Previous Issue: 27 October 2007 Next Planned Update: 27 October 2012
Revised paragraphs are indicated in the right margin Page 1 of 32
Primary contact: Brell, Austin on 966-3-8739455
Copyright©Saudi Aramco 2009. All rights reserved.
Engineering Procedure
SAEP-250 24 October 2009 Safety Integrity Level Assignment & Verification
Process Control Standards Committee Members Khalifah, Abdullah Hussain, Chairman
Assiry, Nasser Yahya, Vice Chairman
Awami, Luay Hussain
Ben Duheash, Adel Omar
Bu Sbait, Abdulaziz Mohammad
Baradie, Mostafa M.
Dunn, Alan Ray
Fadley, Gary Lowell
Genta, Pablo Daniel
Ghamdi, Ahmed Saeed
Green, Charlie M.
Hazelwood, William Priest
Hubail, Hussain Makki
Jansen, Kevin Patrick
Khalifa, Ali Hussain
Khan, Mashkoor Anwar
Mubarak, Ahmad Mohd.
Qaffas, Saleh Abdal Wahab
Shaikh Nasir, Mohammad Abdullah
Trembley, Robert James
Saudi Aramco DeskTop Standards
Table of Contents
1 Scope ........................................ 2
2 Conflicts and Deviations ..................... 3
3 Applicable Documents ......................... 3
4 Definitions .................................. 4
5 Instructions ................................. 7
6 Responsibilities ............................ 16
Document Responsibility: Process Control SAEP-250
Issue Date: 24 October 2009 Safety Integrity Level
Next Planned Update: 27 October 2012 Assignment & Verification
Page 2 of 32
Table of Contents (cont'd)
Appendix A - Required SIL Assignment Report Contents ............ 18
Appendix B - Required SIL Verification Report Contents .......... 20
Appendix C - Responsibilities for Engineering ................... 22
Appendix D - SIF Specification Sheet ............................ 23
Appendix E - SIL Assignment Worksheet ........................... 24
Appendix F - Risk Graph Tables and Worksheet .................... 25
Appendix G - Risk Matrix Table .................................. 29
Appendix H - Quantitative Risk Criteria ......................... 30
Appendix I - General Notes ...................................... 31
1 Scope
This Saudi Aramco Engineering Procedure provides procedures and guidelines for
the assignment and verification of Safety Integrity Levels (SIL) in ESD loops and
the analysis of the spurious trip rate (STR) that may result from introducing an ESD
safety instrumented function into the process facility.
The procedure applies a risk based approach to safety functions to validate that the
design of safety systems in Saudi Aramco are adequate to protect personnel,
environment and assets against potentially hazardous situations. The risk based
approach for SIL assignment and verification is required by SAES-J-601 based on
international standards ANSI/ISA 84.00.01 and IEC 61511. This procedure is to be
used for new facilities and modifications to existing facilities with safety
instrumented functions.
The document provides the risk tolerability criteria, recommended data sources for
commonly used control, instrument and process equipment and typical specification
sheets to document Safety Instrumented Functions (SIF).
The document also defines the roles and responsibilities for LPD, Proponent
Department, Project Management and P&CSD.
HIPS are a form of ESD and shall follow the same calculation procedures outlined
in this document and SAEP-354, High Integrity Protective Systems Design
Requirements.
As a minimum SIL studies shall be updated along with any changes to the facilities,
and also when major modifications in data basis, models or SIL estimating methods
occur.
2 Conflicts and Deviations
2.1 Any conflicts between this Procedure and other applicable Saudi Aramco
Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards
(SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi
Aramco Standard Drawings (SASDs), or industry standards, codes, and
forms shall be resolved in writing by the Company or Buyer Representative
through the Manager, Process & Control Systems Department of Saudi
Aramco, Dhahran.
2.2 Direct all requests to deviate from this Procedure in writing to the Company
or Buyer Representative, who shall follow internal company procedure
SAEP-302 and forward such requests to the Manager, Process & Control
Systems Department of Saudi Aramco, Dhahran.
3 Applicable Documents
All referenced Procedures, Standards, Specifications, Codes, Forms, Drawings, and
similar material or equipment supplied shall be considered part of this Procedure to
the extent specified herein and shall be of the latest issue (including all revisions,
addenda, and supplements) unless stated otherwise.
3.1 Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
SAEP-354 High Integrity Protective Systems
Saudi Aramco Engineering Standards
SAES-J-002 Technically Acceptable Instruments
SAES-J-601 Emergency Shutdown & Isolation systems
3.2 Industry Codes and Standards
The Instrumentation, Systems, and Automation Society (ISA)
ANSI/ISA 84.00.01 Functional Safety – Safety Instrumented
Systems for the Process Industry Sector
ISA TR84.00.02 Safety Instrumented Functions – Evaluation
Techniques
The International Electrotechnical Commission (IEC)
IEC 61511 Functional Safety – Safety Instrumented
Systems for the Process Industry Sector
Reliability Data Sources
OREDA Offshore Equipment Reliability Handbook
EXIDA Safety Equipment Reliability Handbook
SHELL SIFPro Reliability Data Tables
4 Definitions
4.1 Acronyms
DCF Diagnostic Coverage Factor
ESD Emergency Shutdown System
ETA Event Tree Analysis
FTA Fault Tree Analysis
HAZOP Hazards and Operability Study
HIPS High Integrity Protective System
IO Input/Output
IPL Independent Protection Layer
LPD Loss Prevention Department
P&CSD Process and Control Systems Department
PFD Probability of Failure on Demand
PHA Preliminary Hazard Analysis
QRA Quantitative Risk Assessment
SAPMT Project Management Team
SIL Safety Integrity Level
SIF Safety Instrumented Function
SIS Safety Instrumented System
SRS Safety Requirements Specification
STR Spurious Trip Rate
UPS Uninterruptible Power Supply
ZV Power Operated Emergency Isolation Valve
4.2 Definition of Terms
Beta Factor: The number of common cause failures expressed as a fraction
of all possible failures. A common mode failure is a failure that may affect
duplicate components in redundant configurations.
Dangerous Failure: Failures that will prevent the safety function from
protecting the process.
Demand: A process or equipment condition which requires the safety
function to take action to prevent a hazardous situation.
Diagnostic Coverage Factor: The number of dangerous failures that
diagnostic features are capable of detecting as a fraction of all possible
dangerous failures.
Failure: An abnormal situation that prevents the operation of the safety
function/s.
Final Control Element: A device that manipulates a process variable.
Final elements include valves, relays, solenoids and switchgear.
Initiator: The input measuring device that initiates a trip signal to the ESD
system. Initiators include switches, transmitters and manual pushbuttons.
Inherent Safety: A design that removes the hazard at the source as opposed
to accepting the hazard and looking to mitigate the effects. Inherent Safety
therefore generates little or no damage in the event of an incident. The
principles of inherent safety design are to minimize, substitute, moderate,
and simplify.
Logic solver: The system that is used to perform the application logic.
Logic solvers may be programmable, relay based or solid state.
Mechanical Integrity: is the suitability of the equipment to operate safely
and reliably under normal and abnormal (upset) operating conditions to
which the equipment is exposed.
MTTF: "Mean Time To Failure" is the expected time to failure of a system
in a population of identical systems.
MTBF: "Mean Time Between Failure" is the expected time between
failures of a system including time to repair. It is derived in its simplest form
as:
MTBF = MTTF + MTTR
MTTR: "Mean Time To Repair" is the statistical average of time taken to
identify and repair a fault (including diagnosis), in a population of identical
systems.
Probability of Failure on Demand (PFD): The probability that the SIF
fails to respond to a demand or a manual initiation.
Process Safety Time: The time that it takes for a hazardous situation (such
as a release) to occur after the process operates beyond the trip point of the
safety function.
Proof Test Coverage Factor: The fraction of dangerous failures detected
by a proof test.
Residual Risk: The risk remaining after protective measures have been
taken.
Safety Availability: The fraction of time that a safety system is able to
perform its designated function when the process is operating. The safety
system is unavailable when it has failed dangerously or is in bypass. Safety
availability is equal to 1 minus the PFD (dangerous) of the safety function.
Safe Failure: A failure that does not place the SIF in a dangerous state.
A safe failure results in a trip or an alarm to the operator.
Safe Failure Fraction: The fraction of all failures that drive the device to
its safe state i.e. a trip or an alarm.
Safety Instrumented Function (SIF): A safety instrumented function
consists of input devices, logic solver and final output devices. Another term
commonly used in Saudi Aramco is ESD Loop.
Safety Integrity Level (SIL): The level of safety availability of an ESD
loop or ESD system component, where availability is calculated as 1 minus
the sum of the average probabilities of dangerous failure on demand of its
components (see Table 1).
Table 1 – Safety Integrity Levels (SIL)

SIL   RRF                  PFDavg                    Safety Availability
      (Risk Reduction      (Probability of Failure   (1 - PFDavg)
      Factor)              on Demand) (1/RRF)
0/a   Process Control      -                         -
1     10 to 100            1/10 to 1/100             90 - 99%
2     100 to 1,000         1/100 to 1/1,000          99 - 99.9%
3     1,000 to 10,000      1/1,000 to 1/10,000       99.9 - 99.99%
4     10,000 to 100,000    1/10,000 to 1/100,000     99.99 - 99.999%
Spurious Trip Rate (STR): The expected rate, in trips per year, at which
a spurious trip leading to a shutdown of the process occurs.
Test Interval (TI): The interval in time that a test would be made on a
device or logic solver.
5 Instructions
5.1 SIL Assignment
5.1.1 General
The SIL assignment establishes the risk reduction needed for each
process system to protect against one or more hazards (such as
explosion, toxic release, leak, etc.). The risk reduction is calculated
as the gap between the existing risk posed by the process or
equipment and the risk target. Risk reduction is provided by
process and mechanical integrity, independent protection layers and
if so required safety instrumented systems (SIS).
5.1.2 Identification of Safety Instrumented Functions
Safety instrumented functions are to be identified during
engineering design phase to meet:
5.1.2.1 Licensor engineering requirements and previous design
experience for similar process.
5.1.2.2 Inplant or industry experience with process upsets,
incident or accident reports.
5.1.2.3 Engineering requirements of Saudi Aramco Standards.
5.1.2.4 HAZOP/PHA recommendations for process interlocks,
alarms and shutdown interlocks.
5.1.2.5 Recommendations from any process analysis, such as studies
of the impact of control instrument failures, control valve
failure modes, pressure relief and flare capacity, etc.
5.1.3 Acceptable SIL Assignment Techniques and Software Packages
5.1.3.1 Semi quantitative Risk Graph, modified Risk Matrix or
LOPA may be used for SIL assignment at project
proposal or detailed engineering on ESD loops.
5.1.3.2 Fully quantitative SIL analysis using consequence
modeling, ETA, FTA shall be used for all SIL#3 ESD
loops (SIFs).
5.1.3.3 Software packages which support consequence
modeling, ETA, FTA are recommended to assist in the
documentation and consistency of the assignment
process. Refer to Loss Prevention Department /
Technical Support Unit for recommended consequence
modeling packages.
5.1.4 Documentation of Calculations
All assumptions and the source of data used, consequence and
frequency model calculations and any information necessary to
support the risk assessment shall be documented and maintained
with the project documentation as specified in Appendix A of this
procedure.
5.1.5 SIL Assignment at Project Proposal or Detailed Engineering
5.1.5.1 SIL Assignment at Project Proposal and Detailed Design
stage may use risk graph, modified risk matrix or Layers
of Protection Analysis (LOPA). SIL Assignment should
be completed in Project Proposal.
5.1.5.2 The SIL study should be conducted before the HAZOP
study, and before instrumentation and control equipment
is ordered.
5.1.5.3 The consequence and frequency criteria in Appendix F
are to be used for the risk graph, modified risk matrix
and LOPA methods.
5.1.5.4 SIL#4 shall not be assigned for Saudi Aramco facilities
design; instead the process and mechanical design shall be
reviewed and modified to reduce the residual risk to be
covered by a SIF to SIL#3 or below.
5.1.6 SIL Assignment Planning
In order to follow a sound and well planned process, the following
is required in preparation for a SIL study:
5.1.6.1 The scope of the study and its limitations are to be
clearly defined including the documentation
requirements as outlined in Appendix A.
5.1.6.2 The study team must be formed by knowledgeable
personnel as specified in section 5.1.7 of this procedure.
5.1.6.3 The SIL Assignment methodologies and the risk criteria
are to be agreed upon prior to beginning the study.
5.1.6.4 Process Flow Diagrams which show both key control
and shutdown instrumentation shall be available to give
the team an overview of the process.
5.1.6.5 Supporting project documentation for the SIL Study
required by the team includes P&IDs, a Safety Instrumented
Functions List and Cause-and-Effect Charts.
5.1.6.6 Supporting software packages should be available and
understood by the Study Team Leader.
5.1.7 Personnel
The SIL Assignment team shall consist of a knowledgeable and
competent process engineer, an instrument and control engineer,
senior operations personnel and a safety engineer. The team leader
must have a working knowledge of the SIL assignment process and be
familiar with the process under design and the software tools used
during the study.
5.1.8 Independent Protection Layers (IPL)
Independent protection layers when applied to mitigate the hazard
shall each reduce the identified risk by a factor of 10 (i.e., by
10^-1), and shall be independent, dependable and auditable. IPLs may
include one or more of the following:
5.1.8.1 Mechanical Protection such as a Safety Relief Valve.
5.1.8.2 Operator Intervention providing that:
5.1.8.2.1 The operator has an adequate alarm system
(i.e., alarms are less than 280 per console
operator per day).
5.1.8.2.2 There are written procedures stating the
operator action.
5.1.8.2.3 The operator regularly completes the action
as a drilled exercise.
5.1.8.3 Dike, fire proofing, blast proofing.
5.1.8.4 Fire Suppression Systems.
5.1.9 SIL Assignment Procedure Using Risk Graph
5.1.9.1 Use Appendix F to assign SIL functions using Risk
Graph.
5.1.9.2 Use Appendix F, Figure 3 to document the Risk Graph
results.
5.1.10 SIL Assignment Procedure Using Risk Matrix
5.1.10.1 Use Appendix G to assign SIL functions using Risk
Matrix.
5.1.10.2 Use Appendix E to document the Risk Matrix results.
5.1.11 SIL Assignment for SIL#3
5.1.11.1 Fully quantitative SIL analysis using consequence
modeling, ETA, FTA shall be used for all SIL#3 loops.
5.1.11.2 The form depicted in Appendix E shall be used to
document the results of the study.
5.1.11.3 Develop accident scenarios for every initiating event.
This shall be accomplished using an ETA.
5.1.11.5 Evaluate the consequences of all significant accident
scenarios using consequence modeling software
recognized in the process industry.
5.1.11.6 Use Appendix H "Quantitative Risk Criteria" to
determine the Risk Target Frequency.
5.1.11.7 Determine the frequency of occurrence of each accident
scenario using a FTA, considering only the Process and
Control System risk. All protective systems shall be
disregarded for this purpose.
5.1.11.8 Compare the frequency of occurrence of each accident
scenario against its risk target. The risk reduction
required for each case is determined by the gap between
the actual risk of the process and the risk target for each
scenario.
5.1.11.9 Add all the IPLs that could reduce the risk gap. IPLs
that comply with all the criteria established in section
5.1.8 may be used.
5.1.11.10 SIL#3 functions that are designated as HIPS functions
shall follow SAEP-354 and perform a cost benefit
analysis.
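A worked example of the quantitative assignment steps above (the IPL credit of 5.1.8, steps 5.1.11.6 to 5.1.11.9, the SIL bands of Table 1, the SIL#3 rule of 5.1.3.2 and the SIL#4 prohibition of 5.1.5.4), added here as an illustration; it is not part of the procedure. The scenario names, frequencies, target values and IPL tags are constructed, not taken from any Saudi Aramco facility.

```python
"""Quantitative SIL assignment per SAEP-250 5.1.8, 5.1.11 and Table 1 (added example)."""
from dataclasses import dataclass, field
from typing import List

IPL_CREDIT = 0.1  # 5.1.8: each qualifying IPL reduces the identified risk by 10^-1

# Table 1: SIL n covers a required RRF from 10^n up to 10^(n+1); below 10 is "0/a".
SIL_BANDS = ((1, 10.0), (2, 100.0), (3, 1_000.0), (4, 10_000.0))


@dataclass
class Scenario:
    name: str
    unmitigated_freq: float   # events/yr from the FTA of process and control system only (5.1.11.7)
    target_freq: float        # events/yr risk target from Appendix H (5.1.11.6)
    ipls: List[str] = field(default_factory=list)  # IPLs that meet all criteria of 5.1.8


@dataclass
class Assignment:
    scenario: str
    mitigated_freq: float
    required_rrf: float
    sil: int                  # 0 means process control only, no SIF required
    permitted: bool           # False for SIL 4 (5.1.5.4: redesign the process instead)
    quantitative_required: bool  # True for SIL 3 (5.1.3.2: consequence modeling, ETA, FTA)


def assign_sil(rrf: float) -> int:
    """Map a required risk reduction factor onto the SIL bands of Table 1."""
    sil = 0
    for level, lower in SIL_BANDS:
        if rrf >= lower:
            sil = level
    return sil


def assess(s: Scenario) -> Assignment:
    """5.1.11.8 and 5.1.11.9: credit the IPLs, measure the risk gap, assign the SIL."""
    if s.target_freq <= 0 or s.unmitigated_freq < 0:
        raise ValueError("frequencies must be positive")
    mitigated = s.unmitigated_freq * IPL_CREDIT ** len(s.ipls)
    rrf = mitigated / s.target_freq
    sil = assign_sil(rrf)
    return Assignment(s.name, mitigated, rrf, sil,
                      permitted=sil < 4, quantitative_required=sil == 3)


# Constructed scenarios with hypothetical numbers (not from the procedure).
SCENARIOS = [
    Scenario("Separator overpressure", 0.2, 1e-5, ["PSV-101"]),
    Scenario("Pump seal leak", 0.05, 1e-4),
    Scenario("Furnace tube rupture", 2.0, 1e-5),
]


def run_all() -> List[Assignment]:
    return [assess(s) for s in SCENARIOS]


if __name__ == "__main__":
    for a in run_all():
        note = ""
        if not a.permitted:
            note = "  <- SIL 4 not permitted, revise process/mechanical design (5.1.5.4)"
        elif a.quantitative_required:
            note = "  <- SIL 3, fully quantitative analysis required (5.1.3.2)"
        print(f"{a.scenario:24s} RRF={a.required_rrf:10.1f}  SIL {a.sil}{note}")
```

The risk gap is taken after crediting each IPL with exactly one order of magnitude, as 5.1.8 prescribes; a layer that cannot be shown to be independent, dependable and auditable should simply be left out of the list rather than given a partial credit.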
5.2 SIL Verification
5.2.1 Documentation of Calculations
All assumptions, data sources, and any other information necessary
to define the final system availability and spurious trip rate shall be
documented and maintained with the shutdown system
documentation as required in Appendix B.
5.2.2 SIL Verification Techniques and Software Packages
Simplified Equations, Markov Models or Fault Tree Analysis may
be used to provide the calculations for system availability and
spurious trip rate. Software packages which support these
modeling techniques are recommended to assist in the
documentation and consistency of the calculations.
5.2.3 Assumptions used in Calculations
5.2.3.1 Failure rate data shall be sourced from recognized
industry sources such as OREDA, EXIDA, Shell
SIFPro, certified manufacturers technical sheets or TUV
reports.
5.2.3.2 Components used in the shutdown system shall be
technically acceptable per SAES-J-002 and proven in
use in Aramco facilities or TUV certified.
5.2.3.3 When calculating dangerous failures for an energized to
trip system the power supply shall be included in the
calculations for dangerous failures.
5.2.3.4 The failure rate for a logic solver shall include the input
and output module type for that function.
5.2.3.5 Failure rate values are to be taken from specific FMEA,
third party reports, TUV reports or the reliability data
sources listed in section 3 of this procedure.
5.2.3.6 The calculated PFDavg should be at least 25% better than
the upper limit of the PFDavg band for the target SIL
(Table 1). That is:
● SIL 1 PFDavg < 7.5 E-02
● SIL 2 PFDavg < 7.5 E-03 and
● SIL 3 PFDavg < 7.5 E-04.
5.2.3.7 The PFDavg calculations may assume that the calibration
and repair time is small compared to the MTTF.
5.2.3.8 The standard proof test intervals for instruments and
control equipment shall be: transmitters, 1 year; switches,
6 months; valves, partial stroke quarterly and full stroke
yearly; logic solvers, 10 years. These proof test intervals
may be extended based on calculations which show that the
PFDavg still meets the required target SIL.
5.2.3.9 Spurious trip calculations shall take into consideration
the failure mode of the transmitter and any time delay
shutdown logic which would inhibit spurious trip.
When a transmitter is configured to fail away from the
trip point, or the logic is such that the trip signal is
bypassed or delayed by a bad transmitter then the
spurious trip is inhibited. When the spurious trip is
inhibited in this way no spurious trip rate for the
transmitter is necessary.
5.2.3.10 The MTTR time for a transmitter, switch, valve or other
device to be offline is one shift (or 8 hours).
5.2.3.11 Partial stroke testing for valves shall use a 60%
contribution to the PFDavg. Full Stroke Testing shall use
a 40% contribution factor to the PFDavg.
5.2.3.12 Shutdowns which are initiated manually via a push/pull
button are exempt from SIL verification, since these
buttons require an operator intervention that is used for
both prevention and mitigation of hazardous events. Such
manually initiated shutdowns shall be considered SIL#1
loops and included in the ESD system.
5.2.4 Calculation Procedure
Refer to ISA TR84.00.02 Part 2.
5.2.4.1 Identify the Safety Instrumented Functions and SIL
required.
5.2.4.2 List the components of the SIF. List the MTTF
(dangerous) for each component.
5.2.4.3 Calculate the PFDavg for each combination of
components (sensors, logic solver, Final Elements) and
then sum the values to obtain the PFDavg for the safety
instrumented function.
5.2.4.4 Determine whether the PFDavg meets the required
integrity requirements for the Safety Requirements
Specification.
5.2.4.5 The PFDavg shall meet or exceed the requirements of the
SIL specified otherwise the component selection and
redundancy shall be modified accordingly.
5.2.5 PFDavg/Availability Calculation References
5.2.5.1 See ISA TR84.00.02 Parts 1 and 2 for use of Simplified
Equations.
5.2.5.2 See ISA TR84.00.02 Part 3 for use of Fault Tree Models.
5.2.5.3 See ISA TR84.00.02 Part 4 for use of Markov Models.
5.2.6 Determining the PFDavg of Sensors
5.2.6.1 Identify the sensors, list their dangerous failure rates
(i.e., dangerous undetected failures), Test Interval (TI)
and calculate the PFDavg.
5.2.6.2 For dirty process conditions apply a severity factor for
the sensor failure rate effectively de-rating it for the
service conditions.
5.2.6.3 Sum the PFDavg for sensors.
5.2.7 Determining the PFDavg of Final Control Elements
5.2.7.1 Identify the valves, and each of the components on the
valve including solenoid valve, positioners, boosters and
multiplexers, etc.
5.2.7.2 Calculate the PFDavg for the valve package.
5.2.7.3 Sum the PFDavg for the Final Control Elements.
5.2.8 Determining the PFDavg of the Logic Solver
5.2.8.1 Identify the type and manufacturer of the hardware to be
used.
5.2.8.2 Identify the IO module types for the function and logic
solver combination.
5.2.8.3 Calculate the PFDavg using a system calculation tool.
5.2.9 Determining the PFDavg of the Separate Field Power Supplies and
UPS
5.2.9.1 If the ESD is designed to de-energize to trip, the power
supply does not impact the safety function, as a power
supply failure brings the process equipment to the safe
state. Identify the type and manufacturer of the hardware
to be used.
5.2.9.2 If the ESD is designed to energize to trip, the power
supply does impact the safety function, as a power supply
failure will not allow the ESD to be initiated. List the
MTBF for each power supply, both field power supplies and
UPS, and identify the IO module types for the function
and logic solver combination.
5.2.9.3 Calculate the PFDavg for the UPS and Field Power
Supplies.
5.2.10 Simplified Equations for PFDavg and STR
See ISA TR84.00.02 Parts 1 and 2 for use of Simplified Equations
including beta factors and dangerous detected failures. The
following table is a summary of the simplified equations without
these factors. Note that these simplified equations assume that the
voted components are identical, with the same failure rates, which
is not always the case.
Table 2 – Simplified Equations for Different Voting Architectures
Voting PFDavg Spurious Trip Rate (STR)
1oo1
1oo2
1oo2D
1oo3
2oo2
2oo3
2oo4
5.3 Spurious Trip Rate Calculation
STR calculations are made when a specific safety function may cause
unacceptable loss of production when the safety function fails.
5.3.1 Documentation of Calculations
All assumptions, data sources, and any other information necessary
to define the final system availability and spurious trip rate shall be
documented and maintained with the shutdown system
documentation.
5.3.2 Assumptions used in Calculations
5.3.2.1 The cost of the end device should include the total
installed cost including engineering.
5.3.2.2 Loss of production estimates should be clearly defined
in simple terms, average loss basis, number of hours
down, and % of turn down.
5.3.3 Calculation Procedure
5.3.3.1 Identify the initiators to shutdown in each SIF.
5.3.3.2 List the MTTF (spurious) for each sensor.
5.3.3.3 List the MTTR (spurious) for each sensor.
5.3.3.4 Calculate the spurious trip rate for the combination of
sensors.
5.3.3.5 Repeat steps 5.3.3.1 to 5.3.3.4 for final control elements.
5.3.3.6 Repeat steps 5.3.3.1 to 5.3.3.4 for the logic solver and
power supplies.
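A worked example covering the SIL verification procedure of 5.2.4 with the assumptions of 5.2.3.6 (25% margin), 5.2.3.8 (proof test intervals), 5.2.3.9 (transmitters failing away from trip), 5.2.3.10 (MTTR of one shift) and 5.2.3.11 (partial stroke), the simplified equations summarized in Table 2, and the spurious trip rate procedure of 5.3.3 above. It is an added illustration, not part of the procedure or of any Saudi Aramco tool. The per-architecture equations are the simplified equations of ISA TR84.00.02 Part 2 without beta factor or diagnostic credit; the reading of the 60%/40% split in 5.2.3.11 as the share of dangerous failures revealed by a partial stroke is an assumption of this example, and all failure rates and the tag SIF-101 are constructed.

```python
# SIL verification and spurious trip rate (SAEP-250 5.2.3, 5.2.4, Table 2, 5.3.3): added example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOURS_PER_YEAR = 8760.0

# Simplified equations of ISA TR84.00.02 Part 2 for identical voted components, with no
# beta factor or diagnostic credit. x = lam_du * TI (dangerous undetected failure rate per
# hour times proof test interval in hours); ls = safe failure rate per hour; mttr in hours.
PFD_EQUATIONS = {"1oo1": lambda x: x / 2, "1oo2": lambda x: x ** 2 / 3,
                 "2oo2": lambda x: x, "2oo3": lambda x: x ** 2}
STR_EQUATIONS = {"1oo1": lambda ls, mttr: ls, "1oo2": lambda ls, mttr: 2 * ls,
                 "2oo2": lambda ls, mttr: 2 * ls ** 2 * mttr,
                 "2oo3": lambda ls, mttr: 6 * ls ** 2 * mttr}


def pfd_avg(voting: str, lam_du: float, ti_h: float) -> float:
    return PFD_EQUATIONS[voting](lam_du * ti_h)


def spurious_rate(voting: str, lam_s: float, mttr_h: float) -> float:
    return STR_EQUATIONS[voting](lam_s, mttr_h)


@dataclass
class SensorGroup:
    voting: str
    lam_du: float
    lam_s: float
    ti_h: float = 8760.0        # 5.2.3.8: transmitters proof tested yearly
    severity: float = 1.0       # 5.2.6.2: > 1.0 de-rates the sensor for dirty service
    fails_to_trip: bool = True  # 5.2.3.9: False if it fails away from trip (STR inhibited)


@dataclass
class ValveGroup:
    voting: str
    lam_du: float
    lam_s: float
    pst_ti_h: float = 2190.0    # 5.2.3.8: partial stroke quarterly
    full_ti_h: float = 8760.0   # 5.2.3.8: full stroke yearly
    pst_share: float = 0.6      # 5.2.3.11, read here as the share of lam_du that a partial
                                # stroke reveals (assumption); 0.0 when no PST is fitted


@dataclass
class LogicSolver:
    pfd_avg: float              # 5.2.8.3: from the vendor system tool, IO modules included
    str_per_h: float


@dataclass
class SIF:
    tag: str
    sil: int
    sensors: List[SensorGroup]
    solver: LogicSolver
    valves: List[ValveGroup]
    mttr_h: float = 8.0         # 5.2.3.10: one shift


def required_pfd(sil: int) -> float:
    """5.2.3.6: the calculated PFDavg must beat the band limit 10^-SIL by 25%."""
    return 0.75 * 10.0 ** (-sil)


def sif_pfd(sif: SIF) -> Dict[str, float]:
    """5.2.4.3 and 5.2.6 to 5.2.8: PFDavg per subsystem, then summed for the SIF."""
    sensors = sum(pfd_avg(g.voting, g.lam_du * g.severity, g.ti_h) for g in sif.sensors)
    valves = 0.0
    for v in sif.valves:
        # Failures a partial stroke reveals are exposed for a quarter, the rest for a year.
        valves += pfd_avg(v.voting, v.lam_du * v.pst_share, v.pst_ti_h)
        valves += pfd_avg(v.voting, v.lam_du * (1.0 - v.pst_share), v.full_ti_h)
    total = sensors + sif.solver.pfd_avg + valves
    return {"sensors": sensors, "logic_solver": sif.solver.pfd_avg,
            "final_elements": valves, "total": total}


def verify(sif: SIF) -> Tuple[bool, float, float]:
    """5.2.4.4 and 5.2.4.5: (meets target, calculated PFDavg, required PFDavg)."""
    total = sif_pfd(sif)["total"]
    target = required_pfd(sif.sil)
    return total <= target, total, target


def str_per_year(sif: SIF) -> float:
    """5.3.3: spurious trips per year from sensors, logic solver and final elements."""
    rate = sum(spurious_rate(g.voting, g.lam_s, sif.mttr_h) for g in sif.sensors if g.fails_to_trip)
    rate += sif.solver.str_per_h
    rate += sum(spurious_rate(v.voting, v.lam_s, sif.mttr_h) for v in sif.valves)
    return rate * HOURS_PER_YEAR


def design_a() -> SIF:
    """Constructed SIL 3 function, hypothetical rates: single valve, no partial stroke."""
    return SIF("SIF-101", 3, sensors=[SensorGroup("2oo3", lam_du=2e-7, lam_s=1e-6)],
               solver=LogicSolver(pfd_avg=1e-5, str_per_h=1e-7),
               valves=[ValveGroup("1oo1", lam_du=1e-6, lam_s=5e-7, pst_share=0.0)])


def design_b() -> SIF:
    """Same function after a 5.2.4.5 redesign: 1oo2 valves with quarterly partial stroke."""
    sif = design_a()
    sif.valves = [ValveGroup("1oo2", lam_du=1e-6, lam_s=5e-7, pst_share=0.6)]
    return sif


if __name__ == "__main__":
    for d in (design_a(), design_b()):
        print(d.valves[0].voting, verify(d), f"STR={str_per_year(d):.4f}/yr")
```

With these constructed rates the single yearly-tested valve alone contributes a PFDavg of 4.38 E-03, so design A fails the SIL 3 limit of 7.5 E-04 even though the sensors and logic solver are comfortably within it; the redundant valves with partial stroke testing bring the function to about 1.8 E-05 at the cost of roughly doubling the final element contribution to the spurious trip rate, which is exactly the trade-off the 5.3 calculation is meant to expose.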
5.4 Safety Requirements Specification (SRS)
As part of the Safety Requirements Specification a SIF Specification Sheet
should be published to summarize the SIL Assignment, SIL Verification,
Spurious Trip Rate and a written narrative of the shutdown requirements.
See Appendix D for an example SIF Specification Sheet.
6 Responsibilities
6.1 Saudi Aramco Project Management Team (SAPMT)
a) Allocate a SIL Team to conduct a SIL Assignment Study.
b) Perform SIL Assignment and Verification for each safety instrumented
function per this procedure.
c) Submit the SIL Assignment report for review to appropriate Saudi
Aramco organizations.
d) Submit the SIL Verification report for review to appropriate Saudi
Aramco organizations.
e) Submit a SIF Specification Sheet for each ESD loop.
f) Conduct a Quantitative assessment for all SIL#3 ESD loops.
6.2 Loss Prevention Department (LPD)
a) Support SAPMT and P&CSD organizations in planning and
performing SIL studies.
b) Support proponent organizations in maintaining the designed integrity
of installed SIS.
c) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
6.3 Process & Control Systems Department (P&CSD)
a) Support PMT and Proponent organizations in planning and performing
SIL studies.
b) Support proponent organizations in maintaining the designed integrity
of installed SIS.
c) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
e) Participate in SIL Assignment Studies as requested by SAPMT.
6.4 Proponent Organizations
a) Assign engineers to participate in SIL Assignment Studies
b) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
c) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Allocate resources and plan necessary equipment/facility shutdowns, to
ensure that periodic proof testing and maintenance are performed
throughout the operational life of the SIS and at decommissioning,
as established in this document.
e) Ensure that the designed integrity of the SIS is maintained during the
operational life cycle of the system.
Revision Summary
27 October 2007   New Saudi Aramco Engineering Procedure.
24 October 2009   Editorial revision to replace Standards Committee Chairman.
Appendix A – Required SIL Assignment Report Contents
1. Introduction
1.1 Scope
This section shall define the scope of the ESD application, and shall define
its structure and summarize its content.
1.2 Objectives
This section shall define the intent of the SIL Assignment Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of an abbreviation is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Assignment report shall be listed and
completely identified in this section.
4. Project Description
4.1 Introduction
This section shall provide an overall description of the Process and the
Process Control design.
4.2 SIL Study Methodology
This section shall summarize the SIL Assignment Methodology used in the
study.
5. Assumptions
State or reference all assumptions used in the quantitative and qualitative analysis in
this Section. Note assumptions relating to consequence and likelihood of hazardous
events.
6. Data Sources & Software Package
6.1 Data Sources
State the data sources or software packages used in this Section.
6.2 Models
Reference all consequence and likelihood models completed on the facility
including toxicity dispersion models, blast study models, and transient
pipeline analysis.
7. Results
7.1 Worksheet
Provide a completed risk graph worksheet (Appendix F) or risk matrix
worksheet (Appendix E) showing all identified SIFs and their respective
SIL assignment.
7.2 Recommendations
Provide a summary of recommended proposals that would improve the
safety design or mitigate the process risk in this section.
8. Conclusions
This section provides a summary of the recommendations and any further
information to execute the engineering design. State any further information or
modeling required.
Appendix B – Required SIL Verification Report Contents
1. Introduction
1.1 Scope
This section shall define the scope of the ESD application, and shall define
its structure and summarize its content.
1.2 Objectives
This section shall define the intent of the SIL Verification Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of abbreviations is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Verification report shall be listed and
completely identified in this section.
4. System Description
4.1 Introduction
This section shall provide an overall view of the Process Automation
System, its operation and capabilities, and its intended use.
4.2 Safety Instrumented Functions
This section shall provide a list of the SIFs being considered in the
verification. The following information shall be included:
a) SIF Number and Tag Name.
b) SIL required.
c) Initiator/s Tag Number/s.
d) Final Element/s Tag Number/s.
e) SIS architecture showing required fault tolerance per SAES-J-601 and
IEC 61511.
5. Assumptions
This section shall include all assumptions used in the calculations. These include,
but are not limited to:
5.1 Test Interval (TI) for instruments, logic solver and final control elements.
5.2 Common Cause Factors (Beta Factor).
Commentary Note:
Typical Common Cause Factors range from 1-5% for similar equipment. Otherwise the Common Cause Factor can be obtained from a Failure Mode and Effects Analysis (FMEA).
5.3 MTTR of instrumentation.
5.4 Service factors for process instruments.
5.5 The failure mode of transmitters to the trip condition.
6. Data Sources & Software Package (Version)
This section provides a reference or a complete list of Failure Rate data used for
instrumentation and control equipment.
7. Calculation Results
This section shall show the calculation results summarized for each Safety
Instrumented Function, including the calculations that verify the SIL and those
that calculate the Spurious Trip Rate (STR) of the device(s) that lead to a trip.
Functions which share the same instrumentation may be grouped; however, the
calculations must show sufficient working to be checked and reviewed.
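The following worked example is added here to illustrate the kind of calculation sections 5 to 7 of this appendix ask for; it is not Saudi Aramco's own verification tool and the failure rates, test intervals, MTTR and beta factors are constructed sample values, not data from any component database. It applies the IEC 61508-6 simplified (Annex B) equations for 1oo1, 1oo2 and 2oo3 voting, crediting dangerous-undetected failures only, and reports the per-subsystem contributions so the working can be checked:

```python
"""Added worked example: simplified SIL verification of one SIF.

Not Saudi Aramco's own calculation tool. Failure rates, test intervals, MTTR and
beta factors below are constructed sample values. Equations are the IEC 61508-6
simplified (Annex B) forms, crediting dangerous-undetected failures only (no
diagnostics), which is conservative.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    arch: str           # voting architecture: "1oo1", "1oo2" or "2oo3"
    lambda_du: float    # dangerous undetected failure rate, per hour
    lambda_s: float     # safe (spurious-trip) failure rate, per hour
    ti_h: float         # proof-test interval TI, hours (section 5.1)
    mttr_h: float       # mean time to restore, hours (section 5.3)
    beta: float = 0.0   # common-cause beta factor, e.g. 0.02 for 2 % (section 5.2)


def pfd_avg(s: Subsystem) -> float:
    """Average probability of failure on demand of one subsystem."""
    t_ce = s.ti_h / 2 + s.mttr_h            # channel equivalent mean down time
    t_ge = s.ti_h / 3 + s.mttr_h            # voted-group equivalent mean down time
    lam_ind = (1 - s.beta) * s.lambda_du    # independent share of the dangerous rate
    ccf = s.beta * s.lambda_du * t_ce       # common-cause share defeats the redundancy
    if s.arch == "1oo1":
        return s.lambda_du * t_ce
    if s.arch == "1oo2":
        return 2 * lam_ind ** 2 * t_ce * t_ge + ccf
    if s.arch == "2oo3":
        return 6 * lam_ind ** 2 * t_ce * t_ge + ccf
    raise ValueError(f"unsupported architecture {s.arch!r}")


def spurious_trip_rate(s: Subsystem) -> float:
    """Spurious trips per year. 1oo1 and 1oo2 trip on any single safe failure;
    2oo3 needs two safe failures within one repair time, or a common-cause failure."""
    if s.arch == "1oo1":
        per_hour = s.lambda_s
    elif s.arch == "1oo2":
        per_hour = 2 * s.lambda_s
    elif s.arch == "2oo3":
        per_hour = 6 * ((1 - s.beta) * s.lambda_s) ** 2 * s.mttr_h + s.beta * s.lambda_s
    else:
        raise ValueError(f"unsupported architecture {s.arch!r}")
    return per_hour * HOURS_PER_YEAR


def achieved_sil(pfd: float) -> int:
    """IEC 61511 low-demand SIL band for an average PFD; 0 means below SIL 1."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def verify_sif(subsystems, required_sil: int) -> dict:
    """Combine sensor, logic-solver and final-element subsystems in series
    (PFDs and trip rates add, a conservative approximation) and check the target."""
    pfd_total = sum(pfd_avg(s) for s in subsystems)
    str_total = sum(spurious_trip_rate(s) for s in subsystems)
    sil = achieved_sil(pfd_total)
    return {
        "pfd_avg": pfd_total,
        "str_per_year": str_total,
        "achieved_sil": sil,
        "meets_target": sil >= required_sil,
        # per-subsystem working, as section 7 of this appendix requires
        "contributions": {s.name: pfd_avg(s) for s in subsystems},
    }


# Constructed sample SIF: 2oo3 pressure transmitters, a simplex logic solver and
# two shutdown valves voted 1oo2, all proof-tested annually.
SAMPLE_SIF = (
    Subsystem("pressure transmitters", "2oo3", 5e-7, 2e-6, 8760, 8, beta=0.02),
    Subsystem("logic solver", "1oo1", 1e-8, 1e-7, 8760, 8),
    Subsystem("shutdown valves", "1oo2", 2e-6, 1e-6, 8760, 24, beta=0.05),
)

if __name__ == "__main__":
    result = verify_sif(SAMPLE_SIF, required_sil=3)
    for name, pfd in result["contributions"].items():
        print(f"{name:22s} PFDavg = {pfd:.2e}")
    print(f"SIF PFDavg = {result['pfd_avg']:.2e} -> SIL {result['achieved_sil']}"
          f" (target SIL 3 met: {result['meets_target']})")
    print(f"spurious trip rate = {result['str_per_year']:.3f} per year")
```

With these sample values the final-element subsystem dominates the PFD (its common-cause term alone is several times the transmitter and logic-solver contributions), which is the kind of finding the per-subsystem breakdown is meant to expose for review.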
Appendix C – Responsibility for Engineering
Figure 1 - SIL and Engineering Design
[Figure: flow chart of SIL activities across the engineering phases Conceptual Design (DBSP), Project Proposal and Detailed Design, with a "By:" row and a "Review:" row for each activity. Activities shown, in order:
  Stage-one SIL Assignment: PHA, Hazard Identification; Qualitative; Consequence; per SAES.
  Stage-two SIL Assignment: Semi-Quantitative; Risk Graph; per SAES.
  Stage-three SIL Assignment (SIL 3 only): Quantitative; per SAES.
  SIS Design (SIL 1, 2 and 3).
  SIS Verification (SIL 1, 2 and 3).
  Installation; Validation; Testing; Commissioning.
Parties named in the figure: PMT (By); P&CSD, P&CSD/LPD, OPS/AALPD and OME (Review).]
Appendix D – SIF Specification Sheet
This Section shall provide a completed SIF specification summarizing the SIL Assignment, SIL Verification, Spurious Trip Rate, SIF architecture, level of redundancy and suitability of components and sub-systems.
SIF SPECIFICATION SHEET
PEFS Number: Is it a Pre-Alarm?
Initiator Tag:
Logic Solver Tag:
Final Element Tag:
FAILURE ON DEMAND:
Design Intent:
Demand Scenarios:
Case A:
Case B:
Consequence of Failure:
Case A:
Case B:
Demand Rate: D: Process Safety Time:
Health and Safety Consequence:
S:
Exposure:
Possibility to Avert Hazard:
Loss Consequence: L:
Environmental consequence: E:
Overall SIL:
CONSEQUENCE OF SPURIOUS TRIP:
COST: C:
Initiator: Rate:
Final element: Rate:
Appendix E – SIL Assignment Worksheet
Team:               Department:        Date Prepared:
Division:                              Date Issued:
Facility/Project:
Process Equipment:  Reviewed by:       Approved by:

Worksheet columns:
SIF | Scenario Risk (yr⁻¹) | Risk Target (yr⁻¹) | IPLs (Description) | IPLs RR | PFD Required | SIL
RR: Risk Reduction
Appendix F – Risk Graph Tables and Worksheet
The application of the Risk Graph Methodology requires the evaluation of the following
factors:
Consequences (C)
The consequence criteria shall be taken in accordance with table No. 2-1.
Occupancy (F)
This parameter should be estimated based on table No. 2-2. It is calculated by
determining the proportion of a normal working period during which the area
exposed to the hazard is occupied. If the time in the hazardous area differs
depending on the shift being operated, the maximum should be selected. It is only
appropriate to use FA where it can be shown that the demand rate is random and
not related to times when occupancy could be higher than normal; the latter is
usually the case with demands which occur at equipment start-up or during the
investigation of abnormalities. In any case, the factor should be selected based
on the most exposed person rather than the average across all people. It should be
noted that the concept of occupancy applies to personnel. For environmental and
asset damage, only FB is used when applying the risk graph, because these
receptors have no mobility.
Possibility of Avoiding the Hazard (P)
This parameter should be estimated based on table No. 2-3. It represents a measure
of the possibility of preventing the hazard. The parameter PA should only be used in
cases where the hazard can be prevented by the operator taking action.
Frequency of unwanted event (W)
The analysis of this aspect should follow table No. 2-4. It is important to note that
the frequency of the unwanted event (also called demand), shall be assessed as the
number of times per year that the hazardous situation would occur without the
addition of any safety instrumented system (E/E/PE or other technology), but
including any external risk reduction facilities (drain system, firewall, dike, etc.).
Table 3-1 – Consequence Criteria (C)
Consequence   Description
CA            People: Employee injury or damage to health.
              Environment: Minor and inside the fence.
              Assets: Minor damage. Cost less than $1 million.
CB            People: Employee fatality.
              Environment: Localized effect affecting neighborhood.
              Assets: Partial shutdown. Cost up to $100 million.
CC            People: Employee multiple fatalities and some impact on third parties.
              Environment: Severe damage to environment to be extensively restored by SA.
              Assets: Partial operation loss. Costs up to $500 million.
CD            People: Employees and third parties multiple fatalities.
              Environment: Contamination over a public large area. Major economic loss to SA.
              Assets: Significant or total loss of facility. Costs above $500 million.

Table 3-2 – Occupancy Factor (F)
Risk Parameter   Classification
FA               Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%.
FB               Frequent to permanent exposure in the hazardous zone.

Table No. 3-3 – Probability of Avoiding the Hazardous Event (P)
Risk Parameter   Classification
PA               Adopted if all conditions in the comments column are satisfied.
PB               Adopted if all conditions in the comments column are not satisfied.
Comments: PA should be selected if all the following are true:
  o Facilities are provided to alert the operator that the SIS has failed.
  o Independent facilities are provided to shutdown such that the hazard can be avoided or which enable all persons to escape to a safe area.
  o The time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Table 3-4 – Frequency of Unwanted Event (W)
Risk Parameter   Frequency (yr⁻¹)         Description
W1               < 1 x 10⁻⁶               Very Low. Never heard of in industry.
W2               1 x 10⁻⁶ to 1 x 10⁻³     Medium. Incident has occurred in SA.
W3               > 1 x 10⁻³               High. Happens several times per year in SA.
Figure No. 2 – Risk Graph
[Figure: generalized risk graph. From the starting point for risk reduction estimation, the path branches on C (CA, CB, CC, CD), then on F (FA, FB) and P (PA, PB), to reach one of the rows X1 to X6; the row is read against the demand frequency column W1, W2 or W3 to give the outcome. Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph). Outcome cells, rows X1 to X6 against columns W3, W2, W1, as reconstructed from the figure's cell values following the generalized arrangement:
  X1:  a    ---  ---
  X2:  1    a    ---
  X3:  2    1    a
  X4:  3    2    1
  X5:  4    3    2
  X6:  b    4    3
]
C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level
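The following is an added worked example of applying the Appendix F risk graph, not part of the original procedure. It encodes the generalized arrangement of Figure 2 (CA goes directly to X1; CB, CC and CD start at X2, X3 and X4 and step down one row for FB and one for PB) together with the selection rules of Tables 3-2 to 3-4 and the Appendix F note that only FB applies to environmental and asset receptors. The helper names, the row-stepping rule and the sample scenario are this example's own assumptions; a calibrated application-specific graph would replace the OUTCOME table.

```python
"""Added worked example: applying the Appendix F risk graph.

Not part of the original procedure. The X-row structure and outcome cells follow
the generalized arrangement of Figure 2; a specific application may use a
differently calibrated arrangement. Helper names and the sample scenario are
this example's own.
"""

# Outcome for each row X1..X6 against demand frequency columns W3, W2, W1.
# "---": no safety requirements; "a": no special safety requirements;
# "b": a single E/E/PES is not sufficient; "1".."4": required SIL.
OUTCOME = {
    1: {"W3": "a", "W2": "---", "W1": "---"},
    2: {"W3": "1", "W2": "a",   "W1": "---"},
    3: {"W3": "2", "W2": "1",   "W1": "a"},
    4: {"W3": "3", "W2": "2",   "W1": "1"},
    5: {"W3": "4", "W2": "3",   "W1": "2"},
    6: {"W3": "b", "W2": "4",   "W1": "3"},
}

# Row reached by the consequence branch before the F and P branches apply
# (assumed generalized arrangement: CB -> X2, CC -> X3, CD -> X4).
BASE_ROW = {"CB": 2, "CC": 3, "CD": 4}


def risk_graph_row(c: str, f: str, p: str) -> int:
    """Walk the C -> F -> P branches to the row X1..X6."""
    if c == "CA":
        return 1   # CA goes straight to X1; F and P are not evaluated
    if c not in BASE_ROW or f not in ("FA", "FB") or p not in ("PA", "PB"):
        raise ValueError(f"invalid parameters {(c, f, p)!r}")
    return BASE_ROW[c] + (f == "FB") + (p == "PB")


def occupancy_factor(fraction_of_time_exposed: float, receptor: str) -> str:
    """Table 3-2: FA below 10 % occupancy, FB otherwise. Appendix F: environmental
    and asset receptors have no mobility, so only FB applies to them."""
    if receptor != "people":
        return "FB"
    return "FA" if fraction_of_time_exposed < 0.10 else "FB"


def avoidance_factor(alerted: bool, independent_shutdown: bool,
                     time_sufficient: bool) -> str:
    """Table 3-3: PA only if all three conditions hold, else PB."""
    return "PA" if (alerted and independent_shutdown and time_sufficient) else "PB"


def demand_frequency_class(demands_per_year: float) -> str:
    """Table 3-4: W1 below 1e-6 /yr, W2 from 1e-6 to 1e-3 /yr, W3 above 1e-3 /yr."""
    if demands_per_year < 1e-6:
        return "W1"
    if demands_per_year <= 1e-3:
        return "W2"
    return "W3"


def assign_sil(c: str, f: str, p: str, w: str) -> str:
    """Outcome string from the risk graph for already-classified parameters."""
    return OUTCOME[risk_graph_row(c, f, p)][w]


def assess_scenario(consequence: str, receptor: str, fraction_exposed: float,
                    alerted: bool, independent_shutdown: bool,
                    time_sufficient: bool, demands_per_year: float) -> dict:
    """Evaluate one SIF scenario end to end, returning the C, F, P, W factors for
    the Figure 3 summary sheet together with the risk-graph row and outcome."""
    f = occupancy_factor(fraction_exposed, receptor)
    p = avoidance_factor(alerted, independent_shutdown, time_sufficient)
    w = demand_frequency_class(demands_per_year)
    return {"C": consequence, "F": f, "P": p, "W": w,
            "row": risk_graph_row(consequence, f, p),
            "outcome": assign_sil(consequence, f, p, w)}


if __name__ == "__main__":
    # Constructed scenario: multiple-fatality consequence (CC), area occupied 30 %
    # of the shift, operator is alerted but has no independent shutdown, and
    # 5e-4 demands per year without the SIS.
    print(assess_scenario("CC", "people", 0.30, True, False, True, 5e-4))
```

The sample scenario lands on row X5 in column W2, i.e. SIL 3; changing only the occupancy to below 10 % moves it to X4 and SIL 2, which is the sensitivity Appendix F warns about when occupancy is estimated from the average rather than the most exposed person.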
Figure 3 – Risk Graph SIL Summary
Team:               Department:        Date Prepared:
Division:                              Date Issued:
Facility/Project:
Process Equipment:  Reviewed by:       Approved by:

Summary sheet columns:
SIF | Scenario | Factors (C, F, P, W) | SIL w/o IPLs | IPLs (Description) | IPLs RR | SIL
RR: Risk Reduction.
Appendix G – Risk Matrix Table
Saudi Aramco Risk Matrix for Safety Integrity Level (SIL) Assignment

Likelihood Descriptions (Without IPLs, but including the Control System)
Category   Likelihood                      Description
1          Very High (> 10⁻² yr⁻¹)         Scenario can be expected to occur several times per year in the facility.
2          High (10⁻² to 10⁻³ yr⁻¹)        Scenario can be expected to occur several times per year in SA.
3          Medium (10⁻³ to 10⁻⁴ yr⁻¹)      Scenario has occurred in SA.
4          Low (10⁻⁴ to 10⁻⁶ yr⁻¹)         Some scenarios have occurred in the industry.
5          Very Low (< 10⁻⁶ yr⁻¹)          Very rare or never heard of in industry.

Consequence Categories & Descriptions (Without IPLs, but including the Control System)
Category 5 – Insignificant
  People: No injury or damage to health.
  Environment: No impact.
  Assets: Operational upset. Cost less than $100,000.
  Reputation: No public awareness.
Category 4 – Low
  People: Minor injury or damage to health.
  Environment: Minor and inside the fence.
  Assets: Minor damage. Costs up to $25 million.
  Reputation: Some public and media awareness but no concern.
Category 3 – Medium
  People: Lost time injury or limited health effects.
  Environment: Localized effect affecting neighborhood.
  Assets: Partial shutdown. Cost up to $100 million.
  Reputation: Regional public and some media concern.
Category 2 – High
  People: Employee fatalities and minor impact on third parties.
  Environment: Severe damage to environment to be restored by SA.
  Assets: Partial operation loss. Costs up to $500 million.
  Reputation: National impact. Public and media concern.
Category 1 – Very High
  People: Multiple fatalities.
  Environment: Contamination over a public large area.
  Assets: Significant or total loss of facility. Cost above $500 million.
  Reputation: International public and media attention.

Risk Matrix (required SIL; likelihood category down, consequence category across)
                        Consequence category
Likelihood category     5 Insignificant   4 Low   3 Medium   2 High   1 Very High
1 Very High             2                 2       3          EHRS     EHRS
2 High                  1                 2       3          3        EHRS
3 Medium                0                 1       2          3        3
4 Low                   0                 0       1          2        2
5 Very Low              0                 0       0          1        1

Legend
o EHRS: Extremely High Risk Scenario. Redesign of the process system required.
o 3: A SIL 3 SIF is required.
o 2: A SIL 2 SIF is required.
o 1: A SIL 1 SIF is required.
o 0: No SIF required.

About this matrix:
o The risk ranking is given by the risk to people and environment with no direct relationship with risks to assets.
o This matrix is endorsed for use across SA.
o Should any part of this matrix be changed or modified, adapted or customized. It is only to be used for SIL determination and by competent personnel.

Notes:
o Facility loss includes capital loss, business interruption, production deferment, legal liability and emergency response costs.
o In applying this matrix it is important to bear in mind that it is strongly recommended, as far as possible, to design the process with a lower SIL (below SIL 2) and also to provide Non-SIS protection layers.
o The consequence scenarios referred to in this matrix are those fully developed, e.g. VCE, fire, toxic vapor cloud, etc.

ABBREVIATIONS:
o SIL: Safety Integrity Level
o SIS: Safety Instrumented System
o SIF: Safety Instrumented Function
o IPL: Independent Protection Layer
o VCE: Vapor Cloud Explosion
Appendix H – Quantitative Risk Criteria
Risk Target Frequency (yr⁻¹)   Consequence Description
1 x 10⁻⁶                       People: Employees and third parties multiple fatalities.
                               Environment: Contamination over a public large area. Major economic loss to SA.
                               Assets: Significant or total loss of facility. Costs above $500 million.
1 x 10⁻⁵                       People: Employee multiple fatalities and some impact on third parties.
                               Environment: Severe damage to environment to be extensively restored by SA.
                               Assets: Partial operation loss. Costs up to $500 million.
1 x 10⁻⁴                       People: Employee fatality.
                               Environment: Localized effect affecting neighborhood.
                               Assets: Partial shutdown. Cost up to $100 million.
1 x 10⁻³                       People: Employee injury or damage to health.
                               Environment: Minor and inside the fence.
                               Assets: Minor damage. Cost less than $1 million.
Appendix I – General Notes
Introduction
Applying a risk based approach to safety functions using SIL will validate that the
design of safety systems in Saudi Aramco is adequate to protect personnel,
environment and assets against potentially hazardous situations. In addition, the risk
based approach will provide additional understanding of the process and provide
opportunities to reduce capital and maintenance costs as well as to avoid false
trips.
The starting point for risk based SIL assignment is to establish risk tolerability
criteria, so that the necessary risk reduction for each safety function can be
quantitatively or qualitatively ascertained. In some cases other safety protective
layers exist that may be used as credit when assessing the required safety integrity
level.
In order to meet the requirements of international standards it is required to:
● Identify safety functions.
● Determine SIL for each function.
● Develop safety requirement specifications
● Use life cycle approach for SIS design.
● Verify the integrity of SIS design.
● Demonstrate that integrity of SIS can be maintained.
● Document the process.
The SIL Concept
The SIL concept as applied by Saudi Aramco requires the identification of process
equipment with safety implication and establishing the risk reduction needed for
each of the safety functions required by each process equipment to operate safely.
Process equipment with safety implications are those process systems that can pose
one or more hazards (explosion, toxic release, leak, etc.). The risk reduction needed
is the gap between the existing risk posed by the equipment and the risk target. This
gap is to be covered firstly by inherently safer design and mechanical integrity, and
in the second place by using independent protection layers (IPL). When all the above
mentioned measures by themselves are not sufficient to cover the risk reduction
needed, a safety instrumented system (SIS) with the required technical specification
and architecture will be specified.
The Safety Life Cycle
The safety life cycle is another fundamental concept established by the international
standards. The safety life cycle represents the application of good engineering
practice to SISs. This safety life cycle is depicted in Figure 1 in Appendix C.
Good engineering practice is accomplished based on three fundamental aspects:
i) Design by Layers of Protection. Risk reduction is normally accomplished
using more than one protective system and more than one type of technology.
Some of these protective systems reduce the frequency of the hazardous
scenario, whereas others reduce the consequences. As a result, the total risk
reduction factor is obtained from the combination of the risk reduction factors
from each individual protective system.
ii) The second fundamental aspect of the safety lifecycle process is that it includes
design verification. The SIL for each section of the safety system is
calculated. Then, based on this calculated SIL each design must meet or
exceed these requirements. This aspect provides a control and verification
process that ensures that the design is optimal for the need. SIS over-design
can be easily and clearly identified and consequently changed. On the other
hand, SIS designs not fully covering the risk reduction needed can be
identified as well, and improved to meet the risk target.
iii) Thirdly, the safety life cycle includes inspection, testing and maintenance
planning, which address, among other things, testing intervals and testing schedules.
Furthermore, operation, maintenance and decommissioning are all part of the
safety life cycle.
Independent Protection Layers
Only those protection systems that meet the following criteria shall be classified as
independent protection layers, and therefore used in Saudi Aramco SIL studies.
These criteria are:
i) The protection provided reduces the identified risk by a large amount, that is, a
minimum of 10⁻¹.
ii) Specificity: An IPL is designed solely to prevent or to mitigate the
consequences of one potentially hazardous event (for example, a runaway
reaction, release of toxic material, a loss of containment, or a fire). Multiple
causes may lead to the same hazardous event; and, therefore, multiple event
scenarios may initiate action of one IPL.
iii) Independence: An IPL is independent of the other protection layers associated
with the identified danger.
iv) Dependability: It can be counted on to do what it was designed to do. Both
random and systematic failure modes are addressed in the design.