Do you want to print this guide?
We plan to have a free printable PDF version of this guide which you can download and keep. Request your copy now.
3.3 Risk reduction principles
Inherent risk reduction should always be the first priority in reducing risk. Reducing hazardous inventory is an example. This has the possibility of changing the consequence side of risk if the reduced inventory changes the severity of a potential hazardous event.
Reducing hazardous inventory can reduce consequence, but possibly still leave a small number of exposed personnel . Another option for altering consequence is to alter facility siting to reduce occupancy in hazardous areas.
When the consequence has been reduced to a minimum, then the frequency side of risk must be addressed. For example, start with a single fatality (personnel safety) risk estimated to be in the unacceptable region at 1E-03 per year. Without altering the estimated consequence (1 fatality), it is only possible to reduce the frequency of the event. This can be achieved by various different means, typically referred to as Independent Protection Layers (IPL).
3.4 Independent Protection Layer - IPL
There are many types of IPL that can be applied to help reduce the frequency of hazardous events. These include actions by operators, mechanical safety devices designed for specific events like pressure relief, and safety instrumented functions (SIF) designed to actively sense a hazard and automatically take an action to prevent escalation.
Whatever the type of IPL, there are some fundamental principles that must be met if they are be claimed for risk reduction. These principles were first introduced in the CCPS book "Layer of protection analysis - simplified process risk assessment" published in 2001 by the American Institute of Chemical Engineers (ISBN 0-8169-0811-7). The principles are as follows:
An IPL must:
- be effective in preventing the consequence when it functions as designed. Note: this should include consideration of the process safety time and the effectiveness of the IPL to act within that time.
- be independent of the initiating event and any other IPL claimed for the same scenario;
- be auditable and verifiable in some manner by documentation, review or testing.
When these principles are correctly applied to the selection of IPL then the remaining question is "how much risk reduction" is provided by a given IPL device, system or action.
There are no formally approved values other than what has been proposed in text books like the one mentioned above, or more recent CCPS texts such as "Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis" published in 2015 by the American Institute of Chemical Engineers (ISBN 978-0-470-34385-2).
The usual way to approach quantifying risk reduction is to look at an order of magnitude probability of failure n demand (PFD) of each IPL. Using the assumption that each IPL will be designed to specifically prevent a consequence from occurring, an assumed PFD of 10% (or a factor of 0.1) will represent ONE order of magnitude risk reduction.
Taking the earlier example of an unacceptable single fatality risk of 1E-03 per year, a correctly applied IPL with a PFD of 0.1 will reduce this frequency to 1E-04 per year with the same outcome consequence. Of course, this will only be a valid assumption if the IPL fully meets the fundamental principles of effectiveness, independence and auditability.
Following this same principle and applying another IPL with a 1% probability of failure on demand (PFD of 0.01), it is clear that the 1E-04 per year risk could be further reduced to 1E-06 per year in order to claim a negligible risk.
3.5 Safety Instrumented Function - SIF
A special type of IPL is known as a safety instrumented function or SIF. A SIF comprises at least one element for directly sensing a dangerous process condition, a logic solver to decide on the action(s) to be taken, and a final element which will take a direct action on the process to avert the hazardous condition sensed.
Usually, each SIF will be designed to take action without any human intervention
3.6 Safety Instrumented System - SIS
When SIF for different hazards are collected together into one logic solver, the collective is called a Safety Instrumented System - SIS. The SIS may comprise only a few SIF, or it may have tens or hundreds. There is actually no limit, although commercially available logic solvers will always have some limitations.
It is important to note that the SIS logic solver will need to be designed for the highest SIL requirement of any SIF which resides within the system.
3.7 Safety Integrity Level - SIL
The term SIL, Safety Integrity Level, is a measure of the amount of risk reduction provided by a Safety Instrumented Function (SIF) for each specific hazardous event. IEC 61511 requires that each SIF is designed to meet minimum risk reduction factors (RRF), between 10 times risk reduction at SIL 1, and >10,000 times risk reduction at SIL 4.
In practice, SIL requirements in the process industry sector are limited to SIL 3. Even SIL 3 is an extremely hard design requirement to meet and typically means diverse equipment or non-programmable systems are required. A SIL 4 requirement specified for a non-nuclear process industry application typically means that there is something suspect with the process design or the SIL assessment procedure. For the nuclear industry, different standards apply which are not discussed in further detail here - see IEC 61513: 2011.
For a SIF operating in low demand, by definition less than one demand per year, the reciprocal of the RRF is known as average probability of failure on demand (or PFD average). Note that not all safety functions operate in low demand, but perhaps upwards of 90% of process industry functions do operate in this mode.
For functions which operate more frequently than once per year (or which operate continuously), SIL is specified in terms of probability of failure per hour, or PFH. Such High Demand or Continuous Mode functions are less commonplace in the process industry, but they do occur.
3.8 SIL and risk reduction
The target frequency for this event is decided to be 1E-5 per year. In practice this target comes from an estimate or calculation of the consequences, in comparison with corporate risk criteria. These criteria should be set by your organization before embarking on SIL determination. If a SIL 1 SIF is applied with a minimum of 10 times risk reduction, the risk enters into the "tolerable if ALARP", amber region. As SIL 1 is a band of RRF from 10 to 100 times, the resulting risk could be approaching 2E-5 per year with a very well designed SIL 1 function. However, this does not meet the required risk reduction target for the consequence of 1E-5 per year.
If a SIL 2 function is applied with a minimum of 200 times risk reduction, the target risk frequency could be met. This is calculated by taking the unmitigated event frequency and dividing by the target. A well designed SIL 2 function would therefore be sufficient. Negligible risk (the green region) could be achieved with SIL 3, but this would be over-engineering, on the assumption that the cost of a SIL 3 function is grossly disproportionate to the extra risk reduction gained.