Intro4u2u



SIL X or SIL4 in IPF HIPS vs HIPPS

Hazard and Risk Analysis

In the United States, OSHA Process Safety Management (PSM) and EPA Risk Management Program (RMP) regulations dictate that a PHA be used to identify potential hazards in the operation of a chemical process and to determine the protective measures necessary to protect workers, the community, and the environment.

The scope of a PHA may range from a very simple screening analysis to a complex hazard and operability study (HAZOP).

A HAZOP is a systematic, methodical examination of a process design that uses a multi-disciplinary team to identify hazards or operability problems that could result in an accident. A HAZOP provides a prioritized basis for the implementation of risk mitigation strategies, such as SISs or ESDs.

If a PHA determines that the mechanical integrity of a process and the process control are insufficient to mitigate the potential hazard, an SIS is required. An SIS consists of the instrumentation or controls that are installed for the purpose of mitigating a hazard or bringing a process to a safe state in the event of a process upset.

A compliant program incorporates “good engineering practice.” This means that the program follows the codes and standards published by such organizations as the American Society of Mechanical Engineers, American Petroleum Institute, American National Standards Institute, National Fire Protection Association, American Society for Testing and Materials, and National Board of Boiler and Pressure Vessel Inspectors. Other countries have similar requirements.

Safety Integrity Levels

The figure below shows the relationship between DIN V 19250 requirement classes (AK classes) and safety integrity levels (SILs). As the required SIL increases, SIS integrity increases as measured by:

* System availability (expressed as a percentage)
* Average probability-to-fail-on-demand (PFDavg)
* Risk reduction factor (RRF, reciprocal of PFDavg)

The relationship between AK class and SIL is extremely important and should not be overlooked. These designations were developed in response to serious incidents that resulted in the loss of life, and are intended to serve as a foundation for the effective selection and appropriate design of safety instrumented systems.

[Figure: relationship between DIN V 19250 AK classes and safety integrity levels (image sis2.gif not reproduced)]

Determining a Safety Integrity Level

If a PHA concludes that an SIS is required, ANSI/ISA S84.01 and IEC 61508 require that a target SIL be assigned. The assignment of a SIL is a corporate decision based on risk management and risk tolerance philosophy. Safety regulations require that the assignment of SILs be carefully performed and thoroughly documented.

Completion of a HAZOP determines the severity and probability of the risks associated with a process. Risk severity is based on a measure of the anticipated impact or consequences, including:

* On-site consequences
* Worker injury or death
* Equipment damage
* Off-site consequences
* Community exposure, including injury and death
* Property damage
* Environmental impact
* Emission of hazardous chemicals
* Contamination of air, soil, and water supplies
* Damage to environmentally sensitive areas

A risk probability is an estimate of the likelihood that an expected event will occur. A risk probability is classified as high, medium, or low, and is often based on a company’s or a competitor’s operating experience. Several methods of converting HAZOP data into SILs are used. Methods range from making a corporate decision on all safety system installations to more complex techniques, such as an IEC 61508 risk graph.

Example SIL Calculation

As a PES (programmable electronic system), the controller is designed to minimize its contribution to the SIL, thereby allowing greater flexibility in the SIS design.


* Tricon controller failure rates have been independently calculated by Factory Mutual System. A copy of Factory Mutual Technical Report, “An Estimation of the Failure Rates for Modules Used in the Triconex Tricon 9 System,” FMRC J.I. 003003840, is available upon request.


Equation for Calculating PFDavg for Sensors

The following simplified equation may be used to calculate PFDavg for sensors voted 2oo3:

PFDavg = (λDU*TI)²

where the following variables are supplied by the manufacturer:

λDU = dangerous undetected (DU) failure rate, in failures per hour
TI = proof test interval in hours

Equation for Calculating PFDavg for Block Valves

The following simplified equation may be used to calculate PFDavg for block valves voted 1oo2 in series (final elements):

PFDavg = ⅓(λDU*TI)²

where the following variables are supplied by the manufacturer:

λDU = dangerous undetected (DU) failure rate, in failures per hour
TI = proof test interval in hours

Equation for Calculating PFDavg for System

The following simplified equation may be used to calculate PFDavg for a system.

System PFDavg = Sensors PFDavg + Block Valves PFDavg + Controller PFDavg

Using the Equations

Subsystem                          λDU (per hour)   TI (hours)   PFDavg      Subtotal
Pressure Transmitters (2oo3)       2.28E-06         4380         1.00E-04
Temperature Transmitters (2oo3)    2.85E-06         4380         1.56E-04
Total for Sensors                                                            2.56E-04

Block Valves (1oo2)                2.28E-06         4380         3.33E-05
Total for Block Valves                                                       3.33E-05

Tricon Controller                                                            2.00E-05
PFDavg for System                                                            3.09E-04

To determine the SIL, compare the calculated PFDavg to the figure on page 4. In this example, the system is acceptable as an SIS for use in SIL3 applications.
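The table above, worked in Python as an added example (not code from the page, Triconex or PCS): it applies the page's simplified equations to the tabulated λDU and TI values, maps the system PFDavg to the IEC 61508 low-demand SIL bands (assumed here to be what the page's "figure on page 4" shows), reports each subsystem's share of the PFDavg, and, going beyond the page's single interval, scans for the longest common proof test interval that still meets SIL 3.

```python
"""Added example (not from the page, Triconex or PCS): PFDavg and SIL for the
worked SIF above, using the page's simplified equations. Assumes the IEC 61508
low-demand SIL bands for the PFDavg-to-SIL mapping."""
from dataclasses import dataclass, replace
from typing import Dict, List

# IEC 61508-1 low-demand bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Simplified PFDavg equations quoted on the page, keyed by voting architecture.
# lambda_du: dangerous undetected failure rate (per hour); ti: proof test interval (hours).
SIMPLIFIED_PFD = {
    "2oo3": lambda lambda_du, ti: (lambda_du * ti) ** 2,
    "1oo2": lambda lambda_du, ti: (lambda_du * ti) ** 2 / 3.0,
}


@dataclass(frozen=True)
class Subsystem:
    name: str
    architecture: str          # "2oo3", "1oo2", or "vendor" for a vendor-supplied PFDavg
    lambda_du: float = 0.0     # per hour, ignored for "vendor"
    ti_hours: float = 0.0      # proof test interval, ignored for "vendor"
    vendor_pfd: float = 0.0    # e.g. the controller PFDavg quoted on the page

    def pfd_avg(self) -> float:
        if self.architecture == "vendor":
            return self.vendor_pfd
        return SIMPLIFIED_PFD[self.architecture](self.lambda_du, self.ti_hours)


def system_pfd_avg(subsystems: List[Subsystem]) -> float:
    """System PFDavg = sensors PFDavg + block valves PFDavg + controller PFDavg."""
    return sum(s.pfd_avg() for s in subsystems)


def sil_for_pfd(pfd: float) -> int:
    """SIL band containing pfd; 0 if worse than SIL 1. Below 1e-5 is reported as 4
    (IEC 61508 defines no SIL above 4). Architectural constraints (minimum hardware
    fault tolerance) are a separate check not covered here."""
    if pfd < SIL_BANDS[0][1]:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFDavg."""
    return 1.0 / pfd


def contributions(subsystems: List[Subsystem]) -> Dict[str, float]:
    """Fraction of the system PFDavg contributed by each subsystem."""
    total = system_pfd_avg(subsystems)
    return {s.name: s.pfd_avg() / total for s in subsystems}


def with_test_interval(subsystems: List[Subsystem], ti_hours: float) -> List[Subsystem]:
    """Copy of the SIF with every proof-tested subsystem set to the same test interval."""
    return [s if s.architecture == "vendor" else replace(s, ti_hours=ti_hours)
            for s in subsystems]


def longest_test_interval_for_sil(subsystems, target_sil, step_hours=24, max_hours=87600):
    """Longest common proof test interval (a multiple of step_hours) that still meets
    target_sil. PFDavg grows monotonically with TI, so a linear scan is sufficient."""
    best = 0
    ti = step_hours
    while ti <= max_hours:
        if sil_for_pfd(system_pfd_avg(with_test_interval(subsystems, ti))) < target_sil:
            break
        best = ti
        ti += step_hours
    return best


# The page's worked example: lambda_du and TI as tabulated, controller PFDavg as quoted.
PAGE_EXAMPLE = [
    Subsystem("Pressure transmitters (2oo3)", "2oo3", lambda_du=2.28e-6, ti_hours=4380),
    Subsystem("Temperature transmitters (2oo3)", "2oo3", lambda_du=2.85e-6, ti_hours=4380),
    Subsystem("Block valves (1oo2)", "1oo2", lambda_du=2.28e-6, ti_hours=4380),
    Subsystem("Tricon controller", "vendor", vendor_pfd=2.00e-5),
]

if __name__ == "__main__":
    pfd = system_pfd_avg(PAGE_EXAMPLE)
    print(f"System PFDavg = {pfd:.2E}  SIL {sil_for_pfd(pfd)}  RRF = {risk_reduction_factor(pfd):.0f}")
    for name, share in contributions(PAGE_EXAMPLE).items():
        print(f"  {name:32s} {share:6.1%}")
    print("Longest common TI still meeting SIL 3:",
          longest_test_interval_for_sil(PAGE_EXAMPLE, 3), "hours")
```

Doubling the page's 6-month interval to 8760 hours pushes this SIF into the SIL 2 band, which is why the proof test interval is a conceptual design decision and not an afterthought.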

Safety Life Cycle Model

The necessary steps for designing an SIS from conception through decommissioning are described in the safety life cycle. Before the safety life cycle model is implemented, the following requirements should be met:

* Hazard and operability study has been completed
* SIS requirement has been determined
* Target SIL has been determined

PES Steps in a Safety Life Cycle:

1. Develop a safety requirement specification (SRS).

An SRS consists of safety functional requirements and safety integrity requirements. An SRS can be a collection of documents or information.

Safety functional requirements specify the logic and actions to be performed by an SIS and the process conditions under which actions are initiated. These requirements include such items as consideration for manual shutdown, loss of energy source, etc.

Safety integrity requirements specify a SIL and the performance required for executing SIS functions. Safety integrity requirements include:
* Required SIL for each safety function
* Requirements for diagnostics
* Requirements for maintenance and testing
* Reliability requirements if the spurious trips are hazardous

2. For conceptual design, an engineer should:
* Define the SIS architecture to ensure the SIL is met; e.g., voting 1oo1, 1oo2, 2oo2, 2oo3
* Define the logic solver to meet the highest SIL if different SIL levels are required in a single logic solver
* Select a functional test interval to achieve the SIL
* Verify the conceptual design against the SRS

3. Develop a detail design including:
* General requirements
* SIS logic solver
* Field devices
* Interfaces
* Energy sources
* System environment
* Application logic requirements
* Maintenance or testing requirements

Some key ANSI/ISA S84.01 requirements are:
* The logic solver shall be separated from the basic process control system (BPCS)
* Sensors for SIS shall be separated from the sensors for the BPCS
* The logic system vendor shall provide:
  o MTTF data
  o Covert failure listing
  o Frequency of occurrence of identified covert failures
* Each individual field device shall have its own dedicated wiring to the system I/O. Using a field bus is not allowed!
* A control valve from the BPCS shall not be used as a single final element for SIL3
* The operator interface may not be allowed to change the SIS application software
* Forcing shall not be used as a part of application software or operating procedures
* When on-line testing is required, test facilities shall be an integral part of the SIS design
4. Develop a pre-start-up acceptance test procedure that provides a fully functional test of the SIS to verify conformance with the SRS.
5. Before startup, establish operational and maintenance procedures to ensure that the SIS functions comply with the SRS throughout the SIS operational life, including:
* Training
* Documentation
* Operating procedures
* Maintenance program
* Testing and preventive maintenance
* Functional testing
* Documentation of functional testing
6. Before start-up, complete a safety review.
7. Define procedures for the following:
* Start-up
* Operations
* Maintenance, including administrative controls and written procedures that ensure safety if a process is hazardous while an SIS function is being bypassed
* Training that complies with national regulations (e.g., OSHA 29 CFR 1910.119)
* Functional testing to detect covert faults that prevent the SIS from operating according to the SRS
* SIS testing, including:
o Sensors
o Logic solver
o Final elements (e.g., shutdown valves, motors, etc.)
8. To ensure that no unauthorized changes are made to an application program, as mandated by OSHA 29 CFR 1910.119, follow management of change (MOC) procedures.
9. To ensure proper review, decommission an SIS before its permanent retirement from active service.

SCAMP® Safety Compliance Auditing and Maintenance Program

SIS safety audits are requirements for validation of the design safety function.

IEC 61511, true to the criteria of a performance-based standard, has no specific requirements regarding the frequency or the procedures. However, the safety audits must be independent and objective.

Process industry experience indicates that:

* An audit frequency of 3 years is a starting point. Based on the number of negative findings, the frequency may be adjusted accordingly.
* Individuals conducting the audit should be independent of the plant personnel.
* The standards and/or corporate documents against which the audit is to be conducted should be agreed upon in advance.
* Review of procedures should reveal whether they are in place, understood and followed.
* Interviews should start with managers, followed by engineering and finally operations and maintenance personnel.
* All maintenance and testing records should be reviewed in detail.
* Especially critical is the review of management of change records.
* Visual inspection of field equipment condition and tagging is a key indicator of general health.
* Checking for unauthorized systems in bypass is critical.
* Records of the SIL for each SIF should be clearly documented.
* Records of the validation of the SIL and RRF for each SIF should be documented.
* Records of the number and cause of process demands should be clearly documented.
* Records of the number and cause of nuisance trips should be clearly documented.
* Records of the actual failure rates of the SIS devices, as they compare to the design assumptions, should be clearly documented.
* Documentation should reflect the up-to-date installed hardware and software.

The safety audits are normally conducted by corporate personnel independent of the plant and/or by specialized consulting companies, such as Premier Consulting Services.

SCAMP® Safety Compliance Auditing and Maintenance Program is an excellent service for this phase of the safety lifecycle and for compliance with IEC 61511 clause 16.1.1, which states: “To ensure that the required SIL of each safety instrumented function is maintained during operation and maintenance” and “To operate and maintain the SIS so that the designed functional safety is maintained.”

COSIL® Safety System SILwatch IPF Study

IEC 61511 requires that the SIS be operated and maintained so that the designed safety function is preserved. The SIL of each SIF must be maintained throughout the lifecycle of the plant.

This function is usually performed by the user/operator and/or a maintenance contractor. However, the responsibility resides with the owner.

The operation and maintenance plan should address, at minimum, the following:

* Proof testing, preventive and breakdown maintenance activities.
* Verification of adherence to operation and maintenance procedures.
* Designation and competence of persons, departments and organizations responsible.
* Schedule adherence to all activities.
* Additional mitigation actions necessary during bypass and/or testing.
* Recording of actual process demand rate on the SIS.
* Identification of the cause of process demands.
* Recording of actual failure rates of SIS devices, including field equipment.
* Identification of the cause of false trips.
* Correct operation of each field sensor and final element.
* Correct logic action of the SIS.
* Correct alarms and indicators.
* Verification and Validation of actual SIL of each SIF and confirmation of equipment failure rate assumptions during the design phase, as well as adequacy of the proof test interval necessary to maintain the designed safety function.

Note: the COSIL® Safety System management tool-set, for on-line, real-time continuous SIL monitoring of all the Safety Instrumented Functions (SIF) in a process plant’s SIS, is an excellent tool that provides the mechanism for SIS operation and maintenance validation.

COSIL® additionally provides the functionality to perform continuous on-line calculations of each Safety Instrumented Function’s (SIF) instantaneous probability to fail on demand (PFD). This measurement provides plant engineers with real-time data for evaluating the actual instantaneous Risk Reduction Factor (RRF), conducive to better decision making in the area of plant safety improvements. Knowledge of the instantaneous PFD provides a wealth of information over and above the PFDavg-based SIL.

COSIL® is applicable to both “Demand mode of operation” and “Continuous mode of operation” as defined in IEC 61511-1 paragraph 3.2.43.2.

PHA and/or SRS issues

IEC 61511 requires that a functional safety assessment (FSA) be performed prior to the introduction of process materials into the equipment under control (EUC). This requirement is similar to the pre-startup safety review (PSSR) called for by OSHA and other regulatory bodies around the world.

IEC 61511 requires that at least one senior, competent person, independent from the project team, take part in the FSA. This independent individual must have the authority to prevent the process unit startup, if necessary.

The Functional Safety Assessment is documented in a “SIS validation plan” and is usually performed by the user/operator in conjunction with the engineering contractor and/or the SIS vendor. The FSA should at minimum verify the following:

* The SIS has been constructed, installed and tested in accordance with the SRS.
* All procedures for safety, operation, maintenance and management of change (MOC) are complete and in place.
* Any pending PHA and/or SRS issues are resolved and implemented.
* Operations and maintenance personnel are trained and competence is documented.
* Application software is validated in accordance with validation plan.
* All safety instrumented functions perform according to the SRS.
* Bypasses, overrides and reset functions perform in accordance with SRS.
* SIS is not affected by adverse interactions of the BPCS or any shared instrumentation.
* Loss of utilities does not impede proper SIS action.
* Verification of EMC immunity.
* BRPB or other manual independent e-stop operates correctly.
* Critical safety alarms function as per the SRS.
* HMI graphics function correctly.
* SIS safety validation (SAT) completed prior to startup.
* PSSR completed. All bypasses returned to normal, isolation valves set to startup position, test materials removed and all forces removed.

Phase of the SIS project

Installation and Commissioning activities involve strict planning and implementation activities in compliance with the detail design and the SRS.

This phase of the SIS project is usually implemented by a combination of the engineering contractor, SIS vendor and the user.

The following considerations are accounted for:

* Installation and Commissioning plan.
* Procedures, measures and techniques to be used.
* Persons, departments and organizations responsible.
* Safety loop drawings / instrument lists.
* Field instrumentation calibration.
* Power and grounding verified.
* Equipment functional tests.
* Loop checks.
* Interface communications tests.
* Application software version control.
* As built drawings verified against SRS.
* PSAT – Pre-Startup Acceptance Test.

IPF PIU SRS (Safety Requirements Specification)

The detailed design phase of a typical SIS project entails implementing the “Conceptual Design” through good engineering practices, verifying all the requirements in the SRS (Safety Requirements Specification).

The detailed design is usually performed by the SIS vendor and/or the engineering contractor.

The following considerations are accounted for:

* Verification of site applicable standards (API, NFPA, MMS, Authority Having Jurisdiction, etc.).
* Power and Grounding drawings.
* Field equipment installation drawings.
* Field wiring layouts / junction boxes, etc.
* Intrinsic safety, explosion proof considerations.
* Environmental considerations.
* Logic solver equipment layout drawings.
* Cabinet integration drawings.
* Communications wiring drawings.
* HMI workstations layout.
* Application program development.
* Verification of use of Fixed or Limited Variability Languages.
* Use of V-Model or other verification process.
* Peer review and testing of application software.
* Application software behavior in presence of hardware failures.
* Security implementation (access restrictions).
* HMI screens development.
* Critical alarms implementation.
* Implementation of bypass keys / permissives / inhibits.
* Maintenance procedures development.
* Proof Testing procedures development.
* FAT - Factory Acceptance Test.

IPF AK4 Fault Tree Analysis (FTA)

IEC 61511 and ANSI/ISA S84.01-2003 require a quantitative verification of the SIL of each SIF to meet the target SIL determined in the SRS.

Modeling methods are referred to in IEC 61511-2 Annex A and described in IEC 61508-6 and ISA TR84.0.02:

1. Reliability block diagram technique
2. Simplified equations technique
3. Fault tree analysis technique
4. Markov modeling technique

The modeling technique is selected as appropriate for each application.

Fault Tree Analysis (FTA) was developed in the 1960s by Bell Laboratories in the United States. During the Polaris Missile Project, FTA was utilized to evaluate the probability of an inadvertent launching of a Minuteman missile. FTA has been used extensively by the military, the space program, and the nuclear industry. It is a highly adaptable logic-diagram-based technique that can be readily applied to the processes of the refining, petrochemical, chemical, oil and gas production, pipeline, pulp and paper, utility, nuclear, manufacturing and pharmaceutical industries. Premier Consulting Services recommends this FTA technique for complete quantified SIF SIL verification.

The principal benefits include:

* A clear graphical representation of the system.
* Mathematical models for numerous modes of operation (i.e., repairable, non-repairable, and stand-by).
* Results directly indicate key contributors to system unavailability.
* Consideration of sensitivity cases for modifications to system components, architecture, and component testing intervals.
* Easy conversion of system model for evaluation of nuisance trip rates.

Fault tree analysis is a top down deductive method for identifying the numerous ways in which equipment failures, software failures, human error, environmental factors, and external events can lead to accidents or other undesirable conditions. A fault tree model consists of a top event and a connecting logic structure of events that must take place in order for the undesired top event to result. In the evaluation of Safety Instrumented Systems, there are two scenario top events that are typically of interest: SIS Failure on Demand and SIS Spurious Trip.

A model of the SIS failure on demand investigates the potential for the SIS failing to perform its designed safety function. In a failure on demand, the process plant is experiencing an undesired condition that the SIS has been designed to detect and, upon detection, automatically take the process to a safe state; because of a latent failure, however, the SIS fails to function, allowing the undesired condition and its consequences to continue. Simply stated, the SIS fails to perform its designed function when needed.

The second scenario top event that is considered in the evaluation of SIS is a spurious trip. In the event of a spurious trip, the SIS has taken action when no process condition warranting such action is present.

Both the failure on demand and the spurious trip are critical performance characteristics of an SIS.

The fault tree model consists of a single top event, a number of simple faults called basic events and logical operators that dictate how the basic events must combine to result in failure described by the fault tree top event.

Basic events, which represent a simple failure or fault, are the building blocks of the model. A basic event may be a hardware failure, a human error, or an adverse condition. Basic events are always assumed to be independent of each other. A common cause event must be modeled as its own basic event, and be assigned its own failure probability or failure rate. This event is then regarded as statistically independent of all other basic events.

Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event.

The basic events are assigned a corresponding “failure rate”, “proof test interval” and “mission time” data for computation in the Fault Tree. The resulting PFDavg calculation for each SIF is referenced to the SIL number and compared with the target SIL determined in the SRS. This constitutes the quantified SIL verification process for the fail to function or Safety Availability.

A second Fault Tree is constructed to verify the MTTFspurious. The computed result is compared with the maximum spurious trip rate established in the SRS. This constitutes the quantified verification of the spurious trip rate.

Special Tools

Fault Tree Analysis requires the use of Boolean algebra for the mathematical quantification in order to achieve correct and repeatable results. Therefore, a computer model is recommended for quantification of the fault trees. The US Department of Energy supports a fault tree analysis program with the appropriate mathematics capability and minimum cut sets assessments, which was initially developed for the Nuclear Industry. The software package, SAPHIRE® (Systems Analysis Programs for Hands-on Integrated Reliability Evaluations), is utilized by Premier Consulting Services.

Additionally, PCS may also utilize SILwatch™, which is a Fault Tree based computer modeling tool for the simpler safety instrumented functions. Both tools have been verified to yield equivalent and repeatable results.
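The fault tree structure described above (a single top event, basic events with common cause modeled as its own independent event, AND/OR gates) and the Boolean minimal cut set quantification mentioned under Special Tools, as an added Python example (not code from the page, SAPHIRE® or SILwatch™): it derives the minimal cut sets by Boolean expansion with absorption, ranks them as contributors to unavailability, and computes the top-event probability exactly by enumerating basic-event states. The basic-event probabilities (λDU·TI/2 per device, an assumed 5 % common cause share, the page's 2.00E-05 for the logic solver) are constructed assumptions for illustration.

```python
"""Added example (not from the page, SAPHIRE or SILwatch): a fault tree for the
'SIS failure on demand' top event, with minimal cut sets and an exact top-event
probability. Basic-event data below are constructed for illustration."""
from itertools import product
from math import prod


class Gate:
    """AND/OR gate whose children are Gates or basic-event names (strings)."""
    def __init__(self, kind, *children):
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.kind = kind
        self.children = children


def minimal_cut_sets(node):
    """Minimal cut sets of the tree under node, as a set of frozensets of basic events.
    OR = union of the children's cut sets; AND = every way of picking one cut set per
    child, merged. Absorption then drops any cut set that contains another one."""
    if isinstance(node, str):
        return {frozenset([node])}
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":
        cuts = set().union(*child_sets)
    else:
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {c for c in cuts if not any(o < c for o in cuts)}


def evaluate(node, state):
    """True if the top event occurs for state (basic event -> True when failed)."""
    if isinstance(node, str):
        return state[node]
    values = [evaluate(c, state) for c in node.children]
    return all(values) if node.kind == "AND" else any(values)


def top_event_probability(node, probs):
    """Exact probability for independent basic events: sum the probability of every
    combination of basic-event states in which the top event is true (2**n states,
    fine for a SIF-sized tree)."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(node, state):
            total += prod(probs[n] if failed else 1.0 - probs[n] for n, failed in state.items())
    return total


def cut_set_ranking(node, probs):
    """Rare-event estimate per minimal cut set (product of its event probabilities),
    largest first: the key contributors to unavailability."""
    rows = [(tuple(sorted(cs)), prod(probs[e] for e in cs)) for cs in minimal_cut_sets(node)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def pfd_single(lambda_du, ti_hours):
    """Average unavailability of one proof-tested component, lambda_du * TI / 2 (assumed)."""
    return lambda_du * ti_hours / 2.0


# Constructed data: transmitters and valves reuse the page's lambda_du and 6-month TI;
# each common cause event is assumed at 5 % of a single device; logic solver as on the page.
TI = 4380
PT = pfd_single(2.28e-6, TI)
VALVE = pfd_single(2.28e-6, TI)
PROBS = {"PT1": PT, "PT2": PT, "PT3": PT, "CCF_PT": 0.05 * PT,
         "V1": VALVE, "V2": VALVE, "CCF_V": 0.05 * VALVE, "LOGIC": 2.0e-5}

# 2oo3 transmitters fail dangerously when any two fail, or on common cause.
SENSORS_2OO3 = Gate("OR", Gate("AND", "PT1", "PT2"), Gate("AND", "PT1", "PT3"),
                    Gate("AND", "PT2", "PT3"), "CCF_PT")
# 1oo2 block valves in series fail to isolate only if both fail, or on common cause.
VALVES_1OO2 = Gate("OR", Gate("AND", "V1", "V2"), "CCF_V")
SIS_FAILS_ON_DEMAND = Gate("OR", SENSORS_2OO3, "LOGIC", VALVES_1OO2)

if __name__ == "__main__":
    for events, p in cut_set_ranking(SIS_FAILS_ON_DEMAND, PROBS):
        print(f"{' AND '.join(events):14s} {p:.2E}")
    print(f"Top event PFD (exact) = {top_event_probability(SIS_FAILS_ON_DEMAND, PROBS):.2E}")
```

With these constructed numbers the two common cause events outrank every redundant pair, which is the usual finding and the reason the page insists that common cause be modeled as its own basic event.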

SIL Verification

Inputs:

* SRS - Safety Requirements Spec.
* P&ID’s and/or Cause and Effect Matrix
* Instrumentation description
* Interlock description
* Expected proof testing frequency
* Process Safety Hazard Analysis

Deliverables:

* Safety Availability (PFDavg)
* Minimal cut-sets
* Devices % contributions to PFDavg
* SIL verification to SRS targets
* MTTFspurious (Spurious trip rate)
* Recommendations for proof test intervals
* Recommendations for SIS improvements
* Tools: SAPHIRE® and SILwatch™

Safety Lifecycle requires a solid “Conceptual design”

The SIS design and engineering phase of the Safety Lifecycle requires a solid “Conceptual design” which develops and verifies that all the items defined in the SRS (Safety Requirements Specification) are fulfilled, including:

* Field instrumentation redundancy requirements and voting scheme.
* Field instrumentation process connection requirements, considering possible tap plugging, freezing, etc.
* Logic solver technology per the SRS.
* Cabinet integration requirements, material/temperature/humidity limits.
* BPCS technology and communication requirements.
* Field and communication wiring / routing requirements.
* Power source requirements, such as redundancy and/or UPS.
* Environmental requirements, lightning, flooding, extreme temperatures.
* Requirements for intrinsic safety / explosion proof.
* SIS equipment and junction boxes identification / tags / color painted, etc.
* Possible sources of common cause failures of the SIS.
* Non-safety instrumented functions in the SIS that may negatively affect a SIF shall be treated as part of the SIS complying with the highest SIL requirements.
* Common hardware and software SIS that share SIF of different SIL will be designed to meet the highest SIL.
* BPCS-SIS separation, independence and diversity shall be assessed.
* Requirements for operability, maintainability and testability shall be assessed. (i.e. bypass facilities for on-line testing, including alarms when in bypass).
* Design of HMI shall account for human capabilities and limitations and accommodate level of operator training.
* Manual E-Stop should be implemented per the SRS.
* Subsystems that do not fail to the safe state on loss of power require line monitoring and special power loss detection measures.
* Action required upon detection of a fault, either by diagnostics or proof testing.
* Operator response time to critical alarms shall be accounted for.
* Bypasses protection by key locks or passwords shall be implemented.
* SIS status, such as active, bypassed or tripped shall be a function of the HMI.
* SIS operator interface shall be protected against unauthorized changes.
* Any failure of the SIS maintenance/engineering interface should not prevent the SIS from bringing the process to its safe state.
* The maintenance /engineering interface should not be used as operator interface.
* SIS communication failures should not prevent the SIS from bringing the process to its safe state.
* Electromagnetic interference and power surges in the SIS communication should not cause dangerous failures.
* Where required by the SRS, the design should allow for on-line proof testing of the SIS, either end to end or in parts.
* Operator should be alerted of the bypass of any part of the SIS by an alarm or procedure.
* Forcing of I/O in the PES should not be allowed, unless supplemented by procedures and access security.

Conceptual Design

Inputs:

* SRS - Safety Requirements Specification
* Field technology / voting
* PES technology
* Power sources data
* Environmental data
* Project data gathered during study

Deliverables:

* Power & Grounding conceptual drawings
* Field installation typical drawings
* Bypass typical drawings
* E-Stop typical drawings
* HMI Requirements
* Communication requirements
* SIS P&ID’s (as applicable)
* SIS Cause & Effect Matrix (as applicable)

Proven-In-Use (PIU) requirements of IEC 61511

IEC 61511 and ANSI/ISA S84.01-2003 require that components and subsystems (sensors, logic solvers and final elements) for use as part of a SIS for SIL 1 to SIL 3 applications, be designed in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else comply with the Proven-In-Use (PIU) requirements of IEC 61511.

Additionally, the standards require that sensors, logic solvers and final elements selected for use as part of a SIS for SIL 1 to SIL 3 applications conform to a Minimum Hardware Fault Tolerance (MHFT) criteria.

The MHFT has been defined to alleviate potential shortcomings in SIF design that may result due to the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of components or subsystems used in various process applications.

IEC 61511 and ANSI/ISA S84.01-2003 have further design requirements regarding the independence of the SIS and the BPCS (sensors, logic solver and final elements). IEC 61511-2 clause 11.2.4 deals with the special concern for SIS-BPCS Separation, Independence, Diversity, Hardware common cause, Systematic (software) common cause and Human errors.

Premier Consulting Services provides expert consulting in the selection of components and subsystems (sensors, logic solvers and final elements), addressing the requirements of “proven-in-use” and “minimum hardware fault tolerance” in IEC 61511 and ANSI/ISA S84.01-2003. Specific emphasis is placed on determining the adequacy of field devices with “prior use” records, including the number of these devices with sufficient operating experience in a similar operating profile and process application environment. PCS provides further guidance and analysis of test results (e.g., FMEDAs) or third party certifications (e.g., TÜV, FM, etc.) for field devices with certain SIL claim limits and their adequacy for the SIS application, including any application guidelines and/or restrictions.

Bearing in mind that the logic solver is normally shared by a number of safety functions, selection of the safety PLC technology is crucial to a safe and reliable SIS.

Premier Consulting Services expertise can prove invaluable in the analysis of logic solver manufacturers’ claims for “safety availability”, “reliability”, “fault tolerance” and “safe failure fraction” as they relate to “demand mode” or “continuous mode” of operation. Furthermore, an analysis of any third party (e.g., TÜV, FM, etc.) certification guidelines and restrictions, as well as an analysis of the manufacturer’s “safety manual”, becomes an essential review process in the selection of the logic solver technology.

Premier Consulting Services recognizes that third party certifications (e.g., TÜV, FM, etc.) to IEC 61508 and other applicable standards are focused exclusively on a “fail safe” mode of operation of the device. Premier Consulting Services also recognizes the importance of “process up-time” and therefore provides the expertise for the selection of SIS devices that will deliver not only safety, but a high degree of “reliability” and a low “spurious trip” rate.

There are some devices and PLCs on the market that have “low fault tolerance” and low redundancy but a high “safe failure fraction”, and thus get certified to even a SIL 2 or SIL 3 rating. PCS expert analysis and recommendations build towards avoiding the trap of designing a “safe” but “unreliable” SIS.

SIF Device Selection - PIU - MHFT

Inputs:

* Field equipment performance data
* Site environmental data
* Process up-time requirements
* List of SIF with individual SIL targets
* Project data gathered during study

Deliverables:

* Proven-in-use device analysis
* Fault Tolerance device analysis
* Third party certification analysis
* Application restrictions analysis
* Device safety & reliability analysis
* BPCS-SIS independence analysis

IEC 61511 and ANSI/ISA S84.01 IPF

IEC 61511 and ANSI/ISA S84.01-2003, as well as Regulatory Agencies, require that a process hazard analysis (PHA) be performed to identify potential hazards in the operation of a process unit.

The PHA is a methodical examination of the process design that involves the participation of a multidisciplinary team to identify potential hazards and operability problems that could result in undesired consequences with adverse impact on personnel, equipment or the environment. The initial “process” PHA is normally performed by the plant operator in conjunction with the process licensor or basic design team.

The process design drawings and narratives together with the P&ID’s and the PHA documents, form the basis for the identification of the safety instrumented functions (SIF) required to mitigate the potential hazards.

Premier Consulting Services provides industry experts in the review process of the PHA results and allocation of Safety Instrumented Functions (SIF), leading to the assignment of a target Safety Integrity Level (SIL) for each SIF.

Safety integrity is a measure of the likelihood that the SIF will achieve the specified safety function.

A PCS senior consultant performs the role of facilitator and provides guidance to a multidisciplinary team consisting of plant experts in the areas of process, operations, safety, maintenance, instrumentation and electrical.

The standards do not mandate any specific method for assigning the target SIL rating, but do provide examples of industry-recognized techniques. The PCS facilitator reviews the different methodologies (Risk Matrix, Risk Graph, LOPA, Semi-quantitative, etc) and applicability to each situation, leading to a consensus on the techniques to be utilized.

PCS provides further guidance in the approach to aligning the SIL assignment method selected with the corporate risk tolerance criteria. Where necessary, the ALARP risk tolerance principle is discussed and taken into account.

The multidisciplinary team reviews every SIF, and with PCS guidance, a SIL rating is assigned to each safety instrumented function.

SILassign™ software tool-set is made available for the target SIL determination process. The final report reflects the assumptions made with regards to potential hazards likelihood, consequence and risk tolerance criteria in conjunction with the target SIL assigned to each independent SIF.

Premier Consulting Services (PCS) reports are recognized worldwide for their integrity and professionalism by plant operators, regulators and risk insurers.
