
OMV Exploration & Production

Philosophy for Safety Integrity Levels Onshore

Document No: TO-HQ-02-023-00

Issue / Revision record:

Rev  Issue or Revision Description   Origin By  Date      Chkd By  Date      Appd By  Date      Appd By  Date
00   Final Issue                     RH         27/5/05   JEA      31/5/05   PZ       31/5/05   MF       3/6/05
A2   Client Comments Incorporated    MP
A1   Issued for Comment              SCK        13/01/05  MP       04/02/05
Revision history:

Revision  Description of revision
A1        For Comment/Approval
A2        Client Comments Incorporated
00        Final Issue
Philosophy for Safety Integrity Levels Document Number Rev Page


Onshore TO-HQ-02-023 00 2 of 32
OMV Exploration & Production

Contents

1.0 PREFACE .......................................................................................................................5

2.0 DEFINITIONS .................................................................................................................5

3.0 ABBREVIATIONS...........................................................................................................6

4.0 INTRODUCTION.............................................................................................................6

5.0 APPLICABLE CODES, STANDARDS AND REGULATIONS........................................7


5.1 Codes and Standards List ........................................................................................................ 7
5.2 References ................................................................................................................................. 7

6.0 SIL CLASSIFICATION BOUNDARIES...........................................................................8

7.0 SIL CLASSIFICATION OBJECTIVES ............................................................................8

8.0 RISK ANALYSIS METHODOLOGY ...............................................................................9


8.1 Risk Analysis Team ................................................................................................................. 10
8.2 Risk Analysis Documentation ................................................................................................ 11
8.3 Risk Analysis Records ............................................................................................................ 11

9.0 CLASSIFICATION PROCESS......................................................................................12

10.0 GUIDANCE ON IEC 61508 / 61511 ..............................................................................15


10.1 Process Control and Alarm Systems..................................................................................... 15
10.2 Conflicts with API 14C............................................................................................................. 16
10.3 SIL 4 Functions ........................................................................................................................ 16
10.4 Manual Initiators ...................................................................................................................... 16
10.5 Low Pressure Initiators ........................................................................................................... 16
10.6 Mechanical Protection............................................................................................................. 16
10.7 Mitigative Functions ................................................................................................................ 16
10.8 Incremental Impact of Failure................................................................................................. 17
10.9 Area Demand Basis ................................................................................................................. 17
10.10 Use of QRA Data for SIL Classification. ................................................................................ 18

11.0 SIL VALIDATION..........................................................................................................18


11.1 Introduction.............................................................................................................................. 18
11.2 Procedure ................................................................................................................................. 18
11.3 Reliability Data ......................................................................................................................... 19
11.4 Maintenance Data .................................................................................................................... 19

12.0 SIL MANAGEMENT AND MAINTENANCE REQUIREMENTS....................................19

13.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS..............................................20

APPENDIX I EXAMPLE RISK GRAPH...............................................................................2

APPENDIX II SIL WORKSHEET / WORKSHOP FORMAT .................................................1

APPENDIX III IEC RISK GRAPHS .......................................................................................1

1.0 PREFACE

This Philosophy defines the OMV Exploration & Production GmbH corporate
policy on the classification of Safety Integrity Levels for onshore
hydrocarbon production and processing facilities. The document specifies
basic requirements and criteria, defines the appropriate codes and
standards, and assists in the standardisation of facilities’ design across all
onshore operations.

The design process needs to consider project specific factors such as the
location, production composition, production rates and pressures, the
process selected and the size of the plant. This philosophy aims to address
a wide range of the above variables, however it is recognised that not all
circumstances can be covered. In situations where project specific
considerations may justify deviation from this philosophy, a document
supporting the request for deviation shall be submitted to OMV E&P for
approval.

Reference should be made to the parent of this philosophy, document
number TO-HQ-02-001, for information on deviation procedures and
Technical Authorities, general requirements, and definitions and
abbreviations not specific to this document.

2.0 DEFINITIONS

The following definitions are relevant to this document.

Equipment Under Control    Equipment, machinery, apparatus or plant used for
                           manufacturing, process, transportation, medical or
                           other activities.

Safety Integrity Level     The SIL is the designation of the required reliability
                           and quality of a safety function, expressed as the
                           probability of failure to perform its design function
                           on demand. The SIL assessment will consider the
                           consequences of failure on demand on personnel, plant
                           and the environment. The final SIL classification
                           shall be derived from the highest ranking of the SIL
                           or equivalent EIL's and CIL's.

3.0 ABBREVIATIONS

The following abbreviations are relevant to this document.

CIL     Commercial Integrity Level
EIL     Environmental Integrity Level
EUC     Equipment Under Control
IPF     Instrumented Protective Function
LOPA    Layer of Protection Analysis
MTBF    Mean Time Between Failures
OREDA   Offshore Reliability Database
PFD     Probability of Failure on Demand
SINTEF  The Foundation for Scientific and Industrial Research at the Norwegian
        Institute of Technology (NTH) (now the Norwegian University of Science
        and Technology, NTNU)
UKOOA   UK Offshore Operators Association

4.0 INTRODUCTION

The purpose of this document is to establish a common basis for evaluating the
risk to onshore process plants (personnel, plant and the environment) from the
effects of a failure of an instrumented protective function during an abnormal
operating condition. In order to fulfil its purpose this document will:

• Define the scope and boundaries of the assessment process.
• Define the methods for assigning the appropriate Safety Integrity Level to
each safety function.
• Define the method for calculating the probability of failure on demand for
each loop.
• Define the requirements of the Safety Integrity Level management system.

5.0 APPLICABLE CODES, STANDARDS AND REGULATIONS

Codes, standards and regulations referred to in this philosophy shall be of the
latest edition and shall be applied in the following order of precedence:

• Local Regulations,
• The provisions of this document,
• International standards (e.g. ISO, IEC etc.),
• National standards.

Design of the control system and field equipment shall comply with the standards
listed within this philosophy; however, where local standards are more onerous,
the local standards shall apply.

5.1 Codes and Standards List


API 14C Recommended practice for analysis, design, installation, and
testing of basic surface safety systems for offshore production
platforms.
Note:- although this has been written for offshore it shall also be
used for the onshore design, subject to the exceptions listed
within this document.
EEMUA 191 Alarms Systems - A guide to design, management and
procurement.
IEC 61508 Functional Requirements of electronic / electrical / programmable
electronic safety related systems.
IEC 61511 Functional Safety: Safety Instrumented Systems for the Process
Industries.
OLF OLF Recommended Guidelines for the application of IEC61508
and IEC61511 in the Petroleum activities on the Norwegian
continental shelf.
UKOOA UKOOA Guidelines for Instrument Based Protective Systems.

5.2 References

TO-HQ-02-001  Develop Process Engineering Guidelines and Design Philosophies
              Overview
TO-HQ-02-024  Philosophy for Emergency and Process Shutdown Systems Onshore
TO-HQ-02-025  Philosophy for Fire and Gas Systems Onshore
TO-HQ-02-035  Philosophy for Overpressure Protection and Safeguarding Onshore
TO-HQ-02-071  Philosophy for HSEQ Management Onshore

6.0 SIL CLASSIFICATION BOUNDARIES

This philosophy document defines the requirements for IPF risk analysis for
safety systems and fire and gas systems. The risk analysis shall be used to
determine the risk reduction required in the following areas:

• Process Safety Risk (Safety Integrity Levels)
• Environmental Risk (Environmental Integrity Levels)
• Commercial Risk (Commercial Integrity Levels)

The requirements of this philosophy shall apply to logic solvers and field
instrumentation which are based on E/E/PES systems. The requirements of this
philosophy may also be applied to other technologies such as pneumatic and
hydraulic systems.

The design philosophy requirements of the emergency and process shutdown
system and fire and gas system are detailed in Document Nos TO-HQ-02-024 -
Philosophy for Emergency and Process Shutdown Systems Onshore and
TO-HQ-02-025 - Philosophy for Fire and Gas Systems Onshore.

SIL Classification and Analysis shall be carried out in accordance with risk
analysis and ALARP definitions as detailed in Document No TO-HQ-02-071
Philosophy for HSEQ Management Onshore.

7.0 SIL CLASSIFICATION OBJECTIVES

The primary objectives of the SIL classification exercise are to:

• detail the SIL Classification of each of the instrumented protective
functions;
• make recommendations in order that the target SIL can be achieved;
• demonstrate that the designed or installed function can achieve its target
SIL.

8.0 RISK ANALYSIS METHODOLOGY

SIL classification is undertaken on safety systems for the purpose of defining a
SIL rating for instrumented protective functions. The SIL rating of an IPF loop
defines the integrity specification (and hence the minimum reliability
requirement) for system equipment.

The SIL classification process may be implemented to determine whether the
existing or proposed design meets the integrity specification and, if not, what
changes are necessary to meet the integrity specification.

The following table provides the target performance requirements for each SIL,
based on the definition in IEC 61508. Appendix I details an example risk graph.

SIL  Low demand mode of operation (PFDavg)  Risk Reduction Factor
b    A single E/E/PES is not sufficient.
4    ≥1x10^-5 to <1x10^-4                   10,000 to 100,000
3    ≥1x10^-4 to <1x10^-3                   1,000 to 10,000
2    ≥1x10^-3 to <1x10^-2                   100 to 1,000
1    ≥1x10^-2 to <1x10^-1                   10 to 100
a    No special safety requirements.

Table 8.1: IEC Table for low demand mode of operation

All instrumented protective functions should be assessed in a qualitative
manner. The risk graph example shown in Appendix I is one method by which this
may be achieved; other methods are shown in IEC 61508 / 61511. Other risk
graphs categorised by individual operators, and LOPA (IEC 61511), may also be
used, dependent upon their competent utilisation by the assessment team.

The risk graphs proposed for use in Appendix III are taken from the IEC
guidelines for instrument based protective systems which provide guidance on
good practice on the design, operation, maintenance and modifications of
instrument based protective systems.

Where it is proposed to use risk graphs other than those proposed in
Appendix III, the type of risk graph selected and the risk parameters used
should be calibrated to ensure that the risk reduction achieved by the E/E/PES
protective layer and other technologies is sufficient, so that the necessary
risk reduction is achieved and the risk is reduced to tolerable levels (see
Figure 8.1).

[Figure 8.1: IEC risk reduction model. Along an axis of increasing risk the
figure places the residual risk, the acceptable risk and the EUC risk, and
compares the necessary risk reduction with the actual risk reduction. The
actual risk reduction is shown as the partial risk covered by other technology
safety related systems, the partial risk covered by E/E/PE safety related
systems and the partial risk covered by external risk reduction facilities,
i.e. the risk reduction achieved by all safety related systems and external
risk reduction facilities.]

Figure 8.1: IEC - Risk Reduction Model – ALARP Reduction

8.1 Risk Analysis Team

The typical SIL classification Team should include the following personnel:

• SIL Facilitator;
• Process Engineer;
• Safety Engineer;
• Instrument Engineer;
• Operations Personnel;
• Secretary;
• Specialist Engineers and Technicians (for example HVAC and Rotating
Machinery).

The Team Members should have detailed knowledge of the design or experience
of the installation being classified. The Operations Representative should have
practical “hands-on” experience of the installation.

Roles may be combined depending on the qualifications and experience of
individual team members.

Where it is not possible for all the required team members to be present, the
SIL Classification results, including any assumptions / judgements made during
the classification process, must be reviewed by the relevant individuals.

8.2 Risk Analysis Documentation

The following list details some of the documentation types which should be made
available for the SIL classification of safety systems and fire and gas systems.
The documentation used should be selected based on the process being
assessed.

• C&E Drawings
• P&ID Drawings
• Fire and Gas Layout Drawings
• Maintenance and reliability data for the plant
• Relevant generic industry or company reliability data
• Safety Systems design documentation
• Fire protection system design documentation
• HVAC System design documentation
• Electrical area classifications
• Safety Case QRA data

SIL software tools may be used to facilitate the documentation of the
classification process and the calculation of the IPF loop reliabilities.

8.3 Risk Analysis Records

The risk assessment process shall record the following data:

• Initiator tag number.
• The function of the initiator: a description of the detection technique and
the hazard event that it is detecting, specific to the area/zone which is
being covered.
• Design intent for the function: a description of the final element action
triggered by the input.
• Description of the consequences of failure of the IPF: the effect of failure
of the IPF with regard to the safety of the facility personnel or
environmental impact.
• Demand rate: the frequency of occurrence of the hazard event that the
IPF is designed to prevent / mitigate against.
• Personnel impact: the number of personnel impacted if the hazard event
occurs.
• Avoidance Criteria.
• Individual (SIL, EIL and CIL) and overall SIL Classification for the IPF
loop.
• Risk Graph: reference to the risk graph used to assign the SIL
Classification.
• Reference to QRA extracts.
• Cause and Effects Document Numbers.
• Detector layout document numbers.
• Source of reliability data used.
• Source of maintenance data used.

9.0 CLASSIFICATION PROCESS

An IPF Loop is defined as a protective / mitigating function activated in order
to protect personnel, equipment or the environment against damage due to a
malfunction or process upset.

An IPF loop consists of three parts:

• One or more initiators (from the field element up to the logic solver input
card)
• The Logic Solver
• One or more end elements (from the output card to the final field element,
including hydraulic, pneumatic and other power supplies)

Alarms and process control equipment are not considered as IPF loops. Refer to
Section 10.1 for specific conditions and requirements where they can be
considered.

With reference to the Cause and Effect Diagrams, every cause and every effect
shall be reviewed on a loop / function basis as well as the initiating device failure
i.e. if input 1 activates 4 outputs a, b, d and e, then five loops shall be reviewed.

The analysis of each IPF loop shall consider the consequences of failure on
demand in the following areas:

• Process Safety Risk (Safety Integrity Levels)
• Environmental Risk (Environmental Integrity Levels)
• Commercial Risk (Commercial Integrity Levels)

9.1.1 Process Safety Risk Analysis

Each loop shall be reviewed on the following basis:

• Consequence Severity
• Personnel Exposure
• Alternatives to Avoid Danger
• Demand Rate

The consequence severity has four possible outcomes. These are:

• Ca Slight Injury
• Cb Serious Injuries or 1 Death
• Cc Multiple Deaths – Results in the death of several persons
• Cd Catastrophic – Results in multiple deaths

The personnel exposure is defined as either rare or frequent:

• P1 Rare is defined as personnel being in close proximity to the incident
for a period of less than 10% of their shift.
• P2 Frequent is defined as being present for more than 10% of their shift.

Alternatives to avoid danger have two outcomes – Possible (F1) or Not Likely
(F2). This shall take into account escape routes, prior warning of the
incident, alarms or warning beacons.

The demand rate has three possible outcomes. These are:

• W1 Very Low – Demand Rate once in every 30 years or more.
• W2 Low – Demand Rate between 3 – 30 years.
• W3 Relatively High – Demand Rate between 0.3 – 3 years.

The SIL rating is calculated using the responses to the 4 questions and the
appropriate SIL level is generated using the IEC risk graph attached in
Appendix III.
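As an added worked example (editor's code, not part of this philosophy or of the IEC standard), the following Python walks the Appendix I example risk graph (IEC 61508 Part 5) from the four Section 9.1.1 answers, maps a demand rate to W1 to W3 with the Section 9.1.1 bands, and takes the highest of SIL, EIL and CIL as Section 2.0 requires. The intermediate rows X1 to X6 and their W-column outcomes are reproduced from IEC 61508-5 Annex D as the editor knows them and are an assumption; the calibrated graph adopted for a plant under Section 8.0 takes precedence. Each adverse binary answer moves one row down the graph, so the two binary parameters act symmetrically and the Section 9.1.1 labelling of exposure as P and avoidance as F gives the same result as the F/P naming in the Appendix I legend.

```python
# Added example (editor's code, not part of the OMV philosophy): walks the
# IEC 61508-5 example risk graph reproduced in Appendix I. The intermediate
# rows X1..X6 and their W-column outcomes are taken from IEC 61508-5 Annex D
# as the editor recalls them (assumption); the calibrated graph adopted for
# the plant under Section 8.0 takes precedence over this table.

# Outcome symbols follow the Appendix I legend: "-" no safety requirements,
# "a" no special safety requirements, "1".."4" the SIL, "b" a single E/E/PES
# is not sufficient.
RISK_GRAPH = {
    1: {"W1": "-", "W2": "-", "W3": "a"},
    2: {"W1": "-", "W2": "a", "W3": "1"},
    3: {"W1": "a", "W2": "1", "W3": "2"},
    4: {"W1": "1", "W2": "2", "W3": "3"},
    5: {"W1": "2", "W2": "3", "W3": "4"},
    6: {"W1": "3", "W2": "4", "W3": "b"},
}

# Ranking used when the highest of SIL / EIL / CIL is selected (Section 2.0).
OUTCOME_ORDER = ["-", "a", "1", "2", "3", "4", "b"]


def demand_class(years_between_demands: float) -> str:
    """Map a demand rate to W1..W3 using the Section 9.1.1 bands.

    W1: once in 30 years or more; W2: once in 3 to 30 years;
    W3: once in 0.3 to 3 years. Demands more frequent than once in 0.3 years
    lie outside the graph and must be treated by other means.
    """
    if years_between_demands >= 30:
        return "W1"
    if years_between_demands >= 3:
        return "W2"
    if years_between_demands >= 0.3:
        return "W3"
    raise ValueError("demand rate above the W3 band; risk graph not calibrated for it")


def risk_graph_row(consequence: str, exposure: str, avoidance: str) -> int:
    """Return the intermediate row X1..X6 reached from the starting point.

    Ca leads straight to X1. For Cb..Cd each adverse binary answer (P2
    frequent exposure, F2 avoidance not likely) moves one row down, so the
    two binary parameters act symmetrically.
    """
    base = {"Ca": 1, "Cb": 2, "Cc": 3, "Cd": 4}[consequence]
    if base == 1:
        return 1
    return base + (exposure == "P2") + (avoidance == "F2")


def classify_sil(consequence: str, exposure: str, avoidance: str, demand: str) -> str:
    """Answer the four Section 9.1.1 questions and read the graph."""
    return RISK_GRAPH[risk_graph_row(consequence, exposure, avoidance)][demand]


def overall_classification(sil: str, eil: str, cil: str) -> str:
    """Section 2.0: the final classification is the highest ranking of the
    SIL and the equivalent EIL and CIL."""
    return max((sil, eil, cil), key=OUTCOME_ORDER.index)


def needs_design_review(classification: str) -> bool:
    """Section 10.3: a SIL 4 outcome (and a fortiori 'b') means the overall
    concept and design should be revisited rather than the loop specified."""
    return OUTCOME_ORDER.index(classification) >= OUTCOME_ORDER.index("4")


if __name__ == "__main__":
    # Constructed case: serious injury possible (Cb), operator present more
    # than 10% of the shift (P2), avoidance not likely (F2), demand expected
    # roughly once in 5 years.
    w = demand_class(5.0)                    # "W2"
    sil = classify_sil("Cb", "P2", "F2", w)  # row X4, column W2 -> "2"
    print(f"Demand class {w}, required SIL {sil}")
    print("Overall classification:", overall_classification(sil, "1", "a"))
    print("Design review needed:", needs_design_review(sil))
```

The functions return the graph symbols rather than integers so that the "-", "a" and "b" outcomes survive into the record of Section 8.3 unchanged; `needs_design_review` is the Section 10.3 check that should fire before any SIL 4 loop is passed on to validation.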

9.1.2 Commercial Risk Analysis

Each of the loops reviewed as defined in Section 9.0 above shall be subjected to
an Asset Protection Review. This shall be carried out on the following basis:

• Consequence Severity
• Demand Rate

The consequence severity has five possible outcomes. These are:

• No operational upset or equipment damage
• Minor operational upset or equipment damage
• Moderate operational upset or equipment damage
• Major operational upset or equipment damage
• Damage to essential equipment, major economic loss or loss of
containment

The demand rates are the same as defined in Section 9.1.1.

The risk graph for asset / economic loss is provided in Appendix III. Before this
chart is used, it must be calibrated for the specific plant it is used on.
Consequence severity should represent the meaningful range of negative
impacts towards important asset or economic objectives (e.g. reliability,
replacement or repair costs).

The equivalent CIL rating is calculated using the responses to the 2 questions
and the appropriate equivalent CIL level is generated using the IEC risk graph
attached in Appendix III.

9.1.3 Environmental Risk Analysis

Each of the loops reviewed as defined in Section 9.0 above shall be subjected to
an Environmental Review. This shall be carried out on the following basis:

• Consequence Severity
• Demand Rate

The consequence severity has five possible outcomes. These are:

• No release or negligible environmental impact
• Release with minor impact on the environment that should be reported
• Release with moderate impact on the environment
• Release with a temporary major impact on the environment
• Release with a permanent major impact on the environment

The demand rates are the same as defined in Section 9.1.1.

Environmental protective functions should be assessed against a risk graph that
provides the range of negative consequences with respect to important
environmental objectives for the specific plant, area of operation and local
legislative requirements, for example violation of discharge permits or flare
consents, or spills of varying magnitude.

The equivalent EIL rating is calculated using the responses to the 2 questions
and the appropriate equivalent EIL level is generated using the IEC risk graph
attached in Appendix III.

10.0 GUIDANCE ON IEC 61508 / 61511

10.1 Process Control and Alarm Systems


The process control system may only be considered where its functionality is
independent of the demand case. The maximum credit which may be applied to
the process control system in any case is SIL 1.

Where process alarms are considered as part of the avoidance criteria the
assessment team shall take into consideration the process involved, the time
taken for the dangerous condition to occur on receipt of the process alarm and
the avoidance action taken by the operator to avert the hazardous condition.

Note: Operator intervention is acceptable under LOPA as part of the FMEA
process but is not normally accepted by Fault Tree Analysis under IEC 61508.

No single reliance shall be placed on an operator or personnel to take
independent action in order to avert the hazardous condition. Operator
intervention shall only be considered with assistance from independent alarms.

Alarm system design shall take into consideration the guidelines for design
and the risk assessment principles detailed in EEMUA 191.

10.2 Conflicts with API 14C


Where IPF loops are classified as not SIL rated, however are still required by API
14C, these should be implemented within the Safety System.

10.3 SIL 4 Functions


Where the SIL classification exercise requires an IPF loop of SIL 4, the overall
concept and design shall be revisited so that the design is more inherently safe
and less risk reduction is required.

10.4 Manual Initiators


Manual initiation of a particular process shutdown level should be categorised at
the highest SIL associated with any of the automatic functions at that level. This
rule takes account of difficulties in identifying a demand rate for manual initiators.

10.5 Low Pressure Initiators


Low pressure initiators are generally installed to detect leaks in pipelines,
process piping and wellhead control panel headers. For leaks affecting process
areas/topsides, the gas detection system would normally be considered to
provide much quicker leak detection than low pressure detectors. This should be
taken into account when classifying the SILs of low pressure initiators. For
purposes of personnel safety, it may be appropriate to consider leak detection
functions of low pressure initiators as SIL Not Rated when it can be shown that
they are not relied upon to protect personnel from a hydrocarbon leak.

10.6 Mechanical Protection


If both an IPF and mechanical protection devices (e.g. relief valves) are present
that protect against the same hazard, the risk graph should be applied to
determine the required SIL for the combination of the IPF and mechanical
protection. The probability of failure on demand (PFD) of the IPF loop and the
PFD of the mechanical protection can then be allocated, ensuring that the total
PFD is distributed within the constraints of the two systems.

This approach provides a quantified and auditable approach to IPF loop and
relief valve test intervals and allows optimisation of test intervals whilst
maintaining the overall integrity of the protection system. If required, the IPF
loop can also be classified separately if it has a function to prevent a demand
being placed on the relief valve.

10.7 Mitigative Functions


Fire and Gas demand events should be considered separately. For each fire or
gas event both the immediate and escalation scenarios should be considered.

The fire detection system shall be assessed with respect to both the immediate
and the escalation consequences of a fire event, i.e. a two stage approach
should be used.

The immediate effect will consider the impact of the failure of the fire and gas
system to detect the initial fire, the incremental consequences of the undetected
event and the effect on personnel in the area.

The escalation scenario will consider the impact of the failure of the fire and gas
system to detect the initial fire event, the incremental consequences of the
undetected event and the effect on personnel in the area.

The gas detection system shall be assessed with respect to both the immediate
and the escalation consequences of a gas release / ignited event, i.e. a two
stage approach should be used.

The immediate effect will consider the impact of the failure of the fire and gas
system to detect the initial release, the incremental consequences of the
undetected event and the effect on personnel in the area.

The escalation scenario will consider the impact of the failure of the fire and gas
system to detect the initial ignited event, the incremental consequences of the
undetected event and the effect on personnel in the area.

The higher of the classifications should be selected as the SIL for the fire and gas
IPF under consideration.

10.8 Incremental Impact of Failure


Only the incremental consequences of the fire and gas function working over the
fire and gas function not working will be considered. For the fire and gas system,
this incremental benefit should be based on:

• The potential for additional time to respond before injury occurs.
• The potential for quicker activation of mitigating functions.

10.9 Area Demand Basis


Since fire and gas detection functions are arranged into areas, or fire zones, then
SIL classification should be based on the failure of fire and gas functions on an
area basis.

10.10 Use of QRA Data for SIL Classification.


Before using QRA data in SIL Classification, care must be taken to ensure that
the benefits are not "double-counted". For example:

• QRA personnel consequence data. QRA estimates for the number of
persons impacted by a flammable scenario likely include the benefits of
fire and gas functions; these must be removed before using the estimate.
• Ignition frequencies. QRA estimates for ignition of flammable releases
may include assumptions claiming benefit for non hazardous area
electrical isolation and other fire and gas functions; this benefit may need
to be removed for certain applications.

11.0 SIL VALIDATION

11.1 Introduction
Each IPF loop shall be validated to ensure that the SIL level required by the
classification process is met by the system design.

The SIL validation process shall also provide input to setting and optimising the
proof test interval and renewal periods for the devices making up the IPF loop.

Where it is shown by the SIL validation results that the IPF loop cannot achieve
the reliability required then the design of the IPF loop shall be revisited.

In this case the classification of the loop shall be reassessed and the new design
revalidated in order to demonstrate that the SIL target level can be achieved.

11.2 Procedure
Each IPF loop which has been classified with a SIL level shall be analysed
considering the type, relevant reliability data, system architecture and
maintenance data for the devices making up the function.

The Probability of Failure on Demand (PFDavg) is calculated; a range of initiator
and final element test intervals is considered and, based on the selection of a
particular combination of test intervals, an overall function PFD can be
calculated and compared with the target integrity specifications.

Generic reliability models may be used to assist this process where common
system arrangements and common component types are used to implement the
IPF loops.

The PFD for each IPF shall be calculated in accordance with the guidance
offered in IEC 61508 Part 6.

11.3 Reliability Data


Care should be taken when obtaining and using reliability data for devices and
equipment.

Whenever possible, actual plant-specific reliability data should be used.

Generic reliability databases (for example OREDA, SINTEF, etc.) may be used to
source data; however, it should be noted that the best data available may give
a false availability or reliability figure.

11.4 Maintenance Data


Where maintenance data is used it should be sourced with reference to the
actual equipment being installed and the guidance offered in IEC 61508 Part 6.

The following information will be required to complete the reliability analysis:

• Beta Factor
• Test frequency
• Test duration (unavailable due to testing)
• Test coverage (Safe Failure Fraction)
• Repair duration (unavailability of the function due to repair periods)
• Maintenance interval (renewal period)
• Maintenance duration (unavailable due to renewal)

12.0 SIL MANAGEMENT AND MAINTENANCE REQUIREMENTS

The SIL classification results and validation calculations shall be maintained
in an auditable system detailing all SIL categorised safety functions. The data
recorded shall include:

• Details and results from the initial SIL review, including all assumptions
made.
• Equipment details such as Manufacturer, Model, MTBF figures, calculated
figures and maintenance frequencies.


This information shall be used to audit the safety system and if necessary, review
the SIL categorisation of the loops.

Note: SIL studies may use different methods (LOPA, risk graph, IEC or operator
defined). Future reviews must always benchmark against the original method, as
errors can otherwise occur and lead to misrepresented SIL values.

This data shall be kept “live” and updated for any changes to the safety functions
whether by addition or deletion.

13.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS

Where required by the certifying authority the following documents shall be
submitted as a minimum for review:

• SIL assessment methodology and scope of work,
• SIL validation results,
• Copies of the reference documentation used in the assessment process.

These should be issued to the CA in a timely manner to obtain approval before
commencing construction.


Appendix I Example Risk Graph

[Figure A1.1: risk graph from IEC 61508 Part 5. From the starting point the path
branches on C, then F, then P; each path terminates in one row of the grid below,
and the SIL is read in the column for W. The branch routing of the original figure
is not reproduced here; only the output grid and legend are shown.]

Output grid (columns W3, W2, W1, i.e. decreasing probability of the unwanted
occurrence from left to right; rows in the order of the figure, top to bottom):

        W3   W2   W1
Row 1   a    -    -
Row 2   1    a    -
Row 3   2    1    a
Row 4   3    2    1
Row 5   4    3    2
Row 6   b    4    3

C = Consequence risk parameter
F = Frequency and exposure risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level

Figure A1.1: Example Risk Graph (From Part 5 IEC 61508)


Risk Parameter / Classification / Comments

Consequence (C)
  C1  Minor injury
  C2  Serious permanent injury to one or more persons; death to one person
  C3  Death to several people
  C4  Very many people killed
  Comments:
  1. The classification system has been developed to deal with injury and death
     to people.
  2. For the interpretation of C1, C2, C3 and C4, the consequences of the
     accident and normal healing shall be taken into account.

Frequency of, and exposure time in, the hazardous zone (F)
  F1  Rare to often exposure in the hazardous zone
  F2  Frequent to permanent exposure in the hazardous zone
  Comments:
  3. See comment 1 above.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  4. This parameter takes into account:
     - operation of a process (supervised (i.e. operated by skilled or unskilled
       persons) or unsupervised);
     - rate of development of the hazardous event (for example suddenly, quickly
       or slowly);
     - ease of recognition of danger (for example seen immediately, detected by
       technical measures or detected without technical measures);
     - avoidance of the hazardous event (for example escape routes possible, not
       possible or possible under certain conditions);
     - actual safety experience (such experience may exist with an identical EUC
       or a similar EUC, or may not exist).

Probability of the unwanted occurrence (W)
  W1  A very slight probability that the unwanted occurrence will come to pass
      and only a few unwanted occurrences are likely.
  W2  A slight probability that the unwanted occurrences will come to pass and
      few unwanted occurrences are likely.
  W3  A relatively high probability that the unwanted occurrences will come to
      pass and frequent unwanted occurrences are likely.
  Comments:
  5. The purpose of the W factor is to estimate the frequency of the unwanted
     occurrence taking place without the addition of any safety-related systems
     (E/E/PES or other technology) but including any external risk reduction
     facilities.
  6. If little or no experience exists of the EUC, or the EUC control system, or
     of a similar EUC and EUC control system, the estimation of the W factor may
     be made by calculation. In such an event a worst case prediction shall be
     made.

Table A1.1: Example data relating to example risk graph (From Part 5 IEC 61508)


Appendix II SIL Worksheet / Workshop Format

Worksheet columns:

Tag Number | P&ID / C&E Ref No. | Role of IPF Function (Notes 1 & 2) | Possible Causes of Demand (Note 3) | Assessment Assumptions | Assessment Results (C, F, P, W, SIL) | Overall SIL | Comments and Actions

Each initiator tag occupies three rows, one per risk category, sharing the
tag, function and overall classification entries:

Initiator Tag Number | Ref 1 | (Notes 1 & 2) | (Note 3) | Process Safety Assumptions | C F P W SIL | Combined Classification SIL/CIL/EIL | Action 1
                     | Ref 2 |               |          | Commercial Assumptions     | C - P W CIL |                                     | Action 2
                     | Ref 3 |               |          | Environmental Assumptions  | C - P W EIL |                                     | Action 3

Notes:
1. The function of the initiator tag: a description of the detection technique and
   the hazard event that it is detecting, specific to the area/zone it is covering.
2. Design intent for the function: a description of the final element action
   triggered by the input.
3. Description of the consequences of failure of the IPF: the effect of failure of
   the IPF with regard to the safety of the facility personnel or environmental
   impact.

Table A2.1: Example SIL Worksheet / Workshop Format

Appendix III IEC Risk Graphs

[Figure A3.1: process safety risk graph. From the starting point the path branches
on C and, where the figure shows them, on F and P; each path terminates in one row
of the grid below, and the SIL is read in the column for W. The branch routing of
the original figure is not reproduced here; only the output grid and legend are
shown.]

Output grid (columns W3, W2, W1, i.e. decreasing demand rate from left to right;
rows in the order of the figure, top to bottom):

        W3   W2   W1
Row 1   -    -    -
Row 2   1    -    -
Row 3   2    1    -
Row 4   2    1    1
Row 5   3    2    1
Row 6   3    3    2
Row 7   NR   3    3
Row 8   NR   NR   NR

C = Consequence risk parameter
F = Frequency and exposure risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
- = No safety requirements
NR = Not recommended. Consider alternatives

Figure A3.1: IEC Process Safety Risk Graph

Risk Parameter / Classification / Comments

Consequence (C)
  C1  Slight injury
  C2  Serious injury or 1 death
  C3  Death to several people
  C4  Very many people killed
  Comments:
  1. The classification system has been developed to deal with injury and death
     to people.
  2. For the interpretation of C1, C2, C3 and C4, the consequences of the
     accident and normal healing shall be taken into account.

Frequency of, and exposure time in, the hazardous zone (F)
  F1  Rare to often exposure in the hazardous zone
  F2  Frequent to permanent exposure in the hazardous zone
  Comments:
  3. See comment 1 above.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  4. This parameter takes into account:
     - operation of a process (supervised (i.e. operated by skilled or unskilled
       persons) or unsupervised);
     - rate of development of the hazardous event (for example suddenly, quickly
       or slowly);
     - ease of recognition of danger (for example seen immediately, detected by
       technical measures or detected without technical measures);
     - avoidance of the hazardous event (for example escape routes possible, not
       possible or possible under certain conditions);
     - actual safety experience (such experience may exist with an identical EUC
       or a similar EUC, or may not exist).

Probability of the unwanted occurrence (W)
  W1  Demand rate once in every 30 years or more.
  W2  Demand rate between 3 – 30 years.
  W3  Demand rate between 0.3 – 3 years.
  Comments:
  5. The purpose of the W factor is to estimate the frequency of the unwanted
     occurrence taking place without the addition of any safety-related systems
     (E/E/PES or other technology) but including any external risk reduction
     facilities.
  6. If little or no experience exists of the EUC, or the EUC control system, or
     of a similar EUC and EUC control system, the estimation of the W factor may
     be made by calculation. In such an event a worst case prediction shall be
     made.

Table A3.1: IEC Process Safety Risk Graph Data

[Figure A3.2: commercial risk graph. The path branches on consequence class only
(C0 to C4); C0 has no grid entry. The CIL is read in the column for W.]

Output grid (columns W3, W2, W1, i.e. decreasing demand rate from left to right):

        W3   W2   W1
C1      -    -    -
C2      -    -    -
C3      1    1    -
C4      2    2    1

C = Consequence risk parameter
F = Frequency and exposure risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
- = No safety requirements
NR = Not recommended. Consider alternatives

Figure A3.2: Commercial Risk Graph

Risk Parameter / Classification / Comments

Consequence (C)
  C0  No operational upset or equipment damage
  C1  Minor operational upset or equipment damage.
  C2  Moderate operational upset or equipment damage.
  C3  Major operational upset or equipment damage.
  C4  Damage to essential equipment, major economic loss or loss of containment.
  Comments:
  1. Each facility will have specific economic consequences which should be
     considered. These should be established before the classification
     commences. Risk graphs should be selected and calibrated to suit the
     specific economic consequences and the local business model.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  2. While not used in this example, the risk graph may be adapted to include
     this requirement.
  3. This parameter takes into account:
     - operation of a process (supervised (i.e. operated by skilled or unskilled
       persons) or unsupervised);
     - rate of development of the hazardous event (for example suddenly, quickly
       or slowly);
     - ease of recognition of danger (for example seen immediately, detected by
       technical measures or detected without technical measures);
     - avoidance of the hazardous event (for example escape routes possible, not
       possible or possible under certain conditions);
     - actual safety experience (such experience may exist with an identical EUC
       or a similar EUC, or may not exist).

Probability of the unwanted occurrence (W)
  W1  Demand rate once in every 30 years or more.
  W2  Demand rate between 3 – 30 years.
  W3  Demand rate between 0.3 – 3 years.
  Comments:
  4. The purpose of the W factor is to estimate the frequency of the unwanted
     occurrence taking place without the addition of any safety-related systems
     (E/E/PES or other technology) but including any external risk reduction
     facilities.
  5. If little or no experience exists of the EUC, or the EUC control system, or
     of a similar EUC and EUC control system, the estimation of the W factor may
     be made by calculation. In such an event a worst case prediction shall be
     made.

Table A3.2: Commercial Risk Graph Data

[Figure A3.3: environmental risk graph. The path branches on consequence class
only (C0 to C4); C0 has no grid entry. The EIL is read in the column for W.]

Output grid (columns W3, W2, W1, i.e. decreasing demand rate from left to right):

        W3   W2   W1
C1      1    -    -
C2      2    1    -
C3      3    3    2
C4      NR   NR   3

C = Consequence risk parameter
F = Frequency and exposure risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
- = No safety requirements
NR = Not recommended. Consider alternatives

Figure A3.3: Environmental Risk Graph

Risk Parameter / Classification / Comments

Consequence (C)
  C0  No release or a negligible environmental impact
  C1  Release with minor impact on the environment – reportable
  C2  Release with moderate impact on the environment.
  C3  Release with temporary major impact on the environment.
  C4  Release with permanent major impact on the environment.
  Comments:
  1. Each facility will have specific environmental consequences / regulations
     which should be considered. These should be established before the
     classification commences. Risk graphs should be selected and calibrated to
     suit the specific environmental consequences and the local business model.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  2. While not used in this example, the risk graph may be adapted to include
     this requirement.
  3. This parameter takes into account:
     - operation of a process (supervised (i.e. operated by skilled or unskilled
       persons) or unsupervised);
     - rate of development of the hazardous event (for example suddenly, quickly
       or slowly);
     - ease of recognition of danger (for example seen immediately, detected by
       technical measures or detected without technical measures);
     - avoidance of the hazardous event (for example escape routes possible, not
       possible or possible under certain conditions);
     - actual safety experience (such experience may exist with an identical EUC
       or a similar EUC, or may not exist).

Probability of the unwanted occurrence (W)
  W1  Demand rate once in every 30 years or more.
  W2  Demand rate between 3 – 30 years.
  W3  Demand rate between 0.3 – 3 years.
  Comments:
  4. The purpose of the W factor is to estimate the frequency of the unwanted
     occurrence taking place without the addition of any safety-related systems
     (E/E/PES or other technology) but including any external risk reduction
     facilities.
  5. If little or no experience exists of the EUC, or the EUC control system, or
     of a similar EUC and EUC control system, the estimation of the W factor may
     be made by calculation. In such an event a worst case prediction shall be
     made.

Table A3.3: Environmental Risk Graph Data
