Philosophy for Safety Integrity Levels Onshore
Document No TO-HQ-02-023-00
Issue/Rev | Issue or Revision Description | Origin By, Date | Chkd By, Date | Appd By, Date | Appd By, Date
OMV Exploration & Production
Contents
3.0 ABBREVIATIONS (page 6)
4.0 INTRODUCTION (page 6)
1.0 PREFACE
This Philosophy defines the OMV Exploration & Production GmbH corporate
policy on the classification of Safety Integrity Levels for onshore
hydrocarbon production and processing facilities. The document specifies
basic requirements and criteria, defines the appropriate codes and
standards, and assists in the standardisation of facilities’ design across all
onshore operations.
The design process needs to consider project-specific factors such as the
location, production composition, production rates and pressures, the
process selected and the size of the plant. This philosophy aims to address
a wide range of the above variables; however, it is recognised that not all
circumstances can be covered. In situations where project-specific
considerations may justify deviation from this philosophy, a document
supporting the request for deviation shall be submitted to OMV E&P for
approval.
2.0 DEFINITIONS
Safety Integrity Level: The SIL is the designation of the required reliability and
quality of a safety function, expressed as the probability of failure to perform
its design function on demand. The SIL assessment will consider the consequences
of failure on demand on personnel, plant and the environment. The final SIL
classification shall be derived from the highest ranking of the SIL or the
equivalent EILs and CILs.
3.0 ABBREVIATIONS
4.0 INTRODUCTION
The purpose of this document is to establish a common basis for evaluating the
risk to the onshore process plants: personnel, plant and the environment from the
effects of a failure of the instrumented protective function during an abnormal
operating condition. In order to fulfil its purpose this document will:
5.2 References
TO-HQ-02-001 Develop Process Engineering Guidelines and Design Philosophies Overview
TO-HQ-02-024 Philosophy for Emergency and Process Shutdown Systems Onshore
TO-HQ-02-025 Philosophy for Fire and Gas Systems Onshore
This philosophy document defines the requirements for IPF risk analysis for
safety systems and fire and gas systems. The risk analysis shall be used to
determine the risk reduction required in the following areas.
The requirements of this philosophy shall apply to logic solvers and field
instrumentation based on E/E/PES (electrical/electronic/programmable electronic
systems). The requirements of this philosophy may also be applied to other
technologies such as pneumatic and hydraulic systems.
SIL Classification and Analysis shall be carried out in accordance with risk
analysis and ALARP definitions as detailed in Document No TO-HQ-02-071
Philosophy for HSEQ Management Onshore.
The following table provides the target performance requirements for each SIL as
based on the definition in IEC 61508. Appendix I details an example risk graph.
The risk graphs proposed for use in Appendix III are taken from the IEC
guidelines for instrument based protective systems which provide guidance on
good practice on the design, operation, maintenance and modifications of
instrument based protective systems.
Where risk graphs other than those proposed in Appendix III are to be used, the
type of risk graph selected and the risk parameters used should be calibrated so
that the risk reduction achieved by the E/E/PES protective layer and other
technologies is sufficient to provide the necessary risk reduction and to reduce
the risk to a tolerable level (see Figure 8.1).
The typical SIL classification Team should include the following personnel:
• SIL Facilitator;
• Process Engineer;
• Safety Engineer;
• Instrument Engineer;
• Operations Personnel;
• Secretary;
• Specialist Engineers and Technicians (for example HVAC and Rotating
Machinery).
The Team Members should have detailed knowledge of the design or experience
of the installation being classified. The Operations Representative should have
practical “hands-on” experience of the installation.
Where it is not possible for all the required team members to be present, the SIL
classification results, including any assumptions or judgements made during the
classification process, must be reviewed by the relevant individuals.
The following list details some of the documentation types which should be made
available for the SIL classification of safety systems and fire and gas systems.
The documentation used should be selected based on the process being
assessed.
• C&E Drawings
• P&ID Drawings
• Fire and Gas Layout Drawings
• Maintenance and reliability data for the plant
• Relevant generic industry or company reliability data
• Safety Systems design documentation
• Fire protection system design documentation
• HVAC System design documentation
• Electrical area classifications
• Safety Case QRA data
SIL software tools may be used to facilitate the documentation of the
classification process and the calculation of the IPF loop reliabilities.
• Demand rate: the frequency of occurrence of the hazard event that the
IPF is designed to prevent or mitigate.
• Personnel impact: the number of personnel impacted if the hazard event
occurs.
• Avoidance Criteria.
• Individual (SIL, EIL and CIL) and overall SIL Classification for the IPF
loop.
• Risk Graph: Reference to the risk graph used to assign the SIL
Classification
• Reference to QRA extracts.
• Cause and Effects Document Numbers.
• Detector layout document numbers.
• Source of reliability data used.
• Source of maintenance data used.
• One or more initiators (From the field element up to the logic solver input
card)
• The Logic Solver
• One or more end elements (From the output card to final field element
including hydraulic, pneumatic and other power supplies)
Alarms and process control equipment are not considered as IPF loops. Refer to
Section 10.1 for specific conditions and requirements where they can be
considered.
With reference to the Cause and Effect Diagrams, every cause and every effect
shall be reviewed on a loop/function basis, as well as the failure of the
initiating device; i.e. if input 1 activates four outputs a, b, d and e, then five
loops shall be reviewed (the four cause-to-effect loops plus the initiator).
Each IPF loop review shall be carried out considering the consequences of failure
on demand for the following areas:
• Consequence Severity
• Personnel Exposure
• Alternatives to Avoid Danger
• Demand Rate
The consequence severity has four possible outcomes (Ca to Cd correspond to rows
C1 to C4 of the risk graph). These are:
• Ca Slight injury
• Cb Serious injuries or one death
• Cc Multiple deaths: results in the death of several persons
• Cd Catastrophic: results in very many deaths
The personnel exposure is defined as either rare or frequent.
The SIL rating is calculated using the response to the 4 questions and the
appropriate SIL level is generated using the IEC risk graph attached in Appendix
III.
Each of the loops reviewed as defined in Section 9.0 above shall be subjected to
an Asset Protection Review. This shall be carried out on the following basis:
• Consequence Severity
• Demand Rate
The consequence severity has five possible outcomes. These are:
The risk graph for asset / economic loss is provided in Appendix III. Before this
chart is used, it must be calibrated for the specific plant it is used on.
Consequence severity should represent the meaningful range of negative
impacts towards important asset or economic objectives (e.g. reliability,
replacement or repair costs)
The equivalent CIL rating is calculated using the response to the 2 questions and
the appropriate equivalent CIL level is generated using the IEC risk graph
attached in Appendix III.
Each of the loops reviewed as defined in Section 9.0 above shall be subjected to
an Environmental Review. This shall be carried out on the following basis:
• Consequence Severity
• Demand Rate
The consequence severity has five possible outcomes. These are:
The equivalent EIL rating is calculated using the response to the 2 questions and
the appropriate equivalent EIL level is generated using the IEC risk graph
attached in Appendix III.
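The loop enumeration of Section 9 (every cause, every effect and the initiator), the personnel risk-graph lookup and the "highest of SIL, EIL and CIL" rule, worked through in code. This is an added example and not part of the OMV philosophy: the personnel graph is a transcription of the IEC 61508-5 example graph reproduced in Appendix I, while the C&E matrix, the tag names PSHH-101 and XV-101a to XV-101e, and the assessed EIL/CIL values are constructed. One caveat a practitioner should check first: IEC 61508-5 draws the demand-rate columns as W3, W2, W1 from left to right, with W3 the highest demand rate, whereas the header extracted into Appendix I reads W1 W2 W3; the code uses the IEC order.

```python
"""Risk-graph classification of IPF loops from a cause-and-effect (C&E) matrix.

Added example, not part of the OMV philosophy. The personnel risk graph is a
transcription of the IEC 61508-5 example graph of Appendix I; the C&E matrix,
tag names and parameter choices below are constructed for illustration.
"""

# Output classes X1..X6 of the IEC 61508-5 example risk graph, reached along the path
# consequence (C1..C4) -> exposure (F1/F2) -> avoidance (P1/P2). C1 has no F/P branching.
_PATH_TO_CLASS = {("C1", f, p): 1 for f in ("F1", "F2") for p in ("P1", "P2")}
_PATH_TO_CLASS.update({
    ("C2", "F1", "P1"): 2,
    ("C2", "F1", "P2"): 3, ("C2", "F2", "P1"): 3,
    ("C2", "F2", "P2"): 4, ("C3", "F1", "P1"): 4,
    ("C3", "F1", "P2"): 5, ("C3", "F2", "P1"): 5, ("C4", "F1", "P1"): 5,
    ("C3", "F2", "P2"): 6, ("C4", "F1", "P2"): 6, ("C4", "F2", "P1"): 6, ("C4", "F2", "P2"): 6,
})

# Result per class and demand-rate column. IEC 61508-5 orders the columns W3, W2, W1
# with W3 the highest demand rate (the extracted Appendix I header reads W1 W2 W3;
# verify against your copy). '-' no safety requirement, 'a' no special safety
# requirement, 'b' a single E/E/PES is not sufficient.
_CLASS_TO_RESULT = {
    1: {"W3": "a", "W2": "-", "W1": "-"},
    2: {"W3": 1, "W2": "a", "W1": "-"},
    3: {"W3": 2, "W2": 1, "W1": "a"},
    4: {"W3": 3, "W2": 2, "W1": 1},
    5: {"W3": 4, "W2": 3, "W1": 2},
    6: {"W3": "b", "W2": 4, "W1": 3},
}

# Ordering used for the "highest ranking of SIL, EIL and CIL" rule of Section 2.0.
_RANK = {"-": 0, "a": 1, 1: 2, 2: 3, 3: 4, 4: 5, "b": 6}


def risk_graph_sil(c, f, p, w):
    """Personnel SIL from the Appendix I risk graph for one (C, F, P, W) path."""
    return _CLASS_TO_RESULT[_PATH_TO_CLASS[(c, f, p)]][w]


def highest(*results):
    """Highest-ranking of several classifications (SIL, EIL, CIL)."""
    return max(results, key=_RANK.__getitem__)


def loops_from_ce(ce_matrix):
    """Expand {cause: [effects]} into the loops to review: one initiating-device loop
    per cause plus one cause->effect loop per marked effect (input 1 -> a, b, d, e
    gives five loops)."""
    loops = []
    for cause, effects in ce_matrix.items():
        loops.append((cause, None))                   # initiating device failure
        loops.extend((cause, effect) for effect in effects)
    return loops


def classify(ce_matrix, assessments):
    """Classify every loop of a C&E matrix.

    assessments maps a loop (cause, effect-or-None) to a dict holding the personnel
    risk-graph parameters c, f, p, w and the separately assessed equivalent
    'eil' and 'cil'. Returns {loop: {"sil", "eil", "cil", "overall"}}.
    """
    out = {}
    for loop in loops_from_ce(ce_matrix):
        a = assessments[loop]
        sil = risk_graph_sil(a["c"], a["f"], a["p"], a["w"])
        out[loop] = {"sil": sil, "eil": a["eil"], "cil": a["cil"],
                     "overall": highest(sil, a["eil"], a["cil"])}
    return out


# Constructed sample: one high-pressure trip input closing four shutdown valves.
SAMPLE_CE = {"PSHH-101": ["XV-101a", "XV-101b", "XV-101d", "XV-101e"]}
SAMPLE_ASSESSMENTS = {
    ("PSHH-101", None):      dict(c="C3", f="F1", p="P2", w="W2", eil=1, cil="-"),  # initiator
    ("PSHH-101", "XV-101a"): dict(c="C2", f="F1", p="P1", w="W2", eil="-", cil=1),
    ("PSHH-101", "XV-101b"): dict(c="C2", f="F2", p="P2", w="W1", eil="a", cil="-"),
    ("PSHH-101", "XV-101d"): dict(c="C3", f="F2", p="P2", w="W3", eil=2, cil=2),
    ("PSHH-101", "XV-101e"): dict(c="C1", f="F1", p="P1", w="W3", eil=2, cil=1),
}


def sample_results():
    """Classification of the constructed sample C&E matrix."""
    return classify(SAMPLE_CE, SAMPLE_ASSESSMENTS)


if __name__ == "__main__":
    for loop, result in sample_results().items():
        print(loop, result)
```

Run directly, it prints the five loops. The XV-101d loop lands on "b", which on the IEC graph means a single E/E/PES is not sufficient, so that function needs an additional protection layer (or a revised design) before the SIL validation of Section 11 is attempted; XV-101e shows the other direction, where a personnel result of "a" is overridden by the equivalent EIL of 2.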
Where process alarms are considered as part of the avoidance criteria, the
assessment team shall take into consideration the process involved, the time
available between receipt of the process alarm and the onset of the dangerous
condition, and the avoidance action taken by the operator to avert the hazardous
condition.
Alarm system design shall take into consideration the design guidelines and risk
assessment principles detailed in EEMUA 191.
The fire detection system shall be assessed with respect to both the immediate
and the escalation consequences of a fire event, i.e. a two-stage approach
should be used.
The immediate effect will consider the impact of the failure of the fire and gas
system to detect the initial fire, the incremental consequences of the undetected
event and the effect on personnel in the area.
The escalation scenario will consider the impact of the failure of the fire and gas
system to detect the initial fire event, the incremental consequences of the
escalation of the undetected event and the effect on personnel in the area.
The gas detection system shall be assessed with respect to both the immediate
and the escalation consequences of a gas release / ignited event, i.e. a two-stage
approach should be used.
The immediate effect will consider the impact of the failure of the fire and gas
system to detect the initial release, the incremental consequences of the
undetected event and the effect on personnel in the area.
The escalation scenario will consider the impact of the failure of the fire and gas
system to detect the initial ignited event, the incremental consequences of the
escalation of the undetected event and the effect on personnel in the area.
The higher of the two classifications (immediate or escalation) should be selected
as the SIL for the fire and gas IPF under consideration.
11.1 Introduction
Each IPF loop shall be validated to ensure that the SIL level required by the
classification process is met by the system design.
The SIL validation process shall also provide input to setting and optimising the
proof test interval and renewal periods for the devices making up the IPF loop.
Where it is shown by the SIL validation results that the IPF loop cannot achieve
the reliability required then the design of the IPF loop shall be revisited.
In this case the classification of the loop shall be reassessed and the new design
revalidated in order to demonstrate that the SIL target level can be achieved.
11.2 Procedure
Each IPF loop which has been classified with a SIL level shall be analysed
considering the type, relevant reliability data, system architecture and
maintenance data for the devices making up the function.
Generic reliability models may be used to assist this process where common
system arrangements and common component types are used to implement the
IPF loops.
The PFD for each IPF shall be calculated in accordance with the guidance
offered in IEC 61508 Part 6.
Whenever possible, actual plant-specific reliability data should be used. The
following data shall be recorded for each loop:
• Beta factor
• Test frequency
• Test duration (unavailable due to testing)
• Test coverage (diagnostic coverage; not to be confused with the Safe Failure
Fraction, which is the architectural-constraint parameter)
• Repair duration (unavailability of the function due to repair periods)
• Maintenance interval (renewal period)
• Maintenance duration (unavailable due to renewal)
• Details and results from the initial SIL review, including all assumptions
made
• Equipment details such as manufacturer, model, MTBF figures, calculated
figures, and maintenance activities and frequencies
This information shall be used to audit the safety system and if necessary, review
the SIL categorisation of the loops.
Note: SIL studies may use different methods (LOPA, risk graph, IEC or operator
defined). Future reviews must always benchmark against the original method,
because mixing methods can introduce errors that misrepresent the SIL values.
This data shall be kept “live” and updated for any changes to the safety functions
whether by addition or deletion.
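A worked SIL validation for one IPF loop following the procedure of Sections 11.1 and 11.2, as an added example and not OMV's own tool or data. It implements the IEC 61508-6 Annex B simplified PFDavg equations for 1oo1, 1oo2 and 2oo3 subsystems using the beta factor, diagnostic coverage, proof-test interval and repair times listed above, sums initiator, logic solver and end element, bands the result with the low-demand PFDavg table of IEC 61508-1, and searches for the longest proof-test interval that still meets the classified SIL. All failure rates, beta factors, coverages, repair times and tag names are constructed illustrative values, not field or vendor data.

```python
"""PFDavg of an IPF loop via the IEC 61508-6 Annex B simplified equations, and the
longest proof-test interval that still meets the target SIL.

Added example, not part of the OMV philosophy. The 1oo1, 1oo2 and 2oo3 formulas are
those of IEC 61508-6 Annex B; the SIL bands are the low-demand PFDavg bands of
IEC 61508-1 Table 2. Failure rates, diagnostic coverages, beta factors and repair
times are constructed illustrative values, not field or vendor data.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 8760.0 / 12


def sil_from_pfd(pfd_avg):
    """Low-demand SIL met by a loop PFDavg: SIL n needs 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when even SIL 1 is not met."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < 10.0 ** -sil:
            return sil
    return 0


@dataclass
class Subsystem:
    """One part of the loop: initiator, logic solver or end element."""
    name: str
    arch: str              # "1oo1", "1oo2" or "2oo3"
    lambda_d: float        # dangerous failure rate per hour (detected + undetected)
    dc: float              # diagnostic coverage: share of dangerous failures detected online
    beta: float = 0.0      # common-cause factor for undetected dangerous failures
    beta_d: float = 0.0    # common-cause factor for detected dangerous failures
    mttr_h: float = 8.0    # mean time to restoration after a detected failure (hours)
    mrt_h: float = 8.0     # mean repair time after a proof test reveals a failure (hours)

    def pfd_avg(self, t1_h):
        """PFDavg of this subsystem for proof-test interval t1_h (hours), IEC 61508-6 B.3.2."""
        l_dd = self.lambda_d * self.dc
        l_du = self.lambda_d - l_dd
        # channel equivalent mean down time
        t_ce = ((l_du / self.lambda_d) * (t1_h / 2 + self.mrt_h)
                + (l_dd / self.lambda_d) * self.mttr_h)
        if self.arch == "1oo1":
            return self.lambda_d * t_ce
        # voted-group equivalent mean down time
        t_ge = ((l_du / self.lambda_d) * (t1_h / 3 + self.mrt_h)
                + (l_dd / self.lambda_d) * self.mttr_h)
        independent = ((1 - self.beta_d) * l_dd + (1 - self.beta) * l_du) ** 2 * t_ce * t_ge
        common_cause = (self.beta_d * l_dd * self.mttr_h
                        + self.beta * l_du * (t1_h / 2 + self.mrt_h))
        factor = {"1oo2": 2, "2oo3": 6}[self.arch]
        return factor * independent + common_cause


def loop_pfd(subsystems, t1_h):
    """Loop PFDavg: initiator + logic solver + end element (IEC 61508-6 B.2)."""
    return sum(s.pfd_avg(t1_h) for s in subsystems)


def max_proof_test_interval(subsystems, target_sil, candidates_months=(1, 3, 6, 12, 24, 36)):
    """Longest candidate proof-test interval (months) at which the loop still meets
    target_sil, or None if none does, in which case the design must be revisited."""
    best = None
    for months in candidates_months:
        if sil_from_pfd(loop_pfd(subsystems, months * HOURS_PER_MONTH)) >= target_sil:
            best = months
    return best


def validate(subsystems, target_sil, t1_months):
    """Compare the achieved PFDavg against the classified SIL at a proof-test interval."""
    pfd = loop_pfd(subsystems, t1_months * HOURS_PER_MONTH)
    achieved = sil_from_pfd(pfd)
    return {"pfd_avg": pfd, "sil_achieved": achieved, "meets_target": achieved >= target_sil}


# Constructed sample loop: 1oo2 pressure transmitters, a certified logic solver
# with high diagnostic coverage, and a single shutdown valve with no diagnostics.
LOOP_SINGLE_VALVE = [
    Subsystem("PT-101A/B", "1oo2", lambda_d=5e-7, dc=0.6, beta=0.05, beta_d=0.025),
    Subsystem("logic solver", "1oo1", lambda_d=2e-8, dc=0.99),
    Subsystem("XV-101", "1oo1", lambda_d=2e-6, dc=0.0),
]
# Revised design: duplicated valves with a 10 % common-cause beta (constructed value).
LOOP_DUAL_VALVE = LOOP_SINGLE_VALVE[:2] + [
    Subsystem("XV-101A/B", "1oo2", lambda_d=2e-6, dc=0.0, beta=0.1),
]

if __name__ == "__main__":
    for label, loop in (("single valve", LOOP_SINGLE_VALVE), ("dual valve", LOOP_DUAL_VALVE)):
        r = validate(loop, target_sil=3, t1_months=12)
        print(f"{label}: PFDavg={r['pfd_avg']:.2e}, SIL {r['sil_achieved']} at 12 months; "
              f"longest interval meeting SIL 3: {max_proof_test_interval(loop, 3)} months")
```

With the constructed values the single-valve loop meets SIL 2 at a 12-month proof test but SIL 3 only with monthly testing, which is the "design shall be revisited" case of Section 11.1. Duplicating the valve brings SIL 3 within a 6-month interval, and the numbers show that the beta (common-cause) term rather than the independent-failure term then dominates the end element; that is why the beta factor is the first input to challenge when plant-specific data are substituted for generic figures.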
Appendix I: Example risk graph (IEC 61508 Part 5)

Starting point and path                 W1   W2   W3
C1 (any F, P)                           a    -    -
C2 F1 P1                                1    a    -
C2 F1 P2; C2 F2 P1                      2    1    a
C2 F2 P2; C3 F1 P1                      3    2    1
C3 F1 P2; C3 F2 P1; C4 F1 P1            4    3    2
C3 F2 P2; C4 F1 P2; C4 F2 P1; C4 F2 P2  b    4    3

Table A1.1: Example data relating to example risk graph (from IEC 61508 Part 5).
Column header as extracted; note that IEC 61508-5 orders the demand-rate columns
W3, W2, W1 from left to right, with W3 the highest demand rate. In the IEC figure
"-" means no safety requirements, "a" no special safety requirements and "b" that a
single E/E/PES is not sufficient.
Notes:
1. The function of the initiator tag: a description of the detection technique and the hazard event that it is detecting, specific to the area/zone it is covering.
2. Design intent for the function: a description of the final element action triggered by the input.
3. Description of the consequences of failure of the IPF: the effect of failure of the IPF with regard to the safety of the facility personnel or environmental impact.
Table A3.1: IEC Process Safety Risk Graph data. Rows in the order extracted; the
C/F/P path labels (starting point C2 to C4 with F1/F2 and P1/P2 branches) did not
survive extraction, and NR is as printed:
1    -    -
2    1    -
2    1    1
3    2    1
3    3    2
NR   3    3
NR   NR   NR
Appendix III risk graph data (table captions and demand-rate column labels not
recovered from extraction):

Starting point
C2   -    -    -
C3   1    1    -
C4   2    2    1

Starting point
C2   2    1    -
C3   3    3    2
C4   NR   NR   3