There is a common perception that SIL verification is a straightforward activity: compute the reliability data and check that the target SIL is met.
By Gobind Khiani – Consulting Fellow-Piping/Pipelines
As the engineer starts SIL verification, it soon becomes clear that the data is inadequate and the SIL assessment report is not clear enough, and the work stumbles over multiple roadblocks. We have seen this closely on several projects and have noted the aspects where challenges are commonly observed. Some of the challenges relate to the design of the process itself, and some to project execution and documentation. These observations are listed below:
The equipment design and operating philosophy are developed relying heavily on the SIS (safety instrumented system) rather than following an inherently safer design approach. You may wonder how this affects SIL verification. Higher reliance on the SIS results in higher SIL ratings, and the verifier then has to add instruments to meet the typically higher SIL. In a typical lump sum project this can have a considerable impact, and generally the blame is passed on to the engineer running the SIL verification tool.
o The design of the process and the selection of equipment should take inherent safety into consideration.
Documents such as C&E (cause & effect) narratives often do not sufficiently address the SIF (safety instrumented function) requirements. Producing a good SRS (safety requirement specification), and hence completing the SIL verification, then becomes a challenging task.
o E.g., the process safety time requirement, with its basis, should be documented.
o A clear definition of the actions required to mitigate the risk is needed. For example, the primary actions sufficient to mitigate the risk and the secondary actions that follow them are often mixed together, resulting in final-element voting such as 2oo2 or 3oo3. With such an architecture of final elements it is difficult to meet the target SIL, especially SIL 2 and SIL 3.
Many times, the HAZOP and SIL assignment study findings and discussions are not recorded appropriately. The hazard and its consequences are not clearly defined or properly captured, and the SIL verifier does not gain confidence in the design. SIL verification is often thought of as just completing the calculations to check that the intended SIL is met. But without proper definitions of hazard and consequence, the mathematical SIL verification calculations may indicate that the requirements are met while validation of the design remains a difficult task.
o The team participating in the HAZOP and SIL studies should document the findings more precisely. E.g. 1: High Pressure Trip on Extractor causes plant shutdown. E.g. 2: LAHH1001 causes closure of FCV2021. The definition of the consequence should be clear enough to indicate exactly what the consequence is.
o Participation of the SIS engineer in the early phases of the lifecycle would mitigate this to a good extent.
An important activity in SIL verification is the collection of reliability data for all chosen instruments and the logic solver. Though logic solver data is generally available, getting proper, certified reliability data for instruments is always a challenge.
o There should be close coordination between the instrument engineer procuring the instruments and the SIL verification engineer.
o Instruments should be selected based on a detailed evaluation of the reliability data (certificate, associated report, and safety manual).
o The SIS engineer should check the project philosophy to determine whether it allows the use of instruments certified on the basis of proven-in-use/prior-use criteria.
Inputs to the SRS such as turnaround period, testing interval, common cause failure rates, and coverage factor considerations are generally not available in client specifications.
o The SIS engineer should ensure that this data is captured in the SRS, based on documented discussions with the client.
Many times, a higher perception of risk during HAZOP and SIL assessment results in higher SIL ratings.
o To avoid conflicts and endless debates between the client, contractors and licensors, the documents establishing the criteria for loss to personnel, environment and assets should be properly established.
Loss of production is always a point of debate; the SIL assessment procedure should clearly state that it is excluded, unless the SIF is designed with this intent.
Establish clear consequence criteria before the SIL assessment phase. E.g., severity definitions such as slight injury, minor injury, permanent disability or up to ‘n’ fatalities should be clearly described, with notable differences between each consequence level.
The competence of the engineer performing the verification is an important aspect. The SIL verification activity not only requires competence in functional safety but also a fair understanding of logic solvers and field instruments. The engineer should be in a position to understand the details and restrictions of use stated in the instrument certificates and reports.
o E.g., the reliability data for valves may contain different failure rates depending on service, such as clean service or toxic service. The verification engineer should understand the process and any such criteria.
NOTE: A SIL rating applies to the whole safety instrumented function (SIF) including the final element.
The definition from IEC 61511, 3.2.68, safety function: function to be implemented by an SIS, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event.
A prominent example, as explained here: F&G (fire & gas) systems are not normally considered to have a SIL rating; a reliability calculation of the F&G components is performed instead of a “full” SIL rating. If the function is taken to stop at the solenoid valve, then the SIF is not complete. The final result is water at the required pressure coming out of the valve.
In fact, one would also have to include the reliability of the water supply to the system (for example a pump and associated equipment) should one want a “full” SIL rating of the system. A SIF needs to consider an action that removes the hazard. The problem is that while reliability is a component of a SIL rating, it is not the sole consideration.
Additional Things to Consider During SIL Requirements
When discussing safety requirements, it would be prudent for anyone working with SIS to read section 10 of IEC 61511-2016 Part 1. There are many factors that need to be specified for a SIF, for example tight shut-off. A checklist should be prepared for use at the HAZOP, etc.
It is important for control system experts to ensure that an experienced functional safety engineer, such as an instrumentation and control system engineer, is present at the HAZOP. She/he needs to capture as much information as possible about the potential safety functions, regardless of what the HAZOP scribe is capturing.
Further, the SIL verification activity must not be used to reverse-engineer a safety function. Some engineers think that it is okay to assign a SIL rating as long as it passes SIL verification. There are more activities (and associated cost) after SIL verification, so the right SIL rating for a safety function must be assigned carefully.
Competent engineers must review the SIL certificates during the technical bid evaluation of SIF components. SIL verification may happen after the SIF components have been purchased. Many times, the SIS engineer performing the SIL verification is stuck with what the RE (Responsible Engineer) has purchased, and this can bring huge challenges, especially on a lump sum project. SIL certificates nowadays are becoming more and more confusing, so they have to be reviewed by a competent SIS engineer.
Conclusion
Assessment of tight shut-off as a functional safety requirement is important for the safety life cycle and is preferably done during the SIL assignment study. It sometimes impacts the SIL verification as well. Before the HAZOP & SIL studies, the participants must be educated regarding the impact of each decision made during these studies on the final design of the SIF, since not all participants are expected to be safety experts. If this is not done at these stages, one is bound to face difficulties during SIL verification.
The SIF action to be verified should be very clear. For example, the interlock may describe shutting down the unit and list five on/off valves and a command to the DCS to de-energize control valve SOVs, or to put controllers in manual with output at 0. De-pressurization may confuse the issue.
The SIF that needs to be validated is the minimum set of actions required to mitigate the consequence. It may be as simple as closing one (or 1oo2) on/off valve(s), greatly simplifying the calculation and helping to meet or exceed the SIL target.
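The effect of final-element voting on the achievable SIL (the 2oo2/3oo3 concern raised under the C&E narrative point above, and the 1oo2 simplification in the preceding paragraph) can be made concrete with the textbook low-demand PFDavg simplifications from IEC 61508-6. The script below is an added example, not part of the article and not taken from any certificate or tool; the failure rates, proof test interval, common cause factor and logic solver PFD are constructed sample values, and the equations ignore repair time and diagnostic coverage, so it illustrates the arithmetic rather than replacing a project calculation.

```python
"""Simplified SIL verification arithmetic (added example, not from the article).

Uses the low-demand PFDavg simplifications of IEC 61508-6 with no repair time
and no diagnostics. Every failure rate, interval and factor below is a
constructed sample value, not data from a real certificate.
"""

# Low-demand SIL bands as PFDavg ranges: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """Map a PFDavg to the SIL band it achieves; 0 means PFDavg >= 0.1 (no SIL)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else 4  # anything below 1e-5 is still reported as SIL 4


def pfd_avg(arch, lambda_du, ti_hours, beta=0.0):
    """PFDavg of one subsystem with the given voting architecture.

    lambda_du : dangerous undetected failure rate per channel (per hour)
    ti_hours  : proof test interval in hours (an SRS input)
    beta      : common cause factor for redundant channels (an SRS input)
    """
    x = lambda_du * ti_hours        # expected dangerous failures of one channel per interval
    ind = (1.0 - beta) * x          # independent share for redundant channels
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":              # either channel alone performs the trip
        return ind ** 2 / 3 + beta * x / 2
    if arch == "2oo2":              # both channels must act: either failing defeats the SIF
        return x                    # twice the 1oo1 value
    if arch == "2oo3":
        return ind ** 2 + beta * x / 2
    raise ValueError(f"unsupported architecture {arch!r}")


def sif_pfd(sensor, logic_solver, final_element):
    """Whole-SIF PFDavg is the sum of its subsystems; returns (total, limiting subsystem)."""
    parts = {"sensor": sensor, "logic solver": logic_solver, "final element": final_element}
    total = sum(parts.values())
    return total, max(parts, key=parts.get)


def max_test_interval_for_sil(arch, lambda_du, beta, target_sil, step_hours=24.0):
    """Longest proof test interval (hours, in steps) at which the subsystem still meets target_sil.

    Shows why the test interval must be fixed in the SRS before verification starts.
    """
    if sil_from_pfd(pfd_avg(arch, lambda_du, step_hours, beta)) < target_sil:
        return 0.0
    ti = step_hours
    while sil_from_pfd(pfd_avg(arch, lambda_du, ti + step_hours, beta)) >= target_sil:
        ti += step_hours
    return ti


def verify_trip_valves():
    """Same two valves, three final-element architectures (constructed data)."""
    lam = 1.5e-6    # /h dangerous undetected per valve, hypothetical certificate value
    ti = 8760.0     # one-year proof test interval
    beta = 0.05     # 5 % common cause between the two valves
    return {arch: sil_from_pfd(pfd_avg(arch, lam, ti, beta)) for arch in ("1oo1", "2oo2", "1oo2")}


def verify_sif():
    """Constructed SIF: 1oo1 transmitter, certified logic solver, 1oo2 trip valves."""
    sensor = pfd_avg("1oo1", 0.5e-6, 8760.0)
    logic = 1.0e-5                              # hypothetical value from a logic solver certificate
    valves = pfd_avg("1oo2", 1.5e-6, 8760.0, 0.05)
    total, limiting = sif_pfd(sensor, logic, valves)
    return sil_from_pfd(total), limiting


if __name__ == "__main__":
    print(verify_trip_valves())   # {'1oo1': 2, '2oo2': 1, '1oo2': 3}
    print(verify_sif())           # (2, 'sensor')
    print(max_test_interval_for_sil("2oo2", 1.5e-6, 0.0, 2))
```

With the same two valves the 2oo2 arrangement (both must close) lands in SIL 1, a single valve reaches SIL 2, and a 1oo2 pair reaches SIL 3, which is the point of keeping secondary actions out of the SIF definition. The whole-SIF call also shows that the rating belongs to the complete function, sensor and logic solver included, and that the limiting subsystem is not necessarily the final element.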
DISCLAIMER:
This article is written/edited by the author to the best of his/her knowledge, including sufficient references provided at the time of writing, to meet best industry practice.
REFERENCES:
- Understanding SIL Certificates by SIRA Certification.
- Bureau Veritas – SIL Capability Introduction
- SIL made simple by Michael A. Mitchell
- Unanimous Industry colleagues and experts known to author.
- Industry codes and practices in which the author participates.