KOC-I-017 Rev 1_Implementation of Safety Instrumented Function.pdf
KUWAIT OIL COMPANY (K.S.C.)
STANDARDS PUBLICATION
KOC RECOMMENDED PRACTICE FOR IMPLEMENTATION OF SAFETY INSTRUMENTED FUNCTIONS (SIF)
DOC. NO. KOC-I-017
STANDARDS TEAM
ISSUING AUTHORITY: STANDARDS TEAM
TABLE OF CONTENTS
FOREWORD
1.0 SCOPE
2.0 APPLICATION
3.0 TERMINOLOGY
4.0 REFERENCE CODES AND STANDARDS
5.0 ENVIRONMENTAL CONDITIONS
6.0 INTRODUCTION AND PURPOSE
7.0 RISK ANALYSIS REQUIREMENTS
8.0 SAFETY INTEGRITY LEVEL (SIL) STUDIES
9.0 SAFETY REQUIREMENTS SPECIFICATION
10.0 SIS DESIGN AND ENGINEERING
11.0 SIS DESIGN VERIFICATION ... 43
12.0 FACTORY ACCEPTANCE TEST (FAT) ... 44
13.0 SIS INSTALLATION, COMMISSIONING AND VALIDATION ... 46
14.0 SIS OPERATION AND MAINTENANCE ... 51
15.0 AUDITING OF SAFETY INSTRUMENTED SYSTEMS ... 60
16.0 SIS MODIFICATION ... 61
17.0 SIS DECOMMISSIONING ... 61
18.0 DOCUMENTATION ... 62
APPENDIX A: INDEPENDENT PROTECTION LAYER REQUIREMENTS ... 64
APPENDIX B: SAFETY INTEGRITY LEVEL 'a' ... 69
APPENDIX C: MINIMUM REQUIREMENTS FOR SIF IMPLEMENTATION ... 70
APPENDIX D: TEMPLATE FOR SIF LIST ... 74
APPENDIX E: GUIDELINES FOR INITIATING CAUSE FREQUENCY ... 75
APPENDIX F: EXAMPLE OF SIL SELECTION WORKSHEETS ... 77
APPENDIX G: SAMPLE SRS FOR SINGLE SIF ... 78
APPENDIX H: TYPICAL ARCHITECTURES TO SATISFY SIL REQUIREMENTS ... 80
APPENDIX I: CHECKLISTS ... 82-103
APPENDIX J: ROLES AND RESPONSIBILITIES MATRIX ... 104
APPENDIX K: PROVEN IN USE EVALUATION CRITERIA ... 107
ACKNOWLEDGEMENT ... 112
FOREWORD
This document "KOC Recommended Practice for Implementation of Safety Instrumented Functions (SIF)" (KOC-I-017) provides the minimum requirements for life cycle management of Safety Instrumented Functions from design, development, implementation, verification, validation, operation, maintenance / modification and decommissioning at various KOC facilities within Kuwait. Mr. Harry Cheddie, a well renowned SIS Expert from M/S Exida.com, Canada, has reviewed this Recommended Practice. This is the first instance where an external expert is involved in developing KOC Standards / Recommended Practices. This Recommended Practice (RP) has been approved by the Standards Team in consultation with the Standards Technical Committee (STC) for consistent use throughout the corporate engineering and operational functions of Kuwait Oil Company.
This Recommended Practice sets out to achieve the following objectives:
a. To provide technical guidance and establish the base document for developing project documents with a view to achieving uniformity, safety, quality, reliability and efficiency in an economical manner;
b. To assist all stakeholders of SIF, such as design, operation and maintenance personnel, by providing technical information and engineering practices for life cycle management of Safety Instrumented Systems;
c. To maintain the KOC requirements of safety and security of personnel and environment established by KOC Fire and Safety Regulations and the Health, Safety and Environment Management System (HSE MS), in line with HSE Policy.
Feedback, comments or suggestions derived from the application of this Recommended Practice at any stage of design, purchase, manufacture, installation, operation and maintenance are encouraged and should be directed to:
The Team Leader Standards (Chairman, Standards Technical Committee)
Industrial Services Group, KOC
P.O. Box 9758, Ahmadi 61008
State of Kuwait
Task Force Responsible for this Recommended Practice
The Standards Technical Committee (STC) has entrusted the preparation of this Recommended Practice to Task Force No. TF-1/07, consisting of the following:
Mr. Khalaf Hamada, Design Team : Task Force Leader
Mr. D. Senthil Kumar, Design Team : Author / Member
Mr. V.S. Kumar, Opns. Tech. Svcs.-WK : Member
Mr. Barun Baruah, Safety Team : Member
Mr. Ashok D. Thakare, Opns. Tech. Svcs (SK) : Member
Mr. Mansour Al-Qabandi, Opns. Tech. Svcs (NK) : Member
Mr. S. Chandra Sekhar, Opns. Tech. Svcs (EK) : Member
Mr. Adnan Dashti, Prodn. Opns. (SK) : Member
Mr. Ali Qasem Hussain, Maintenance (EK) : Member
Mr. Myad Hassan, Lead Inst. Engr. (AMEC) : Member
Tel. 61833, Tel. 61671
1.0 SCOPE
This Recommended Practice (RP) describes the KOC requirements for the development and implementation of Safety Instrumented Functions by addressing all safety lifecycle phases as per IEC 61511, from initial concept to final decommissioning, including:
- The methodology to be used to identify Safety Instrumented Functions;
- The methodology to be used to determine, allocate and assign the Safety Integrity Level (SIL) for each Safety Instrumented Function (SIF) that is required to make the overall risk of the process tolerable;
- The format and contents of a Safety Requirements Specification for the Safety Instrumented System (SIS) and associated SIFs;
- The design, implementation, operation, and maintenance through to decommissioning of each SIF;
- The methodology to be used to validate / verify the achieved Safety Integrity Level for each Safety Instrumented Function against initial requirements and objectives;
- Checklists to assist in verifying that key activities as per the safety lifecycle phases have been completed;
- Auditing of the performance of the SIS on a periodic basis.
2.0 APPLICATION
2.1 This KOC RP shall be applied for projects within KOC facilities. This RP shall also be used for reviewing the adequacy of existing Safety Instrumented Systems within KOC facilities (also refer to clauses 6.3 and 6.4). The methodology shall comply with the relevant requirements specified in this RP and the referred standards / codes mentioned herein.
2.2 Any exceptions or deviations from the requirements of this RP, along with their merits and justifications, shall be brought to the attention of the KOC Controlling Team for their review, consideration and amendment by the Standards Team (if required).
2.3 Compliance with this KOC RP does not of itself confer immunity from legal or statutory obligations.
3.0 TERMINOLOGY
3.1 For the purposes of this Recommended Practice, wherever IEC 61511 Parts 1 to 3 are referred to, the references shall be inclusive of ANSI / ISA 84.00.01-2004 Parts 1 to 3 (IEC 61511 Mod).
3.2 Definitions
For the purposes of this RP, the following definitions shall apply, in accordance with IEC 61511-1.
3.2.1 Basic Process Control System (BPCS)
System which responds to input signals from the process, its associated equipment, other programmable systems and / or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner, but which does not perform any Safety Instrumented Functions with a claimed SIL > 1.
3.2.2 Channel
Element or a group of elements that independently perform(s) a function.
NOTE 1 - The elements within a channel could include input / output (I/O) modules, logic systems, sensors, final elements.
NOTE 2 - A dual channel (i.e., a two channel) configuration is one with two channels that independently perform the same function.
NOTE 3 - The term can be used to describe a complete system, or a portion of a system (for example, sensors or final elements).
3.2.3 Common Cause Failure
Failure which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to system failure.
3.2.4 Common Mode Failure
Failure of two or more channels in the same way, causing the same erroneous result.
3.2.5 Dangerous Failure
Failure which has the potential to put the Safety Instrumented System in a hazardous or fail-to-function state.
NOTE - Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall hazardous or fail-to-function state.
3.2.6 Dependent Failure
Failure whose probability cannot be expressed as the simple product of the unconditional probabilities of the individual events which caused it.
NOTE - Two events A and B are dependent, where P(z) is the probability of event z, only if P(A & B) > P(A) * P(B).
3.2.7 Diagnostic Coverage (DC)
The diagnostic coverage of a component or subsystem is the ratio of the detected failure rate to the total failure rate of the component or subsystem as detected by diagnostic tests. Diagnostic coverage does not include any faults detected by proof tests.
NOTE 1 - The diagnostic coverage is used to compute the detected failure rate ($\lambda_D$) and the undetected failure rate ($\lambda_U$) from the total failure rate ($\lambda$) as follows: $\lambda_D = DC \times \lambda$ and $\lambda_U = (1 - DC) \times \lambda$.
NOTE 2 - Diagnostic coverage is applied to components or subsystems of a Safety Instrumented System. For example, the diagnostic coverage is typically determined for a sensor, final element or a logic solver.
NOTE 3 - For safety applications the diagnostic coverage is typically applied to the safe and dangerous failures of a component or subsystem. For example, the diagnostic coverage for the dangerous failures of a component or subsystem is $DC = \lambda_{DD} / \lambda_{DT}$, where $\lambda_{DD}$ is the dangerous detected failure rate and $\lambda_{DT}$ is the total dangerous failure rate.
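Worked example, added here and not part of this RP or of IEC 61511: Python that applies the NOTE 1 and NOTE 3 formulas above and the Safe Failure Fraction defined in 3.2.40 to one component's failure-rate budget. The 200 FIT / 100 FIT figures and the 70 % / 90 % coverages are constructed sample values, not data for any real device.

```python
from dataclasses import dataclass

FIT_PER_HOUR = 1e-9  # 1 FIT = one failure per 10^9 hours


def fit_to_per_hour(fit: float) -> float:
    """Convert a failure rate quoted in FIT to failures per hour."""
    return fit * FIT_PER_HOUR


def split_by_diagnostic_coverage(total_rate: float, dc: float) -> tuple[float, float]:
    """Split a total failure rate into (detected, undetected) per 3.2.7 NOTE 1:
    detected = DC * total, undetected = (1 - DC) * total.
    DC counts only faults revealed by on-line diagnostics, never by proof tests,
    so the undetected share is what remains latent until the next proof test.
    """
    if total_rate < 0:
        raise ValueError("failure rate must be non-negative")
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie in [0, 1]")
    return dc * total_rate, (1.0 - dc) * total_rate


def diagnostic_coverage(detected_rate: float, total_rate: float) -> float:
    """DC as the ratio in 3.2.7 NOTE 3, e.g. lambda_DD / lambda_DT for dangerous failures."""
    if total_rate <= 0:
        raise ValueError("total failure rate must be positive to compute DC")
    if not 0 <= detected_rate <= total_rate:
        raise ValueError("detected rate must lie between 0 and the total rate")
    return detected_rate / total_rate


@dataclass(frozen=True)
class FailureRates:
    """Random hardware failure rates of one SIS component, in failures per hour."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    def safe_failure_fraction(self) -> float:
        """SFF per 3.2.40: share of all random hardware failures that are either
        safe or dangerous-but-detected. Only lambda_DU counts against it."""
        if self.total <= 0:
            raise ValueError("component has no failure rate data")
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected) / self.total


def component_rates(lambda_s: float, lambda_d: float,
                    dc_s: float, dc_d: float) -> FailureRates:
    """Apply separate diagnostic coverages to the safe and the dangerous failure
    rates (3.2.7 NOTE 3) and return the four-way split."""
    sd, su = split_by_diagnostic_coverage(lambda_s, dc_s)
    dd, du = split_by_diagnostic_coverage(lambda_d, dc_d)
    return FailureRates(sd, su, dd, du)


def example_transmitter() -> FailureRates:
    """Constructed sample data (not from any real datasheet): a transmitter with
    200 FIT safe and 100 FIT dangerous failures, 70 % / 90 % diagnostic coverage."""
    return component_rates(
        lambda_s=fit_to_per_hour(200),
        lambda_d=fit_to_per_hour(100),
        dc_s=0.70,
        dc_d=0.90,
    )


if __name__ == "__main__":
    r = example_transmitter()
    lambda_dt = r.dangerous_detected + r.dangerous_undetected
    print(f"lambda_DD = {r.dangerous_detected:.2e}/h, lambda_DU = {r.dangerous_undetected:.2e}/h")
    print(f"DC (dangerous) = {diagnostic_coverage(r.dangerous_detected, lambda_dt):.2f}")
    print(f"SFF = {r.safe_failure_fraction():.3f}")
```

With the sample figures, 90 FIT of the 100 FIT dangerous rate is detected and 10 FIT stays undetected, giving an SFF of about 0.967; raising dc_d is the only lever in this model that moves lambda_DU, which is why the RP treats diagnostics and proof tests separately.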
3.2.8 Electrical / Electronic / Programmable Electronic (E/E/PE)
Based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology.
NOTE - The term is intended to cover any and all devices or systems operating on electrical principles and would include: electro-mechanical devices (electrical); solid state non-programmable electronic devices (electronic); electronic devices based on computer technology (programmable electronic).
3.2.9 External Risk Reduction Facilities
Measures to reduce or mitigate the risks, which are separate and distinct from the
NOTE - Examples include a drain system, firewall, bund (dike), etc.
3.2.10 Failure
Termination of the ability of a functional unit to perform a required function.
3.2.11 Fault
Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.
3.2.12 Fault Avoidance
Use of techniques and procedures which aim to avoid the introduction of faults during any phase of the safety lifecycle of the Safety Instrumented System.
3.2.13 Fault Tolerance
Ability of a functional unit to continue to perform a required function in the presence of faults or errors.
3.2.14 Final Element
Part of a Safety Instrumented System which implements the physical action necessary to achieve a safe state.
NOTE - Examples are valves, switchgear, motors including their auxiliary elements, e.g., a solenoid valve and actuator if involved in the Safety Instrumented Function.
3.2.15 Functional Safety
Part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers.
3.2.16 Functional Safety Assessment
Investigation, based on evidence, to judge the functional safety achieved by one or more protection layers.
3.2.17 Functional Safety Audit
Systematic and independent examination to determine whether the procedures specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified
NOTE - A functional safety audit may be carried out as part of a functional safety assessment.
3.2.18 Functional Unit
Entity of hardware, or software, or both, capable of accomplishing a specified purpose.
3.2.19 Hardware Safety Integrity
Part of the safety integrity of the Safety Instrumented Function relating to random hardware failures in a dangerous mode of failure.
NOTE - The term relates to failures in a dangerous mode, that is, those failures of a Safety Instrumented Function that would impair its safety integrity. The two parameters that are relevant in this context are the overall dangerous failure rate and the probability of failure to operate on demand.
3.2.20 Impact Analysis
Activity to determine the effect that a change to a function or component will have on other functions or components in that system as well as on other systems.
3.2.21 Input Function
Function which monitors the process and its associated equipment in order to provide input information for the logic solver.
NOTE - An input function could be a manual function.
3.2.22 Logic Function
Function which performs the transformations between input information (provided by one or more input functions) and output information (used by one or more output functions); logic functions provide the transformation from one or more input functions to one or more output functions.
3.2.23 Logic Solver
That portion of either a BPCS or SIS that performs one or more logic function(s).
NOTE 1 - In IEC 61511 the following logic systems are used: electrical logic systems for electro-mechanical technology; electronic logic systems for electronic technology; PE logic systems for programmable electronic systems.
NOTE 2 - Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, hydraulic systems, etc. Sensors and final elements are not part of the logic solver.
3.2.24 Safety Configured Logic Solver
Purpose industrial grade PE logic solver which is specifically configured for use in safety applications.
3.2.25 Maintenance / Engineering Interface
Maintenance / engineering interface is the hardware and software provided to allow proper SIS maintenance or modification. It can include instructions and diagnostics which may be found in software, programming terminals with appropriate communication protocols, diagnostic tools, indicators, bypass devices, test devices, and calibration devices.
3.2.26 Mitigation
Action that reduces the consequence(s) of a hazardous event.
NOTE - Examples include emergency depressurization on detection of confirmed fire or gas leak.
3.2.27 Mode of Operation
The way in which a Safety Instrumented Function operates:
Demand Mode Safety Instrumented Function: where a specified action (e.g., closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the Safety Instrumented Function, a potential hazard only occurs in the event of a failure in the process or the BPCS.
Continuous Mode Safety Instrumented Function: where, in the event of a dangerous failure of the Safety Instrumented Function, a potential hazard will occur without further failure unless action is taken to prevent it.
NOTE 1 - Continuous mode covers those safety related functions which implement continuous control to maintain functional safety.
NOTE 2 - In demand mode applications where the demand rate is more frequent than once per year, the hazard rate will not be higher than the dangerous failure rate of the function. In such a case, it will normally be appropriate to use the continuous mode criteria.
3.2.28 Necessary Risk Reduction
The risk reduction required to ensure that the risk is reduced to a tolerable level.
3.2.29 Non-Programmable (NP) System
System based on non-computer (e.g., not using software) technologies and / or hardware devices (i.e., a system not based on programmable electronics [PE]).
NOTE - Examples would include hardwired electrical or electronic systems, mechanical, hydraulic, or pneumatic systems, etc.
3.2.30 Other Technology Safety-Related Systems
Safety-related systems that are based on a technology other than electrical / electronic / programmable electronic.
NOTE - A relief valve is an "other technology safety-related system". "Other technology safety-related systems" may include hydraulic and pneumatic systems.
3.2.31 Output Function
Function which controls the process and its associated equipment according to final actuator information from the logic function.
3.2.32 Prevention
Action that reduces the frequency of occurrence of a hazardous event.
3.2.33 Process Risk
Risk arising from the process conditions caused by abnormal events (including BPCS malfunction).
NOTE 1 - The risk in this context is that associated with the specific hazardous event in which SIS are to be used to provide the necessary risk reduction (i.e., the risk associated with functional safety).
NOTE 2 - The main purpose of determining the process risk is to establish a reference point for the risk without taking into account the protection layers.
NOTE 3 - Assessment of this risk should include associated human factor issues.
3.2.34 Proof Test
Test performed to reveal undetected faults in a Safety Instrumented System so that, if necessary, the system can be restored to its designed functionality.
3.2.35 Independent Protection Layer
Any independent mechanism that reduces risk by control, prevention or mitigation.
NOTE - It could be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a mechanical engineering mechanism such as a relief valve, a Safety Instrumented System or an administrative procedure such as an emergency plan against an imminent hazard. These responses may be automated or initiated by human actions.
3.2.36 Proven-In-Use
A component may be considered as proven-in-use when a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a Safety Instrumented System.
3.2.37 Random Hardware Failure
Failure, occurring at a random time, which results from a variety of degradation mechanisms in the hardware.
NOTE 1 - There are many degradation mechanisms occurring at different rates in different components, and since manufacturing tolerances cause components to fail due to these mechanisms after different times in operation, failures of a total item of equipment comprising many components occur at predictable rates but at unpredictable (i.e., random) times.
NOTE 2 - A major distinguishing feature between random hardware failures and systematic failures is that system failure rates (or other appropriate measures) arising from random hardware failures can be predicted, but systematic failures, by their very nature, cannot be predicted. That is, system failure rates arising from random hardware failures can be quantified, but those arising from systematic failures cannot be statistically quantified because the events leading to them cannot easily be predicted.
3.2.38 Redundancy
Use of multiple elements or systems to perform the same function; redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).
NOTE 1 - Examples are the use of duplicate functional components and the addition of parity bits.
NOTE 2 - Redundancy is used primarily to improve reliability or availability.
3.2.39 Safe Failure
Failure which does not have the potential to put the Safety Instrumented System in a hazardous or fail-to-function state.
NOTE 1 - Whether or not the potential is realized may depend on the channel architecture of the system.
NOTE 2 - Other names used for safe failure are nuisance failure, spurious trip failure, false trip failure or fail-to-safe failure.
3.2.40 Safe Failure Fraction
The fraction of the overall random hardware failure rate of a device that results in either a safe failure or a dangerous detected failure.
3.2.41 Safe State
State of the process when safety is achieved.
NOTE 1 - In going from a potentially hazardous condition to the final safe state the process may have to go through a number of intermediate safe states. For some situations, a safe state exists only so long as the process is continuously controlled. Such continuous control may be for a short or an indefinite period of time.
NOTE 2 - This term deviates from the definition in IEC 61508-4 to reflect differences in process sector terminology.
3.2.42 Safety
Freedom from unacceptable risk.
3.2.43 Safety Function
Function to be implemented by a SIS, other technology safety-related system, or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process in respect of a specific hazardous event.
3.2.44 Safety Instrumented Control Function
Safety Instrumented Function with a specified SIL operating in continuous mode, which is necessary to prevent a hazardous condition from arising and / or to mitigate the consequences.
3.2.45 Safety Instrumented Function (SIF)
Safety function with a specified Safety Integrity Level which is necessary to achieve functional safety. A Safety Instrumented Function can be either a safety instrumented protection function or a safety instrumented control function. SIFs are actions taken by a SIS to bring the process equipment under control to a pre-determined safe state. Each SIF consists of a set of actions to protect against a single specific hazard. One or more SIFs can be implemented in a SIS for a common purpose.
NOTE - Sometimes the terminology 'Safety Loop' is used in a very loose sense to indicate a SIF.
3.2.46 Safety Instrumented System (SIS)
Instrumented system used to implement one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). Safety Instrumented Systems could include, but are not limited to, ESD, F&G Systems, Burner Management Systems, Compressor Control Systems, etc.
3.2.47 Safety Integrity
Average probability of a Safety Instrumented System satisfactorily performing the required Safety Instrumented Functions under all the stated conditions within a stated period of time.
NOTE 1 - The higher the level of safety integrity of the Safety Instrumented Function (SIF), the lower the probability that the SIF should fail to carry out the required Safety Instrumented Functions.
NOTE 2 - There are four levels of safety integrity for Safety Instrumented Functions.
NOTE 3 - In determining safety integrity, all causes of failures (both random hardware failures and systematic failures) which lead to an unsafe state should be included; for example, hardware failures, software induced failures and failures due to electrical interference. Some of these types of failure, in particular random hardware failures, may be quantified using such measures as the failure rate in the dangerous mode of failure or the probability of a Safety Instrumented Function failing to operate on demand. However, the safety integrity of a SIF also depends on many factors which cannot be accurately quantified but can only be considered qualitatively.
NOTE 4 - Safety integrity comprises hardware safety integrity and systematic safety integrity.
3.2.48 Safety Integrity Level (SIL)
Discrete level (one out of four) for specifying the safety integrity requirements of the Safety Instrumented Functions to be allocated to the Safety Instrumented Systems. Safety Integrity Level 4 has the highest level of safety integrity (i.e. lowest probability of failure); Safety Integrity Level 1 has the lowest level of safety integrity (i.e. highest probability of failure).
NOTE 1 - A Safety Integrity Level applies to an entire SIF. SIL is used when implementing a SIF to reduce process risk to a tolerable risk level.
NOTE 2 - It is possible to use several lower Safety Integrity Level systems to satisfy the need for a higher level function (e.g., using a SIL 2 and a SIL 1 system together to satisfy the need for a SIL 3 function).
3.2.49 Safety Integrity Requirements Specification
Specification that contains the safety integrity requirements of the Safety Instrumented Functions to be performed by the Safety Instrumented System(s).
3.2.50 Safety Lifecycle
Necessary activities involved in the implementation of Safety Instrumented Function(s), occurring during a period of time that starts at the concept phase of a project and finishes when all of the Safety Instrumented Functions are no longer available for use.
3.2.51 Safety Requirements Specification
Specification that contains all the requirements of the Safety Instrumented Functions to be performed by the Safety Instrumented Systems.
3.2.52 Systematic Failure
Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.
NOTE 1 - Corrective maintenance without modification would usually not eliminate the failure cause.
NOTE 2 - A systematic failure can be induced by simulating the failure cause.
NOTE 3 - Example causes of systematic failures include human error in: the Safety Requirements Specification; the design, manufacture, installation and operation of the hardware; the design, implementation, etc. of the software.
3.2.53 Systematic Safety Integrity
That part of the safety integrity of Safety Instrumented Function(s) relating to systematic failures in a dangerous mode of failure.
NOTE - Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity).
3.2.54 Target Failure Measure
Intended probability of dangerous mode failures to be achieved in respect of the safety integrity requirements, specified in terms of either: the average probability of failure to perform the design function on demand (for a demand mode of operation); or the frequency of a dangerous failure to perform the SIF per hour (for a continuous mode of operation).
3.2.55 Tolerable Risk
Risk which is accepted in a given context based on the current values of society.
3.2.56 Total Mitigated Event Frequency
The Total Mitigated Event Frequency (TMEF) is obtained by summing the mitigated event frequency for each cause of the impact event (SIS process variable).
3.2.57 Validation
The activity of demonstrating that the Safety Instrumented Function(s) and Safety Instrumented System(s) under consideration, after installation, meet in all respects the Safety Requirements Specification.
3.2.58 Verification
The activity of demonstrating, for each phase of the relevant safety lifecycle, by analysis and / or tests, that for specific inputs the outputs meet in all respects the objectives and requirements set for the specific phase.
NOTE - Verification activities include: reviews on outputs (documents from all phases of the safety lifecycle) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase; design reviews; tests performed on the designed products to ensure that they perform according to their specification; integration tests performed where different parts of a system are put together in a step by step manner, and the performance of environmental tests to ensure that all the parts work together in the specified manner.
3.2.59 MooN System
Safety Instrumented System, or part thereof, made up of "N" independent channels which are so connected that "M" channel(s) is (are) sufficient to perform the Safety Instrumented Function.
3.2.60 Layers of Protection Analysis (LOPA)
Layers of Protection Analysis is a semi-quantitative method to determine the required SIL for a SIF. LOPA evaluates the adequacy of, and takes credit for, other protection layers that prevent or mitigate the hazardous event associated with the Safety Function.
3.3
"Shall" means a mandatory requirement that has t o be followed.
3.4 Abbreviations
ALARP - As Low As Reasonably Practicable
ANSI - American National Standards Institute
BDV - Blow-down Valve
BP - Budget Proposal
BPCS - Basic Process Control System
C&E - Cause and Effects Diagrams
CFSE - Certified Functional Safety Expert (visit www.cfse.org)
CPP - Capital Project Proposal
CPU - Central Processing Unit
DC - Diagnostic Coverage
E/E/PE - Electrical / Electronic / Programmable Electronic
E/E/PES - Electrical / Electronic / Programmable Electronic System
EIA - Environmental Impact Assessment
EMC - Electro-Magnetic Compatibility
ESD - Emergency Shutdown
ETA - Event Tree Analysis
EUC - Equipment under Control
FAT - Factory Acceptance Test
Fire and Gas
Functional Design Specification
Front-End Engineering Design
Failure Modes and Effects Analysis
Functional Safety Consultant
Fault Tree Analysis
Hazard Analysis
Hazard Identification
Hazard and Operability Study
Hardware Fault Tolerance
Human Machine Interface
Hazard & Risk Analysis
Human Reliability Analysis
Health, Safety and Environment
IEC - International Electro-technical Commission
IPL - Independent Protection Layer
ISA - Instrumentation, Systems, and Automation Society
ISO - International Organization for Standardization
LOPA - Layer of Protection Analysis
MOC - Management of Change
MooN - M out of N
MTBF - Mean Time between Failures
NP - Non-Programmable
PE - Programmable Electronics
PES - Programmable Electronic System
PFD - Probability of Failure on Demand
PFDavg - Average Probability of Failure on Demand
PHA - Process Hazard Analysis
PHSER - Project Health Safety Environment Review
P&ID - Piping and Instrumentation Diagram
PLC - Programmable Logic Controller
PSD - Process Shutdown
PST - Partial Stroke Testing
QA - Quality Assurance
QRA - Quantitative Risk Analysis
RBD - Reliability Block Diagram
SAT - Site Acceptance Test
SFF - Safe Failure Fraction
SIF - Safety Instrumented Function
SIL - Safety Integrity Level
SIS - Safety Instrumented System
SOE - Sequence of Events
SRS - Safety Requirements Specification
S/W - Software
S/U - Start-up
THERP - Techniques for Human Error Rate Prediction
TMEF - Total Mitigated Event Frequency
UPS - Uninterrupted Power Supply
4.0 REFERENCE CODES AND STANDARDS
4.1 Conflicts
In the event of conflicts between this RP and the latest edition of standards / codes referred to herein, or other purchase or contractual requirements, the most stringent requirements shall apply.
4.2 List of Standards and Codes
Safety Instrumented System(s) shall comply during the entire safety life cycle, except where otherwise specified, with the current issue and amendments of the applicable codes, standards, 015 series of KOC Specifications and KOC HSE MS Procedures, of which the following are listed in this RP:
4.2.1 International / National Standards
ISA S84.00.01 - Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1 to 3
IEC 61508 - Functional Safety of Electrical / Electronic / Programmable Electronic Safety Related Systems
Part 1: General Requirements
Part 2: Requirements for E/E/PE Safety Related Systems
Part 3: Software Requirements
Part 4: Definitions and Abbreviations
Part 5: Examples of Methods for Determination of SIL
Part 6: Guidelines on the Application of IEC 61508-2 and 61508-3
Part 7: Overview of Techniques and Measures
IEC 61511 - Functional Safety: Safety Instrumented Systems for the Process Industry Sector
Part 1: Framework, Definitions, System, Hardware and Software Requirements
Part 2: Guidelines in the Application of IEC 61511-1
Part 3: Guidance for the Determination of the Required Safety Integrity Levels
4.2.2 KOC Standards
KOC-G-002 - KOC Standard for Hazardous Area Classification
KOC-G-004 - KOC Standard for Packing, Marking and Documentation
KOC-G-007 - KOC Standard for Basic Design Data
KOC-G-009 - KOC Standard for Spare Parts and Maintenance Data
KOC-I-001 - KOC Standard for Instrumentation and Control System Design
KOC-I-002 - KOC Standard for Instrument Installation
KOC-I-004 - KOC Standard for Shutdown Systems
KOC-I-005 - KOC Recommended Practice for Fire and Gas System Panels
KOC-I-010 - KOC Standard for Control and Shutdown Valves
KOC-I-011 - KOC Standard for Instrument Cables
KOC-L-006 - KOC Standard for Fire & Gas Detection Equipment
KOC-L-017 - KOC Recommended Practice for HAZOP Study
4.2.3 0 1 5 Series o f KOC Specification 0 15-JH- 19 0 3
General Instruments
0 1 5-JH-1909
Instrumentation for Package Equipment
015-JH-1910
Mechanical Completion of Instrument Systems
015-JH-1911
Standard Auxiliary Control Room Cabinets
015-YH-1004
Emergency Shutdown & De-pressurizing System Requirements
4.2.4 KOC HSEMS Procedures
KOC.GE.001
Health, Safety and Environmental Management System (HSEMS) Manual
KOC.GE.006
Management of Change Procedure
KOC.GE.021
HAZOP Study Procedure
KOC.GE.048
Procedure for the Preparation o f Project HSE Plan
KOC.GE.050
Procedure for Project HSE Review (PHSER)
KOC.SA.018
HSE Procedure for Risk Assessment
KOC.SA.019
Guideline for HSE Procedure for Risk Assessment System
KOC.SA.020
Plant Safety Override Registration Procedure
KOC.EV.001
Environmental Aspects Identification and Assessment Procedure
KOC.EV.003
Environmental Impact Assessment (EIA) Procedure
KOC Fire & Safety Regulations (Latest)
4.2.5 List of Acceptable References
A list of suitable and acceptable references for failure rate data is as per the following list:
a) Safety Equipment Reliability Handbook, Exida, ISBN-13: 978-0-9727234-1-1;
b) Offshore Reliability Data Handbook, 4th Edition (OREDA 2002), SINTEF Technology and Society;
c) Layer of Protection Analysis: Simplified Process Risk Assessment, Center for Chemical Process Safety (CCPS), ISBN 0-8169-0811-7;
d) IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety Related Systems (Parts 1 to 7);
e) IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector (Parts 1 to 3);
f) ANSI/ISA-84.01-1996 Parts 1 to 3, Functional Safety: Instrumented Systems for the Process Industry Sector;
g) Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, Center for Chemical Process Safety, ISBN 0-8169-0554-1, 1993, Phone 800-242-4363;
h) Guidelines for Process Equipment Reliability Data with Data Tables, American Institute of Chemical Engineers, Center for Chemical Process Safety, 1989, ISBN 0-8169-0422-7, Phone 800-242-4363;
i) Guidelines for Chemical Process Quantitative Risk Analysis, AIChE CCPS, 1989, ISBN 0-8169-0402-2, Phone 800-242-4363;
j) Loss Prevention in the Process Industries, 2nd Edition, Lees, F.P., Elsevier Science Publishers B.V., Amsterdam (1996).
5.0
ENVIRONMENTAL CONDITIONS
Refer to "KOC Standard for Basic Design Data" (KOC-G-007), which provides the detailed information regarding the environmental, site and utility supply conditions prevailing throughout the KOC Facilities.
6.0
INTRODUCTION AND PURPOSE
6.1
Introduction
A Safety Instrumented System (SIS) is one of several risk reduction measures used on a hazardous process to minimize the risk of fatalities or injury to personnel, harm to the environment, damage to plant equipment, or loss of production. The primary purpose of this RP is to provide the guidelines and criteria for the specification, design, implementation, and support of all SIS. The guidelines and criteria outlined in this RP are intended to ensure that SIS are correctly specified, designed, and installed, and that adequate management systems are in place so that the required periodic inspections, modifications, and repairs are completed once the systems are in operation.
6.2
Purpose
6.2.1 This RP provides guidelines to be used for the development of Safety Instrumented Functions consistent with the safety life cycle phases in accordance with IEC 61511.
6.2.2 It is expected that this RP should be used by those who are involved in the following activities associated with Safety Instrumented Systems:
Hazard and risk analysis
Safety Integrity Level Selection
Application, specification, design, selection and engineering
Installation, commissioning, and Pre-Startup Acceptance Test
Operation, maintenance, documentation, and testing
6.2.3 A typical Safety Instrumented System Life Cycle is shown in Fig. 1 of this RP.
6.2.4 Typical activities of the safety life cycle from initial concept through decommissioning of a SIS are detailed in Table No. 1 of this RP.
6.2.5 These guidelines for developing Safety Instrumented Functions shall be applied to new as well as to review / modifications / additions of / to existing Safety Instrumented Systems within KOC facilities.
Figure 1: Typical Safety Instrumented System Life Cycle
[Flow chart not reproduced. Recoverable box labels: Start; Conceptual Process Design & Release; Process Hazards Review / Risk Analysis; Identify SIFs; Define Target SILs; Develop Safety Requirements Specification; Develop SIS Conceptual Design; Verify Conceptual Design meets SRS, SIS Arch/FDS; Issue IFD; Develop SIS Detail Design per P&IDs; Confirm if SIS meets SIL requirements; Confirm Target SILs; SIS Installation, Commissioning and Pre-start-up; Pre-Startup Safety Review; Establish Operation & Maintenance Procedures; SIS Startup, Operation, Maintenance, Periodic Functional Testing; Technical Auditing; SIS Decommissioning; End. Phase bands: Analysis, Design, Operations / Maintenance. Legend: IFD - Issue for Design; IFC - Issue for Construction; RFQ - Request for Quotation.]
Table No. 1: SIS Safety Life Cycle Overview

1. Hazard and Risk Assessment
Objectives: To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with the hazardous event, the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction.
Inputs: Process design, layout, manning arrangements, safety targets.
Outputs: A description of the hazards, of the required safety function(s) and of the associated risk reduction.

2. Allocation of safety functions to protection layers
Objectives: Allocation of safety functions to protection layers and, for each Safety Instrumented Function, the associated Safety Integrity Level.
Inputs: A description of the required Safety Instrumented Functions and associated safety integrity requirements.
Outputs: Description of allocation of safety requirements.

3. SIS Safety Requirements Specification
Objectives: To specify the requirements for each SIS, in terms of the required Safety Instrumented Functions and their associated safety integrity, in order to achieve the required functional safety.
Inputs: Description of allocation of safety requirements.
Outputs: SIS safety requirements; software safety requirements.

4. SIS design and engineering
Objectives: To design the SIS to meet the requirements for Safety Instrumented Functions and safety integrity.
Inputs: SIS safety and software safety requirements.
Outputs: Design of the SIS in conformance with the SIS safety requirements; planning for the SIS integration test.

5. SIS installation, commissioning and validation
Objectives: To integrate and test the SIS. To validate that the SIS meets, in all respects, the requirements for safety in terms of the required Safety Instrumented Functions and the required safety integrity.
Inputs: SIS design; SIS integration test plan; SIS safety requirements; plan for the safety validation of the SIS.
Outputs: Fully functioning SIS, conforming to the SIS design; results of SIS integration tests; results of the installation, commissioning and validation activities.

6. SIS operation and maintenance
Objectives: To ensure that the functional safety of the SIS is maintained during operation and maintenance.
Inputs: SIS requirements; SIS design; plan for SIS operation and maintenance.
Outputs: Results of the operation and maintenance activities.

7. SIS verification
Objectives: To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.
Inputs: Plan for the verification of the SIS for each phase.
Outputs: Results of the verification of the SIS for each phase.

8. SIS functional safety assessment
Objectives: To investigate and arrive at a judgment on the functional safety achieved by the SIS.
Inputs: Planning for SIS functional safety assessment; SIS safety requirement.
Outputs: Results of SIS functional safety assessment.

9. Decommissioning
Objectives: To ensure proper review, sector organization, and ensure SIF remain appropriate.
Inputs: As-built safety requirements and process information.
Outputs: SIF placed out-of-service.
6.3
Applicability - New Facilities
Safety lifecycle activities as described in IEC 61511 shall be applied to all new KOC facilities with reference to typical KOC project phases as follows:
a) Process Hazard and Risk Analysis and Protection Layer Design
This activity shall start in the concept design phase at CPP & BP stage and continue during Front-End Engineering Design (FEED stage) and detail engineering by Contractor. The activity should conclude with a risk analysis
b) Allocation of Safety Functions to Protection Layers
This activity shall start following the risk analysis performed in the FEED stage, assuming that the preliminary risk analysis has identified the Safety Instrumented Functions. However, it is necessary to identify major risks at this stage also, to allow them to be considered in the design process and to facilitate future SIL studies. The minimum SILs for each Safety Instrumented Function shall be assigned and indicated in P&IDs, and all other relevant documents shall be based on this Recommended Practice before finalization of the FEED. The activity shall continue during the detail engineering by the Contractor. The Contractor shall prepare a report (specification) in the detail engineering stage.
c) Safety Requirements Specification for the Safety Instrumented System
This activity shall start in the FEED stage, continue in the detail engineering stage and shall be concluded with a report (specification) by Contractor.
d) Design and Engineering of Safety Instrumented System
This activity starts in the FEED stage and concludes in the detail engineering stage.
e) Installation, Commissioning and Validation
This activity starts in the construction stage and concludes with the final commissioning.
f) Operation and Maintenance
This activity occurs throughout the operational stages of the system.
g) Modification
This activity occurs throughout the operational stages of the system.
h) Decommissioning
This activity occurs during the decommissioning stage.
6.4
Applicability - Existing Facilities
6.4.1 The verification of SIL of each existing safety function shall be considered before implementing any changes to existing facilities that would affect the safety of the existing system, in order to ensure that the risk is reduced to an acceptable level.
6.4.2 Modifications involving changes to process, changes in operation, maintenance and the associated safety functions shall also be subject to verification of the Safety Integrity Level to ensure that the integrity level is maintained and the system is operating according to the specification.
6.4.3 These guidelines shall also be applied to periodic revalidation of existing installations and reviews required as a result of management of change or incident investigation activities. Such a review should cover existing plant Safety Functions, developing recommendations for further risk reduction and identifying additional risks exceeding the threshold criteria for each potential hazard / operability problem which has not already become evident from operating experience.
6.4.4 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this RP, KOC shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.
7.0
RISK ANALYSIS REQUIREMENTS
7.1
HAZOP Data Required
7.1.1 Process hazard analysis to identify hazards, potential process deviations and their causes, available engineered systems, initiating events, and potential hazardous events (accidents) that may occur, shall be performed for the process.
7.1.2 This shall be accomplished using HAZOP techniques which shall be in full compliance with the latest edition of API recommended practices and "KOC Recommended Practice for HAZOP Studies" (KOC-L-017).
7.1.3 HAZOP shall develop the following data required for SIL analysis:
Table No. 2: HAZOP Developed Data for SIL Analysis (LOPA method)
SIL Analysis (LOPA) Required Information | HAZOP Developed Information
Initiating Event | Deviation
Impact Event | Consequence
Severity Level | Consequence Severity
Initiating Cause | Cause
Impact Event Frequency | Cause Frequency
Protection Layers | Existing Safeguards
Required Additional Mitigation | Recommended New Safeguards
7.1.4 Facilities QRA Requirements
The following data from Facilities QRA studies shall be used to obtain information relating to likelihood and consequence values for the SIL determination:
Risk Contours
Consequence analysis
Likelihood analysis
Gas dispersion analysis
Event trees
7.2
Identification of SIFs
The Functional Safety Consultant will compile a list of safety instrumented functions (SIF) that were determined to be required for the process under consideration. The Consultant will perform this task by reviewing the documentation where required SIF have been identified and then compiling them into a document whose format will facilitate SIL selection, and which will subsequently become an integral part of the safety requirements specification. The key documents to be used by the Functional Safety Consultant to complete this task are:
HAZOP report
P&IDs
Cause and Effect diagrams
Instrument Index
7.3
SIF List
The results of the SIF Identification Support will be documented in a SIF list document, which will become an integral part of the safety requirements specification. The Functional Safety Consultant will compile two separate SIF lists, one for personnel safety and another for process/equipment protection. The SIF list will contain the following information:
A brief description of each SIF
A tag number for each SIF (if available)
A list of inputs and outputs for each SIF
Reference information for each SIF, including drawing numbers where the SIF functionality is described
General requirements for all SIF and an explanation for use of the SIF list
Specific notes for individual SIF, as needed
After preparation of the preliminary SIF lists, the Functional Safety Consultant will submit them to KOC for review and approval. KOC will review the list to determine if any additions or deletions are required, and also whether any personnel safety or process/equipment protection functions have been improperly assigned. The following items should not be included in the SIF list:
Any alarm
Hand switches, e.g. Start / Stop / Duty / Standby / Local / Remote / ESD (MCR / Local)
Fire and Gas detector alarms
Fusible plugs
Control valve loops actuated by SOVs
Motor Control Center loops
Air conditioner damper controls
A template for the SIF list is described in Appendix D of this RP.
8.0
SAFETY INTEGRITY LEVEL (SIL) STUDIES
8.1
General
8.1.1 Safety Integrity Level Studies shall be performed for all projects within KOC facilities. The services of a Third Party Functional Safety Consultant shall be used to complete the following activities in accordance with IEC 61508 & IEC 61511 and the KOC Standards and Specifications listed under clause 4.2 of this RP. The SIL determination shall be performed by a multi-disciplinary team knowledgeable of the design for evaluation as per IEC 61508 & IEC 61511 standards. The team shall consist of people qualified to review the chemical process, identify potential process hazards, and recommend actions to be taken to minimize risks. This team shall have at least one experienced representative from the Contractor, Project Management Consultant and the KOC project / concerned teams with the following functions:
Functional Safety Consultant with CFSE certification, trained in LOPA analysis. The Functional Safety Consultant shall be designated as Chairperson for SIL Analysis;
Process and Instrument Engineers from Design / Major Projects Teams, as the case may be;
Process and Instrument Engineers from Operation Technical Services;
Process and Instrument Engineers from Operations & Maintenance;
Inspection & Corrosion and QA / QC;
Representative of Package Equipment Manufacturer (e.g. Gas Turbine, Compressor, Heater etc.);
Designated Secretary to record the results of the meetings.
8.1.2 The following activities are to be completed prior to the start of the SIL review:
a) Review completed PHSER, HAZOP, EIA and QRA reports provided by other Safety Services Consultants (if the Functional Safety Consultant does not conduct the PHSER, HAZOP and QRA studies himself). These reports are to be used by the Functional Safety Consultant to identify Safety functions and associated hazards, including the frequency and consequence data required for the detailed SIL study.
b) The Functional Safety Consultant shall collect the required data from various sources, conduct detailed technical discussions with all concerned KOC Departments related to the project, the main Contractor of the KOC project and other relevant parties, and prepare a report of the same to be approved by KOC. The data collected shall be used for the SIL study.
c) A detailed preliminary list of Safety functions shall be prepared by the Functional Safety Consultant as per clauses 7.2 & 7.3 of this RP.
8.1.3 The following activities are to be completed during and after the SIL review:
a) Determine the SIL number for the required SIS as per clause 8.2 of this RP.
b) Develop the Safety Requirements Specification (SRS) for the SIS, as per clause 9.0 of this RP.
c) Perform SIS detail design and verify against the SRS using vendor data, as per clauses 10.1.2 & 10.1.3 of this RP.
d) Establish operation and maintenance procedures for SIS systems, as per clause 14.0 of this RP.
e) Ensure that appropriate SIS components are specified, produced and installed to meet the SRS, as per clauses 10.0, 11.0, 12.0 and 13.0 of this RP.
f) After commissioning, verify, validate and provide final certification that every SIS meets the requirements of the SRS, as per clause 13.0 of this RP.
8.1.4 Minimum qualifications required of the Functional Safety Consultant / Expert (this includes the individual employee / associate of a firm / company). The Functional Safety Consultant shall be:
A Graduate Engineer with CFSE certification;
Having at least fifteen (15) years experience in Instrumentation & Control Systems Engineering, including no less than ten (10) years in Safety Systems of the Oil & Gas Industry;
In addition, must have performed all of the works himself, independently, as per clause 8.1.1 of this RP for at least five (5) SIL studies in the three (3) years prior to the date of submitting his resume for KOC approval.
The main Contractor of the KOC project, or the Functional Safety Consultant himself if undertaking the SIL study project, shall submit the Consultant's resume for KOC approval prior to commencement of SIL studies.
8.1.5 The individual Functional Safety Consultant and / or agency, or any of the employees / associates of the firm, shall not in any form, directly or indirectly, be associated with the Contractor(s) who would execute the project Contract.
8.1.6 The SIL study must include all Safety Functions associated with the following, as applicable:
Main process
Fire and Gas systems (F&G)
Burner Management Systems (BMS)
Anti-surge systems
Machinery Vibration / Temperature Monitoring System
Package systems
8.1.7 The SIL review must cover the following risk receptors:
People
Environment
Asset
Company reputation
8.1.8 Safety functions are t o be limited t o functions that take automatic action t o prevent or mitigate hazardous events. As such there is n o requirement for a SIL review t o be completed for functions that are manually activated unless a special request is made b y KOC for a SIL review t o be completed for non-automatic functions. It has t o be recognized that it is very difficult t o meet even SIL 1 for manually activated functions.
8.2
Methodology to Determine and Allocate SIL for Each SIF
8.2.1 Introduction
a) The purpose of these recommendations is to provide the methodology for performing Safety Integrity Level (SIL) determination and allocation for projects within KOC facilities.
b) SIL studies shall be undertaken only after completion of the following as part of the Hazard and Risk Analysis:
Process Design Philosophies
Process Descriptions
Process Flow Diagrams
P&IDs
C&E Diagrams
Control Systems Architecture
Instrument Index
Site Layouts
HAZOP
PHSER reports
EIA Study
Facilities QRA or any other risk technique
c) National and international standards, such as IEC 61508 / IEC 61511, represent a consensus of best practices for implementing Safety Instrumented Systems (SIS). These standards require that all electrical, electronic and programmable electronic systems used in a SIS shall be designed, operated, and maintained so that they achieve a specified Safety Integrity Level (SIL).
d) A SIL is assigned to each individual Safety Instrumented Function (SIF) or "safety loop" contained in the system. IEC 61511 defines the SIL for a SIF operating in demand mode as a range of the Average Probability of Failure on Demand (PFDavg). The relationship between the SIL and the required failure probability is shown in Table No. 3 of this RP. The categories are usually described both in terms of PFDavg and also in terms of Risk Reduction Factor (RRF), which is the inverse of PFDavg.
Table No. 3: Safety Integrity Levels - Probability of Failure on Demand
[Table body not recovered from the source.]
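As an added worked example (not part of this RP, nor KOC or IEC text), the following Python script carries the HAZOP-developed data of Table No. 2 (clause 7.1.3) through a LOPA-style calculation to the required PFDavg, the Risk Reduction Factor and the SIL band described in clause 8.2.1 d). It assumes the IEC 61511-1 demand-mode PFDavg bands (SIL 1: 0.01 to 0.1, SIL 2: 0.001 to 0.01, SIL 3: 0.0001 to 0.001, SIL 4: 0.00001 to 0.0001); the initiating cause frequencies, IPL PFD values and tolerable target frequencies in it are constructed sample values, not KOC risk criteria, and `scenario_from_hazop_row` is a hypothetical helper, not a KOC tool.

```python
"""
Added example: HAZOP (Table No. 2) data -> LOPA-style required PFDavg, RRF and SIL.
All frequencies, IPL PFDs and target frequencies below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IEC 61511-1 demand-mode SIL bands: SIL -> (lower PFDavg inclusive, upper exclusive).
# RRF = 1 / PFDavg, so SIL 1 spans RRF 10 to 100, SIL 2 spans 100 to 1000, and so on.
SIL_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_for_pfd(pfd_avg: float) -> Optional[int]:
    """Map a required PFDavg to its SIL band.

    Returns None when the requirement is weaker than SIL 1 (PFDavg >= 0.1, RRF < 10).
    Raises ValueError below the SIL 4 band, where a single SIF is not expected to
    deliver the reduction and further independent protection layers are needed.
    """
    if not 0.0 < pfd_avg < 1.0:
        raise ValueError("PFDavg must be a probability strictly between 0 and 1")
    if pfd_avg < 1e-5:
        raise ValueError("required PFDavg is below the SIL 4 band; add independent protection layers")
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None  # pfd_avg >= 0.1: no SIL requirement for this SIF


@dataclass
class LopaScenario:
    """One hazardous-event scenario, populated from the HAZOP columns of Table No. 2."""
    impact_event: str                       # HAZOP "Consequence"
    initiating_cause: str                   # HAZOP "Cause"
    initiating_cause_frequency: float       # HAZOP "Cause Frequency", events per year
    ipl_pfds: List[float] = field(default_factory=list)  # PFD of each existing non-SIS IPL
    target_frequency: float = 1e-4          # tolerable frequency per year for the severity level (constructed)

    def intermediate_event_frequency(self) -> float:
        """Impact event frequency after the existing IPLs, before any new SIF."""
        freq = self.initiating_cause_frequency
        for pfd in self.ipl_pfds:
            if not 0.0 < pfd < 1.0:
                raise ValueError("IPL PFD must lie strictly between 0 and 1")
            freq *= pfd
        return freq

    def required_sif_pfd(self) -> Optional[float]:
        """PFDavg the new SIF must achieve; None when the target is already met."""
        freq = self.intermediate_event_frequency()
        if freq <= self.target_frequency:
            return None
        return self.target_frequency / freq

    def required_rrf(self) -> Optional[float]:
        pfd = self.required_sif_pfd()
        return None if pfd is None else 1.0 / pfd

    def required_sil(self) -> Optional[int]:
        pfd = self.required_sif_pfd()
        return None if pfd is None else sil_for_pfd(pfd)


def scenario_from_hazop_row(row: Dict[str, object]) -> LopaScenario:
    """Hypothetical helper: build a scenario from a dict keyed by Table No. 2 HAZOP column names."""
    return LopaScenario(
        impact_event=str(row["Consequence"]),
        initiating_cause=str(row["Cause"]),
        initiating_cause_frequency=float(row["Cause Frequency"]),
        ipl_pfds=[float(p) for p in row.get("Existing safeguards", [])],
        target_frequency=float(row.get("Target Frequency", 1e-4)),
    )


# Constructed sample HAZOP rows; the numbers are illustrative only.
SAMPLE_ROWS = [
    {"Consequence": "Vessel overpressure, loss of containment",
     "Cause": "Blocked outlet with feed pump running",
     "Cause Frequency": 0.5,              # per year
     "Existing safeguards": [0.1],        # BPCS high-pressure alarm with operator response
     "Target Frequency": 1e-4},
    {"Consequence": "Minor spill to bunded area",
     "Cause": "Level transmitter drift",
     "Cause Frequency": 0.01,
     "Existing safeguards": [0.01, 0.1],  # bund plus independent high-level alarm
     "Target Frequency": 1e-4},
]


if __name__ == "__main__":
    for hazop_row in SAMPLE_ROWS:
        s = scenario_from_hazop_row(hazop_row)
        print(f"{s.impact_event}: required PFDavg={s.required_sif_pfd()}, "
              f"RRF={s.required_rrf()}, SIL={s.required_sil()}")
```

For the first sample row the existing BPCS layer brings the 0.5/yr initiating frequency to 0.05/yr, so reaching the 1e-4/yr target needs a SIF with PFDavg of 0.002 (RRF 500), which falls in the SIL 2 band; for the second row the existing layers already meet the target and no SIF is required. The lower bound of each band is inclusive and the upper bound exclusive, so a required PFDavg of exactly 0.001 is reported as SIL 2, not SIL 3.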