CONTENTS
1.0 PURPOSE
2.0 SCOPE
3.0 ABBREVIATION
4.0 REFERENCES
6.1 General
6.2 Roles and Responsibilities
6.3 SIL Team Composition
6.4 SIL Study Schedule and Pre-requisites
6.5 SIL Methodology
6.5.1 Risk Graph Technique
6.5.2 Layer of Protection Analysis
6.6 SIL Target Level
6.7 SIL Assessment Report
9.0 Records
10.0 Appendices
1.0 PURPOSE
2.0 SCOPE
This procedure applies to the performance of SIL Studies on Oil & Gas facilities
projects. The recommended practice outlined in this procedure shall be adopted
on a project where the client's specific guidelines are not available.
3.0 ABBREVIATION
4.0 REFERENCES
N/A
6.0 DESCRIPTION OF ACTIVITIES
6.1 General
The presence of the following team members, from both the Contractor and the
Operating Company, is essential during the full duration of the review:
• Process Engineer
• Operation Representative
The SIL study should be scheduled after completion of the HAZOP study and
incorporation of the major HAZOP recommendations into the P&IDs and Cause &
Effects Charts.
The following project specific documents (latest revisions) shall be made
available prior to the SIL workshop:
• Piping & Instrumentation Diagrams
• HAZOP Report
• QRA Reports
• Plot plans
The common methods used for Target Safety Integrity Level determination are:
• Risk Graph
Both these methods are included in the IEC 61508 and IEC 61511 standards.
The risk graph is a qualitative technique; its results tend to be quite
subjective and lead to SIL levels biased on the high side. The Layers of
Protection Analysis (LOPA) technique is quantitative and more accurate, and it
is becoming the widely accepted technique for SIL determination.
It is advisable to consider the Risk Graph method at the FEED stage and the
LOPA technique during the detail design phase. The appropriate methodology
should be chosen by the Project group after considering client guidelines or
advice. In the absence of a Client guideline, follow the LOPA methodology for
Detailed Design.
The demand rate is the likelihood that the accident will occur without
considering the effect of the SIF that is being studied, but including all other
non-SIS protection layers.
A combination of consequence, likelihood, occupancy, and probability of
avoidance represents a level of unmitigated risk. Once those categories have
been determined, the risk graph is used to determine the SIL that will reduce
the risk by the appropriate amount. Figure 1 contains a typical risk graph, as
presented in IEC 61511-3. The SIL is selected by drawing a path from the
starting point on the left to the boxes at the right by following the categories
that were selected for consequence, occupancy and probability of avoidance.
The combination of those three determines the row that is selected.
Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)
1.1.1.1 Steps
Prior to the assessment, the risk graphs will be calibrated according to the
Client Risk criteria. For each loop, the SIL is determined and recorded on
worksheets as follows.
1. Identify the loop to be examined, and record the tag and P&ID number.
2. Agree the function of the loop (i.e. what is it for?).
3. Determine the cause of demand of the loop (most commonly control
failure).
4. Identify the output actions (e.g. close specified valves).
5. Agree the consequence if the loop fails on demand. At this point no
credit is taken for other relevant risk reduction measures.
6. Having gathered the above information, use combined judgement to
agree the four parameters C, F, P and W on the safety risk graph.
7. W is the frequency of the cause of demand identified in step 3.
8. Apply the safety risk graph to determine the SIL required on safety risk
considerations.
9. Agree the economic loss parameter L and use the economic risk graph to
determine the SIL required on economic risk considerations.
10. Agree the environmental loss parameter E and use the environmental risk
graph to determine the SIL required on environmental risk
considerations.
11. Determine the SIL required for the function identified in step 2 as the
highest of the three SILs determined in steps 7, 8, and 9.
The above listed Steps are repeated for each of the IPF loops.
The risk graph parameters and criteria to be used for this assessment are
outlined in Appendix-I of this document.
• For each cause identify all available layers of protection and assign
failure probabilities for each layer
• For each cause calculate the mitigated event frequency considering all
the layers i.e. F = Fe*PA*PB*PC*PD where F is the mitigated event
frequency, Fe is non-mitigated event frequency based on the best
industrial practices and PA/PB/PC/PD are the PFD values for each
protection layer.
• Compare the tolerable frequency goal with the total event frequency
• Assign the required SIL based on the additional risk reduction required
• Document the results of each analysis in the SIL Selection and Analysis
worksheet. Include any notes and recommendations in the worksheet.
Typical SIL Assessment worksheet format is given in Appendix II.
Many times, an independent alarm in the PCS with operator action is
provided to mitigate certain risks. In such a situation, credit for the alarm
can be given only if the alarm signal is connected to an entirely
independent initiator and I/O, other than the one carrying out the
automatic controls. This will considerably reduce any common mode
failures. (Maximum risk reduction credited shall be 1 in 10.)
For the PCS to be credited with two (2) IPLs, the initiators, I/O cards and
final control elements must be independent of each other. Only the logic
solver part could be shared, provided the logic solvers are redundant.
If the initiating or enabling event involves the failure of a PCS loop, then
no more than one PCS loop should normally be credited as an IPL for the
same scenario.
Maximum total risk reduction credited for PCS as an independent layer
shall be no more than 1 in 100.
For each safety instrumented function operating in demand mode, the
required SIL shall be specified in accordance with the levels stated in the
table below (Ref. 2):
Table 1: Probability of Failure on Demand for SIL 1, 2, 3 and 4
SIL 1: 10^-2 to < 10^-1
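The LOPA steps and PCS credit limits above, worked through in Python as an added example that is not part of the original procedure: it computes F = Fe*PA*PB*... with the 1-in-10 alarm and 1-in-100 PCS limits applied, then maps the remaining risk reduction to a SIL. The function names, layer `kind` labels and scenario values are constructed for illustration, and the SIL 2 to 4 bands are the IEC 61508/61511 demand-mode values, since only the SIL 1 row survives in Table 1.

```python
# PFDavg bands for demand-mode SIFs (IEC 61508/61511). Only the SIL 1 row
# survives in the page's Table 1. "SIL 0" here means less than SIL 1 is needed.
SIL_BANDS = [(0, 1e-1, 1.0), (1, 1e-2, 1e-1), (2, 1e-3, 1e-2),
             (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]
ALARM_MIN_PFD = 0.1       # PCS alarm + operator action: at most 1 in 10
PCS_TOTAL_MIN_PFD = 0.01  # all PCS layers together: at most 1 in 100


def mitigated_frequency(fe, layers, initiator_is_pcs=False):
    """F = Fe * PA * PB * ... with the PCS credit limits applied.

    layers: (name, pfd, kind) tuples, kind in {"pcs", "pcs_alarm", "other"}.
    Assumption: a PCS alarm counts as a PCS layer for the one-loop rule
    that applies when the initiating event is a PCS loop failure.
    """
    pcs, other, pcs_credited = 1.0, 1.0, 0
    for name, pfd, kind in layers:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"{name}: PFD must be in (0, 1]")
        if kind == "other":
            other *= pfd
            continue
        if initiator_is_pcs and pcs_credited >= 1:
            continue  # no second PCS credit in this scenario
        if kind == "pcs_alarm":
            pfd = max(pfd, ALARM_MIN_PFD)  # claimed credit is clipped
        pcs *= pfd
        pcs_credited += 1
    return fe * max(pcs, PCS_TOTAL_MIN_PFD) * other


def required_sil(f_mitigated, f_tolerable):
    """Return (required PFDavg of the SIF, SIL) for the remaining gap."""
    if f_mitigated <= f_tolerable:
        return None, 0  # tolerable frequency already met without the SIF
    pfd_req = f_tolerable / f_mitigated
    for sil, low, high in SIL_BANDS:
        if low <= pfd_req < high:
            return pfd_req, sil
    raise ValueError("required risk reduction exceeds SIL 4")


# Constructed scenario: control-loop failure at 0.1/yr, tolerable 5e-7/yr.
SCENARIO = [("high-level alarm", 0.05, "pcs_alarm"),
            ("second PCS loop", 0.1, "pcs"),
            ("relief valve", 0.01, "other")]

if __name__ == "__main__":
    f = mitigated_frequency(0.1, SCENARIO, initiator_is_pcs=True)
    print(f, required_sil(f, 5e-7))
```

With the cause being a PCS loop failure, the alarm's claimed 0.05 is clipped to 0.1 and the second PCS loop earns no credit, which moves the target one SIL higher than the same scenario with an independent cause.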
The SIL Assessment Report shall be prepared by the Chairman using the company
format and shall include the following as a minimum:
• Executive Summary
• List of Participants
During the EPC phase of the project, a SIL verification study will be performed
if it is required contractually or by any specific instruction from the Company.
SIL validation is not covered under this document as it is normally carried out
during the operation phase.
The outcome of the SIL assessment is followed by a SIL verification study, where
the design of the safety instrumented system (SIS) is verified. The risk reduction
performance of any given SIF depends on the equipment chosen and the
redundancy levels. The safety performance evaluation is called SIL verification
and requires reliability analysis of the equipment with a view toward a
particular failure mode titled "failure to function on demand" or "fail danger." A
piece of equipment used to implement a SIF has a certain probability that it will
not successfully protect a process if a dangerous condition (a demand) occurs.
This average "probability of failure on demand" (PFD) is calculated and
compared with the PFD average table to obtain a "design SIL." If the design SIL is
not greater than or equal to the target SIL, better technology or more
redundancy is required.
The first step in SIL verification is gathering failure rate data and failure mode
data for the equipment selected. Thereafter, the designer calculates PFDavg
using simplified equations, fault-tree analysis, or Markov analysis. There
are two fundamental challenges faced during SIL verification:
Failure rate data is available in a generic sense from several industry databases,
including AIChE and OREDA. Failure rate data is also available from some
manufacturers, although it is often difficult to source.
Upon completion of the SIL assessment workshop, the Chairman will present the
findings of the study in the form of a SIL Assessment report. Recommendations
of the SIL assessment will generally be closed out by the Instrumentation
discipline. It is important that the Project allocates adequate resources not
only to perform the SIL study but also to ensure that the recommendations raised
in the SIL report are satisfactorily closed out. The PEM shall be responsible
for ensuring that adequate resources are available for timely completion of the
SIL study. In general, almost all SIL actions belong to the instrument group;
therefore, as a general practice, the PEM will nominate an instrument engineer
to own the SIL close-out responses. The PEM nominee shall prepare and issue the
SIL Close-out report.
9.0 RECORDS
N/A
10.0 APPENDICES
APPENDIX I – RISK GRAPH PARAMETERS AND CRITERIA
Personnel Safety
Risk parameter | Classification | Comments
Asset Loss
Risk parameter | Classification | Comments
Consequence (C) | CA: Minor operational upset or equipment damage | Monetary values can be assigned to each consequence parameter
Consequence (C) | CB: Moderate operational upset or equipment damage |
Consequence (C) | CC: Major operational upset or equipment damage |
Consequence (C) | CD: Damage to essential equipment, major economic loss |
Possibility of avoiding the hazardous event (P) if the protection system fails to operate | PA: Adopted if all conditions in column 4 are satisfied | NOTE. The same conditions as personnel safety apply
Possibility of avoiding the hazardous event (P) if the protection system fails to operate | PB: Adopted if all the conditions are not satisfied |