SIL Methodology

Page 1 of 16

CONTENTS

1.0 PURPOSE
2.0 SCOPE
3.0 REFERENCES
4.0 ABBREVIATION
5.0 RESPONSIBILITY AND AUTHORITY
6.0 DESCRIPTION OF ACTIVITIES
  6.1 General
  6.2 Roles and Responsibilities
  6.3 SIL Team Composition
  6.4 SIL Study Schedule and Pre-requisites
  6.5 SIL Methodology
    6.5.1 Risk Graph Technique
    6.5.2 Layer of Protection Analysis
  6.6 SIL Target Level
  6.7 SIL Assessment Report
7.0 SIL VERIFICATION
8.0 FOLLOW-UP AND CLOSE-OUT
9.0 RECORDS
10.0 APPENDICES
APPENDIX I–RISK GRAPH PARAMETERS AND CRITERIA

1.0 PURPOSE

The purpose of this procedure is to describe the recommended practice for performing Safety Integrity Level (SIL) assessment and verification studies of identified Instrumented Protective Functions.

2.0 SCOPE

This procedure applies to the performance of SIL Studies on Oil & Gas facilities projects. The recommended practice outlined in this procedure shall be adopted on a project where the client's specific guidelines are not available.

3.0 REFERENCES

• IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
• IEC 61511, Functional Safety – safety instrumented systems for the process industry sector
• PFD data from vendors
• Safety Equipment Reliability Handbook by OREDA, or any other handbook for generic data

4.0 ABBREVIATION

C&E     Cause and Effects
E/E/PE  Electrical, Electronic and Programmable Electronic
ESD     Emergency Shutdown System
HSE     Health, Safety & Environment
IEC     International Electrotechnical Commission
IPF     Instrumented Protective Function
PCS     Process Control System
PFD     Probability of Failure on Demand
PEM     Project Engineering Manager
PLC     Programmable Logic Controller
QRA     Quantitative Risk Assessment
SIL     Safety Integrity Level
SIS     Safety Instrumented System
SIF     Safety Instrumented Function

5.0 RESPONSIBILITY AND AUTHORITY

N/A

6.0 DESCRIPTION OF ACTIVITIES

6.1 General

Instrument and control systems play a significant role in the management of hazards on oil and gas installations, which have the potential for harm to personnel (through illness and injury or loss of life) or to the environment (temporary or permanent). The safety and environmental harm and the economic loss will generally arise from loss of containment, either of the product or of a substance hazardous to health. Shutdown systems are traditionally recognised as safety systems which contribute to reducing the likelihood and consequences of dangers to personnel, but they also limit risks to the environment, to assets and to continued production. Therefore, in accordance with IEC 61511, instrumented protective functions need to be reviewed through a systematic assessment process to determine any requirement for increased reliability and/or higher integrity, and hence to reduce risk.

The SIL study workshop is conducted to perform a systematic review of plant process systems to identify failures in E/E/PE safety-related control systems at each plant. The main objective of the SIL study is to assess the integrity level required for all instrumented protection functions that have been provided for all process systems. A secondary objective is to identify where such failures have the potential to cause significant economic loss due to production loss and/or damage to capital equipment.

6.2 Roles and Responsibilities

The SIL team should consist of the following persons:

Chairman: Responsible for chairing the SIL review meeting and ensuring the process runs smoothly in accordance with the procedure. The Chairman shall have experience of conducting SIL or similar studies. The Chairman shall ensure the team remains focussed and does not deviate from the objective of the study. The Chairman shall bring the SIL Assessment software. The SIL Assessment and SIL Verification reports shall be prepared by the Chairman.

Secretary: Responsible for recording the discussion of the meeting, using the worksheets. It is preferable that the SIL Secretary has a technical background in Instrumentation.

Lead HSE Design Engineer: The Lead HSE (Design) Engineer on the project shall ensure that the SIL study is performed to the standards set out in this procedure. The Lead HSE Engineer shall ensure that the administrative tasks necessary to perform the SIL study are completed (organisation of the team, Chairman selection, selection of venue, distribution of the documents, layout, etc.).

Lead Instrument Engineer: The Lead Instrument Engineer shall be responsible for ensuring completion of the project design documents necessary prior to the SIL study, including vendor documents. He shall provide the Chairman with the list of tags, initiating devices, final elements and a service description for each SIF, to be included in the worksheets.

Lead Process Engineer: The Lead Process Engineer shall ensure that the P&IDs are updated in line with the recommendations given in the HAZOP.

Follow-up Coordinator: The Follow-up Coordinator shall be nominated by the Project Engineering Manager (PEM), who can make project decisions on conflicting requirements. The coordinator shall act on behalf of the PEM to facilitate and expedite the satisfactory close-out of recommendations raised by the SIL study. The overall responsibility for the SIL close-out process lies with the PEM.

6.3 SIL Team Composition

The presence of the following team members, both from the Contractor and the Operating Company, is essential during the full duration of the review:

• Process Engineer
• Control and Instrumentation Engineer
• HSE/Safety Engineer
• Operations Representative
• Other discipline engineers (Mechanical, Civil, etc.) shall be available on a need basis

6.4 SIL Study Schedule and Pre-requisites

The SIL study should be scheduled after completion of the HAZOP study and incorporation of the major HAZOP recommendations into the P&IDs and Cause & Effects Charts. The following project-specific documents (latest revisions) shall be made available prior to the SIL workshop:

• Piping & Instrumentation Diagrams
• Cause and Effects Chart
• HAZOP Report
• QRA Reports
• Plot plans

6.5 SIL Methodology

The common methods used for Target Safety Integrity Level determination are:

• Risk Graph
• Layer of Protection Analysis (LOPA)

Both methods are included in the IEC 61508 and IEC 61511 standards. The risk graph is a qualitative technique; its results tend to be quite subjective and lead to SIL levels biased on the high side. The Layer of Protection Analysis technique is quantitative and more accurate, and it is becoming the widely accepted technique for SIL determination. The appropriate methodology should be chosen by the Project group after considering client guidelines or advice. It is advisable to consider the Risk Graph method at the FEED stage and the LOPA technique during the detail design phase. In the absence of a Client guideline, follow the LOPA methodology for Detailed Design.

6.5.1 Risk Graph Technique

The risk graph method is a qualitative approach to determine the level of integrity required for the identified Instrumented Protective Functions (IPF) for the project. The approach is based on the International Electrotechnical Commission standard IEC 61511 [Ref. 2]. Risk graph analysis uses four parameters to make a SIL selection: consequence (C), occupancy (F), probability of avoiding the hazard (P), and demand rate (W).

Consequence represents the average number of fatalities that are likely to result from a hazard when the area is occupied, and should include the expected size of the hazard and the receptor's vulnerability to the hazard. Occupancy (Exposure Time Parameter) is a measure of the amount of time that the area which would be impacted by the incident outcome is occupied. The probability of avoiding the hazard will depend on the methods that are available for personnel to know that a hazard exists and also on the means for escaping from the hazard. The demand rate is the likelihood that the accident will occur without considering the effect of the SIF that is being studied, but including all other non-SIS protection layers.

A combination of consequence, occupancy, likelihood, and probability of avoidance represents a level of unmitigated risk. Once those categories have been determined, the risk graph is used to determine the SIL that will reduce the risk by the appropriate amount. Figure 1 contains a typical risk graph, as presented in IEC 61511-3. The SIL is selected by drawing a path from the starting point on the left to the boxes at the right, following the categories that were selected for consequence, occupancy and probability of avoidance. The combination of those three determines the row that is selected.

Figure 1: Safety Integrity Level (SIL) Risk Graph (IEC 61511, Ref. 1)

Steps

Prior to the assessment, the risk graphs will be calibrated according to the Client's risk criteria. For each loop, the SIL is determined and recorded on the worksheets as follows:

1. Identify the loop to be examined, and record the tag and P&ID number.
2. Agree the function of the loop (i.e. what is it for?).
3. Determine the cause of demand on the loop (most commonly control failure).
4. Identify the output actions (e.g. close specified valves).
5. Agree the consequence if the loop fails on demand. At this point no credit is taken for other relevant risk reduction measures.
6. Having gathered the above information, use combined judgement to agree the four parameters C, F, P and W on the safety risk graph. W is the frequency of the cause of demand identified in step 3.
7. Apply the safety risk graph to determine the SIL required on safety risk considerations.
8. Agree the environmental loss parameter E and use the environmental risk graph to determine the SIL required on environmental risk considerations.
9. Agree the economic loss parameter L and use the economic risk graph to determine the SIL required on economic risk considerations.
10. Determine the SIL required for the function identified in step 2 as the highest of the three SILs determined in steps 7, 8 and 9.
11. The above steps are repeated for each of the IPF loops.

The risk graph parameters and criteria to be used for this assessment are outlined in Appendix I of this document.

6.5.2 Layer of Protection Analysis

LOPA is one of the techniques developed in response to a requirement within the process industry to be able to assess the adequacy of the layers of protection provided for an activity. Initially this was driven by industry codes of practice or guidance, and latterly by the development of international standards such as IEC 61508 [Ref 1] and IEC 61511 [Ref 2].

Within the LOPA methodology the concept of the Independent Protection Layer (IPL) is well defined and important: "An IPL is a device, system or action which is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable."

The SIL selection is based on establishing a tolerable frequency for each consequence resulting from an initiating event. This tolerable risk guideline needs to be reviewed and accepted by the Company at the start of the SIL review process. Once the tolerable frequency for a SIF is established, all causes of the initiating event are listed. For each cause of the initiating event, its likelihood is established. The layers of protection and the associated PFD for each cause are then listed, and the mitigated event frequency for each cause is determined. After each cause is analysed, the total event frequency due to all causes for the initiating event is determined. The SIL is determined by comparing the established tolerable frequency (goal) with the total mitigated event frequency.

Steps

The following are the important steps which shall be addressed during the SIL assessment sessions:

1. Identify and list all Safety Instrumented Functions for the unit(s).
2. For each SIF identified:
• Define the worst consequence if the SIF failed to operate when a demand occurs.
• Categorise the consequence severity and tolerable frequency based on the Company risk guidelines. The tolerable frequency will be selected from the reducible frequency band as per the table.
• List all causes and their likelihood for the initiating event.
• For each cause, identify all available layers of protection and assign failure probabilities for each layer.

• For each cause, calculate the mitigated event frequency considering all the layers, i.e. F = Fe*PA*PB*PC*PD, where F is the mitigated event frequency, Fe is the non-mitigated event frequency based on best industrial practice, and PA/PB/PC/PD are the PFD values for each protection layer.
• Calculate the total event frequency due to all causes.
• Compare the tolerable frequency goal with the total event frequency.
• Assign the required SIL based on the additional risk reduction required.
• Document the results of each analysis in the SIL Selection and Analysis worksheet. Include any notes and recommendations in the worksheet.

A typical SIL Assessment worksheet format is given in Appendix II.

Independent Protection Layers (IPL)

An Independent Protection Layer is a specific category of safeguard. The probability of failure of an independent protection layer must be demonstrated to be less than 10%. Independent protection layers must meet the following criteria:

• Specificity – An independent protection layer must be specifically designed to prevent the consequences of one potentially hazardous event.
• Independence – The operation of the protection layer must be completely independent from all other protection layers; no common equipment can be shared with other protection layers.
• Dependability – The device must be able to dependably prevent the consequence from occurring.
• Auditability – The device should be proof tested and well maintained. These audits of operation are necessary to ensure that the specified level of risk reduction is being achieved.

Typical Protection Layers

While no two situations are identical, there are a few protection layers and mitigating events that should always be considered when performing a layer of protection analysis in the process industries. These protection layers are shown below:

• PCS Controls – In many cases the PCS control system is designed to automatically move the process to a safe state under abnormal conditions (control loop or an on/off loop). The criterion most used to determine whether the PCS system can be credited as a layer of protection is that a failure of the PCS system did not contribute to causing the initiating event. (Maximum risk reduction credited shall be 1 in 10.) Many times an independent alarm in the PCS with operator action is provided to mitigate certain risks. In such a situation, credit for the alarm can be given only if the alarm signal is connected to an entirely independent initiator and I/O, other than the one carrying out the automatic controls. Only the logic solver part may be shared, provided the logic solvers are redundant; this will considerably reduce any common mode failures. For the PCS to be credited with two (2) IPLs, the initiators, I/O cards and final control elements must be independent of each other. If the initiating or enabling event involves the failure of a PCS loop, then no more than one PCS loop should normally be credited as an IPL for the same scenario. The maximum total risk reduction credited for the PCS as an independent layer shall be no more than 1 in 100.
• Operator Intervention – Operator intervention to manually shut down a process when abnormal conditions are detected is a common safeguard. In order for this safeguard to meet the level required of an independent protection layer, the operator must always be present, be alerted to the abnormal situation, be trained in the proper reaction to the abnormal situation, and have ample time to consider the alarm and respond. (Maximum risk reduction credited shall be 1 in 10.)
• Mechanical Integrity of Piping or Vessel – In many cases, piping or a vessel will be designed to withstand the highest temperatures and pressures generated as the result of abnormal conditions. In these cases, the mechanical integrity of the vessel is a protection layer. (Maximum risk reduction credited shall be 1 in 100.)
• Physical Relief Device – Physical relief devices are common safeguards and include such devices as relief valves, rupture disks and thermal fusible plugs. (Maximum risk reduction credited shall be 1 in 100.)
• Ignition Probability – When a flammable material is released to the atmosphere, the probability that the release will ignite will depend on factors such as the auto-ignition temperature and the sources of ignition present.
• Other layers to be considered – Use factor, explosion probability, occupancy, and external risk reduction facilities such as F&G systems, dikes, etc.

6.6 SIL Target Level

For each safety instrumented function operating in demand mode, the required SIL shall be specified in accordance with the levels stated in the table below (Ref. 2):

Table 1: Probability of Failure on Demand for SIL 1, 2, 3 and 4

  Safety Integrity Level (SIL)   Target average Probability of Failure on Demand
  SIL 4                          10^-5 to < 10^-4
  SIL 3                          10^-4 to < 10^-3
  SIL 2                          10^-3 to < 10^-2
  SIL 1                          10^-2 to < 10^-1

6.7 SIL Assessment Report

The SIL Assessment Report shall be prepared by the Chairman using the company format and shall include the following as a minimum:

• Executive Summary
• The scope of the SIL Study
• List of Participants
• The systems examined
• The results as captured in the worksheets
• Conclusions and Recommendations

7.0 SIL VERIFICATION

During the EPC phase of the project, the outcome of the SIL assessment is followed by a SIL verification study, in which the design of the safety instrumented system (SIS) is verified. The SIL verification study will be performed if it is required contractually or by specific instruction from the Company. SIL validation is not covered by this document, as it is normally carried out during the operation phase.

The risk reduction performance of any given SIF depends on the equipment chosen and the redundancy levels. The safety performance evaluation is called SIL verification and requires reliability analysis of the equipment with a view toward a particular failure mode titled "failure to function on demand" or "fail danger". A piece of equipment used to implement a SIF has a certain probability that it will not successfully protect the process if a dangerous condition (a demand) occurs. This average "probability of failure on demand" (PFD) is calculated and compared with the PFD average table to obtain a "design SIL". If the design SIL is not greater than or equal to the target SIL, better technology or more redundancy is required.

There are two fundamental challenges faced during SIL verification:

• Gathering the failure rate/mode data, and
• Building a PFDavg model.

The first step in SIL verification is gathering failure rate data and failure mode data for the equipment selected. Failure rate data is available in a generic sense from several industry databases, including AIChE and OREDA. Failure rate data is also available from some manufacturers, although it is often difficult to source. Thereafter, the designer calculates PFDavg using simplified equations, fault-tree analysis, or Markov analysis.

8.0 FOLLOW-UP AND CLOSE-OUT

Upon completion of the SIL assessment workshop, the Chairman will present the findings of the study in the form of a SIL Assessment report. Recommendations of the SIL assessment will generally be closed out by the Instrumentation discipline. In general almost all SIL actions belong to the instrument group; therefore, as a general practice, the PEM will nominate an instrument engineer to own the SIL close-out responses. The PEM nominee shall prepare and issue the SIL Close-out report.

It is important that the Project allocates adequate resources not only to perform the SIL study but also to ensure that the recommendations raised in the SIL report are satisfactorily closed out. The PEM shall be responsible for ensuring that adequate resources are available for timely completion of the SIL study.

9.0 RECORDS

N/A

10.0 APPENDICES

APPENDIX I–RISK GRAPH PARAMETERS AND CRITERIA

(1) IEC 61511 Safety Parameters (Personnel Safety)

Risk parameter: Consequence (C), average number of fatalities
This can be calculated by determining the average number of people present when the area is occupied and multiplying by the vulnerability to the identified hazard. The vulnerability will be determined by the nature of the hazard being protected against. The following factors are proposed:
  V = 0.01  Small release of flammable or toxic material
  V = 0.1   Large release of flammable or toxic material
  V = 0.5   As above but with a high chance of igniting, or highly toxic
  V = 1     Rupture or explosion
Classification:
  CA  Minor injury
  CB  Range 0.01 to 0.1
  CC  Range > 0.1 to 1.0
  CD  Range > 1.0 to 10
Comment 1: The classification system has been developed to deal with injury and death to people. For the interpretation of CA, CB, CC and CD, the consequences of the accident and normal healing shall be taken into account.

Risk parameter: Exposure probability in the hazardous zone (F)
This is calculated by determining the length of time the area is occupied during a normal working period.
NOTE: If the time in the hazardous area is different depending on the shift being operated, then the maximum should be selected.
NOTE: It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is the case with demands which occur at equipment start-up.
Classification:
  FA  In the hazardous zone, occupancy less than 0.1
  FB  Frequent to permanent exposure in the hazardous zone, occupancy more than 0.1
Comment 2: See comment 1 above.

Risk parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all the conditions listed in the comment below are satisfied
  PB  Adopted if the conditions are not all satisfied
Comment: PA should only be selected if all of the following are true:
  • Facilities are provided to alert the operator that the protection has failed
  • Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area
  • The time between the operator being alerted and a hazardous event occurring exceeds 1 hour, or is definitely sufficient for the necessary actions

Risk parameter: Demand rate of the unwanted occurrence (W) given no protection system
Classification:
  W1  Demand rate less than 0.03 per year
  W2  Demand rate between 0.03 and 0.3 per year
  W3  Demand rate between 0.3 and 3 per year
Comment: The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS. To determine the demand rate it is necessary to consider all sources of failure that will lead to a demand on the protection system. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not designed and maintained according to IEC 61508 is limited to below the performance ranges associated with SIL 1. If the demand rate is very high (e.g. 10 per year), then use the failure rate and continuous demand method.

(2) IEC 61511 Asset Loss Parameters

Risk parameter: Asset Loss Consequence (C)
Classification:
  CA  Minor operational upset or equipment damage
  CB  Moderate operational upset or equipment damage
  CC  Major operational upset or equipment damage
  CD  Damage to essential equipment, major economic loss
Comment: Monetary values can be assigned to each consequence parameter.

Risk parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all the conditions are satisfied
  PB  Adopted if the conditions are not all satisfied
NOTE: The same conditions as for personnel safety apply.

(3) IEC 61511 Environmental Parameters

Risk parameter: Environmental Consequence (C)
Classification and examples:
  CA  A release with minor damage that is not very severe but is large enough to be reported to plant management or local authorities. Examples: a moderate leak from a flange or valve; a small-scale liquid spill; small-scale soil pollution without affecting ground water.
  CB  Moderate damage, e.g. a release within the fence with significant damage. Examples: a cloud of obnoxious vapour travelling beyond the unit following a flange gasket blow-out or compressor seal failure; a vapour or aerosol release, with or without liquid fallout, that causes temporary damage to plants or fauna.
  CC  Substantial damage, e.g. a release outside the fence with major damage which can be cleaned up quickly without significant lasting consequences. Examples: a liquid spill into a river or sea; a vapour or aerosol release, with or without liquid fallout, that causes lasting damage to plants or fauna.
  CD  Serious damage, e.g. a release outside the fence with major damage which cannot be cleaned up quickly or which has lasting consequences. Examples: solids fallout (dust, catalyst, soot, ash); a liquid release that could affect groundwater.

Risk parameter: Possibility of avoiding the hazardous event (P) if the protection system fails to operate
Classification:
  PA  Adopted if all the conditions are satisfied
  PB  Adopted if the conditions are not all satisfied
NOTE: The same conditions as for personnel safety apply.
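As an added worked example, not part of this procedure, the following Python script carries the LOPA steps of section 6.5.2 through for one constructed scenario: it applies the per-layer credit caps listed under Typical Protection Layers (including the single-PCS-loop rule when a PCS failure caused the demand and the 1 in 100 ceiling for PCS layers in total), computes F = Fe*PA*PB*PC*PD for each cause, sums the causes, and maps the PFD the SIF must achieve onto the Table 1 bands. The scenario name, cause frequencies and layer PFDs are constructed sample values, and the band lookup for the required PFD is the comparison step described in section 7.0, not a formula given on the page.

```python
from dataclasses import dataclass, field

# Maximum risk reduction credited per layer type, as stated under
# "Typical Protection Layers" (expressed as the smallest PFD that may be claimed).
MAX_CREDIT = {
    "pcs": 0.1,          # PCS control loop: 1 in 10
    "operator": 0.1,     # operator intervention on an alarm: 1 in 10
    "mechanical": 0.01,  # mechanical integrity of piping or vessel: 1 in 100
    "relief": 0.01,      # physical relief device: 1 in 100
}
PCS_TOTAL_FLOOR = 0.01   # all PCS layers together: no more than 1 in 100

# Table 1 bands: (SIL, lower bound inclusive, upper bound exclusive) of PFDavg.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

@dataclass
class Layer:
    kind: str    # one of the MAX_CREDIT keys
    pfd: float   # PFD claimed for this layer

@dataclass
class Cause:
    name: str
    frequency: float          # Fe: unmitigated initiating frequency per year
    layers: list = field(default_factory=list)
    pcs_caused: bool = False  # True when the initiating event is a PCS loop failure

def credited_pfd(cause):
    """Product of the layer PFDs after applying the credit rules of the page."""
    other = 1.0
    pcs = 1.0
    pcs_loops = 0
    for layer in cause.layers:
        pfd = max(layer.pfd, MAX_CREDIT[layer.kind])  # never claim more than the cap
        if layer.kind == "pcs":
            pcs_loops += 1
            if cause.pcs_caused and pcs_loops > 1:
                continue  # only one PCS loop is credited when PCS failure caused the demand
            pcs *= pfd
        else:
            other *= pfd
    return other * max(pcs, PCS_TOTAL_FLOOR)

def mitigated_frequency(cause):
    """F = Fe * PA * PB * PC * PD: the mitigated event frequency for one cause."""
    return cause.frequency * credited_pfd(cause)

def required_sil(total_frequency, tolerable_frequency):
    """0 if no SIF is needed, the Table 1 SIL containing the required PFD, or None."""
    if total_frequency <= tolerable_frequency:
        return 0
    required_pfd = tolerable_frequency / total_frequency
    if required_pfd >= 0.1:
        return 1  # less than one decade of reduction needed; SIL 1 is the lowest band
    for sil, low, high in SIL_BANDS:
        if low <= required_pfd < high:
            return sil
    return None  # more than SIL 4 would be needed: redesign rather than rely on a SIF

def evaluate(causes, tolerable_frequency):
    """Run the LOPA steps for one SIF and return the worksheet figures."""
    per_cause = {c.name: mitigated_frequency(c) for c in causes}
    total = sum(per_cause.values())
    return {"per_cause": per_cause, "total_frequency": total,
            "required_sil": required_sil(total, tolerable_frequency)}

def sample_scenario():
    """Constructed example: separator overpressure, tolerable frequency 1e-6 per year."""
    causes = [
        Cause("Level control loop fails", 0.1, pcs_caused=True, layers=[
            Layer("pcs", 0.1),      # independent PCS loop: credited at 1 in 10
            Layer("pcs", 0.05),     # second PCS loop: not credited, PCS caused the demand
            Layer("relief", 0.01),  # relief valve: 1 in 100
        ]),
        Cause("Outlet blocked in", 0.05, layers=[
            Layer("operator", 0.05),     # claimed 0.05 but capped to 0.1
            Layer("mechanical", 0.001),  # claimed 0.001 but capped to 0.01
        ]),
    ]
    return evaluate(causes, tolerable_frequency=1e-6)
```

Calling sample_scenario() gives mitigated frequencies of 1e-4 and 5e-5 per year, a total of 1.5e-4 per year, and a required PFD of about 6.7e-3, which falls in the SIL 2 band of Table 1.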
