
Page 1: SAEP-250

Previous Issue: 27 October 2007 Next Planned Update: 27 October 2012

Revised paragraphs are indicated in the right margin Page 1 of 32

Primary contact: Brell, Austin on 966-3-8739455

Copyright©Saudi Aramco 2009. All rights reserved.

Engineering Procedure

SAEP-250 24 October 2009 Safety Integrity Level Assignment & Verification

Process Control Standards Committee Members

Khalifah, Abdullah Hussain, Chairman

Assiry, Nasser Yahya, Vice Chairman

Awami, Luay Hussain

Ben Duheash, Adel Omar

Bu Sbait, Abdulaziz Mohammad

Baradie, Mostafa M.

Dunn, Alan Ray

Fadley, Gary Lowell

Genta, Pablo Daniel

Ghamdi, Ahmed Saeed

GREEN, CHARLIE M

Hazelwood, William Priest

Hubail, Hussain Makki

Jansen, Kevin Patrick

Khalifa, Ali Hussain

Khan, Mashkoor Anwar

Mubarak, Ahmad Mohd.

Qaffas, Saleh Abdal Wahab

Shaikh Nasir, Mohammad Abdullah

Trembley, Robert James

Saudi Aramco DeskTop Standards

Table of Contents

1 Scope ....................................................... 2

2 Conflicts and Deviations ........................... 3

3 Applicable Documents .............................. 3

4 Definitions ................................................. 4

5 Instructions ............................................... 7

6 Responsibilities ....................................... 16

Page 2: SAEP-250

Document Responsibility: Process Control SAEP-250

Issue Date: 24 October 2009 Safety Integrity Level

Next Planned Update: 27 October 2012 Assignment & Verification

Page 2 of 32

Table of Contents (cont'd)

Appendix A - Required SIL Assignment Report Contents ............. 18

Appendix B - Required SIL Verification Report Contents ............ 20

Appendix C - Responsibilities for Engineering ........................ 22

Appendix D - SIF Specification Sheet ...................................... 23

Appendix E - SIL Assignment Worksheet ................................. 24

Appendix F - Risk Graph Tables and Worksheet ....................... 25

Appendix G - Risk Matrix Table ............................................... 29

Appendix H - Quantitative Risk Criteria .................................... 30

Appendix I - General Notes ...................................................... 31

1 Scope

This Saudi Aramco Engineering Procedure provides procedures and guidelines for the assignment and verification of Safety Integrity Levels (SIL) in ESD loops and for the analysis of the spurious trip rate (STR) that may result from introducing an ESD safety instrumented function into the process facility.

The procedure applies a risk based approach to safety functions to validate that the design of safety systems in Saudi Aramco is adequate to protect personnel, environment and assets against potentially hazardous situations. The risk based approach for SIL assignment and verification is required by SAES-J-601, based on the international standards ANSI/ISA 84.00.01 and IEC 61511. This procedure is to be used for new facilities and for modifications to existing facilities with safety instrumented functions.

The document provides the risk tolerability criteria, recommended data sources for commonly used control, instrument and process equipment, and typical specification sheets to document Safety Instrumented Functions (SIF).

The document also defines the roles and responsibilities for LPD, Proponent Department, Project Management and P&CSD.

HIPS are a form of ESD and shall follow the same calculation procedures outlined in this document and in SAEP-354, High Integrity Protective Systems Design Requirements.

As a minimum, SIL studies shall be updated along with any changes to the facilities, and also when major modifications in data basis, models or SIL estimating methods occur.


2 Conflicts and Deviations

2.1 Any conflicts between this Procedure and other applicable Saudi Aramco Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards (SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi Aramco Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Company or Buyer Representative through the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from this Procedure in writing to the Company or Buyer Representative, who shall follow internal company procedure SAEP-302 and forward such requests to the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran.

3 Applicable Documents

All referenced Procedures, Standards, Specifications, Codes, Forms, Drawings, and similar material or equipment supplied shall be considered part of this Procedure to the extent specified herein and shall be of the latest issue (including all revisions, addenda, and supplements) unless stated otherwise.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement

SAEP-354 High Integrity Protective Systems

Saudi Aramco Engineering Standards

SAES-J-002 Technically Acceptable Instruments

SAES-J-601 Emergency Shutdown & Isolation Systems

3.2 Industry Codes and Standards

The Instrumentation, Systems, and Automation Society (ISA)

ANSI/ISA 84.00.01 Functional Safety – Safety Instrumented Systems for the Process Industry Sector

ISA TR84.0.02 Safety Instrumented Functions – Evaluation Techniques

The International Electrotechnical Commission (IEC)

IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector


Reliability Data Sources

OREDA Offshore Equipment Reliability Handbook

EXIDA Safety Equipment Reliability Handbook

SHELL SIFPro Reliability Data Tables

4 Definitions

4.1 Acronyms

DCF Diagnostic Coverage Factor

ESD Emergency Shutdown System

ETA Event Tree Analysis

FTA Fault Tree Analysis

HAZOP Hazards and Operability Study

HIPS High Integrity Protective System

IO Input/Output

IPL Independent Protection Layer

LPD Loss Prevention Department

P&CSD Process and Control Systems Department

PFD Probability of Failure on Demand

PHA Preliminary Hazard Analysis

QRA Quantitative Risk Assessment

SAPMT Project Management Team

SIL Safety Integrity Level

SIF Safety Instrumented Function

SIS Safety Instrumented System

SRS Safety Requirements Specification

STR Spurious Trip Rate

UPS Uninterruptible Power Supply

ZV Power Operated Emergency Isolation Valve

4.2 Definition of Terms

Beta Factor: The number of common cause failures expressed as a fraction of all possible failures. A common mode failure is a failure that may affect duplicate components in redundant configurations.


Dangerous Failure: A failure that will prevent the safety function from protecting the process.

Demand: A process or equipment condition which requires the safety function to take action to prevent a hazardous situation.

Diagnostic Coverage Factor: The number of dangerous failures that diagnostic features are capable of detecting, as a fraction of all possible dangerous failures.

Failure: An abnormal situation that prevents the operation of the safety function(s).

Final Control Element: A device that manipulates a process variable. Final elements include valves, relays, solenoids and switchgear.

Initiator: The input measuring device that initiates a trip signal to the ESD system. Initiators include switches, transmitters and manual pushbuttons.

Inherent Safety: A design that removes the hazard at the source, as opposed to accepting the hazard and looking to mitigate the effects. Inherent Safety therefore generates little or no damage in the event of an incident. The principles of inherent safety design are to minimize, substitute, moderate, and simplify.

Logic Solver: The system that is used to perform the application logic. Logic solvers may be programmable, relay based or solid state.

Mechanical Integrity: The suitability of the equipment to operate safely and reliably under the normal and abnormal (upset) operating conditions to which the equipment is exposed.

MTTF: "Mean Time To Failure" is the expected time to failure of a system in a population of identical systems.

MTBF: "Mean Time Between Failure" is the expected time between failures of a system, including time to repair. It is derived in its simplest form as:

MTBF = MTTF + MTTR

MTTR: "Mean Time To Repair" is the statistical average of the time taken to identify and repair a fault (including diagnosis), in a population of identical systems.

Probability of Failure on Demand (PFD): The probability that the SIF fails to respond to a demand or a manual initiation.


Process Safety Time: The time that it takes for a hazardous situation (such as a release) to occur after the process operates beyond the trip point of the safety function.

Proof Test Coverage Factor: The fraction of dangerous failures detected by a proof test.

Residual Risk: The risk remaining after protective measures have been taken.

Safety Availability: The fraction of time that a safety system is able to perform its designated function when the process is operating. The safety system is unavailable when it has failed dangerously or is in bypass. Safety availability is equal to 1 minus the PFD (dangerous) of the safety function.

Safe Failure: A failure that does not place the SIF in a dangerous state. A safe failure results in a trip or an alarm to the operator.

Safe Failure Fraction: The fraction of all failures that drive the device to its safe state, i.e. a trip or an alarm.

Safety Instrumented Function (SIF): A safety instrumented function consists of input devices, a logic solver and final output devices. Another term commonly used in Saudi Aramco is ESD Loop.

Safety Integrity Level (SIL): The level of overall availability for an ESD loop or ESD system component, calculated as 1 minus the sum of the average probabilities of dangerous failure on demand.

Table 1 – Safety Integrity Levels (SIL)

SIL | RRF (Risk Reduction Factor) | PFDavg (Probability of Failure on Demand) (1/RRF) | Safety Availability (1-PFDavg)

0/a | Process Control | | 

1 | 10 to 100 | 1/10 to 1/100 | 90 - 99%

2 | 100 to 1,000 | 1/100 to 1/1,000 | 99 - 99.9%

3 | 1,000 to 10,000 | 1/1,000 to 1/10,000 | 99.9 - 99.99%

4 | 10,000 to 100,000 | 1/10,000 to 1/100,000 | 99.99 - 99.999%

Spurious Trip Rate (STR): The rate, in trips per year, at which a trip leading to a shutdown of the process would occur.


Test Interval (TI): The interval in time at which a test would be made on a device or logic solver.

5 Instructions

5.1 SIL Assignment

5.1.1 General

The SIL assignment establishes the risk reduction needed for each process system to protect against one or more hazards (such as explosion, toxic release, leak, etc.). The risk reduction is calculated as the gap between the existing risk posed by the process or equipment and the risk target. Risk reduction is provided by process and mechanical integrity, independent protection layers and, if so required, safety instrumented systems (SIS).

5.1.2 Identification of Safety Instrumented Functions

Safety instrumented functions are to be identified during the engineering design phase to meet:

5.1.2.1 Licensor engineering requirements and previous design experience for a similar process.

5.1.2.2 In-plant or industry experience with process upsets, incident or accident reports.

5.1.2.3 Engineering requirements of Saudi Aramco Standards.

5.1.2.4 HAZOP/PHA recommendations for process interlocks, alarms and shutdown interlocks.

5.1.2.5 Recommendations from any process analysis such as the study of the impact of control instrument failures, control valve failure modes, pressure relief and flare capacity studies, etc.

5.1.3 Acceptable SIL Assignment Techniques and Software Packages

5.1.3.1 Semi-quantitative Risk Graph, modified Risk Matrix or LOPA may be used for SIL assignment at project proposal or detailed engineering on ESD loops.

5.1.3.2 Fully quantitative SIL analysis using consequence modeling, ETA and FTA shall be used for all SIL#3 ESD loops (SIFs).

5.1.3.3 Software packages which support consequence modeling, ETA and FTA are recommended to assist in the documentation and consistency of the assignment process. Refer to Loss Prevention Department / Technical Support Unit for recommended consequence modeling packages.

5.1.4 Documentation of Calculations

All assumptions and the source of data used, consequence and frequency model calculations and any information necessary to support the risk assessment shall be documented and maintained with the project documentation as specified in Appendix A of this procedure.

5.1.5 SIL Assignment at Project Proposal or Detailed Engineering

5.1.5.1 SIL Assignment at the Project Proposal and Detailed Design stage may use risk graph, modified risk matrix or Layers of Protection Analysis (LOPA). SIL Assignment should be completed in Project Proposal.

5.1.5.2 The SIL study should be conducted before the HAZOP study, and before instrumentation and control equipment is ordered.

5.1.5.3 The consequence and frequency criteria in Appendix F are to be used for the risk graph, modified risk matrix and LOPA methods.

5.1.5.4 SIL#4 assignments shall not be assigned for Saudi Aramco facilities design; instead the process and mechanical design shall be reviewed and modified to reduce the residual risk required by a SIF to SIL#3 or below.

5.1.6 SIL Assignment Planning

In order to follow a sound and well planned process, the following is required in preparation for a SIL study:

5.1.6.1 The scope of the study and its limitations are to be clearly defined, including the documentation requirements as outlined in Appendix A.

5.1.6.2 The study team must be formed by knowledgeable personnel as specified in section 5.1.7 of this procedure.

5.1.6.3 The SIL Assignment methodologies and the risk criteria are to be agreed upon prior to beginning the study.


5.1.6.4 Process Flow Diagrams which show both key control and shutdown instrumentation shall be available to assist the team in overviewing the process.

5.1.6.5 Supporting project documentation for the SIL Study and required by the team are P&IDs, a Safety Instrumented Functions List and Cause-and-Effect Charts.

5.1.6.6 Supporting software packages should be available and understood by the Study Team Leader.

5.1.7 Personnel

The SIL Assignment team shall be formed, consisting of a knowledgeable and competent process engineer, instrument and control engineer, senior operations personnel and safety engineer. The team leader must have a working knowledge of the SIL assignment process and be familiar with the process under design and the software tools being used during the study.

5.1.8 Independent Protection Layers (IPL)

Independent protection layers, when applied to mitigate the hazard, shall reduce the identified risk by 10^-1 and be independent, dependable and auditable. IPLs may include one or more of the following:

5.1.8.1 Mechanical Protection such as a Safety Relief Valve.

5.1.8.2 Operator Intervention providing that:

5.1.8.2.1 The operator has an adequate alarm system (i.e., alarms are less than 280 per console operator per day).

5.1.8.2.2 There are written procedures stating the operator action.

5.1.8.2.3 The operator regularly completes the action as a drilled exercise.

5.1.8.3 Dike, fire proofing, blast proofing.

5.1.8.4 Fire Suppression Systems.

5.1.9 SIL Assignment Procedure Using Risk Graph

5.1.9.1 Use Appendix F to assign SIL functions using Risk Graph.

5.1.9.2 Use Appendix F, Figure 3 to document the Risk Graph results.


5.1.10 SIL Assignment Procedure Using Risk Matrix

5.1.10.1 Use Appendix G to assign SIL functions using Risk Matrix.

5.1.10.2 Use Appendix E to document the Risk Matrix results.

5.1.11 SIL Assignment for SIL#3

5.1.11.1 Fully quantitative SIL analysis using consequence modeling, ETA and FTA shall be used for all SIL#3 loops.

5.1.11.2 The form depicted in Appendix E shall be used to document the results of the study.

5.1.11.3 Develop accident scenarios for every initiating event. This shall be accomplished using an ETA.

5.1.11.5 Evaluate the consequences of all significant accident scenarios using consequence modeling software recognized in the process industry.

5.1.11.6 Use Appendix I "Quantitative Risk Criteria" to determine the Risk Target Frequency.

5.1.11.7 Determine the frequency of occurrence of each accident scenario using an FTA, considering only the Process and Control System risk. All protective systems shall be disregarded for this purpose.

5.1.11.8 Compare the frequency of occurrence of each accident scenario against its risk target. The risk reduction required for each case is determined by the gap between the actual risk of the process and the risk target for each scenario.

5.1.11.9 Add all the IPLs that could reduce the risk gap. IPLs that comply with all the criteria established in section 5.4 may be used.

5.1.11.10 SIL#3 functions that are designated as HIPS functions shall follow SAEP-354 and perform a cost benefit analysis.


5.2 SIL Verification

5.2.1 Documentation of Calculations

All assumptions, data sources, and any other information necessary to define the final system availability and spurious trip rate shall be documented and maintained with the shutdown system documentation as required in Appendix B.

5.2.2 SIL Verification Techniques and Software Packages

Simplified Equations, Markov Models or Fault Tree Analysis may be used to provide the calculations for system availability and spurious trip rate. Software packages which support these modeling techniques are recommended to assist in the documentation and consistency of the calculations.

5.2.3 Assumptions used in Calculations

5.2.3.1 Failure rate data shall be sourced from recognized industry sources such as OREDA, EXIDA, Shell SIFPro, certified manufacturers' technical sheets or TUV reports.

5.2.3.2 Components used in the shutdown system shall be technically acceptable per SAES-J-002 and proven in use in Aramco facilities or TUV certified.

5.2.3.3 When calculating dangerous failures for an energized-to-trip system, the power supply shall be included in the calculations for dangerous failures.

5.2.3.4 The failure rate for a logic solver shall include the input and output module type for that function.

5.2.3.5 Failure rate values are to be taken from specific FMEA, third party reports, TUV reports or references provided in this report.

5.2.3.6 The calculated PFDavg should be verified as better than the minimum required PFDavg value by a factor of 25%. That is:

● SIL 1 PFDavg < 7.5E-02

● SIL 2 PFDavg < 7.5E-03 and

● SIL 3 PFDavg < 7.5E-04.

5.2.3.7 The PFDavg calculations may assume that the calibration and repair time is small compared to the MTTF.


5.2.3.8 The Standard requirement for proof test intervals of instruments and control equipment shall be: transmitters (1 year), switches (6 months), valves (partial stroke quarterly and full stroke yearly), logic solvers (10 years). These proof test intervals may be extended based on calculations showing that the PFDavg meets the required target SIL.

5.2.3.9 Spurious trip calculations shall take into consideration the failure mode of the transmitter and any time delay shutdown logic which would inhibit a spurious trip. When a transmitter is configured to fail away from the trip point, or the logic is such that the trip signal is bypassed or delayed by a bad transmitter, then the spurious trip is inhibited. When the spurious trip is inhibited in this way, no spurious trip rate for the transmitter is necessary.

5.2.3.10 The MTTR time for a transmitter, switch, valve or other device to be offline is one shift (or 8 hours).

5.2.3.11 Partial stroke testing for valves shall use a 60% contribution to the PFDavg. Full Stroke Testing shall use a 40% contribution factor to the PFDavg.

5.2.3.12 Shutdowns which are initiated manually via a push/pull button are exempt from SIL verification. These shutdown buttons require an operator intervention that is used for both prevention and mitigation of hazardous events. Shutdowns which are manually initiated by the operator via push/pull button shall be considered as SIL#1 loops and included in the ESD system.

5.2.4 Calculation Procedure

Refer to ISA TR84.00.02 Part 2.

5.2.4.1 Identify the Safety Instrumented Functions and the SIL required.

5.2.4.2 List the components of the SIF. List the MTTF (dangerous) for each component.

5.2.4.3 Calculate the PFDavg for each combination of components (sensors, logic solver, final elements) and then sum the values to obtain the PFDavg for the safety instrumented function.


5.2.4.4 Determine whether the PFDavg meets the integrity requirements of the Safety Requirements Specification.

5.2.4.5 The PFDavg shall meet or exceed the requirements of the SIL specified; otherwise the component selection and redundancy shall be modified accordingly.

5.2.5 PFDavg/Availability Calculation References

5.2.5.1 See ISA TR84.0.02 Parts 1 and 2 for use of Simplified Equations.

5.2.5.2 See ISA TR84.0.02 Part 3 for use of Fault Tree Models.

5.2.5.3 See ISA TR84.0.02 Part 4 for use of Markov Models.

5.2.6 Determining the PFDavg of Sensors

5.2.6.1 Identify the sensors, list their dangerous failure rates (i.e., dangerous undetected failures) and Test Interval (TI), and calculate the PFDavg.

5.2.6.2 For dirty process conditions apply a severity factor to the sensor failure rate, effectively de-rating it for the service conditions.

5.2.6.3 Sum the PFDavg for sensors.

5.2.7 Determining the PFDavg of Final Control Elements

5.2.7.1 Identify the valves, and each of the components on the valve including solenoid valve, positioners, boosters and multiplexers, etc.

5.2.7.2 Calculate the PFDavg for the valve package.

5.2.7.3 Sum the PFDavg for the Final Control Elements.

5.2.8 Determining the PFDavg of the Logic Solver

5.2.8.1 Identify the type and manufacturer of the hardware to be used.

5.2.8.2 Identify the IO module types for the function and logic solver combination.

5.2.8.3 Calculate the PFDavg using a system calculation tool.

5.2.9 Determining the PFDavg of the Separate Field Power Supplies and UPS

5.2.9.1 If the ESD is designed for de-energize to trip, the power supply does not impact the safety function, as a power supply failure will result in the action of bringing the process equipment to the safe state. Identify the type and manufacturer of the hardware to be used.

5.2.9.2 If the ESD is designed for energize to trip, the power supply does impact the safety function, as a power supply failure will not allow the ESD to be initiated. List the MTBF for each power supply, both field power supplies and UPS. Identify the IO module types for the function and logic solver combination.

5.2.9.3 Calculate the PFDavg for the UPS and Field Power Supplies.

5.2.10 Simplified Equations for PFDavg and STR

See ISA TR84.0.02 Parts 1 and 2 for use of Simplified Equations including beta factors and dangerous detected failures. The following table is a summary of the simplified equations without these factors. Note that these simplified equations assume that the voted components are the same, which is not always the case. The equations assume similar failure rates for redundant components.

Table 2 – Simplified Equations for Different Voting Architectures

Voting | PFDavg | Spurious Trip Rate (STR)

1oo1 | |

1oo2 | |

1oo2D | |

1oo3 | |

2oo2 | |

2oo3 | |

2oo4 | |


5.3 Spurious Trip Rate Calculation

STR calculations are made when a specific safety function may cause unacceptable loss of production when the safety function fails.

5.3.1 Documentation of Calculations

All assumptions, data sources, and any other information necessary to define the final system availability and spurious trip rate shall be documented and maintained with the shutdown system documentation.

5.3.2 Assumptions used in Calculations

5.3.2.1 The cost of the end device should include the total installed cost including engineering.

5.3.2.2 Loss of production estimates should be clearly defined in simple terms: average loss basis, number of hours down, and % of turndown.

5.3.3 Calculation Procedure

5.3.3.1 Identify the initiators to shutdown in each SIF.

5.3.3.2 List the MTTF (spurious) for each sensor.

5.3.3.3 List the MTTR (spurious) for each sensor.

5.3.3.4 Calculate the spurious trip rate for the combination of sensors.

5.3.3.5 Repeat 1-4 for final control elements.

5.3.3.6 Repeat 1-4 for logic solver and power supplies.
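A worked SIL verification that ties together the 5.2.3.6 margin, the 5.2.3.8 proof test intervals, the 5.2.3.10 MTTR, the 5.2.3.11 partial stroke split, the 5.2.4 summation and the 5.3.3 spurious trip steps. This is an added example and not part of SAEP-250: the PFDavg and STR formulas are the generic ISA TR84.00.02 simplified forms without beta factor or diagnostics (so 1oo2D is left out), all failure rates and the logic solver figure are constructed, and reading 5.2.3.11 as a 60/40 test-coverage split between partial and full stroke is our assumption.

```python
HOURS_PER_YEAR = 8760.0
MTTR_HOURS = 8.0  # 5.2.3.10: one shift offline for repair

# 5.2.3.8 standard proof test intervals, in hours
PROOF_TEST_INTERVAL = {
    "transmitter": HOURS_PER_YEAR,               # 1 year
    "switch": HOURS_PER_YEAR / 2,                # 6 months
    "valve_partial_stroke": HOURS_PER_YEAR / 4,  # quarterly
    "valve_full_stroke": HOURS_PER_YEAR,         # yearly
    "logic_solver": 10 * HOURS_PER_YEAR,         # 10 years
}

# 5.2.3.6: the calculated PFDavg must beat the band limit by 25%
PFD_LIMIT_WITH_MARGIN = {1: 7.5e-2, 2: 7.5e-3, 3: 7.5e-4}


def pfd_avg(voting, lambda_du, ti):
    """Simplified PFDavg for identical voted components (ISA TR84.00.02 form,
    no beta factor, no diagnostics). lambda_du is per hour, ti in hours."""
    x = lambda_du * ti  # dangerous undetected failures expected per test interval
    forms = {"1oo1": x / 2, "1oo2": x ** 2 / 3, "1oo3": x ** 3 / 4,
             "2oo2": x, "2oo3": x ** 2, "2oo4": x ** 3}
    return forms[voting]


def spurious_trip_rate(voting, lambda_s, mttr=MTTR_HOURS):
    """Simplified STR per hour for the same architectures; M-out-of-N voting
    with M > 1 only trips spuriously if two channels fail within one MTTR."""
    forms = {"1oo1": lambda_s, "1oo2": 2 * lambda_s, "1oo3": 3 * lambda_s,
             "2oo2": 2 * lambda_s ** 2 * mttr, "2oo3": 6 * lambda_s ** 2 * mttr,
             "2oo4": 12 * lambda_s ** 2 * mttr}
    return forms[voting]


def valve_pfd_avg(lambda_du, ti_partial, ti_full):
    """5.2.3.11 read as a coverage split (assumption): 60% of dangerous valve
    failures are revealed by the partial stroke test, 40% only by the full stroke."""
    return (0.6 * pfd_avg("1oo1", lambda_du, ti_partial)
            + 0.4 * pfd_avg("1oo1", lambda_du, ti_full))


def verify_sif(target_sil, sensor_pfd, logic_solver_pfd, final_element_pfd):
    """5.2.4.3 to 5.2.4.5: sum the subsystem PFDavg values and check the total
    against the target SIL with the 25% margin of 5.2.3.6."""
    if target_sil not in PFD_LIMIT_WITH_MARGIN:
        raise ValueError("SIL#4 is not assigned in Saudi Aramco designs (5.1.5.4)")
    total = sensor_pfd + logic_solver_pfd + final_element_pfd
    limit = PFD_LIMIT_WITH_MARGIN[target_sil]
    return {
        "pfd_avg": total,
        "limit": limit,
        "safety_availability": 1.0 - total,
        "risk_reduction_factor": 1.0 / total,
        "verified": total < limit,
    }


def example_sif():
    """Constructed SIL 2 high-pressure trip: 2oo3 transmitters, a logic solver
    PFDavg standing in for a system calculation tool result (5.2.8.3), and one
    1oo1 valve with quarterly partial stroke and yearly full stroke testing."""
    sensors = pfd_avg("2oo3", 2e-7, PROOF_TEST_INTERVAL["transmitter"])
    logic = 1e-5  # constructed figure
    valve = valve_pfd_avg(5e-7, PROOF_TEST_INTERVAL["valve_partial_stroke"],
                          PROOF_TEST_INTERVAL["valve_full_stroke"])
    result = verify_sif(2, sensors, logic, valve)
    # 5.3.3: spurious trips per year from the initiators and the final element
    # (constructed safe failure rates of 1e-6 per hour each)
    per_hour = spurious_trip_rate("2oo3", 1e-6) + spurious_trip_rate("1oo1", 1e-6)
    result["spurious_trips_per_year"] = per_hour * HOURS_PER_YEAR
    return result


if __name__ == "__main__":
    for key, value in example_sif().items():
        print(f"{key}: {value}")
```

The same components fail the SIL 3 limit of 7.5E-04, which is the point of the margin check: the valve package dominates the total, so that is where redundancy or a shorter test interval would have to go.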

5.4 Safety Requirements Specification (SRS)

As part of the Safety Requirements Specification, a SIF Specification Sheet should be published to summarize the SIL Assignment, SIL Verification, Spurious Trip Rate and a written narrative of the shutdown requirements. See Appendix D for an example SIF Specification Sheet.


6 Responsibilities

6.1 Saudi Aramco Project Management Team (SAPMT)

a) Allocate a SIL Team to conduct a SIL Assignment Study.

b) Perform SIL Assignment and Verification for each safety instrumented function per this procedure.

c) Submit the SIL Assignment report for review to the appropriate Saudi Aramco organizations.

d) Submit the SIL Verification report for review to the appropriate Saudi Aramco organizations.

e) Submit a SIF Specification Sheet for each ESD loop.

f) Conduct a Quantitative assessment for all SIL#3 ESD loops.

6.2 Loss Prevention Department (LPD)

a) Support SAPMT and P&CSD organizations in planning and performing SIL studies.

b) Support proponent organizations in maintaining the designed integrity of installed SIS.

c) Review all projects' SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

6.3 Process & Control Systems Department (P&CSD)

a) Support PMT and Proponent organizations in planning and performing SIL studies.

b) Support proponent organizations in maintaining the designed integrity of installed SIS.

c) Review all projects' SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

d) Review all projects' SIL verification reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

e) Participate in SIL Assignment Studies as requested by SAPMT.

6.4 Proponent Organizations

a) Assign engineers to participate in SIL Assignment Studies.

b) Review all projects' SIL assignment reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.

c) Review all projects' SIL verification reports to ensure compliance with this procedure and applicable Saudi Aramco Standards.


d) Allocate resources and plan necessary equipment/facility shutdowns to ensure performance of periodic proof testing and maintenance along the life cycle of the SIS, during its operational life and for decommissioning, as established in this document.

e) Ensure that the designed integrity of the SIS is maintained during the operational life cycle of the system.

Revision Summary

27 October 2007 New Saudi Aramco Engineering Procedure.

24 October 2009 Editorial revision to replace Standards Committee Chairman.


Appendix A – Required SIL Assignment Report Contents

1. Introduction

1.1 Scope

This section shall define the scope of the ESD application, and shall define its structure and summarize its content.

1.2 Objectives

This section shall define the intent of the SIL Assignment Report.

2. Definitions

This section shall provide a listing with definitions of terms and abbreviations used in this document that are subject to interpretation by the user. A simple translation of an abbreviation is not sufficient unless the meaning of the translation is obvious.

3. Applicable Documents

All documents referenced within the SIL Assignment report shall be listed and completely identified in this section.

4. Project Description

4.1 Introduction

This section shall provide an overall description of the Process and the Process Control design.

4.2 SIL Study Methodology

This section shall summarize the SIL Assignment Methodology used in the study.

5. Assumptions

State or reference all assumptions used in the quantitative and qualitative analysis in this section. Note assumptions relating to consequence and likelihood of hazardous events.

6. Data Sources & Software Package

6.1 Data Sources

State the data sources or software packages used in this section.


6.2 Models

Reference all consequence and likelihood models completed on the facility, including toxicity dispersion models, blast study models, and transient pipeline analysis.

7. Results

7.1 Worksheet

Provide a completed risk graph worksheet (Appendix F) or risk matrix worksheet (Appendix G) showing all initiated SIFs and their respective SIL assignment.

7.2 Recommendations

Provide in this section a summary of recommended proposals that would improve the safety design or mitigate the process risk.

8. Conclusions

This section provides a summary of the recommendations and any further information needed to execute the engineering design. State any further information or modeling required.


Appendix B – Required SIL Verification Report Contents

1. Introduction

1.1 Scope

This section shall define the scope of the ESD application, and shall define its structure and summarize its content.

1.2 Objectives

This section shall define the intent of the SIL Verification Report.

2. Definitions

This section shall provide a listing with definitions of terms and abbreviations used in this document that are subject to interpretation by the user. A simple translation of an abbreviation is not sufficient unless the meaning of the translation is obvious.

3. Applicable Documents

All documents referenced within the SIL Verification report shall be listed and completely identified in this section.

4. System Description

4.1 Introduction

This section shall provide an overall view of the Process Automation System, its operation and capabilities, and its intended use.

4.2 Safety Instrumented Functions

This section shall provide a list of the SIFs being considered in the verification. The following information shall be included:

a) SIF Number and Tag Name.

b) SIL required.

c) Initiator(s) Tag Number(s).

d) Final Element(s) Tag Number(s).

e) SIS architecture showing the required fault tolerance per SAES-J-601 and IEC 61511.


5. Assumptions

This section shall include all assumptions used in the calculations. These include, but are not limited to:

5.1 Test Interval (TI) for instruments, logic solver and final control elements.

5.2 Common Cause Factors (Beta Factor).

Commentary Note:

Typical Common Cause Factors range from 1-5% for similar equipment. Otherwise the Common Cause Factor can be obtained from a Failure Mode and Effects Analysis (FMEA).

5.3 MTTR of instrumentation.

5.4 Service factors for process instruments.

5.5 The failure mode of transmitters to the trip condition.

6. Data Sources & Software Package (Version)

This section provides a reference to, or a complete list of, the Failure Rate data used for instrumentation and control equipment.

7. Calculation Results

This section shall summarize the calculation results for each Safety Instrumented Function: both the calculations that verify the SIL and those that give the Spurious Trip Rate (STR) of the device(s) that lead to a trip. Functions which share the same instrumentation may be grouped; however, the calculations must show sufficient working to be checked and reviewed.
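The following is an added worked example of the kind of calculation Section 7 asks for; it is not part of SAEP-250 and is not Saudi Aramco's calculation method or software. It takes the assumptions Section 5 requires to be stated (proof-test interval TI, common-cause beta factor, MTTR) and applies the simplified low-demand PFDavg and spurious-trip-rate approximations from ISA-TR84.00.02 / IEC 61508-6 for 1oo1, 1oo2 and 2oo3 voting, summing the sensor, logic solver and final element subsystems in series. All failure rates and the tag names PT-101A/B and XV-101 are constructed for illustration, not taken from any data source.

```python
# Added example, not part of SAEP-250 and not the company's calculation method:
# simplified low-demand PFDavg and spurious trip rate (STR) for one SIF, using the
# assumptions Appendix B section 5 requires to be stated (proof-test interval TI,
# common-cause beta factor, MTTR) and the simplified ISA-TR84.00.02 / IEC 61508-6
# approximations for 1oo1, 1oo2 and 2oo3 voting. All failure rates and tag names
# below are constructed for illustration, not taken from any data source.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61511 low-demand SIL bands as (SIL, lower PFDavg bound, upper PFDavg bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd: float) -> int:
    """SIL achieved by a PFDavg; 0 when PFDavg >= 0.1 (no SIL is claimed)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


@dataclass
class Subsystem:
    name: str
    voting: str            # "1oo1", "1oo2" or "2oo3"
    lam_du: float          # dangerous undetected failure rate, per hour
    lam_dd: float          # dangerous detected failure rate, per hour
    lam_s: float           # safe (spurious) failure rate, per hour
    ti_h: float            # proof-test interval, hours (Appendix B 5.1)
    mttr_h: float = 8.0    # mean time to repair, hours (Appendix B 5.3)
    beta: float = 0.05     # common-cause factor (Appendix B 5.2; 1-5 % typical)

    def pfd_avg(self) -> float:
        """Simplified PFDavg: undetected term, common-cause term, detected/repair term."""
        if self.voting == "1oo1":
            return self.lam_du * self.ti_h / 2 + self.lam_dd * self.mttr_h
        independent = (1 - self.beta) * self.lam_du
        common_cause = (self.beta * self.lam_du * self.ti_h / 2
                        + self.beta * self.lam_dd * self.mttr_h)
        if self.voting == "1oo2":
            return independent ** 2 * self.ti_h ** 2 / 3 + common_cause
        if self.voting == "2oo3":
            return independent ** 2 * self.ti_h ** 2 + common_cause
        raise ValueError(f"unsupported voting {self.voting!r}")

    def spurious_rate(self) -> float:
        """Simplified spurious trip rate, per hour (any safe failure trips a 1ooN group)."""
        if self.voting == "1oo1":
            return self.lam_s
        if self.voting == "1oo2":
            return 2 * self.lam_s
        if self.voting == "2oo3":
            return 6 * self.lam_s ** 2 * self.mttr_h
        raise ValueError(f"unsupported voting {self.voting!r}")


def verify_sif(subsystems, required_sil: int) -> dict:
    """Series combination: PFDavg and STR add across sensor, logic solver and final element."""
    pfd = sum(s.pfd_avg() for s in subsystems)
    dominant = max(subsystems, key=lambda s: s.pfd_avg())
    achieved = sil_from_pfd(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": 1 / pfd,
        "achieved_sil": achieved,
        "meets_target": achieved >= required_sil,
        "str_per_year": sum(s.spurious_rate() for s in subsystems) * HOURS_PER_YEAR,
        "dominant_subsystem": dominant.name,
    }


# Constructed SIF: 1oo2 pressure transmitters, 1oo1 logic solver, 1oo1 shutdown valve,
# all proof-tested yearly. The SIL assignment study is assumed to have required SIL 2.
EXAMPLE_SIF = [
    Subsystem("PT-101A/B", "1oo2", lam_du=1e-7, lam_dd=4e-7, lam_s=2e-7, ti_h=HOURS_PER_YEAR),
    Subsystem("Logic solver", "1oo1", lam_du=1e-9, lam_dd=1e-7, lam_s=5e-8, ti_h=HOURS_PER_YEAR),
    Subsystem("XV-101", "1oo1", lam_du=1e-6, lam_dd=0.0, lam_s=3e-7, ti_h=HOURS_PER_YEAR),
]


def valve_interval_sensitivity(ti_years: float) -> dict:
    """Same SIF with a longer valve proof-test interval, to show the TI assumption matters."""
    valve = EXAMPLE_SIF[2]
    stretched = Subsystem(valve.name, valve.voting, valve.lam_du, valve.lam_dd,
                          valve.lam_s, ti_years * HOURS_PER_YEAR)
    return verify_sif(EXAMPLE_SIF[:2] + [stretched], required_sil=2)


if __name__ == "__main__":
    for label, result in (("TI 1 yr", verify_sif(EXAMPLE_SIF, 2)),
                          ("valve TI 3 yr", valve_interval_sensitivity(3))):
        print(f"{label}: PFDavg={result['pfd_avg']:.2e} RRF={result['rrf']:.0f} "
              f"SIL {result['achieved_sil']} (meets SIL 2: {result['meets_target']}), "
              f"STR={result['str_per_year']:.2e}/yr, dominated by {result['dominant_subsystem']}")
```

With yearly proof testing the constructed SIF achieves a PFDavg of about 4.4 x 10^-3 (SIL 2), almost all of it from the single valve; stretching the valve test interval to three years pushes the function into SIL 1, which is why Section 5.1 requires the test interval to be stated and Section 6.4 d) of the procedure requires the proponent to plan the shutdowns that make the stated interval achievable.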


Appendix C – Responsibility for Engineering

Figure 1 - SIL and Engineering Design (flow diagram; only the text recoverable from the figure is reproduced here)

Engineering phases across the figure: Conceptual Design (DBSP), Project Proposal, Detailed Design.

SIL assignment stages shown against those phases, each performed by PMT per the applicable SAES and reviewed by P&CSD:
- Stage one: PHA, Hazard Identification; SIL Assignment, Qualitative Consequence.
- Stage two: SIL Assignment, Semi-Quantitative Risk Graph.
- Stage three (SIL 3 only): SIL Assignment, Quantitative.

Subsequent activities:
- SIS Design (SIL 1, 2 and 3): by PMT; review by P&CSD/LPD.
- SIS Verification (SIL 1, 2 and 3): by PMT; review by P&CSD/LPD.
- Installation, Validation, Testing and Commissioning: the figure lists OPS/AALPD, OME and P&CSD/LPD against these activities.


Appendix D – SIF Specification Sheet

This section shall provide a completed SIF specification summarizing the SIL Assignment, SIL Verification, Spurious Trip Rate, SIF architecture, level of redundancy and suitability of components and sub-systems.

SIF SPECIFICATION SHEET

PEFS Number:                        Is it a Pre-Alarm?
Initiator Tag:
Logic Solver Tag:
Final Element Tag:

FAILURE ON DEMAND
Design Intent:
Demand Scenarios:          Case A:               Case B:
Consequence of Failure:    Case A:               Case B:
Demand Rate: D:            Process Safety Time:
Health and Safety Consequence: S:
Exposure:
Possibility to Avert Hazard:
Loss Consequence: L:
Environmental Consequence: E:
Overall SIL:

CONSEQUENCE OF SPURIOUS TRIP
Cost: C:
Initiator:                 Rate:
Final Element:             Rate:


Appendix E – SIL Assignment Worksheet

Team:               Department:         Date Prepared:
Division:                               Date Issued:
Facility/Project:
Process Equipment:  Reviewed by:        Approved by:

Worksheet columns:

SIF | Scenario | Risk (yr^-1) | Risk Target (yr^-1) | IPLs (Description) | IPLs RR | PFD Required | SIL

RR: Risk Reduction


Appendix F – Risk Graph Tables and Worksheet

The application of the Risk Graph Methodology requires the evaluation of the following factors:

Consequences (C)

The consequence criteria shall be taken in accordance with Table 3-1.

Occupancy (F)

This parameter should be estimated based on Table 3-2. It is calculated by determining the proportion of a normal working period during which the area exposed to the hazard is occupied. If the time in the hazardous area differs between shifts, the maximum should be selected. It is only appropriate to use FA where it can be shown that the demand rate is random and not related to times when occupancy could be higher than normal; demands that occur at equipment start-up or during the investigation of abnormalities are usually related to occupancy in exactly this way. In any case, the factor should be selected for the most exposed person rather than the average across all people. Note that the concept of occupancy applies to personnel only: for environmental and asset damage, which have no mobility, only FB is used when applying the risk graph.

Possibility of Avoiding the Hazard (P)

This parameter should be estimated based on Table 3-3. It represents a measure of the possibility of preventing the hazard. The parameter PA should only be used in cases where the hazard can be prevented by the operator taking action.

Frequency of unwanted event (W)

The analysis of this aspect should follow Table 3-4. It is important to note that the frequency of the unwanted event (also called the demand rate) shall be assessed as the number of times per year that the hazardous situation would occur without the addition of any safety instrumented system (E/E/PE or other technology), but including any external risk reduction facilities (drain system, firewall, dike, etc.).


Table 3-1 – Consequence Criteria (C)

CA
  People: Employee injury or damage to health.
  Environment: Minor and inside the fence.
  Assets: Minor damage. Cost less than $1 million.

CB
  People: Employee fatality.
  Environment: Localized effect affecting neighborhood.
  Assets: Partial shutdown. Cost up to $100 million.

CC
  People: Employee multiple fatalities and some impact on third parties.
  Environment: Severe damage to environment, to be extensively restored by SA.
  Assets: Partial operation loss. Costs up to $500 million.

CD
  People: Employees and third parties multiple fatalities.
  Environment: Contamination over a large public area. Major economic loss to SA.
  Assets: Significant or total loss of facility. Costs above $500 million.

Table 3-2 – Occupancy Factor (F)

FA  Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%.
FB  Frequent to permanent exposure in the hazardous zone.

Table 3-3 – Probability of Avoiding the Hazardous Event (P)

PA  Adopted only if all of the following conditions are satisfied:
    o Facilities are provided to alert the operator that the SIS has failed.
    o Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area.
    o The time between the operator being alerted and a hazardous event occurring exceeds 1 hour, or is definitely sufficient for the necessary actions.

PB  Adopted if the conditions for PA are not all satisfied.


Table 3-4 – Frequency of Unwanted Event (W)

Risk Parameter   Frequency (yr^-1)          Description
W1               < 1 x 10^-6                Very Low. Never heard of in industry.
W2               1 x 10^-6 to 1 x 10^-3     Medium. Incident has occurred in SA.
W3               > 1 x 10^-3                High. Happens several times per year in SA.

Figure No. 2 – Risk Graph (the graph itself is not reproduced here; its legend and structure follow)

Risk parameters:
C = Consequence risk parameter (CA, CB, CC, CD)
F = Frequency and exposure time risk parameter (FA, FB)
P = Possibility of failing to avoid hazard risk parameter (PA, PB)
W = Probability of the unwanted occurrence (W1, W2, W3)

Reading the graph: from the starting point for risk reduction estimation, branch on C, then F, then P to reach one of the rows X1 to X6; read that row against the W1, W2, W3 columns to obtain the outcome.

Outcomes:
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level

Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph).


Figure 3 – Risk Graph SIL Summary

Team:               Department:         Date Prepared:
Division:                               Date Issued:
Facility/Project:
Process Equipment:  Reviewed by:        Approved by:

Worksheet columns:

SIF | Scenario | Factors (C, F, P, W) | SIL w/o IPLs | IPLs (Description) | IPLs RR | SIL

RR: Risk Reduction.


Appendix G – Risk Matrix Table

Saudi Aramco Risk Matrix for Safety Integrity Level (SIL) Assignment

Likelihood categories (without IPLs, but including the Control System), decreasing likelihood from 1 to 5:

1 Very High (> 10^-2 yr^-1): Scenario can be expected to occur several times per year in the facility.
2 High (10^-2 to 10^-3 yr^-1): Scenario can be expected to occur several times per year in SA.
3 Medium (10^-3 to 10^-4 yr^-1): Scenario has occurred in SA.
4 Low (10^-4 to 10^-6 yr^-1): Some scenarios have occurred in the industry.
5 Very Low (< 10^-6 yr^-1): Very rare or never heard of in industry.

Consequence categories and descriptions (without IPLs, but including the Control System), decreasing consequence from 1 to 5:

1 Very High
  People: Multiple fatalities.
  Environment: Contamination over a large public area.
  Assets: Significant or total loss of facility. Cost above $500 million.
  Reputation: International public and media attention.

2 High
  People: Employee fatalities and minor impact on third parties.
  Environment: Severe damage to environment, to be restored by SA.
  Assets: Partial operation loss. Costs up to $500 million.
  Reputation: National impact. Public and media concern.

3 Medium
  People: Lost time injury or limited health effects.
  Environment: Localized effect affecting neighborhood.
  Assets: Partial shutdown. Cost up to $100 million.
  Reputation: Regional public and some media concern.

4 Low
  People: Minor injury or damage to health.
  Environment: Minor and inside the fence.
  Assets: Minor damage. Costs up to $25 million.
  Reputation: Some public and media awareness but no concern.

5 Insignificant
  People: No injury or damage to health.
  Environment: No impact.
  Assets: Operational upset. Cost less than $100,000.
  Reputation: No public awareness.

Matrix (rows: likelihood category; columns: consequence category):

                     5 Insignificant   4 Low   3 Medium   2 High   1 Very High
1 Very High                2             2        3        EHRS       EHRS
2 High                     1             2        3         3        EHRS
3 Medium                   0             1        2         3         3
4 Low                      0             0        1         2         2
5 Very Low                 0             0        0         1         1

Legend:
o EHRS: Extremely High Risk Scenario. Redesign of the process system required.
o 3: A SIL 3 SIF is required.
o 2: A SIL 2 SIF is required.
o 1: A SIL 1 SIF is required.
o 0: No SIF required.

About this matrix:
o The risk ranking is given by the risk to people and environment, with no direct relationship to risks to assets.
o This matrix is endorsed for use across SA.
o Should any part of this matrix be changed or modified, adapted or customized, it is only to be used for SIL determination and by competent personnel.

Notes:
o Facility loss includes capital loss, business interruption, production deferment, legal liability and emergency response costs.
o In applying this matrix it is important to bear in mind that it is strongly recommended, as far as possible, to design the process for a lower SIL (below SIL 2) and also to provide non-SIS protection layers.
o The consequence scenarios referred to in this matrix are those fully developed, e.g. VCE, fire, toxic vapor cloud, etc.

ABBREVIATIONS:
o SIL: Safety Integrity Level
o SIS: Safety Instrumented System
o SIF: Safety Instrumented Function
o IPL: Independent Protection Layer
o VCE: Vapor Cloud Explosion
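The matrix above encoded as data, as an added example that is not part of SAEP-250. It picks the likelihood row from a scenario frequency, takes the consequence column as the worse of the people and environment ratings (the note above says the ranking is set by risk to people and environment, not assets), and reports an EHRS cell as "redesign required" rather than as a SIL. The document does not say how IPL credit moves a scenario between rows; the assumption made here, flagged in the code, is that the credited frequency (scenario frequency divided by the product of the IPL risk reduction factors) is re-banded, which is how the "SIL w/o IPLs", "IPLs RR" and "SIL" columns of Figure 3 read. The scenario values are constructed.

```python
# Added example, not part of SAEP-250: the Appendix G risk matrix encoded as data,
# with the likelihood row chosen from a scenario frequency and the consequence
# column taken as the worse of the people and environment ratings (the matrix note
# says the ranking is set by risk to people and environment, not assets). An EHRS
# cell is reported as "redesign required" instead of a SIL. How IPL credit moves a
# scenario between rows is not spelled out in the document; the ASSUMPTION here is
# that the credited frequency (scenario frequency divided by the product of the IPL
# risk reduction factors) is re-banded. Scenario values are constructed.

# Likelihood categories 1 (Very High) .. 5 (Very Low) with the lower bound of each
# band in per-year, as given in Appendix G.
LIKELIHOOD_BANDS = [(1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-6), (5, 0.0)]

# Consequence categories 1 (Very High) .. 5 (Insignificant).
CONSEQUENCE_NAMES = {1: "Very High", 2: "High", 3: "Medium", 4: "Low", 5: "Insignificant"}

EHRS = "EHRS"  # Extremely High Risk Scenario: redesign of the process system required

# MATRIX[likelihood][consequence] -> required SIL (0 = no SIF) or EHRS.
MATRIX = {
    1: {5: 2, 4: 2, 3: 3, 2: EHRS, 1: EHRS},
    2: {5: 1, 4: 2, 3: 3, 2: 3, 1: EHRS},
    3: {5: 0, 4: 1, 3: 2, 2: 3, 1: 3},
    4: {5: 0, 4: 0, 3: 1, 2: 2, 1: 2},
    5: {5: 0, 4: 0, 3: 0, 2: 1, 1: 1},
}

MIN_IPL_RR = 10  # Appendix I: an IPL must reduce risk by at least a factor of 10


def likelihood_category(freq_per_year: float) -> int:
    """Row 1..5 for a scenario frequency (without IPLs, but including the control system)."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for cat, lower in LIKELIHOOD_BANDS:
        if freq_per_year > lower:  # a frequency exactly on a boundary falls in the lower band
            return cat
    return 5


def consequence_category(people: int, environment: int) -> int:
    """Column: the more severe (lower-numbered) of the people and environment ratings."""
    for rating in (people, environment):
        if rating not in CONSEQUENCE_NAMES:
            raise ValueError(f"consequence category must be 1..5, got {rating}")
    return min(people, environment)


def assign_sil(freq_per_year: float, people: int, environment: int, ipl_rrfs=()) -> dict:
    """Matrix result for one scenario, before and after crediting the listed IPLs."""
    for rrf in ipl_rrfs:
        if rrf < MIN_IPL_RR:
            raise ValueError(f"risk reduction {rrf} is below the IPL minimum of {MIN_IPL_RR}")
    column = consequence_category(people, environment)
    row_raw = likelihood_category(freq_per_year)
    credited = freq_per_year
    for rrf in ipl_rrfs:          # assumed IPL credit: divide the frequency, then re-band
        credited /= rrf
    row = likelihood_category(credited)
    cell = MATRIX[row][column]
    return {
        "consequence": CONSEQUENCE_NAMES[column],
        "likelihood_without_ipls": row_raw,
        "sil_without_ipls": MATRIX[row_raw][column],
        "likelihood_with_ipls": row,
        "result": cell,
        "redesign_required": cell == EHRS,
    }


if __name__ == "__main__":
    # Constructed scenario: overpressure expected about once in 20 years (5e-2/yr),
    # people consequence High (2), environment Medium (3), one relief valve credited
    # as an IPL with a risk reduction factor of 100.
    print(assign_sil(5e-2, people=2, environment=3))
    print(assign_sil(5e-2, people=2, environment=3, ipl_rrfs=(100,)))
```

For the constructed scenario the uncredited result is EHRS, i.e. the process must be redesigned before a SIF is even considered; crediting a relief valve with a risk reduction factor of 100 moves the scenario two rows down the matrix and leaves a SIL 3 requirement, which is the ordering the notes above ask for (non-SIS layers first, then the SIF).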


Appendix H – Quantitative Risk Criteria

Risk Target Frequency (yr^-1)   Consequence Description

1 x 10^-6
  People: Employees and third parties multiple fatalities.
  Environment: Contamination over a large public area. Major economic loss to SA.
  Assets: Significant or total loss of facility. Costs above $500 million.

1 x 10^-5
  People: Employee multiple fatalities and some impact on third parties.
  Environment: Severe damage to environment, to be extensively restored by SA.
  Assets: Partial operation loss. Costs up to $500 million.

1 x 10^-4
  People: Employee fatality.
  Environment: Localized effect affecting neighborhood.
  Assets: Partial shutdown. Cost up to $100 million.

1 x 10^-3
  People: Employee injury or damage to health.
  Environment: Minor and inside the fence.
  Assets: Minor damage. Cost less than $1 million.


Appendix I – General Notes

Introduction

Applying a risk based approach to safety functions using SIL validates that the design of safety systems in Saudi Aramco is adequate to protect personnel, environment and assets against potentially hazardous situations. In addition, the risk based approach provides additional understanding of the process and opportunities to reduce capital and maintenance costs, as well as avoidance of false trips.

The starting point for risk based SIL assignment is to establish risk tolerability criteria, so that the necessary risk reduction for each safety function can be quantitatively or qualitatively ascertained. In some cases other protective layers exist that may be taken as credit when assessing the required safety integrity level.

In order to meet the requirements of international standards it is required to:

● Identify safety functions.

● Determine the SIL for each function.

● Develop safety requirement specifications.

● Use a life cycle approach for SIS design.

● Verify the integrity of the SIS design.

● Demonstrate that the integrity of the SIS can be maintained.

● Document the process.

The SIL Concept

The SIL concept as applied by Saudi Aramco requires identifying process equipment with safety implications and establishing the risk reduction needed by each safety function that the equipment requires in order to operate safely. Process equipment with safety implications are those process systems that can pose one or more hazards (explosion, toxic release, leak, etc.). The risk reduction needed is the gap between the existing risk posed by the equipment and the risk target. This gap is to be covered firstly by inherently safer design and mechanical integrity, and secondly by independent protection layers (IPL). When all of the above measures by themselves are not sufficient to cover the risk reduction needed, a safety instrumented system (SIS) with the required technical specification and architecture will be specified.


The Safety Life Cycle

The safety life cycle is another fundamental concept established by the international standards. It represents the application of good engineering practice to SISs, and is depicted in Figure 1 in Appendix C. Good engineering practice rests on three fundamental aspects:

i) Design by Layers of Protection. Risk reduction is normally accomplished using more than one protective system and more than one type of technology. Some of these protective systems reduce the frequency of the hazardous scenario, whereas others reduce the consequences. As a result, the total risk reduction factor is obtained from the combination of the risk reduction factors of each individual protective system.

ii) Design verification. The SIL required for each section of the safety system is calculated, and each design must then meet or exceed that requirement. This provides a control and verification process that ensures the design is fitted to the need: SIS over-design can be easily and clearly identified and consequently changed, and SIS designs that do not fully cover the risk reduction needed can be identified as well and improved to meet the risk target.

iii) Inspection, testing and maintenance planning, which addresses, among other things, testing intervals and testing schedules. Furthermore, operation, maintenance and decommissioning are all part of the safety life cycle.

Independent Protection Layers

Only those protection systems that meet the following criteria shall be classified as independent protection layers, and therefore be credited in Saudi Aramco SIL studies. These criteria are:

i) The protection provided reduces the identified risk by a large amount, that is, by a factor of at least 10 (a probability of failure on demand of no more than 10^-1).

ii) Specificity: an IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event, and therefore multiple event scenarios may initiate action of one IPL.

iii) Independence: an IPL is independent of the other protection layers associated with the identified danger.

iv) Dependability: it can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.