ProcessPulse

SIL Assessment for a High-Hazard Chemical Processing Unit

Representative Industry Example

This case study illustrates representative methodology and findings for this engagement type. It does not describe a specific named client or disclose any client-identifying information.

Executive Summary

A specialty chemical processing unit operating a continuous exothermic reaction system required SIL determination and verification for a set of safety instrumented functions (SIFs) that had been specified at the design stage using a generic risk graph method, without subsequent LOPA-based validation. The facility's engineering team suspected — correctly, as the assessment confirmed — that several SIFs were specified to a higher SIL than the actual risk warranted, while at least one was potentially under-specified relative to a credible high-consequence scenario. This representative example illustrates the methodology and findings typical of SIL determination and verification work where original design-basis safety instrumentation was specified without rigorous, scenario-specific risk quantification.

Facility Background

The unit ran a continuous, exothermic catalytic reaction with multiple interlocking safety instrumented functions protecting against high-pressure excursion, high-temperature excursion (runaway potential), and loss of cooling water flow. At the original design stage, a contractor had assigned SIL targets to each SIF using a simplified risk graph method — a faster but less rigorous approach than LOPA, appropriate for screening but not always sufficiently precise for final SIL allocation on genuinely high-consequence scenarios. The unit had operated for several years without an incident involving these SIFs, but the facility's engineering team had accumulated operational experience suggesting some interlocks tripped more frequently than the underlying risk would justify, while a newer addition to the process — a higher-pressure feed stream added during a capacity expansion — had never been assessed against the original SIF architecture.

Hazard Profile

  • High-pressure excursion in the reactor system, with credible causes including feed control failure and downstream blockage
  • High-temperature excursion / runaway potential in the exothermic catalytic reaction, with credible causes including cooling water flow loss and catalyst activity drift
  • Loss of cooling water flow, a common-cause initiating event for both the pressure and temperature excursion scenarios, requiring careful independence analysis between the SIFs protecting against each
  • New high-pressure feed stream introduced during a capacity expansion, not present in the original hazard and SIL allocation basis

Study Methodology

  1. LOPA workshop conducted for each high-severity scenario previously identified in the facility's HAZOP register, including the new high-pressure feed stream scenario not covered by the original design basis
  2. Initiating event frequency assignment using recognized industry failure rate data sources, calibrated where possible against the facility's own maintenance and incident history
  3. Independent Protection Layer identification and credit assignment, which identified that two original SIFs shared a common sensor input with a BPCS alarm informally credited as an additional layer; that alarm did not meet IPL independence criteria
  4. Mitigated event frequency calculation for each scenario, compared against the facility's risk tolerance criteria
  5. SIL verification calculation (PFDavg, architecture constraints per IEC 61511, common cause failure factors) for each SIF's as-designed configuration
  6. Comparison of LOPA-derived SIL targets against original risk-graph-derived targets to identify where the two methods diverged and why

Key Findings

  • Two SIFs were over-specified relative to LOPA-derived risk reduction requirements — the original risk graph method assigned SIL 2 where LOPA, crediting legitimate independent layers the risk graph missed, determined SIL 1 was sufficient
  • One SIF was potentially under-specified relative to the new high-pressure feed stream scenario, which had never triggered a SIL re-verification after the capacity expansion
  • A previously informally credited BPCS alarm did not qualify as an Independent Protection Layer due to a shared sensor with the safety-rated pressure transmitter
  • Common cause failure analysis identified that the cooling water flow loss initiating event affected both the temperature and pressure protection functions, requiring explicit independence verification not documented in the original design basis

Risk Reduction Measures

  • The under-specified SIF protecting the new high-pressure feed stream scenario was upgraded to SIL 2 architecture, with a revised proof-test interval calculated to maintain the required PFDavg
  • The two over-specified SIFs retained their existing SIL 2 architecture given remaining equipment service life, but the documented risk basis was corrected to the LOPA-validated SIL 1 requirement for future replacement decisions
  • The informally credited BPCS alarm was removed from the documented risk reduction credit; where the facility judged the layer still worth retaining as an IPL, it was re-instrumented with its own pressure sensor, independent of the safety-rated transmitter
  • A revised Safety Requirement Specification was issued for all affected SIFs, documenting the LOPA basis, IPL independence verification, and common cause failure treatment

Lessons Learned

Capacity and process changes must trigger SIL re-verification as a standing requirement, not a discretionary review.

The new high-pressure feed stream had gone through a capacity expansion MOC process that addressed mechanical and process engineering considerations but did not explicitly gate on re-verifying existing safety instrumented function adequacy against the changed hazard scenario.

Risk graph methods are appropriate for screening, not always for final allocation on genuinely high-consequence scenarios.

The discrepancy between risk-graph and LOPA-derived SIL targets in this case ran in both directions: over-specification in some scenarios, under-specification in another. The simplified method's imprecision is therefore not a conservative bias that can be relied on; it is genuine imprecision, and only LOPA's scenario-specific quantification resolves it.

Informal IPL credit is a common and dangerous drift point.

Facilities often begin crediting a BPCS alarm or operator response as an additional layer of protection informally, based on operational experience, without revisiting whether that layer actually meets formal independence criteria — particularly shared-sensor independence, which is easy to overlook when the alarm appears to function correctly in practice.

Technical Takeaways

  • Treat any capacity, feedstock, or process condition change as a mandatory trigger for SIL re-verification of affected safety instrumented functions
  • Use LOPA rather than simplified risk graph methods for final SIL allocation on scenarios with genuinely high consequence severity, reserving risk graphs for initial screening
  • Audit existing IPL credits periodically for independence criteria compliance, with particular attention to shared sensor and shared logic solver dependencies
  • Document common cause failure analysis explicitly in the SRS for any SIFs sharing an initiating event, rather than treating each SIF's verification as fully independent