SAEP-250

March 30, 2017 | Author: aboalhassan | Category: N/A

Engineering Procedure SAEP-250
Safety Integrity Level Assignment & Verification

Process Control Standards Committee Members

24 October 2009

Khalifah, Abdullah Hussain, Chairman
Assiry, Nasser Yahya, Vice Chairman
Awami, Luay Hussain
Ben Duheash, Adel Omar
Bu Sbait, Abdulaziz Mohammad
Baradie, Mostafa M.
Dunn, Alan Ray
Fadley, Gary Lowell
Genta, Pablo Daniel
Ghamdi, Ahmed Saeed
Green, Charlie M.
Hazelwood, William Priest
Hubail, Hussain Makki
Jansen, Kevin Patrick
Khalifa, Ali Hussain
Khan, Mashkoor Anwar
Mubarak, Ahmad Mohd.
Qaffas, Saleh Abdal Wahab
Shaikh Nasir, Mohammad Abdullah
Trembley, Robert James

Saudi Aramco DeskTop Standards

Table of Contents
1 Scope ........................................ 2
2 Conflicts and Deviations ..................... 3
3 Applicable Documents ......................... 3
4 Definitions .................................. 4
5 Instructions ................................. 7
6 Responsibilities ............................ 16

Previous Issue: 27 October 2007   Next Planned Update: 27 October 2012
Revised paragraphs are indicated in the right margin
Primary contact: Brell, Austin on 966-3-8739455
Copyright © Saudi Aramco 2009. All rights reserved.

Page 1 of 32

Document Responsibility: Process Control   Issue Date: 24 October 2009   Next Planned Update: 27 October 2012

SAEP-250 Safety Integrity Level Assignment & Verification

Table of Contents (cont'd)
Appendix A - Required SIL Assignment Report Contents ...... 18
Appendix B - Required SIL Verification Report Contents .... 20
Appendix C - Responsibilities for Engineering ............. 22
Appendix D - SIF Specification Sheet ...................... 23
Appendix E - SIL Assignment Worksheet ..................... 24
Appendix F - Risk Graph Tables and Worksheet .............. 25
Appendix G - Risk Matrix Table ............................ 29
Appendix H - Quantitative Risk Criteria ................... 30
Appendix I - General Notes ................................ 31

1 Scope

This Saudi Aramco Engineering Procedure provides procedures and guidelines for the assignment and verification of Safety Integrity Levels (SIL) in ESD loops and for the analysis of the spurious trip rate (STR) that may result from introducing an ESD safety instrumented function into the process facility. The procedure applies a risk-based approach to safety functions to validate that the design of safety systems in Saudi Aramco is adequate to protect personnel, the environment and assets against potentially hazardous situations. The risk-based approach to SIL assignment and verification is required by SAES-J-601 and is based on the international standards ANSI/ISA 84.00.01 and IEC 61511.

This procedure is to be used for new facilities and for modifications to existing facilities with safety instrumented functions. The document provides the risk tolerability criteria, recommended data sources for commonly used control, instrument and process equipment, and typical specification sheets to document Safety Instrumented Functions (SIF). The document also defines the roles and responsibilities of LPD, the Proponent Department, Project Management and P&CSD.

HIPS are a form of ESD and shall follow the same calculation procedures outlined in this document and in SAEP-354, High Integrity Protective Systems Design Requirements.

As a minimum, SIL studies shall be updated along with any changes to the facilities, and also when major modifications in data basis, models or SIL estimating methods occur.

2 Conflicts and Deviations

2.1 Any conflicts between this Procedure and other applicable Saudi Aramco Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards (SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi Aramco Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Company or Buyer Representative through the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from this Procedure in writing to the Company or Buyer Representative, who shall follow internal company procedure SAEP-302 and forward such requests to the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran.

3 Applicable Documents

All referenced Procedures, Standards, Specifications, Codes, Forms, Drawings, and similar material or equipment supplied shall be considered part of this Procedure to the extent specified herein and shall be of the latest issue (including all revisions, addenda, and supplements) unless stated otherwise.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-302    Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement
SAEP-354    High Integrity Protective Systems

Saudi Aramco Engineering Standards
SAES-J-002  Technically Acceptable Instruments
SAES-J-601  Emergency Shutdown & Isolation Systems

3.2 Industry Codes and Standards

The Instrumentation, Systems, and Automation Society (ISA)
ANSI/ISA 84.00.01   Functional Safety – Safety Instrumented Systems for the Process Industry Sector
ISA TR84.0.02       Safety Instrumented Functions – Evaluation Techniques

The International Electrotechnical Commission (IEC)
IEC 61511           Functional Safety – Safety Instrumented Systems for the Process Industry Sector

Reliability Data Sources
OREDA   Offshore Equipment Reliability Handbook
EXIDA   Safety Equipment Reliability Handbook
SHELL   SIFPro Reliability Data Tables

4 Definitions

4.1 Acronyms

DCF     Diagnostic Coverage Factor
ESD     Emergency Shutdown System
ETA     Event Tree Analysis
FTA     Fault Tree Analysis
HAZOP   Hazards and Operability Study
HIPS    High Integrity Protective System
IO      Input/Output
IPL     Independent Protection Layer
LPD     Loss Prevention Department
P&CSD   Process and Control Systems Department
PFD     Probability of Failure on Demand
PHA     Preliminary Hazard Analysis
QRA     Quantitative Risk Assessment
SAPMT   Project Management Team
SIL     Safety Integrity Level
SIF     Safety Instrumented Function
SIS     Safety Instrumented System
SRS     Safety Requirements Specification
STR     Spurious Trip Rate
UPS     Uninterruptible Power Supply
ZV      Power Operated Emergency Isolation Valve

4.2 Definition of Terms

Beta Factor: The number of common cause failures expressed as a fraction of all possible failures. A common mode failure is a failure that may affect duplicate components in redundant configurations.

Dangerous Failure: A failure that will prevent the safety function from protecting the process.

Demand: A process or equipment condition which requires the safety function to take action to prevent a hazardous situation.

Diagnostic Coverage Factor: The number of dangerous failures that diagnostic features are capable of detecting, expressed as a fraction of all possible dangerous failures.

Failure: An abnormal situation that prevents the operation of the safety function(s).

Final Control Element: A device that manipulates a process variable. Final elements include valves, relays, solenoids and switchgear.

Initiator: The input measuring device that initiates a trip signal to the ESD system. Initiators include switches, transmitters and manual pushbuttons.

Inherent Safety: A design that removes the hazard at the source, as opposed to accepting the hazard and looking to mitigate its effects. Inherent safety therefore generates little or no damage in the event of an incident. The principles of inherently safe design are to minimize, substitute, moderate, and simplify.

Logic Solver: The system that is used to perform the application logic. Logic solvers may be programmable, relay based or solid state.

Mechanical Integrity: The suitability of the equipment to operate safely and reliably under the normal and abnormal (upset) operating conditions to which the equipment is exposed.

MTTF: "Mean Time To Failure" is the expected time to failure of a system in a population of identical systems.

MTBF: "Mean Time Between Failures" is the expected time between failures of a system, including the time to repair. In its simplest form it is derived as:

MTBF = MTTF + MTTR

MTTR: "Mean Time To Repair" is the statistical average of the time taken to identify and repair a fault (including diagnosis) in a population of identical systems.

Probability of Failure on Demand (PFD): The probability that the SIF fails to respond to a demand or a manual initiation.

Process Safety Time: The time it takes for a hazardous situation (such as a release) to occur after the process operates beyond the trip point of the safety function.

Proof Test Coverage Factor: The fraction of dangerous failures detected by a proof test.

Residual Risk: The risk remaining after protective measures have been taken.

Safety Availability: The fraction of time that a safety system is able to perform its designated function when the process is operating. The safety system is unavailable when it has failed dangerously or is in bypass. Safety availability is equal to 1 minus the PFD (dangerous) of the safety function.

Safe Failure: A failure that does not place the SIF in a dangerous state. A safe failure results in a trip or an alarm to the operator.

Safe Failure Fraction: The fraction of all failures that drive the device to its safe state, i.e., a trip or an alarm.

Safety Instrumented Function (SIF): A safety instrumented function consists of input devices, a logic solver and final output devices. Another term commonly used in Saudi Aramco is ESD Loop.

Safety Integrity Level (SIL): The level of overall availability for an ESD loop or ESD system component, calculated as 1 minus the sum of the average probability of dangerous failure on demand.

Table 1 – Safety Integrity Levels (SIL)

SIL    RRF (Risk Reduction Factor)   PFDavg (Probability of Failure on Demand) (1/RRF)   Safety Availability (1 - PFDavg)
0/a    Process Control
1      10 to 100                     1/10 to 1/100                                        90 - 99%
2      100 to 1,000                  1/100 to 1/1,000                                     99 - 99.9%
3      1,000 to 10,000               1/1,000 to 1/10,000                                  99.9 - 99.99%
4      10,000 to 100,000             1/10,000 to 1/100,000                                99.99 - 99.999%

Spurious Trip Rate (STR): The rate, expressed per year, at which a trip leading to a shutdown of the process would occur.

Test Interval (TI): The interval in time between tests made on a device or logic solver.

5 Instructions

5.1 SIL Assignment

5.1.1 General

The SIL assignment establishes the risk reduction needed for each process system to protect against one or more hazards (such as explosion, toxic release, leak, etc.). The risk reduction is calculated as the gap between the existing risk posed by the process or equipment and the risk target. Risk reduction is provided by process and mechanical integrity, independent protection layers and, if so required, safety instrumented systems (SIS).

5.1.2 Identification of Safety Instrumented Functions

Safety instrumented functions are to be identified during the engineering design phase to meet:

5.1.2.1 Licensor engineering requirements and previous design experience for similar processes.

5.1.2.2 In-plant or industry experience with process upsets, incident or accident reports.

5.1.2.3 Engineering requirements of Saudi Aramco Standards.

5.1.2.4 HAZOP/PHA recommendations for process interlocks, alarms and shutdown interlocks.

5.1.2.5 Recommendations from any process analysis such as the study of the impact of control instrument failures, control valve failure modes, pressure relief and flare capacity studies, etc.

5.1.3 Acceptable SIL Assignment Techniques and Software Packages

5.1.3.1 Semi-quantitative Risk Graph, modified Risk Matrix or LOPA may be used for SIL assignment at project proposal or detailed engineering on ESD loops.

5.1.3.2 Fully quantitative SIL analysis using consequence modeling, ETA and FTA shall be used for all SIL#3 ESD loops (SIFs).

5.1.3.3 Software packages which support consequence modeling, ETA and FTA are recommended to assist in the documentation and consistency of the assignment process. Refer to Loss Prevention Department / Technical Support Unit for recommended consequence modeling packages.

5.1.4 Documentation of Calculations

All assumptions and the source of data used, consequence and frequency model calculations and any information necessary to support the risk assessment shall be documented and maintained with the project documentation as specified in Appendix A of this procedure.

5.1.5 SIL Assignment at Project Proposal or Detailed Engineering

5.1.5.1 SIL Assignment at the Project Proposal and Detailed Design stages may use risk graph, modified risk matrix or Layers of Protection Analysis (LOPA). SIL Assignment should be completed in Project Proposal.

5.1.5.2 The SIL study should be conducted before the HAZOP study, and before instrumentation and control equipment is ordered.

5.1.5.3 The consequence and frequency criteria in Appendix F are to be used for the risk graph, modified risk matrix and LOPA methods.

5.1.5.4 SIL#4 shall not be assigned for Saudi Aramco facilities design; instead the process and mechanical design shall be reviewed and modified to reduce the residual risk required of a SIF to SIL#3 or below.

5.1.6 SIL Assignment Planning

In order to follow a sound and well-planned process, the following is required in preparation for a SIL study:

5.1.6.1 The scope of the study and its limitations are to be clearly defined, including the documentation requirements as outlined in Appendix A.

5.1.6.2 The study team must be formed by knowledgeable personnel as specified in section 5.1.7 of this procedure.

5.1.6.3 The SIL Assignment methodologies and the risk criteria are to be agreed upon prior to beginning the study.

5.1.6.4 Process Flow Diagrams which show both key control and shutdown instrumentation shall be available to assist the team in overviewing the process.

5.1.6.5 The supporting project documentation for the SIL Study required by the team comprises P&IDs, a Safety Instrumented Functions List and Cause-and-Effect Charts.

5.1.6.6 Supporting software packages should be available and understood by the Study Team Leader.

5.1.7 Personnel

The SIL Assignment team shall be formed of knowledgeable and competent personnel: a process engineer, an instrument and control engineer, senior operations personnel and a safety engineer. The team leader must have a working knowledge of the SIL assignment process and be familiar with the process under design and the software tools being used during the study.

5.1.8 Independent Protection Layers (IPL)

Independent protection layers, when applied to mitigate the hazard, shall reduce the identified risk by a factor of 10^-1 and shall be independent, dependable and auditable. IPLs may include one or more of the following:

5.1.8.1 Mechanical Protection such as a Safety Relief Valve.

5.1.8.2 Operator Intervention, provided that:

5.1.8.2.1 The operator has an adequate alarm system (i.e., alarms are fewer than 280 per console operator per day).

5.1.8.2.2 There are written procedures stating the operator action.

5.1.8.2.3 The operator regularly completes the action as a drilled exercise.

5.1.8.3 Dike, fire proofing, blast proofing.

5.1.8.4 Fire Suppression Systems.

5.1.9 SIL Assignment Procedure Using Risk Graph

5.1.9.1 Use Appendix F to assign SIL functions using Risk Graph.

5.1.9.2 Use Appendix F, Figure 3 to document the Risk Graph results.

5.1.10 SIL Assignment Procedure Using Risk Matrix

5.1.10.1 Use Appendix G to assign SIL functions using Risk Matrix.

5.1.10.2 Use Appendix E to document the Risk Matrix results.

5.1.11 SIL Assignment for SIL#3

5.1.11.1 Fully quantitative SIL analysis using consequence modeling, ETA and FTA shall be used for all SIL#3 loops.

5.1.11.2 The form depicted in Appendix E shall be used to document the results of the study.

5.1.11.3 Develop accident scenarios for every initiating event. This shall be accomplished using an ETA.

5.1.11.5 Evaluate the consequences of all significant accident scenarios using consequence modeling software recognized in the process industry.

5.1.11.6 Use Appendix I "Quantitative Risk Criteria" to determine the Risk Target Frequency.

5.1.11.7 Determine the frequency of occurrence of each accident scenario using an FTA, considering only the Process and Control System risk. All protective systems shall be disregarded for this purpose.

5.1.11.8 Compare the frequency of occurrence of each accident scenario against its risk target. The risk reduction required for each case is determined by the gap between the actual risk of the process and the risk target for each scenario.

5.1.11.9 Add all the IPLs that could reduce the risk gap. IPLs that comply with all the criteria established in section 5.4 may be used.

5.1.11.10 SIL#3 functions that are designated as HIPS functions shall follow SAEP-354 and perform a cost-benefit analysis.
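The gap calculation of 5.1.11.7 to 5.1.11.9 (unmitigated scenario frequency against its risk target, IPL credit of 10^-1 each per 5.1.8, remainder assigned to the SIF and mapped to a Table 1 band) is mechanical enough to script. The following is an added example, not part of the procedure: it assumes the risk target is supplied by the caller (the real targets come from the procedure's quantitative risk criteria appendix, which is not reproduced here), and the scenario frequencies in the `__main__` block are constructed sample values.

```python
"""Required SIL from the risk gap, following SAEP-250 5.1.1, 5.1.8 and
5.1.11.7 to 5.1.11.9. Added example, not part of the procedure; the
scenario frequency and risk target below are constructed sample values."""

# Table 1 of SAEP-250: RRF band per SIL, lower bound inclusive, upper exclusive.
SIL_RRF_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}

# 5.1.8: each qualifying IPL reduces the identified risk by 10^-1.
IPL_RISK_REDUCTION = 10.0


def _snap(x):
    """Round to 9 significant figures so floating-point noise (999.9999999
    instead of 1000) cannot push a value across a Table 1 band boundary."""
    return float(f"{x:.9g}")


def required_risk_reduction(scenario_freq_per_yr, target_freq_per_yr):
    """5.1.11.8: the gap between the unmitigated scenario frequency (FTA of the
    process and control system only, per 5.1.11.7) and its risk target,
    expressed as the overall RRF needed. A value <= 1 means there is no gap."""
    if scenario_freq_per_yr <= 0 or target_freq_per_yr <= 0:
        raise ValueError("frequencies must be positive (per year)")
    return _snap(scenario_freq_per_yr / target_freq_per_yr)


def residual_rrf_for_sif(total_rrf, qualifying_ipls):
    """5.1.11.9: credit each IPL that is independent, dependable and auditable
    with a factor of 10; the SIF must provide whatever is left."""
    if qualifying_ipls < 0:
        raise ValueError("IPL count cannot be negative")
    return _snap(total_rrf / IPL_RISK_REDUCTION ** qualifying_ipls)


def sil_for_rrf(rrf):
    """Table 1 band for the RRF the SIF must supply.
    0    -> no SIF needed (row 0/a, process control territory: RRF < 10)
    1-4  -> the SIL band
    None -> beyond the SIL 4 band (RRF >= 100,000)."""
    if rrf < SIL_RRF_BANDS[1][0]:
        return 0
    for sil, (low, high) in SIL_RRF_BANDS.items():
        if low <= rrf < high:
            return sil
    return None


def assign_sil(scenario_freq_per_yr, target_freq_per_yr, qualifying_ipls=0):
    """Run the 5.1.11 sequence for one accident scenario and flag the two
    procedure rules that follow from the result:
    - 5.1.3.2 / 5.1.11.1: a SIL 3 function needs fully quantitative analysis;
    - 5.1.5.4: SIL 4 is not assignable, so a SIL 4 (or higher) requirement
      means the process or mechanical design must change instead."""
    gap = required_risk_reduction(scenario_freq_per_yr, target_freq_per_yr)
    sif_rrf = residual_rrf_for_sif(gap, qualifying_ipls)
    sil = sil_for_rrf(sif_rrf)
    return {
        "risk_gap_rrf": gap,
        "sif_rrf": sif_rrf,
        "sil": sil,
        "quantitative_analysis_required": sil == 3,
        "design_change_required": sil is None or sil == 4,
    }


if __name__ == "__main__":
    # Constructed scenario: 0.1 events/yr unmitigated against a 1E-05/yr target,
    # with zero to four qualifying IPLs (e.g. a relief valve) credited.
    for ipls in range(0, 5):
        print(ipls, "IPL(s):", assign_sil(0.1, 1e-5, ipls))
```

With the constructed 0.1/yr scenario and 1E-05/yr target the gap is an RRF of 10,000; one IPL leaves 1,000 for the SIF (SIL 3, so a fully quantitative study is required), two IPLs leave 100 (SIL 2), and with no IPL the SIF would have to be SIL 4, which the procedure does not allow to be assigned.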

5.2 SIL Verification

5.2.1 Documentation of Calculations

All assumptions, data sources, and any other information necessary to define the final system availability and spurious trip rate shall be documented and maintained with the shutdown system documentation as required in Appendix B.

5.2.2 SIL Verification Techniques and Software Packages

Simplified Equations, Markov Models or Fault Tree Analysis may be used to provide the calculations for system availability and spurious trip rate. Software packages which support these modeling techniques are recommended to assist in the documentation and consistency of the calculations.

5.2.3 Assumptions Used in Calculations

5.2.3.1 Failure rate data shall be sourced from recognized industry sources such as OREDA, EXIDA, Shell SIFPro, certified manufacturers' technical sheets or TUV reports.

5.2.3.2 Components used in the shutdown system shall be technically acceptable per SAES-J-002 and proven in use in Aramco facilities or TUV certified.

5.2.3.3 When calculating dangerous failures for an energize-to-trip system, the power supply shall be included in the calculations for dangerous failures.

5.2.3.4 The failure rate for a logic solver shall include the input and output module type for that function.

5.2.3.5 Failure rate values are to be taken from specific FMEA, third party reports, TUV reports or references provided in this report.

5.2.3.6 The calculated PFDavg should be verified as better than the minimum required PFDavg value by a factor of 25%. That is:

    SIL 1: PFDavg < 7.5E-02
    SIL 2: PFDavg < 7.5E-03
    SIL 3: PFDavg < 7.5E-04

5.2.3.7 The PFDavg calculations may assume that the calibration and repair time is small compared to the MTTF.
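The 25% margin of 5.2.3.6 is a stricter acceptance criterion than the Table 1 bands alone: a PFDavg of 8E-03 sits inside the SIL 2 band but fails the SIL 2 limit of 7.5E-03. The check below is an added example, not part of the procedure; it encodes Table 1 and the 5.2.3.6/5.2.3.7 limits as written, and the PFDavg values in the `__main__` block are constructed sample results rather than figures from any study.

```python
"""SIL verification check against Table 1 with the 25% design margin of
SAEP-250 5.2.3.6 / 5.2.3.7. Added example, not part of the procedure; the
PFDavg values used in __main__ are constructed sample results."""

# Table 1: PFDavg upper bound of each SIL band (achieved PFDavg must be below it).
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# 5.2.3.6: the calculated PFDavg must beat the band limit by 25%.
DESIGN_MARGIN = 0.25


def required_pfd_limit(target_sil):
    """PFDavg the design must stay below for the target SIL, margin included:
    SIL 1 -> 7.5E-02, SIL 2 -> 7.5E-03, SIL 3 -> 7.5E-04 (5.2.3.7).
    SIL 4 is rejected because 5.1.5.4 does not allow it to be assigned."""
    if target_sil not in (1, 2, 3):
        raise ValueError("target SIL must be 1, 2 or 3")
    return SIL_PFD_UPPER[target_sil] * (1.0 - DESIGN_MARGIN)


def sil_band(pfd_avg):
    """Nominal Table 1 band of an achieved PFDavg, without the margin.
    Returns 0 when PFDavg >= 0.1 (row 0/a: process control only)."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    band = 0
    for sil in (1, 2, 3, 4):
        if pfd_avg < SIL_PFD_UPPER[sil]:
            band = sil
    return band


def verify_sif(pfd_avg, target_sil):
    """Verdict for one SIF: the Table 1 columns (RRF = 1/PFDavg, safety
    availability = 1 - PFDavg), the nominal band, and whether the achieved
    PFDavg clears the margin-adjusted limit. A PFDavg inside the target band
    but above the limit fails 5.2.3.6 even though it is nominally in band;
    5.2.4.5 then calls for different components or more redundancy."""
    limit = required_pfd_limit(target_sil)
    return {
        "pfd_avg": pfd_avg,
        "rrf": 1.0 / pfd_avg,
        "safety_availability": 1.0 - pfd_avg,
        "nominal_sil": sil_band(pfd_avg),
        "required_limit": limit,
        "meets_target_with_margin": pfd_avg < limit,
    }


if __name__ == "__main__":
    # Constructed sample results: (achieved PFDavg, target SIL)
    for pfd, target in ((6.0e-3, 2), (8.0e-3, 2), (5.0e-4, 3), (2.0e-3, 3)):
        v = verify_sif(pfd, target)
        status = "OK" if v["meets_target_with_margin"] else "FAIL"
        print(f"PFDavg={pfd:.1E} target SIL {target}: nominal SIL {v['nominal_sil']}, "
              f"RRF={v['rrf']:.0f}, limit={v['required_limit']:.2E} -> {status}")
```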

5.2.3.8 The standard requirement for proof test intervals of instruments and control equipment shall be: transmitters (1 year), switches (6 months), valves (partial stroke quarterly and full stroke yearly), logic solvers (10 years). These proof test intervals may be extended based on calculations showing that the PFDavg meets the required target SIL.

5.2.3.9 Spurious trip calculations shall take into consideration the failure mode of the transmitter and any time-delay shutdown logic which would inhibit a spurious trip. When a transmitter is configured to fail away from the trip point, or the logic is such that the trip signal is bypassed or delayed by a bad transmitter, then the spurious trip is inhibited. When the spurious trip is inhibited in this way, no spurious trip rate for the transmitter is necessary.

5.2.3.10 The MTTR for a transmitter, switch, valve or other device to be offline is one shift (or 8 hours).

5.2.3.11 Partial stroke testing for valves shall use a 60% contribution to the PFDavg. Full stroke testing shall use a 40% contribution factor to the PFDavg.

5.2.3.12 Shutdowns which are initiated manually via a push/pull button are exempt from SIL verification. These shutdown buttons require an operator intervention that is used for both prevention and mitigation of hazardous events. Shutdowns which are manually initiated by the operator via push/pull button shall be considered as SIL#1 loops and included in the ESD system.

5.2.4 Calculation Procedure

Refer to ISA TR84.00.02 Part 2.

5.2.4.1 Identify the Safety Instrumented Functions and the SIL required.

5.2.4.2 List the components of the SIF. List the MTTF (dangerous) for each component.

5.2.4.3 Calculate the PFDavg for each combination of components (sensors, logic solver, final elements) and then sum the values to obtain the PFDavg for the safety instrumented function.

5.2.4.4 Determine whether the PFDavg meets the integrity requirements of the Safety Requirements Specification.

5.2.4.5 The PFDavg shall meet or exceed the requirements of the SIL specified; otherwise the component selection and redundancy shall be modified accordingly.

5.2.5 PFDavg/Availability Calculation References

5.2.5.1 See ISA TR84.0.02 Parts 1 and 2 for use of Simplified Equations.

5.2.5.2 See ISA TR84.0.02 Part 3 for use of Fault Tree Models.

5.2.5.3 See ISA TR84.0.02 Part 4 for use of Markov Models.

5.2.6 Determining the PFDavg of Sensors

5.2.6.1 Identify the sensors, list their dangerous failure rates (i.e., dangerous undetected failures) and Test Interval (TI), and calculate the PFDavg.

5.2.6.2 For dirty process conditions, apply a severity factor to the sensor failure rate, effectively de-rating it for the service conditions.

5.2.6.3 Sum the PFDavg for the sensors.

5.2.7 Determining the PFDavg of Final Control Elements

5.2.7.1 Identify the valves, and each of the components on the valve including solenoid valve, positioners, boosters and multiplexers, etc.

5.2.7.2 Calculate the PFDavg for the valve package.

5.2.7.3 Sum the PFDavg for the Final Control Elements.

5.2.8 Determining the PFDavg of the Logic Solver

5.2.8.1 Identify the type and manufacturer of the hardware to be used.

5.2.8.2 Identify the IO module types for the function and logic solver combination.

5.2.8.3 Calculate the PFDavg using a system calculation tool.

5.2.9 Determining the PFDavg of the Separate Field Power Supplies and UPS

5.2.9.1 If the ESD is designed for de-energize-to-trip, the power supply does not impact the safety function, as a power supply failure will result in the action of bringing the process equipment to the safe state. Identify the type and manufacturer of the hardware to be used.

5.2.9.2 If the ESD is designed for energize-to-trip, the power supply does impact the safety function, as a power supply failure will not allow the ESD to be initiated. List the MTBF for each power supply, both field power supplies and UPS. Identify the IO module types for the function and logic solver combination.

5.2.9.3 Calculate the PFDavg for the UPS and Field Power Supplies.

5.2.10 Simplified Equations for PFDavg and STR

See ISA TR84.0.02 Parts 1 and 2 for use of Simplified Equations including beta factors and dangerous detected failures. The following table is a summary of the simplified equations without these factors. Note that these simplified equations assume that the voted components are the same, which is not always the case. The equations assume similar failure rates for redundant components.

Table 2 – Simplified Equations for Different Voting Architectures

Voting    PFDavg    Spurious Trip Rate (STR)
(The PFDavg and STR expressions of this table are not reproduced; only the voting architectures listed survive.)
1oo1
1oo2
1oo2D
1oo3
2oo2
2oo3
2oo4

5.3 Spurious Trip Rate Calculation

STR calculations are made when a specific safety function may cause unacceptable loss of production when the safety function fails.

5.3.1 Documentation of Calculations

All assumptions, data sources, and any other information necessary to define the final system availability and spurious trip rate shall be documented and maintained with the shutdown system documentation.

5.3.2 Assumptions Used in Calculations

5.3.2.1 The cost of the end device should include the total installed cost, including engineering.

5.3.2.2 Loss of production estimates should be clearly defined in simple terms: average loss basis, number of hours down, and % of turndown.

5.3.3 Calculation Procedure

5.3.3.1 Identify the initiators to shutdown in each SIF.

5.3.3.2 List the MTTF (spurious) for each sensor.

5.3.3.3 List the MTTR (spurious) for each sensor.

5.3.3.4 Calculate the spurious trip rate for the combination of sensors.

5.3.3.5 Repeat steps 1-4 for final control elements.

5.3.3.6 Repeat steps 1-4 for logic solver and power supplies.
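The PFDavg roll-up of 5.2.4 and 5.2.6 to 5.2.9 and the STR roll-up of 5.3.3 follow the same pattern: evaluate each voted subsystem with the simplified equation for its architecture, then sum. The script below is an added example, not part of the procedure, and it serves both passages. It assumes the standard simplified expressions of ISA TR84.00.02 Part 2 with beta factor and diagnostic credit left out, as the 5.2.10 summary table does (1oo2D and 2oo4 are omitted); it applies the 8-hour MTTR of 5.2.3.10, the spurious-trip inhibit of 5.2.3.9, and interprets the 60%/40% split of 5.2.3.11 as 60% of the valve's dangerous failure rate being tested at the partial stroke interval and 40% only at the full stroke interval. The failure rates in `example_sif()` are constructed sample values, not data-sheet figures.

```python
"""PFDavg and spurious trip rate (STR) roll-up for one SIF, following the
calculation procedures of SAEP-250 5.2.4, 5.2.6 to 5.2.10 and 5.3.3 with the
assumptions of 5.2.3.9 to 5.2.3.11. Added example, not part of the procedure.
Formulas: standard simplified equations of ISA TR84.00.02 Part 2, no beta
factor, no diagnostic credit. Failure rates in example_sif() are constructed."""

from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0
MTTR_HOURS = 8.0            # 5.2.3.10: one shift
PARTIAL_STROKE_SHARE = 0.6  # 5.2.3.11: share of valve dangerous rate covered by partial stroke
FULL_STROKE_SHARE = 0.4     # 5.2.3.11: share covered only by full stroke


def pfd_avg_voted(voting, lam_du, ti_hours):
    """Simplified PFDavg for identical channels with dangerous undetected
    failure rate lam_du (per hour), proof-tested every ti_hours."""
    x = lam_du * ti_hours
    return {"1oo1": x / 2, "1oo2": x ** 2 / 3, "2oo2": x,
            "2oo3": x ** 2, "1oo3": x ** 3 / 4}[voting]


def str_voted(voting, lam_s, mttr_hours=MTTR_HOURS):
    """Simplified spurious trip rate (per hour) for identical channels with
    safe failure rate lam_s; 2ooN groups only trip spuriously when a second
    channel fails within the repair time of the first."""
    return {"1oo1": lam_s, "1oo2": 2 * lam_s, "2oo2": 2 * lam_s ** 2 * mttr_hours,
            "2oo3": 6 * lam_s ** 2 * mttr_hours, "1oo3": 3 * lam_s}[voting]


@dataclass
class Subsystem:
    name: str
    voting: str
    lam_du_per_hr: float                  # dangerous undetected failure rate per channel
    lam_s_per_hr: float                   # safe (spurious) failure rate per channel
    ti_hours: float                       # proof test interval (full stroke for valves)
    partial_stroke_ti_hours: Optional[float] = None  # set for partial-stroke-tested valves
    inhibits_spurious_trip: bool = False  # 5.2.3.9: fails away from trip / delayed logic


def subsystem_pfd_avg(s):
    """PFDavg of one subsystem (5.2.6 sensors, 5.2.7 final elements, 5.2.8 logic
    solver, 5.2.9 power supply), with the 5.2.3.11 split for valves."""
    if s.partial_stroke_ti_hours is None:
        return pfd_avg_voted(s.voting, s.lam_du_per_hr, s.ti_hours)
    return (pfd_avg_voted(s.voting, PARTIAL_STROKE_SHARE * s.lam_du_per_hr, s.partial_stroke_ti_hours)
            + pfd_avg_voted(s.voting, FULL_STROKE_SHARE * s.lam_du_per_hr, s.ti_hours))


def subsystem_str_per_hr(s):
    """5.2.3.9: no spurious trip contribution when the trip is inhibited."""
    if s.inhibits_spurious_trip:
        return 0.0
    return str_voted(s.voting, s.lam_s_per_hr)


def sif_pfd_avg(subsystems):
    """5.2.4.3: sum the subsystem PFDavg values to get the SIF PFDavg."""
    return sum(subsystem_pfd_avg(s) for s in subsystems)


def sif_str_per_year(subsystems):
    """5.3.3.4 to 5.3.3.6: sum the spurious trip rates of sensors, final
    elements, logic solver and power supplies, reported per year."""
    return sum(subsystem_str_per_hr(s) for s in subsystems) * HOURS_PER_YEAR


def example_sif():
    """Constructed SIF using the standard proof test intervals of 5.2.3.8."""
    return [
        Subsystem("pressure transmitters", "1oo2", 5e-7, 1e-6, HOURS_PER_YEAR,
                  inhibits_spurious_trip=True),               # fail away from trip point
        Subsystem("logic solver", "1oo1", 1e-8, 2e-7, 10 * HOURS_PER_YEAR),
        Subsystem("ZV valve package", "1oo1", 2e-6, 3e-6, HOURS_PER_YEAR,
                  partial_stroke_ti_hours=HOURS_PER_YEAR / 4),  # quarterly partial stroke
    ]


if __name__ == "__main__":
    sif = example_sif()
    for s in sif:
        print(f"{s.name:22s} {s.voting}: PFDavg={subsystem_pfd_avg(s):.2E}")
    print(f"SIF PFDavg = {sif_pfd_avg(sif):.2E}, STR = {sif_str_per_year(sif):.3f} trips/yr")
```

For the constructed SIF the valve package dominates the PFDavg (about 4.8E-03 of a 5.3E-03 total, which clears the SIL 2 limit of 7.5E-03 in 5.2.3.7), and the spurious trip rate drops from roughly 0.046 to 0.028 trips per year once the transmitters' fail-away configuration is credited under 5.2.3.9.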

5.4 Safety Requirements Specification (SRS)

As part of the Safety Requirements Specification, a SIF Specification Sheet should be published to summarize the SIL Assignment, SIL Verification, Spurious Trip Rate and a written narrative of the shutdown requirements. See Appendix D for an example SIF Specification Sheet.

6 Responsibilities

6.1 Saudi Aramco Project Management Team (SAPMT)

a) Allocate a SIL Team to conduct a SIL Assignment Study.

b) Perform SIL Assignment and Verification for each safety instrumented function per this procedure.

c) Submit the SIL Assignment report for review to the appropriate Saudi Aramco organizations.

d) Submit the SIL Verification report for review to the appropriate Saudi Aramco organizations.

e) Submit a SIF Specification Sheet for each ESD loop.

f) Conduct a quantitative assessment for all SIL#3 ESD loops.

6.2 Loss Prevention Department (LPD)

a) Support SAPMT and P&CSD organizations in planning and performing SIL studies.

b) Support proponent organizations in maintaining the designed integrity of installed SIS.

c) Review all project SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

6.3 Process & Control Systems Department (P&CSD)

a) Support PMT and Proponent organizations in planning and performing SIL studies.

b) Support proponent organizations in maintaining the designed integrity of installed SIS.

c) Review all project SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

d) Review all project SIL verification reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

e) Participate in SIL Assignment Studies as requested by SAPMT.

6.4 Proponent Organizations

a) Assign engineers to participate in SIL Assignment Studies.

b) Review all project SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

c) Review all project SIL verification reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

d) Allocate resources and plan the necessary equipment/facility shutdowns to ensure performance of periodic proof testing and maintenance throughout the life cycle of the SIS, during its operational life and for decommissioning, as established in this document.

e) Ensure that the designed integrity of the SIS is maintained during the operational life cycle of the system.

Revision Summary
27 October 2007   New Saudi Aramco Engineering Procedure.
24 October 2009   Editorial revision to replace Standards Committee Chairman.

Page 17 of 32

Document Responsibility: Process Control Issue Date: 24 October 2009 Next Planned Update: 27 October 2012

SAEP-250 Safety Integrity Level Assignment & Verification

Appendix A – Required SIL Assignment Report Contents 1.

Introduction 1.1

Scope This section shall define the scope of the ESD application, and shall define its structure and summarize its content.

1.2

Objectives This section shall define the intent of the SIL Assignment Report.

2.

Definitions This section shall provide a listing with definitions of terms and abbreviations used in this document that are subject to interpretation by the user. A simple translation of an abbreviation is not sufficient unless the meaning of the translation is obvious.

3.

Applicable Documents All documents referenced within the SIL Assignment report shall be listed and completely identified in this section.

4.

Project Description 4.1

Introduction This section shall provide an overall description of the Process and the Process Control design.

4.2

SIL Study Methodology This section shall summarize the SIL Assignment Methodology used in the study.

5.

Assumptions State or reference all assumptions used in the quantitative and qualitative analysis in this Section. Note assumptions relating to consequence and likelihood of hazardous events.

6.

Data Sources & Software Package 6.1

Data Sources State the data sources or software packages used in this Section. Page 18 of 32

Document Responsibility: Process Control Issue Date: 24 October 2009 Next Planned Update: 27 October 2012

6.2

SAEP-250 Safety Integrity Level Assignment & Verification

Models Reference all consequence and likelihood models completed on the facility including toxicity dispersion models, blast study models, and transient pipeline analysis.

7.

Results 7.1

Worksheet Provide a completed risk graph or risk matrix worksheet (Appendix F) showing all initiated SIFs and their respective SIL assignment.

7.2

Recommendations Provide a summary of recommended proposals that would improve the safety design or mitigate the process risk in this section.

8.

Conclusions This section provides a summary of the recommendations and any further information to execute the engineering design. State any further information or modeling required.


Appendix B – Required SIL Verification Report Contents

1. Introduction

1.1 Scope
This section shall define the scope of the ESD application, and shall define its structure and summarize its content.

1.2 Objectives
This section shall define the intent of the SIL Verification Report.

2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used in this document that are subject to interpretation by the user. A simple translation of an abbreviation is not sufficient unless the meaning of the translation is obvious.

3. Applicable Documents
All documents referenced within the SIL Verification Report shall be listed and completely identified in this section.

4. System Description

4.1 Introduction
This section shall provide an overall view of the Process Automation System, its operation and capabilities, and its intended use.

4.2 Safety Instrumented Functions
This section shall provide a list of the SIFs being considered in the verification. The following information shall be included:
a) SIF number and tag name.
b) SIL required.
c) Initiator tag number(s).
d) Final element tag number(s).
e) SIS architecture showing the required fault tolerance per SAES-J-601 and IEC 61511.


5. Assumptions
This section shall include all assumptions used in the calculations. These include, but are not limited to:

5.1 Test interval (TI) for instruments, logic solver and final control elements.

5.2 Common cause factors (beta factor).
Commentary Note: Typical common cause factors range from 1-5% for similar equipment. Otherwise the common cause factor can be taken from a Failure Mode and Effects Analysis (FMEA).

5.3 MTTR of instrumentation.

5.4 Service factors for process instruments.

5.5 The failure mode of transmitters with respect to the trip condition (i.e., whether a transmitter failure drives the loop towards the trip state).

6. Data Sources & Software Package (Version)
This section provides a reference or a complete list of the failure rate data used for instrumentation and control equipment.

7. Calculation Results
This section shall show the calculation results summarized for each Safety Instrumented Function, both the calculations that verify the SIL (PFD average against the required SIL band) and those that calculate the Spurious Trip Rate (STR) of the devices that lead to a trip. Functions which use the same instrumentation may be grouped; however, the calculations must show sufficient working so that they can be checked and reviewed.
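The following worked example is added here to show what the calculation in section 7 looks like when the assumptions of section 5 (test interval, beta factor, MTTR, architecture) are carried through to a PFD average, an achieved SIL and a spurious trip rate for one SIF. It is not part of SAEP-250 and not a Saudi Aramco tool. It uses the simplified low-demand equations of ISA-TR84.00.02 / IEC 61508-6 (dangerous detected failures neglected), and every failure rate, tag name and architecture in it is constructed for illustration, not vendor or plant data.

```python
"""SIL verification for one SIF: PFDavg, achieved SIL and spurious trip rate
(added worked example, not part of SAEP-250). Simplified low-demand equations
from ISA-TR84.00.02 / IEC 61508-6, dangerous detected failures neglected.
All failure rates below are constructed, not vendor data."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class Subsystem:
    name: str
    arch: str            # "1oo1", "1oo2", "2oo2" or "2oo3"
    lambda_du: float     # dangerous undetected failure rate per channel, 1/h
    lambda_s: float      # safe (spurious) failure rate per channel, 1/h
    ti_h: float          # proof-test interval TI in hours (Appendix B, 5.1)
    beta: float = 0.0    # common-cause factor for redundant channels (5.2)
    mttr_h: float = 8.0  # mean time to restore in hours (5.3)

    def pfd_avg(self) -> float:
        ld, ti, b, mttr = self.lambda_du, self.ti_h, self.beta, self.mttr_h
        one_channel = ld * (ti / 2 + mttr)          # 1oo1 term
        common_cause = b * ld * (ti / 2 + mttr)     # beta share, fails all channels
        indep = (1 - b) * ld                        # independent share per channel
        if self.arch == "1oo1":
            return one_channel
        if self.arch == "2oo2":                     # either channel failing defeats the trip
            return 2 * one_channel
        if self.arch == "1oo2":
            return (indep * ti) ** 2 / 3 + common_cause
        if self.arch == "2oo3":
            return (indep * ti) ** 2 + common_cause
        raise ValueError(f"unsupported architecture {self.arch}")

    def spurious_trip_rate(self) -> float:
        """Spurious trips per hour caused by this subsystem."""
        ls, mttr = self.lambda_s, self.mttr_h
        if self.arch == "1oo1":
            return ls
        if self.arch == "1oo2":                     # any safe failure trips
            return 2 * ls
        if self.arch == "2oo2":                     # both must fail safe within one MTTR
            return 2 * ls * ls * mttr
        if self.arch == "2oo3":                     # two of three within one MTTR
            return 6 * ls * ls * mttr
        raise ValueError(f"unsupported architecture {self.arch}")


def sil_from_pfd(pfd: float) -> int:
    """IEC 61511 low-demand bands for the achieved PFDavg
    (anything below 1e-4 is reported as SIL 4 here)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def verify_sif(subsystems, required_sil):
    """Section 7 summary for one SIF: the loop PFDavg is the sum over the
    series subsystems (initiators, logic solver, final elements), and the
    spurious trip rate adds the same way."""
    pfd = sum(s.pfd_avg() for s in subsystems)
    trips_per_year = sum(s.spurious_trip_rate() for s in subsystems) * HOURS_PER_YEAR
    achieved = sil_from_pfd(pfd)
    dominant = max(subsystems, key=lambda s: s.pfd_avg())
    return {
        "pfd_avg": pfd,
        "sil_achieved": achieved,
        "meets_required": achieved >= required_sil,
        "spurious_trips_per_year": trips_per_year,
        "dominant": dominant.name,
    }


def example_sif(valve_ti_h: float = HOURS_PER_YEAR):
    """Constructed SIF: 1oo2 pressure transmitters, 1oo1 logic solver,
    1oo1 shutdown valve, required SIL 2, annual proof test."""
    loop = [
        Subsystem("PT-A/B (1oo2)", "1oo2", 5e-7, 1e-6, HOURS_PER_YEAR, beta=0.05),
        Subsystem("Logic solver (1oo1)", "1oo1", 1e-8, 2e-7, HOURS_PER_YEAR),
        Subsystem("XV (1oo1)", "1oo1", 2e-6, 5e-7, valve_ti_h),
    ]
    return verify_sif(loop, required_sil=2)


if __name__ == "__main__":
    for k, v in example_sif().items():
        print(f"{k}: {v}")
```

With the constructed rates the valve contributes roughly 98% of the loop PFDavg, which is the usual picture in verification reports and the reason section 5.1 asks for the test interval of the final elements separately: halving the valve test interval (`example_sif(valve_ti_h=4380)`) halves the loop PFDavg, while adding a third transmitter would change almost nothing. The beta term dominates the 1oo2 transmitter result, which is why the beta factor assumption in 5.2 has to be stated and defended.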


Appendix C – Responsibility for Engineering

Figure 1 - SIL and Engineering Design

Project phases (left to right in the figure): Conceptual Design (DBSP), Project Proposal, Detailed Design, Commissioning & OME.

Activities in sequence, with the responsible organization (By) and the reviewing organization (Review):

  Activity                                                          By     Review
  Stage-one: PHA, Hazard Identification, SIL Assignment,            PMT    P&CSD/LPD
    Qualitative Consequence (SAES)
  Stage-two: SIL Assignment, Semi-Quantitative Risk Graph (SAES)    PMT    P&CSD/LPD
  Stage-three (SIL 3 only): SIL Assignment, Quantitative (SAES)     PMT    P&CSD/LPD
  SIS Design, SIL 1, 2 and 3                                        PMT    P&CSD
  SIS Verification, SIL 1, 2 and 3                                  PMT    P&CSD/LPD
  Installation Validation, OME Testing                              PMT    OPS/AALPD


Appendix D – SIF Specification Sheet

This section shall provide a completed SIF specification summarizing the SIL Assignment, SIL Verification, Spurious Trip Rate, SIF architecture, level of redundancy and suitability of components and sub-systems.

SIF SPECIFICATION SHEET

  PEFS Number:          Initiator Tag:          Logic Solver Tag:          Final Element Tag:
  Is it a Pre-Alarm?

FAILURE ON DEMAND
  Design Intent:
  Demand Scenarios:          Case A:          Case B:
  Consequence of Failure:    Case A:          Case B:
  Demand Rate:                                 D:
  Health and Safety Consequence:               S:
  Exposure:
  Possibility to Avert Hazard:
  Loss Consequence:                            L:
  Environmental Consequence:                   E:
  Process Safety Time:
  Overall SIL:

CONSEQUENCE OF SPURIOUS TRIP
  Cost:                                        C:
  Initiator:        Rate:
  Final element:    Rate:


Appendix E – SIL Assignment Worksheet

  Team:                   Department:          Division:
  Facility/Project:       Date Prepared:       Date Issued:
  Process Equipment:      Reviewed by:         Approved by:

  Columns:
  SIF | Scenario | Risk (yr^-1) | Risk Target (yr^-1) | IPLs (Description) | IPLs RR | PFD Required | SIL

  RR: Risk Reduction

Appendix F – Risk Graph Tables and Worksheet

The application of the Risk Graph methodology requires the evaluation of the following factors:

Consequences (C)
The consequence criteria shall be taken in accordance with Table 3-1.

Occupancy (F)
This parameter should be estimated based on Table 3-2. It is calculated by determining the proportional length of time the area exposed to the hazard is occupied during a normal working period. If the time in the hazardous area differs depending on the shift being operated, then the maximum should be selected. It is only appropriate to use FA where it can be shown that the demand rate is random and not related to periods when occupancy could be higher than normal; demands that occur at equipment start-up or during the investigation of abnormalities are usually correlated with higher occupancy. In any case, the factor should be selected based on the most exposed person rather than the average across all people. Note that the concept of occupancy applies to personnel only. Environmental and asset receptors cannot leave the hazardous zone, so only FB is used for them when applying the risk graph.

Possibility of Avoiding the Hazard (P)
This parameter should be estimated based on Table 3-3. It represents a measure of the possibility of preventing the hazard. The parameter PA should only be used in cases where the hazard can be prevented by the operator taking action.

Frequency of Unwanted Event (W)
The analysis of this aspect should follow Table 3-4. The frequency of the unwanted event (also called the demand rate) shall be assessed as the number of times per year that the hazardous situation would occur without the addition of any safety instrumented system (E/E/PE or other technology), but including any external risk reduction facilities (drain system, firewall, dike, etc.).

Table 3-1 – Consequence Criteria (C)

  CA
    People: Employee injury or damage to health.
    Environment: Minor and inside the fence.
    Assets: Minor damage. Cost less than $1 million.
  CB
    People: Employee fatality.
    Environment: Localized effect affecting neighborhood.
    Assets: Partial shutdown. Cost up to $100 million.
  CC
    People: Employee multiple fatalities and some impact on third parties.
    Environment: Severe damage to environment, to be extensively restored by SA.
    Assets: Partial operation loss. Cost up to $500 million.
  CD
    People: Employees and third parties multiple fatalities.
    Environment: Contamination over a large public area. Major economic loss to SA.
    Assets: Significant or total loss of facility. Cost above $500 million.

Table 3-2 – Occupancy Factor (F)

  Risk Parameter   Classification
  FA               Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%.
  FB               Frequent to permanent exposure in the hazardous zone.

Table 3-3 – Probability of Avoiding the Hazardous Event (P)

  Risk Parameter   Classification
  PA               Adopted if all conditions in the comments column are satisfied.
  PB               Adopted if the conditions in the comments column are not all satisfied.

  Comments: PA should be selected only if all of the following are true:
  o Facilities are provided to alert the operator that the SIS has failed.
  o Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area.
  o The time between the operator being alerted and a hazardous event occurring exceeds 1 hour, or is definitely sufficient for the necessary actions.

Table 3-4 – Frequency of Unwanted Event (W)

  Risk Parameter   Frequency (yr^-1)               Description
  W1               less than 1 x 10^-6             Very Low. Never heard of in industry.
  W2               1 x 10^-6 to 1 x 10^-3          Medium. Incident has occurred in SA.
  W3               greater than 1 x 10^-3          High. Happens several times per year in SA.

Figure No. 2 – Risk Graph

Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph).

Starting point for risk reduction estimation: select the consequence C; for CB, CC and CD, then select the occupancy F and the possibility of avoidance P. Each path ends at one of the intermediate nodes X1 to X6:

  CA                                        -> X1
  CB:  FA/PA -> X2   FA/PB -> X3   FB/PA -> X3   FB/PB -> X4
  CC:  FA/PA -> X3   FA/PB -> X4   FB/PA -> X4   FB/PB -> X5
  CD:  FA/PA -> X4   FA/PB -> X5   FB/PA -> X5   FB/PB -> X6

The SIL is then read from the node and the frequency of the unwanted event W:

  Node   W3    W2    W1
  X1     a     ---   ---
  X2     1     a     ---
  X3     2     1     a
  X4     3     2     1
  X5     4     3     2
  X6     b     4     3

  C = Consequence risk parameter
  F = Frequency and exposure time risk parameter
  P = Possibility of failing to avoid hazard risk parameter
  W = Probability of the unwanted occurrence
  --- = No safety requirements
  a = No special safety requirements
  b = A single E/E/PES is not sufficient
  1, 2, 3, 4 = Safety integrity level

Figure 3 – Risk Graph SIL Summary

  Team:                   Department:          Division:
  Facility/Project:       Date Prepared:       Date Issued:
  Process Equipment:      Reviewed by:         Approved by:

  Columns:
  SIF | Scenario | Factors (C, F, P, W) | SIL w/o IPLs | IPLs (Description) | IPLs RR | SIL

  RR: Risk Reduction.

Appendix G – Risk Matrix Table

Saudi Aramco Risk Matrix for Safety Integrity Level (SIL) Assignment

Likelihood categories (without IPLs, but including the control system), in order of decreasing likelihood:

  1  Very High  (> 10^-2 yr^-1)           Scenario can be expected to occur several times per year in the facility.
  2  High       (10^-2 to 10^-3 yr^-1)    Scenario can be expected to occur several times per year in SA.
  3  Medium     (10^-3 to 10^-4 yr^-1)    Scenario has occurred in SA.
  4  Low        (10^-4 to 10^-6 yr^-1)    Some scenarios have occurred in the industry.
  5  Very Low   (< 10^-6 yr^-1)           Very rare or never heard of in industry.

Matrix (rows: likelihood category; columns: consequence category, in order of decreasing consequence from left to right, i.e. 5 Insignificant to 1 Very High):

  Likelihood      5 Insignificant   4 Low   3 Medium   2 High   1 Very High
  1 Very High           2             2        3        EHRS       EHRS
  2 High                1             2        3         3         EHRS
  3 Medium              0             1        2         3          3
  4 Low                 0             0        1         2          2
  5 Very Low            0             0        0         1          1

Legend:
  o EHRS: Extremely High Risk Scenario. Redesign of the process system required.
  o 3: A SIL 3 SIF is required.
  o 2: A SIL 2 SIF is required.
  o 1: A SIL 1 SIF is required.
  o 0: No SIF required.

Consequence categories and description (without IPLs, but including the control system):

  5 Insignificant
    People: No injury or damage to health.
    Environment: No impact.
    Assets: Operational upset. Cost less than $100,000.
    Reputation: No public awareness.
  4 Low
    People: Minor injury or damage to health.
    Environment: Minor and inside the fence.
    Assets: Minor damage. Cost up to $25 million.
    Reputation: Some public and media awareness but no concern.
  3 Medium
    People: Lost time injury or limited health effects.
    Environment: Localized effect affecting neighborhood.
    Assets: Partial shutdown. Cost up to $100 million.
    Reputation: Regional public and some media concern.
  2 High
    People: Employee fatalities and minor impact on third parties.
    Environment: Severe damage to environment, to be restored by SA.
    Assets: Partial operation loss. Cost up to $500 million.
    Reputation: National impact. Public and media concern.
  1 Very High
    People: Multiple fatalities.
    Environment: Contamination over a large public area.
    Assets: Significant or total loss of facility. Cost above $500 million.
    Reputation: International public and media attention.

About this matrix:
  o The risk ranking is given by the risk to people and environment, with no direct relationship to risks to assets.
  o This matrix is endorsed for use across SA.
  o Should any part of this matrix be changed or modified, adapted or customized. It is only to be used for SIL determination and by competent personnel.

Notes:
  o Facility loss includes capital loss, business interruption, production deferment, legal liability and emergency response costs.
  o In applying this matrix it is important to bear in mind that it is strongly recommended, as far as possible, to design the process for a lower SIL (below SIL 2) and also to provide non-SIS protection layers.
  o The consequence scenarios referred to in this matrix are those fully developed, e.g. VCE, fire, toxic vapor cloud, etc.

Abbreviations:
  o SIL: Safety Integrity Level
  o SIS: Safety Instrumented System
  o SIF: Safety Instrumented Function
  o IPL: Independent Protection Layer
  o VCE: Vapor Cloud Explosion

Appendix H – Quantitative Risk Criteria

  Risk Target Frequency (yr^-1)   Consequence Description
  ≤ 1 x 10^-6                     People: Employees and third parties multiple fatalities.
                                  Environment: Contamination over a large public area. Major economic loss to SA.
                                  Assets: Significant or total loss of facility. Cost above $500 million.
  ≤ 1 x 10^-5                     People: Employee multiple fatalities and some impact on third parties.
                                  Environment: Severe damage to environment, to be extensively restored by SA.
                                  Assets: Partial operation loss. Cost up to $500 million.
  ≤ 1 x 10^-4                     People: Employee fatality.
                                  Environment: Localized effect affecting neighborhood.
                                  Assets: Partial shutdown. Cost up to $100 million.
  ≤ 1 x 10^-3                     People: Employee injury or damage to health.
                                  Environment: Minor and inside the fence.
                                  Assets: Minor damage. Cost less than $1 million.
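The following worked example is added to show how the two assignment routes in this procedure are computed for one scenario: the Appendix E worksheet row (risk, risk target from Appendix H, IPL risk reduction, required PFD, SIL) and the Appendix F risk graph (Table 3-4 W band and the generalized Figure 2 arrangement). It is not part of SAEP-250 and not a Saudi Aramco tool. The scenario, its demand frequency and the IPL risk reduction factors are constructed for illustration, and the treatment of a required PFD below the SIL 3 band as an EHRS case is taken from the Appendix G legend rather than stated for the quantitative route by the document.

```python
"""SIL assignment for one scenario: Appendix E quantitative worksheet and the
Appendix F risk graph (added worked example, not part of SAEP-250; the
scenario data is constructed for illustration)."""

# Appendix H: maximum tolerable frequency of the hazardous event (yr^-1)
RISK_TARGET = {"CA": 1e-3, "CB": 1e-4, "CC": 1e-5, "CD": 1e-6}

# Figure 2: intermediate node vs. W band. Entries as printed on the graph:
# "---" no safety requirements, "a" no special safety requirements,
# "b" a single E/E/PES is not sufficient, 1-4 the safety integrity level.
RISK_GRAPH = {
    "X1": {"W3": "a", "W2": "---", "W1": "---"},
    "X2": {"W3": 1,   "W2": "a",   "W1": "---"},
    "X3": {"W3": 2,   "W2": 1,     "W1": "a"},
    "X4": {"W3": 3,   "W2": 2,     "W1": 1},
    "X5": {"W3": 4,   "W2": 3,     "W1": 2},
    "X6": {"W3": "b", "W2": 4,     "W1": 3},
}


def ipl_risk_reduction(ipls):
    """Combined risk reduction of the credited IPLs (Appendix E 'IPLs RR').
    Appendix I criterion (i): a layer giving less than a factor of 10 is not an IPL."""
    rr = 1.0
    for name, rrf in ipls:
        if rrf < 10:
            raise ValueError(f"{name}: RRF {rrf} < 10, cannot be credited as an IPL")
        rr *= rrf
    return rr


def sil_from_required_pfd(pfd):
    """IEC 61511 low-demand bands for the required PFD. Below the SIL 3 band the
    Appendix G legend calls for process redesign (EHRS), not a SIL 4 SIF."""
    if pfd >= 1e-1:
        return 0           # no SIF required
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return "EHRS"


def quantitative_sil(unmitigated_freq, consequence, ipls):
    """One Appendix E row: Risk -> Risk Target -> IPLs RR -> PFD Required -> SIL."""
    mitigated = unmitigated_freq / ipl_risk_reduction(ipls)
    target = RISK_TARGET[consequence]
    pfd_required = min(1.0, target / mitigated)   # >= 1 means the target is already met
    return {"mitigated_freq": mitigated, "risk_target": target,
            "pfd_required": pfd_required, "sil": sil_from_required_pfd(pfd_required)}


def w_from_frequency(freq):
    """Table 3-4. W is the demand rate without any SIS but including external
    risk reduction (drains, dikes, other IPLs), so pass the mitigated frequency."""
    if freq < 1e-6:
        return "W1"
    if freq < 1e-3:
        return "W2"
    return "W3"


def risk_graph_sil(c, f, p, w, receptor="people"):
    """Figure 2 generalized arrangement: CA always ends at X1; for CB, CC and CD
    the node index is the consequence index plus one step for FB and one for PB.
    Appendix F: occupancy applies to personnel only, so environmental and asset
    consequences are always routed with FB."""
    if receptor != "people":
        f = "FB"
    base = {"CA": 1, "CB": 2, "CC": 3, "CD": 4}[c]
    node = 1 if c == "CA" else base + (f == "FB") + (p == "PB")
    x = f"X{node}"
    return x, RISK_GRAPH[x][w]


def example_scenario():
    """Constructed: separator overpressure after a level control failure,
    0.5 demands/yr without the SIS, consequence CC, one credited IPL (PSV,
    assumed RRF 100). Returns the quantitative row and the risk graph result."""
    quant = quantitative_sil(0.5, "CC", [("PSV", 100)])
    w = w_from_frequency(quant["mitigated_freq"])
    graph = risk_graph_sil("CC", "FA", "PB", w)
    return quant, graph


if __name__ == "__main__":
    quant, graph = example_scenario()
    print("quantitative:", quant)
    print("risk graph node, SIL:", graph)
```

For the constructed scenario the risk graph gives X4 at W3, i.e. SIL 3, while the quantitative row gives a required PFD of 2 x 10^-3, i.e. SIL 2. That is the situation in which Figure 1 of Appendix C sends a Stage-two risk graph result of SIL 3 through the Stage-three quantitative assignment: the risk graph bands are coarse and conservative, and the quantitative route uses the actual IPL credit. Note also that the Appendix G matrix takes its likelihood without IPLs, whereas W in Table 3-4 includes external risk reduction, so the same scenario must not be fed the same frequency on both routes.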


Appendix I – General Notes

Introduction
Applying a risk-based approach to safety functions using SIL will validate that the design of safety systems in Saudi Aramco is adequate to protect personnel, environment and assets against potentially hazardous situations. In addition, the risk-based approach will provide additional understanding of the process, provide opportunities to reduce capital and maintenance costs, and help avoid false trips. The starting point for risk-based SIL assignment is to establish risk tolerability criteria, so that the necessary risk reduction for each safety function can be quantitatively or qualitatively ascertained. In some cases other safety protective layers exist that may be taken as credit when assessing the required safety integrity level. In order to meet the requirements of the international standards it is required to:
● Identify safety functions.
● Determine the SIL for each function.
● Develop safety requirement specifications.
● Use a life cycle approach for SIS design.
● Verify the integrity of the SIS design.
● Demonstrate that the integrity of the SIS can be maintained.
● Document the process.

The SIL Concept
The SIL concept as applied by Saudi Aramco requires the identification of process equipment with safety implications and the establishment of the risk reduction needed for each of the safety functions required for that equipment to operate safely. Process equipment with safety implications comprises those process systems that can pose one or more hazards (explosion, toxic release, leak, etc.). The risk reduction needed is the gap between the existing risk posed by the equipment and the risk target. This gap is to be covered first by inherently safer design and mechanical integrity, and second by independent protection layers (IPLs). When all of the above measures by themselves are not sufficient to cover the risk reduction needed, a safety instrumented system (SIS) with the required technical specification and architecture will be specified.


The Safety Life Cycle
The safety life cycle is another fundamental concept established by the international standards. The safety life cycle represents the application of good engineering practice to SISs. This safety life cycle is depicted in Figure 1 in Appendix C. Good engineering practice is accomplished based on three fundamental aspects:
i) Design by layers of protection. Risk reduction is normally accomplished using more than one protective system and more than one type of technology. Some of these protective systems reduce the frequency of the hazardous scenario, whereas others reduce the consequences. As a result, the total risk reduction factor is obtained from the combination of the risk reduction factors of each individual protective system.
ii) The second fundamental aspect of the safety life cycle process is that it includes design verification. The SIL required for each safety function is established, and each design must then meet or exceed that requirement; the achieved integrity is calculated and compared with it. This provides a control and verification process that ensures the design is optimal for the need. SIS over-design can be easily and clearly identified and consequently changed; on the other hand, SIS designs not fully covering the risk reduction needed can be identified as well, and improved to meet the risk target.
iii) Third, the safety life cycle includes inspection, testing and maintenance planning, which address, among other things, testing intervals and testing schedules. Furthermore, operation, maintenance and decommissioning are all part of the safety life cycle.

Independent Protection Layers
Only those protection systems that meet the following criteria shall be classified as independent protection layers, and therefore used as credit in Saudi Aramco SIL studies. These criteria are:
i) Effectiveness: The protection provided reduces the identified risk by a large amount, that is, by a factor of at least 10 (a probability of failure on demand no greater than 1 x 10^-1).
ii) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; therefore, multiple event scenarios may initiate action of one IPL.
iii) Independence: An IPL is independent of the other protection layers associated with the identified danger, including the initiating cause and any other layer credited for the same scenario.
iv) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
