ISA TRANSACTIONS®
ISA Transactions 42 (2003) 163–165

Derivation of an equation for quantitative SIL assignment

Edward M. Marszal,* P.E.
Principal Engineer, Exida

(Received 13 November 2000; accepted 9 July 2001)

*Fax: (614) 459-9764; E-mail address: emarszal@exida.com

Abstract

Quantitative risk analysis for selection of safety integrity levels (SILs) is becoming more prevalent due to the high equipment costs associated with qualitative methods. Procedures for applying quantitative methods to the SIL selection problem are in the early stages of development. Literature explaining quantitative methods is scarce, and many engineers are forced to develop ad hoc procedures, some of which are mathematically flawed. One of the equations popularly used to assign a probability of failure on demand (PFD) to a safety instrumented function (SIF) based on tolerable risk and unmitigated event frequency is shown in the equation below. Variations of this equation are in use by various SIS practitioners:

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{f_{\text{Tolerable Risk}}}{f_{\text{Unmitigated Event}}}$$

This paper presents a rigorous derivation of this equation based on scientific laws of probability math and standardized definitions used in the field of SIS engineering. By publishing this derivation the author hopes to lend more credibility to this type of SIL selection process and increase its usage in the process industries. © 2003 ISA—The Instrumentation, Systems, and Automation Society.

Keywords: Safety; Integrity level

1. Introduction

As engineers become more experienced with the application of safety instrumented systems (SISs), quantitative risk analysis for selection of safety integrity levels (SILs) is becoming more and more common. SIS practitioners have found that qualitative methods for selecting SILs are unsatisfactory because they are overly conservative. The inflated requirements yielded by these qualitative methods are unnecessarily increasing both the capital expense and the ongoing maintenance cost of SISs.

To address the high equipment costs and poor results associated with qualitative selection methods, many sophisticated users of SISs are turning to quantitative methods such as layer of protection analysis and full quantitative risk analysis. Procedures for applying quantitative methods to the SIL selection problem are in the early stages of development. Literature explaining the use of fully quantitative methods for SIL selection is virtually nonexistent. For these two reasons, many engineers are forced to use ad hoc methods for the selection process, arriving at equations through questionable methods, some of which are mathematically incorrect. One of the equations popularly used to assign a PFD to a safety instrumented function (SIF) based on tolerable risk and unmitigated event frequency is shown in Eq. (1). Variations of this equation are in use by various SIS practitioners:

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{f_{\text{Tolerable Risk}}}{f_{\text{Unmitigated Event}}} \qquad (1)$$

Using Eq. (1), the required PFD for a particular SIF is calculated. Once the required PFD is known, the required SIL is selected using the tables provided in standards ISA 84.01 and IEC 61508/61511, which equate SIL categories to ranges of PFDs.

2. Derivation

The derivation of the SIL assignment equation begins with the law of probability multiplication for independent events A and B, as shown in Eq. (2), which is a fundamental scientific law:

$$P(A \text{ and } B) = P_A \, P_B \qquad (2)$$

The probability of an unwanted event is the probability that an event occurs that will result in the accident if not prevented by the safety instrumented function (SIF), and that the SIF protecting against the unwanted event fails to operate on demand. Using the probability multiplication law, this situation can be mathematically stated as shown in Eq. (3). The probability that an event occurs which, if not prevented by the SIF, will lead to an unwanted event is referred to as the unmitigated event:

$$P_{\text{Unwanted Event}} = P_{\text{Unmitigated Event}} \, P_{\text{SIF Failure on Demand}} \qquad (3)$$

For the purposes of the SIL selection problem, the terms whose probabilities are being discussed should be clarified. In order to make this problem useful, the probability at which an unwanted event is allowed to occur must be limited to a tolerable level. As such, the term $P_{\text{Unwanted Event}}$ should be redefined as $P_{\text{Tolerable Risk}}$. It is important to note that the tolerable probability discussed here refers to the probability at which the specific event that a SIF is preventing is tolerable, as opposed to more general tolerable risk goals such as individual risk of fatality. As defined in ISA 84.01 and IEC 61508/61511, the probability that a SIF will fail is defined as the probability of failure on demand (PFD). It is also important to note that PFD applies to individual loops, called SIFs, as opposed to the entire system that includes all of the safety functions performed by a particular logic solver. A more accurate description for $P_{\text{SIF Failure}}$ would thus be $\mathrm{PFD}_{\mathrm{SIF}}$. After making these substitutions, the equation is as shown in Eq. (4):

$$P_{\text{Tolerable}} = P_{\text{Unmitigated Event}} \, \mathrm{PFD}_{\mathrm{SIF}} \qquad (4)$$

Solving the equation for the probability of failure on demand of the safety instrumented function yields Eq. (5):

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{P_{\text{Tolerable}}}{P_{\text{Unmitigated Event}}} \qquad (5)$$

The probability at which an event will occur is a function of the frequency at which that event has historically occurred and the time interval over which the probability is calculated. The fundamental equation relating probability and frequency is shown in Eq. (6). Constant frequency is consistent with general assumptions used in reliability engineering and is consistent with empirical evidence:

$$P = 1 - e^{-ft} \qquad (6)$$

where $f$ is the frequency of the event and $t$ is the time interval over which the probability is calculated. Using Eq. (6) to describe both the probability of a tolerable event and the probability of the occurrence of an unmitigated event in Eq. (5) yields Eq. (7):

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{1 - e^{-f_{\text{Tolerable}} \, t_{\text{Tolerable}}}}{1 - e^{-f_{\text{Unmitigated Event}} \, t_{\text{Unmitigated Event}}}} \qquad (7)$$

Taking the first two terms of a Taylor series expansion for each of the exponentials yields Eqs. (8) and (9). It is important to note that this is only valid for relatively small values of the $f \cdot t$ products in the exponents:

$$e^{-f_{\text{Tolerable}} \cdot t_{\text{Tolerable}}} \approx 1 + \left(-f_{\text{Tolerable}} \cdot t_{\text{Tolerable}}\right) \qquad (8)$$

$$e^{-f_{\text{Unmitigated Event}} \cdot t_{\text{Unmitigated Event}}} \approx 1 + \left(-f_{\text{Unmitigated Event}} \cdot t_{\text{Unmitigated Event}}\right) \qquad (9)$$

Substituting Eqs. (8) and (9) into Eq. (7) gives Eq. (10):

$$\mathrm{PFD}_{\mathrm{SIF}} \approx \frac{1 - \left(1 - f_{\text{Tolerable}} \cdot t_{\text{Tolerable}}\right)}{1 - \left(1 - f_{\text{Unmitigated Event}} \cdot t_{\text{Unmitigated Event}}\right)} = \frac{f_{\text{Tolerable}} \cdot t_{\text{Tolerable}}}{f_{\text{Unmitigated Event}} \cdot t_{\text{Unmitigated Event}}} \qquad (10)$$

The variable $t$ represents the amount of time over which a probability is calculated. In all cases, solution of the problem requires that the probability of the tolerable event occurrence and the probability of the unmitigated event occurrence be evaluated over the same reference time interval. Therefore $t_{\text{Tolerable}}$ is equal to $t_{\text{Unmitigated Event}}$. Since the two terms are divided in Eq. (10), they both drop out of the equation, yielding the final result in Eq. (11):

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{f_{\text{Tolerable}}}{f_{\text{Unmitigated Event}}} \qquad (11)$$

Therefore

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{f_{\text{Tolerable Risk}}}{f_{\text{Unmitigated Event}}} \qquad (1)$$

3. Example of use

Consider the following example of use of Eq. (1) for a SIL assignment in the process industries. A chemical plant includes a process that handles a flammable gas. There is a possibility that the flammable gas might be released when control of the process is lost. The release of the flammable gas could result in ignition and an explosion. The loss prevention group reviewed the magnitude of the consequence and the corporate risk tolerance policy and determined that the tolerable frequency of the event is once in 100 000 years. The loss prevention group also performed a fault tree analysis of the events surrounding the loss of process control and release of gas and determined that the event would occur once in 1000 years if no SIF were fitted on the process. In the scenario presented, the tolerable risk frequency is set at 1/100 000 per year and the unmitigated event frequency is set at 1/1000 per year. The effectiveness of the SIF required to bring the risk of the process to a tolerable level is then calculated using Eq. (1) as shown below:

$$\mathrm{PFD}_{\mathrm{SIF}} = \frac{1/100\,000}{1/1000} = 0.01 \qquad (12)$$

A SIF that has a PFD of 0.01 will reduce the risk from its current level to the tolerable region. Table 4.1 of the ISA 84.01 standard correlates a PFD of 0.01 to safety integrity level 2. Thus the SIL that should be selected as the integrity target for this SIF is SIL 2. Quod erat demonstrandum.

4. Summary

This paper presents a derivation of an equation used for quantitatively calculating the PFD required for a SIF. The purpose for presenting this derivation is to elevate the state of quantitative risk analysis for the purpose of SIL selection by providing background on the equations and methods that are used. Publishing a derivation of the equation used by SIS practitioners to calculate required PFD will lend more credibility to this type of SIL selection process. To that end, this paper provided a derivation that demonstrated the evolution of the final equation from the scientific laws of probability math and standardized definitions used in the field of SIS engineering.
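The derivation of Section 2 and the flammable-gas scenario of Section 3, worked through in Python as an added example that is not part of the original paper: it evaluates the Eq. (1) ratio and the exact Eq. (7) ratio, measures how far the Taylor truncation drifts once the $f \cdot t$ products are no longer small (the paper's caveat), and maps the required PFD to a SIL. The SIL band limits are the low-demand PFD bands of IEC 61508 / ISA 84.01; treating a value that falls exactly on a band limit as belonging to the more stringent SIL, as the paper does for 0.01, is an assumption of this example.

```python
import math

# Low-demand PFD bands (SIL, lower limit, upper limit) from IEC 61508 / ISA 84.01.
# Boundary handling (a value on a limit goes to the stricter SIL) is assumed here.
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

def pfd_required(f_tolerable, f_unmitigated):
    """Eq. (1)/(11): required PFD = tolerable frequency / unmitigated frequency."""
    if f_unmitigated <= 0:
        raise ValueError("unmitigated event frequency must be positive")
    return f_tolerable / f_unmitigated

def pfd_exact(f_tolerable, f_unmitigated, t):
    """Eq. (7): ratio of the two probabilities 1 - exp(-f t) over the same
    interval t, before the Taylor truncation.  expm1 keeps 1 - exp(-x)
    accurate when f t is tiny, which is exactly the regime of interest."""
    return -math.expm1(-f_tolerable * t) / -math.expm1(-f_unmitigated * t)

def approximation_error(f_tolerable, f_unmitigated, t):
    """Relative error of the Eq. (1) shortcut against Eq. (7) for interval t;
    the paper's caveat that f t must be small shows up here as a large value."""
    exact = pfd_exact(f_tolerable, f_unmitigated, t)
    return abs(pfd_required(f_tolerable, f_unmitigated) - exact) / exact

def select_sil(pfd):
    """SIL whose PFD band contains the required PFD.  Returns 0 above the
    SIL 1 band (no SIL requirement) and raises below the SIL 4 band."""
    tol = 1e-9  # absorb float noise such as (1/100000) / (1/1000)
    for sil, lower, upper in SIL_BANDS:
        if lower * (1 + tol) < pfd <= upper * (1 + tol):
            return sil
    if pfd > SIL_BANDS[0][2]:
        return 0
    raise ValueError("required PFD below the SIL 4 band; not achievable by one SIF")

def worked_example():
    """The paper's scenario: tolerable 1/100 000 per year, unmitigated 1/1000 per year."""
    f_tol, f_ue = 1 / 100_000, 1 / 1000
    pfd = pfd_required(f_tol, f_ue)
    return {"pfd": pfd, "sil": select_sil(pfd),
            "error_1y": approximation_error(f_tol, f_ue, 1.0),
            "error_2000y": approximation_error(f_tol, f_ue, 2000.0)}

if __name__ == "__main__":
    r = worked_example()
    print(f"required PFD {r['pfd']:.4f} -> SIL {r['sil']}; Eq. (1) error over "
          f"1 year {r['error_1y']:.1e}, over 2000 years {r['error_2000y']:.2f}")
```

Over a one-year reference interval the shortcut is within 0.05% of Eq. (7); over 2000 years, where the unmitigated $f \cdot t$ product reaches 2, it understates the required PFD by more than half.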