QP Guideline for Safety Integrity Level Review
Short Description
SIL level review guidelines...
Description
STANDARDS PUBLICATION
QP GUIDELINE FOR SAFETY INTEGRITY LEVEL REVIEW
DOC NO: QP-GDL-S-030
REVISION 1
CORPORATE HSE SUPPORT DEPARTMENT
TABLE OF CONTENT
FOREWORD
1.0 INTRODUCTION
2.0 SCOPE
3.0 APPLICATION
4.0 POLICY
5.0 TERMINOLOGY
5.1 DEFINITIONS
5.2 ABBREVIATIONS
6.0 REFERENCE STANDARDS
7.0 METHODOLOGY/APPROACH
8.0 TEAM STRUCTURE AND RESPONSIBILITIES
8.1 TEAM STRUCTURE
8.2 ROLES AND RESPONSIBILITIES
9.0 REQUIREMENTS
9.1 PREPARATION OF THE REVIEW
9.2 SIL REVIEW
9.3 VALIDATION OF SIF
9.4 CAUSE DEMAND SCENARIO
9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
9.6 INDEPENDENT SAFEGUARDS
9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD
10.0 PLANNING
10.1 PREPARATION OF THE REVIEW
10.2 TIMING OF THE REVIEW
11.0 DOCUMENTS REQUIRED AND RECORDING
11.1 DOCUMENTS REQUIRED
11.2 RECORDING
11.3 REPORTING AND FOLLOW-UP
12.0 APPENDICES
12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS
12.6 APPENDIX VI - DEMAND RATE
12.7 APPENDIX VII – CORPORATE RISK MATRIX
REVISION HISTORY LOG
FOREWORD
This document has been developed by Corporate HSE Support Department, reviewed and edited by Corporate Quality and Management System Department and circulated for review by user departments before being endorsed by QP Management to serve as a guideline.

This document is published for use by QP Departments/ Contractors/ Consultants. It shall be emphasized that the document is to be used for QP operations wherever applicable and appropriate.

This document is subject to periodic review to re-affirm its adequacy, to conform to any changes in the corporate requirements or to include new developments on the subject.

It is recognized that there will be cases where addenda or other clarifications need to be attached to the standard to suit a specific application or service environment. As such, the content of the document shall not be changed or re-edited by any user, but any addenda or clarifications entailing major changes shall be brought to the attention of the Custodian Department.

The custodian of this document is Corporate HSE Support Department (ST). Therefore, all comments, views, recommendations, etc. on it shall be forwarded to the same and copied to Manager, Corporate Quality & Management Systems Department (QA).

1.0 INTRODUCTION
Safety Integrity Level (SIL) review is an analysis which aims at the determination of the appropriate reliability required from the elements of the Safety Instrumented Functions (SIF) identified in prior safety reviews (e.g. HAZOP).

The approach of this guideline is to remove the uncertainty regarding the safety integrity, cost effectiveness and availability requirements, reducing over and under engineering, in a traceable manner.

SIL study is a method to record all the SIF for a project development and document the expected reliability level. SIL study provides a basis for future maintenance and operating strategies.

SIL shall be conducted during FEED phase and/or EPIC phase in accordance with Project HSE Plan or as required by the outcome of Safety Reviews of a project.

SIL assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to a tolerable level. All of the Safety Instrumented Systems (SIS) design, operation and maintenance choices must then be verified against the SIL assigned.

2.0 SCOPE
This guideline details the structure, responsibilities and techniques of the Safety Integrity Level (SIL) review.

3.0 APPLICATION
The SIL review of the project shall cover all Safety Instrumented Systems (SIS) in process and utility units where there is potential for hazard to human safety, environment or asset/production loss.

4.0 POLICY
QP is committed to protect the health and safety of its employees and others that may be affected by its activities and to give proper regard to the conservation of the environment. QP policy is to conduct its activities such that it strives towards an incident free, secure, safe and healthy workplace.

Safety studies and reviews shall be performed during the course of a project or modifications to an existing facility. This is to identify, qualify, quantify and to establish that design safety measures shall provide adequate protection and mitigate any risk involved with the proposed project development or the modifications.

5.0 TERMINOLOGY

5.1 DEFINITIONS
Basic Process Control System (BPCS) - A combination of Sensors, Logic Solvers and Final elements which automatically regulate the process within normal production limits. The BPCS provides control of a process in the desired manner.
Cause - Factor contributing alone or in combination with others to the release of a hazard (in this guideline synonymous to the “demand scenario” triggering a SIF).
Company - Means QATAR PETROLEUM or “QP”.
Consequence (C) - Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Effect on personnel safety, economic loss, environmental loss.
Consequences of Failure on Demand - Escalation events that happen after the failure of the SIF during its solicitation. Effect on personnel safety, economic loss, environmental effect.
Demand Rate (W) - The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.
Demand Scenario - The set of conditions triggering a SIF action (synonymous Cause).
Design Intent - The reason why a SIF is set. Its purpose.
Final Element - A device which manipulates a process variable to achieve control, e.g. Control Valve, Emergency Block Valve, motor starter.
Layers of Protection Analysis - A process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.
Logic Solver - The element of the BPCS or SIS that implements one or more logic functions.
Hazard - A source of potential harm or damage, or a situation with potential for harm or damage.
Licensor - LICENSOR or PROCESS LICENSOR means each of the Companies which have granted (or will grant) to QP a Process License and have provided (or will provide) the corresponding Licensor Basic Engineering Package (BEP) during the FEED project.
Occupancy (F) - Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event.
Probability of Avoiding the Hazard (P) - The probability that exposed persons are able to avoid the hazardous situation which exists if the SIF fails on demand.
Probability of Failure on Demand - The probability that a system fails to perform a specified function on demand.
Recovery Measures - All technical, operational and organizational measures that limit the chain of consequences arising from a top event and assist return to normal operation.
Safety Integrity Level - Defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF). Four levels of SIL are defined; SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.
Safety Instrumented Function - It is a safety function with a specified safety integrity level which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function or a safety instrumented control function.
Safety Instrumented System - Instrumented system used to implement one or more safety instrumented functions. A Safety Instrumented System is composed of any combination of sensor(s), logic solver(s), and final element(s). It performs specified safety instrumented functions to achieve or maintain a safe state of the process when unacceptable or dangerous process conditions are detected. Safety instrumented systems are separate and independent from regular control systems but are composed of similar elements, including sensors, logic solvers, and final elements.

5.2 ABBREVIATIONS
CoFD - Consequence of Failure on Demand
EPIC - Engineering, Procurement, Installation and Commissioning
ESD - Emergency Shut Down
FEED - Front End Engineering Design
F&G - Fire & Gas System
HAZOP - Hazard and Operability Study
LOPA - Layer of Protection Analysis
LP - Loss Prevention
P&ID - Piping & Instrumentation Diagram
PFD - Process Flow Diagram
PSD - Process Shut Down
QP - Qatar Petroleum
SIL - Safety Integrity Level
SIF - Safety Instrumented Function
SIS - Safety Instrumented System

6.0 REFERENCE STANDARDS
IEC-61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
Part 1: General requirements;
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
Part 3: Software requirements;
Part 4: Definitions and abbreviations;
Part 5: Examples of methods for the determination of safety integrity levels (supporting information);
Part 6: Guidelines for the application of IEC 61508-2 and IEC 61508-3;
Part 7: Overview of techniques and measures.

IEC-61511 - Functional safety – Safety instrumented systems for the process industry sector
Part 1: Framework, definitions, system, hardware and software requirements;
Part 2: Guidelines for the application of IEC 61511-1;
Part 3: Guidelines for the determination of the required safety integrity levels.

7.0 METHODOLOGY/ APPROACH
The technical standard IEC 61511 sets out a good practice for engineering of safety instrumented systems that ensure the safety of process industries. This standard defines the functional safety requirements established by IEC 61508 in process industry sector terminology. It also focuses attention on one type of instrumented safety system used within the process sector, the safety instrumented system (SIS).

IEC 61511 covers the design and management requirements for SISs. Its scope includes initial concept, design, implementation, operation, and maintenance through decommissioning. The standard starts in the earliest phase of a project and continues through start up. It contains sections that cover modifications that come along later, along with maintenance activities and the eventual decommissioning activities. The standard consists of three parts as detailed under Clause 6.0.

The SIL review session is a guided team brainstorming activity that benefits from a structured method and from the broad experience of a multidisciplinary team led by a SIL facilitator.

The methodology that will be employed for the SIL determination uses a semi-qualitative method: the calibrated risk graph, as defined in IEC 61511-3 Annex D.

Essentially the SIL derived rating is a measure of risk reduction that is required to be achieved by the safety instrumented system in order that the residual risk is acceptable or is as low as reasonably acceptable (ALARP).

There are four levels of Safety Integrity for Safety Instrumented Functions, SIL 1 to SIL 4. SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.

For SIF which are assigned SIL 1 or SIL 2 no further studies or action shall be required. However, for SIF which are assigned SIL 3 or 4, the SIL classification shall be considered in detail using a quantitative method: Layer of Protection Analysis (LOPA) as defined in IEC 61511-3 Annex F.

SIL classification study shall be carried out for all the elements of SIS, i.e. PSD, ESD and F&G as identified in the Cause & Effect matrix.

The outcome of the SIL assessment is followed by a SIL verification study, where the reliability of the SIS is verified.

Dedicated computer spreadsheet or dedicated SIL software shall be used for recording SIL proceedings. The software tool used for determining SIL shall be in accordance with IEC 61508/61511 and shall have a provision to calibrate the Risk Graph based on QP SIL review guideline.

Note: Contractor shall develop project specific SIL procedure and terms of reference consistent with QP SIL guideline and shall submit to QP for prior approval.

8.0 TEAM STRUCTURE AND RESPONSIBILITIES

8.1 TEAM STRUCTURE
In performing a SIL review, the proper selection of team participants is very important. The review team shall consist of personnel who are knowledgeable in the process technology and experienced in the operations of the process. The team shall have the necessary SIL review experience and formal training in SIL techniques.

The chairman will be independent of the CONTRACTOR. QP will review and approve the Chairman’s resume prior to the SIL review.

The planned multidisciplinary core team necessary for the realisation of the SIL review shall include the following disciplines, with the maximum number limited to 10 persons excluding chairman and scribe.

a) Qatar Petroleum
- Loss Prevention Engineer – Corporate HSE support
- Process Engineer
- Instrumentation Engineer
- Operation Engineer
- Loss Prevention Engineer
- Maintenance Engineer

b) Independent Third Party
- Chairman

c) Project Independent
- Contractor’s LP Engineer Scribe

d) Contractor
- Process Engineer
- Instrumentation Engineer
- Loss Prevention Engineer

e) LICENSOR (for LICENSOR units)
- Process Engineer (knowledgeable of processes involved in project)
- Instrumentation Engineer

Additional specialists of other disciplines may be called to participate upon request according to the needs identified by the other permanent members of the team.

8.2 ROLES AND RESPONSIBILITIES
The quality of the review depends heavily on the contribution of all team members and on their global expertise. In order to achieve a quality result, members of the team shall adhere to the following:
- adopt a positive attitude toward other team members’ contribution,
- provide their expertise on the project specifics and from similar experience elsewhere,
- be logical, open minded and creative,
- focus on the objective of the SIL study.

8.2.1 Chairman
The Chairman shall have a high level of technical and managerial skills. He shall have expertise and experience in conducting SIL reviews and SIL verification studies. He needs to remain independent of the discussion and shall not be associated with the project. The Chairman’s resume shall be reviewed and approved by QP prior to a SIL session. The role of the Chairman is critical to the success of the meeting. He shall:
- Prepare, and make a presentation prior to the review on, the SIL techniques, rules and assumptions to be used by the team during the review,
- Lead the team through the SIL Determination technique,
- Prompt the brainstorming effort, and manage the discussion,
- Identify the key issues as they are raised by the team,
- Facilitate the evaluation of demand rates and consequences and ensure consistency of rating,
- Manage the recording of the findings by the scribe,
- Ensure that the minutes fully reflect the points identified,
- Generate the report of the review.

8.2.2 Scribe
The scribe shall be skilled in accurately recording the outcome of the discussions. Without being highly experienced, the scribe needs to be familiar with engineering terminology. He/She shall:
- Be familiar with the computer software used to record the review findings before the start of the review,
- Follow the Chairman’s instruction in recording the team findings.

8.2.3 Instrumentation/ LP Engineer (Contractor)
Prior to the review, the instrumentation engineer/specialist is responsible for completing the following elements for each SIF, based on the Cause & Effect Matrix/ P&ID/ HAZOP/ Safe Charts. For each SIF to be reviewed, the SIL review worksheet shall be provided by:
- Listing the initiators,
- Listing the final elements,
- Defining the success criteria for initiators and final elements, and
- Indicating the associated actions.
An example of SIL Review Worksheet is provided in Appendix I.

8.2.4 Process Engineer (Contractor)
Prior to the review, the process engineer is responsible for describing the “Design intent” of the SIF and for providing this information to the Instrumentation Engineer for implementation in the SIL review worksheet. An example of how this is documented is provided in Appendix I (1st column on left of the table).

9.0 REQUIREMENTS

9.1 PREPARATION OF THE REVIEW
- Prior to the review, the chairman shall collect the SIF description (SIF name, initiator(s), final elements, success criteria, associated actions and design intent) from the instrumentation specialist/ LP engineer.
- The chairman shall make a presentation to the team about the purpose and scope of the SIL review and to focus the efforts of the team members.
- The chairman shall make a presentation to the team about the methodology to be used in the SIL review. This establishes a common starting basis for the team that is necessary to conduct an effective SIL review.
- The parameters of the Project Risk Matrix shall be presented to the team for subsequent use in the evaluation of SIL assessment (Ref Appendix VII).
- The process engineer shall present an overall explanation of the plant’s process so that all team members have a clear understanding of the basic operations of the plant. This also acquaints the team members with typical scenarios that may lead to a hazardous condition.
- Dedicated SIL software or spreadsheets shall be introduced to the team to log the SIL review session (Contractor shall specify the software/spreadsheet proposed while submitting SIL methodology document for QP approval prior to a SIL review session).

9.2 SIL REVIEW
The SIL review sequence process shall be divided into steps as follows:
- Select the Safety Instrumented Function,
- Validation of the SIF description (already documented in the SIL review worksheet by instrumentation/ LP engineer),
- Validation of the design intent (already documented in the SIL review worksheet by process engineer),
- Determine (by brainstorming) all the potential causes/ demand scenarios which trigger the SIF action,
- Agree the credibility of each cause,
- Identify potential hazard in terms of:
  i. Consequences of SIS failure on Demand (C)
     - Personnel Safety (S)
     - Environmental Effect (E)
     - Economic loss (A)
  ii. Occupancy (F)
  iii. Probability of avoiding the hazardous situation (P)
  iv. Demand Rate (W)
- Assess the preventive, protective and mitigation safety features,
- Assign SIL based on C, F, P and W parameters,
- Agree a recommendation for action or further consideration of the problem (if applicable),
- Apply the next cause (relevant to the selected SIF),
- Move onto the next SIF of the system until the whole study has been examined.
Figure 1 given below is a pictorial description of the review procedure.
[Figure 1: SIL Review Process Schematic]

9.3 VALIDATION OF SIF
Instrumentation or LP engineer shall present each SIF to the review team so that all team members have the same understanding of its purpose (design intent).

9.4 CAUSE DEMAND SCENARIO
The team shall brainstorm to identify possible causes for the conditions that trigger the SIF. The demand could be caused by any of a number of reasons, e.g., control instrument malfunction, operator error, loss of feed, etc. Each cause shall be clearly documented in the SIL review worksheet. The team shall focus on all possible causes of the hazard against which the SIF is designed (design intent) and ensure all of them are indeed a source of demand on the SIF.

9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
The team shall identify all the consequences of the identified demand scenario(s). The location of the plant and the relative positions of installations can have a significant influence on the consequences. The correct appreciation of these consequences is critical to the appropriate classification of the SIF.

9.6 INDEPENDENT SAFEGUARDS
Where applicable, the team may list independent safeguards (independent from SIF) which can reduce the event probability.

9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD
After the evaluation of the Consequences of Failure on Demand, each SIF is assigned a Safety Integrity Level (SIL). The SIL determination shall be based on calibrated risk graphs from IEC 61511-3. These Risk Graphs are based on the following:
- The consequences of the hazardous situation for Personnel Safety, Environment and Economic/ Asset loss (parameters S, E and A respectively),
- The Occupancy (parameter F),
- The probability of avoiding the hazardous situation (parameter P),
- The Demand Rate (W).

9.7.1 Consequence (Parameters S, E and A)
The consequences of the hazardous situation for personnel safety, environment and economic/ asset loss (parameters S, E and A respectively) are further defined for various risk levels. These definitions are consistent with QP Risk Assessment Matrix.

Table 1 - Consequence Risk Parameter for Personnel Safety (S)
Consequence Risk Parameter - Definition
S1 (CA) - Minor injury or health effects
S2 (CB) - Major injury or health effects
S3 (CC) - Single fatality or Permanent total disability
S4 (CD) - Multiple fatalities
Notes: The classification system has been developed to deal with injury and death to people. For the interpretation of S1, S2, S3 and S4 parameters, the consequences of the accident and normal healing shall be taken into account.

Table 2 - Environmental Consequence Parameter (E)
Level of Environmental Consequences - Definition
E1 (CA) - Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.
E2 (CB) - Localized effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence/ neighborhood.
E3 (CC) - Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceeding of statutory or prescribed limits.
E4 (CD) - Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant high exceeding of statutory or prescribed limits.

Table 3 - Economic/Asset Consequence Parameter (A)
Level of Economic Consequences - Definition
A1 (CA) - Minor damage: Brief disruption to operation with estimated costs less than QR 350,000.
A2 (CB) - Local Damage: Partial shutdown of operation; can be restarted but with estimated costs up to QR 3,500,000.
A3 (CC) - Major Damage: Partial loss of operation; 2 weeks shutdown with estimated costs up to QR 35,000,000.
A4 (CD) - Extensive Damage: Substantial or total loss of operation; with estimated costs in excess of QR 35,000,000.

9.7.2 Exposure time (Parameter F)
The exposure time of an individual in a hazardous situation is further defined for two occupancy conditions.

Table 4 - Occupancy Exposure Time Parameter (F)
Exposure time in the hazardous zone - Definition
F1 - Rare to more often exposure in the hazardous zone (normally unmanned operation of the relevant part of the plant). Occupancy less than 10%.
F2 - Frequent to permanent exposure in the hazardous zone (relevant part of plant is attended locally on a regular basis, e.g. every shift, or during the specific time of demand, e.g. start-up or shut-down, or relevant part of the plant is located near a continuously occupied road).

9.7.3 Probability of avoiding the Hazard (Parameter P)
This parameter represents the probability of avoiding the hazardous event if the protection system fails. Two scenarios are defined for SIL review.

Table 5 - Probability of avoiding the Hazard Parameter (P)
Probability of avoiding the hazardous event - Definition
P1 - Possible under certain conditions – some warning available. (Operator is capable of getting away from the hazard or hazard is mitigated by other measures).
P2 - Almost impossible – No warning available. (Operator may not be aware of hazard or may not be able to get away sufficiently quick).
Notes: This parameter takes into account:
- Operation of a process (supervised i.e. operated by skilled or unskilled persons or unsupervised).
- Rate of development of the hazardous event (suddenly, quickly and slowly).
- Ease of recognition of danger (seen immediately, detected by technical measures or detected without technical measures).
- Avoidance of hazardous event (escape possible, not possible or possible under certain conditions; independent facilities are provided to shutdown).
- Facilities are provided to alert the operator that the SIS has failed.
- The time between the operator being alerted and a hazardous event occurring exceeds 15 minutes or is definitely sufficient for the necessary actions.
- Actual safety experience (such experience may exist with an identical unit or a similar unit or may not exist).

9.7.4 Demand Rate (W)
The purpose of the demand rate (W factor) is to estimate the frequency of the unwanted occurrence in the absence of the SIF under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration. Three conditions are defined for SIL review.

Table 6 - Demand Rate Parameter (W)
Likelihood of the unwanted occurrence - Definition
W1 - A very slight probability that the unwanted occurrences will happen and only a few unwanted occurrences are likely: Once in every 30 to 100 years.
W2 - A slight probability that the unwanted occurrences will happen and few unwanted occurrences are likely: Once in every three to 30 years.
W3 - A relatively high probability that the unwanted occurrences will happen and frequent unwanted occurrences are likely: more than once in every one to three years.

9.7.5 Risk Graph – Personnel Safety (Ref. IEC 61511-3 fig D.1)
Risk graph as referred in Figure 2 shall be used to determine SIL for personnel safety. The consequences of the hazardous situation for personnel safety are determined as SIL levels using risk graph.
[Fig 2 - Risk Graph: Personnel Safety]

9.7.6 Risk Graph – Environmental Loss (Ref. IEC 61511-3 fig D.2)
Risk graph as referred in Figure 3 shall be used to determine SIL for environmental loss. The consequences of the hazardous situation for environmental loss are determined as SIL levels using risk graph.
[Fig 3 - Risk Graph: Environmental Loss]

9.7.7 Risk Graph – Economical Loss
The risk graph approach may also be used to determine the integrity level requirements where the consequences of failure include asset loss. Asset loss is the total economic loss associated with failure to function on demand. A similar risk graph to that used for environmental protection can be used for asset loss. It should be noted that the F parameter should not be used, as the concept of occupancy does not apply. The other parameters P and W apply, and their definitions can be identical to those applied above to safety consequences.
[Fig 4 - Risk graph: Economic loss]

For each SIF operating in demand mode, the required SIL shall be specified in accordance with either Fig 2, 3 or 4. The SIL assigned against each range of probability of failure on demand is given in Table 7 for reference.

Table 7 - Safety Integrity Levels: Demand mode of operation
Safety Integrity Level - Target average probability of failure on demand
4 - 10^-5 to < 10^-4
3 - 10^-4 to < 10^-3
2 - 10^-3 to < 10^-2
1 - 10^-2 to < 10^-1
The selected SIL level for a safety interlock function is the highest of the three individual SILs (Safety, Economical and Environmental) and defines a minimum SIL. It is always possible to select a higher SIL level than the required SIL, if the project team thinks this is preferred.
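The selection rule above and the Table 7 bands can be applied mechanically when a design's calculated average PFD is compared with the SIL chosen for a SIF. The following Python sketch is an added example, not part of the QP guideline; the function names, the sample SIF tag, the use of 0 for "no SIL requirement" and the capping of values better than the SIL 4 band are assumptions of this example.

```python
from dataclasses import dataclass

# Table 7 bands for demand mode: SIL -> (lower bound inclusive, upper bound exclusive)
TABLE_7 = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd_avg: float) -> int:
    """Return the Table 7 SIL band containing an average PFD.

    Assumptions of this example: 0 means "does not reach SIL 1", and a PFD
    better than the SIL 4 band is reported as 4, the highest level in Table 7.
    """
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError("PFDavg must be a probability in (0, 1]")
    for sil, (low, high) in TABLE_7.items():
        if low <= pfd_avg < high:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


@dataclass(frozen=True)
class SifAssessment:
    """Risk graph results for one SIF (0 = no SIL requirement, an assumption)."""
    tag: str
    safety: int
    environment: int
    economic: int

    def required_sil(self) -> int:
        levels = (self.safety, self.environment, self.economic)
        if any(level not in range(5) for level in levels):
            raise ValueError(f"{self.tag}: SIL values must be 0 to 4")
        return max(levels)  # highest of the three defines the minimum SIL


def check_design(sif: SifAssessment, pfd_avg: float, selected_sil=None) -> dict:
    """Compare the PFDavg of a design with the SIL selected for the SIF."""
    required = sif.required_sil()
    target = required if selected_sil is None else selected_sil
    if target < required:
        raise ValueError(f"{sif.tag}: selected SIL {target} is below the minimum {required}")
    achieved = sil_from_pfd(pfd_avg)
    return {"required": required, "target": target,
            "achieved": achieved, "meets_target": achieved >= target}


# Constructed sample: the economic-loss graph drives the requirement here.
SAMPLE = SifAssessment(tag="SIF-EXAMPLE-01", safety=2, environment=1, economic=3)

if __name__ == "__main__":
    print(check_design(SAMPLE, pfd_avg=4e-4))   # falls in the SIL 3 band
    print(check_design(SAMPLE, pfd_avg=2e-3))   # only SIL 2, below the target
```

Selecting a SIL above the minimum is accepted, as the guideline allows; selecting one below it raises an error.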
10.0 PLANNING
10.1 PREPARATION OF THE REVIEW
Once the dates and duration of the review(s) are known, the necessary logistical arrangements shall be made. Appendix IV provides a checklist of the SIL review preparation items.
10.2 TIMING OF THE REVIEW
The SIL review of a project shall take place after the associated HAZOP review. A dedicated session shall be performed for each unit.
11.0 DOCUMENTS REQUIRED AND RECORDING
11.1 DOCUMENTS REQUIRED
Before the start of the SIL review exercise the following documents shall be available to serve as input information for the discussion:
- Process Flow Diagrams (PFD).
- Piping and Instrument Diagrams (P&ID). The P&IDs used for the SIL review will show all instruments, check valves, safety valves, controllers, pressure and level switches that are included in the limits of supply.
- Cause & Effect matrix.
- Safe Charts.
- Previous Hazard Analysis (HAZOP) review findings.
- Control and Safeguarding philosophy.
- Interlocks description.
- Layout / plot plan (if available).
- For LICENSOR units, where applicable, LICENSOR recommendation for SIL based on their design knowledge and operating experience.
- Material balance information (information on request).
11.2 RECORDING
The findings of the application of the methodology presented above shall be recorded during the session by the scribe using a computer spreadsheet or dedicated SIL software. The scribe records the results of this identification activity in a table type file (see Appendix I) using a computer and a video projector. Use of a video projector shall allow the team to visualise the record. A SIL review worksheet used for the report of the findings is presented in Appendix I.
Upon completion of the review the chairman will produce a report, which discusses the findings of the review and details the critical findings.
11.3 REPORTING AND FOLLOW-UP
Subsequent to the SIL study, the SIL chairman shall issue the study report and shall document the following as a minimum (see Appendix III for the full Table of Content of the report):
- The scope of the study;
- Study methodology;
- The study team;
- The SIFs reviewed and the reference used;
- Summarise and present the SIL review proceeding, all the recommendations and actions raised with proper reference for close out actions to be carried out;
- Identify/list those responsible for preparing responses to the actions and recommendations;
- Schedule, monitor and record the execution of necessary close out actions.
Recommendations (action/query items) shall be recorded and the corresponding SIL ACTION SHEET (see Appendix II) shall be generated for subsequent follow-up by the project. The Project Engineer shall be responsible for ensuring that the actions and recommendations generated during the review are followed up and implemented by the project (see Appendix II). A formal SIL Close out Report with SIL verification study shall be submitted to QP for approval.
12.0 APPENDICES
12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
Project Name / No:
SIF No:
Date Reviewed: DD MMM YYYY
SIF: Reference / name of the selected SIF
Initiators:
Final Elements:
Initiator Success Criteria:
Final Element Success Criteria:
Associated Operating Actions:
Drawings and Documents: Documents used
DESIGN INTENT: Purpose of the SIF

CAUSE / DEMAND SCENARIO | CONSEQUENCES of FAILURE on DEMAND (CoFD) | INDEPENDENT SAFEGUARDS | RECOMMENDATIONS
List here causes that will trigger the SIF to operate. | List here all the consequences that will occur in case of Failure on demand of the SIF | List here all the independent safeguards | Recommendation of the team (if any)

 | Consequence Parameter | Occupancy Parameter | Probability of Avoiding the hazard Parameter | Demand Rate Parameter | SIL Level
Safety | | | | |
Environment | | | | |
Economic | | | | |

Required SIL level:
SIF Action Number:
Assigned to: Name of person
12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
SIF STUDY ACTION AND RESPONSE SHEET
SIF ACTION ON:
SIF ACTION NO:
RESPOND BY:
MEETING DATES: DD MMM YYYY
DRAWINGS AND DOCUMENTS: documents used (from the front page list of documents studied)
SIF: Reference / name of the selected SIF (SIF Table 1)
DESIGN INTENT: purpose of the SIF
CAUSE / DEMAND SCENARIO: list here causes that will trigger the SIF to operate
CONSEQUENCES of FAILURE on DEMAND (CoFD): list here all the consequences that will occur in case of Failure on demand of the SIF
INDEPENDENT SAFEGUARDS: list here all the independent safeguards
RECOMMENDATIONS: recommendation of the team (if any)
RESPONSE: (Action)
DATED:
SIGNED:
ENTER YOUR RESPONSE IN THE BOX ABOVE, THEN SIGN AND RETURN TO:
NOTES (for use of Scribe only)
12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
TABLE OF CONTENT
1.0 SUMMARY
2.0 INTRODUCTION
3.0 SCOPE
4.0 TEAM COMPOSITION
5.0 DOCUMENTS REFERENCES (Including to the present procedure)
6.0 GENERAL DESCRIPTION
7.0 FINDINGS OF THE REVIEW (if any)
8.0 CONCLUSION (as required)
In attachment:
9.0 COPY OF REFERENCE DOCUMENTS MARKED DURING REVIEW
10.0 SIF CLASSIFICATION RISK MATRIX
11.0 SIL WORKSHEET TABLES
12.0 SIF CLASSIFICATION REVIEW ACTION SHEETS (if any)
12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
Check-list up-dated by: Name: _ _ _ _ _ _ _ _ _ _ Date: _ _/ _ _/ _ _
Logistics:
Dates defined: Start date: _ _/ _ _/ _ _ End date: _ _/ _ _/ _ _
Chairman selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Scribe selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Room booked for the period: Yes/No Room # _ _ _ _ _ _ _ _ _ _
Computer booked for the period: Yes/No
Data Projector booked for the period: Yes/No
Coffee/biscuits ordered for the period: Yes/No
Documents available:
Methodology, SIL Procedure: Yes/No
PFD: Yes/No
PID: Yes/No
Cause & Effect Matrix: Yes/No
Safe Charts: Yes/No
Process description, balance, layout, etc: Yes/No
Previous hazard analysis: Yes/No
Participants:
List of participants identified: Yes/No
Participants have been informed of review session dates: Yes/No When? Date: _ _/ _ _/ _ _
Documentation made available to participants: Yes/No
12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS (REF.: IEC 61511-3)
Descriptions of Process Industry Risk Graph Parameters
Parameter | Symbol | Description
Consequence | C | Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Determined by calculating the numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event.
Occupancy | F | Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event. This should take into account the possibility of an increased likelihood of persons being in the exposed area in order to investigate abnormal situations which may exist during the build-up to the hazardous event (consider also if this changes the C parameter).
Probability of avoiding the hazard | P | The probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard prior to the hazard occurring and there being methods of escape.
Demand rate | W | The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration.
12.6 APPENDIX VI - DEMAND RATE
The demand rate will be determined using the team’s collective experience, along with reference data from OREDA, USRMP or other accepted databases. The QP database for failure rates shall be primarily considered when available. Failure rates for typical equipment items are shown below as examples.

Typical Failure Rate Data (from OREDA – Offshore Reliability Database)
Item | Mean Failure Rate per 10^6 hours | Per Year (Continuous Operation) | 1 Failure per (years)
Pressure Switch (Pneumatic) | 5.3 | 0.05 | 21
Level Switch (Pneumatic) | 2.8 | 0.024 | 40
Level Switch (Electric) | 9.6 | 0.084 | 12
Level Transducer | 11 | 0.096 | 10
PCV / LCV (Ball) | 10 to 16 (1 to 20") | 0.086 to 0.14 | 7 to 11
PCV / LCV (Globe) | 19 to 24 (1 to 10") | 0.053 to 0.21 | 5 to 19
PSV | 22 | 0.19 | 5.25
XSDV (Globe Valve) | 25.94 | 0.227 | 4.4
XBDV (Ball Valve) | 24 to 44 (1 to 10") | 0.21 to 0.39 | 2.5 to 5
Electric Relay (logic solver) | 4.1 | 0.036 | 27.8
Pilot Valve (in SDP) | 6.5 | 0.0575 | 17
Fusible Plug | 0.27 | 0.00237 | 423
H2S Gas Detector | 11.46 | 0.1004 | 9.96
IR HC Gas Detector | 36.5 | 0.320 | 3.13

Item Leak Frequency (Offshore Hydrocarbon Release Statistics and Analysis, 2002, HID Statistics Report HSR 2002 002, UK Health and Safety Executive, February 2003.)
Item | Leak Frequency (per year) | 1 leak per (years)
Flange | 5.2 x 10^-5 | 19230
Valve | 4 x 10^-4 | 2500
Instrument Connections | 6 x 10^-4 | 1700
Pressure Vessel | 2 x 10^-3 | 500
Centrifugal pump | 5 x 10^-3 | 200
Shell & Tube Heat Exchanger | 3.5 x 10^-3 | 290
Launcher / Receiver | 1 x 10^-2 | 100
Centrifugal Compressor | 8 x 10^-3 | 125
Reciprocating Compressor | 7 x 10^-2 | 15

Overall Leak Frequencies for a Platform:
Large Integrated Offshore Platform: approx. 1 leak per year
Minimum facilities wellhead platform: approx. 1 leak per 10 years
Riser Failure frequency: approx. 1 x 10^-3 per year, or 1 in 1000 riser years
12.7 APPENDIX VII – QP CORPORATE RISK MATRIX (Ref: Corporate Procedure for Incident management Doc# QPR-STM- 001)
Risk Assessment Matrix

Potential severity of consequences (increasing severity from 0 to 5):
Severity | People | Asset/Production | Environment | Reputation
0 | No injury | No damage | No Effect | No Impact
1 | Slight injury or health effect | Slight damage, no disruption to operation | Slight Effect | Slight Impact
2 | Minor injury or health effect | Minor damage (< QR 350,000) | Minor effect | Limited Impact
3 | Major injury or health effect | Local damage (< QR 3,500,000) | Localised Effect | National Impact
4 | Single Fatality or permanent total disability | Major damage (< QR 35,000,000) | Major Effect | Regional Impact
5 | Multiple fatalities | Extensive damage (> QR 35,000,000) | Massive Effect | International impact

Increasing probability (A to E):
A | Never heard in Industry
B | Has Occurred in Industry
C | Has Occurred in QP
D | Occurs several times a year in QP
E | Occurs several times a year in this site

Risk levels: No Risk, Low Risk, Medium Risk, High Risk
FIGURE A- QP RISK ASSESSMENT MATRIX
12.7 APPENDIX VII – Cont., QP CORPORATE RISK MATRIX
Risk Matrix (Explanation Sheet)
Consequence Category Definitions

1.0 PEOPLE
Harm to people is further explained for:
Slight injury or Health effects: This includes first aid and medical treatment that does not affect work performance or cause disability.
Minor injury or Health effects: A lost time injury that restricts a person's work performance where the injury results in a work assignment after the day of the incident that does not include all of the normal duties of that person's regular job. It may take a few days off from work to fully recover (Lost Time Incident). Limited health effects that are reversible, e.g. skin irritation, food poisoning.
Major injury or Health effects (Including permanent partial disability): Work performance is affected in the long term, such as prolonged absence from work, irreversible damage to health without loss of life. For example, noise induced hearing loss, chronic back injuries.
Single fatality or permanent total disability: This is either from a work-related incident or an occupational illness such as poisoning or cancer.
Multiple fatalities: More than one fatality either from a work-related incident or an occupational illness such as poisoning or cancer.

2.0 ENVIRONMENT
Harm to the Environment is further explained for:
Slight effect: Negligible financial consequences and local environmental risk within the fence and within the system.
Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.
Local effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence or neighbourhood.
Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state; extended exceeding of statutory or prescribed limits.
Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area; in terms of commercial or recreational use or nature conservancy, a major economic loss for the company; constant high exceeding of statutory or prescribed limits.

3.0 ASSET DAMAGE / LOSS OF PRODUCTION
Asset damage and loss of production is further explained for:
Slight damage: No disruption to operation with estimated cost less than QR 25,000.
Minor damage: Brief disruption to operation with estimated cost less than QR 350,000.
Local damage: Partial shutdown of operation; can be restarted with estimated cost up to QR 3,500,000.
Major damage: Partial loss of operation; 2 weeks shutdown with estimated cost up to QR 35,000,000.
Massive damage: Substantial or total loss of operation with estimated cost in excess of QR 35,000,000.

4.0 REPUTATION
Damage or loss of reputation is further explained for:
Slight impact: Public awareness may exist but there is no public concern.
Limited impact: Some local public concern; some local media and/or local political attention with potentially adverse aspects for QP operations.
National impact: National public concern; extensive adverse attention in the national media.
Regional impact: Extensive adverse attention in the regional media; regional public and political concern.
International impact: Extensive adverse attention in international media; international public attention.
REVISION HISTORY LOG
Revision: 1
Date: 24/03/2010
Reason for Change/Amendment
Item Revised:
Changes/Amendment: This new guideline is developed to cover the corporate requirements for safety integrity level review.
Note: The revision history log shall be updated with each revision of the document. It shall contain a written audit trail of the reason(s) why the changes/amendments have occurred, what the changes/amendments were and the date at which the changes/amendments were made.