SIL Determination Guideline

September 22, 2017 | Author: Kareem Rasmy | Category: Risk Management, Quality, Risk, Prevention, Engineering



Safety Integrity Level (SIL) Determination Guideline – EPP-0263, 30 May 2008

Level 12, 141 Walker Street, North Sydney NSW 2060, Australia +61 2 8923 6866 +61 2 8923 6877 ABN 61 001 279 812

SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE

SYNOPSIS

This guideline presents the WorleyParsons methodology for undertaking a Safety Integrity Level (SIL) determination study. The methodology follows the intent of ‘IEC 61511-3: Guidance for the determination of the required safety integrity levels’, which requires that the SIL rating of Safety Instrumented Functions (SIFs) be determined. This guideline has been developed to assist engineers, designers and other project decision makers to deliver safe, reliable and sustainable design outcomes.

PROJECT - SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE

REV  DESCRIPTION     ORIG       REVIEW     WORLEYPARSONS APPROVAL  DATE       CUSTOMER APPROVAL  DATE
1    Issued for use  K Bahrami  J Pohlner  L Wheeler               30-May-08  N/A

002-000-PDW-228 (019056) EPP-0263 Rev 1 (30-May-08)

Corporate Base

Page 2 of 36

SAFETY INTEGRITY LEVEL (SIL) DETERMINATION GUIDELINE

CONTENTS

1.     INTRODUCTION ........................................................ 5
1.1    Application ......................................................... 7
1.2    Roles and Responsibilities .......................................... 7
2.     ABBREVIATIONS AND TERMINOLOGIES ..................................... 8
3.     SIL DETERMINATION METHODOLOGY ....................................... 10
4.     SIL DETERMINATION - PREPARATION ..................................... 12
4.1    Charter ............................................................. 12
4.2    Timing .............................................................. 12
4.3    Attendees ........................................................... 13
4.4    Workshop Duration ................................................... 13
4.5    Role of the Coordinator / Project Engineer .......................... 13
4.5.1  Before the Sessions ................................................. 14
4.5.2  During the Sessions ................................................. 14
4.5.3  After the Sessions .................................................. 14
4.6    The Facilitator ..................................................... 14
4.6.1  Before the Sessions ................................................. 15
4.6.2  During the Sessions ................................................. 15
4.6.3  After the Sessions .................................................. 15
4.7    Technical Scribe .................................................... 16
4.8    Documentation Requirements .......................................... 16
5.     SIL DETERMINATION – WORKSHOP ........................................ 17
5.1    Workshop Procedure .................................................. 17
5.2    SIF Assessment ...................................................... 17
5.2.1  Establish Context for each System and the Safety Target of the Process  17
5.2.2  Identify SIFs Needed ................................................ 17
5.2.3  Determine required SIL of the SIF ................................... 18
5.3    Recording ........................................................... 18
5.4    SIL Determination Report ............................................ 18
5.5    Archiving ........................................................... 19
6.     LAYER OF PROTECTION ANALYSIS (LOPA) METHOD .......................... 20
6.1    Protection Layers ................................................... 21
6.2    LOPA Steps .......................................................... 22
7.     SIL VERIFICATION .................................................... 25
8.     REFERENCES .......................................................... 26

APPENDIX 1 - EXAMPLE WORKSHEET FOR SIL DETERMINATION - LOPA METHOD (ANNEX F - IEC 61511 PART 3)
APPENDIX 2 - SIL DETERMINATION – SIL MATRIX METHOD (ANNEX C - IEC 61511 PART 3)
APPENDIX 3 - SIL DETERMINATION - RISK GRAPH METHOD (ANNEX D - IEC 61511 PART 3)


1. INTRODUCTION

Phase 2 of the safety life-cycle defined in IEC 61511-1 requires the determination of a Safety Integrity Level (SIL) for the design of a Safety Instrumented Function (SIF). The objectives of Clause 9 (Phase 2) are the allocation of safety functions to protection layers and, for each safety instrumented function, the determination of the associated safety integrity level. The inputs to this phase are a description of the required safety instrumented function(s) and the associated safety integrity requirements; the outputs are a description of the allocation of safety requirements.

Determination of the SIL rating of a SIF is an important process in ensuring that the design is adequate and that any risk associated with failure of the SIF is tolerable (i.e. the residual risk is as low as is reasonably practicable – ALARP). Once the SIL rating has been established, the SIF design must be analysed to ensure that it meets the required level of reliability. This is termed SIL Verification and is covered by the SIL Verification Guideline EPP-0266.

The primary focus of the SIL determination process is safety. However, the integrity level determination process can also be used for any type of control that provides protection against environmental risks (EIL rating) and asset (business or financial and property) risks (AIL rating).

This guideline has been developed in accordance with the functional safety standard IEC 61511, which is process industry specific within the framework of IEC 61508 [Ref 1], [Ref 2]. Both of these standards are recognised and generally accepted as good engineering practice for Safety Instrumented Systems (SIS).

This guideline contains the minimum requirements for a SIL determination study conducted by or for WorleyParsons, to ensure that all the required information is available, the most suitable people are involved, and the documentation meets WorleyParsons requirements.

The document assumes a reasonable working knowledge of hazardous scenario identification (HAZID and HazOp) studies and of the use of qualitative and semi-quantitative risk assessment processes to determine risk and SIL ratings.


Figure 1-1: SIS safety life-cycle phases and functional safety assessment stages based on IEC 61511


1.1 Application

The SIL determination process is applicable to all Customer Sector Groups (CSGs) and to the three phases of project execution:

- Define - Front End Engineering Design (FEED)
- Execute - Detailed Engineering
- Operate - Asset Services, Maintenance, Upgrade

1.2 Roles and Responsibilities

This guideline makes reference to the following position titles:

- Project Manager - The Project Manager is responsible for ensuring the SIL Determination requirements are executed on the project in accordance with the Project Execution Plan. These responsibilities include appointment of a SIL Determination Coordinator and a SIL Determination Facilitator.
- SIL Determination Coordinator / Project Engineer – The person in charge of organising the SIL Determination workshop and ensuring that the SIL Determination report is developed and circulated.
- SIL Determination Facilitator – The person in charge of running the SIL Determination workshop and developing the report.
- Workshop Technical Scribe - For most workshops, an experienced technical scribe is preferred.


2. ABBREVIATIONS AND TERMINOLOGIES

AIL      Asset Integrity Level
ALARP    As Low As Reasonably Practicable
BPCS     Basic Process Control System
E/E/PES  Electrical/Electronic/Programmable Electronic safety-related systems
EIL      Environment Integrity Level
ESD      Emergency Shutdown
IPL      Independent Protection Layer
LOPA     Layer of Protection Analysis
PFD      Probability of Failure on Demand
PHA      Process Hazard Analysis
PLC      Programmable Logic Controller
SRS      Safety Requirements Specification
SIF      Safety Instrumented Function
SIL      Safety Integrity Level
SIS      Safety Instrumented System

Safety Integrity Level (SIL): The IEC 61511 standard defines the Safety Integrity Level (SIL) as a discrete value (one out of four) for specifying the safety integrity requirements of the safety functions to be allocated to the safety instrumented functions. The higher the SIL, the higher the probability that the safety function is correctly executed, and the lower the average Probability of Failure on Demand. SIL 4 has the highest level of reliability, and hence safety integrity, and SIL 1 has the lowest.

Independent Protection Layer (IPL): A safeguard / layer of protection that (with a certain probability) will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of any other layer of protection.

Safety Function: A function to be implemented by a safety instrumented system, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the equipment in respect of a specific hazardous event.


Mode of Operation: Safety Instrumented Systems are split into two types, based on the mode of operation in which the system is intended to be used, with respect to the frequency of demands made upon it. For a SIS operating in a low demand mode of operation, the safety integrity measure of interest is the average probability of failure to perform its designed function on demand. For a SIS operating in a continuous mode of operation, the safety integrity measure of interest is the frequency of a dangerous failure per hour. The SIL ratings and requirements relating to both types of system and their application are shown below.

SIL  Continuous (High) Demand Mode of Operation   Low Demand Mode of Operation                      Risk Reduction Factor (RRF)
     Failure Rate / hour                          Probability of Failure on Demand
1    < 10^-5 to 10^-6                             < 10^-1 to 10^-2 (< 1 in 10 to 1 in 100)          10 – 100
2    < 10^-6 to 10^-7                             < 10^-2 to 10^-3 (< 1 in 100 to 1 in 1000)        100 – 1,000
3    < 10^-7 to 10^-8                             < 10^-3 to 10^-4 (< 1 in 1000 to 1 in 10000)      1,000 – 10,000
4    < 10^-8 to 10^-9                             < 10^-4 to 10^-5 (less than 1 in 10000)           10,000 – 100,000



- High Demand Mode: where the frequency of demands for operation made on the system is greater than one per year or greater than twice the proof test frequency. An example of this could be the braking system on a car. The safety integrity measure of interest is the frequency of a dangerous failure per hour.

- Low Demand Mode: where the frequency of demands for operation made on the system is no greater than one per year and no greater than twice the proof test frequency. An example of this could be an air bag within a car. The safety integrity measure of interest is the average probability of failure to perform its designed function on demand.

Necessary Risk Reduction: Risk reduction to be achieved by the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities in order to ensure that the tolerable risk is not exceeded.

Intermediate Event Likelihood: The Intermediate Event Likelihood is calculated by multiplying the Initiating Event Likelihood by the PFDs of the protection layers and mitigating layers.

Required (Target) Event Likelihood: Corporate (Customer) criteria for events of this severity level.
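The table and the three definitions above are the arithmetic core of the LOPA method introduced in Section 6, so here is an added worked example in Python. It is not part of the WorleyParsons guideline, nor its worksheet EPF-0267: it encodes the SIL bands from the table, the high/low demand mode test, and the Intermediate Event Likelihood definition (initiating event likelihood multiplied by the PFDs of the non-SIS protection layers), then compares the result with a target event likelihood to derive the PFD, risk reduction factor and SIL that a SIF would need to close the gap. The scenario values (an initiating event of 0.5 per year, a relief valve PFD of 0.01, an operator response PFD of 0.1, a target of 1e-5 per year) are constructed for illustration, and all function names are mine rather than terms from the guideline or the standards.

```python
"""SIL banding, demand-mode classification and a LOPA-style intermediate event
likelihood check. Added example; the numeric bands follow the guideline's SIL
table, the scenario values are constructed, the function names are the author's."""

# SIL bands from the guideline's table, stored as half-open intervals [low, high).
#   "pfd":  average probability of failure on demand (low demand mode)
#   "rate": dangerous failure rate per hour (continuous / high demand mode)
#   "rrf":  risk reduction factor range, for reference
SIL_BANDS = {
    1: {"pfd": (1e-2, 1e-1), "rate": (1e-6, 1e-5), "rrf": (10, 100)},
    2: {"pfd": (1e-3, 1e-2), "rate": (1e-7, 1e-6), "rrf": (100, 1_000)},
    3: {"pfd": (1e-4, 1e-3), "rate": (1e-8, 1e-7), "rrf": (1_000, 10_000)},
    4: {"pfd": (1e-5, 1e-4), "rate": (1e-9, 1e-8), "rrf": (10_000, 100_000)},
}


def demand_mode(demands_per_year, proof_tests_per_year):
    """Guideline definition: high demand if demands exceed one per year or
    twice the proof test frequency; otherwise low demand."""
    if demands_per_year > 1 or demands_per_year > 2 * proof_tests_per_year:
        return "high"
    return "low"


def _band_for(value, key):
    """Return the SIL whose [low, high) band for `key` contains `value`.
    0 means less demanding than SIL 1; None means more demanding than SIL 4
    (a single SIF should not be relied on for that; the design needs rework)."""
    if value >= SIL_BANDS[1][key][1]:
        return 0
    for sil, band in SIL_BANDS.items():
        low, high = band[key]
        if low <= value < high:
            return sil
    return None


def sil_for_pfd(pfd):
    """Low demand mode: SIL implied by a required average PFD."""
    return _band_for(pfd, "pfd")


def sil_for_failure_rate(rate_per_hour):
    """Continuous / high demand mode: SIL implied by a dangerous failure rate."""
    return _band_for(rate_per_hour, "rate")


def intermediate_event_likelihood(initiating_freq, ipl_pfds, modifiers=()):
    """Guideline definition: initiating event likelihood multiplied by the PFDs
    of the protection and mitigating layers. Conditional modifiers (e.g. an
    occupancy probability, one of the LOPA parameters the guideline lists) are
    multiplied in the same way. Every factor must be a probability in (0, 1]."""
    freq = initiating_freq
    for p in list(ipl_pfds) + list(modifiers):
        if not 0 < p <= 1:
            raise ValueError(f"PFD / modifier out of range: {p}")
        freq *= p
    return freq


def assess_sif(initiating_freq, ipl_pfds, target_freq, modifiers=()):
    """Compare the mitigated frequency (non-SIS layers only, no SIF credited)
    against the target event likelihood and report what a SIF would need."""
    intermediate = intermediate_event_likelihood(initiating_freq, ipl_pfds, modifiers)
    if intermediate <= target_freq:
        # Non-SIS protection already meets the target: no SIF required (cf. 5.2.2)
        return {"intermediate_freq": intermediate, "sif_required": False}
    required_pfd = target_freq / intermediate
    return {
        "intermediate_freq": intermediate,
        "sif_required": True,
        "required_pfd": required_pfd,
        "required_rrf": 1 / required_pfd,
        "sil": sil_for_pfd(required_pfd),
    }


# Constructed scenario: BPCS loop failure leading to vessel overpressure.
EXAMPLE = {
    "initiating_freq": 0.5,     # per year (constructed)
    "ipl_pfds": [1e-2, 1e-1],   # relief valve, operator response (constructed)
    "target_freq": 1e-5,        # per year, constructed corporate criterion
}

if __name__ == "__main__":
    print("demand mode:", demand_mode(0.5, 1.0))
    print(assess_sif(**EXAMPLE))
```

With the constructed values the non-SIS layers bring the scenario to 5e-4 per year, fifty times the target, so the SIF must achieve a PFD of 0.02 (RRF 50), which falls in the SIL 1 band. Changing the target to 1e-6 per year moves the same scenario to SIL 2, which is the sensitivity to the customer's tolerable risk criterion that Section 4.8 asks to be agreed before the workshop.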


3. SIL DETERMINATION METHODOLOGY

A safety function is implemented by a SIS, another technology safety-related system or external risk reduction facilities, and is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. In the process industries, safety functions are most often delegated to electrical, electronic or programmable electronic (E/E/PE) Safety Instrumented Systems (SIS). The functional safety standards IEC 61508 and IEC 61511 propose guidelines which can be used to define the requirements for achieving a specified Safety Integrity Level (SIL) and to evaluate the actual availability of a SIS.

There are several methods that can be used for SIL determination for a specific safety instrumented function. IEC 61511-3 presents information on a number of methods that have been used. The method selected for a specific application will depend on many factors, including:

- The customer
- The complexity of the application
- The guidelines from regulatory authorities
- The nature of the risk and the required risk reduction
- The experience and skills of the persons available to undertake the work
- The information available on the parameters relevant to the risk.

The following are the basic and generic steps to determine a safety function SIL rating based on IEC 61511:

- Perform a hazard and risk analysis to evaluate the existing risk
- Identify the safety function(s) needed
- Allocate the safety function(s) to independent protection layers
- Determine if a SIF is required
- Determine the required SIL of the SIF.

The methods presented in this guideline are based on IEC 61511 and utilise a workshop approach:

- Layer of Protection Analysis (LOPA)
- SIL Matrix
- Risk Graph

The LOPA methodology as covered in IEC 61508 Part 7 is one of the WorleyParsons preferred methods, as it provides a logical means of evaluating a large number of SIFs and includes means to consider several key parameters (severity, likelihood, occupancy and safeguards). As such, the LOPA methodology is described in this guideline. For completeness, the SIL Matrix and Risk Graph methods are included in Appendices 2 and 3.

In some applications more than one method may be used. A qualitative method may be used as a first pass to determine the required SIL of all the SIFs. Those which are assigned a high SIL by this method should then be considered in greater detail using a quantitative method to give a more rigorous understanding of their required safety integrity.

Note:
1. Some customers may have their own SIL determination guidelines. If this is the case, there needs to be clear agreement as to which process will be used before the SIL determination proceeds.
2. Commercial SIL determination / documentation software is available which can enhance the determination and documentation processes.


4. SIL DETERMINATION - PREPARATION

The SIL determination process is based on the principle that a team approach to risk assessment will identify more problems than individuals working separately and then combining their results. As such, the SIL determination should be conducted in a brainstorming workshop environment similar to a HazOp or HAZID session.

The first major element for a successful SIL determination process is that it is well planned before the workshop takes place. This planning needs to ensure that:

- The design is sufficiently progressed that it can be understood and questioned by the SIL workshop clearly and in sufficient detail to arrive at an appropriate SIL determination.
- The SIL workshop attendees are invited early enough to be involved.
- Prior to the workshop, the responsible project designer (process or instrument) produces a concise list of SIFs to be reviewed. The facilitator can work with the designer, but ultimately it is the designer's responsibility to generate the actual list of SIFs to be reviewed, containing the following information:
  - SIF descriptor
  - P&ID reference

The facilitator needs to ensure that these elements have been satisfactorily completed prior to the workshop taking place. If necessary the facilitator should postpone or cancel the workshop until he/she is satisfied.

4.1 Charter

The Safety Workshop Charter defines the scope of the SIL Determination, the attendees, the proposed duration, location and date. The use of the Charter is MANDATORY for all SIL Determination studies.

4.2 Timing

The SIL Determination study should be conducted after the process design (or equivalent) has been finalised, the P&IDs have been developed (basic or detailed design), the design review has been conducted, and the process design has been subjected to a process HazOp study. The SIL Determination workshop should not be undertaken before the design is complete to the extent required for the particular study and the HazOp study is done. The SIL Determination facilitator should not proceed with the study if the design is poorly completed and the HazOp study has not been done.


4.3 Attendees

The workshop team shall be multi-disciplinary and comprise representatives from the major groups involved. People should be selected for their knowledge of the process and/or equipment and/or their ability to make a technical contribution. The attendees should include experienced project and/or operations personnel as set out in the functional safety standards, which require that the team making the SIL decisions consists of participants with certain types of expertise. It is generally appropriate to include the following personnel:

- Competent Facilitator
- Technical Scribe / secretary
- Operator with experience in operating the process under consideration
- Process Engineer - engineer with expertise in the process design
- Instrument / Control engineer with experience in the process under consideration
- Lead Safety and Risk engineer
- Customer Safety Coordinator (if relevant)

The actual composition of the team depends on the particular study. The composition may also vary from meeting to meeting within a study, as various technical specialists are utilised on an as-needed basis. The team composition shall be defined on the charter.

4.4 Workshop Duration

The duration of the SIL Determination workshop depends on the complexity and size of the project, as well as the team size and composition. The expected duration of the SIL Determination should be discussed and agreed with the SIL Determination Facilitator once they have had an opportunity to review the project scope and drawings. The typical duration for a greenfield site is about 2 to 3 hours per Safety Instrumented Function (SIF). SIL Determination sessions must be planned with regular breaks and ideally should be limited to 6 hours per day. This enables personnel to keep in touch with their normal workload and prevents fatigue. Additionally, it allows time for the facilitator and scribe to tidy up the existing records and plan for the next session.

4.5 Role of the Coordinator / Project Engineer

The main responsibilities of the Coordinator / Project Engineer at the different stages of the study are as follows:


4.5.1 Before the Sessions

- Book the facilitator and select the team members with advice from the Facilitator.
- Organise a Scribe if appropriate. Note that the scribe must have a technical background.
- Set a date, time and duration for the workshop and book an appropriate location.
- Arrange a data projector and computer for use. (Though there are different ways to record the minutes, WorleyParsons strongly advocates the projection of the minutes to ensure agreement and understanding within the team. This may mean a laptop and data projector, or it may be as simple as a printable whiteboard.)
- Ensure the required documentation is available (see Section 5.6).
- Issue the relevant documents to the facilitator no less than 3-5 working days (depending on the project size) prior to the session.
- Prepare and distribute the Charter.
- Organise catering if appropriate.

4.5.2 During the Sessions

- Provide an introduction to the Project.
- Provide guidance on the Scope of the study.

4.5.3 After the Sessions

Every project has its own document control system. Normally the following steps are followed:

- Review the minutes of the meeting and circulate them for review.
- Distribute the Draft Report (Revision A) for review.
- Gain sign-off on the Final Report (Revision 0).

4.6 The Facilitator

It is a WorleyParsons requirement that an independent, competent facilitator, experienced in the field of study, is used. The SIL determination facilitator should not be closely associated with designing or delivering the subject of the study, as there is a danger of real or perceived conflicts of interest in the identification of hazards, operability problems or design flaws. This helps ensure compliance with the minimum required level of independence for carrying out SIL assessments (refer to IEC 61508). The major role of the facilitator is to guide the team through the process during the SIL determination session. However, the facilitator should also assist with defining the objectives for the study, reviewing the Charter, choosing team members and adequately preparing for the study.


The responsibilities of the facilitator at the different phases of the study are as follows.

4.6.1 Before the Sessions

- Ensure the objectives and scope are clearly defined.
- Ensure that the proposed team and facilities for the study are appropriate.
- In conjunction with the Process / IE Engineer, identify existing SIFs and determine a preliminary description of each (to be confirmed with the Study Team during the workshop).
- In conjunction with the Coordinator, estimate the duration of the workshop.
- Review any previous HazOp and any SIL study, Safety Case or Risk Assessment documentation.
- Plan the study sequence.
- Calibrate the determination / recording software (if any).

4.6.2 During the Sessions

- Ensure that the team members understand the method and their individual roles.
- Guide the team in the technique.
- Ensure that the full range of events is generated and that a full range of realistic causes and consequences is developed.
- Ensure that all team members participate in the discussions and that those who have the specific technical knowledge or ability are given the opportunity to express their views; avoid one team member dominating the discussions.
- Keep the discussions to the topic under review and minimise side-track discussions.
- Keep track of time; if discussion of a particular issue is taking too long, record an “action” to resolve it outside of the meeting.
- Ensure the results of the process are accurately recorded.

Note: The use of a data projector to display the “minutes” as they are recorded allows the Facilitator to advise that the minutes / Study records represent the consensus of the meeting and are an already “accepted” set of minutes of the meeting.

4.6.3 After the Sessions

- The minutes of the meeting are reviewed and circulated to workshop attendees.
- Prepare the Draft report (normally as Rev A) and issue it to the Coordinator for distribution and review.
- Incorporate any alterations, revise the minutes and reissue the Report as “Final” / “For Use” – normally as Rev 0.



4.7 Technical Scribe

For most workshops, an experienced technical scribe is preferred as part of the Study Team, since they can have a significant impact on efficiency by enabling the facilitator to concentrate on the process and not the records. For large studies there may be value in having more than one scribe, using them in rotation to limit fatigue. For small and simple studies, the facilitator may elect to take on the responsibility of the technical scribe or secretary.

4.8 Documentation Requirements

For the LOPA study, agreed tolerable risk criteria (a specific limit per year) for each of the consequence categories studied are required before the workshop can be started. There also needs to be a list of proposed SIFs, agreed and suitably documented. The following documents need to be available to the team during the study session:

- Basis of Design
- Process Description
- Process Flow Diagrams (PFDs - for process systems)
- Utility Flow Diagrams (UFDs - for utility systems)
- Piping and Instrumentation Diagrams (P&IDs - for both process and utility systems)
- Plant / Equipment Layouts (preliminary)
- Previous hazard study documents
- Cause and effect diagrams

In addition, the following documents should be available for reference, where applicable:

- Control Philosophy
- Shutdown Philosophy
- Isolation Philosophy
- Fire & Safety Philosophy
- Fire & Gas Detection Philosophy
- Hazardous Area Drawings
- Relief and Blowdown Philosophy


5. SIL DETERMINATION – WORKSHOP

In order to determine the required SIL of the safety instrumented functions (SIFs), it is necessary to define the customer’s tolerable risk target in terms of the probability and consequence of the potential process incidents. This takes place by discussion and agreement between the interested parties before the workshop (for example safety regulatory authorities, those producing the risks and those exposed to the risks). The following sections outline the main sequence of events associated with the SIL determination process as developed by WorleyParsons. This process is consistent with IEC 61511, IEC 61508 and the concepts of Risk Management in AS/NZ 4360.

5.1 Workshop Procedure

The procedure for each meeting/session is as follows:

1. Introduction of team members and their responsibilities (an attendance sheet should be circulated to formally record all attendees, including their signature to confirm attendance).
2. Statement of the objectives and scope of the study (by the Coordinator and/or facilitator).
3. Brief outline of the plan for the study (by the facilitator), going into the study process in more detail if any team member is not familiar with the method.
4. SIF Assessment, as the next step.

5.2 SIF Assessment

5.2.1 Establish Context for each System and the Safety Target of the Process

Based on the information prepared for each identified system, the context and design intent of each system or protective loop should be explained to the group. The responsible design person should provide this step as background to the group prior to assessment. The key issues to identify for each system or loop are:

- The equipment being protected
- What it is being protected against (the hazard and incident)
- What independent levels of protection exist

5.2.2 Identify SIFs Needed

This step derives from the risk analysis what safety functions are required and what risk reduction they need to meet the safety target.

This step determines whether a safety instrumented function is required. Protection layers of other technologies should be considered prior to establishing the need for a safety instrumented function implemented in a SIS. If no other non-SIS protection can meet the safety target level, a safety instrumented function implemented in a SIS is required to protect against the identified hazards.

5.2.3 Determine required SIL of the SIF

The required SIL rating of the identified SIF is determined in this step.

- Select the first SIF (hazardous scenario) to be examined. The facilitator asks for the explicit purpose and intent of the SIF to be explained, including any safeguards available.
- The facilitator assesses the first SIF.
- The SIL rating of each SIF is identified in turn.

5.3 Recording

The SIL determination process should be recorded thoroughly, using either computer software intended for SIL determination or MS Excel, to ensure consistency. Refer to the SIL Determination Worksheet EPF-0267; Appendix 1 shows a typical example of how the worksheet is used for LOPA. It is highly recommended that a data projector is used during the workshop so that all participants can view the record, recommend modifications and agree the minutes and actions, thereby minimising any revisions and modifications required later on. The study team needs to agree on the similarity / equivalence of multiple units (in order to review only one unit). REMEMBER – The minutes of the study need to be understood by personnel who were NOT present at the study!

5.4 SIL Determination Report

To comply with the standards, the SIL determination process needs to be documented. The facilitator and/or scribe need to formally document the SIL determination process, and the documentation needs to provide and contain information on:

- Scope of the SIL study
- The team involved
- The systems examined
- Assumptions made / data sources used
- Methodology used (LOPA / Matrix / Risk Graph)
- The results as captured in the meeting

The report should be formally submitted for review and subsequently used as the basis for the SIL verification process. A typical outline for a summary report is given below:

- Standard WorleyParsons Report cover pages
- Standard WorleyParsons Report disclaimer
- Introduction and project overview
- Objectives and scope
- Team composition
- Recommendations and major outcomes
- Attachments:
  - Drawings / data used as the basis for the study;
  - Full minutes;
  - Meeting attendance register with attendees’ signatures included.

The Document Control for the report is per standard WorleyParsons procedure. Specifically, a ‘Revision A – Issued for Internal Review’ should be produced and distributed. Comments from this should then be used to finalize the report as a ‘Revision 0 – Issued for Use’. This may vary between projects depending on the customer’s project specific or document control procedures. The Report should be saved in the project directory (in accordance with the project File Index) with an appropriate file name as per the standard WorleyParsons or project specific document numbers.

5.5 Archiving

A hard copy of the SIL determination report must be retained in accordance with the location archiving procedure.


6. LAYER OF PROTECTION ANALYSIS (LOPA) METHOD

The role that safety functions play in achieving the necessary risk reduction is illustrated in the figures below taken from IEC 61511:

The Layers of Protection Analysis (LOPA) method requires that the customer’s tolerable risk level (e.g. per scenario or cumulative) be stated explicitly as a numerical target. Once the tolerable risk frequency target is known, the required risk reduction, expressed as the Probability of Failure on Demand (PFD) of the SIF, can be determined. LOPA evaluates the risk of selected unwanted event scenarios in order-of-magnitude terms. The information required for the LOPA is contained in the data collected and developed in the HazOp study. The table below shows the relationship between the data required for LOPA and the data developed during the HazOp study.

LOPA required information        | HazOp developed information
Impact event                     | Consequence
Impact event severity level      | Consequence severity
Initiating cause                 | Cause
Initiating likelihood            | Cause frequency
Protection layers                | Existing safeguards
Required additional mitigation   | Recommended new safeguards

LOPA provides the basis for the specification of Independent Protection Layers (IPLs) and supports compliance with good process safety practice as per IEC 61508 and IEC 61511. A worked example of the LOPA method is presented in Appendix 1.

6.1 Protection Layers

In a typical chemical process various layers of protection against incidents are in place. The main purpose of the layers is to reduce the frequency of undesired consequences. These layers consist of preventive, protective or mitigating measures. Examples are:

- Inherently safe design features;
- Basic Process Control System (BPCS);
- Critical alarms and operator intervention;
- Safety Instrumented System (SIS) or Emergency Shutdown System;
- Pressure relief device;
- Mechanical integrity of vessel;
- Fire suppression system.

The layers of protection identified must be considered to be sufficiently independent to avoid common cause failure. An Independent Protection Layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario to control, prevent and/or mitigate process risk.

6.2 LOPA Steps

The method starts with data developed in the Hazard and Operability analysis (HazOp study) and accounts for each identified hazard by documenting the initiating cause and the protection layers that prevent or mitigate the hazard. The total amount of risk reduction can then be determined and the need for more risk reduction analyzed. If additional risk reduction is required, and if it is to be provided in the form of a SIF, the LOPA methodology allows the determination of the appropriate SIL for the SIF. The method is illustrated in the figure below. The steps are:

1. Select a SIF identifier (tag number) from the Cause & Effect Tables.
   - Develop an ‘impact event scenario’ based on the HazOp workshop records. The ‘consequences’ identified in the HazOp records are listed as ‘impact events’. Each ‘hazard and consequence’ pair is a single ‘impact event scenario’.
   - For each impact event scenario, evaluate the severity of the consequences on HSE and Assets.

2. Target Likelihoods: Set the impact event scenario ‘Target Likelihoods’ after mitigation to meet the HSE and Assets tolerable risks, on the basis of the severity of the consequences on HSE and Assets.

3. Initiating Cause(s): Determine the initiating causes of each impact event, i.e. all of the Initiating Causes of the hazard determined in the HazOp are listed.

4. Select an initiating cause and its frequency: Calculate the enabled initiating event(s) frequency. The hazard initiating cause likelihood (in events per year) is agreed on, i.e. a likelihood is estimated for each initiating cause.

5. Independent Protection Layers (IPLs): The IPLs are listed and each IPL is assigned a Probability of Failure on Demand (PFD) value. Among the IPLs are:
   - General Process Design / Inherent Safety: The general process design reduces the likelihood of the hazard manifesting itself when an Initiating Cause occurs. An example of this would be a jacketed pipe or vessel; the jacket would prevent the release of process material if the integrity of the primary pipe or vessel were compromised.
   - BPCS: If a control loop in the BPCS prevents the impact event from occurring when the Initiating Cause occurs, credit based on its PFD is claimed.
   - Operator Intervention (Alarms): This takes credit for alarms that alert the operator and rely on operator intervention. Ensure that the alarm is independent of the cause and of the BPCS (if credit is given for the BPCS).

6. Other Protection Layers: For each event the following probabilities are also determined:
   - Occupancy: The probability of a person being in the area.
   - Ignition: The probability that a release of flammable material will ignite or explode (given that it has already been released). The probability that a release will be ignited depends on a number of factors, including the chemical’s reactivity, volatility, auto-ignition temperature and physical state, as well as the potential sources of ignition that are present. For a blast to result from vapor cloud combustion, a reasonable amount of obstruction and confinement must exist to cause the flame front to burn turbulently and reach sonic velocity.
   - Fatality: The probability that a person will die given a release of hazardous material and a person already being there. Allow for escape and/or avoidance.

7. Intermediate Event Likelihood: The Intermediate Event Likelihood is calculated by multiplying the Initiating Likelihood by the PFDs of the protection layers and mitigating layers. The calculated number is in units of events per year. If the Intermediate Event Likelihood is less than the Corporate Criteria for Events of this Severity Level, additional PLs are not required. Further risk reduction should, however, be applied if economically appropriate.

8. Mitigated Event Likelihood: The mitigated event likelihood is calculated by multiplying the initiating cause likelihood by the PFDs for the applicable IPLs. The mitigated event likelihood is then compared to a criterion linked to the corporation’s criteria for unacceptable risk levels. Additional IPLs can be added to reduce the risk. The mitigated event likelihoods are summed to give an estimate of the risk for the whole process.

9. Select other initiating causes and their frequencies: Repeat all the previous steps for each initiating cause.

10. Safety Integrity Level Selection: The SIF’s required Integrity Level can be calculated by dividing the Corporate Risk Criteria for the event by the Required Event Likelihood (for all causes). A PFD for the SIF below this number is selected as the maximum for the SIS and entered.

    Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition * Probability of Occupancy * Probability of Fatality)

11. Environmental Integrity Level (EIL) Selection: The exposure factor for environmental effects and consequences is determined and inserted in the corresponding cell. As a result the Environmental Integrity Level (EIL) is determined. If a new SIF is needed to prevent environmental consequences, the Required Integrity Level can be calculated by dividing the Corporate Risk Criteria for the event by the Required Event Likelihood. A PFD for the SIF below this number is selected as the maximum for the SIS and entered.

    Required Event Likelihood = (Intermediate Event Likelihood) x (Exposure factor)

12. Asset / Economic Integrity Level (AIL) Selection: The exposure factor for asset / economic effects and consequences is determined and inserted in the corresponding cell. As a result the Asset / Economic Integrity Level (AIL) is determined. If a new SIF is needed, the Required Integrity Level can be calculated by dividing the Corporate Criteria for the event by the Required Event Likelihood. A PFD for the SIF below this number is selected as the maximum for the SIS and entered.

    Required Event Likelihood = Intermediate Event Likelihood x (Probability of Ignition * Probability of Occupancy * Probability of Fatality) x (PFD of safety instrumented function)

13. Select another SIF identifier (tag number) from the Cause & Effect Tables and repeat the process above.
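The arithmetic of steps 4 to 10 above, as an added worked example in Python; this is not the EPF-0267 worksheet and not WorleyParsons code. The two initiating causes, their IPL PFDs, the conditional modifiers and the tolerable frequency of 1e-6 fatality events per year are constructed sample values, and the SIL bands are the IEC 61511 low-demand PFD ranges. It goes slightly beyond the single-cause formula on the page: the required event likelihoods of all initiating causes are summed before the division in step 10 (the "for all causes" case of step 9), and the modifiers dictionary also covers the exposure-factor form used for EIL and AIL in steps 11 and 12.

```python
"""LOPA arithmetic for one impact event scenario (added example, not the guideline's worksheet)."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple, Union


@dataclass
class InitiatingCause:
    """One initiating cause of the impact event scenario (LOPA steps 3 to 6)."""
    name: str
    frequency: float                       # initiating likelihood, events per year
    ipl_pfds: Dict[str, float]             # credited IPLs and their PFD (step 5)
    # Conditional modifiers (step 6): ignition / occupancy / fatality for the safety
    # case, or a single exposure factor for the environmental and asset cases.
    modifiers: Dict[str, float] = field(default_factory=dict)


def intermediate_event_likelihood(cause: InitiatingCause) -> float:
    """Step 7: initiating likelihood x product of the IPL PFDs (events per year)."""
    return cause.frequency * prod(cause.ipl_pfds.values(), start=1.0)


def required_event_likelihood(cause: InitiatingCause) -> float:
    """Steps 10 to 12: intermediate likelihood x the conditional modifiers."""
    return intermediate_event_likelihood(cause) * prod(cause.modifiers.values(), start=1.0)


def max_sif_pfd(causes: List[InitiatingCause], tolerable_frequency: float) -> float:
    """Step 10: corporate risk criterion / required event likelihood summed over all causes.

    The result is the largest PFD the new SIF may have; SIL verification must later
    show that the designed SIF achieves a PFD at or below it.
    """
    total = sum(required_event_likelihood(c) for c in causes)
    return tolerable_frequency / total


# IEC 61511 low-demand PFD bands: (lower bound of the band, SIL)
SIL_BANDS: List[Tuple[float, int]] = [(1e-2, 1), (1e-3, 2), (1e-4, 3), (1e-5, 4)]


def sil_for_pfd(pfd_max: float) -> Union[int, str]:
    """Map the maximum permitted SIF PFD to a SIL, flagging the two out-of-range cases."""
    if pfd_max >= 0.1:
        return "no SIF required"          # the other layers already meet the target
    for lower, sil in SIL_BANDS:
        if pfd_max >= lower:
            return sil
    return "single SIF not adequate"      # below 1e-5: redesign rather than rely on one SIF


# Constructed sample scenario: vessel overpressure with two initiating causes.
# The relief valve is independent of both causes and is credited for both; the BPCS
# trip is credited only where the BPCS is not itself the initiating cause.
SAFETY_MODIFIERS = {"ignition": 0.5, "occupancy": 0.5, "fatality": 0.5}
SAMPLE_CAUSES = [
    InitiatingCause("BPCS pressure control loop failure", 0.1,
                    {"relief valve": 0.01}, SAFETY_MODIFIERS),
    InitiatingCause("Blocked outlet (operator error)", 0.5,
                    {"relief valve": 0.01, "BPCS high pressure trip": 0.1}, SAFETY_MODIFIERS),
]
TOLERABLE_FREQUENCY = 1e-6  # constructed corporate criterion: fatality events per year per scenario


def worked_example() -> Tuple[float, Union[int, str]]:
    """Run steps 7 to 10 on the sample scenario and return (maximum SIF PFD, SIL)."""
    pfd_max = max_sif_pfd(SAMPLE_CAUSES, TOLERABLE_FREQUENCY)
    return pfd_max, sil_for_pfd(pfd_max)


if __name__ == "__main__":
    for cause in SAMPLE_CAUSES:
        print(f"{cause.name}: intermediate {intermediate_event_likelihood(cause):.2e}/yr, "
              f"required {required_event_likelihood(cause):.2e}/yr")
    pfd_max, sil = worked_example()
    print(f"maximum SIF PFD {pfd_max:.2e} -> SIL {sil}")
```

With the sample numbers the two causes contribute 1.25e-4 and 6.25e-5 events per year, so the SIF may have a PFD of at most about 5.3e-3, which falls in the SIL 2 band; the PFD target itself, not just the band, is what the SIL verification study has to demonstrate.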


7. SIL VERIFICATION

Phase 4 of the safety life-cycle defined in IEC 61511-1 requires verification to be performed on the design to verify that the required SIL rating has been achieved. Refer to SIL Verification Guideline EPP-0266.


8. REFERENCES

1. IEC 61508 – Functional Safety of electrical/electronic/programmable electronic safety-related systems (Parts 1 to 7)
2. IEC 61511 – Functional Safety – Safety Instrumented Systems for the process industry sector (Parts 1 to 3)
3. AS 4360 – Risk Management (2004)


Appendix 1 - Example Worksheet for SIL Determination LOPA Method (Annex F - IEC 61511 part 3)


Example for Layer of Protection Analysis (LOPA) report format [Annex F – Layer of Protection Analysis from the IEC 61511 Part 3 Standard]


Appendix 2 - SIL Determination – SIL Matrix Method (Annex C - IEC 61511 part 3)


Hazardous Event Severity Matrix - SIL Matrix

One common technique among international refining, chemical and petrochemical companies is to use a risk matrix, which provides a correlation of risk severity and risk likelihood to SIL. The method allows the probability of the potential event to be considered during the assignment of SIL. It should also be noted that many companies already use a risk matrix and have their own guidelines. WorleyParsons recommend that for each customer the matrix’s compatibility be assessed and calibrated with the customer’s risk management requirements prior to any SIL determination. A corporate risk matrix provides control of the SIL assigned for a particular severity and likelihood. During the assessment of the incident severity and likelihood, the available layers of protection must be evaluated and their effect on the incident severity and likelihood must be determined. The safeguards must be independent, verifiable, dependable, and designed for the prevention of the specific risk.

The SIL matrix given here has been developed based on the guidelines given in IEC 61508 part 5, IEC 61511 and AS 4360 Risk Management [Ref. 3]. The matrix identifies the potential risk reduction that can be associated with the use of a SIS protection layer. The risk matrix is based on the operating experience and risk criteria of the specific company, the design, operating and protection philosophy of the company, and the level of safety that the company has established as its safety target level. Note that the use of a SIL matrix carries the inherent assumption that a ‘Low’ risk is acceptable.

Explanation and Use of SIL Matrix

The underlying principle is that for any system, hazards that present unacceptable risks need to be prevented or mitigated against to reduce the risk to ALARP. A SIL 1 protective system moves the risk associated with a hypothetical hazardous scenario 1 column to the right or 1 row down (i.e. reduced frequency or reduced consequence respectively, by 1 order of magnitude). Likewise a SIL 2 system would move the risk associated with a hazardous scenario 2 columns to the right or 2 rows down, i.e. 2 orders of magnitude, and so on. Therefore, to determine the SIL requirements of a system, the risk associated with a hazardous scenario needs to be determined without the SIS in place. Based on where the hazardous scenario is then located on the Risk Matrix, the number of columns or rows that need to be moved to reduce the hazardous scenario to an acceptable risk determines the SIL level(s) of the system(s). The two essential parameters of the SIL matrix are Consequence Severity and Frequency of Occurrence.

Consequence Severity

Associated with each hazardous event, the potential severity of the consequence without the protective system or loops in place needs to be defined. The SIL matrix has a few levels of consequence severity.


Frequency of Occurrence of the Initiating Event

The Frequency of Occurrence must be evaluated on the basis that the protective system(s) or loop(s) are excluded. It is the likelihood that the hazardous event occurs without taking account of the specific Safety Instrumented Systems. It should be noted that it is important to link the Frequency of Occurrence with the end event consequence severity defined above. An example of a SIL matrix is given below. Note: For each customer the matrix’s compatibility should be assessed and calibrated with the company’s risk management requirements prior to any SIL determination.


Examples of other consequence identifiers are given below:

Severity        | Safety | Environmental                  | Asset Protection
1 Catastrophic  |        | Nationwide attention           | $10 million
2 Major         |        | Attract regulatory attention   | $1 million
3 Moderate      |        | Breach of EPA regulations      | $100 thousand
4 Minor         |        | Small uncontained              | $10 thousand
5 Negligible    |        | Contained                      | $1 thousand


Appendix 3 - SIL Determination - Risk Graph Method (Annex D - IEC 61511 part 3)


Risk Graph

Risk graph is a semi-quantitative method that enables the safety integrity level of a safety instrumented function to be determined from knowledge of the risk factors associated with the process and the basic process control system. The method uses a number of parameters which together describe the nature of the hazardous situation when safety instrumented systems fail or are not available. The approach is based on Annex D of IEC 61511 part 3 and the following relationship:

R = f x C

where ‘R’ is the risk, ‘f’ is the frequency of the hazardous event, and ‘C’ is the consequence of the hazardous event, with no SIS in place but with all other risk reduction facilities in place. The frequency of the hazardous event, f, is made up of three factors:

F: Frequency of the exposure time in the hazardous zone.
P: Possibility of failing to avoid the hazardous event.
W: The probability of the hazardous event taking place in the absence of any safety related system (but having in place the external risk reduction facilities); this is termed the probability of an ‘unwanted occurrence’.

One parameter is chosen from each of four sets, and the selected parameters are then combined to decide the safety integrity level allocated to the safety instrumented function. The risk graph approach can also be used to determine the need for risk reduction where the consequences include acute environmental damage or asset loss. For example, if overpressure can lead to catastrophic vessel failure that is considered by the team to have the potential to result in a single fatality, then the frequency of this event, taking into account the likelihood of exposure of personnel to the event, should be estimated. This takes into account the ‘Exposure Factor’, F, described in the risk graph method of IEC 61511 and IEC 61508. The following pages present more practical information required to apply the risk graph methodology in a SIL determination exercise.


Risk graph (IEC 61511-3 Annex D layout). The path Consequence (C) -> Occupancy (F) -> Avoidance (P) leads to one of the intermediate nodes X1 to X6; the demand rate column (W) then gives the required SIL.

Consequence  Occupancy  Avoidance  Node
Ca           (any)      (any)      X1
Cb           Fa         Pa         X2
Cb           Fa         Pb         X3
Cb           Fb         Pa         X3
Cb           Fb         Pb         X4
Cc           Fa         Pa         X3
Cc           Fa         Pb         X4
Cc           Fb         Pa         X4
Cc           Fb         Pb         X5
Cd           Fa         Pa         X4
Cd           Fa         Pb         X5
Cd           Fb         Pa         X5
Cd           Fb         Pb         X6

Node   W3   W2   W1
X1     a    -    -
X2     1    a    -
X3     2    1    a
X4     3    2    1
X5     4    3    2
X6     b    4    3

NB – ‘a’ means a SIF is not required; ‘b’ means a single SIF is not adequate; ‘-’ means no safety requirement.

Risk parameter: Consequence (C)

Classification:
  Ca - Minor injury
  Cb - Number of fatalities in the range 0.01 to 0.1
  Cc - Number of fatalities in the range >0.1 to 1.0
  Cd - Number of fatalities >1.0

Comments:
  1. The classification system has been developed to deal with injury and death to people. The number of fatalities can be calculated by determining the number of people present when the area exposed to the hazard is occupied and multiplying by the vulnerability to the identified hazard (V). The vulnerability is determined by the nature of the hazard being protected against. The following factors can be used:
     V = 0.01 – Small release of flammable or toxic material
     V = 0.1 – Large release of flammable or toxic material
     V = 0.5 – As above but with a high probability of catching fire, or highly toxic material
     V = 1 – Rupture or explosion
  2. For the interpretation of Ca, Cb, Cc and Cd the consequences of the accident and normal healing should be taken into account.


Risk parameter: Occupancy (F)

Classification:
  Fa - Rare to more frequent exposure in the hazardous zone. Occupancy less than 0.1.
  Fb - Frequent to permanent exposure in the hazardous zone.

Comments:
  This is calculated by determining the proportional length of time the area exposed to the hazard is occupied during a normal working period.
  NOTE 1: If the time in the hazardous area is different depending on the shift being operated, then the maximum should be selected.
  NOTE 2: It is only appropriate to use Fa where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is usually the case with demands which occur at equipment start-up or during the investigation of abnormalities.
  See comment 1 above.

Risk parameter: Probability of avoiding the hazardous event (P) if the protection system fails to operate

Classification:
  Pa - Adopted if all the conditions listed in the comments are satisfied
  Pb - Adopted if all the conditions are not satisfied

Comments:
  Pa should only be selected if all the following are true:
  - facilities are provided to alert the operator that the SIS has failed;
  - independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area;
  - the time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Risk parameter: Demand rate (W), the number of times per year that the hazardous event would occur in the absence of the SIF under consideration

Classification:
  W1 - Demand rate less than 0.1D* per year
  W2 - Demand rate between 0.1D and D per year
  W3 - Demand rate between D and 10D per year
  For demand rates higher than 10D per year, higher integrity shall be needed.

Comments:
  To determine the demand rate it is necessary to consider all sources of failure that can lead to one hazardous event. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not designed and maintained according to IEC 61511 is limited to below the performance ranges associated with SIL 1.
  1. The purpose of W is to estimate the frequency of the hazardous event taking place without the addition of the SIS.
  2. If W is very high, the SIL has to be determined by another method or the risk graph recalibrated.

*D is a calibration factor, the value of which should be determined so that the risk graph results in a level of residual risk which is tolerable, taking into consideration other risks to exposed persons and corporate criteria. Note – The WorleyParsons default value for ‘D’ is 0.1.
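The risk graph lookup and the four parameter classifications of Appendix 3, as an added Python example; it is not a WorleyParsons tool. The node and W tables encode the risk graph reproduced above, the C/F/P/W thresholds come from the parameter tables, and D defaults to the 0.1 quoted for WorleyParsons. Two assumptions are labelled in the code: expected fatalities below 0.01 are mapped to Ca (the table gives Ca only as "minor injury"), and the three Pa conditions are passed in as booleans already judged by the study team. The sample inputs at the bottom are constructed.

```python
"""Risk graph SIL lookup for Appendix 3 (added example; not a WorleyParsons tool)."""
from typing import Tuple, Union


def risk_graph_node(c: str, f: str, p: str) -> int:
    """Intermediate node X1..X6 reached by the C -> F -> P path (IEC 61511-3 Annex D layout).

    Ca goes straight to X1; otherwise each 'worse' choice of F or P moves one node down.
    """
    if c == "Ca":
        return 1
    return {"Cb": 2, "Cc": 3, "Cd": 4}[c] + {"Fa": 0, "Fb": 1}[f] + {"Pa": 0, "Pb": 1}[p]


# Rows X1..X6 against demand-rate columns W3/W2/W1, as in the risk graph above.
# 'a' = SIF not required, '-' = no safety requirement, 'b' = single SIF not adequate.
RISK_GRAPH = {
    1: {"W3": "a", "W2": "-", "W1": "-"},
    2: {"W3": 1,   "W2": "a", "W1": "-"},
    3: {"W3": 2,   "W2": 1,   "W1": "a"},
    4: {"W3": 3,   "W2": 2,   "W1": 1},
    5: {"W3": 4,   "W2": 3,   "W1": 2},
    6: {"W3": "b", "W2": 4,   "W1": 3},
}


def risk_graph_sil(c: str, f: str, p: str, w: str) -> Union[int, str]:
    """Look up the required SIL for one combination of the four risk parameters."""
    return RISK_GRAPH[risk_graph_node(c, f, p)][w]


def consequence_class(people_present: float, vulnerability: float) -> str:
    """Expected fatalities = people present x V (comment 1 of the C table).

    Assumption: fewer than 0.01 expected fatalities is treated as Ca (minor injury).
    """
    fatalities = people_present * vulnerability
    if fatalities < 0.01:
        return "Ca"
    if fatalities <= 0.1:
        return "Cb"
    if fatalities <= 1.0:
        return "Cc"
    return "Cd"


def occupancy_class(fraction_of_time_occupied: float) -> str:
    """Fa when the area is occupied less than 10% of the time (use the worst shift, NOTE 1)."""
    return "Fa" if fraction_of_time_occupied < 0.1 else "Fb"


def avoidance_class(operator_alerted: bool, independent_shutdown_or_escape: bool,
                    time_sufficient: bool) -> str:
    """Pa only when all three conditions in the P comments hold (team judgement), otherwise Pb."""
    return "Pa" if (operator_alerted and independent_shutdown_or_escape and time_sufficient) else "Pb"


def demand_rate_class(demands_per_year: float, d: float = 0.1) -> str:
    """W1/W2/W3 against the calibration factor D (WorleyParsons default 0.1)."""
    if demands_per_year < 0.1 * d:
        return "W1"
    if demands_per_year <= d:
        return "W2"
    if demands_per_year <= 10 * d:
        return "W3"
    raise ValueError("demand rate above 10D: higher integrity needed; use another method or recalibrate")


def assess(people_present: float, vulnerability: float, occupancy_fraction: float,
           operator_alerted: bool, independent_shutdown_or_escape: bool, time_sufficient: bool,
           demands_per_year: float, d: float = 0.1) -> Tuple[str, str, str, str, Union[int, str]]:
    """Classify all four parameters and look up the SIL; returns (C, F, P, W, SIL)."""
    c = consequence_class(people_present, vulnerability)
    f = occupancy_class(occupancy_fraction)
    p = avoidance_class(operator_alerted, independent_shutdown_or_escape, time_sufficient)
    w = demand_rate_class(demands_per_year, d)
    return c, f, p, w, risk_graph_sil(c, f, p, w)


if __name__ == "__main__":
    # Constructed sample: 2 people in the area half the time, large flammable release (V = 0.1),
    # no independent alert / escape provision, 0.05 demands per year with D = 0.1.
    print(assess(2, 0.1, 0.5, False, False, False, 0.05))   # ('Cc', 'Fb', 'Pb', 'W2', 3)
    # Same scenario once all three Pa conditions are provided for: one SIL lower.
    print(assess(2, 0.1, 0.5, True, True, True, 0.05))      # ('Cc', 'Fb', 'Pa', 'W2', 2)
```

The second call shows the practical value of the P parameter: providing an independent alert, an independent means of shutdown or escape and enough time to act moves the scenario from X5 to X4 and lowers the SIL requirement by one, which is often cheaper than a higher-integrity SIF. Demand rates above 10D raise an error rather than returning a SIL, matching the table's instruction to use another method or recalibrate.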
