(106c) Sil-3, Sil-2, and Unicorns (There Is a High Probability Your SIL 2 and SIL 3 SIFs Have No Better Performance Than SIL 1)

Safety Instrumented System (SIS) standards improved the definition of interlocks and introduced requirements for improved management systems to enforce independence from other Independent Protection Layers (IPLs). SIS standards require verification that the performance of each Safety Instrumented Function (SIF) will be met during its lifetime; where the performance criteria is documented as the target Safety Integrity Level (SIL) or risk reduction factor for the SIF. The SIL is in turn tied to specific values of probability of failure on demand (PFD). The current SIS standards and the TR (Technical Reports, from ISA) that explain how to do SIL Verification calculations do not include accounting for specific human error probabilities -- this is a major deficiency as even the probability of a single human error can be much larger than the target PFD of 0.001 for a SIL 3 and a little larger than the PFD 0f 0.01 for a SIL 2. While the SIL Verification methods outlined in the standards and technical reports like ANSI/ISA TR84.00.02 facilitate consistency for the component-only failure rates, as user companies seek to obtain greater risk reduction from their SIS to satisfy their corporate risk criteria, failure to adequately address potential systematic failures can lead to overly optimistic results and a misallocation of resources intended to reduce risk

This paper shows that specific human error during testing, calibration maintenance, and restoration of a SIF dominate the true PFD of the SIF, for SIL 2 and SIL 3 designs. Unless the human errors are accounted for and then compensated for, it is more likely to find a Unicorn than to actually get two or three orders of risk reduction from SIL 2 and SIL 3 SIFs.

Example methods for human error analysis related to a SIS are provided as well as some proven approaches for controlling human factors. It also discusses ways to prevent or else detect and recover from errors made in redundant channels (such as used in 1oo2, 1oo3, or 2oo3 voting).