenario; in such cases, a further analysis may be needed. The best method for this further analysis is LOPA (Layer of Protection Analysis).
    • Note that there are a couple of other methods to determine SIF and SIL, but these normally grossly overestimate the number of SIFs and the level of SIL. One refinery had a SIL vendor perform this step (outside of a PHA/HAZOP that had already been done reasonably well) for them using RiskGraph. The vendor recommended and later convinced the client refinery to install about 110 different SIFs of SIL 1 to SIL 2; this was for only ONE refinery unit. (This is way too many SIFs, which is what PII told the refinery representatives who asked us later about this number. We said that normally, for a typical, complex refinery unit, we end with about 10-12 SIFs, perhaps one is SIL 2 and the rest are SIL 1.) When the refinery tried to start up, the unit tripped each time (due to too many SIFs). The refinery then disabled the SIFs they thought were excessive and ended up with about 12 SIFs in the final configuration. These are likely all they need and the original PHA/HAZOP report pretty much agrees. The lesson is always use a PHA/HAZOP (and in rare cases, a LOPA analyst) to determine the SIF/SIL needed. Do Not let the SIL vendors or SIL consultants determine what is needed; if you do, they may use other methods that will require far more SIFs than are needed; perhaps 10 times more than is needed. The mistake above cost the refinery tens of millions of dollars of wasted resources.
  • SIF specification: This involves (usually) process engineers who take the request of the HAZOP team (or perhaps LOPA analyst) and design the SIS to provide the SIF with the requested SIL. This means also making sure the proper sequence of functions is considered in the design and the interaction with the DCS (BPCS) is accounted for.
  • SIF design: This is normally done by a SIL vendor to meet the SIL specification and requires instrumentation specialists and perhaps instrumentation engineers.
  • SIL verification: This should be done by the owner company to make sure the SIL design will provide the SIL needed, without causing harm due to trips. This requires a fault tree analysis (FTA) or Markov analysis to complete a quantitative risk analysis of the design. Most folks use the proprietary database and calculation program for this task. You can also let your SIL vendor do this. Note that the current version of the SIS international standards has a problem in the requirements for SIL verification. The plans are to fix this problem before the end of 2010. The problem is that the current SIL verification methods do not Require the inclusion of the possibilities of humans leaving the bypasses on, or bypass valves open, or root valves closed (any of which can happen if testing is required without shutting down a system). They also do not Require inclusion of other systemic failures in the calculation of SIL, such as plugging of all instrument taps by the same phenomenon internal to the process (such as dirt, debris, polymerization). Omitting these systemic failures can be a very Big Deal. For instance, there are many SIL 2 and SIL 3 systems that will only have a SIL 1 reliability if the human and other systemic errors are accounted for in the SIL verification calculations. This means that you could specify, order, and install a SIL 3 system, only to have the actual performance of a SIL 1 system. SIL 3 systems cost 5 times more than SIL 1, and more importantly, a SIL 3 would only be installed if extreme risk was present and if a SIL 3 was the Only way to control the risk. In such cases, you may believe you are installing a SIL 3, but in fact the SIF could have a 100 times higher failure rate due to these systemic errors and process problems.
  • SIS installation: The vendor or the owner technicians normally do this.
  • SIS functional checks: The owner process technicians normally do this in the field as part of operational readiness checks or pre-startup safety reviews (PSSRs).
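
The effect described under SIL verification can be seen by adding systemic failure events to the top of a fault tree. The following is an added example, not PII's calculation method or code: the hardware figure and the systemic probabilities are constructed for illustration, the SIL bands are the low-demand PFDavg ranges of IEC 61508/61511, and the events are assumed independent so they combine through a simple OR gate.

```python
import math

# Upper PFDavg bound (exclusive) for each SIL in low-demand mode.
SIL_UPPER_BOUNDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def sil_from_pfd(pfd):
    """Return the SIL achieved by a given PFDavg, or 0 if worse than SIL 1."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd < upper:
            return sil
    return 0


def or_gate(probabilities):
    """Fault-tree OR gate: the SIF fails if any independent event occurs."""
    return 1.0 - math.prod(1.0 - p for p in probabilities)


def verify(hardware_pfd, systemic_events):
    """Compare the SIL claimed from hardware alone with the SIL achieved
    once systemic events (name -> probability per demand) are included."""
    total = or_gate([hardware_pfd, *systemic_events.values()])
    dominant = max(systemic_events, key=systemic_events.get) if systemic_events else None
    return {
        "claimed_sil": sil_from_pfd(hardware_pfd),
        "total_pfd": total,
        "achieved_sil": sil_from_pfd(total),
        "dominant_event": dominant,
    }


# Constructed inputs: a design whose hardware-only PFDavg sits in the SIL 3 band.
HARDWARE_PFD = 5e-4
SYSTEMIC_EVENTS = {
    "bypass left on after proof test": 1e-2,
    "root valve left closed": 5e-3,
    "all instrument taps plugged by the same fouling": 8e-3,
}

if __name__ == "__main__":
    result = verify(HARDWARE_PFD, SYSTEMIC_EVENTS)
    print(f"claimed SIL {result['claimed_sil']}, achieved SIL {result['achieved_sil']}, "
          f"PFDavg {result['total_pfd']:.4f}, dominant: {result['dominant_event']}")
```

With these inputs the hardware no longer drives the result: the single largest systemic event alone is enough to push the SIF out of the SIL 3 and SIL 2 bands.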

Note that PII staff are expert at all of the above. For instance, our staff were co-authors of the textbooks on how to properly lead and document HAZOPs, sponsored by AIChE/CCPS. Our staff co-invented LOPA and were primary authors of the first textbook on LOPA and are authoring the second textbook on LOPA now, again sponsored by AIChE/CCPS. And we are helping the SIS standards committee (ANSI/ISA committee) to fix the requirements of Step 4, SIL Verification, to include consideration of systemic errors such as human errors. We already do the calculations right at PII.

If you want to know more about how we can help your organization with SIS, please Contact Us.
