SIL CALCULATIONS
SAMSUNG ENGINEERING
Table of Contents
1. Introduction
2. References
3. Definitions of Terminology
4. Safety Integrity Level (SIL) Verification
5. Safety Instrumented Function (SIF) Identification
6. Conclusion
7. Failure Rate Data
1. Introduction
This document consolidates the safety integrity level (SIL) verification calculations for the
Project, which is located in Al-Jubail, Kingdom of Saudi Arabia. The aim of this study is to verify that
the intended safety integrity level of each instrumented system has been achieved.
The information contained in this report is subject to revision when the process is modified in any
way that could impact any part of the safety instrumented systems.
2. References
This report is designed and constructed to meet all requirements of the following codes and
standards, latest edition.
IEC 61508 Functional Safety of Electrical / Electronic / Programmable Electronic
Safety-Related Systems
IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector
SES X06-S01 General Specification for Shutdown Systems
LC-55 UTTPTC Licensor Package
SS-300-ZX-4-1054 SIL Review Report
SS-300-SA-3-1031 Instrument Logic Diagram rev.2
3. Definitions of Terminology
Some terminology used in this report is specific to the fields of safety instrumented system design
and quantitative risk assessment. A brief description of terminology is provided below:
Availability The system availability is the fraction of time that the SIS is available to prevent or
mitigate hazardous events. The SIS is not available when it has covertly failed. Availability is equal
to 1 minus the probability of failure on demand.
Basic Process Control System The BPCS is the primary regulatory control system for a process.
The BPCS responds to input signals from field devices and/or from an operator and generates
output signals that result in the process performing in the desired manner. The BPCS is also referred
to as the distributed control system (DCS).
Common Cause Failure The failure of multiple devices in a system as the result of a single shared
cause (a single fault, acts of God, etc.).
Consequence The consequence is the result of the failure of the safety system. It is what the
safety system is designed to prevent. The consequence can include impacts on safety, economics
or the environment.
Fail Safe Condition The safety system is designed to place the operating unit in an ideal state. The
state is considered the fail safe condition. When nuisance trips of the safety system occur, the final
state of the operating unit is safe.
Probability of Failure on Demand The PFD indicates the probability that the SIS will fail to
respond to a process demand. This is related to the covert failure of the SIS.
Process Demand This is a condition that requires the action of the SIS to prevent a hazardous
event.
Qualitative Methods These methods range from a simple screening analysis to a complex
hazard and operability (HAZOP) study. All the methods rely on a team of personnel with diverse
backgrounds to determine the hazards within a process. The results are based on the application
of good engineering judgement.
Quantitative Methods These methods involve the numerical and mathematical analysis of the
FSS. Quantitative methods are used to determine the probability of the FSS failing on demand or to
determine human reliability.
Redundancy This involves the use of multiple devices to perform the same function. Redundancy
is utilized with voting to achieve designated safety levels.
Safety Integrity Level The categorization of covert failure risks into specific levels. The
international standard for safety instrumented systems, IEC 61508, or the equivalent Australian
standard AS/NZS 61508, establishes four risk levels as shown in Table 1 below.
SIL | Probability of Failure on Demand | Availability | Required Mean Time Between Failures
4 | 1.0E-5 ~ 1.0E-4 | 99.99% ~ 99.999% | 10,000 ~ 100,000
3 | 1.0E-4 ~ 1.0E-3 | 99.90% ~ 99.99% | 1,000 ~ 10,000
2 | 1.0E-3 ~ 1.0E-2 | 99.00% ~ 99.90% | 100 ~ 1,000
1 | 1.0E-2 ~ 1.0E-1 | 90.00% ~ 99.00% | 10 ~ 100
Table 1. SIL Risk Levels
Safety Instrumented System (SIS) This is an independent instrument system that is installed to
reduce the potential risk of a process. The SIS includes sensors, transmitters, logic solver and final
control elements. An SIS is also commonly referred to as an Emergency Shutdown System (ESS), Safety
Shutdown System (ESD) or Safety Interlock System (SIS).
TMR Triple Modular Redundant Architecture
Voting Scheme The field device and logic configurations are defined as follows:
1oo1 – Single – No voting
1oo2 – Dual – Fail safe arrangement (one-out-of-two voting to trip)
2oo3 – Triple – Fail safe & fail operational arrangement (two-out-of-three voting to trip)
4. SIL Verification
Before the system can be designed in detail, the system performance must be verified against the
SIL requirements. Quantitative techniques are utilized to model the system architecture and
calculate the expected availability in terms of Probability of Failure on Demand (PFD). Fault Tree
Analysis is the best technique applicable to this type of analysis. If the original design is found to be
insufficient to meet the SIL performance requirements, risk reduction techniques must be employed
to improve the conceptual design and meet the SIL.
4.1 Quantitative Risk Assessment
Quantitative risk assessment can be utilized to determine the availability of the SIS and the
instrumentation causes of loss of reliability. This is accomplished by developing the failure logic for
the SIS and assigning a failure rate to each SIS device, including the sensors, valves and solenoids
identified in the failure logic. Boolean algebra is then utilized to determine the individual
interlock availability and the overall availability.
Once the availability of the existing SIS is determined, system upgrades can be modelled to
determine how specific upgrades affect the overall reliability of the system.
The intent of QRA is to ensure that the designed Instrumented System and all the safety
functions meet the requirement for Safety Integrity Levels(SIL) assigned.
4.2 Fault Tree Analysis
Quantitative risk assessment was performed by modelling the safety-instrumented system using
Fault Tree Analysis (FTA). Fault Tree Analysis was developed in the 1960s by Bell Laboratories in
the United States. The military, the space program, and the nuclear industry have used FTA
extensively. It is a highly adaptable logic diagram based technique that can be readily applied to the
processes of the refining, petrochemical, chemical, oil and gas production, pipeline, pulp and paper,
utility, nuclear, manufacturing and pharmaceutical industries.
FTA was chosen because it is a very structured, systematic and rigorous technique that lends
itself well to quantification. It is the best way to prioritise the multitude of potential hazards to safety
or to production by determining numerically how much each cause contributes to the loss. In this way,
a solid link between the actions taken to improve safety or production and the actual events
they address can be established.
4.2.1 Assumptions for Fault Tree Calculations for a SIF
The following assumptions are used in this part for Fault Tree Calculations:
1. Component failure and repair rates are assumed to be constant over the life of the SIF.
2. The SIF being evaluated will be designed, installed, and maintained in accordance with
IEC61508/IEC61511 standards.
3. Once a component has failed in one of the possible failure modes it cannot fail again in one
of the remaining failure modes; it can only fail again after it has first been repaired. This
assumption has been made to simplify the modelling effort.
4. The sensor failure rate includes everything from the sensor up to the input module of the
logic solver including the process impacts (e.g., plugged impulse line to transmitter).
5. The logic solver failure rates typically are supplied by the logic solver vendor.
6. The final element failure rate includes everything from the output module of the logic solver
to the final element including the process impacts to the final element.
7. While dependent failures can be modelled using FTA, it is generally assumed that the failure
of an individual component is statistically independent of the other components, that is, the failure
of any component is in no way affected by the failure of any other component.
8. The test interval (TI) is assumed to be much shorter than the Mean Time To Failure (MTTF).
9. It is generally assumed that all repairs are perfect, that is, the repair results in the
component being returned to its normal state. If review of the repair history identifies failures
that have not been adequately repaired, FTA should be used to model imperfect
maintenance and repair.
10. It is generally assumed that all testing is perfect, that is, the testing procedure will detect the
covert failure of a component. If review of the testing procedures identifies failures that
would not be detected by the testing procedure, the FTA should be used to model those
failures.
11. All SIF components have been properly specified based on the process application. For
example, final elements (valves) have been selected to fail in the safe direction depending
on their specific application.
12. It is generally assumed that when a dangerous detected failure occurs, the SIF will take the
process to a safe state or plant personnel will take the necessary action to ensure the process
is safe (operator response is assumed to occur before a demand occurs, and the PFD of operator
response is assumed to be 0). Note: If the action depends on plant personnel to provide
safety, the User is cautioned to account for the probability of personnel failing to perform
the required function in a timely manner.
13. The target PFDavg is defined for each safety instrumented function implemented in the SIS.
4.2.2 Typical Fault Tree Study
To understand how to make use of the FTA information outlined in this report, a typical study for a
simple SIS is given below. The system consists of two redundant transmitters, a logic solver and
one shut-off valve including its solenoid. The FTA for this system is shown below. Since the
transmitters are redundant, both transmitter A and transmitter B must fail for the initiator to fail,
whereas failure of either the solenoid or the valve causes the final element to fail.
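The fault tree evaluation described above, worked as an added Python example that is not part of the original report: AND gates for the redundant initiators, OR gates for the series elements, and a check of the result against the SIL bands of Table 1. The component PFDavg values are those tabulated in Section 5; the rare-event sum for OR gates is the convention the report's subsystem figures follow, and the function and constant names are the example's own.

```python
from math import prod

# SIL bands of Table 1: (SIL, lower PFDavg bound); each band spans one decade.
SIL_BANDS = ((4, 1.0e-5), (3, 1.0e-4), (2, 1.0e-3), (1, 1.0e-2))


def pfd_and(pfds):
    """AND gate: a redundant group fails only when every member has failed, so
    its PFD is the product of the member PFDs (independent failures, 4.2.1 #7)."""
    return prod(pfds)


def pfd_or(pfds):
    """OR gate: a series group fails when any member fails. The report's
    subsystem figures use the rare-event approximation (sum of member PFDs)."""
    return sum(pfds)


def pfd_or_exact(pfds):
    """OR gate without the approximation, to size its error."""
    return 1.0 - prod(1.0 - p for p in pfds)


def sif_pfd(initiators, logic_solver, final_elements):
    """Top event of the typical fault tree: the SIF fails if the initiator
    group (redundant transmitters, all must fail), the logic solver, or the
    final element group (solenoid or valve, either may fail) fails.
    Returns (initiator_pfd, final_element_pfd, overall_pfd)."""
    init = pfd_and(initiators)
    final = pfd_or(final_elements)
    return init, final, pfd_or([init, logic_solver, final])


def sil_from_pfd(pfd):
    """Map a PFDavg to the SIL band of Table 1 (0 = no SIL achieved)."""
    if pfd < 1.0e-5:
        return 4  # beyond the top of the SIL4 band
    for sil, lower in SIL_BANDS:
        if lower <= pfd < lower * 10:
            return sil
    return 0


def meets_target(pfd, target_sil):
    """True when the achieved SIL band is at least the assigned target."""
    return sil_from_pfd(pfd) >= target_sil


if __name__ == "__main__":
    # Fn2, 40-2 from Section 5.2: initiator 32PDALL002, TMR logic solver,
    # solenoid 32KY001A and valve 32KV001, with the PFDavg values tabulated there.
    init, final, total = sif_pfd([6.7746e-3], 9.917e-6, [7.0e-4, 5.0822e-3])
    print(f"Fn2 PFDavg {total:.4E} -> SIL{sil_from_pfd(total)}, "
          f"exact OR {pfd_or_exact([init, 9.917e-6, final]):.4E}")
```

Reproducing the report's own figures with the same inputs (the four-transmitter initiator of Fn1 gives 1.3180E-10, the four-sensor initiator of Fn4 gives 2.1994E-8) is a quick check that a calculation sheet and the fault tree agree.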
4.2.3 Calculation equation for average probability of failure on demand (IEC61508-6)
For 1oo1 architecture, the formula for the average probability of failure on demand is
Where,
For 1oo2 architecture, the formula for the average probability of failure on demand is
Where,
The value of tCE is as given in (1).
For 2oo3 architecture, the formula for the average probability of failure on demand is
[Figure: fault tree for the typical study of Section 4.2.2 – INITIATOR (TRANSMITTER A, TRANSMITTER B), LOGIC SOLVER, FINAL ELEMENT (SOLENOID, VALVE)]
Where,
The value of tCE is as given in (1) and the value of tGE is as given in (2).
5. Safety Instrumented Function (SIF) Identification
SIF No. | LOPA No. | SIF Description | Target SIL
Fn1, 41-8A | 1.11a | Product Discharge System, Product Blow Tank resin outlet valve ‘E’ and Product Blow Tank gas discharge valve ‘M’ ESD logic, 41-8A/B | SIL2
Fn2, 40-2 | 2.9 | Ethylene Supply Isolation, 40-2 | SIL1
Fn3, 62-2A | 2.21 | Liquid Additive Pumps 350-P-02/52 Protection system, 62-2A/B | SIL1
Fn4, 50-2-1A | 4.3.1 & 4.5.1 | Product Purge Bin 340-V-02, Nitrogen Purging Failure, 50-2-1A & 62-4 | SIL1
Fn5, 50-1 | 4.21 | Product Receiver Operation Failure, 50-1 | SIL2
Fn18, Turbine | 1.47 | Cycle Gas Turbine, 320-T-01 shutdown | SIL2*
Table 2. SIF in Project
Note:
* During the engineering stage, the Licensor (DOW) agreed to SIL2 for the Cycle Gas Turbine.
5.1 Fn1, 41-8A
[Figure: fault tree for Valve ‘E’ – top event 5.7931E-3; INITIATOR 1.3180E-10 (32PAHH035A 3.3883E-3, 32PAH036A 3.3883E-3, 34PAH003A 3.3883E-3, 34PA3H003B 3.3883E-3); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 5.7832E-3 (SOLENOID 32KY024AA 7.0E-4, VALVE 32KV024A 5.0822E-3)]
[Figure: fault tree for Valve ‘M’ – top event 5.7932E-3; INITIATOR 3.8900E-8 (32PA4H035A 3.3883E-3, 32PAHH036A 3.3883E-3, 34PAH003A 3.3883E-3); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 5.7832E-3 (SOLENOID 32KY028AA 7.0E-4, VALVE 32KV028A 5.0822E-3)]
5.1.1 Safety Function Detail
For ‘E’ valve
Tag No. Voting Test Interval PFDavg
32PAHH035A 1oo1 1 Year 3.3883E-3
32PAH036A 1oo1 1 Year 3.3883E-3
34PAH003A 1oo1 1 Year 3.3883E-3
34PA3H003B 1oo1 1 Year 3.3883E-3
Logic Solver 2oo3D 1 Year 9.917E-6
32KY024AA 1oo1 1 Year 7.0E-4
32KV024A 1oo1 1 Year 5.0822E-3
Overall Result 1 Year 5.7931E-3
For ‘M’ valve
Tag No. Voting Test Interval PFDavg
32PA4H035A 1oo1 1 Year 3.3883E-3
34PAH003A 1oo1 1 Year 3.3883E-3
32PAHH0036A 1oo1 1 Year 3.3883E-3
Logic Solver 2oo3D 1 Year 9.917E-6
32KY028AA 1oo1 1 Year 7.0E-4
32KV028A 1oo1 1 Year 5.0822E-3
Overall Result 1 Year 5.7932E-3
5.1.2 Conclusion
For ‘E’ valve
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn1, 41-8A PDS Valve ‘E’ ESD SIL2 5.7931E-3 SIL2
For ‘M’ valve
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn1, 41-8A PDS Valve ‘M’ ESD SIL2 5.7932E-3 SIL2
The calculated PFD meets the assigned SIL2 rating. The proof testing period for the transmitters and
the solenoid valve is assumed to be three months.
5.2 Fn2, 40-2
5.2.1 Safety Function Detail
Tag No. Voting Test Interval PFDavg
32PDALL002 1oo1 1 Year 6.7746E-3
Logic Solver 2oo3D 1 Year 9.917E-6
32KY001A 1oo1 1 Year 7.0E-4
32KV001 1oo1 1 Year 5.0822E-3
Overall Result 1 Year 1.2568E-2
5.2.2 Conclusion
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn2, 40-2 Ethylene Supply Isolation SIL1 1.2568E-2 SIL1
The calculated PFD meets the assigned SIL1 rating. The proof testing period for the transmitters and
the solenoid valve is assumed to be one year.
[Figure: fault tree for Fn2, 40-2 – top event 1.2568E-2; INITIATOR 6.7746E-3 (32PDALL002 6.7746E-3); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 5.7832E-3 (SOLENOID 32KY001A 7.0E-4, VALVE 32KV001 5.0822E-3)]
5.3 Fn3, 62-2A
5.3.1 Safety Function Detail
Tag No. Voting Test Interval PFDavg
35PAH004 1oo1 1 Year 3.3883E-3
Logic Solver 2oo3D 1 Year 9.917E-6
35P02TR 1oo1 1 Year 7.3895E-4
Overall Result 1 Year 4.1372E-3
5.3.2 Conclusion
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn3, 62-2A Liquid Additive Pumps 350-P-02/52 Protection SIL1 4.1372E-3 SIL2
The calculated PFD meets the assigned SIL1 rating. The proof testing period for the transmitters and
the solenoid valve is assumed to be one year.
[Figure: fault tree for Fn3, 62-2A – top event 4.1372E-3; INITIATOR 3.3883E-3 (35PAH004 3.3883E-3); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 7.3895E-4 (RELAY 35P02TR 7.3895E-4)]
5.4 Fn4, 50-2-1A
5.4.1 Safety Function Detail
Tag No. Voting Test Interval PFDavg
34FALL021AA 1oo1 1 Year 6.7746E-3
34LAL003A 1oo1 1 Year 1.9185E-2
34LALL004 1oo1 1 Year 2.4979E-2
34FAL021BA 1oo1 1 Year 6.7746E-3
Logic Solver 2oo3D 1 Year 9.917E-6
34LY003A 1oo1 1 Year 7.0E-4
34LV003 1oo1 1 Year 5.0822E-3
Overall Result 5.7931E-3
5.4.2 Conclusion
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn4, 50-2-1A PPB N2 Purge Failure SIL1 5.7931E-3 SIL2
The calculated PFD meets the assigned SIL1 rating. The proof testing period for the transmitters and
the solenoid valve is assumed to be one year, whereas that for the nuclear level transmitter/switch is 8.8
months.
[Figure: fault tree for Fn4, 50-2-1A – top event 5.7931E-3; INITIATOR 2.1994E-8 (34FALL021AA 6.7746E-3, 34LAL003A 1.9185E-2, 34LALL004 2.4979E-2, 34FAL021BA 6.7746E-3); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 5.7832E-3 (SOLENOID 34LY003A 7.0E-4, VALVE 34LV003 5.0822E-3)]
5.5 Fn5, 50-1
5.5.1 Safety Function Detail
Tag No. Voting Test Interval PFDavg
34TALL029AA/
AB1oo2 1 Year 5.7023E-5
Logic Solver 2oo3D 1 Year 9.917E-6
34LY003A 1oo1 1 Year 7.00E-4
34LV003 1oo1 1 Year 5.0822E-3
Overall Result 5.8501E-3
5.5.2 Conclusion
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn5, 50-1 PR Operation Failure SIL2 5.8501E-3 SIL2
The calculated PFD meets the assigned SIL2 rating. The proof testing period for the transmitters is
one year, and the solenoid valve and main valve are likewise assumed to be one year.
[Figure: fault tree for Fn5, 50-1 – top event 5.8501E-3; INITIATOR 5.7023E-5 (34TALL029AA/BA, 1oo2 voting); LOGIC SOLVER TMR, 2oo3D 9.917E-6; FINAL ELEMENT 5.7832E-3 (SOLENOID 34LY001A 7.0E-4, VALVE 34LV001 5.0822E-3)]
5.6 Fn18, Turbine
This loop consists of a 2oo3 configuration of speed sensors, a TUV-certified overspeed trip
system and a shut-off valve with dual solenoid valves.
5.6.1 Safety Function Detail
Tag No. Voting Test Interval PFDavg
32SAHH323A/
B/C2oo3 1 Year 1.15E-5
Logic Solver 2oo3D 1 Year 1.28E-5
32KY300A/B 1oo2 1 Year 2.5402E-7
32KV300 1oo1 1 Year 5.0822E-3
Overall Result 5.1068E-3
5.6.2 Conclusion
SIF No. SIF Description Assigned SIL Calculated PFD Result SIL
Fn6, 40-1 Overspeed Valve Trip SIL2 5.1068E-3 SIL2
The calculated PFD meets the assigned SIL2 rating. The proof testing period for the transducers is
one year, and the solenoid valve and main valve are likewise assumed to be one year.
The base figures for this calculation are provided by Cycle Gas Compressor Manufacturer, GE Oil &
Gas.
[Figure: fault tree for Fn18, Turbine – top event 5.1068E-3; INITIATOR 1.15E-5 (32SAHH323A/B/C, 2oo3 voting); LOGIC SOLVER TMR, 2oo3D 1.28E-5; FINAL ELEMENT 5.0825E-3 (SOLENOID 32KY300A/B, 1oo2; VALVE 32KV300)]
6. Conclusion
SIF No. | SIF Description | Target SIL | Achieved SIL | Proof Testing Period
Fn1, 41-8A | Product Discharge System, Product Blow Tank resin outlet valve ‘E’ and Product Blow Tank gas discharge valve ‘M’ ESD logic, 41-8A/B | SIL2 | SIL2 | 1 Year
Fn2, 40-2 | Ethylene Supply Isolation, 40-2 | SIL1 | SIL1 | 1 Year
Fn3, 62-2A | Liquid Additive Pumps 350-P-02/52 Protection system, 62-2A/B | SIL1 | SIL2 | 1 Year
Fn4, 50-2-1A | Product Purge Bin 340-V-02, Nitrogen Purging Failure, 50-2-1A & 62-4 | SIL1 | SIL2 | 1 Year
Fn5, 50-1 | Product Receiver Operation Failure, 50-1 | SIL2 | SIL2 | 1 Year
Fn18, Turbine | Cycle Gas Turbine, 320-T-01 shutdown | SIL2 | SIL2 | 1 Year
7. Failure Rate Data
For the data of calculation basis, refer to attachment #1.