One Safety Integrity Level (SIL) Does Not Fit All: SIL Misuse and Unsafe Operational Conditions
The Safety Integrity Level (SIL) is a hazard analysis and risk mitigation method that is used to ensure electronic systems based safety functions such as fire and gas detection are fit for purpose. More recently, we have seen SIL being proposed as an OEM specification for rig operational systems such as blowout preventers (BOP) and drilling equipment. Using SIL as an OEM equipment specification often precludes many of the hazard analysis and risk mitigation activities that ensure the required safety levels are met. This represents a significant misuse of the SIL method and that can lead to unsafe and potentially dangerous operational conditions.
The SIL method was originally developed as a way to quantify the integrity requirements of a safety function, specifically a Safety Instrumented Function (SIF). While there are several safety standards that describe a SIL method, IEC 61508 provides the method most appropriate to ensuring safety in the drilling industry.
In IEC 61508, the integrity requirement is quantified as a “probability of failure to perform its intended function on demand (PFD)” for low demand safety functions, or as an “average frequency of a dangerous failure of the safety function (PFH)” for a high demand safety function. Tables 2 and 3 of IEC 61508-1 quantify SIL as a level from 1 to 4, with each level representing an additional order of magnitude of reduction of PFD or PFH.
Given that a SIL can be directly related to a probability of failure on demand, one might assume that SIL could be used as an equipment specification for reliability. However, because SIL is not an equipment specification this use would dangerously misrepresent the capability of the equipment. Rather, SIL is a quantification of the required additional risk reduction to be provided by one or more safety functions (the SIFs). The correct usage of SIL is:
1. Use proper hazard analysis and risk mitigation techniques to evaluate the capability of the system as designed
2. Determine if the system as designed can provide risk levels that are acceptable
3. If it cannot, quantify the gap as a SIL and provide additional safety functions to deliver the SIL
For example, following a comprehensive hazard analysis and risk mitigation process, it is determined that for a particular well control system, an additional 10-3 reduction in PFD of the system is required. This translates into a requirement for a SIL 2 safety function.
Note that this does not mean that you can simply acquire a BOP that the OEM specifies as SIL 2 (indicating that the BOP has a probability of failure on demand once every 100 to 1,000 years). While this is important information when selecting a BOP, it tells us nothing about the BOPs ability to provide a SIL 2 safety function for your specific well. To understand that, we must first understand “failure” and “demand” (the “F” and “D” in PFD) in the context of the hazard analysis and risk mitigation for the specific well control environment. As used above, “Failure” is defined as the inability to perform an intended function and “Demand” is the action of triggering the function.
In the case of the BOP the intended function could be defined as a functional operation, such as closing a valve or activating a shear ram. However, when the BOP is considered as a safety function, closing the valve or shearing the ram is not the intended function — the intended function is to seal the well and re-establish control. Closing the valve or shearing the ram are simply the methods used to provide the intended safety function of controlling the well.
Without a comprehensive hazard analysis and risk mitigation determination for the specific well to be controlled, the OEM cannot provide a SIL level for the safety function to be provided by the BOP. One SIL does not fit all.
Demand for the function can come from several places, including the two panels, the hot stab, and the dead man. Each of these is also highly configurable for each specific application. Therefore, a statement from the OEM that the BOP is a given SIL without specifically defining the “Demand” configuration is not possible.
In summary, SIL is not an equipment reliability specification, nor is it a replacement or a proxy for basic hazard and risk mitigation-based engineering and design practices. Used properly, SIL provides significant additional benefits to the end user. But the proper application of the Safety Integrity Level requires the end user to execute the well-proven practices of requirements definition and verification, hazard and failure modes analysis and risk mitigation.
For additional information about Athens Group SIL testing, please call Marcella Pena at 281-921-8989 Ext. 151 or send an email to firstname.lastname@example.org.
Copyright 2015 Athens Group. All Rights Reserved.