qp guideline for safety integrity level review

STANDARDS PUBLICATION

QP GUIDELINE FOR SAFETY INTEGRITY LEVEL REVIEW

DOC NO: QP-GDL-S-030

REVISION 1

CORPORATE HSE SUPPORT DEPARTMENT

QP GUIDELINE FOR SAFETY INTEGRITY LEVEL REVIEW DOC. No. QP-GDL-S-030 Rev1

Doc File No.: GDL-S-030 R1 Page 2 of 31 Custodian Dept: ST

TABLE OF CONTENT

FOREWORD

1.0 INTRODUCTION
2.0 SCOPE
3.0 APPLICATION
4.0 POLICY
5.0 TERMINOLOGY
    5.1 DEFINITIONS
    5.2 ABBREVIATIONS
6.0 REFERENCE STANDARDS
7.0 METHODOLOGY/APPROACH
8.0 TEAM STRUCTURE AND RESPONSIBILITIES
    8.1 TEAM STRUCTURE
    8.2 ROLES AND RESPONSIBILITIES
9.0 REQUIREMENTS
    9.1 PREPARATION OF THE REVIEW
    9.2 SIL REVIEW
    9.3 VALIDATION OF SIF
    9.4 CAUSE DEMAND SCENARIO
    9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
    9.6 INDEPENDENT SAFEGUARDS
    9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD
10.0 PLANNING
    10.1 PREPARATION OF THE REVIEW
    10.2 TIMING OF THE REVIEW
11.0 DOCUMENTS REQUIRED AND RECORDING
    11.1 DOCUMENTS REQUIRED
    11.2 RECORDING
    11.3 REPORTING AND FOLLOW-UP
12.0 APPENDICES
    12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
    12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
    12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
    12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
    12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS
    12.6 APPENDIX VI - DEMAND RATE
    12.7 APPENDIX VII – CORPORATE RISK MATRIX

REVISION HISTORY LOG

FOREWORD

This document has been developed by Corporate HSE Support Department, reviewed and edited by Corporate Quality and Management System Department and circulated for review by user departments before being endorsed by QP Management to provide guideline.

This document is published for use by QP Departments/Contractors/Consultants. It is emphasized that the document is to be used for QP operations wherever applicable and appropriate. This document is subject to periodic review to re-affirm its adequacy, to conform to any changes in the corporate requirements or to include new developments on the subject. It is recognized that there will be cases where addenda or other clarifications need to be attached to the standard to suit a specific application or service environment. As such, the content of the document shall not be changed or re-edited by any user, but any addenda or clarifications entailing major changes shall be brought to the attention of the Custodian Department. The custodian of this document is Corporate HSE Support Department (ST). Therefore, all comments, views, recommendations, etc. on it shall be forwarded to the same and copied to Manager, Corporate Quality & Management Systems Department (QA).

1.0 INTRODUCTION

Safety Integrity Level (SIL) review is an analysis which aims at the determination of the appropriate reliability required from the elements of the Safety Instrumented Functions (SIF) identified in prior safety reviews (e.g. HAZOP).

The approach of this guideline is to remove the uncertainty regarding the safety integrity, cost effectiveness and availability requirements, reducing over and under engineering, in a traceable manner.

A SIL study is a method to record all the SIFs for a project development and document the expected reliability level. It provides a basis for future maintenance and operating strategies. The SIL study shall be conducted during the FEED phase and/or EPIC phase in accordance with the Project HSE Plan or as required by the outcome of Safety Reviews of a project.

SIL assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to a tolerable level. All of the Safety Instrumented Systems (SIS) design, operation and maintenance choices must then be verified against the SIL assigned.

2.0 SCOPE

This guideline details the structure, responsibilities and techniques of the Safety Integrity Level (SIL) review.

3.0 APPLICATION

The SIL review of the project shall cover all Safety Instrumented Systems (SIS) in process and utility units where there is potential for hazard to human safety, environment or asset/production loss.

4.0 POLICY

QP is committed to protect the health and safety of its employees and others that may be affected by its activities and to give proper regard to the conservation of the environment. QP policy is to conduct its activities such that it strives towards an incident free, secure, safe and healthy workplace. Safety studies and reviews shall be performed during the course of a project or modifications to an existing facility. This is to identify, qualify, quantify and to establish that design safety measures shall provide adequate protection and mitigate any risk involved with the proposed project development or the modifications.

5.0 TERMINOLOGY

5.1 DEFINITIONS

Basic Process Control System (BPCS) - A combination of Sensors, Logic Solvers and Final elements which automatically regulate the process within normal production limits. The BPCS provides control of a process in the desired manner.

Cause - Factor contributing alone or in combination with others to the release of a hazard (in this guideline synonymous with the “demand scenario” triggering a SIF).

Company - Means QATAR PETROLEUM or “QP”.

Consequence (C) - Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Effect on personnel safety, economic loss, environmental loss.

Consequences of Failure on Demand - Escalation events that happen after the failure of the SIF during its solicitation. Effect on personnel safety, economic loss, environmental effect.

Demand Rate (W) - The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.

Demand Scenario - The set of conditions triggering a SIF action (synonymous with Cause).

Design Intent - The reason why a SIF is set; its purpose.

Final Element - A device which manipulates a process variable to achieve control, e.g. Control Valve, Emergency Block Valve, motor starter.

Layers of Protection Analysis - A process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.

Logic Solver - The element of the BPCS or SIS that implements one or more logic functions.

Hazard - A source of potential harm or damage, or a situation with potential for harm or damage.

Licensor - LICENSOR or PROCESS LICENSOR means each of the Companies which have granted (or will grant) to QP a Process License and have provided (or will provide) the corresponding Licensor Basic Engineering Package (BEP) during the FEED project.

Occupancy (F) - Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event.

Probability of Avoiding the Hazard (P) - The probability that exposed persons are able to avoid the hazardous situation which exists if the SIF fails on demand.

Probability of Failure on Demand - The probability that a system fails to perform a specified function on demand.

Recovery Measures - All technical, operational and organizational measures that limit the chain of consequences arising from a top event and assist return to normal operation.

Safety Integrity Level - Defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF). Four levels of SIL are defined; SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.

Safety Instrumented Function - A safety function with a specified safety integrity level which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function or a safety instrumented control function.

Safety Instrumented System - Instrumented system used to implement one or more safety instrumented functions. A Safety Instrumented System is composed of any combination of sensor(s), logic solver(s), and final element(s). It performs specified safety instrumented functions to achieve or maintain a safe state of the process when unacceptable or dangerous process conditions are detected. Safety instrumented systems are separate and independent from regular control systems but are composed of similar elements, including sensors, logic solvers, and final elements.

5.2 ABBREVIATIONS

CoFD - Consequence of Failure on Demand

EPIC - Engineering, Procurement, Installation and Commissioning

ESD - Emergency Shut Down

FEED - Front End Engineering Design

F&G - Fire & Gas System

HAZOP - Hazard and Operability Study

LOPA - Layer of Protection Analysis

LP - Loss Prevention

P&ID - Piping & Instrumentation Diagram

PFD - Process Flow Diagram

PSD - Process Shut Down

QP - Qatar Petroleum.

SIL - Safety Integrity Level

SIF - Safety Instrumented Function

SIS - Safety Instrumented System

6.0 REFERENCE STANDARDS

IEC-61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
    Part 1: General requirements;
    Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
    Part 3: Software requirements;
    Part 4: Definitions and abbreviations;
    Part 5: Examples of methods for the determination of safety integrity levels (supporting information);
    Part 6: Guidelines for the application of IEC 61508-2 and IEC 61508-3;
    Part 7: Overview of techniques and measures.

IEC-61511 Functional safety – Safety instrumented systems for the process industry sector
    Part 1: Framework, definitions, system, hardware and software requirements;
    Part 2: Guidelines for the application of IEC 61511-1;
    Part 3: Guidelines for the determination of the required safety integrity levels.

7.0 METHODOLOGY/ APPROACH

The technical standard IEC 61511 sets out a good practice for engineering of safety instrumented systems that ensure the safety of process industries. This standard defines the functional safety requirements established by IEC 61508 in process industry sector terminology.

It also focuses attention on one type of instrumented safety system used within the process sector, the safety instrumented system (SIS).

IEC 61511 covers the design and management requirements for SISs. Its scope includes initial concept, design, implementation, operation, and maintenance through decommissioning. The standard starts in the earliest phase of a project and continues through start up. It contains sections that cover modifications that come along later, along with maintenance activities and the eventual decommissioning activities.

The standard consists of three parts as detailed under Clause 6.0.

The SIL review session is a guided team brainstorming activity that benefits from a structured method and from the broad experience of a multidisciplinary team led by a SIL facilitator.

The methodology that will be employed for the SIL determination is a semi-qualitative method: the calibrated risk graph, as defined in IEC 61511-3 Annex D.

Essentially the SIL derived rating is a measure of the risk reduction that is required to be achieved by the safety instrumented system in order that the residual risk is acceptable or is as low as reasonably acceptable (ALARP).

There are four levels of Safety Integrity for Safety Instrumented Functions, SIL 1 to SIL 4. SIL 4 has the highest level of safety integrity and SIL 1 has the lowest. For SIFs which are assigned SIL 1 or SIL 2, no further studies or action shall be required. However, for SIFs which are assigned SIL 3 or 4, the SIL classification shall be considered in detail using a quantitative method: Layer of Protection Analysis (LOPA) as defined in IEC 61511-3 Annex F.

The SIL classification study shall be carried out for all the elements of the SIS, i.e. PSD, ESD and F&G, as identified in the Cause & Effect matrix.

The outcome of the SIL assessment is followed by a SIL verification study, where the reliability of the SIS is verified.

A dedicated computer spreadsheet or dedicated SIL software shall be used for recording SIL proceedings. The software tool used for determining SIL shall be in accordance with IEC 61508/61511 and shall have a provision to calibrate the Risk Graph based on the QP SIL review guideline.

Note: Contractor shall develop a project-specific SIL procedure and terms of reference consistent with the QP SIL guideline and shall submit them to QP for prior approval.

8.0 TEAM STRUCTURE AND RESPONSIBILITIES

8.1 TEAM STRUCTURE

In performing a SIL review, the proper selection of team participants is very important. The review team shall consist of personnel who are knowledgeable in the process technology and experienced in the operations of the process. The team shall have the necessary SIL review experience and shall have obtained formal training in SIL techniques. The chairman will be independent of the CONTRACTOR. QP will review and approve the Chairman’s resume prior to the SIL review.

The planned multidisciplinary core team necessary for the realisation of the SIL review shall include the following disciplines, with the number of members limited to a maximum of 10 persons excluding the chairman and scribe.

a) Qatar Petroleum
   - Loss Prevention Engineer – Corporate HSE support
   - Process Engineer
   - Instrumentation Engineer
   - Operation Engineer
   - Loss Prevention Engineer
   - Maintenance Engineer

b) Independent Third Party
   - Chairman

c) Project Independent
   - Contractor’s LP Engineer
   - Scribe

d) Contractor
   - Process Engineer
   - Instrumentation Engineer
   - Loss Prevention Engineer

e) LICENSOR (for LICENSOR units)
   - Process Engineer (knowledgeable of processes involved in project)
   - Instrumentation Engineer

Additional specialists of other disciplines may be called to participate upon request according to the needs identified by the other permanent members of the team.

8.2 ROLES AND RESPONSIBILITIES

The quality of the review depends heavily on the contribution of all team members and on their global expertise.

In order to achieve a quality result, members of the team shall:

- adopt a positive attitude toward other team members’ contributions,
- provide their expertise on the project specifics and from similar experience elsewhere,
- be logical, open minded and creative,
- focus on the objective of the SIL study.

8.2.1 Chairman

The Chairman requires a high level of technical and managerial skills, together with expertise and experience in conducting SIL reviews and SIL verification studies. He needs to remain independent of the discussion and shall not be associated with the project. The Chairman’s resume shall be reviewed and approved by QP prior to a SIL session.

The role of the Chairman is critical to the success of the meeting.

He shall:

- Prepare, and make a presentation prior to the review on, the SIL techniques, rules and assumptions to be used by the team during the review,
- Lead the team through the SIL Determination technique,
- Prompt the brainstorming effort, and manage the discussion,
- Identify the key issues as they are raised by the team,
- Facilitate the evaluation of demand rates and consequences and ensure consistency of rating,
- Manage the recording of the findings by the scribe,
- Ensure that the minutes fully reflect the points identified,
- Generate the report of the review.

8.2.2 Scribe

The scribe shall be skilled in accurately recording the outcome of the discussions. Without being highly experienced, the scribe needs to be familiar with engineering terminology. He/She shall:

- Be familiar with the computer software used to record the review findings before the start of the review,
- Follow the Chairman’s instruction in recording the team findings.

8.2.3 Instrumentation/LP Engineer (Contractor)

Prior to the review, the instrumentation engineer/specialist is responsible for completing the following elements for each SIF, based on the Cause & Effect Matrix/P&ID/HAZOP/Safe Charts. For each SIF to be reviewed, the SIL review worksheet shall be provided by:

- Listing the initiators,
- Listing the final elements,
- Defining the success criteria for initiators and final elements, and
- Indicating the associated actions.

An example of a SIL Review Worksheet is provided in Appendix I.

8.2.4 Process Engineer (Contractor)

Prior to the review, the process engineer is responsible for describing the “Design intent” of the SIF and for providing this information to the Instrumentation Engineer for implementation in the SIL review worksheet.

An example of how this is documented is provided in Appendix I (1st column on left of the table).

9.0 REQUIREMENTS

9.1 PREPARATION OF THE REVIEW

- Prior to the review, the chairman shall collect the SIF description (SIF name, initiator(s), final elements, success criteria, associated actions and design intent) from the instrumentation specialist/LP engineer.
- The chairman shall make a presentation to the team about the purpose and scope of the SIL review, to focus the efforts of the team members.
- The chairman shall make a presentation to the team about the methodology to be used in the SIL review. This establishes a common starting basis for the team that is necessary to conduct an effective SIL review.
- The parameters of the Project Risk Matrix shall be presented to the team for subsequent use in the evaluation of SIL assessment (Ref Appendix VII).
- The process engineer shall present an overall explanation of the plant’s process so that all team members have a clear understanding of the basic operations of the plant. This also acquaints the team members with typical scenarios that may lead to a hazardous condition.

- Dedicated SIL software or spreadsheets shall be introduced to the team to log the SIL review session (Contractor shall specify the software/spreadsheet proposed while submitting the SIL methodology document for QP approval prior to a SIL review session).

9.2 SIL REVIEW

The SIL review sequence shall be divided into steps as follows:

- Select the Safety Instrumented Function,
- Validate the SIF description (already documented in the SIL review worksheet by the instrumentation/LP engineer),
- Validate the design intent (already documented in the SIL review worksheet by the process engineer),
- Determine (by brainstorming) all the potential causes/demand scenarios which trigger the SIF action,
- Agree the credibility of each cause,
- Identify the potential hazard in terms of:
    i. Consequences of SIS failure on Demand (C)
       - Personnel Safety (S)
       - Environmental Effect (E)
       - Economic loss (A)
    ii. Occupancy (F)
    iii. Probability of avoiding the hazardous situation (P)
    iv. Demand Rate (W)
- Assess the preventive, protective and mitigation safety features,
- Assign SIL based on the C, F, P and W parameters,
- Agree a recommendation for action or further consideration of the problem (if applicable),
- Apply the next cause (relevant to the selected SIF),
- Move on to the next SIF of the system until the whole study has been examined.

Figure 1 given below is a pictorial description of the review procedure.

Figure 1: SIL Review Process Schematic

9.3 VALIDATION OF SIF

The Instrumentation or LP engineer shall present each SIF to the review team so that all team members have the same understanding of its purpose (design intent).

9.4 CAUSE DEMAND SCENARIO

The team shall brainstorm to identify possible causes for the conditions that trigger the SIF. The demand could be caused by any of a number of reasons, e.g., control instrument malfunction, operator error, loss of feed, etc. Each cause shall be clearly documented in the SIL review worksheet.

The team shall focus on all possible causes of the hazard against which the SIF is designed (design intent) and ensure all of them are indeed sources of demand on the SIF.

9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)

The team shall identify all the consequences of the identified demand scenario(s). The location of the plant and the relative positions of installations can have a significant influence on the consequences.

The correct appreciation of these consequences is critical to the appropriate classification of the SIF.

9.6 INDEPENDENT SAFEGUARDS

Where applicable, the team may list independent safeguards (independent from the SIF) which can reduce the event probability.

9.7 SIL ASSESSMENT – CALIBRATED RISK GRAPH METHOD

After the evaluation of the Consequences of Failure on Demand, each SIF is assigned a Safety Integrity Level (SIL).

The SIL determination shall be based on calibrated risk graphs from IEC 61511-3. These risk graphs are based on the following:

- The consequences of the hazardous situation for Personnel Safety, Environment and Economic/Asset loss (parameters S, E and A respectively),
- The Occupancy (parameter F),
- The probability of avoiding the hazardous situation (parameter P),
- The Demand Rate (W).

9.7.1 Consequence (Parameters S, E and A)

The consequences of the hazardous situation for personnel safety, environment and economic/ asset loss (parameters S, E and A respectively) are further defined for various risk levels. These definitions are consistent with QP Risk Assessment Matrix.

Table 1 - Consequence Risk Parameter for Personnel Safety (S)

Consequence Risk Parameter - Definition

S1 (CA) - Minor injury or health effects
S2 (CB) - Major injury or health effects
S3 (CC) - Single fatality or Permanent total disability
S4 (CD) - Multiple fatalities

Notes:

- The classification system has been developed to deal with injury and death to people.
- For the interpretation of S1, S2, S3 and S4 parameters, the consequences of the accident and normal healing shall be taken into account.

Table 2 - Environmental Consequence Parameter (E)

Level of Environmental Consequences - Definition

E1 (CA) - Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.

E2 (CB) - Localized effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence/neighborhood.

E3 (CC) - Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceeding of statutory or prescribed limits.

E4 (CD) - Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant high exceeding of statutory or prescribed limits.

Table 3 - Economic/Asset Consequence Parameter (A)

Level of Economic Consequences - Definition

A1 (CA) - Minor damage: Brief disruption to operation with estimated costs less than QR 350,000.

A2 (CB) - Local Damage: Partial shutdown of operation; can be restarted but with estimated costs up to QR 3,500,000.

A3 (CC) - Major Damage: Partial loss of operation; 2 weeks shutdown with estimated costs up to QR 35,000,000.

A4 (CD) - Extensive Damage: Substantial or total loss of operation; with estimated costs in excess of QR 35,000,000.

9.7.2 Exposure time (Parameter F)

The exposure time of an individual in a hazardous situation is further defined for two occupancy conditions.

Table 4 - Occupancy Exposure Time Parameter (F)

Exposure time in the hazardous zone - Definition

F1 - Rare to more often exposure in the hazardous zone (normally unmanned operation of the relevant part of the plant). Occupancy less than 10%.

F2 - Frequent to permanent exposure in the hazardous zone (relevant part of plant is attended locally on a regular basis, e.g. every shift, or during the specific time of demand, e.g. start-up or shut-down, or relevant part of the plant is located near a continuously occupied road).

9.7.3 Probability of avoiding the Hazard (Parameter P)

This parameter represents the probability of avoiding the hazardous event if the protection system fails. Two scenarios are defined for SIL review.

Table 5 - Probability of avoiding the Hazard Parameter (P)

Probability of avoiding the hazardous event - Definition

P1 - Possible under certain conditions – some warning available. (Operator is capable of getting away from the hazard or hazard is mitigated by other measures).

P2 - Almost impossible – No warning available. (Operator may not be aware of hazard or may not be able to get away sufficiently quickly).

Notes: This parameter takes into account:

- Operation of a process (supervised, i.e. operated by skilled or unskilled persons, or unsupervised).
- Rate of development of the hazardous event (suddenly, quickly and slowly).
- Ease of recognition of danger (seen immediately, detected by technical measures or detected without technical measures).

- Avoidance of hazardous event (escape possible, not possible or possible under certain conditions; independent facilities are provided to shutdown).
- Facilities are provided to alert the operator that the SIS has failed.
- The time between the operator being alerted and a hazardous event occurring exceeds 15 minutes or is definitely sufficient for the necessary actions.
- Actual safety experience (such experience may exist with an identical unit or a similar unit or may not exist).

9.7.4 Demand Rate (W)

The purpose of the demand rate (W factor) is to estimate the frequency of the unwanted occurrence in the absence of the SIF under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration. Three conditions are defined for SIL review.

Table 6 - Demand Rate Parameter (W)

Likelihood of the unwanted occurrence - Definition

W1 - A very slight probability that the unwanted occurrences will happen and only a few unwanted occurrences are likely: Once in every 30 to 100 years.

W2 - A slight probability that the unwanted occurrences will happen and few unwanted occurrences are likely: Once in every three to 30 years.

W3 - A relatively high probability that the unwanted occurrences will happen and frequent unwanted occurrences are likely: more than once in every one to three years.

9.7.5 Risk Graph – Personnel Safety, (Ref. IEC 61511-3 fig D.1)

The risk graph referred to in Figure 2 shall be used to determine SIL for personnel safety.

The consequences of the hazardous situation for personnel safety are determined as SIL levels using the risk graph.

Fig 2- Risk Graph: Personnel Safety

9.7.6 Risk Graph – Environmental Loss, (Ref. IEC 61511-3 fig D.2)

The risk graph referred to in Figure 3 shall be used to determine SIL for environmental loss.

The consequences of the hazardous situation for environmental loss are determined as SIL levels using the risk graph.

Fig 3- Risk Graph: Environmental Loss

9.7.7 Risk Graph – Economical Loss

The risk graph approach may also be used to determine the integrity level requirements where the consequences of failure include asset loss. Asset loss is the total economic loss associated with failure to function on demand. A similar risk graph to that used for environmental protection can be used for asset loss. It should be noted that the F parameter should not be used the concept of occupancy does not apply. Other parameter P and W apply and definitions can be identical to those applied above to safety consequences.

Fig 4- Risk graph: Economic loss

For each SIF operating in demand mode, the required SIL shall be specified in accordance with Figs 2, 3 or 4. The SIL assigned to each range of probability of failure on demand is given in Table 7 for reference.

Table 7 - Safety Integrity Levels: Demand mode of operation

| Safety Integrity Level | Target average probability of failure on demand |
|---|---|
| 4 | 10^-5 to < 10^-4 |
| 3 | 10^-4 to < 10^-3 |
| 2 | 10^-3 to < 10^-2 |
| 1 | 10^-2 to < 10^-1 |


The selected SIL level for a safety interlock function is the highest of the three individual SILs (Safety, Economical and Environmental) and defines a minimum SIL. It is always possible to select a higher SIL level than the required SIL if the project team prefers this.

10.0 PLANNING

10.1 PREPARATION OF THE REVIEW

Once the dates and duration of the review(s) are known, the necessary logistical arrangements shall be made.

Appendix IV provides a checklist of the SIL review preparation items.

10.2 TIMING OF THE REVIEW

The SIL review of a project shall take place after the associated HAZOP review.

A dedicated session shall be held for each unit.

11.0 DOCUMENTS REQUIRED AND RECORDING

11.1 DOCUMENTS REQUIRED

Before the start of the SIL review exercise the following documents shall be available to serve as input information for the discussion:

- Process Flow Diagrams (PFD).
- Piping and Instrument Diagrams (P&ID). The P&IDs used for the SIL review will show all instruments, check valves, safety valves, controllers, pressure and level switches that are included in the limits of supply.
- Cause & Effect matrix.
- Safe Charts.
- Previous Hazard Analysis (HAZOP) review findings.
- Control and Safeguarding philosophy.
- Interlocks description.
- Layout/plot plan (if available).
- For LICENSOR units, where applicable, LICENSOR recommendation for SIL based on their design knowledge and operating experience.
- Material balance information (information on request).

11.2 RECORDING

The findings of the application of the methodology presented above shall be recorded during the session by the scribe with the computer spreadsheet or dedicated SIL software. The scribe records the results of this identification activity in a table type file (see appendix I) using a computer and a video projector. Use of a video projector shall allow the team to visualise the record. A SIL review worksheet used for the report of the findings is presented in appendix I.


Upon completion of the review the chairman will produce a report, which discusses the findings of the review and details the critical findings.

11.3 REPORTING AND FOLLOW-UP

Subsequent to the SIL study, the SIL chairman shall issue the study report and shall document the following as a minimum (see Appendix III for the full table of contents of the report):

- The scope of the study;
- Study Methodology;
- The study team;
- The SIFs reviewed and the reference used;
- Summarise and present the SIL review proceeding, all the recommendations and actions raised with proper reference for close out actions to be carried out;
- Identify/List those responsible for preparing responses to the actions and recommendations;
- Schedule, monitor and record the execution of necessary close out actions.

Recommendations (action/query items) shall be recorded and the corresponding SIL ACTION SHEET (see Appendix II) shall be generated for subsequent follow-up by the project.

The Project Engineer shall be responsible for ensuring appropriate project follow-up so that the action recommendations generated during the review are implemented (see Appendix II).

A Formal SIL Close out Report with SIL verification study shall be submitted to QP for approval.


12.0 APPENDICES

12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD

Project Name /No:

SIF No: Date Reviewed: DD MMM YYYY

SIF: Reference / name of the selected SIF

Initiators:

Final Elements:

Initiator Success Criteria:

Final Element Success Criteria:

Associated Operating Actions:

Drawings and Documents:

Documents used:

| DESIGN INTENT | CAUSE / DEMAND SCENARIO | CONSEQUENCES of FAILURE on DEMAND (CoFD) | INDEPENDENT SAFEGUARDS | RECOMMENDATIONS |
|---|---|---|---|---|
| Purpose of the SIF | List here causes that will trigger the SIF to operate. | List here all the consequences that will occur in case of Failure on demand of the SIF | List here all the independent safeguards | Recommendation of the team (if any) |

Required SIL level

SIF Action Number:

Assigned to: Name of person

| | Consequence Parameter | Occupancy Parameter | Probability of Avoiding the hazard Parameter | Demand Rate Parameter | SIL Level |
|---|---|---|---|---|---|
| Safety | | | | | |
| Environment | | | | | |
| Economic | | | | | |


12.2 APPENDIX II: TYPICAL SIL ACTION SHEET

SIF STUDY ACTION AND RESPONSE SHEET

SIF ACTION ON: RESPOND BY:

SIF ACTION NO: MEETING DATES: DD MMM YYYY

DRAWINGS AND DOCUMENTS:

documents used (from the front page list of documents studied)

SIF : (SIF Table 1)

Reference / name of the selected SIF

DESIGN INTENT:

purpose of the SIF

CAUSE / DEMAND SCENARIO:

list here causes that will trigger the SIF to operate

CONSEQUENCES of FAILURE on DEMAND (CoFD):

list here all the consequences that will occur in case of Failure on demand of the SIF.

INDEPENDENT SAFEGUARDS:

list here all the independent safeguards

RECOMMENDATIONS:

recommendation of the team (if any)

RESPONSE: (Action ) DATED:

SIGNED:

ENTER YOUR RESPONSE IN THE BOX ABOVE, THEN SIGN AND RETURN TO:

NOTES (for use of Scribe only)


12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT

TABLE OF CONTENT

1.0 SUMMARY

2.0 INTRODUCTION

3.0 SCOPE

4.0 TEAM COMPOSITION

5.0 DOCUMENT REFERENCES (including the present procedure)

6.0 GENERAL DESCRIPTION

7.0 FINDINGS OF THE REVIEW (if any)

8.0 CONCLUSION (as required)

In attachment:

9.0 COPY OF REFERENCE DOCUMENTS MARKED DURING REVIEW

10.0 SIF CLASSIFICATION RISK MATRIX

11.0 SIL WORKSHEET TABLES

12.0 SIF CLASSIFICATION REVIEW ACTION SHEETS (if any)


12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST

Check-list up-dated by: Name: _ _ _ _ _ _ _ _ _ _ Date: _ _/ _ _/ _ _

Logistics:

Dates defined: start date: _ _/ _ _/ _ _ End date: _ _/ _ _/ _ _

Chairman selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Scribe selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Room booked for the period: Yes/No Room # _ _ _ _ _ _ _ _ _ _

Computer booked for the period: Yes/No

Data Projector booked for the period: Yes/No

Coffee/biscuits ordered for the period: Yes/No

Documents available:

Methodology, SIL Procedure: Yes/No

PFD: Yes/No

PID: Yes/No

Cause & Effect Matrix: Yes/No

Safe Charts: Yes/No

Process description, balance, layout, etc Yes/No

Previous hazard analysis Yes/No

Participants:

List of participants identified: Yes/No

Participants have been informed of review session dates: Yes/No

When? Date: _ _/ _ _/ _ _

Documentation made available to participants: Yes/No


12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS

(REF.: IEC 61511-3)

Descriptions of Process Industry Risk Graph Parameters

| Parameter | Description |
|---|---|
| Consequence C | Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Determined by calculating the numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event. |
| Occupancy F | Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event. This should take into account the possibility of an increased likelihood of persons being in the exposed area in order to investigate abnormal situations which may exist during the build-up to the hazardous event (consider also if this changes the C parameter). |
| Probability of avoiding the hazard P | The probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard prior to the hazard occurring and there being methods of escape. |
| Demand rate W | The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration. |


12.6 APPENDIX VI - DEMAND RATE

The demand rate will be determined using the team’s collective experience, along with reference data from OREDA, USRMP or other accepted databases. The QP database for failure rates shall be primarily considered when available. Failure rates for typical equipment items are shown below as examples.

Typical Failure Rate Data (from OREDA – Offshore Reliability Database)

| Item | Mean Failure Rate per 10^6 hours | Per Year (Continuous Operation) | 1 Failure per (years) |
|---|---|---|---|
| Pressure Switch (Pneumatic) | 5.3 | 0.05 | 21 |
| Level Switch (Pneumatic) | 2.8 | 0.024 | 40 |
| Level Switch (Electric) | 9.6 | 0.084 | 12 |
| Level Transducer | 11 | 0.096 | 10 |
| PCV / LCV (Ball) (1 to 20”) | 10 to 16 | 0.086 to 0.14 | 7 to 11 |
| PCV / LCV (Globe) (1 to 10”) | 19 to 24 | 0.053 to 0.21 | 5 to 19 |
| PSV | 22 | 0.19 | 5.25 |
| XSDV (Globe Valve) | 25.94 | 0.227 | 4.4 |
| XBDV (Ball Valve) (1 to 10”) | 24 to 44 | 0.21 to 0.39 | 2.5 to 5 |
| Electric Relay (logic solver) | 4.1 | 0.036 | 27.8 |
| Pilot Valve (in SDP) | 6.5 | 0.0575 | 17 |
| Fusible Plug | 0.27 | 0.00237 | 423 |
| H2S Gas Detector | 11.46 | 0.1004 | 9.96 |
| IR HC Gas Detector | 36.5 | 0.320 | 3.13 |

Item Leak Frequency (Offshore Hydrocarbon Release Statistics and Analysis, 2002, HID Statistics Report HSR 2002 002, UK Health and Safety Executive, February 2003.)

| Item | Leak Frequency (per year) | 1 leak per (years) |
|---|---|---|
| Flange | 5.2 x 10^-5 | 19230 |
| Valve | 4 x 10^-4 | 2500 |
| Instrument Connections | 6 x 10^-4 | 1700 |
| Pressure Vessel | 2 x 10^-3 | 500 |
| Centrifugal pump | 5 x 10^-3 | 200 |
| Shell & Tube Heat Exchanger | 3.5 x 10^-3 | 290 |
| Launcher / Receiver | 1 x 10^-2 | 100 |
| Centrifugal Compressor | 8 x 10^-3 | 125 |
| Reciprocating Compressor | 7 x 10^-2 | 15 |

Overall Leak Frequencies for a Platform:

- Large Integrated Offshore Platform: approx. 1 leak per year
- Minimum facilities wellhead platform: approx. 1 leak per 10 years
- Riser failure frequency: approx. 1 x 10^-3 per year, or 1 in 1000 riser years
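The Table 6 demand-rate bands, the Table 7 SIL bands, the highest-of-three selection rule of 9.7.7 and the Appendix VI rate conversion can be combined as follows. This is an added Python example, not part of the QP guideline; the function names, the summing of independent cause rates and the treatment of band edges are assumptions.

```python
# Added illustration (not from QP-GDL-S-030): Table 6 / Table 7 banding,
# Appendix VI rate conversion and the highest-of-three SIL rule.
HOURS_PER_YEAR = 8760  # continuous operation, as in the Appendix VI table

# Table 7 bands: SIL -> [lower, upper) target average PFD.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def per_year(rate_per_1e6_hours):
    """Convert a failure rate per 10^6 hours to failures per year."""
    return rate_per_1e6_hours * HOURS_PER_YEAR / 1e6

def demand_rate(cause_rates_per_1e6_hours):
    """Overall demand frequency per year from all initiating causes.

    Assumption: causes are independent and every failure places a demand
    on the SIF, so the individual frequencies simply add.
    """
    return sum(per_year(r) for r in cause_rates_per_1e6_hours)

def demand_band(events_per_year):
    """Map a demand frequency to W1, W2 or W3 of Table 6.

    Assumptions: an interval of at most 3 years is W3 (including demands
    more frequent than yearly), at most 30 is W2, at most 100 is W1; rarer
    events return None because Table 6 defines no band for them.
    """
    if events_per_year <= 0:
        raise ValueError("demand frequency must be positive")
    years_between = 1.0 / events_per_year
    if years_between <= 3:
        return "W3"
    if years_between <= 30:
        return "W2"
    if years_between <= 100:
        return "W1"
    return None

def sil_for_pfd(pfd_avg):
    """SIL whose Table 7 band contains pfd_avg, or None if outside SIL 1-4."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None

def selected_sil(safety, environment, economic):
    """Highest of the three individual SILs; None means no SIL required."""
    levels = [s for s in (safety, environment, economic) if s is not None]
    return max(levels) if levels else None

# Constructed scenario using Appendix VI rates: level transducer (11),
# electric level switch (9.6) and XSDV globe valve (25.94) per 10^6 hours.
CAUSES = [11, 9.6, 25.94]

if __name__ == "__main__":
    print([demand_band(per_year(r)) for r in CAUSES],
          demand_band(demand_rate(CAUSES)))
```

Each cause alone falls in W2, but the combined demand rate of about 0.41 per year (one demand roughly every 2.5 years) falls in W3, which is why all failures leading to the hazardous event have to be considered together.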


12.7 APPENDIX VII – QP CORPORATE RISK MATRIX

(Ref: Corporate Procedure for Incident management Doc# QPR-STM- 001)

Risk Assessment Matrix

Increasing probability:

| A | B | C | D | E |
|---|---|---|---|---|
| Never heard in Industry | Has Occurred in Industry | Has Occurred in QP | Occurs several times a year in QP | Occurs several times a year at this site |

Consequences (increasing severity):

| Potential Severity | People | Asset/Production | Environment | Reputation |
|---|---|---|---|---|
| 0 | No injury | No damage | No Effect | No Impact |
| 1 | Slight injury or health effect | Slight damage; no disruption to operation | Slight Effect | Slight Impact |
| 2 | Minor injury or health effect | Minor damage ( < QR 350,000) | Minor effect | Limited Impact |
| 3 | Major injury or health effect | Local damage ( < QR 3,500,000) | Localised Effect | National Impact |
| 4 | Single Fatality or permanent total disability | Major damage ( < QR 35,000,000) | Major Effect | Regional Impact |
| 5 | Multiple fatalities | Extensive damage ( > QR 35,000,000) | Massive Effect | International impact |

Risk regions marked on the matrix: No Risk, Low Risk, Medium Risk, High Risk.

FIGURE A - QP RISK ASSESSMENT MATRIX


12.7 APPENDIX VII – Cont., QP CORPORATE RISK MATRIX

Risk Matrix (Explanation Sheet)

Consequence Category Definitions

1.0 PEOPLE

Harm to people is further explained for:

Slight injury or Health effects: This includes first aid and medical treatment that does not affect work performance or cause disability.

Minor injury or Health effects: A lost time injury that restricts a person's work performance where the injury results in a work assignment after the day of the incident that does not include all of the normal duties of that person's regular job. It may take a few days off from work to fully recover (Lost Time Incident). Limited health effects that are reversible, e.g. skin irritation, food poisoning.

Major injury or Health effects (Including permanent partial disability): Work performance is affected in the long term, such as prolonged absence from work, irreversible damage to health without loss of life. For example, noise induced hearing loss, chronic back injuries.

Single fatality or permanent total disability: This is either from a work-related incident or an occupational illness such as poisoning or cancer.

Multiple fatalities: More than one fatality either from a work-related incident or an occupational illness such as poisoning or cancer.

2.0 ENVIRONMENT

Harm to the Environment is further explained for:

Slight effect: Negligible financial consequences and local environmental risk within the fence and within the system.

Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.

Local effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence or neighbourhood.


Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state; Extended exceeding of statutory or prescribed limits.

Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area; In terms of commercial or recreational use or nature conservancy, a major economic loss for the company; Constant high exceeding of statutory or prescribed limits.

3.0 ASSET DAMAGE/ LOSS OF PRODUCTION

Asset damage and loss of production is further explained for:

Slight damage: No disruption to operation with estimated cost less than QR 25,000.

Minor damage: Brief disruption to operation with estimated cost less than QR 350,000.

Local damage: Partial shutdown of operation; can be restarted with estimated cost up to QR 3,500,000.

Major damage: Partial loss of operation; 2 weeks shutdown with estimated cost up to QR 35,000,000.

Massive damage: Substantial or total loss of operation with estimated cost in excess of QR 35,000,000.

4.0 REPUTATION

Damage or loss of reputation is further explained for:

Slight impact: Public awareness may exist but there is no public concern.

Limited impact: Some local public concern; some local media and/or local political attention with potentially adverse aspects for QP operations.

National impact: National public concern; extensive adverse attention in the national media.

Regional impact: Extensive adverse attention in the regional media; regional public and political concern.

International impact: Extensive adverse attention in international media; international public attention.


REVISION HISTORY LOG Revision: 1 Date: 24/03/2010

Item Revised:

Reason for Change/Amendment

Changes/Amendment: This new guideline is developed to cover the corporate requirements for safety integrity level review.

Note: The revision history log shall be updated with each revision of the document. It shall contain a written audit trail of the reason(s) why the changes/amendments have occurred, what the changes/amendments were and the date at which the changes/amendments were made.