Page 1: SIL Methodology

SIL Methodology

Page 1 of 18

CONTENTS

1.0 PURPOSE ........ 3
2.0 SCOPE ........ 3
3.0 ABBREVIATION ........ 3
4.0 REFERENCES ........ 3
5.0 RESPONSIBILITY AND AUTHORITY ........ 3
6.0 DESCRIPTION OF ACTIVITIES ........ 4
6.1 General ........ 4
6.2 Roles and Responsibilities ........ 4
6.3 SIL Team Composition ........ 5
6.4 SIL Study Schedule and Pre-requisites ........ 5
6.5 SIL Methodology ........ 6
6.5.1 Risk Graph Technique ........ 6
6.5.2 Layer of Protection Analysis ........ 8
6.6 SIL Target Level ........ 11
6.7 SIL Assessment Report ........ 12
7.0 SIL VERIFICATION ........ 12
8.0 FOLLOW-UP AND CLOSE-OUT ........ 13
9.0 RECORDS ........ 13
10.0 APPENDICES ........ 13
APPENDIX I – RISK GRAPH PARAMETERS AND CRITERIA ........ 14
APPENDIX II – LOPA SIL ASSESSMENT WORKSHEET ........ 17

1.0 PURPOSE

The purpose of this procedure is to describe the recommended practice for performing Safety Integrity Level (SIL) assessment and verification studies of identified Instrumented Protective Functions.

2.0 SCOPE

This procedure applies to the performance of SIL studies on Oil & Gas facilities projects. The recommended practice outlined in this procedure shall be adopted on a project where client-specific guidelines are not available.

3.0 ABBREVIATION

C&E Cause and Effects
E/E/PE Electrical, Electronics and Programmable Electronics
ESD Emergency Shutdown System
HSE Health, Safety & Environment
IEC International Electrotechnical Commission
IPF Instrumented Protective Function
PCS Process Control System
PFD Probability of Failure on Demand
PEM Project Engineering Manager
PLC Programmable Logic Controller
QRA Quantitative Risk Assessment
SIL Safety Integrity Level
SIS Safety Instrumented System
SIF Safety Instrumented Function

4.0 REFERENCES

1. IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
2. IEC 61511, Functional Safety – Safety instrumented systems for the process industry sector
3. PFD data from vendors
4. Safety Equipment Reliability Handbook (OREDA), or any other handbook for generic data

5.0 RESPONSIBILITY AND AUTHORITY

N/A

6.0 DESCRIPTION OF ACTIVITIES

6.1 General

Instrument and control systems play a significant role in the management of hazards on oil and gas installations. Shutdown systems are traditionally recognised as safety systems which contribute to reducing the likelihood and consequences of dangers to personnel, while also limiting risks to the environment, to assets and to continued production. Therefore, instrumented protective functions need to be reviewed through a systematic assessment process to determine any requirement for increased reliability and/or higher integrity, and hence reduce risk.

The main objective of the SIL study is to assess the integrity level for all instrumented protection functions that have been provided for all process systems, in accordance with IEC 61511.

The SIL study workshop is conducted to perform a systematic review of plant process systems to identify failures in E/E/PE safety-related control systems at each plant which have the potential for harm to personnel (through illness, injury or loss of life) or to the environment (temporary or permanent). A secondary objective is to identify where such failures have the potential to cause significant economic loss due to production loss and/or damage to capital equipment. The safety and environmental harm and the economic loss will generally arise due to loss of containment, either of the product or of a substance hazardous to health.

6.2 Roles and Responsibilities

The SIL team should consist of the following persons:

Chairman – Responsible for chairing the SIL review meeting and ensuring the process runs smoothly in accordance with the procedure. The Chairman shall ensure the team remains focussed and does not deviate from the objective of the study. The Chairman shall have experience of conducting SIL or similar studies. The Chairman shall bring the SIL assessment software. The SIL Assessment and SIL Verification reports shall be prepared by the Chairman.

Secretary – Responsible for recording the discussion of the meeting, using the worksheets. It is preferable that the SIL Secretary has a technical background in Instrumentation.

Lead HSE Design Engineer – The Lead HSE (Design) Engineer on the project shall ensure that the SIL study is performed to the standards set out in this procedure. The Lead HSE Engineer shall ensure that the administrative tasks necessary to perform the SIL study are completed (organisation of the team, distribution of documents, Chairman selection, selection of venue, etc.).

Lead Instrument Engineer – The Lead Instrument Engineer shall be responsible for ensuring completion of the project design documents necessary prior to the SIL study, including vendor documents. He shall provide the Chairman with the list of tags, initiating devices, final elements and service description for each SIF, for inclusion in the worksheets.

Lead Process Engineer – The Lead Process Engineer shall ensure that the P&IDs are updated in line with the recommendations given in the HAZOP.

Follow-up Coordinator – The Follow-up Coordinator shall be nominated by the Project Engineering Manager (PEM) and must be able to make project decisions on conflicting requirements. The coordinator shall act on behalf of the PEM to facilitate and expedite the satisfactory close-out of recommendations raised by the SIL study. The overall responsibility for the SIL close-out process lies with the PEM.

6.3 SIL Team Composition

The presence of the following team members, from both the Contractor and the Operating Company, is essential for the full duration of the review:

• Process Engineer
• Control and Instrumentation Engineer
• HSE/Safety Engineer
• Operations Representative

Other discipline engineers (Mechanical, Civil, Layout, etc.) shall be available on a need basis.

6.4 SIL Study Schedule and Pre-requisites

The SIL study should be scheduled after completion of the HAZOP study and incorporation of the major HAZOP recommendations into the P&IDs and Cause & Effect charts.

The following project-specific documents (latest revisions) shall be made available prior to the SIL workshop:

• Piping & Instrumentation Diagrams
• Cause and Effects Chart
• HAZOP Report
• QRA Reports
• Plot plans

6.5 SIL Methodology

The common methods used for Target Safety Integrity Level determination are:

• Risk Graph
• Layer of Protection Analysis (LOPA)

Both methods are included in the IEC 61508 and IEC 61511 standards.

The risk graph is a qualitative technique; its results tend to be quite subjective and lead to SIL levels biased on the high side. The Layer of Protection Analysis technique is quantitative and more accurate, and it is becoming the widely accepted technique for SIL determination.

It is advisable to use the Risk Graph method at the FEED stage and the LOPA technique during the detailed design phase. The appropriate methodology should be chosen by the project group after considering client guidelines or advice. In the absence of a client guideline, follow the LOPA methodology for detailed design.

6.5.1 Risk Graph Technique

The risk graph method is a qualitative approach to determining the level of integrity required for the Instrumented Protective Functions (IPF) identified for the project. The approach is based on the International Electrotechnical Commission standard IEC 61511 [Ref. 2].

Risk graph analysis uses four parameters to make a SIL selection. These parameters are consequence (C), occupancy (F), probability of avoiding the hazard (P), and demand rate (W).

Consequence represents the average number of fatalities that are likely to result from a hazard when the area is occupied, and should include the expected size of the hazard and the receptor's vulnerability to the hazard.

Occupancy (exposure time parameter) is a measure of the amount of time that the area which would be impacted by the incident outcome is occupied.

The probability of avoiding the hazard depends on the means available for personnel to know that a hazard exists and on the means of escaping from it.

The demand rate is the likelihood that the accident will occur without considering the effect of the SIF being studied, but including all other non-SIS protection layers.

A combination of consequence, likelihood, occupancy and probability of avoidance represents a level of unmitigated risk. Once those categories have been determined, the risk graph is used to determine the SIL that will reduce the risk by the appropriate amount. Figure 1 contains a typical risk graph, as presented in IEC 61511-3. The SIL is selected by drawing a path from the starting point on the left to the boxes at the right, following the categories selected for consequence, occupancy and probability of avoidance. The combination of those three determines the row that is selected.

Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)

6.5.1.1 Steps

Prior to the assessment, the risk graphs will be calibrated according to the Client's risk criteria. For each loop, the SIL is determined and recorded on the worksheets as follows.

1. Identify the loop to be examined, and record the tag and P&ID number.
2. Agree the function of the loop (i.e. what is it for?).
3. Determine the cause of demand on the loop (most commonly control failure).
4. Identify the output actions (e.g. close specified valves).
5. Agree the consequence if the loop fails on demand. At this point no credit is taken for other relevant risk reduction measures.
6. Having gathered the above information, use combined judgement to agree the four parameters C, F, P and W on the safety risk graph.
7. W is the frequency of the cause of demand identified in step 3.
8. Apply the safety risk graph to determine the SIL required on safety risk considerations.
9. Agree the economic loss parameter L and use the economic risk graph to determine the SIL required on economic risk considerations.
10. Agree the environmental loss parameter E and use the environmental risk graph to determine the SIL required on environmental risk considerations.
11. Determine the SIL required for the function identified in step 2 as the highest of the three SILs determined in steps 7, 8, and 9.

The above steps are repeated for each of the IPF loops.

The risk graph parameters and criteria to be used for this assessment are outlined in Appendix I of this document.

6.5.2 Layer of Protection Analysis

LOPA is one of the techniques developed in response to a requirement within the process industry to be able to assess the adequacy of the layers of protection provided for an activity. Initially this was driven by industry codes of practice or guidance, and latterly by the development of international standards such as IEC 61508 [Ref 1] and IEC 61511 [Ref 2].

Within the LOPA methodology the concept of the Independent Protection Layer (IPL) is well defined and important.

"An IPL is a device, system or action which is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable."

SIL selection is based on establishing a tolerable frequency for each consequence resulting from an initiating event. This tolerable risk guideline needs to be reviewed and accepted by the Company at the start of the SIL review process.

Once the tolerable frequency for a SIF is established, all causes of the initiating event are listed. For each cause, its likelihood is established. The layers of protection and the associated PFD for each cause are then listed, and the mitigated event frequency for each cause is determined. After each cause is analysed, the total event frequency due to all causes for the initiating event is determined. The SIL is determined by comparing the established tolerable frequency (goal) with the total mitigated event frequency.

6.5.2.1 Steps

The following are the important steps which shall be addressed during the SIL assessment sessions:

1. Identify and list all Safety Instrumented Functions for the unit(s).
2. For each SIF identified:
   • Define the worst consequence if the SIF failed to operate when a demand occurs.
   • Categorise the consequence severity and tolerable frequency based on the Company risk guidelines. The tolerable frequency will be selected from the reducible frequency band as per the table.
   • List all causes, and their likelihood, for the initiating event.
   • For each cause, identify all available layers of protection and assign failure probabilities for each layer.
   • For each cause, calculate the mitigated event frequency considering all the layers, i.e. F = Fe*PA*PB*PC*PD, where F is the mitigated event frequency, Fe is the non-mitigated event frequency based on best industrial practice, and PA/PB/PC/PD are the PFD values for each protection layer.
   • Calculate the total event frequency due to all causes.
   • Compare the tolerable frequency goal with the total event frequency.
   • Assign the required SIL based on the additional risk reduction required.
   • Document the results of each analysis in the SIL Selection and Analysis worksheet. Include any notes and recommendations in the worksheet. A typical SIL assessment worksheet format is given in Appendix II.

6.5.2.2 Independent Protection Layers (IPL)

An Independent Protection Layer is a specific category of safeguard. Independent protection layers must meet the following criteria.

Specificity – An independent protection layer must be specifically designed to prevent the consequences of one potentially hazardous event.

Independence – The operation of the protection layer must be completely independent of all other protection layers; no common equipment can be shared with other protection layers.

Dependability – The device must be able to dependably prevent the consequence from occurring. The probability of failure of an independent protection layer must be demonstrated to be less than 10%.

Auditability – The device should be proof tested and well maintained. These audits of operation are necessary to ensure that the specified level of risk reduction is being achieved.

6.5.2.3 Typical Protection Layers

While no two situations are identical, there are a few protection layers and mitigating events that should always be considered when performing a layer of protection analysis in the process industries. These protection layers are shown below:

• PCS Controls – In many cases the PCS control system is designed to automatically move the process to a safe state under abnormal conditions (a control loop or an on/off loop). The criterion most used to determine whether the PCS system can be used as a layer of protection is that a failure of the PCS system did not contribute to causing the initiating event. (Maximum risk reduction credited shall be 1 in 10.)

Many times, an independent alarm in the PCS with operator action is provided to mitigate certain risks. In such a situation, credit for the alarm can be given only if the alarm signal is connected to an entirely independent initiator and I/O, other than the ones carrying out the automatic controls. This will considerably reduce any common mode failures. (Maximum risk reduction credited shall be 1 in 10.)

For the PCS to be credited with two (2) IPLs, the initiators, I/O cards and final control elements must be independent of each other. Only the logic solver part may be shared, provided the logic solvers are redundant.

If the initiating or enabling event involves the failure of a PCS loop, then no more than one PCS loop should normally be credited as an IPL for the same scenario.

The maximum total risk reduction credited for the PCS as an independent layer shall be no more than 1 in 100.

• Operator Intervention – Operator intervention to manually shut down a process when abnormal conditions are detected is a common safeguard. In order for this safeguard to meet the level required of an independent protection layer, the operator must always be present, be alerted to the abnormal situation, be trained in the proper reaction to the abnormal situation, and have ample time to consider the alarm and respond. (Maximum risk reduction credited shall be 1 in 10.)

• Mechanical Integrity of Piping or Vessel – In many cases, piping or a vessel will be designed to withstand the highest temperatures and pressures generated as the result of abnormal conditions. In these cases, the mechanical integrity of the vessel is a protection layer. (Maximum risk reduction credited shall be 1 in 100.)

• Physical Relief Device – Physical relief devices are common safeguards and include such devices as relief valves, rupture disks and thermal fusible plugs. (Maximum risk reduction credited shall be 1 in 100.)

• Ignition Probability – When a flammable material is released to the atmosphere, the probability that the release will ignite depends on factors such as the auto-ignition temperature and the sources of ignition present.

• Other layers to be considered – Use factor, explosion probability, occupancy and external risk reduction facilities such as F&G systems, dikes, etc.

6.6 SIL Target Level

For each safety instrumented function operating in demand mode, the required SIL shall be specified in accordance with the levels stated in the table below (Ref. 2):

Table 1: Probability of Failure on Demand for SIL 1, 2, 3 and 4

Safety Integrity Level (SIL)    Target average Probability of Failure on Demand
SIL 4                           10^-5 to < 10^-4
SIL 3                           10^-4 to < 10^-3
SIL 2                           10^-3 to < 10^-2
SIL 1                           10^-2 to < 10^-1
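The LOPA steps of 6.5.2.1, the layer credits of 6.5.2.3 and Table 1 above, worked through in code as an added example (this is not the procedure's worksheet or any project software). The SIF, its causes of demand, the tolerable frequency and the PFD claims are all constructed for illustration; the per-layer caps, the 1-in-100 limit on total PCS credit and the one-PCS-loop rule are applied as the text states them.

```python
# Added example (not the procedure's worksheet software): LOPA SIL target selection
# following the steps of 6.5.2.1, the layer credits of 6.5.2.3 and Table 1 of 6.6.
# The SIF, causes, tolerable frequency and PFD claims are constructed for illustration.
from dataclasses import dataclass

# Table 1 (6.6): target average PFD band [low, high) for each SIL.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Maximum credit per layer type (6.5.2.3) as the smallest PFD that may be claimed:
# "1 in 10" -> 0.1, "1 in 100" -> 0.01.
MAX_CREDIT = {"pcs": 0.1, "alarm": 0.1, "operator": 0.1, "mechanical": 0.01, "relief": 0.01}
PCS_TOTAL_MIN_PFD = 0.01  # PCS controls and PCS alarm together: no better than 1 in 100


@dataclass
class Ipl:
    name: str
    kind: str    # key into MAX_CREDIT
    pfd: float   # PFD claimed by the team for this layer


@dataclass
class Cause:
    description: str
    fe: float                    # non-mitigated initiating frequency, per year
    ipls: list
    pcs_initiated: bool = False  # True when a PCS loop failure is the cause of demand


def claimable_pfd(ipl):
    """Dependability rule (6.5.2.2): an IPL must be better than 1 in 10; then apply the cap."""
    if ipl.pfd > 0.1:
        raise ValueError(f"{ipl.name}: PFD {ipl.pfd} does not qualify as an IPL")
    return max(ipl.pfd, MAX_CREDIT[ipl.kind])


def mitigated_frequency(cause):
    """F = Fe*PA*PB*PC*PD (6.5.2.1), with the PCS crediting rules of 6.5.2.3."""
    pcs_layers = [i for i in cause.ipls if i.kind in ("pcs", "alarm")]
    if cause.pcs_initiated and len(pcs_layers) > 1:
        raise ValueError(f"{cause.description}: only one PCS loop may be credited "
                         "when the demand is caused by a PCS loop failure")
    f, pcs_product = cause.fe, 1.0
    for ipl in cause.ipls:
        p = claimable_pfd(ipl)
        if ipl.kind in ("pcs", "alarm"):
            pcs_product *= p   # collected separately so the PCS total can be capped
        else:
            f *= p
    return f * max(pcs_product, PCS_TOTAL_MIN_PFD)


def required_sil(total_frequency, tolerable_frequency):
    """Return (PFD the SIF must achieve, SIL) from Table 1.

    SIL 0 means no SIL-rated function is needed: either the tolerable frequency is
    already met, or the additional risk reduction required is less than 10."""
    if total_frequency <= tolerable_frequency:
        return 1.0, 0
    needed_pfd = tolerable_frequency / total_frequency
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= needed_pfd < high:
            return needed_pfd, sil
    if needed_pfd < 1e-5:
        raise ValueError("required risk reduction exceeds SIL 4; change the design")
    return needed_pfd, 0


def worked_example():
    """Constructed scenario: high-pressure trip on a separator, two causes of demand."""
    tolerable = 1e-6  # per year; assumed Company tolerable frequency for this consequence
    causes = [
        Cause("Inlet control valve fails open (PCS loop failure)", fe=0.1, pcs_initiated=True,
              ipls=[Ipl("Independent high-pressure alarm with operator response", "alarm", 0.1),
                    Ipl("Pressure relief valve", "relief", 0.001)]),  # claim is capped to 0.01
        Cause("Outlet blocked in error", fe=0.05,
              ipls=[Ipl("PCS pressure control loop", "pcs", 0.1),
                    Ipl("Independent high-pressure alarm with operator response", "alarm", 0.1),
                    Ipl("Pressure relief valve", "relief", 0.01)]),
    ]
    total = sum(mitigated_frequency(c) for c in causes)  # step: total over all causes
    needed_pfd, sil = required_sil(total, tolerable)      # step: compare with the goal
    return total, needed_pfd, sil


if __name__ == "__main__":
    total, needed_pfd, sil = worked_example()
    print(f"total mitigated frequency {total:.2e}/yr; SIF needs PFD {needed_pfd:.2e} -> SIL {sil}")
```

With the constructed inputs the first cause contributes 1e-4/yr (the relief valve claim of 0.001 is raised to the 0.01 cap) and the second 5e-6/yr, so the SIF must achieve a PFD of about 9.5e-3, which falls in the SIL 2 band of Table 1.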

6.7 SIL Assessment Report

The SIL Assessment Report shall be prepared by the Chairman using the company format and shall include the following as a minimum:

• Executive Summary
• The scope of the SIL study
• List of participants
• The systems examined
• The results as captured in the worksheets
• Conclusions and recommendations

7.0 SIL VERIFICATION

During the EPC phase of the project, a SIL verification study will be performed if it is required contractually or by specific instruction from the Company. SIL validation is not covered under this document as it is normally carried out during the operation phase.

The outcome of the SIL assessment is followed by a SIL verification study, in which the design of the safety instrumented system (SIS) is verified. The risk reduction performance of any given SIF depends on the equipment chosen and the redundancy levels. This safety performance evaluation is called SIL verification and requires reliability analysis of the equipment with a view toward a particular failure mode termed "failure to function on demand" or "fail danger". A piece of equipment used to implement a SIF has a certain probability that it will not successfully protect a process if a dangerous condition (a demand) occurs. This average "probability of failure on demand" (PFD) is calculated and compared with the PFD average table to obtain a "design SIL". If the design SIL is not greater than or equal to the target SIL, better technology or more redundancy is required.

The first step in SIL verification is gathering failure rate data and failure mode data for the equipment selected. Thereafter, the designer calculates PFDavg using simplified equations, fault-tree analysis, or Markov analysis. There are two fundamental challenges faced during SIL verification:

• Gathering the failure rate/mode data, and
• Building a PFDavg model.

Failure rate data is available in a generic sense from several industry databases, including AIChE and OREDA. Failure rate data is also available from some manufacturers, although it is often difficult to source.
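An added illustration of the verification described above (not the procedure's own calculation): PFDavg per subsystem is estimated with the simplified equations of IEC 61508-6 for dangerous undetected failures with repair time neglected, which is one concrete choice among the "simplified equations" the text names generically, summed over sensor, logic solver and final element, and the loop result is compared with Table 1 of section 6.6 to obtain the design SIL. The failure rates, proof-test interval, common-cause factor and equipment names are constructed.

```python
# Added example (not the procedure's own calculation): SIL verification per section 7.0.
# Subsystem PFDavg uses the simplified IEC 61508-6 expressions for dangerous undetected
# failures (repair time neglected, an assumption made here); the loop PFDavg is the sum
# over sensor, logic solver and final element; the design SIL is read from Table 1 (6.6).
# All failure rates, the proof-test interval and the equipment names are constructed.
from dataclasses import dataclass

# Table 1 (6.6): target average PFD band [low, high) per SIL.
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Subsystem:
    name: str
    lambda_du: float   # dangerous undetected failure rate, per hour (constructed)
    voting: str        # "1oo1" or "1oo2"
    beta: float = 0.1  # common-cause factor, used for 1oo2 only (assumed)


def pfd_avg(sub, proof_test_interval_h):
    """1oo1: λDU·T/2.  1oo2: (1-β)²·(λDU·T)²/3 + β·λDU·T/2  (simplified, no repair time)."""
    x = sub.lambda_du * proof_test_interval_h
    if sub.voting == "1oo1":
        return x / 2
    if sub.voting == "1oo2":
        return (1 - sub.beta) ** 2 * x ** 2 / 3 + sub.beta * x / 2
    raise ValueError(f"unsupported voting {sub.voting}")


def loop_pfd_avg(subsystems, proof_test_interval_h):
    """Loop PFDavg: the subsystems are in series, so their PFDavg values add."""
    return sum(pfd_avg(s, proof_test_interval_h) for s in subsystems)


def design_sil(pfd):
    """Design SIL per Table 1; 0 if worse than SIL 1, 4 if better than the SIL 4 band."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0 if pfd >= 1e-1 else 4


def verify(subsystems, target_sil, proof_test_interval_h=8760.0):
    """Return (loop PFDavg, design SIL, design SIL >= target SIL) as in section 7.0."""
    pfd = loop_pfd_avg(subsystems, proof_test_interval_h)
    sil = design_sil(pfd)
    return pfd, sil, sil >= target_sil


# Constructed loop: one transmitter, one logic solver, one shutdown valve, 1-year proof test.
BASE_LOOP = [
    Subsystem("pressure transmitter", 1e-6, "1oo1"),
    Subsystem("SIS logic solver", 1e-7, "1oo1"),
    Subsystem("shutdown valve", 3e-6, "1oo1"),
]
# The same loop with the final element made redundant (1oo2), the remedy section 7.0 names.
REDUNDANT_VALVE_LOOP = BASE_LOOP[:2] + [Subsystem("shutdown valves A/B", 3e-6, "1oo2")]

if __name__ == "__main__":
    for label, loop in (("1oo1 valve", BASE_LOOP), ("1oo2 valves", REDUNDANT_VALVE_LOOP)):
        pfd, sil, ok = verify(loop, target_sil=2)
        print(f"{label}: PFDavg = {pfd:.2e}, design SIL {sil}, meets target SIL 2: {ok}")
```

The single-valve loop comes out at about 1.8e-2 (design SIL 1, failing a SIL 2 target) and the valve in this loop dominates; making the final element 1oo2 brings the loop to about 6.3e-3, inside the SIL 2 band.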

8.0 FOLLOW-UP AND CLOSE-OUT

Upon completion of the SIL assessment workshop, the Chairman will present the findings of the study in the form of a SIL Assessment report. Recommendations of the SIL assessment will generally be closed out by the Instrumentation discipline.

It is important that the Project allocates adequate resources not only to perform the SIL study but also to ensure that the recommendations raised in the SIL report are satisfactorily closed out. The PEM shall be responsible for ensuring that adequate resources are available for timely completion of the SIL study. In general almost all SIL actions belong to the instrument group; therefore, as a general practice, the PEM will nominate an instrument engineer to own the SIL close-out responses. The PEM nominee shall prepare and issue the SIL Close-out report.

9.0 RECORDS

N/A

10.0 APPENDICES

APPENDIX I – RISK GRAPH PARAMETERS AND CRITERIA

(1) - IEC 61511 Safety Parameters

Personnel Safety Risk parameter: Consequence (C) – average number of fatalities. This can be calculated by determining the average numbers present when the area is occupied and multiplying by the vulnerability to the identified hazard. The vulnerability will be determined by the nature of the hazard being protected against. The following factors are proposed:
  V = 0.01 Small release of flammable or toxic material
  V = 0.1 Large release of flammable or toxic material
  V = 0.5 As above but with a high chance of igniting or highly toxic
  V = 1 Rupture or explosion
Classification:
  CA Minor injury
  CB Range 0.01 to 0.1
  CC Range >0.1 to 1.0
  CD Range >1.0 to 10
Comments:
  1. The classification system has been developed to deal with injury and death to people.
  2. For the interpretation of CA, CB, CC and CD, the consequences of the accident and normal healing shall be taken into account.

Personnel Safety Risk parameter: Exposure probability in the hazardous zone (F). This is calculated by determining the length of time the area is occupied during a normal working period.
  NOTE - If the time in the hazardous area is different depending on the shift being operated, then the maximum should be selected.
  NOTE - It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is the case with demands which occur at equipment start-up.
Classification:
  FA In the hazardous zone, occupancy less than 0.1
  FB Frequent to permanent exposure in the hazardous zone, occupancy more than 0.1
Comments:
  3. See comment 1 above.

Personnel Safety Risk parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate.
Classification:
  PA Adopted if all conditions in column 4 (Comments) are satisfied
  PB Adopted if all the conditions are not satisfied
Comments:
  4. PA should only be selected if all the following are true:
  • Facilities are provided to alert the operator that the protection has failed
  • Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area
  • The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Personnel Safety Risk parameter: Demand rate of the unwanted occurrence (W) given no protection system. To determine the demand rate it is necessary to consider all sources of failure that will lead to a demand on the protection system. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not designed and maintained according to IEC 61508 is limited to below the performance ranges associated with SIL 1.
Classification:
  W1 Demand rate less than 0.03 per year
  W2 Demand rate between 0.03 and 0.3 per year
  W3 Demand rate between 0.3 and 3 per year
Comments:
  5. The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS.
  6. If the demand rate is very high (e.g., 10 per year) then use the failure rate and continuous demand method.

(2) - IEC 61511 Asset Loss Parameters

Asset Loss parameter: Consequence (C)
Classification:
  CA Minor operational upset or equipment damage
  CB Moderate operational upset or equipment damage
  CC Major operational upset or equipment damage
  CD Damage to essential equipment, major economic loss
Comments: Monetary values can be assigned to each consequence parameter.

Asset Loss parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate.
Classification:
  PA Adopted if all conditions in column 4 (Comments) are satisfied
  PB Adopted if all the conditions are not satisfied
NOTE. The same conditions as for personnel safety apply.

(3) - IEC 61511 Environmental Parameters

Environmental parameter: Consequence (C)
Classification:
  CA A release with minor damage that is not very severe but is large enough to be reported to plant management or local authorities
  CB Moderate damage, e.g. release within the fence with significant damage
  CC Substantial damage, e.g. release outside the fence with major damage which can be cleaned up quickly without significant lasting consequences
  CD Serious damage, e.g. release outside the fence with major damage which cannot be cleaned up quickly or with lasting consequences
Comments (examples, in increasing order of severity):
  • A moderate leak from a flange or valve
  • Small scale liquid spill
  • Small scale soil pollution without affecting ground water
  • A cloud of obnoxious vapour travelling beyond the unit following flange gasket blow-out or compressor seal failure
  • A vapour or aerosol release, with or without liquid fallout, that causes temporary damage to plants or fauna
  • Liquid spill into a river or sea
  • A vapour or aerosol release, with or without liquid fallout, that causes lasting damage to plants or fauna
  • Solids fallout (dust, catalyst, soot, ash)
  • Liquid release that could affect groundwater

Environmental parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate.
Classification:
  PA Adopted if all conditions in column 4 (Comments) are satisfied
  PB Adopted if all the conditions are not satisfied
NOTE. The same conditions as for personnel safety apply.