Forum Topic

Thursday 15 November 2007 8:53:39 pm

Determining SIL for SRS by Risk matrix

As an outcome of guided-word Hazop sessions during the engineering phase we discovered a list of Risks and related occurrences. Initially we did not quantify them because we planned to do that later because of the ongoing modifications and therefore a too heavy MOC.

Now that our P&ID’s are relative reliable we want to quantify our risks by a SIL level using a risk matrix which is according the company standard.

We did do that by estimate the risk first as a normal standard facility including already determined non SIS related safety systems (SOP, active elements, passive elements and instrument systems intended for operation connected via DCS etc.).
Afterwards we did estimate the risk again by considering the residual risk after additional measurements and assigning SIF’s with SIS’s

Is it correct that considering the residual risk is acceptable (classified in SIL levels) and obtained by a SIS, we do need to use this last SIL to specify into our SRS (assumed there is no other SIS which affect the considered SIS to a higher SIL)
-OR-
should we use the SIL where the SIS is originated, namely the last step we have defined the SIL was unacceptable?

Example:
- Risk overfilling of a tank; Flammable P3 products; Tank contains a LIT with LAH on 95%... on 97% DCS, a normal interlock is integrated into the DCS to close all supply valves
Evaluation 1 Risk estimate (failure of LT, DCS, etc.): SIL2 (defined as not acceptable)
- Additional measurements… SIF: indipendent LSAH which has to close all supply valves on 98%, valves FC etc…
Evaluation 2: Risk estimate (decreasing rest of risk by the independent SIS): SIL1 (Accepted)

- SRS (SIL part): SIS containing LSAH + supply valves + controller: acc. SIL??
(Should we use SIL 1 or 2?)

Kind regards
Daniel

Monday 26 November 2007 9:46:51 pm

You need to take the second outcome.

What you do is you first determine the risk without any layers of protection or safeguards. This risk level you compare to the company's acceptable risk level. The difference between the two is risk that needs to be reduced.

In your case you determined the risk, then you checked all non-SIS solutions, and reduced your risk to a new lower level. The difference between this new level and the acceptable level can apperently only be overcome with a SIL 1.

So you did it right. But check if you cannot overcome that SIL 1 with another risk reduction measure worth 10-100. In that case you do not need to implement a SIF.

Hope this helps

Thursday 13 December 2007 12:05:49 am

Thanks, very helpfull to convince myself I did interprete it right.

Nevertheless according the end-user procedures they have to specify a SIL2 for the given example because they are looking backwards in stead of the remaining risk SIL1.
The subject is that we are always bound to follow standard procedures of the end-user.
Sometimes too stringent, some too easy but I don't feel myself called / authorised to put end-user's procedures in doubt. Isn't that something for a FS Expert (i.e. by audit)?

Kind regards,
Daniel

Thursday 20 December 2007 9:37:32 pm

The polically correct answer is that the customer is always right....
But make sure you protect yourselfs in case they make decisions that are not safe....