Analyze Safety Integrity Levels (SIL) Using Fault Trees

Even before the adoption of ISA-S84.013 as a national standard, safety instrumented systems (SIS) were used to mitigate the risks of process hazards. With the establishment of the standard, there is now a framework for defining Safety Integrity Levels (SIL) for such systems and the associated reliability requirements. However, the standard does not address the topic of how to determine what SIL category is needed to fill the independent layers of protection (IPL) gap. It assumes (section 4.2.2) that this analysis is performed prior to applying the principles of the standard.

The IPL gap is usually addressed during a Process Hazard Analysis (PHA) or in a separate exercise such as Layer of Protection Analysis (LOPA) or Fault Tree Analysis (FTA). All of these involve some type of risk assessment (typically risk ranking) against established tolerability criteria. Needless to say, the quality of the IPL gap analysis is very critical to the overall risk mitigation benefit and implementation cost.

As part of the IPL gap analysis for existing plants, it is necessary to determine the SIL credit afforded by the current SIS IPLs. During the PHA, the tendency is to err on the conservative side to avoid overstating the credit. By using FTA, it may be possible to incorporate factors such as functional testing, and to allow the proper credit for existing IPLs.

FTA also has application in establishing the SIL credit for the design of new SISs that are required to address recommendations from PHAs or that are associated with new or modified plant projects. FTA is one of the evaluation techniques for which ISA has developed guidelines4 to be used for determining the SIL for Safety Instrumented Functions (SIF).

Because ANSI/ISA-S84.01 is a performance based standard, it provides the designer some flexibility as to how the required reliability is achieved. Section 6.2.3 of the standard states that the desired SIL shall be met through a combination of fifteen design considerations that include: separation, redundancy, failure rates and failure modes, and functional testing interval to mention a few. Furthermore, Appendix B.15.2 states, “The functional test interval should be selected to achieve the Safety Integrity Level (SIL).”

The use of functional testing to improve the reliability of interlocks and SISs is a well-established concept. Some examples of how functional test intervals can be adjusted to obtain equivalent SIL reliability are presented below. Fault tree analysis can be used to quantify the effect of adopting a certain functional testing interval on system reliability. Coupling this with cost-benefit analysis allows the designer to compare initial hardware cost against the ongoing maintenance expense of the additional functional testing. Furthermore, with voting SISs, FTA can provide insight on how to set the functional testing interval to obtain the required SIL reliability.


To download our resources, you must become a registered site user. After you register, you will receive an email with a login username and password.

Want to Get Full Access to our Technical Resources?

Register Now