STANDARDS PUBLICATION
QP GUIDELINE FOR SAFETY INTEGRITY LEVEL REVIEW
DOC NO: QP-GDL-S-030
REVISION 1
CORPORATE HSE SUPPORT DEPARTMENT
QP GUIDELINE FOR SAFETY INTEGRITY LEVEL REVIEW DOC. No. QP-GDL-S-030 Rev1
Doc File No.: GDL-S-030 R1 Page 2 of 31 Custodian Dept: ST
TABLE OF CONTENT
FOREWORD
1.0 INTRODUCTION
2.0 SCOPE
3.0 APPLICATION
4.0 POLICY
5.0 TERMINOLOGY
    5.1 DEFINITIONS
    5.2 ABBREVIATIONS
6.0 REFERENCE STANDARDS
7.0 METHODOLOGY/APPROACH
8.0 TEAM STRUCTURE AND RESPONSIBILITIES
    8.1 TEAM STRUCTURE
    8.2 ROLES AND RESPONSIBILITIES
9.0 REQUIREMENTS
    9.1 PREPARATION OF THE REVIEW
    9.2 SIL REVIEW
    9.3 VALIDATION OF SIF
    9.4 CAUSE DEMAND SCENARIO
    9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
    9.6 INDEPENDENT SAFEGUARDS
    9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD
10.0 PLANNING
    10.1 PREPARATION OF THE REVIEW
    10.2 TIMING OF THE REVIEW
11.0 DOCUMENTS REQUIRED AND RECORDING
    11.1 DOCUMENTS REQUIRED
    11.2 RECORDING
    11.3 REPORTING AND FOLLOW-UP
12.0 APPENDICES
    12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
    12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
    12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
    12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
    12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS
    12.6 APPENDIX VI - DEMAND RATE
    12.7 APPENDIX VII – CORPORATE RISK MATRIX
REVISION HISTORY LOG
FOREWORD
This document has been developed by Corporate HSE Support Department, reviewed and edited by Corporate Quality and Management System Department, and circulated for review by user departments before being endorsed by QP Management as a guideline.
This document is published for use by QP Departments, Contractors and Consultants. It is emphasized that the document shall be used for QP operations wherever applicable and appropriate. This document is subject to periodic review to re-affirm its adequacy, to conform to any changes in the corporate requirements, or to include new developments on the subject.
It is recognized that there will be cases where addenda or other clarifications need to be attached to the standard to suit a specific application or service environment. As such, the content of the document shall not be changed or re-edited by any user, but any addenda or clarifications entailing major changes shall be brought to the attention of the Custodian Department.
The custodian of this document is Corporate HSE Support Department (ST). Therefore, all comments, views, recommendations, etc. on it shall be forwarded to the same and copied to Manager, Corporate Quality & Management Systems Department (QA).
1.0 INTRODUCTION
Safety Integrity Level (SIL) review is an analysis which aims at the determination of the appropriate reliability required from the elements of the Safety Instrumented Functions (SIF) identified in prior safety reviews (e.g. HAZOP).
The approach of this guideline is to remove the uncertainty regarding the safety integrity, cost effectiveness and availability requirements, reducing over and under engineering, in a traceable manner.
SIL study is a method to record all the SIF for a project development and document the expected reliability level. SIL study provides a basis for future maintenance and operating strategies. SIL shall be conducted during FEED phase and/or EPIC phase in accordance with Project HSE Plan or as required by the outcome of Safety Reviews of a project.
SIL assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to a tolerable level. All of the Safety Instrumented Systems (SIS) design, operation and maintenance choices must then be verified against the SIL assigned.
2.0 SCOPE
This guideline details the structure, responsibilities and techniques of the Safety Integrity Level (SIL) review.
3.0 APPLICATION
The SIL review of the project shall cover all Safety Instrumented Systems (SIS) in process and utility units where there is potential for hazard to human safety, environment or asset/production loss.
4.0 POLICY
QP is committed to protect the health and safety of its employees and others that may be affected by its activities and to give proper regard to the conservation of the environment. QP policy is to conduct its activities such that it strives towards an incident free, secure, safe and healthy workplace. Safety studies and reviews shall be performed during the course of a project or modifications to an existing facility. This is to identify, qualify, quantify and to establish that design safety measures shall provide adequate protection and mitigate any risk involved with the proposed project development or the modifications.
5.0 TERMINOLOGY
5.1 DEFINITIONS
Basic Process Control System (BPCS) - A combination of Sensors, Logic Solvers and Final elements which automatically regulate the process within normal production limits. The BPCS provides control of a process in the desired manner.
Cause - Factor contributing alone or in combination with others to the release of a hazard (in this guideline synonymous with the "demand scenario" triggering a SIF).
Company - Means QATAR PETROLEUM or "QP".
Consequence (C) - Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Effect on personnel safety, economic loss, environmental loss.
Consequences of Failure on Demand - Escalation events that happen after the failure of the SIF during its solicitation. Effect on personnel safety, economic loss, environmental effect.
Demand Rate (W) - The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.
Demand Scenario - The set of conditions triggering a SIF action (synonymous with Cause).
Design Intent - The reason why a SIF is set; its purpose.
Final Element - A device which manipulates a process variable to achieve control, e.g. Control Valve, Emergency Block Valve, motor starter.
Layers of Protection Analysis - A process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.
Logic Solver - The element of the BPCS or SIS that implements one or more logic functions.
Hazard - A source of potential harm or damage, or a situation with potential for harm or damage.
Licensor - LICENSOR or PROCESS LICENSOR means each of the Companies which have granted (or will grant) to QP a Process License and have provided (or will provide) the corresponding Licensor Basic Engineering Package (BEP) during the FEED project.
Occupancy (F) - Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event.
Probability of Avoiding the Hazard (P) - The probability that exposed persons are able to avoid the hazardous situation which exists if the SIF fails on demand.
Probability of Failure on Demand - The probability that a system fails to perform a specified function on demand.
Recovery Measures - All technical, operational and organizational measures that limit the chain of consequences arising from a top event and assist return to normal operation.
Safety Integrity Level - Defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF). Four levels of SIL are defined; SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.
Safety Instrumented Function - A safety function with a specified safety integrity level which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function or a safety instrumented control function.
Safety Instrumented System - Instrumented system used to implement one or more safety instrumented functions. A Safety Instrumented System is composed of any combination of sensor(s), logic solver(s), and final element(s).
It performs specified safety instrumented functions to achieve or maintain a safe state of the process when unacceptable or dangerous process conditions are detected. Safety instrumented systems are separate and independent from regular control systems but are composed of similar elements, including sensors, logic solvers, and final elements.
5.2 ABBREVIATIONS
CoFD - Consequence of Failure on Demand
EPIC - Engineering, Procurement, Installation and Commissioning
ESD - Emergency Shut Down
FEED - Front End Engineering Design
F&G - Fire & Gas System
HAZOP - Hazard and Operability Study
LOPA - Layer of Protection Analysis
LP - Loss Prevention
P&ID - Piping & Instrumentation Diagram
PFD - Process Flow Diagram
PSD - Process Shut Down
QP - Qatar Petroleum.
SIL - Safety Integrity Level
SIF - Safety Instrumented Function
SIS - Safety Instrumented System
6.0 REFERENCE STANDARDS
IEC-61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
Part 1: General requirements;
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
Part 3: Software requirements;
Part 4: Definitions and abbreviations;
Part 5: Examples of methods for the determination of safety integrity levels (supporting information);
Part 6: Guidelines for the application of IEC 61508-2 and IEC 61508-3;
Part 7: Overview of techniques and measures.
IEC-61511 Functional safety – Safety instrumented systems for the process industry sector
Part 1: Framework, definitions, system, hardware and software requirements;
Part 2: Guidelines for the application of IEC 61511-1;
Part 3: Guidelines for the determination of the required safety integrity levels.
7.0 METHODOLOGY/APPROACH
The technical standard IEC 61511 sets out a good practice for engineering of safety
instrumented systems that ensure the safety of process industries. This standard
defines the functional safety requirements established by IEC 61508 in process industry
sector terminology.
It also focuses attention on one type of instrumented safety system used within the
process sector, the safety instrumented system (SIS).
IEC 61511 covers the design and management requirements for SISs. Its scope
includes initial concept, design, implementation, operation, and maintenance through
decommissioning. The standard starts in the earliest phase of a project and continues
through start up. It contains sections that cover modifications that come along later,
along with maintenance activities and the eventual decommissioning activities.
The standard consists of three parts as detailed under Clause 6.0.
The SIL review session is a guided team brainstorming activity that benefits from a
structured method and from the broad experience of a multidisciplinary team led by a
SIL facilitator.
The methodology that will be employed for the SIL determination is a semi qualitative method: the calibrated risk graph, as defined in IEC 61511-3 Annex D.
Essentially the SIL derived rating is a measure of risk reduction that is required to be achieved by the safety instrumented system in order that the residual risk is acceptable or is as low as reasonably acceptable (ALARP).
There are four levels of Safety Integrity for Safety Instrumented Functions, SIL 1 to SIL 4. SIL 4 has the highest level of safety integrity and SIL 1 has the lowest. For SIF which are assigned SIL 1 or SIL 2, no further studies or action shall be required. However, for SIF which are assigned SIL 3 or 4, the SIL classification shall be considered in detail using a quantitative method: Layer of Protection Analysis (LOPA) as defined in IEC 61511-3 Annex F.
SIL classification study shall be carried out for all the elements of SIS; i.e. PSD, ESD
and F&G as identified in the Cause & Effect matrix.
The outcome of the SIL assessment is followed by a SIL verification study, where the
reliability of the SIS is verified.
Dedicated computer spreadsheet or dedicated SIL software shall be used for recording
SIL proceedings. The software tool used for determining SIL shall be in accordance
with IEC 61508/61511 and shall have a provision to calibrate the Risk Graph based on
QP SIL review guideline.
Note: Contractor shall develop project specific SIL procedure and terms of reference
consistent with QP SIL guideline and shall submit to QP for prior approval.
8.0 TEAM STRUCTURE AND RESPONSIBILITIES
8.1 TEAM STRUCTURE
In performing a SIL review, the proper selection of team participants is very important.
The review team shall consist of personnel who are knowledgeable in the process technology and experienced in the operations of the process. The team shall have the necessary SIL review experience and shall have obtained formal training in SIL techniques. The chairman will be independent of the CONTRACTOR. QP will review and approve the Chairman's resume prior to the SIL review.
The planned multidisciplinary core team necessary for the realisation of the SIL review shall include the following disciplines, and the maximum number shall be limited to 10 persons excluding chairman and scribe.
a) Qatar Petroleum
- Loss Prevention Engineer – Corporate HSE support
- Process Engineer
- Instrumentation Engineer
- Operation Engineer
- Loss Prevention Engineer
- Maintenance Engineer
b) Independent Third Party
- Chairman
c) Project Independent
- Contractor's LP Engineer
- Scribe
d) Contractor
- Process Engineer
- Instrumentation Engineer
- Loss Prevention Engineer
e) LICENSOR (for LICENSOR units)
- Process Engineer (knowledgeable of processes involved in project)
- Instrumentation Engineer
Additional specialists of other disciplines may be called to participate upon request according to the needs identified by the other permanent members of the team.
8.2 ROLES AND RESPONSIBILITIES
The quality of the review depends heavily on the contribution of all team members and on their global expertise.
In order to achieve a quality result, members of the team shall:
- adopt a positive attitude toward other team members' contribution,
- provide their expertise on the project specifics and from similar experience elsewhere,
- be logical, open minded and creative,
- focus on the objective of the SIL study.
8.2.1 Chairman
The Chairman shall have a high level of technical and managerial skills, and expertise and experience in conducting SIL reviews and SIL verification studies. He shall remain independent of the discussion and shall not be associated with the project. The Chairman's resume shall be reviewed and approved by QP prior to a SIL session.
The role of the Chairman is critical to the success of the meeting.
He shall:
- Prepare and make a presentation prior to the review on SIL techniques, rules and assumptions to be used by the team during the review,
- Lead the team through the SIL Determination technique,
- Prompt the brainstorming effort, and manage the discussion,
- Identify the key issues as they are raised by the team,
- Facilitate the evaluation of demand rates and consequences and ensure consistency of rating,
- Manage the recording of the findings by the scribe,
- Ensure that the minutes fully reflect the points identified,
- Generate the report of the review.
8.2.2 Scribe
The scribe shall be skilled in recording accurately the outcome of the discussions. The scribe does not need to be highly experienced but needs to be familiar with engineering terminology. He/She shall:
- Be familiar with the computer software used to record the review findings before the start of the review,
- Follow the Chairman's instruction in recording the team findings.
8.2.3 Instrumentation/LP Engineer (Contractor)
Prior to the review, the instrumentation engineer/specialist is responsible for completing the following elements for each SIF, based on the Cause & Effect Matrix/P&ID/HAZOP/Safe Charts. For each SIF to be reviewed, the SIL review worksheet shall be completed by:
- Listing the initiators,
- Listing the final elements,
- Defining the success criteria for initiators and final elements, and
- Indicating the associated actions.
An example of SIL Review Worksheet is provided in Appendix I.
8.2.4 Process Engineer (Contractor)
Prior to the review, the process engineer is responsible for describing the "Design intent" of the SIF and for providing this information to the Instrumentation Engineer for implementation in the SIL review worksheet.
An example of how this is documented is provided in Appendix I (1st column on left of the table).
9.0 REQUIREMENTS
9.1 PREPARATION OF THE REVIEW
- Prior to the review, the chairman shall collect the SIF description (SIF name, initiator(s), final elements, success criteria, associated actions and design intent) from the instrumentation specialist/LP engineer.
- The chairman shall make a presentation to the team about the purpose and scope of the SIL review and to focus the efforts of the team members.
- The chairman shall make a presentation to the team about the methodology to be used in the SIL review. This establishes a common starting basis for the team that is necessary to conduct an effective SIL review.
- The parameters of the Project Risk Matrix shall be presented to the team for subsequent use in the evaluation of SIL assessment (Ref Appendix VII).
- The process engineer shall present an overall explanation of the plant's process so that all team members have a clear understanding of the basic operations of the plant. This also acquaints the team members with typical scenarios that may lead to a hazardous condition.
- Dedicated SIL software or spreadsheets shall be introduced to the team to log the SIL review session (Contractor shall specify the software/spreadsheet proposed while submitting SIL methodology document for QP approval prior to a SIL review session).
9.2 SIL REVIEW
The SIL review sequence process shall be divided into steps as follows:
- Select the Safety Instrumented Function,
- Validation of the SIF description (already documented in the SIL review worksheet by instrumentation/LP engineer),
- Validation of the design intent (already documented in the SIL review worksheet by process engineer),
- Determine (by brainstorming) all the potential causes/demand scenarios which trigger the SIF action,
- Agree the credibility of each cause,
- Identify potential hazard in terms of:
  i. Consequences of SIS failure on Demand (C)
     - Personnel Safety (S)
     - Environmental Effect (E)
     - Economic loss (A)
  ii. Occupancy (F)
  iii. Probability of avoiding the hazardous situation (P)
  iv. Demand Rate (W)
- Assess the preventive, protective and mitigation safety features,
- Assign SIL based on C, F, P and W parameters,
- Agree a recommendation for action or further consideration of the problem (if applicable),
- Apply the next cause (relevant to the selected SIF),
- Move onto the next SIF of the system until the whole study has been examined.
Figure 1 given below is a pictorial description of the review procedure.
Figure 1: SIL Review Process Schematic
9.3 VALIDATION OF SIF
The Instrumentation or LP engineer shall present each SIF to the review team so that all team members have the same understanding of its purpose (design intent).
9.4 CAUSE DEMAND SCENARIO
The team shall brainstorm to identify possible causes for the conditions that trigger the
SIF. The demand could be caused by any of a number of reasons, e.g., control
instrument malfunction, operator error, loss of feed, etc. Each cause shall be clearly
documented in the SIL review worksheet.
The team shall focus on all possible causes of the hazard against which the SIF is designed (design intent) and ensure all of them are indeed sources of demand on the SIF.
9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
The team shall identify all the consequences of the identified demand scenario(s). The location of the plant and the relative positions of installations can have a significant influence on the consequences.
The correct appreciation of these consequences is critical to the appropriate classification of the SIF.
9.6 INDEPENDENT SAFEGUARDS
Where applicable, the team may list independent safeguards (independent from the SIF) which can reduce the event probability.
9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD
After the evaluation of the Consequences of Failure on Demand, each SIF is assigned
with a Safety Integrity Level (SIL).
The SIL determination shall be based on calibrated risk graphs from IEC 61511-3. These risk graphs are based on the following:
- The consequences of the hazardous situation for Personnel Safety, Environment and Economic/Asset loss (parameters S, E and A respectively),
- The Occupancy (parameter F),
- The probability of avoiding the hazardous situation (parameter P),
- The Demand Rate (W).
9.7.1 Consequence (Parameters S, E and A)
The consequences of the hazardous situation for personnel safety, environment and economic/ asset loss (parameters S, E and A respectively) are further defined for various risk levels. These definitions are consistent with QP Risk Assessment Matrix.
Table 1 - Consequence Risk Parameter for Personnel Safety (S)
Consequence Risk Parameter - Definition
S1 (CA) - Minor injury or health effects
S2 (CB) - Major injury or health effects
S3 (CC) - Single fatality or Permanent total disability
S4 (CD) - Multiple fatalities
Notes:
- The classification system has been developed to deal with injury and death to people.
- For the interpretation of S1, S2, S3 and S4 parameters, the consequences of the accident and normal healing shall be taken into account.
Table 2 - Environmental Consequence Parameter (E)
Level of Environmental Consequences - Definition
E1 (CA) - Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.
E2 (CB) - Localized effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence/neighborhood.
E3 (CC) - Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceeding of statutory or prescribed limits.
E4 (CD) - Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant high exceeding of statutory or prescribed limits.
Table 3 - Economic/Asset Consequence Parameter (A)
Level of Economic Consequences - Definition
A1 (CA) - Minor damage: Brief disruption to operation with estimated costs less than QR 350,000.
A2 (CB) - Local damage: Partial shutdown of operation; can be restarted but with estimated costs up to QR 3,500,000.
A3 (CC) - Major damage: Partial loss of operation; 2 weeks shutdown with estimated costs up to QR 35,000,000.
A4 (CD) - Extensive damage: Substantial or total loss of operation; with estimated costs in excess of QR 35,000,000.
9.7.2 Exposure time (Parameter F)
The exposure time of an individual in a hazardous situation is further defined for two occupancy conditions.
Table 4 - Occupancy Exposure Time Parameter (F)
Exposure time in the hazardous zone - Definition
F1 - Rare to more often exposure in the hazardous zone (normally unmanned operation of the relevant part of the plant). Occupancy less than 10%.
F2 - Frequent to permanent exposure in the hazardous zone (relevant part of plant is attended locally on a regular basis, e.g. every shift, or during the specific time of demand, e.g. start-up or shut-down, or relevant part of the plant is located near a continuously occupied road).
9.7.3 Probability of avoiding the Hazard (Parameter P)
This parameter represents the probability of avoiding the hazardous event if the
protection system fails. Two scenarios are defined for SIL review.
Table 5 - Probability of avoiding the Hazard Parameter (P)
Probability of avoiding the hazardous event - Definition
P1 - Possible under certain conditions – some warning available. (Operator is capable of getting away from the hazard or hazard is mitigated by other measures).
P2 - Almost impossible – No warning available. (Operator may not be aware of hazard or may not be able to get away sufficiently quickly).
Notes: This parameter takes into account:
- Operation of a process (supervised, i.e. operated by skilled or unskilled persons, or unsupervised).
- Rate of development of the hazardous event (suddenly, quickly and slowly).
- Ease of recognition of danger (seen immediately, detected by technical measures or detected without technical measures).
- Avoidance of hazardous event (escape possible, not possible or possible under certain conditions; independent facilities are provided to shutdown).
- Facilities are provided to alert the operator that the SIS has failed.
- The time between the operator being alerted and a hazardous event occurring exceeds 15 minutes or is definitely sufficient for the necessary actions.
- Actual safety experience (such experience may exist with an identical unit or a similar unit or may not exist).
9.7.4 Demand Rate (W)
The purpose of the demand rate (W factor) is to estimate the frequency of the
unwanted occurrence in the absence of the SIF under consideration. This can be
determined by considering all failures which can lead to the hazardous event and
estimating the overall rate of occurrence. Other protection layers should be included in
the consideration. Three conditions are defined for SIL review.
Table 6 - Demand Rate Parameter (W)
Likelihood of the unwanted occurrence - Definition
W1 - A very slight probability that the unwanted occurrences will happen and only a few unwanted occurrences are likely: Once in every 30 to 100 years.
W2 - A slight probability that the unwanted occurrences will happen and few unwanted occurrences are likely: Once in every three to 30 years.
W3 - A relatively high probability that the unwanted occurrences will happen and frequent unwanted occurrences are likely: more than once in every one to three years.
9.7.5 Risk Graph – Personnel Safety, (Ref. IEC 61511-3 fig D.1)
The risk graph referred to in Figure 2 shall be used to determine the SIL for personnel safety. The consequences of the hazardous situation for personnel safety are converted to a SIL using the risk graph.
Fig 2- Risk Graph: Personnel Safety
9.7.6 Risk Graph – Environmental Loss, (Ref. IEC 61511-3 fig D.2)
The risk graph referred to in Figure 3 shall be used to determine the SIL for environmental loss. The consequences of the hazardous situation for environmental loss are converted to a SIL using the risk graph.
Fig 3- Risk Graph: Environmental Loss
9.7.7 Risk Graph – Economical Loss
The risk graph approach may also be used to determine the integrity level requirements where the consequences of failure include asset loss. Asset loss is the total economic loss associated with failure to function on demand. A similar risk graph to that used for environmental protection can be used for asset loss. It should be noted that the F parameter should not be used the concept of occupancy does not apply. Other parameter P and W apply and definitions can be identical to those applied above to safety consequences.
Fig 4- Risk graph: Economic loss
For each SIF operating in demand mode, the required SIL shall be specified in accordance with either Figs 2, 3 or 4. SIL assigned against various probability of failure demand is given in table 7 for reference. .
Table 7 - Safety Integrity Levels: Demand mode of operation
Safety Integrity Level | Target average probability of failure on demand
4 | 10^-5 to < 10^-4
3 | 10^-4 to < 10^-3
2 | 10^-3 to < 10^-2
1 | 10^-2 to < 10^-1
The selected SIL level for a safety interlock function is the highest of the three individual SILs (Safety, Economical and Environmental) and defines a minimum SIL. It is always possible to select a higher SIL level than the required SIL if the project team prefers this.
10.0 PLANNING
10.1 PREPARATION OF THE REVIEW
Once the dates and duration of the review(s) are known, the necessary logistical
arrangements shall be made.
Appendix IV provides a checklist of the SIL review preparation items.
10.2 TIMING OF THE REVIEW
The SIL review of the Project shall take place after the associated HAZOP review.
A dedicated session shall be performed for each unit.
11.0 DOCUMENTS REQUIRED AND RECORDING
11.1 DOCUMENTS REQUIRED
Before the start of the SIL review exercise the following documents shall be available to
serve as input information for the discussion:
Process Flow Diagrams (PFD).
Piping and Instrument Diagrams (P&ID). The P&IDs used for the SIL review will show all instruments, check valves, safety valves, controllers, pressure and level switches that are included in the limits of supply.
Cause & Effect matrix.
Safe Charts.
Previous Hazard Analysis (HAZOP) review findings.
Control and Safeguarding philosophy.
Interlocks description.
Layout/ plot plan (if available).
For LICENSOR units, where applicable, LICENSOR recommendation for SIL based on their design knowledge and operating experience.
Material balance information (information on request).
11.2 RECORDING
The findings of the application of the methodology presented above shall be recorded during the session by the scribe with the computer spreadsheet or dedicated SIL software. The scribe records the results of this identification activity in a table type file (see appendix I) using a computer and a video projector. Use of a video projector shall allow the team to visualise the record. A SIL review worksheet used for the report of the findings is presented in appendix I.
Upon completion of the review the chairman will produce a report, which discusses the findings of the review and details the critical findings.
11.3 REPORTING AND FOLLOW-UP
Subsequent to the SIL study, the SIL chairman shall issue the study report and shall document the following as a minimum (see Appendix III for the full Table of Content of the report).
The scope of the study;
Study Methodology;
The study team;
The SIFs reviewed and the reference used;
Summarise and present the SIL review proceeding, all the recommendations and actions raised with proper reference for close out actions to be carried out;
Identify/List those responsible for preparing responses to the actions and recommendations;
Schedule, monitor and record the execution of necessary close out actions.
Recommendations (action/query items) shall be recorded and the corresponding SIL
ACTION SHEET (see Appendix II) shall be generated for subsequent follow-up by the
project.
The Project Engineer shall have the responsibility to ensure that appropriate project
follow-up of the action recommendations generated during the review is implemented (see
Appendix II).
A formal SIL Close out Report with SIL verification study shall be submitted to QP for
approval.
12.0 APPENDICES
12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
Project Name /No :
SIF No: Date Reviewed: DD MMM YYYY
SIF: Reference / name of the selected SIF
Initiators:
Final Elements:
Initiator Success Criteria:
Final Element Success Criteria:
Associated Operating Actions:
Drawings and Documents:
Documents used :
DESIGN INTENT: Purpose of the SIF
CAUSE / DEMAND SCENARIO: List here causes that will trigger the SIF to operate.
CONSEQUENCES of FAILURE on DEMAND (CoFD): List here all the consequences that will occur in case of Failure on demand of the SIF
INDEPENDENT SAFEGUARDS: list here all the independent safeguards
RECOMMENDATIONS: recommendation of the team (if any)
Required SIL level
SIF Action Number:
Assigned to: Name of person
 | Consequence Parameter | Occupancy Parameter | Probability of Avoiding the hazard Parameter | Demand Rate Parameter | SIL Level
Safety | | | | |
Environment | | | | |
Economic | | | | |
12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
SIF STUDY ACTION AND RESPONSE SHEET
SIF ACTION ON: RESPOND BY:
SIF ACTION NO: MEETING DATES: DD MMM YYYY
DRAWINGS AND DOCUMENTS:
documents used (from the front page list of documents studied)
SIF : (SIF Table 1)
Reference / name of the selected SIF
DESIGN INTENT:
purpose of the SIF
CAUSE / DEMAND SCENARIO:
list here causes that will trigger the SIF to operate
CONSEQUENCES of FAILURE on DEMAND (CoFD):
list here all the consequences that will occur in case of Failure on demand of the SIF.
INDEPENDENT SAFEGUARDS:
list here all the independent safeguards
RECOMMENDATIONS:
recommendation of the team (if any)
RESPONSE: (Action ) DATED:
SIGNED:
ENTER YOUR RESPONSE IN THE BOX ABOVE, THEN SIGN AND RETURN TO:
NOTES (for use of Scribe only)
12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
TABLE OF CONTENT
1.0 SUMMARY
2.0 INTRODUCTION
3.0 SCOPE
4.0 TEAM COMPOSITION
5.0 DOCUMENTS REFERENCES
(Including the present procedure)
6.0 GENERAL DESCRIPTION
7.0 FINDINGS OF THE REVIEW (if any)
8.0 CONCLUSION (as required)
In attachment:
9.0 COPY OF REFERENCE DOCUMENTS MARKED DURING REVIEW
10.0 SIF CLASSIFICATION RISK MATRIX
11.0 SIL WORKSHEET TABLES
12.0 SIF CLASSIFICATION REVIEW ACTION SHEETS (if any)
12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
Check-list up-dated by: Name: _ _ _ _ _ _ _ _ _ _ Date: _ _/ _ _/ _ _
Logistics:
Dates defined: start date: _ _/ _ _/ _ _ End date: _ _/ _ _/ _ _
Chairman selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Scribe selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Room booked for the period: Yes/No Room # _ _ _ _ _ _ _ _ _ _
Computer booked for the period: Yes/No
Data Projector booked for the period: Yes/No
Coffee/biscuits ordered for the period: Yes/No
Documents available:
Methodology, SIL Procedure: Yes/No
PFD: Yes/No
PID: Yes/No
Cause & Effect Matrix: Yes/No
Safe Charts: Yes/No
Process description, balance, layout, etc Yes/No
Previous hazard analysis Yes/No
Participants:
List of participants identified: Yes/No
Participants have been informed of review session dates: Yes/No
when ? Date: _ _/ _ _/ _ _
Documentation made available to participants: Yes/No
12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH
PARAMETERS
(REF.: IEC 61511-3)
Descriptions of Process Industry Risk Graph Parameters
Parameter Description
Consequence C
Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Determined by calculating the numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.
Occupancy F
Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event. This should take into account the possibility of an increased likelihood of persons being in the exposed area in order to investigate abnormal situations which may exist during the build-up to the hazardous event (consider also if this changes the C parameter).
Probability of avoiding the hazard P
The probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard prior to the hazard occurring and there being methods of escape.
Demand rate W
The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration.
12.6 APPENDIX VI - DEMAND RATE
The demand rate will be determined using the team’s collective experience, along with reference data from OREDA, USRMP or other accepted databases. The QP database for failure rates shall be primarily considered when available. Failure rates for typical equipment items are shown below as examples.
Typical Failure Rate Data (from OREDA – Offshore Reliability Database)
Item | Mean Failure Rate per 10^6 hours | Per Year (Continuous Operation) | 1 Failure per (years)
Pressure Switch (Pneumatic) | 5.3 | 0.05 | 21
Level Switch (Pneumatic) | 2.8 | 0.024 | 40
Level Switch (Electric) | 9.6 | 0.084 | 12
Level Transducer | 11 | 0.096 | 10
PCV / LCV (Ball) | 10 to 16 (1 to 20”) | 0.086 to 0.14 | 7 to 11
PCV / LCV (Globe) | 19 to 24 (1 to 10”) | 0.053 to 0.21 | 5 to 19
PSV | 22 | 0.19 | 5.25
XSDV (Globe Valve) | 25.94 | 0.227 | 4.4
XBDV (Ball Valve) | 24 to 44 (1 to 10”) | 0.21 to 0.39 | 2.5 to 5
Electric Relay (logic solver) | 4.1 | 0.036 | 27.8
Pilot Valve (in SDP) | 6.5 | 0.0575 | 17
Fusible Plug | 0.27 | 0.00237 | 423
H2S Gas Detector | 11.46 | 0.1004 | 9.96
IR HC Gas Detector | 36.5 | 0.320 | 3.13
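A worked version of the demand-rate estimate this appendix describes, added here as an illustration and not part of the QP guideline: it converts rates from the table above to per-year figures, sums the initiating causes of a constructed scenario, credits other protection layers, and maps the result to a W band. The function names are hypothetical, and the code assumes that every failure of an initiator causes a demand, that initiators are independent so their rates add, that W1 means rarer than once in 30 years, and that anything more frequent than once in three years is W3.

```python
HOURS_PER_YEAR = 8760  # continuous operation, as in the table's per-year column

# Mean failure rates per 10^6 hours, copied from the OREDA table above.
OREDA_RATE_PER_1E6_H = {
    "Pressure Switch (Pneumatic)": 5.3,
    "Level Transducer": 11.0,
    "XSDV (Globe Valve)": 25.94,
    "Electric Relay (logic solver)": 4.1,
    "Fusible Plug": 0.27,
}


def per_year(rate_per_1e6_h):
    """Convert a rate per 10^6 hours into failures per year."""
    return rate_per_1e6_h * HOURS_PER_YEAR / 1e6


def years_per_failure(rate_per_1e6_h):
    """Mean interval between failures, in years."""
    return 1.0 / per_year(rate_per_1e6_h)


def demand_rate(initiators, layer_pfds=()):
    """Demands per year on the SIF.

    Assumptions: every failure of an initiator causes a demand, and the
    initiators are independent, so their rates add. Each entry in layer_pfds
    is the probability of failure on demand of an independent protection
    layer that acts before the SIF.
    """
    rate = sum(per_year(OREDA_RATE_PER_1E6_H[name]) for name in initiators)
    for pfd in layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("layer PFD must be in (0, 1]")
        rate *= pfd
    return rate


def w_band(demands_per_year):
    """Map a demand rate to W1/W2/W3 using the interval wording of section 9.7."""
    if demands_per_year <= 0:
        raise ValueError("demand rate must be positive")
    interval_years = 1.0 / demands_per_year
    if interval_years > 30:
        return "W1"  # assumed: rarer than once in 30 years
    if interval_years >= 3:
        return "W2"  # once in every three to 30 years
    return "W3"      # more often than once in three years


if __name__ == "__main__":
    # Constructed scenario: three initiating causes for one hazardous event.
    loop = ["XSDV (Globe Valve)", "Level Transducer", "Pressure Switch (Pneumatic)"]
    print(w_band(demand_rate(loop)), w_band(demand_rate(loop, layer_pfds=(0.1,))))
```

Counting every failure as a demand is conservative; a review team would normally count only the failure modes that actually lead to the hazardous event.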
Item Leak Frequency (Offshore Hydrocarbon Release Statistics and Analysis, 2002, HID Statistics Report HSR 2002 002, UK Health and Safety Executive, February 2003.)
Item | Leak Frequency (per year) | 1 leak per (years)
Flange | 5.2 x 10^-5 | 19230
Valve | 4 x 10^-4 | 2500
Instrument Connections | 6 x 10^-4 | 1700
Pressure Vessel | 2 x 10^-3 | 500
Centrifugal pump | 5 x 10^-3 | 200
Shell & Tube Heat Exchanger | 3.5 x 10^-3 | 290
Launcher / Receiver | 1 x 10^-2 | 100
Centrifugal Compressor | 8 x 10^-3 | 125
Reciprocating Compressor | 7 x 10^-2 | 15
Overall Leak Frequencies for a Platform:
Large Integrated Offshore Platform approx 1 leak per year
Minimum facilities wellhead platform approx 1 leak per 10 years
Riser Failure frequency approx. 1 x 10^-3 per year or 1 in 1000 riser years
12.7 APPENDIX VII – QP CORPORATE RISK MATRIX
(Ref: Corporate Procedure for Incident management Doc# QPR-STM- 001)
Risk Assessment Matrix
CONSEQUENCES (INCREASING SEVERITY)
Potential Severity | People | Asset/Production | Environment | Reputation
0 | No injury | No damage | No Effect | No Impact
1 | Slight injury or health effect | Slight damage, No disruption to operation | Slight Effect | Slight Impact
2 | Minor injury or health effect | Minor damage ( < QR 350,000) | Minor effect | Limited Impact
3 | Major injury or health effect | Local damage ( < QR 3,500,000) | Localised Effect | National Impact
4 | Single Fatality or permanent total disability | Major damage ( < QR 35,000,000) | Major Effect | Regional Impact
5 | Multiple fatalities | Extensive damage ( > QR 35,000,000) | Massive Effect | International impact
INCREASING PROBABILITY
A | Never heard in Industry
B | Has Occurred in Industry
C | Has Occurred in QP
D | Occurs several times a year in QP
E | Occurs several times a year this site
Risk regions marked on the matrix: No Risk, Low Risk, Medium Risk, High Risk
FIGURE A- QP RISK ASSESSMENT MATRIX
12.7 APPENDIX VII – Cont., QP CORPORATE RISK MATRIX
Risk Matrix (Explanation Sheet)
Consequence Category Definitions
1.0 PEOPLE
Harm to people is further explained for:
Slight injury or Health effects:
This includes first aid and medical treatment that does not affect work performance or
cause disability.
Minor injury or Health effects: A lost time injury that restricts a person's work
performance where the injury results in a work assignment after the day of the incident
that does not include all of the normal duties of that person's regular job. It may take a few
days off from work to fully recover (Lost Time Incident). Limited health effects that are
reversible, e.g. skin irritation, food poisoning.
Major injury or Health effects (Including permanent partial disability): Work performance
is affected in the long term, such as prolonged absence from work, irreversible damage to
health without loss of life. For example, noise induced hearing loss, chronic back injuries.
Single fatality or permanent total disability: This is either from a work-related incident
or an occupational illness such as poisoning or cancer.
Multiple fatalities: More than one fatality either from a work-related incident or an
occupational illness such as poisoning or cancer.
2.0 ENVIRONMENT
Harm to the Environment is further explained for:
Slight effect: Negligible financial consequences and local environmental risk within the
fence and within the system.
Minor effect: Contamination; damage sufficiently large to impact the
environment; single exceeding of statutory or prescribed limits; single complaint; no
permanent effect on the environment.
Local effect: Limited loss of discharges of unknown toxicity; repeated exceeding of
statutory or prescribed limits and beyond fence or neighbourhood.
Major effect: Severe environmental damage; the company is required to take extensive
measures to restore the contaminated environment to its original state; Extended
exceeding of statutory or prescribed limits.
Massive effect: Persistent severe environmental damage or severe nuisance extending
over a large area; In terms of commercial or recreational use or nature conservancy, a
major economic loss for the company; Constant high exceeding of statutory or prescribed
limits.
3.0 ASSET DAMAGE/ LOSS OF PRODUCTION
Asset damage and loss of production is further explained for:
Slight damage: No disruption to operation with estimated cost less than QR 25,000.
Minor damage: Brief disruption to operation with estimated cost less than QR 350,000.
Local damage: Partial shutdown of operation; can be restarted with estimated cost up to
QR 3,500,000.
Major damage: Partial loss of operation; 2 weeks shutdown with estimated cost up to QR
35,000,000.
Massive damage: Substantial or total loss of operation with estimated cost in excess of
QR 35,000,000.
4.0 REPUTATION
Damage or loss of reputation is further explained for:
Slight impact: Public awareness may exist but there is no public concern.
Limited impact: Some local public concern; some local media and/or local political attention
with potentially adverse aspects for QP operations.
National impact: National public concern; extensive adverse attention in the national media.
Regional impact: Extensive adverse attention in the regional media; regional public and
political concern.
International impact: Extensive adverse attention in international media; international public
attention.
REVISION HISTORY LOG Revision: 1 Date: 24/03/2010
Item Revised:
Reason for Change/Amendment
Changes/Amendment: This new guideline is developed to cover the corporate requirements for safety integrity level review.
Note: The revision history log shall be updated with each revision of the document. It shall contain a written audit trail of the reason(s) why the changes/amendments have occurred, what the changes/amendments were and the date at which the changes/amendments were made.