Modern industrial systems and processes tend to be technically complex, involve substantial energies and monetary interests, and have the potential to inflict serious harm to persons or property during an accident. Although absolute protection may not be possible to achieve, risk can be reduced to an acceptable level using various methods to increase an industrial system's safety and reliability and mitigate harm if an event, e.g., a failure, does occur.
In the context of safety systems, one of these methods includes utilization of one or more safety instrumented systems (SIS). A safety instrumented system (SIS) is an instrumented system used to implement one or more safety instrumented functions (SIF), and is composed of sensors, logic solvers and final elements designed for the purposes of: taking an industrial process to a safe state when specified conditions are violated; permitting a process to move forward in a safe manner when specified conditions allow (permissive functions); and/or taking action to mitigate the consequences of an industrial hazard.
As mentioned above, a safety instrumented function (SIF) is a function implemented by a SIS which is intended to achieve or maintain a safe state for a process with respect to a specific event, e.g., a hazardous event. Hardware to carry out the SIF typically includes a logic solver and a collection of sensors and actuators for detecting and reacting to events, respectively.
To direct appropriate design and planned maintenance of a SIF, safety standards bodies have established a system that defines several Safety Integrity Levels (SIL) that are appropriate for a SIF depending upon the consequences of the SIF failing on demand. According to the International Electrotechnical Commission (IEC) standard 61508, safety integrity level (SIL) is a measure of the risk reduction provided by a SIF based on four discrete levels, each representing an order of magnitude of risk reduction. As shown in Table 1, each SIL level is associated with a designed average probability of failure on demand (PFD). For example, a SIL 1 means that the maximum probability of failure is 10% (i.e., the SIF is at least 90% available), and a SIL 4 means that the maximum probability of failure is 0.01% (i.e., the SIF is at least 99.99% available).
TABLE 1: DEMAND MODE OF OPERATION

    Safety Integrity   Target Average Probability   Target Risk Reduction
    Level (SIL)        of Failure on Demand
    4                  ≥10^-5 to <10^-4             >10,000 to ≤100,000
    3                  ≥10^-4 to <10^-3             >1000 to ≤10,000
    2                  ≥10^-3 to <10^-2             >100 to ≤1000
    1                  ≥10^-2 to <10^-1             >10 to ≤100
For continuous or high demand mode of operation, the following Table 2 applies:
TABLE 2: CONTINUOUS MODE OF OPERATION

    Safety Integrity   Target Frequency of Dangerous Failures to perform
    Level (SIL)        the safety instrumented function (per hour)
    4                  ≥10^-9 to <10^-8
    3                  ≥10^-8 to <10^-7
    2                  ≥10^-7 to <10^-6
    1                  ≥10^-6 to <10^-5
Consistent with existing, standardized methodology, during design of a safety instrumented system (SIS), safety integrity level (SIL) requirements are established for each SIF based upon the impact of the specific hazardous event that the SIF is intended to prevent. For example, a SIL level of 1 may be assigned to a hazardous event that imparts only minor property damage, whereas a SIL of 4 may be assigned to a SIF that is intended to prevent an event that would produce catastrophic community-wide consequences.
After a SIL is assigned to each SIF, each SIF is designed to operate within the designed average probability of failure on demand (PFD) that corresponds to the SIL assigned to the SIF. Because a SIF typically comprises a collection of instrumented function components (e.g., a logic solver, sensors, and actuators), and each of the instrumented function components has a respective average PFD that contributes to the overall average PFD of the SIF, a designer has some flexibility in the way the overall average PFD is achieved. For example, by assuming a set of environmental conditions (e.g., humidity, temperature and pressure) under which the instrumented function components will operate, a designer is able to arrive at an overall average PFD by establishing a regimented testing schedule for each of the instrumented function components.
Thus, once a SIS is commissioned, a plant engineer is able to estimate the SIL level of a particular SIF as long as the actual maintenance and environmental conditions do not vary from the assumed design conditions.
Unfortunately, after a SIS is operational, a plant engineer is unable to determine what the average PFD or SIL level is for a SIF once actual testing varies from the regimented test schedule. Furthermore, the actual PFD and SIL level will vary depending upon actual environmental conditions, and as a consequence, a plant engineer will face further uncertainty as to what the actual PFD and SIL level is for the SIF.
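The following worked example is added here to illustrate the relationship between component PFD, proof-test interval and the resulting SIL band from Table 1, and how a SIF's SIL estimate degrades when actual testing departs from the design schedule as described above. It is not part of the original text. It assumes the IEC 61508 simplified single-channel (1oo1) approximation PFDavg ≈ λ_DU · T / 2 per component, treats the SIF's PFDavg as the sum of its components' PFDavg values (no common-cause term), and models environmental stress as a plain multiplier on λ_DU; the component names, failure rates and test intervals are constructed sample values.

```python
"""Added worked example: SIL banding and PFDavg of a SIF (not from the original text).

Assumptions (not stated on the page):
  - each component is a 1oo1 element with dangerous undetected failure
    rate lambda_DU (per hour) and is proof-tested every T hours;
  - PFDavg per component uses the simplified formula lambda_DU * T / 2;
  - SIF PFDavg is the sum of component PFDavgs (no common-cause term);
  - environmental stress is modelled as a multiplier applied to lambda_DU.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0

# Table 1 (demand mode): (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS_DEMAND = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Table 2 (continuous/high demand): dangerous failures per hour
SIL_BANDS_CONTINUOUS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def sil_from_band(value: float, bands) -> Optional[int]:
    """Return the SIL whose band contains value, or None if outside the table."""
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return None


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """Demand-mode SIL from average PFD (Table 1)."""
    return sil_from_band(pfd_avg, SIL_BANDS_DEMAND)


def sil_from_pfh(pfh: float) -> Optional[int]:
    """Continuous-mode SIL from dangerous failure frequency per hour (Table 2)."""
    return sil_from_band(pfh, SIL_BANDS_CONTINUOUS)


def risk_reduction_factor(pfd_avg: float) -> float:
    """Risk reduction factor is the reciprocal of PFDavg (Table 1's third column)."""
    return 1.0 / pfd_avg


@dataclass
class Component:
    name: str
    lambda_du: float            # dangerous undetected failures per hour (constructed)
    design_test_interval_h: float  # proof-test interval assumed at design time


def component_pfd_avg(comp: Component, test_interval_h: Optional[float] = None,
                      environment_factor: float = 1.0) -> float:
    """1oo1 simplified PFDavg = lambda_DU * T / 2, with optional stress multiplier."""
    t = comp.design_test_interval_h if test_interval_h is None else test_interval_h
    return comp.lambda_du * environment_factor * t / 2.0


def sif_pfd_avg(components: List[Component],
                actual_intervals: Optional[Dict[str, float]] = None,
                environment_factor: float = 1.0) -> float:
    """Sum component PFDavgs; actual_intervals overrides design intervals by name."""
    actual_intervals = actual_intervals or {}
    return sum(component_pfd_avg(c, actual_intervals.get(c.name), environment_factor)
               for c in components)


# Constructed sample SIF: sensor -> logic solver -> final element, all tested yearly.
SAMPLE_SIF = [
    Component("pressure_transmitter", 5e-7, HOURS_PER_YEAR),
    Component("logic_solver", 1e-7, HOURS_PER_YEAR),
    Component("shutdown_valve", 1e-6, HOURS_PER_YEAR),
]


def design_estimate() -> float:
    """PFDavg as designed (all components tested on schedule)."""
    return sif_pfd_avg(SAMPLE_SIF)


def slipped_valve_test_estimate() -> float:
    """PFDavg if the valve's proof test slips from one year to two years."""
    return sif_pfd_avg(SAMPLE_SIF, {"shutdown_valve": 2 * HOURS_PER_YEAR})


if __name__ == "__main__":
    for label, pfd in (("design", design_estimate()),
                       ("valve test slipped", slipped_valve_test_estimate())):
        print(f"{label}: PFDavg={pfd:.4e} RRF={risk_reduction_factor(pfd):.0f} "
              f"SIL={sil_from_pfd(pfd)}")
```

With the constructed values the SIF meets SIL 2 as designed (PFDavg ≈ 7.0e-3), but letting the valve's proof test slip to two years pushes PFDavg to ≈ 1.1e-2, which falls into the SIL 1 band. This is the effect the preceding paragraph describes: the design-time SIL claim holds only while the actual test schedule and environment match the design assumptions, so a plant engineer who wants a current SIL estimate must recompute it from the observed intervals rather than rely on the commissioning figure.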
Corresponding reference characters indicate corresponding components throughout the several views of the drawings.