Identifying and Documenting Safety Instrumented Functions (SIFs)

When initiating a Safety Integrity Level (SIL) assessment workshop, an ideal scenario would involve having a comprehensive and precise list of Safety Instrumented Functions (SIFs) ready for analysis. However, in practice, this is rarely the case. Instead, developing an accurate SIF list from available information becomes a critical step to ensure the success of later lifecycle phases. This process can be challenging, especially when input data is not in an immediately usable format.

The following sources of information are suitable for SIF list development, ranked from the most convenient to the most complex and time-consuming:

  1. Process control narratives and interlock descriptions
  2. Cause and effect diagrams (C&EDs)
  3. HAZOP study reports and previous SIL assessment reports
  4. Binary logic diagrams
  5. Interlock logic diagrams
  6. Piping & Instrumentation Diagrams (P&IDs)

Regardless of the source, the goal is to create a comprehensive SIF list and establish a minimal set of input information for each function, including:

  • Sensors and final elements, described in ‘On’ statements (e.g., “On high pressure in V-100 from PT-1201 or low level in Tank-101 from LT-1202: stop Pump P-130 and close valve XV-1001.”)
  • Causes of demand on the SIF, which could be equipment failures, operator errors, planned events, or unintended but credible scenarios.

If time allows, developing a SIF list before the SIL assessment workshop can be beneficial, particularly when input data is detailed, extensive, and understandable without requiring expert clarification.

1. Using Process Control Narratives and Interlock Descriptions

Process control narratives provide textual explanations of control and safety functions within a system. Both the Basic Process Control System (BPCS) and Safety Instrumented System (SIS) functions are included, making them a good starting point for SIF identification.

Challenges include:

  • Some functions may need to be divided into multiple SIFs if they include conditional cases (e.g., different actions during startup vs. normal operation).
  • Complex interlocks may require assistance from the design team to break them down into constituent SIFs.

2. Using Cause & Effect Diagrams (C&EDs)

C&EDs present SIS initiators on one axis and final elements on another, showing how they interact. Symbols can be chosen to indicate the specific behaviour of the final element (such as C = close, O = open, E = energize, D = de-energise), or a general symbol can be used (X = do something).

These diagrams are useful for quickly identifying SIFs but often have drawbacks such as small text size, outdated information, or inconsistencies with other documents.

Steps for SIF identification from C&EDs:

  • Identify initiators on the left of the diagram and their logical groupings (e.g., OR, AND, 2oo3 logic).
  • Group initiators in ‘OR’ categories only if they detect the same initiating events. Otherwise, split up the SIFs into groups of initiating events, with the appropriate subset of initiators for each group.
  • Create separate SIFs for initiators in ‘AND’ or MooN groups.
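
The grouping rules above, applied to a small cause and effect matrix. This is an added example, not taken from the referenced book; the tags, initiating events and the `2oo3:G1` group label are constructed, and it assumes that initiators are merged only when they also drive the same final elements.

```python
from collections import defaultdict

# Legend symbols as listed in the text above.
ACTIONS = {"C": "close", "O": "open", "E": "energize", "D": "de-energise", "X": "act on"}

# Constructed sample C&ED, one row per initiator (all tags and events are made up):
# (tag, detected condition, logic group, initiating event, {final element: symbol})
CED_ROWS = [
    ("PT-1201", "high pressure in V-100", "OR", "blocked outlet", {"P-130": "D", "XV-1001": "C"}),
    ("PT-1205", "high pressure in V-100", "OR", "blocked outlet", {"P-130": "D", "XV-1001": "C"}),
    ("LT-1202", "low level in Tank-101", "OR", "loss of feed", {"P-130": "D", "XV-1001": "C"}),
    ("TT-1301A", "high temperature in R-200", "2oo3:G1", "cooling failure", {"XV-2001": "O"}),
    ("TT-1301B", "high temperature in R-200", "2oo3:G1", "cooling failure", {"XV-2001": "O"}),
    ("TT-1301C", "high temperature in R-200", "2oo3:G1", "cooling failure", {"XV-2001": "O"}),
]


def identify_sifs(rows):
    """Group C&ED rows into SIFs and describe each one as an 'On' statement."""
    groups = defaultdict(list)
    for tag, condition, logic, event, effects in rows:
        # All plain OR rows carry the same label, so they are split by initiating
        # event; every AND / MooN group has its own label and becomes its own SIF.
        # Assumption: rows are merged only if they also drive the same final elements.
        key = (logic, event, tuple(sorted(effects.items())))
        groups[key].append((tag, condition))

    sifs = []
    for number, ((logic, event, actions), members) in enumerate(groups.items(), start=1):
        vote = logic.split(":")[0]  # "2oo3:G1" -> "2oo3"
        tags = [tag for tag, _ in members]
        if vote in ("OR", "AND"):
            trigger = f" {vote.lower()} ".join(f"{cond} from {tag}" for tag, cond in members)
        else:
            trigger = f"{members[0][1]} from {vote} voting of {', '.join(tags)}"
        effect = " and ".join(f"{ACTIONS[symbol]} {element}" for element, symbol in actions)
        sifs.append({"id": f"SIF-{number:02d}", "logic": vote, "event": event,
                     "initiators": tags, "on": f"On {trigger}: {effect}"})
    return sifs


if __name__ == "__main__":
    for sif in identify_sifs(CED_ROWS):
        print(sif["id"], f"[{sif['event']}]", sif["on"])
```

The three OR rows yield two SIFs because LT-1202 detects a different initiating event, even though it drives the same final elements.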

3. Using HAZOP and Previous SIL Assessment Reports

Risk analysis reports, especially SIL assessment studies, provide direct inputs for SIF identification. However, modifications may be needed to account for design changes.

Preparing a SIF list from a HAZOP report requires:

  • Reviewing HAZOP worksheets to identify safety functions labeled as ‘trips’ in the safeguards column and noting the corresponding causes.
  • Converting the list of demand cases into a preliminary SIF list. For each demand case, obtain the following data from the HAZOP report and note it in the SIF list: (1) all the sensors provided to detect the dangerous condition, and the logic applied to them (OR, AND, MooN); (2) any unusual conditions which cause the harm to occur; (3) the final element(s) provided to achieve the safe state.
  • Grouping any demand cases that have the same sensors and final elements into a single SIF.
  • Ensuring additional cases like double failures, mechanical causes, and human errors are considered.
  • Filtering out BPCS trips that do not impact safety significantly.

BPCS trips are generally left out of the SIF analysis, provided that:

  • Any BPCS trips not backed up by a SIF in the SIS have been studied in a previous SIL assessment study and found to require a RRF of 10 or less.
  • No significant design changes have been made that could affect the outcome of that SIL assessment study.
  • Previous SIL assessments confirmed the trip does not need SIL rating.

4. Using Binary Logic Diagrams

Binary logic diagrams depict the logic performed by a SIF. They often indicate pre-existing SIFs, which should therefore already have had a SIL assessment done. These diagrams are useful starting points but should not be assumed to be complete.

Key steps:

  • Convert each diagram into a SIF description, ensuring initiators, logic (e.g., 1ooN, MooN), and outputs are included.
  • If the binary logic diagram shows conditionals, such that the SIF’s behavior varies according to the state of other parameters (such as whether we are in startup), it will probably be necessary to split the SIF and write separate SIFs for each state.
  • Supplement missing information on SIF purpose and consequences from other sources like HAZOP reports.

5. Using Interlock Logic Diagrams

Interlock logic diagrams display the logical flow from initiators to final elements and can be complex to interpret. They are often drawn so that the overall flow is from top to bottom, with initiators at the top of the page and final elements at the bottom. These diagrams may span multiple pages, requiring careful examination. However, the diagram is likely to show less detail than a binary logic diagram.

One way to approach the task is to start at the bottom, with the final elements, and work upwards to the corresponding initiators. A typical workflow could look like this:

  1. Select the first final element, and any other final elements that are obviously grouped with this element on the same horizontal ‘bar’.
  2. Work upwards through the logic flow to the first ‘merge’ point, the point where vertical lines from other final elements meet the one you first selected. Note which final elements are connected to this merge point and include them in the SIF.
  3. Work upwards to the first ‘split’ point, the point where the logic flow splits in a Y shape to encompass inputs from various signals. If all the signals are from initiators, include them in the SIF and move on to the next SIF.
  4. The first SIF is now complete. Move on to the next final element and repeat the process.

Like binary logic diagrams, interlock logic diagrams often lack information on demand causes and failure consequences, which must be supplemented from other sources.
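
The bottom-up workflow above, run over a small interlock logic diagram stored as a graph. This is an added example, not taken from the referenced book; the tags and node names (`BAR-1`, `Y-1`, `Y-2`) are constructed. The text does not say what to do when a signal at the split point is not an initiator, so the example assumes such inputs are listed as unresolved for review.

```python
# Constructed interlock logic diagram: for each node, the nodes directly above it.
# Tags and node names (BAR-1, Y-1, Y-2) are made up for this example.
ABOVE = {
    "XV-1001": ["BAR-1"],
    "P-130": ["BAR-1"],              # two final elements grouped on one bar
    "BAR-1": ["Y-1"],
    "Y-1": ["PT-1201", "LT-1202"],   # split: every input is an initiator
    "XV-2001": ["Y-2"],
    "Y-2": ["TT-1301", "Y-1"],       # split: one input comes from other logic
}
INITIATORS = {"PT-1201", "LT-1202", "TT-1301"}
FINAL_ELEMENTS = ["XV-1001", "P-130", "XV-2001"]  # in order along the bottom of the page


def split_point(node, above, initiators):
    """Climb from a final element, through any merge points, to the first split."""
    while len(above.get(node, [])) == 1 and above[node][0] not in initiators:
        node = above[node][0]
    return node


def trace_sifs(final_elements, above, initiators):
    """Work through the final elements in order and build one SIF per split point."""
    by_split = {}
    for element in final_elements:
        # Final elements whose lines merge below the same split belong to one SIF.
        by_split.setdefault(split_point(element, above, initiators), []).append(element)

    sifs = []
    for number, (split, elements) in enumerate(by_split.items(), start=1):
        inputs = above.get(split, [])
        sifs.append({
            "id": f"SIF-{number:02d}",
            "final_elements": elements,
            "initiators": [n for n in inputs if n in initiators],
            # Inputs that are not initiators come from other logic: left for review.
            "unresolved": [n for n in inputs if n not in initiators],
        })
    return sifs


if __name__ == "__main__":
    for sif in trace_sifs(FINAL_ELEMENTS, ABOVE, INITIATORS):
        print(sif)
```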

6. Using Piping & Instrumentation Diagrams (P&IDs)

When no other sources are available, P&IDs can serve as a last resort for identifying SIFs. However, they present several limitations:

  • Systematic identification is difficult, leading to potential omissions.
  • P&IDs may lack up-to-date information on sensors and final elements.
  • Differentiating safety functions from BPCS functions can be challenging.
  • Logical links between safety functions may not show directionality.
  • Conditionals will most likely not be depicted.
  • The causes of SIF demand and consequence of failure cannot be deduced from the P&ID alone.

Steps for extracting SIFs from P&IDs:

  • Identify safety functions marked by interlock symbols (typically diamonds with labels starting with ‘S’ or ‘IS’). Separate diamonds may be shown linked to each initiator and each final element.
  • Interlocks that appear to be triggered from other interlocks can be treated as secondary functions at this stage; in other words, treat the triggering SIF as the initiator.
  • Write down the interlocks in a table, grouping the S number, the initiators and the final elements together.
  • Use textual interlock descriptions to define individual SIFs and to split the list into SIFs.

References 

Functional Safety from Scratch by Peter Clarke
