
-PUBLIC-

N-2595

REV. C

ENGLISH

12 / 2010

Criteria for Design, Operation and Maintenance of Safety Instrumented Systems in Industrial Units
Procedure
This Standard replaces and cancels its previous revision.
The CONTEC - Authoring Subcommittee provides guidance on the
interpretation of this Standard when questions arise regarding its contents. The
Department of PETROBRAS that uses this Standard is responsible for adopting
and applying the sections, subsections and enumerates thereof.

CONTEC
Comissão de Normalização Técnica

Technical Requirement: A provision established as the most adequate and which shall be used
strictly in accordance with this Standard. If a decision is taken not to follow the requirement
(non-conformity to this Standard) it shall be based on well-founded economic and management
reasons, and be approved and registered by the Department of PETROBRAS that uses this Standard.
It is characterized by imperative nature.
Recommended Practice: A provision that may be adopted under the conditions
of this Standard, but which admits (and draws attention to) the possibility of
there being a more adequate alternative (not written in this Standard) to the
particular application. The alternative adopted shall be approved and registered
by the Department of PETROBRAS that uses this Standard. It is characterized
by verbs of a nonmandatory nature. It is indicated by the expression:
[Recommended Practice].

SC - 10
Instrumentation and
Industrial Automation

Copies of the registered non-conformities to this Standard that may contribute to the
improvement thereof shall be submitted to the CONTEC - Authoring Subcommittee.
Proposed revisions to this Standard shall be submitted to the CONTEC Authoring Subcommittee, indicating the alphanumeric identification and revision
of the Standard, the section, subsection and enumerate to be revised, the
proposed text, and technical/economic justification for revision. The proposals
are evaluated during the work for alteration of this Standard.
The present Standard is the exclusive property of PETRÓLEO
BRASILEIRO S.A. - PETROBRAS, for internal use in the Company, and any
reproduction for external use or disclosure, without previous and express
authorization from the owner, will imply an unlawful act pursuant to the
relevant legislation through which the applicable responsibilities shall be
imputed. External circulation shall be regulated by a specific clause of
Secrecy and Confidentiality pursuant to the terms of intellectual and
industrial property law.

Introduction
PETROBRAS Technical Standards are prepared by Working Groups - WG
(consisting of specialized Technical Collaborators from the Company and its Subsidiaries), are
commented by Company Units and its Subsidiaries, are approved by the Authoring Subcommittees - SCs (consisting of technicians from the same specialty, representing the various Company Units and
its Subsidiaries), and ratified by the Executive Nucleus (consisting of representatives of the Company
Units and its Subsidiaries). A PETROBRAS Technical Standard is subject to revision at any time by its
Authoring Subcommittee and shall be reviewed every 5 years to be revalidated, revised or cancelled.
PETROBRAS Technical Standards are prepared in accordance with PETROBRAS Technical
Standard N-1. For complete information about PETROBRAS Technical Standards see PETROBRAS
Technical Standards Catalog.

PROPERTY OF PETROBRAS

70 pages, Index of Revisions and WG


Summary

Foreword.................................................................................................................................................. 6
1 Scope................................................................................................................................................... 6
2 Normative References......................................................................................................................... 6
3 Terms and Definitions.......................................................................................................................... 7
4 Symbols and Abbreviations ............................................................................................................... 15
5 Evaluation of SISs Need and Basic Designs Structuring ................................................................ 16
5.1 Hazard Analysis ................................................................................................................... 16
5.2 Protection Layers ................................................................................................................. 17
5.3 Safety Life Cycle .................................................................................................................. 18
5.4 SISs Basic Design Structuring ............................................................................................ 19
6 SISs Basic Design - SIFs Assessments ........................................................................................... 20
6.1 General Considerations ....................................................................................................... 20
6.2 SIFs Assessment Teams Composition ............................................................................... 21
6.3 Preparation for SIFs Assessment ........................................................................................ 22
6.4 Assessment of the Safety Integrity Level required for a SIF................................................ 22
7 SIS Basic Design - Implementation Requirements ........................................................................... 24
7.1 Segregation between SIS and BPCS................................................................................... 24
7.3 Segregation between Redundant Channels of a SIF........................................................... 25
7.4 Power Supply ....................................................................................................................... 25
7.6 Sensors ................................................................................................................................ 26
7.7 Final Elements...................................................................................................................... 27
7.9 Manual Trip Command......................................................................................................... 30
7.11 SIF By-Pass ....................................................................................................................... 31
7.12 Operation Interface ............................................................................................................ 32
7.14 Communication Interface with the BPCS........................................................................... 33
8 SIS Basic Design - Verification of the SIL and the MTTFS required for Each SIF............................ 34
9 SIS Detailing Design.......................................................................................................................... 35
9.1 General Requirements ......................................................................................................... 35


9.2 Documentation ..................................................................................................................... 35


10 Factory Acceptance Test and Preservation .................................................................................... 36
10.1 Factory Acceptance Test - FAT ......................................................................................... 36
10.2 Prerequisites for FAT Implementation................................................................................ 37
10.3 FAT Execution.................................................................................................................... 37
10.4 Preservation ....................................................................................................................... 38
11 Installation and Precommissioning for SIS Operation Start ............................................................ 39
11.1 Installation .......................................................................................................................... 39
11.2 Precommissioning .............................................................................................................. 39
12 SIS Pre Operation and Final Acceptance........................................................................................ 40
12.1 Pre Operation ..................................................................................................................... 40
12.2 SIS Final Acceptance ......................................................................................................... 41
13 Operation, Maintenance, Periodic tests and Modifications ............................................................. 41
13.1 Operation............................................................................................................................ 41
13.2 Maintenance....................................................................................................................... 42
13.3 Periodic tests...................................................................................................................... 43
13.4 Modifications ...................................................................................................................... 45
Annex A - Determination of the Required Safety Integrity Level Using the Risk Graphs Method ........ 47
A.1 Introduction ..................................................................................................................................... 47
A.2 Risk Graphic Summary .................................................................................................................. 47
A.3 Documentation Related to the Results of Safety Integrity Level Determination (SIL) ...................... 48
A.4 Usage of Risk Graph Relative to People Safety ............................................................................ 49
A.5 Risk Graphic Usage for Environmental Consequences................................................................. 51
A.6 Risk Graph Usage for Material Consequences ............................................................................. 53
A.7 Determination of Integrity Level of the Safety Instrumented Function when its Failure Leads to
More than One Type of Consequence .................................................................................................. 54
Annex B - Layers of Protection Analysis (LOPA) ................................................................................. 55
B.1 Introduction .................................................................................................................................... 55
B.2 Procedure....................................................................................................................................... 55
B.2.1 Scenario Selection for Analysis ........................................................................................ 57
B.2.2 Severity Classification....................................................................................................... 57

B.2.3 Tolerable Frequency (FTOL)............................................................................................... 57


B.2.4 Initiating Cause Frequency ............................................................................................... 57
B.2.5 Enabling Event (EE) ......................................................................................................... 59
B.2.6 Modification Factors (MF) ................................................................................................. 60
B.2.6.1 Ignition Probability .................................................................................................... 60
B.2.6.2 Presence of People .................................................................................................. 61
B.2.7 Independent Protection Layers (IPL) ................................................................................ 61
B.2.7.1 General Conditions ................................................................................................... 64
B.2.7.2 Overflow Line............................................................................................................ 65
B.2.7.3 Fireproof Insulation ................................................................................................... 65
B.2.7.4 BPCS Control loop.................................................................................................... 65
B.2.7.5 Operator response to Alarms ................................................................................... 66
B.2.7.6 Mechanical Relief Device / Pressure Safety Valve .................................................. 66
B.2.7.7 Retention Valve ........................................................................................................ 67
B.2.7.8 Self-Regulating Valve ............................................................................................... 67
B.2.7.9 Car-Sealed or Locked Valves ....................................................................................... 67
B.2.7.10 Active Protection against Fire................................................................................. 67
B.2.7.11 Mitigating IPLs ........................................................................................................ 68
B.3 Analysis Conclusion ....................................................................................................................... 68
B.3.1 Scenario Residual Risk Without Considering SIF ............................................................ 68
B.3.2 Determination of SIL Required to the SIF......................................................................... 69
B.3.3 Documentation.................................................................................................................. 69
B.4 Result Management ....................................................................................................................... 70
B.4.1 Auditing ............................................................................................................................. 70
B.4.2 Revalidation ...................................................................................................................... 70

Figures

Figure A.1 - Risk Graph Relative to People Safety ............................................................................... 49


Figure A.2 - Risk Graph Related to Environmental Safety.................................................................... 52


Figure A.3 - Risk Graph for Material Consequences ............................................................................ 53


Figure B.1 - LOPA Procedure Flowchart............................................................................................... 56
Figure B.2 - Mitigating Protection Layer ................................................................................................ 68

Tables
Table 1 - SIL Scale for Demand Mode .................................................................................................. 22
Table 2 - Criteria for Determination of the Acceptable MTTFS ............................................................. 24
Table A.1 - Description of the Parameters of the Process Industry Risk Graph ................................... 48
Table A.2 - Descriptions of the Parameters Used in Figure A.1 ........................................................... 50
Table A.3 - General Environment Consequences................................................................................. 52
Table A.4 - Material Consequences Classes ........................................................................................ 53
Table B.1 - Tolerable Frequency (FTOL)................................................................................................. 57
Table B.2 - Frequencies of Initiating Causes ........................................................................................ 58
Table B.3 - Ignition Probability Modification factors by Ignition Sources Quantity ................................ 61
Table B.4 - Ignition Probability Modification Factors by Flammable Material Type .............................. 61
Table B.5 - Modification Factors by Presence of People ...................................................................... 61
Table B.6 - Safeguards Usually not Considered IPL............................................................................. 62
Table B.7 - Passive IPL and their Typical PFDavg ................................................................................. 63
Table B.8 - Active IPL and their Typical PFDavg .................................................................................... 64


Foreword
This Standard is the English version (issued in 11/2012) of PETROBRAS N-2595 REV. C 12/2010,
including its Amendment - 07/2012 and Erratum - 01/2011. In case of doubt, the Portuguese version,
which is the valid document for all intents and purposes, shall be used.

1 Scope
1.1 This Standard aims to provide guidelines and establish the minimum conditions required for
design, operation and maintenance of the Safety Instrumented Systems - SIS on PETROBRAS
onshore facilities.
1.2 This Standard contains Technical Requirements and Recommended Practices and establishes
the conditions required for designs starting after the date of its issue.
1.3 Fire and gas detection systems are not considered in this Standard.
1.4 Any function with exclusive manual actuation does not fit in the Safety Instrumented Systems. For
example: inventories isolation and depressurization.

2 Normative References
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document applies.
PETROBRAS N-329 - Bateria de Acumuladores;
PETROBRAS N-332 - Retificador para Uso Industrial;
PETROBRAS N-858 - Construção, Montagem e Condicionamento de Instrumentação;
PETROBRAS N-1219 - Cores;
PETROBRAS N-1756 - Projeto e Aplicação de Proteção Contra Fogo em Instalações
Terrestres;
PETROBRAS N-1883 - Apresentação de Projetos de Instrumentação / Automação;
PETROBRAS N-2782 - Técnicas Aplicáveis à Análise de Riscos Industriais;
ABNT NBR 12712 - Projeto de Sistemas de Transmissão e Distribuição de Gás
Combustível;
ISA TR 84.00.02 Part 2:2002 - Safety Instrumented Functions (SIF) - Safety Integrity Level
(SIL) Evaluation Techniques Part 2: Determining the SIL of a SIF via Simplified Equations;
ISA TR 84.00.03 - Guidance for Testing of Process Sector Safety Instrumented Functions
(SIF) Implemented as or Within Safety Instrumented System (SIS);
ISA TR 84.00.04 Part 1 - Guideline for the Implementation of ANSI/ISA-84.00.01-2004
(IEC 61511);
ISA 91.00.01 - Identification of Emergency Shutdown Systems and Controls that are Critical
to Maintaining Safety in Process Industries;
ISA TR 96.05.01 - Partial Stroke Testing of Automated Block Valves;

API RP 554 - Process Instrumentation and Control - First Edition 1995;
API STD 670 - Machinery Protection Systems;
IEC 61131-3 - Programmable Controllers, Part 3: Programming Languages;
IEC 61508-1 - Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-Related Systems - Part 1: General Requirements;
IEC 61508-2 - Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-Related Systems - Part 2: Requirements for Electrical/Electronic/Programmable
Electronic Safety-Related Systems;
IEC 61508-3 - Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-Related Systems - Part 3: Software Requirements;
IEC 61508-4 - Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-Related Systems - Part 4: Definitions and Abbreviations;
IEC 61511-1:2003 - Functional Safety - Safety Instrumented Systems for the Process
Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software
Requirements;
IEC 61511-3 - Functional Safety - Safety Instrumented Systems for the Process Industry
Sector - Part 3: Guidance for the Determination of the Required Safety Integrity Levels;
IEC 62337 - Commissioning of Electrical, Instrumentation and Control Systems in the
Process Industry - Specific Phases and Milestones;
IEC 62381 - Automation Systems in the Process Industry - Factory Acceptance Test (FAT),
Site Acceptance Test (SAT) and Site Integration Test (SIT);
NFPA 72 - National Fire Alarm and Signaling Code.
NOTE For documents referred to in this Standard for which only the Portuguese version is
available, the PETROBRAS department that uses this Standard should be consulted for any
information required for the specific application.

3 Terms and Definitions


For the purposes of this document, the following terms and definitions apply.

3.1
Layers of Protection Analysis - LOPA
semi-quantitative technique for assessing the reduction of process risk achieved by the use of
protection layers.

3.2
Process Hazard Analysis - PHA
systematized and organized effort using one or more techniques listed in
PETROBRAS N-2782 (APR, HAZOP, etc.) to identify and evaluate the relevance of potential hazards
associated with the processing or handling of hazardous products, focusing on equipment,
instrumentation, utilities, human actions and external conditions that may affect the process.

3.3
protection layer
resource specifically adopted, designed or developed to reduce the risk associated with one or more
scenarios.

NOTE 1 The adopted resource may be a process engineering technique such as sizing of vessel
containing hazardous product, a piece of mechanical equipment such as a safety valve, a
Safety Instrumented Function or even an administrative procedure such as an emergency
plan for situations of imminent danger.
NOTE 2 A protection layer may be preventive when it aims to reduce the expected frequency of
occurrence of a hazardous event, or it may be mitigating, when it aims to reduce the severity
of a harm associated with the hazardous event.
NOTE 3 A protection layer may be passive (when it does not need to execute an action to fulfill its
function of protection) or active (when it needs to change from a particular state to another in
response to a change in the measurable process property in question). In the second case,
its action may be initiated automatically or by human action.

3.4
Independent Protection Layer - IPL
a protection layer that performs its preventive or mitigating function autonomously, independently of
the initiating cause and of the action of any other protection layer associated with the scenario.
3.5
initiating cause
an equipment failure, an inappropriate human action or an external event that sets off a scenario.

3.6
scenario
event or sequence of events resulting from an initiating cause that culminates in a hazardous
consequence.

3.7
SIS safety life cycle
set of activities involved in the implementation of SIFs during the time interval that begins in the
conceptual design phase and ends when the referred SIFs are disabled.

3.8
Enabling Event - EE
action or state that does not cause the scenario, but needs to exist to allow the initiating cause to lead
to the unintended consequence considered.

3.9
consequence
undesired effect of an accidental scenario
NOTE 1 An example of consequence is the loss of containment leading to product release with fire
risk.
NOTE 2 Consequence severity is a qualitative or quantitative measure of the impact of a
consequence to safety of people, environment and company's property. This concept can be
exemplified by the possibility of death due to fire.

3.10
Programmable Electronics - PE
programmable controller designed and developed specifically to act as the SIS logic solver.
NOTE The CP safety denomination replaces the former term PES that was used by Petrobras, in
order to eliminate conflict with IEC 61508-4 and IEC 61511-1, in which the term PES
designates the entire set of devices (sensors + logic solver + final elements) of the SIS.


3.11
harm
impact, achieved consequence or the final outcome of a hazardous event on human beings,
environment and/or property, expressed in terms of fatalities, environmental damages, destruction of
property, production loss, etc.
NOTE 1 Environmental impacts may include expenses on facilities cleaning and environmental
decontamination, fines from supervision bodies, civil and labor reparation, difficulties in
obtaining new licenses, harm to the company's image, etc.
NOTE 2 Property is understood as equipment, facilities, products, and processes.

3.12
fault
abnormal condition that may cause reduction or loss of the ability of a device to perform its function
3.13
demand
hazardous condition or event that requires the action of a SIF
3.14
device
equipment capable of performing a specific function
3.15
final element
a device, part of the SIS, that implements the physical action required to achieve a safe state
NOTE The most usual examples are:
a) valve, including actuator and solenoid;
b) control circuit and interposing relay for electric motor.

3.16
Safety Requirements Specification - SRS
documentation containing all the requirements that each SIF shall present when implemented in the
SIS
3.17
safe state
state of a process or equipment whose risk is within the limits established as tolerable
3.18
Hazards and Operability Study - HAZOP
inductive and structured technique to identify process hazards and potential operational problems,
associating, in a systematic way, a set of keywords with the process variables; for each identified
deviation, its causes, consequences, detection modes and existing safeguards are listed, and
additional measures are recommended when necessary

3.19
logic solver
a device, part of the SIS, that receives signals from the sensors, processes programmed functions and
sends commands to the final elements


3.20
failure
an event characterized by the cessation of a device's ability to perform its function
NOTE All disabilities caused by planned actions, such as preventive maintenance, are excluded from
this concept.

3.21
random hardware failure
failure that occurs at an unpredictable moment as a result of a variety of degradation processes
acting on the internal components of a device
NOTE 1 Due to manufacturing tolerances, such degradation processes have different dynamics on
distinct components, giving a random character to the failure instant.
NOTE 2 Due to its nature, the random hardware failure can be quantified in a statistic way. For
example: by observing various identical devices, operating under the same conditions, the
respective failure rate can be determined.

3.22
common cause failure
failures on more than one device, component or system as a result of the same direct cause, in a
relatively short period of time, the failures not being a consequence of one another
NOTE As examples of common causes one can mention the action of corrosive atmosphere,
electromagnetic interference, mechanical vibration, clogging of stand-pipe taps, loss of
electrical power, loss of pneumatic or hydraulic pressure, fire, explosion, lightning, improper
procedure (of manufacturing, installation, precommissioning, operation, or maintenance),
inadequate training (ditto), design fault or limitation.

3.23
failure on demand
non-actuation of a SIF when it is subjected to an actual demand

3.24
undetected failure
failure that is only noticed when a SIF is either demanded or tested

3.25
dangerous failure, unsafe failure, fail-to-function failure
failure that has potential to prevent a safety function from acting when there is an actual demand
NOTE A single dangerous failure is often insufficient to prevent a redundant safety function from
acting when required.

3.26
safe failure, spurious trip failure, nuisance trip failure, false trip failure, fail-to-safe failure
failure that presents potential to cause a safety function actuation when it is not required
NOTE A single failure is usually insufficient to effectively cause a spurious trip in a redundant safety
function.

3.27
systematic failure
failure related in a deterministic way to a certain cause
NOTE 1 Three main types of errors may lead to systematic failures:

a) design error (wrong or omissive specifications, such as: incorrect equipment sizing,
improper selection of materials);
b) equipment failure (error in the manufacturing process, improper installation, improper
maintenance or operation procedure);
c) program error (software programming or change).
NOTE 2 A systematic failure can only be eliminated through appropriate changes on its cause.
Corrective maintenance interventions without the implementation of these modifications do
not eliminate the systematic failure.
NOTE 3 Due to its nature, the causes of systematic failures cannot be easily predicted or quantified
in a statistical way.

3.28
coverage
number ranging from 0 to 1 (100 %) that indicates the fraction of undetected failures that are
discovered when a SIS device is subjected to a certain test or diagnostic

3.29
Risk Reduction Factor - RRF
performance measure of a protection layer given by the ratio between the risks with and without the
implementation of this protection layer; it can be expressed mathematically as the inverse of the
considered protection layer's PFDavg: RRF = 1/PFDavg
3.30
Modification Factor - MF
specific condition that may alter the consequence of a scenario
3.31
Initiating Cause Frequency - ICF
expected frequency of occurrence of the cause which may lead to the considered scenario

3.32
Frequency of Consequence - FC
expected frequency of occurrence of the undesired consequence, taking into account the frequency of
the initiating cause, the probability of the enabling event occurring, the average probabilities of failure
on demand of the non-SIF protection layers and the applicable modification factors.
3.33
Scenario risk tolerance criteria - FTOL
risk tolerability criterion given by the frequency above which incidents of a given severity are not
tolerated
3.34
Safety Instrumented Function - SIF
a protection function implemented in a SIS in order to achieve or maintain a safe state of a process or
equipment through a specific automatic action against a certain operational deviation
NOTE One SIL and one MTTFS are associated with each SIF.

3.35
risk graphs
technique for qualitative assessment of risk reduction that uses graphical representations of the risk
tolerability criterion

3.36
sensor
device or combination of devices that provide information to the Logic solver on the value or state of
process variables or monitored equipment that initiates the SIF action.
NOTE 1 The most common examples are:
a) transmitters, including process connections, sensors and complete wiring;
b) limit switches, including complete wiring;
c) manual trip switches and complete wiring.
NOTE 2 The term sensor as defined in this Standard is equivalent to the term "iniciador" defined in
the Portuguese version.

3.37
operator interface
means by which communication is established between the human operator and the SIS. The
operation interface is also known as Human-Machine Interface (HMI)
NOTE

As examples of operator interface one can mention: video monitors, indicator lamps, pushbuttons, sirens and alarm speakers.

3.38
Safety Integrity Level - SIL
Discrete indicator of a SIF performance, in terms of its PFDavg and its RRF, expressed on a scale of
integer numbers from 1 to 4
NOTE

The SIF design shall consider all failures (random hardware and systematic ones) that might
prevent the safe state from being reached. For hardware random failures, the SIL is related
to the quantified SIFs PFDavg. For systematic failures, it is necessary to use specific
approaches such as FMEA, FMECA, fault trees, etc.

3.39
hazard
condition or property inherent to a substance, an activity, a system or a process, with potential to harm
peoples physical integrity, the environment, property or production loss
NOTE

The term includes hazards that are presented in short time intervals (e.g., fire or explosion)
and in long periods of time (e.g., release of toxic products).

3.40
Probability of Failure on Demand - PFD
probability of a protection layer to fail to perform its specific function in response to a demand

3.41
Average Probability of Failure on Demand - PFDavg
reliability indicator of a protection layer given by the average probability, in a given time interval, of
such layer to fail when demanded
NOTE

The time interval considered for calculating the average is usually the interval between
periodic tests (usually equal to the plant or equipment campaign period).

3.42
application software
a specific program for user application; it generally contains logic sequences, permissions, limits and
expressions necessary to meet its functional requirements
3.43
embedded software
a specific program which is part of the programmable electronic system, supplied by the respective
manufacturer, essential for the operation and not accessible for modification by the user; also known
as the system's firmware or software

3.44
utility software
a set of programming tools necessary for creation, modification and documentation of the application
software; these programming tools are not necessary for the programmable electronic system's
operation

3.45
redundancy
existence of more than one way to perform the same function, usually to increase the reliability and/or
availability of a system
NOTE Redundancy can be implemented through identical devices (identical redundancy) or
different devices (diverse redundancy).

3.46
diverse redundancy
resource usually used to reduce the influence of common cause failures by using different
technologies, designs, manufacturing, programming, etc. to perform the same function
NOTE As examples of usual methods for obtaining diverse redundancy one can mention:
a) measurement of different process variables, such as pressure and temperature, in cases
where the correlation between these variables is well established and known;
b) measurement of a single process variable by means of different technologies, such as
flow measurement via vortex and Coriolis;
c) use of aerial and underground routes with different paths for redundant communication
means;
d) use of different models of controllers in a redundant architecture, programmed with
distinct methods, by technicians with different specializations.

3.47
risk
combination of either the probability or the expected frequency of occurrence of a hazardous event
with the consequence severity of this hazardous event
NOTE 1 The risk can be expressed mathematically as the product of the expected frequency of a
hazardous event's occurrence by the severity of its consequence:
Risk = frequency x severity
NOTE 2 The expected occurrence frequency is usually expressed in terms of number of events per
year;
NOTE 3 The consequence's severity is usually expressed in terms of monetary value (production
losses and/or property harm) and/or the number of fatalities.

3.48
process risk
risk inherent to the process or equipment conditions caused by abnormal events (including faults in
the BPCS), without taking into account the protection layers
NOTE 1 In the context of this standard, the process or equipment risk is the specific risk to which a
protection layer provides reduction.
NOTE 2 Process hazards include fire, explosion, toxic release, and exposure to ionizing radiation, but
they do not include hazards not related to the process, normally controlled by other means,
such as hearing protection, gloves, safety goggles, guardrails, or housekeeping, and
occupational hazards such as slips, stumbles and falls.

3.49
tolerable risk
risk defined as acceptable in a given context
NOTE In the context of this standard, the term "acceptable" refers to an agreement between
society, risk analysts and specialized agencies (e.g., HSE) in dealing with a particular risk to
obtain certain benefits, trusting that this risk is being properly controlled and, therefore, these
benefits compensate the assumed risk.

3.50
Safety Instrumented System - SIS
instrumented system used to implement one or more safety instrumented functions; a SIS is
composed of a set of sensors, logic solvers and final elements

3.51
Basic Process Control System - BPCS
system that monitors and processes input signals from the process or equipment, and responds by
generating output signals that lead them to operate as desired, through continuous regulatory controls
(PID type), discrete controls (on-off type) and sequential controls

3.52
SIF response time
time interval between the occurrence of a demand and the completion of a SIF actuation; this time
includes the time required by the sensor(s) to detect the demand condition (rise time), the signal
processing time on the Logic solver and the time for actuation of the final element(s)

3.53
SIF delay time
time delay intentionally added to the processing of a SIF's logic, short enough not to compromise the
avoidance of the harm(s) in the event of an actual demand, and necessary to avoid spurious trips caused
by normal/expected process oscillations that, although they do not represent any hazard, may reach the
SIF's actuation threshold

3.54
process safety time
time interval between the occurrence of an actual demand and the hazard
NOTE 1 It is recommended that the time required to reach the safe state be less than or equal to half
the process safety time. [Recommended Practice]
NOTE 2 The time required to reach the safe state is usually the sum of the SIF's response time plus the
SIF's delay time.

3.55
failure on demand tolerance
capacity of a SIF to perform its function when demanded, even in the presence of dangerous failure(s)
NOTE As an example of an architecture that has tolerance to failure on demand, one can mention
the 1 out of 2 voting type.
3.56
spurious trip tolerance
SIF's capacity of not causing a spurious trip, even in the presence of safe failure(s)
NOTE 1 As an example of an architecture that has tolerance to spurious trip, the 2 out of 2 voting
architecture can be cited.
NOTE 2 The 2 out of 3 voting architecture is generally used in SIS devices when it is desired to
achieve simultaneously failure on demand tolerance and spurious trip tolerance.
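The two kinds of tolerance defined in 3.55 and 3.56 can be checked mechanically for any M out of N (MooN) voting architecture. The following Python script is an added example, not part of N-2595: it models each channel as voting "trip" or "no trip", injects dangerous failures (a channel that never votes to trip) and safe failures (a channel that always votes to trip), and counts how many simultaneous failures of each kind the architecture survives. Channel states and the architectures compared are constructed for illustration.

```python
# Added example (not part of N-2595): MooN voting logic and the two kinds of
# fault tolerance defined in 3.55 (failure on demand) and 3.56 (spurious trip).
# Channel states and failure modes below are constructed for illustration.


def moon_trips(m: int, n: int, votes: list) -> bool:
    """An M out of N (MooN) architecture trips when at least M of its N channels vote to trip."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid architecture {m}oo{n}")
    if len(votes) != n:
        raise ValueError(f"expected {n} channel votes, got {len(votes)}")
    return sum(1 for v in votes if v) >= m


def trips_on_demand_with_dangerous_failures(m: int, n: int, failed: int) -> bool:
    """3.55: with `failed` channels in a dangerous failure (they never vote to trip),
    do the remaining healthy channels, which all see the real demand, still trip the SIF?"""
    votes = [False] * failed + [True] * (n - failed)
    return moon_trips(m, n, votes)


def stays_running_with_safe_failures(m: int, n: int, failed: int) -> bool:
    """3.56: with `failed` channels in a safe failure (they always vote to trip) and no
    demand present, does the SIF avoid a spurious trip?"""
    votes = [True] * failed + [False] * (n - failed)
    return not moon_trips(m, n, votes)


def fault_tolerance(m: int, n: int) -> dict:
    """Largest number of simultaneous dangerous / safe channel failures the MooN
    architecture tolerates, found by exhaustive trial (0 means no tolerance)."""
    dangerous = max(k for k in range(n) if trips_on_demand_with_dangerous_failures(m, n, k))
    safe = max(k for k in range(n) if stays_running_with_safe_failures(m, n, k))
    return {
        "architecture": f"{m}oo{n}",
        "failure_on_demand_tolerance": dangerous,   # 3.55: tolerated dangerous failures
        "spurious_trip_tolerance": safe,            # 3.56: tolerated safe failures
    }


if __name__ == "__main__":
    # 1oo2 tolerates a dangerous failure, 2oo2 tolerates a safe failure,
    # 2oo3 tolerates one of each (NOTE 2 of 3.56).
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        print(fault_tolerance(m, n))
```

The exhaustive trial confirms the closed form a practitioner usually applies: a MooN architecture tolerates N - M dangerous failures and M - 1 safe failures, which is why 2oo3 is the usual choice when both tolerances are wanted at once.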

3.57
trip
SIF's final element(s) actuation, either by actual demand, by manual forcing, or by a SIF failure
(spurious trip)

3.58
spurious trip
trip that occurs without either an actual demand or an intentional forcing (manual trip) of this condition; it
usually occurs due to a failure of one or more SIF devices.
NOTE Not every spurious trip may be categorized as a safe failure, since total or partial spurious
actuation of some SIFs may be an initiating cause of risk scenarios.

3.59
validation
activity for demonstrating that the installed SIS effectively meets its SIFs' specifications, including all
aspects of their functionalities and performance requirements.

3.60
verification
activity for demonstrating, for each safety life cycle phase, through analysis and/or tests, that, for the
specified conditions, all objectives and requirements established in the functional specification for that
phase are achieved
NOTE Examples of verification activities include:
a) product reviews (e.g., of documents) at all phases of the safety life cycle to ensure
compliance with each phase's objectives and requirements, taking into account their
specific inputs;
b) design reviews;
c) tests made with the products designed in that phase to ensure that their performance is in
accordance with their specification;
d) integration tests made with different parts of a system being put together, step by step,
and with execution of environmental tests to ensure that all parts work together in the
specified manner.

4 Symbols and Abbreviations

ABNT     Brazilian Association of Technical Standards;
AIChE    American Institute of Chemical Engineers;
ALARP    As Low As Reasonably Practicable;
ANSI     American National Standards Institute;
API      American Petroleum Institute;
APR      Preliminary Hazard Analysis;
CCPS     Center for Chemical Process Safety;
CP       Programmable Controller;
EE       Enabling Event;
EEL      Enabling Event Likelihood;
FC       Frequency of Consequence;
FCC      Fluid Catalytic Cracking;
FTOL     Tolerable Frequency;
HAZOP    Hazards and Operability Study;
HSE      UK Health & Safety Executive;
ICF      Initiating Cause Frequency;
IEC      International Electrotechnical Commission;
IHM      Human Machine Interface;
IPL      Independent Protection Layer;
ISA      The Instrumentation, Systems, and Automation Society;
LOPA     Layers of Protection Analysis;
MF       Modification Factor;
MTBF     Mean Time Between Failures;
MTTF     Mean Time to Fail;
MTTFS    Mean Time to Fail Safe;
MTTR     Mean Time to Repair;
NFPA     National Fire Protection Association;
PCC      Direct Current Panel;
PFD      Probability of Failure on Demand;
PFDavg   Average Probability of Failure on Demand;
RRF      Risk Reduction Factor;
SDV      Shut Down Valve;
SIF      Safety Instrumented Function;
SIL      Safety Integrity Level;
SIS      Safety Instrumented System;
SRS      Safety Requirements Specification;
BPCS     Basic Process Control System;
FAT      Factory Acceptance Test;
TÜV      Technischer Überwachungsverein (Technical Inspection Agency);
UPS      Uninterruptible Power Supply.

5 Evaluation of SIS Need and Basic Design Structuring

The evaluation of the need to implement one or more SIFs is part of the design practices and shall
be performed during the elaboration of the plant's basic design, through the application of one or more
risk analysis techniques, followed by the adoption of appropriate protection layers.

5.1 Hazard Analysis

5.1.1 Among the various techniques for assessing process hazards cited in PETROBRAS
N-2782, the application of HAZOP by a multidisciplinary team composed of professionals from the
areas of process, instrumentation and control, industrial operation and safety is recommended,
using as reference design documents that allow the identification of scenarios and the assessment of
hazards associated with each scenario. [Recommended Practice]

5.1.2 The boundary conditions imposed by the plant's or equipment's installation location, as well as by
its operational philosophy, shall be defined upon the analysis of the impacts of a hazard scenario.
Typical examples are equipment remotely or manually operated from the field and plants located in
isolated areas or near inhabited areas.
5.1.3 Once the risk associated with a scenario is determined, it shall be evaluated whether such
scenario is tolerable, based on the corporate policies reflected in the PETROBRAS
N-2782 criteria, local laws and applicable regulations.
NOTE When determining the tolerable risk, the following can also be considered: international standards
references, information from insurance companies, and agreements between stakeholders,
eventually allowing local community involvement. [Recommended Practice]

5.1.4 Table 2 of PETROBRAS N-2782 makes it clear that a risk not being tolerable (being out of
the T zone - "tolerable") is different from being not tolerable (being in the NT zone - "unacceptable");
however, it shall be emphasized that leaving the final risk in the M zone (moderate) shall be justified
after having made use of all resources to reduce it, in adherence to the ALARP concept.
5.2 Protection Layers
5.2.1 If the assessment of a scenario risk indicates that it is greater than the limit established as
tolerable, it shall be aimed to reduce the expected frequency of the hazardous event's occurrence or the
severity of the harm associated with this scenario by applying risk reduction measures, often
referred to as safeguards or protection layers (see Figure 1).

[Figure 1 (protection layers model) shows the following layers, from the outermost to the innermost:
Emergency plan - community (general emergency situation);
Emergency plan - industrial unit;
Evacuation procedures;
Physical mitigation systems (dikes, retention basin, etc.);
Operational intervention;
Relief and mechanical protection systems (PSV, flare, etc.);
Instrumented safety systems;
Process alarm systems with corrective operational action;
Basic process control systems - BPCS;
Operational supervision;
Installation design;
Process.]

Figure 1 - Protection Layers Model


5.2.2 As the first protection layer, a scenario associated with equipment operation and/or processes
may have its risk significantly reduced, or even completely eliminated, through specific design
techniques or an inherently safe design. Examples: risks due to excessive pressure can be reduced
through proper specification of the pipeline's thickness or by limiting the pump's head below the
design pressure of the vessel into which it discharges; risks due to high temperatures can be reduced
through appropriate design of heat exchangers; risks due to vibrations can be reduced by considering
appropriate support for the pipelines; risks to people may be greatly reduced through installation of the
plant in a non-inhabited location; fire or explosion risks can be eliminated if it is possible to replace the
product by a non-flammable one.
5.2.3 As a second protection layer, generally there are automatic control systems available for the
process or equipment, and it is possible to obtain a third layer with continuous supervision by qualified
operation personnel with the support of an adequate alarm system.
5.2.4 The next protection layer, consisting of a SIS, the main object of this standard, usually
accompanies another, formed by relief and prevention systems based on mechanical devices such as
safety valves, rupture discs and check valves.
5.2.5 It is recommended to adopt a SIS only if, after the application of the other risk reduction
measures mentioned, the residual risk remains higher than the tolerable risk (see Figure 2). [Recommended
Practice]

[Figure 2 (graphical representation of risk reduction) shows, along an axis of increasing risk, the
residual risk, the tolerable risk and the risk inherent to the process. The distance from the inherent
risk to the tolerable risk is the necessary risk reduction; the total risk reduction obtained with the
use of all protection layers is divided into the partial risk covered by prevention/mitigation layers
different from the SIS (control, alarm, mechanical devices), the partial risk covered by the SIS, and the
partial risk covered by other protection layers.]

Figure 2 - Risk Reduction Graphical Representation


5.3 Safety Life Cycle
5.3.1 Once the need for one or more SIFs is confirmed, their application now constitutes a SIS itself.
The steps required for a SIS's implementation include conception, design, installation, operation,
maintenance and deactivation, and are called the safety life cycle (see Figure 3).

[Figure 3 (safety life cycle model) is a flowchart whose boxes and decisions read: START - Process
Basic Design; Risk Analysis; Recommended SIF? (yes/no); Application of other means for reduction of
the identified risks; SIF Assessment (SIL and MTTFS) (section 6); Is SIF confirmed? (yes/no); SIL and
MTTFS Verification (section 8); SIS Detailed Design (section 9); FAT, Installation, commissioning and
pre-operation (sections 10, 11 and 12); Operational and maintenance procedures (section 13);
Operation, maintenance and periodical functional tests of the SIS (section 13); Modification or
deactivation? (modification/deactivation); SIF Deactivation; Documentation. Key: scope of this
standard; scope of other standards.]

Figure 3 - Safety Life Cycle Model


5.3.2 To enable the application and operationalization of SISs, it is necessary that there be an
implemented management system for their life cycle, based on a Safety Plan according to
IEC 61511-1, able to ensure that:
a) the people and organizations involved in each life cycle phase are identified and their
respective responsibilities are assigned;
b) the necessary training is provided;
c) each foreseen phase is performed and documented;
d) the generated documents are distributed, controlled and kept updated;
e) control verifications are performed periodically.
5.4 SIS Basic Design Structuring
5.4.1 The SIS's basic design shall establish and register, in an organized and systematic way, the
specification's technical requirements necessary for each of the SIFs that are part of the SIS, both for
those created during the process's basic design (usually recorded in engineering flowcharts and cause
and effect matrices) and for those created as recommendations of the hazard identification technique
applied during the plant's risk analysis phase.
5.4.2 The automatic functions that actuate specifically to prevent the hazardous consequence(s) of a
certain deviation, which can be associated with different scenarios, shall be considered as SIFs.
5.4.3 All SIFs shall be executed by the SIS. It is not allowed to execute a SIF via the BPCS.
5.4.4 It is recommended that the inclusion of automatic functions unrelated to safety into the SIS be
limited to the cases where their separation is impracticable. Example: furnace, boiler and flare ignition
sequences. [Recommended Practice]
5.4.5 It is recommended that signals related to SIS devices, but not used in the SIF logic (e.g., status
indication of a final element), not be connected to the SIS Logic solver. [Recommended Practice]
5.4.6 Usually the cause and effect matrix indicates a common cause for safety actions and for actions
not related to safety. It is recommended that a SIF only include the devices absolutely necessary to
perform its safety action. [Recommended Practice]
5.4.7 Each SIF shall have a unique alphanumeric identifier (tag) and be documented on a data sheet
that gathers the main SIF specifications, its features, its performance requirements (such as SIL and
MTTFS) and the criteria used in calculations (like the interval between periodic tests), composing a set of
information equivalent to the "Safety Requirements Specification - SRS" defined in IEC 61511-1.
5.4.7.1 It is recommended to use the model presented in Annex D to document SIF data.
[Recommended Practice]
5.4.8 The SIS's basic design documentation shall form a distinct set, separated from other design
documents unrelated to the SIS (see ISA 91.00.01).
5.4.9 The SIS's basic design documentation will follow the SIS throughout its life cycle and shall be filed
in the technical documentation system of the respective industrial facility, and be always kept updated, in a
traceable and auditable way, upon any revision that might occur in the plant.
5.4.10 The elaboration of the SIS's basic design shall consist, fundamentally, of the execution of the
following tasks:
a) SIF identification (not covered in this standard);
b) SIF assessment (see section 6);
c) definition of the SIS's implementation requirements (see section 7);
d) verification of the SIL and MTTFS required for each SIF (see section 8).
5.4.11 At the end of the basic design, all SIF data sheets shall be completely filled in.

6 SIS Basic Design - SIF Assessment

6.1 General Considerations
6.1.1 The evaluation phase consists basically of determining two important performance parameters,
in order to elaborate the SIS's specification, namely:
a) Safety Integrity Level - SIL;
b) Mean Time to Fail Safe - MTTFS.
6.1.2 SIF assessment shall be performed during the basic design phase of a new plant and during
revisions that might be performed in the design of an existing plant.
6.1.3 SIF assessment shall not replace the risk analysis study, but complement its execution,
assisting in the specification of an appropriate SIS.
6.1.4 It is recommended that the assessment of the SIFs be performed by the same risk analysis
team, together with or immediately after the completion of this analysis. [Recommended Practice]
6.2 SIF Assessment Team Composition

6.2.1 The team assigned to evaluate the safety instrumented functions shall be multidisciplinary,
composed, throughout the entire execution of this activity, of a team leader and of representative
professionals from at least the following areas:
a) Process;
b) Instrumentation and Control;
c) Operational;
d) SMS (Safety, Environment and Health).
6.2.2 Experts from specific areas, such as static, thermal, dynamic or electrical equipment, shall be
consulted by the assessment team whenever there is a need to confirm premises assumed in the risk
estimates involving such specialties.
6.2.3 The Process representative shall have participated in the specific basic design to be analyzed,
so as to ensure a good knowledge of it.
6.2.4 The Instrumentation and Control representative shall have experience and/or specific training
in Safety Instrumented Systems.
6.2.5 The Operational representative shall:
a) have experience in the considered process;
b) be linked with the future operation of the considered plant.
6.2.6 The SMS representative shall:
a) be familiar with the SMS policies, guidelines, standards and laws applicable to the
considered plant;
b) be linked with the future operation of the considered plant.
6.2.7 The assessment team's leader shall have experience in risk analysis, shall have training in the
specific method to be used and shall have participated previously in other SIF assessment processes.
6.2.8 It is admitted that the assessment team's leader accumulates the function of representative of
any of the areas listed in 6.2.1, provided that he or she meets the requirements for such.
6.2.9 The assessment team's leader shall ensure an organized, systematic and consistent application
of the method in use, guiding the other team members in this sense.
6.2.10 It is recommended that, before starting the analysis, the assessment team's leader promote
a harmonization of understanding about the methods to be used by all participants, in order to ensure
some minimum familiarity with the technique and its specific terminology. [Recommended Practice]
6.2.11 At the end of the study, the report shall be prepared and agreed by the entire staff. For items
where it has not been possible to reach consensus, the reasons shall be recorded.

6.3 Preparation for SIF Assessment

6.3.1 The following documents shall be available in their latest revisions for use in the assessment
process of the safety instrumented functions:
a) engineering flowcharts;
b) automatic actions description (cause and effect matrix, logic diagram, or another
equivalent document);
c) risk analysis report, if issued.
6.3.2 Additional information about failures, hazardous events and accidents related to the process or
equipment under protection of the SIF can also be used, provided that their sources are properly
documented in the SIF Data Sheet.
6.3.3 Among the scenarios identified by the risk analysis, those where there is a SIF as a safeguard or
recommendation shall be selected for assessment. Other scenarios can be assessed at the discretion
of the team.

6.4 Assessment of the Safety Integrity Level required for a SIF

6.4.1 Each SIF shall be assigned a SIL in accordance with the risk reduction required from it
(see Table 1).

Table 1 - SIL Scale for Demand Mode

RRF                    PFDavg                SIL
> 10 to 100            10^-2 to < 10^-1      1
> 100 to 1 000         10^-3 to < 10^-2      2
> 1 000 to 10 000      10^-4 to < 10^-3      3
> 10 000 to 100 000    10^-5 to < 10^-4      4

NOTE For SIFs operating in continuous mode or with high demand (more than one demand per
year or two or more demands at each interval between tests), the SIL is correlated with a
frequency of dangerous failures per hour. For example, SIL 1 is equivalent to a frequency
between 10^-6 and 10^-5 per hour (see Table 4 of IEC 61511-1:2003).

6.4.2 The assessment of the required SIL for a SIF shall consider the consequences regarding:
a) personal safety (S);
b) environment (E);
c) company property (L).
6.4.3 The required SIL for the SIF shall be the highest among those determined for each of these
three aspects.
6.4.4 If a single SIF is a safeguard for various scenarios, the required SIL shall be the highest among
those obtained for each scenario.
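The chain from the definitions of section 3 to Table 1 and to 6.4.3/6.4.4 can be written as a small calculation: the frequency of consequence (3.32) is the initiating cause frequency (3.31) multiplied by the enabling event likelihood, by the PFDavg (3.41) of each non-SIF protection layer and by the modification factor (3.30); dividing it by the tolerable frequency (3.33) gives the RRF (3.29) the SIF must provide, which Table 1 maps to a SIL, and the SIF takes the highest SIL over the aspects S, E and L and over all scenarios it protects. The Python script below is an added example, not part of N-2595 or of its Annex B: the scenario values, the hypothetical tag "SIF-EXAMPLE-01" and the treatment of RRF <= 10 as "no SIL" and RRF > 100 000 as "beyond SIL 4" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not part of N-2595): a LOPA-style calculation linking ICF (3.31),
# EEL, PFDavg of non-SIF layers (3.41), MF (3.30), FC (3.32) and FTOL (3.33) to the
# RRF (3.29) and to the SIL of Table 1. Scenario values are constructed for illustration.

# Table 1 (demand mode): SIL n covers RRF in the interval (lo, hi].
SIL_TABLE = [
    (1, 10, 100),
    (2, 100, 1_000),
    (3, 1_000, 10_000),
    (4, 10_000, 100_000),
]


@dataclass
class Scenario:
    name: str
    aspect: str                 # "S" personal safety, "E" environment, "L" company property (6.4.2)
    icf: float                  # Initiating Cause Frequency, events per year (3.31)
    ftol: float                 # tolerable frequency for this severity, events per year (3.33)
    eel: float = 1.0            # Enabling Event Likelihood (probability; 1.0 = not applicable)
    ipl_pfdavg: list = field(default_factory=list)  # PFDavg of each non-SIF protection layer
    mf: float = 1.0             # Modification Factor (3.30) as a probability; 1.0 = none


def frequency_of_consequence(s: Scenario) -> float:
    """FC (3.32) without the SIF: ICF x EEL x MF x product of the non-SIF layers' PFDavg."""
    fc = s.icf * s.eel * s.mf
    for pfd in s.ipl_pfdavg:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"{s.name}: PFDavg must be in (0, 1], got {pfd}")
        fc *= pfd
    return fc


def required_rrf(s: Scenario) -> float:
    """Risk reduction the SIF must provide so that FC x PFDavg(SIF) <= FTOL, i.e. FC / FTOL."""
    return frequency_of_consequence(s) / s.ftol


def required_pfdavg(s: Scenario) -> float:
    """PFDavg the SIF must achieve: the inverse of the required RRF (3.29), capped at 1."""
    rrf = required_rrf(s)
    return 1.0 if rrf <= 1.0 else 1.0 / rrf


def sil_from_rrf(rrf: float) -> Optional[int]:
    """Map an RRF to the SIL of Table 1. Assumed conventions: 0 when RRF <= 10 (no SIL
    required, see 6.4.10); None when RRF > 100 000 (beyond SIL 4, see 6.4.9)."""
    if rrf <= 10:
        return 0
    for sil, lo, hi in SIL_TABLE:
        if lo < rrf <= hi:
            return sil
    return None


def required_sil(s: Scenario) -> Optional[int]:
    return sil_from_rrf(required_rrf(s))


def sif_required_sil(scenarios: list) -> Optional[int]:
    """6.4.3 / 6.4.4: the SIF's required SIL is the highest over all aspects and all scenarios
    it protects. None if any scenario needs more than SIL 4 (other risk reduction required)."""
    sils = [required_sil(s) for s in scenarios]
    if any(sil is None for sil in sils):
        return None
    return max(sils)


# Constructed scenarios protected by one hypothetical SIF (tag "SIF-EXAMPLE-01").
SCENARIOS = [
    Scenario("high pressure, personal safety", "S", icf=0.5, ftol=1e-4, ipl_pfdavg=[0.1]),
    Scenario("high pressure, environment", "E", icf=1.0, ftol=1e-5, eel=0.5, ipl_pfdavg=[0.1, 0.01]),
    Scenario("high pressure, property", "L", icf=0.1, ftol=1e-2, ipl_pfdavg=[0.1]),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name} ({s.aspect}): FC={frequency_of_consequence(s):.2e}/yr "
              f"RRF={required_rrf(s):.1f} PFDavg<={required_pfdavg(s):.1e} SIL={required_sil(s)}")
    print("required SIL for SIF-EXAMPLE-01:", sif_required_sil(SCENARIOS))
```

With these constructed inputs the safety aspect requires an RRF of 500 (SIL 2, PFDavg at most 2 x 10^-3), the environmental aspect an RRF of 50 (SIL 1) and the property aspect no SIL at all, so the SIF is specified as SIL 2, the value that would be recorded on its data sheet under 6.4.8.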

6.4.5 In this standard two distinct assessment methods for the required SIL of a SIF are presented,
namely:
a) Risk Graphs (Annex A): qualitative method, with simpler and more immediate application,
which therefore usually leads to more conservative results, with higher SILs and a
larger number of SIFs;
b) LOPA (Annex B): semi-quantitative method that takes into account the risk reductions by
other protection layers different from the SIS, allowing more consistent assessments of
the scenarios and producing more complete documentation.
6.4.6 When choosing the most appropriate assessment method, the following shall be taken into account: the
complexity of the process, the nature and severity of the risks, the availability of information about the risk
scenarios, and the qualification and experience of the people available for the assessment work.
6.4.7 The application of the LOPA method is recommended. [Recommended Practice]
6.4.8 Once the required safety integrity level is determined, this SIL shall be registered in the
respective SIF Data Sheet.
6.4.9 If a SIF assessment's result indicates a required SIL greater than 3, other means of risk
reduction shall be applied, in order to bring the SIF's required safety integrity level below SIL 4.
Guidance and precautions to be taken into account in order to safely reduce the required SIL can
be found in ISA 84.00.04 Part 1 Annex J.
6.4.10 If a SIF assessment's result indicates no required SIL, what is determined in 5.4.4 shall be
observed.
6.5 Assessment of the Acceptable Spurious Trip Frequency for a SIF
6.5.1 In order not to jeopardize the availability of the plant or equipment subject to SIF protection, a
minimum value, considered acceptable for the application, shall be stipulated for the SIF's Mean Time to
Fail Safe (MTTFS), related to spurious trips.
6.5.2 The industrial facility shall have a criterion for determining the acceptable MTTFS value. Two
possible alternatives are presented in 6.5.2.1 and 6.5.2.2.
6.5.2.1 Unavailability
The unavailability time due to SIS spurious trips shall be negligible (less than 1/10) in relation to the
total unavailability time (shutdowns and unscheduled load reductions) of the plant over a given period
of time. Example: in a process unit in which 100 days of unavailability are historically observed in each
5-year campaign, the SIS as a whole could not be responsible for more than 10 days of shutdown in
each campaign, or 2 days a year. Assuming that this SIS has 20 SIFs whose spurious trips result, on
average, in 12 h of unit shutdown per trip, we would have a limit of 1 spurious trip every 5 years per
SIF, or a 5-year MTTFS for each SIF.
6.5.2.2 Spurious Trip Cost
The cost of the spurious trip shall take into account, besides the production loss (profit loss), the costs
associated with other possible consequences related to the unexpected shutdown and subsequent
plant startup, such as: harm to equipment (refractory breakdown, coking of tubes, etc.), contractual
penalties due to production interruption, environmental harm (excessive relief to flare, noise from
safety valves opening), harm to the company's image, etc.

Table 2 - Criteria for Determination of the Acceptable MTTFS

Spurious trip cost (US$)            Acceptable MTTFS (years)
10 000
> 10 000 to 100 000
> 100 000 to 1 000 000
> 1 000 000 to 10 000 000           10
> 10 000 000                        20

6.5.3 It shall be taken into account that a SIF action might originate other protection actions. For
example, low gas flow causes a trip of the compressor, which in turn causes a trip of the load pump.
6.5.4 Once the required MTTFS is determined, it shall be registered on the Data Sheet of the
respective SIF.
6.5.5 If personal and environmental risks are both negligible, causing the SIL to be determined only by the
risk associated with the company's property aspect, it is recommended to carry out a cost-benefit
analysis to determine whether or not it is worth implementing the SIF. [Recommended Practice]
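The unavailability criterion of 6.5.2.1 is a short derivation: the SIS downtime budget is one tenth of the plant's historical unavailability, that budget converted to hours and divided by the average shutdown per trip gives the number of spurious trips the whole SIS may cause per campaign, and spreading those trips over the SIFs gives the MTTFS each SIF must achieve. The Python script below is an added example, not part of N-2595: it carries that derivation through for the figures of the 6.5.2.1 example and adds the reverse check a practitioner needs later, in the verification of section 8, namely whether a set of achieved per-SIF MTTFS values still fits the same budget. The equal split of the budget among the SIFs and the 24 h day are assumptions made for illustration.

```python
# Added example (not part of N-2595): the unavailability criterion of 6.5.2.1 as a
# calculation, plus the reverse check of achieved SIF MTTFS values against the same
# budget. Input figures are those of the 6.5.2.1 example; the equal split of the
# downtime budget among the SIFs is an assumption made for illustration.

HOURS_PER_DAY = 24


def sis_downtime_budget_days(plant_unavailability_days: float, sis_share: float = 0.10) -> float:
    """Maximum unavailability per campaign attributable to SIS spurious trips. 6.5.2.1
    requires it to be negligible, i.e. less than 1/10 of the plant's total (sis_share)."""
    if not 0.0 < sis_share < 1.0:
        raise ValueError("sis_share must be a fraction in (0, 1)")
    if plant_unavailability_days < 0:
        raise ValueError("plant unavailability cannot be negative")
    return plant_unavailability_days * sis_share


def acceptable_mttfs_years(plant_unavailability_days: float, campaign_years: float,
                           n_sifs: int, hours_per_trip: float, sis_share: float = 0.10) -> float:
    """Acceptable MTTFS per SIF (years) so that the SIS as a whole stays within its
    downtime budget, assuming the budget is shared equally among the n_sifs SIFs."""
    if n_sifs < 1 or hours_per_trip <= 0 or campaign_years <= 0:
        raise ValueError("n_sifs, hours_per_trip and campaign_years must be positive")
    budget_hours = sis_downtime_budget_days(plant_unavailability_days, sis_share) * HOURS_PER_DAY
    trips_per_campaign_sis = budget_hours / hours_per_trip      # spurious trips the SIS may cause
    trips_per_campaign_sif = trips_per_campaign_sis / n_sifs    # ... per SIF, equal split
    return campaign_years / trips_per_campaign_sif              # years between spurious trips per SIF


def predicted_sis_downtime_days(sif_mttfs_years: list, campaign_years: float,
                                hours_per_trip: float) -> float:
    """Reverse check: expected SIS-caused downtime per campaign, given the MTTFS achieved
    by each SIF (each SIF contributes campaign_years / MTTFS expected trips)."""
    expected_trips = sum(campaign_years / mttfs for mttfs in sif_mttfs_years)
    return expected_trips * hours_per_trip / HOURS_PER_DAY


def meets_unavailability_criterion(sif_mttfs_years: list, plant_unavailability_days: float,
                                   campaign_years: float, hours_per_trip: float,
                                   sis_share: float = 0.10) -> bool:
    """True when the predicted SIS downtime does not exceed the 6.5.2.1 budget."""
    predicted = predicted_sis_downtime_days(sif_mttfs_years, campaign_years, hours_per_trip)
    return predicted <= sis_downtime_budget_days(plant_unavailability_days, sis_share)


if __name__ == "__main__":
    # Figures of the 6.5.2.1 example: 100 days per 5-year campaign, 20 SIFs, 12 h per trip.
    mttfs = acceptable_mttfs_years(100, 5, 20, 12)
    print(f"acceptable MTTFS per SIF: {mttfs:.1f} years")           # 5.0
    print("20 SIFs at 5 years each fit the budget:",
          meets_unavailability_criterion([5.0] * 20, 100, 5, 12))  # True
    print("20 SIFs at 2 years each fit the budget:",
          meets_unavailability_criterion([2.0] * 20, 100, 5, 12))  # False
```

Because the budget is a shared quantity, the reverse check is the more useful one once the verification of section 8 has produced an MTTFS for each SIF: a few SIFs well above the per-SIF target can compensate for one that falls short, and the cascading trips of 6.5.3 should be reflected in the hours per trip of the SIF that initiates them.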

7 SIS Basic Design - Implementation Requirements

7.1 Segregation between SIS and BPCS
7.1.1 SIFs shall have their physical implementations separated from the BPCS loops. Therefore, at
least the following components shall be segregated:
a) process taps;
b) impulse lines;
c) sensors;
d) signal wiring;
e) junction boxes;
f) multicables;
g) terminal blocks;
h) control and marshalling panels;
i) fuses and circuit breakers;
j) Logic solver;
k) final elements.
NOTE It is permitted to share process taps or BPCS instrument nozzles with redundant SIS
sensors.

7.1.2 Sharing between SIS and BPCS is admitted for the following components:
a) primary flow elements of the orifice plate, venturi or v-cone types;
b) sprockets (rotation measurement);
c) thermoelement wells;
d) air supply branches.

7.1.3 The use of control valves as a SIS's final element is admitted only in cases where segregation
is impractical. For example: spent catalyst and regenerated catalyst valves of FCC units.

7.1.4 In case it is necessary to use more than two pairs of taps for the same orifice plate, it is
recommended that the third pair of taps be on the pipe (pipe taps). [Recommended Practice]

7.2 Segregation between distinct SISs

7.2.1 Plants that operate independently or have scheduled shutdowns for maintenance shall have
distinct SISs.
7.2.2 For process equipment located within one single plant which has independent scheduled
maintenance shutdowns, it is recommended to segregate the following components of each respective
SIS: junction boxes, multicables, I/O modules and application programs. [Recommended Practice]
7.2.3 It is recommended for the SIS to be segregated from other safety systems ruled by specific
standards. [Recommended Practice]
EXAMPLE
NFPA 72 for fire alarm systems;
ABNT NBR 12712 for gas pressure reduction stations;
API 670 for machinery protection systems.

7.3 Segregation between Redundant Channels of a SIF

7.3.1 For SIFs with redundancy of sensors and/or final elements, it is recommended to segregate the
following components of each respective channel: [Recommended Practice]
a) process taps;
b) impulse lines;
c) signal wiring;
d) junction boxes;
e) multicables;
f) terminal blocks;
g) fuses and circuit breakers;
h) I/O modules.

7.3.2 In the case of redundant temperature measurement, the use of one single well for more than one
sensor is admitted.

7.4 Power Supply

7.4.1 The electrical power supply for the SIS shall be provided from a redundant direct current
system, consisting of two sets of chargers, two battery banks and two distribution boards (PCC) with a
circuit breaker for interconnection, one board being equal to the other (mirror) and each one of these
sets powered by independent feeders.
7.4.2 Such a system shall distribute the electrical power to:
a) logic solver power supply modules;
b) power supply for analog sensors;
c) energization of discrete sensor circuits;
d) energization of the final element circuits.
7.4.3 The requirements established in PETROBRAS N-329 for the design of storage batteries and
PETROBRAS N-332 for the design of battery chargers shall be observed.
7.4.4 The power supply modules of the Logic solver, as well as the power supplies for the sensors
and final elements shall be redundant.
7.4.5 It is recommended for the Logic Solver power modules and the power supplies of the sensors
and final elements to have independent electrical power inputs, each one being supplied by a
separate PCC. [Recommended Practice]
7.5 Communication Between Field Devices and Logic solver
7.5.1 It is not allowed to use digital communication protocols for transmitting process signals in safety
functions.
7.5.2 The use of HART digital communication protocol is allowed only for diagnostic purposes, and
the remote configuration functionality shall be inhibited.
7.5.3 It is recommended not to use marshalling panels, intrinsic safety barriers, isolators, signal
converters, or other elements between the field devices and the Logic solver. [Recommended
Practice]
NOTE In the case of electric machine (motor) actuation circuits, the interposing relay is
considered part of the final element.

7.5.4 If the use of intrinsic safety barriers and/or signal isolators is necessary, such elements
shall be:
a) installed in the same panel as the Logic solver, and not distributed in other
locations/panels;
b) supplied by the power supplies located in the Logic solver's panel.
7.6 Sensors
7.6.1 Sensors shall be implemented by transmitters operating in analog mode in the 4 mA to 20 mA
range, powered directly from the respective SIS's Logic solver panel.
7.6.2 In situations where the use of transmitters as sensors is not technically feasible (e.g., position
indicator switches), the respective contacts used to activate the SIF shall be kept closed and
energized under normal operation condition of the plant or equipment.
7.6.3 In order to minimize the occurrence of spurious trips, it is recommended that the internal
diagnostics of the transmitters be configured so that, in case of failure, the output signal is driven
to the following values: [Recommended Practice]
a) below 3.6 mA (under-range) for cases where the trip actuation occurs towards increasing
transmitter output signal;
b) above 21 mA (over-range) for cases where the trip actuation occurs towards decreasing
transmitter output signal.
NOTE CANCELED - AMENDMENT 07/2012.


7.6.4 It is recommended that the execution of functions such as square root extraction, damping
adjustment and timing be performed on the Logic solver application program and not on the sensors.
[Recommended Practice]
7.6.5 It is recommended that SIS sensors and the BPCS sensors measuring the same variables have
the same range and compatible uncertainties, so as to permit their direct comparison and allow the
implementation of the BPCS's deviation alarm. [Recommended Practice]
7.6.6 The sensors shall be painted in the safety orange color in accordance with PETROBRAS N-1219.
Partial painting of the sensor is acceptable. Example: painting only the transmitter covers.
7.6.7 For sensors of SIFs evaluated as SIL 3, the use of diverse redundancy is recommended.
[Recommended Practice]

7.7 Final Elements


7.7.1 It is recommended that SIS valves use pneumatic actuators. Electric or hydraulic actuators can
be used where pneumatic actuators are impracticable (for example, when instrument air is not
available). [Recommended Practice]
7.7.2 SIS valve actuators shall normally operate pressurized or energized, and loss of such
pressurization or energization shall result in the return of the valve to the position established as
safe by action of the energy storage device (e.g., pre-compressed spring, hydraulic accumulator, etc.).
7.7.3 SIS valves shall not have handwheels for manual operation.
7.7.4 For SIS valves and their respective actuators, at least the following items shall be specified:
a) adequacy of the valve type and its materials to the process and operation conditions
(especially for low demand);
b) required leakage class;
c) valve actuator failure modes;
d) normal flow direction, which tends to bring the valve to the safe position;
e) opening and closing times of the valve and actuator set, compatible with the SIF
requirements;
f) device for monitoring the safety position.
7.7.5 In case the SIF final elements are the driving circuits of electric machines (motors), the status
of such equipment shall be displayed on the operation interface.
7.7.6 In cases where a SIF evaluated as SIL 3 acts on an electric motor, it is recommended that the
motor status confirmation be given by monitoring variables such as shaft rotation or electric current.
[Recommended Practice]
7.7.7 In applications involving protection of essential equipment driven by electric motors, it is
recommended to use the Breaker Failure (BF) function of the electrical protective relay of the motor's
circuit breaker. [Recommended Practice]
NOTE The impacts of the shutdown of the other loads affected by the BF action shall be
evaluated.
7.7.8 It is recommended that the interposing relays be installed in the terminal box that interfaces
with the electrical equipment. [Recommended Practice]
7.7.9 For the solenoid valves commanding pneumatic actuators, the following items shall be specified:
a) normal operation condition: energized coil;
b) minimum operating air pressure;
c) flow capacity adequate to the required operation time;
d) protection of the air exhaust ports (vents) against clogging by dirt, insects and frost.
7.7.10 It is recommended that solenoid valves with mechanical manual reset not be used.
[Recommended Practice]
7.7.11 In case the SIF Data Sheet indicates the need to perform valve partial stroke tests (see
ISA TR 96.05.01), these shall be implemented by devices specially designed for this application and
holding a SIL compliance certificate in accordance with IEC 61508-1. The certificate shall be
submitted for PETROBRAS approval. Certificates issued by TÜV are pre-approved.
7.7.12 SIS final elements shall be painted in the safety orange color, in accordance with PETROBRAS
N-1219. Partial painting is acceptable, e.g., painting only the solenoid valve covers and the valve
actuator casings.
7.7.13 For final elements of a SIF evaluated as SIL 3, the use of a diverse redundancy is
recommended. [Recommended Practice]

7.8 Logic solver


7.8.1 The Logic solver shall meet all technical requirements expressed in the Specification Data
Sheets of the SIFs that comprise the SIS.
7.8.2 The Logic solver shall hold a certificate of compliance with IEC 61508-1 for applications with a
safety integrity level equal to or higher than the highest SIL required among the SIFs allocated to it.
The certificate shall be submitted for PETROBRAS approval. Certificates issued by TÜV are pre-approved.
7.8.3 The Logic solver shall be physically implemented by a safety CP in all applications where the
total number of sensors and final elements is equal to or greater than 20.
7.8.4 The Logic solver may, by express agreement of the Company's Organizational Unit, be
physically implemented through non-programmable electronic technology in SISs in which the total
number of sensors and final elements is less than 20 and the required logic is of low complexity.
7.8.5 The application restrictions for the selected equipment listed in its safety manual and in its
certificate of compliance with the required SILs shall be observed.
7.8.6 It is recommended to use as the SIS Logic solver a safety CP suitable for SIL 3 applications,
even if SIL 3 is not required for any of the associated SIFs. This practice provides greater flexibility
in the design of the SIFs. [Recommended Practice]

7.8.7 All safety CP modules (input and output modules, power supplies and processors) involved in
the logic solving of SIFs shall:
a) not lead to a spurious trip on a single failure;
b) allow maintenance interventions without powering down or interrupting logic execution
("hot swapping").
7.8.8 It is recommended that the Logic solver have resources capable of detecting a signal indicating
that the sensor is outside its normal operational range, and of assigning the sensor a failure status
(out of specification) when its analog output is below 3.6 mA or above 21 mA. [Recommended Practice]
7.8.9 The Logic solver and its auxiliary equipment shall be installed on a panel exclusively for this
purpose. This set shall be compatible with the specific environmental and electric conditions of the
installation site.
7.8.10 The Logic solver panel and the SIS junction boxes shall be identified differently from the
others. Partial painting of the panel and boxes in safety orange color and the inscription "SIS" on the
panel's nameplate are suggested.
7.8.11 In case of interaction between distinct logic solvers, their actions shall be coordinated to
ensure the conduction of the process as a whole to a safe state.
7.8.12 The execution of a SIF through a digital communication link between distinct safety CPs is
conditional upon certification of the safety integrity level achieved by the whole set, including its
communication link, according to IEC 61508 Parts 1, 2 and 3. The certificate shall be submitted for
PETROBRAS approval. Certificates issued by TÜV are pre-approved.
7.8.13 The application program shall:
a) be developed in accordance with the logic diagram of the SIS detailing design;
NOTE 1 It is recommended to use the Function Block programming language (see IEC 61131-3).
[Recommended Practice]
NOTE 2 It is recommended not to use programming languages of the structured text or Ladder
diagram type. [Recommended Practice]
b) be developed considering the applicable restrictions on the use of the utility program,
compatible with the required integrity level, as indicated in the safety manual of the
selected CP;
c) have a scan time less than half the shortest response time required by the SIFs running
on the safety CP;
d) provide information to the BPCS according to 7.12;
e) CANCELED - AMENDMENT 07/2012.
NOTE CANCELED - AMENDMENT 07/2012.

7.8.14 In order to minimize the occurrence of spurious trips, it is recommended that sensors identified
as being in a failure state be by-passed automatically by the application program, respecting the
limitations imposed by 7.11.3. [Recommended Practice]
NOTE 1 The duration of this by-pass shall be defined at the detailing design phase and cannot
exceed 8 hours. During this period, the unit's operation team shall decide whether or not
the manual by-pass for maintenance is to be activated for the sensor in question.

NOTE 2 The total duration of the by-pass (automatic + manual) shall comply with the limit established
in the specific procedure for the SIF in question.
NOTE 3 If the automatic by-pass timer expires but the by-pass for maintenance has not been
manually activated according to 7.11.3.5, the application program shall assign the trip status
to the sensor, with the consequences programmed in the SIF's logic following from it.
7.8.15 It is recommended that the application program treat the cases of SIFs with redundant sensors
so as to avoid spurious trips caused by a false diagnosis of simultaneous failure of all sensors when
the process variable moves outside the normal operational range in the direction opposite to the trip.
[Recommended Practice]
EXAMPLE
Reevaluate the operating range and/or consider the possibility of extending the limits of
under/over-range beyond those established in 7.6.3.
NOTE A possible implementation of specific logic to avoid this form of spurious trip shall be
preceded by a careful evaluation of the possibilities of common cause failure of the sensors.
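As an added illustration of 7.6.3, 7.8.8 and 7.8.14 (it is not part of this Standard, nor of any safety CP vendor's software), the Python model below classifies a 4 mA to 20 mA transmitter as failed outside the 3.6 mA to 21 mA band, runs the automatic by-pass timer capped at 8 hours, assigns the trip status when the timer expires without a maintenance by-pass (NOTE 3 of 7.8.14), and checks that a transmitter's configured failure direction follows 7.6.3. The tag PT-1001, the 0 bar to 10 bar range, the 8 bar setpoint, the 2 h automatic by-pass duration, the clearing of the timer when the signal returns to range, and the signal trace are assumed values for the illustration.

```python
"""Sensor status and automatic by-pass handling in a Logic solver application.

Added example; not part of N-2595 and not the code of any safety CP vendor.
It models 7.6.3, 7.8.8 and 7.8.14 (NOTES 1 to 3) for one 4 mA to 20 mA
transmitter. The 3.6 mA / 21 mA limits and the 8 h cap come from the
standard; the tag, range, setpoint, by-pass duration and signal trace are
constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

UNDER_RANGE_MA = 3.6          # 7.8.8: below this the sensor is out of specification
OVER_RANGE_MA = 21.0          # 7.8.8: above this the sensor is out of specification
MAX_AUTO_BYPASS_S = 8 * 3600  # 7.8.14 NOTE 1: automatic by-pass cannot exceed 8 h


def sensor_status(current_ma: float) -> str:
    """Return 'failed' for an out-of-range loop current, otherwise 'ok'."""
    if current_ma < UNDER_RANGE_MA or current_ma > OVER_RANGE_MA:
        return "failed"
    return "ok"


def failure_direction_ok(trip_on_high: bool, configured_fail_ma: float) -> bool:
    """7.6.3 configuration check: a transmitter whose SIF trips on a rising
    signal should fail under-range (< 3.6 mA); one that trips on a falling
    signal should fail over-range (> 21 mA). Either way a failed transmitter
    is recognised as failed instead of being read as a demand."""
    if trip_on_high:
        return configured_fail_ma < UNDER_RANGE_MA
    return configured_fail_ma > OVER_RANGE_MA


def ma_to_pv(current_ma: float, lrv: float, urv: float) -> float:
    """Linear 4 mA to 20 mA scaling to engineering units (LRV..URV)."""
    return lrv + (current_ma - 4.0) * (urv - lrv) / 16.0


@dataclass
class SensorChannel:
    tag: str
    lrv: float
    urv: float
    setpoint: float
    trip_on_high: bool
    auto_bypass_s: float          # duration fixed at detailing design (constructed)
    maint_bypass: bool = False    # manual by-pass for maintenance (7.11.3.5)
    bypass_elapsed_s: float = 0.0

    def __post_init__(self) -> None:
        if self.auto_bypass_s > MAX_AUTO_BYPASS_S:
            raise ValueError(f"{self.tag}: automatic by-pass exceeds 8 h")

    def step(self, current_ma: float, dt_s: float) -> tuple[bool, str]:
        """Evaluate one scan of dt_s seconds.

        Returns (demand, status): demand is this channel's vote to the SIF
        logic; status is 'normal', 'trip', 'auto_bypass', 'maint_bypass' or
        'trip_on_timeout'.
        """
        if sensor_status(current_ma) == "failed":
            if self.maint_bypass:
                # Operation activated the maintenance by-pass in time; NOTE 2
                # still caps the total (automatic + manual) duration.
                return False, "maint_bypass"
            self.bypass_elapsed_s += dt_s
            if self.bypass_elapsed_s > self.auto_bypass_s:
                # NOTE 3: timer expired with no manual by-pass -> trip status
                return True, "trip_on_timeout"
            return False, "auto_bypass"
        # Healthy signal: clear the timer (assumption) and compare the PV with
        # the setpoint in the configured trip direction.
        self.bypass_elapsed_s = 0.0
        pv = ma_to_pv(current_ma, self.lrv, self.urv)
        demand = pv >= self.setpoint if self.trip_on_high else pv <= self.setpoint
        return demand, ("trip" if demand else "normal")


def simulate(channel: SensorChannel, trace: list[tuple[float, float]]) -> list[str]:
    """Run a (current_mA, dt_s) trace through the channel; return status per scan."""
    return [channel.step(ma, dt)[1] for ma, dt in trace]


if __name__ == "__main__":
    # Constructed case: PT-1001, 0 to 10 bar, high-pressure trip at 8 bar,
    # 2 h automatic by-pass. The transmitter then fails low (3.2 mA) and the
    # timer runs out before operation activates the maintenance by-pass.
    ch = SensorChannel("PT-1001", 0.0, 10.0, 8.0, True, auto_bypass_s=2 * 3600)
    trace = [(12.0, 1), (17.6, 1), (3.2, 1), (3.2, 3600), (3.2, 3600), (3.2, 1)]
    print(simulate(ch, trace))
```

Running the module prints the status per scan for the constructed trace: normal, trip, auto_bypass, auto_bypass, trip_on_timeout, trip_on_timeout. The failure_direction_ok() check is the kind of verification worth repeating during the FAT interface tests of 10.3.3 h), where a 2 mA signal must be recognized as a failure and not as a process demand.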

7.9 Manual Trip Command


7.9.1 The quantity and reach of manual trip commands of a plant or equipment shall be defined in the
process basic design phase and shall be described in the respective SIF Data Sheets.
NOTE Manual activation is an option, foreseen in the process design, for actuation of the final
elements of a SIF by the operator; it is not part of the automatic protection function and
therefore shall not be considered in SIF performance calculations (SIL or MTTFS).

7.9.2 It is recommended that manual trip commands be implemented through electromechanical pull
buttons with two normally closed contacts connected in series, installed in a place of easy access for
the operation team and provided with protection against inadvertent activation.
[Recommended Practice]
7.9.3 The signals of manual trip command shall be executed by the SIS Logic solver.
7.9.4 Manual trip commands from the BPCS operation interface shall be implemented "hardwired"
from the BPCS controller to the Logic solver.

7.10 SIF Reset


7.10.1 Every SIF shall have a reset command to enable the controlled resumption of operation of the
plant or equipment subject to the SIF protection, when after a trip event demand conditions are no
longer verified.
7.10.2 After a demand occurrence and the consequent activation of the respective SIF, the command
signal to the final element shall remain in the activated status until receiving a manual reset command
by the operator.
7.10.3 SIF automatic reset is not allowed.

7.10.4 The manual reset command shall only be implemented through a physical pushbutton located
in the field when required in the SIF Data Sheet.
7.10.5 The SIF reset signal shall be of type short duration pulse.

7.11 SIF By-Pass

7.11.1 General Considerations


7.11.1.1 The aim of a by-pass is to restrict a SIF's action, whether because of an operation startup or
a maintenance intervention during the plant's or equipment's operation.
7.11.1.2 Every manually activated by-pass shall be done through pre-configured screens in the
BPCS's HMI, necessarily with signaling for confirmation of its status.
7.11.1.3 By-pass of SIF Logic solver outputs is not allowed.
7.11.1.4 By-pass of the manual trip command is not allowed.
7.11.1.5 Forcing variables in the safety CP application program for SIF by-pass purposes is not
allowed.
7.11.1.6 A SIF by-pass shall not suppress alarm functions.
7.11.2 By-Pass for Operation Startup
7.11.2.1 Only the SIFs that, due to the initial process state, prevent the plant or equipment subject to
protection from starting shall have a by-pass command. Examples: low pressure in the gas header to the
furnace, low compressor rotation speed, low load flow rate, etc.
7.11.2.2 It is recommended that the by-pass commands for operation startup be deactivated by
automatic functions, avoiding the use of a manual command for this purpose. [Recommended Practice]
EXAMPLE
process condition: the process variable value is monitored until the end of the startup
condition is characterized;
time: a time period set not much longer than that necessary for normal execution of the
startup procedure;
combination of the above.
7.11.2.3 By-pass commands for operation startup shall be kept deactivated when the plant or
equipment subject to SIS protection is not in the startup procedure.
7.11.3 By-Pass for Maintenance
7.11.3.1 It is recommended not to allow more than one SIF belonging to the same plant or equipment
to be by-passed at the same time (see API RP 554:1995). [Recommended Practice]
7.11.3.2 The by-pass duration for maintenance shall be as short as possible.


7.11.3.3 For SIFs which have failure-tolerant sensors, by-pass for maintenance shall be on only one
sensor at a time and, when activated, it shall degrade its respective voting architectures as follows:
a) from 1 out of 2 to 1 out of 1;
b) from 2 out of 2 to 1 out of 1;
c) from 2 out of 3 to 1 out of 2.
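The degradation table above, as an added example (not part of this Standard nor of any safety CP vendor's voting block): the Python functions below implement the 1oo2 to 1oo1, 2oo2 to 1oo1 and 2oo3 to 1oo2 degradations, refuse a second simultaneous by-pass, apply the 7.11.3.4 conditions to a non-fault-tolerant sensor, and show what each degradation does to the group's dangerous and spurious fault tolerance. The closed-form reading in conservative_degradation() (the by-passed channel is counted as voting for trip, with at least one healthy channel still required) is an observation about the table, not a statement of the Standard; the sensor tags and demand values are constructed.

```python
"""m-out-of-n sensor voting degraded by a maintenance by-pass (7.11.3.3/7.11.3.4).

Added example; not part of N-2595 and not any safety CP vendor's voting
block. It implements the 7.11.3.3 table (1oo2 -> 1oo1, 2oo2 -> 1oo1,
2oo3 -> 1oo2), enforces one by-passed sensor at a time, applies the
7.11.3.4 conditions to non-fault-tolerant sensors, and shows what each
degradation does to dangerous and spurious fault tolerance. The closed-form
rule in conservative_degradation() is an observation about the table, not a
statement of the standard. Sensor tags and demand values are constructed.
"""
from __future__ import annotations

# 7.11.3.3: architecture to vote while exactly one sensor is by-passed
DEGRADED = {(1, 2): (1, 1), (2, 2): (1, 1), (2, 3): (1, 2)}


def fault_tolerance(m: int, n: int) -> tuple[int, int]:
    """(dangerous HFT, spurious HFT) of an m-out-of-n group: it still trips
    after n - m channels fail dangerous, and needs m safe failures to trip
    spuriously, i.e. it tolerates m - 1 of them."""
    return n - m, m - 1


def conservative_degradation(m: int, n: int) -> tuple[int, int]:
    """Equivalent reading of the 7.11.3.3 table (assumption, checked against
    it in the tests): the by-passed channel is treated as if it voted for
    trip, so the remaining n - 1 channels need max(1, m - 1) demands. The
    by-pass therefore never makes the group harder to trip than simply
    removing that one sensor."""
    return max(1, m - 1), n - 1


def effective_architecture(m: int, n: int, bypassed: set[str]) -> tuple[int, int]:
    """Architecture actually voted given the set of by-passed sensor tags."""
    if not bypassed:
        return m, n
    if len(bypassed) > 1:
        raise ValueError("7.11.3.3: only one sensor may be by-passed at a time")
    if (m, n) not in DEGRADED:
        raise ValueError(f"{m}oo{n}: not a fault-tolerant group covered by 7.11.3.3")
    return DEGRADED[(m, n)]


def vote(m: int, n: int, demands: dict[str, bool], bypassed: set[str] = frozenset()) -> bool:
    """True when the (possibly degraded) m-out-of-n vote calls for a trip.

    demands maps each sensor tag to its demand flag (True = calls for trip);
    by-passed tags are excluded from the count.
    """
    if len(demands) != n:
        raise ValueError(f"expected {n} channels, got {len(demands)}")
    unknown = set(bypassed) - set(demands)
    if unknown:
        raise ValueError(f"by-passed tags not in the group: {sorted(unknown)}")
    m_eff, n_eff = effective_architecture(m, n, set(bypassed))
    active = [flag for tag, flag in demands.items() if tag not in bypassed]
    assert len(active) == n_eff
    return sum(active) >= m_eff


def maintenance_bypass_allowed(m: int, n: int, other_means: bool,
                               manual_trip_feasible: bool) -> bool:
    """Fault-tolerant groups (7.11.3.3) may by-pass one sensor; a non-fault-
    tolerant sensor (7.11.3.4) only when another means of monitoring the
    variable exists and the process dynamics allow a timely manual trip."""
    if (m, n) in DEGRADED:
        return True
    return other_means and manual_trip_feasible


if __name__ == "__main__":
    group = {"PT-1001A": True, "PT-1001B": False, "PT-1001C": False}
    print(vote(2, 3, group))                          # one of three: no 2oo3 trip
    print(vote(2, 3, group, bypassed={"PT-1001C"}))   # degraded to 1oo2: A alone trips
    for arch, degraded in DEGRADED.items():
        print(arch, fault_tolerance(*arch), "->", degraded, fault_tolerance(*degraded))
```

Running the module shows the practical effect: with PT-1001A alone calling for a trip, the 2oo3 group does not trip, but the same demand trips once PT-1001C is by-passed and the group is voted 1oo2. The by-pass keeps the group's ability to trip on one healthy sensor at the cost of its tolerance to a spurious demand, which is why 7.11.3.2 asks that its duration be as short as possible.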
7.11.3.4 For SIFs which do not have fault-tolerant sensors, there shall be a by-pass command for
maintenance only in the SIFs which satisfy both of the following requirements:
a) existence of other means to monitor the process variable in question;
b) the process dynamics allow the operator to activate the manual trip command in time.
7.11.3.5 SIF by-pass shall be conducted according to procedure developed specifically for this purpose
during the SIS detailing design phase. Such procedure shall include control of the by-pass duration (see
13.1.5) and comply with the plant or equipment operational standards, subject to SIS protection.
EXAMPLE
The operator, after receiving authorization, activates a by-pass request command, specific to
the desired sensor, via the BPCS's HMI. The maintenance technician then activates a physical
switch on the SIS Logic solver panel, which enables the requested by-pass command. While the
by-pass is active, an alert can be periodically announced. If the by-passed device is not
repaired within the MTTR assumed in the reliability calculations, an action pre-defined in the
specific procedure shall be taken to keep the plant or equipment in a safe state. The most
common example of such an action is to adopt a special operating regime (reduction of the
processing unit load, operating in alert state, etc.), which can result in manual actuation of
the safety function.
7.12 Operation Interface
7.12.1 It is assumed that the plant or equipment subject to SIS protection is monitored and
controlled by means of a BPCS, whose HMI also serves as the SIS interface to the plant's operator.
Therefore, the following SIS information shall be presented on the BPCS's HMI:
a) SIFs actuation indication (trip events);
b) first event indication in a trip sequence;
c) status indication (open/closed valve, motor turned on/off) and final elements diagnostic
(good/ in failure);
d) graphic representation of the logic showing states of inputs and outputs on the Logic
solver in real time with trip values (example: animated cause and effect matrices);
e) help texts;
f) by-pass status of sensors;
g) a summary of the Logic solver alarms (electrical power failure, high temperature in the
panel, modules in failure, wiring disruption, hardware failures on the safety CP, errors on
CP safety software etc.);
h) indications and diagnostics of analog sensors;
i) discrete sensors status;
j) alarms previous to SIFs actuation (pre-trip alarms);
k) communication failure on safety CP.
7.12.2 The following commands shall be previously configured and sent from the BPCS operation
interface to the SIS Logic solver:
a) first event acknowledgement;
b) alarm acknowledgement;
c) by-pass for operation startup;
d) by-pass for maintenance;
e) SIF reset.

7.12.3 It is recommended that every failure identified automatically in some SIS device, either by a
specific diagnostic function, by deviation in the monitored variable value, or by any other method,
generates an alarm in the BPCS operation interface. [Recommended Practice]
NOTE Deviation in the monitored variable value means a difference greater than twice the total
probable error between the values of the SIS analog sensors and the values of the control system
sensors for the same process variable.

7.12.4 It is recommended to implement synchronization between the internal clocks of BPCS and SIS
Logic solver, in order to allow an analysis of events sequence. [Recommended Practice]
7.12.5 A maximum delay of up to 3 seconds is acceptable between the occurrence of a trip action
activated by a SIF and its indication in the BPCS operation interface.
7.12.6 Whenever there is sufficient time for a corrective action by the operator there shall be a pre-trip
alarm.
7.12.7 It is recommended that the SIS alarms have visual and sound identification differentiated from
the other BPCS alarms. [Recommended Practice]
7.12.8 Visual identification for the first event of a trip sequence shall be prominently displayed in the
operation interface.
7.13 Interface for Maintenance and Engineering
7.13.1 The interface for maintenance and engineering shall be implemented on an industrial PC and
shall have the following functions:
a) Safety CP configuration and storage of its configuration;
b) diagnostic giving all details of failures detected in the Logic solver;
c) auditable history storage of actions / interventions in the SIS, with TAG, date, time and
personal identification, in order to be possible to analyze occurrences later.
7.13.2 The maintenance and engineering interface shall be provided with a password for access.
7.13.3 For the various safety CPs of an industrial site there shall be at least one
engineering/maintenance workstation interconnected via network to the safety CPs.
7.13.4 It is recommended to have a local communication port on each Safety CP in case of network
unavailability. [Recommended Practice]

7.14 Communication Interface with the BPCS


7.14.1 CANCELED - AMENDMENT 07/2012
7.14.2 The use of redundant communication modules and cables between the Logic solver and the
BPCS is recommended. [Recommended Practice]
7.14.3 It is recommended that the communication protocol used block any commands to the Logic
solver from the BPCS other than those previously defined in 7.12.2. [Recommended Practice]
7.14.4 In case of a failure, the communication interface shall:
a) not compromise SIF execution;
b) not cause a spurious trip;
c) announce the failure on the operation interface.

8 SIS Basic Design - Verification of the SIL and the MTTFS required for Each SIF
8.1 The verification phase is intended to provide greater consistency to the basic design, avoiding
significant changes during the detailing design.
8.2 Initially, a simple voting architecture (1 out of 1) and general-purpose components shall be
considered, increasing the architecture complexity gradually and then adopting special components, in
this order, until the SIL and MTTFS values required for the SIF are met, through the application of
reliability engineering calculations (for example, according to the methodology presented in
ISA TR 84.00.02 Part 2:2002).
NOTE An indication by calculation that fault tolerance is not required does not invalidate the
application of other redundancy criteria, such as operational flexibility, including the
execution of SIF tests during the plant's or equipment's operation.

8.3 The reliability calculation of each SIF shall be registered in a specific calculation sheet, containing
the following information:
a) SIF devices voting architecture;
b) devices used (description, brand and model);
c) failure rates of the devices used in the considered process conditions (see Notes 1 and 2);
d) coverage factor of the devices' diagnostics;
e) test coverage factor;
f) common cause factor;
g) MTTR considered in the industrial installation under analysis;
h) considered time interval between periodic tests;
i) adopted calculation method;
j) identification of the failure data sources used;
k) requirements and means to conduct tests during the normal operation campaign, if needed
(e.g., valve partial stroke tests);
l) special applicable requirements (examples: use of intrinsic safety barrier (see Note 3),
energize to trip (see Note 4));
m) considered calculation criteria (example: all failures detected during tests are corrected,
the repaired devices are as good as new, the failure rates are constant in time, etc.).

NOTE 1 The failure rates of devices to be used shall be obtained from databases established by the
Operational Unit.
EXAMPLE
EXIDA - Safety Equipment Reliability Handbook;
SINTEF - Reliability Data for Control and Safety Systems;
OREDA - Offshore Reliability Data;
CCPS - Guidelines for Process Equipment Reliability Data;
IEEE STD 500 - Reliability Data.
NOTE 2 It is recommended not to use failure rates reported by manufacturers, as they neither include
failures caused by the installation (tap clogging, for example) nor take into account the
actual process conditions (operating temperature, corrosive fluid, aggressive environment,
etc.). [Recommended Practice]
NOTE 3 In case it is necessary to use some element between field devices and the Logic solver
(intrinsic safety barrier, isolator, signal converter, interposing relay etc.), its failure rate shall
be considered in the calculation of SIL and MTTFS of a SIF.
NOTE 4 Typically, a UPS failure causes a spurious trip, but its failure rate shall not be taken into
account in the MTTFS calculation. On the other hand, if a SIF requires electric power to
operate, the UPS failure rate shall be taken into account when calculating its PFD.
8.4 The MTTR assumed in the reliability calculation shall include the time of: problem notification to
the Maintenance Management, execution of the repair itself and post-repair tests, and device
restoration to its normal operating condition.
8.5 The time period between periodic tests shall be equal to or greater than the foreseen campaign
period, being understood as the time interval between scheduled periodical shutdowns for plant or
equipment maintenance.
8.6 A time interval between tests shorter than the campaign period shall be adopted only in cases
where it is proven that the required SIL cannot be achieved otherwise.
8.7 In case it is adopted a time interval between tests lower than the campaign period, the respective
SIF shall be provided with resources/facilities to enable periodic testing during the normal operation
campaign of plant or equipment, without compromising its integrity or availability (production losses).
Such resources/facilities are part of the SIF design.
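Added example of the 8.2 to 8.7 verification sequence, not part of this Standard and not the ISA TR 84.00.02 calculation itself: the Python code below uses widely used simplified low-demand approximations (constant failure rates, all failures revealed and repaired as new at each proof test, beta-factor common cause, diagnostics neglected, consistent with the 8.3 m) criteria) and searches in the 8.2 order, 1oo1 with general-purpose components first, then more complex voting, then special components, with the proof-test interval kept equal to the campaign (8.5) and shortened only when nothing else meets the target (8.6, 8.7). The two devices' failure rates, the beta factor, the MTTR, the campaign period and the SIL/MTTFS targets are constructed values, not data from the databases listed in NOTE 1 of 8.3.

```python
"""SIL and MTTFS verification sequence of section 8 (8.2 to 8.7).

Added example; not part of N-2595 and not the ISA TR 84.00.02 calculation.
Simplified low-demand approximations are used (constant failure rates, all
failures revealed and repaired as new at each proof test, beta-factor
common cause, diagnostics neglected). All device data, beta, MTTR, campaign
period and targets are constructed values, not data from any database
listed in NOTE 1 of 8.3.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands: SIL n is achieved when PFDavg < PFD_LIMIT[n]
# (PFDavg >= 0.1 achieves no SIL)
PFD_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass(frozen=True)
class Device:
    name: str
    lambda_du: float   # dangerous undetected failures per hour
    lambda_s: float    # safe (spurious-trip) failures per hour


@dataclass(frozen=True)
class Result:
    ti_yr: float
    device: Device
    arch: str
    pfd: float
    mttfs_yr: float
    needs_online_test: bool   # 8.7: TI shorter than the campaign


def pfd_avg(arch: str, lam_du: float, ti_h: float, beta: float) -> float:
    """Simplified PFDavg of a voted group of identical channels with
    proof-test interval ti_h (valid for lam_du * ti_h << 1)."""
    x = lam_du * ti_h
    ccf = beta * x / 2.0             # common-cause share of a redundant group
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return x * x / 3.0 + ccf
    if arch == "2oo2":
        return x                     # both channels must work: ~2 * (x / 2)
    if arch == "2oo3":
        return x * x + ccf
    raise ValueError(arch)


def spurious_trip_rate(arch: str, lam_s: float, mttr_h: float) -> float:
    """Simplified spurious-trip rate (per hour) of the voted group."""
    if arch == "1oo1":
        return lam_s
    if arch == "1oo2":
        return 2.0 * lam_s
    if arch == "2oo2":
        return 2.0 * lam_s * lam_s * mttr_h   # second safe failure within MTTR
    if arch == "2oo3":
        return 6.0 * lam_s * lam_s * mttr_h
    raise ValueError(arch)


def sil_achieved(pfd: float) -> int:
    """Highest SIL whose band contains pfd; 0 when PFDavg >= 0.1."""
    return max([0] + [sil for sil, limit in PFD_LIMIT.items() if pfd < limit])


def verify_sif(target_sil: int, mttfs_required_yr: float, campaign_yr: float,
               general: Device, special: Device, beta: float,
               mttr_h: float) -> Optional[Result]:
    """First combination meeting both targets, searched in the 8.2 order
    (voting complexity, then component class) with TI = campaign (8.5), then
    with TI halved and quartered (8.6). Returns None if nothing meets them."""
    archs = ("1oo1", "1oo2", "2oo2", "2oo3")          # increasing complexity
    for ti_yr in (campaign_yr, campaign_yr / 2, campaign_yr / 4):
        for dev in (general, special):
            for arch in archs:
                pfd = pfd_avg(arch, dev.lambda_du, ti_yr * HOURS_PER_YEAR, beta)
                rate = spurious_trip_rate(arch, dev.lambda_s, mttr_h)
                mttfs_yr = 1.0 / (rate * HOURS_PER_YEAR)
                if sil_achieved(pfd) >= target_sil and mttfs_yr >= mttfs_required_yr:
                    return Result(ti_yr, dev, arch, pfd, mttfs_yr, ti_yr < campaign_yr)
    return None


# Constructed device data (not from any published database)
GENERAL = Device("general-purpose transmitter", lambda_du=5e-7, lambda_s=1e-6)
SPECIAL = Device("SIL-certified transmitter", lambda_du=1e-7, lambda_s=8e-7)

if __name__ == "__main__":
    # SIL 3 and MTTFS >= 50 years over a 4-year campaign, beta = 5 %, MTTR = 24 h
    print(verify_sif(3, 50.0, 4.0, GENERAL, SPECIAL, beta=0.05, mttr_h=24.0))
```

With the constructed data the example settles on 1oo2 general-purpose transmitters tested every campaign (PFDavg about 5.4 x 10^-4, MTTFS about 57 years). Raising the MTTFS requirement to 100 years pushes the search to 2oo3; raising the beta factor to 0.2 pushes it to the special components; asking for SIL 4 with beta 0.2 is only met with the interval cut to one year, which in turn brings in the on-line test facilities of 8.7. A calculation sheet per 8.3 would record each of these inputs next to the result.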

9 SIS Detailing Design


This chapter establishes requirements for the preparation and presentation in an organized and
systematic way, of a set of documents that enable the correct SIS physical and functional deployment.

9.1 General Requirements


9.1.1 The implementation of SIS detailing design shall consider the implementation requirements
established on Section 7 of this Standard.
9.1.2 The following documents shall be available to start the detailing design phase:
a) SIF Data Sheet;
b) SIFs SIL and MTTFS Verification Calculation Sheets;
c) SIS instruments Process Data Sheet.

9.2 Documentation
9.2.1 The documents listed below shall be prepared during the SIS detailing design phase and
comply with PETROBRAS N-1883, forming a distinct and separate set from other detailing design
documents (see ISA S.91.00.01):
a) SIFs list and instruments list of the SIS (see Note 1);
b) SIS instruments data sheet;
c) SIS setpoint list;
d) SIFs SIL and MTTFS Verification Calculation Sheets (Note 2);
e) SIS logic diagram;
f) SIS loop diagram;
g) SIS interconnection diagram;
h) SIS communication list;
i) inputs and outputs list of SIS Logic solver;
j) SIS electrical loads list (see Note 3);
k) SIS Logic solver technical specification;
l) SIS panels technical specification;
m) technical manual (manufacturers) of SIS Logic solver - (see Note 4);
n) technical manual (manufacturers) of SIS sensors - (see Note 4);
o) technical manuals (manufacturers) of SIS final elements - (see Note 4);
p) SIS Logic solver application program (listing);
q) SIS panels drawings;
r) SIS FAT plan (see Note 5);
s) SIS operation manual (see Note 6);
t) SIS maintenance plan (see Note 7).
NOTE 1 SIFs and SIS instruments list is a document divided into two parts: the first part shall
correlate in numerical order each SIS SIF (tag, description and required SIL) with each
instrument tag (sensors and final elements) that compose it. The second part shall correlate
in alphabetical order each SIS instrument (tag, service, flowchart or source drawing and data
sheet) with SIFs tags of which they are part of.
NOTE 2 The SIFs SIL and MTTFS Verification Calculation Sheets of the detailing design shall
contain the same calculations performed during the basic design, but considering the voting
architectures and the specific models of sensors, Logic solver and final elements actually
adopted, and include the calculations of SIF response and delay time, if necessary.
NOTE 3 The SIS electrical loads list will be needed if the SIS power supply is exclusive.
NOTE 4 The technical manuals shall include, where applicable, the relevant certificates and reports
of compatibility with the safety integrity level according to IEC 61508-1.
NOTE 5 SIS FAT Plan content is defined in 10.2 of this Standard.
NOTE 6 SIS operation manual content is defined on 13.1 of this Standard.
NOTE 7 SIS maintenance plan content is defined on 13.2 of this Standard.
9.2.2 SIF data sheets shall be reviewed in accordance with the consolidated information of the
documents mentioned in a), b), c) and d) in 9.2.1.
9.2.3 After completing the design phase, all SIS documents, including SIF data sheets, manuals,
plans and reports shall be grouped to compose the Safety Instrumented Systems Manual.

10 Factory Acceptance Test and Preservation


10.1 Factory Acceptance Test - FAT
10.1.1 The SIS FAT shall be performed after the Logic solver detailing design conclusion and the
development of its respective application program and before the Logic solver installing and
precommissioning phases (see IEC 62381).
10.1.2 The FAT's goal is to verify that the Logic solver and application program set operates in
compliance with the requirements previously established in the SIF data sheets and the logic
diagram. The FAT shall be planned and executed in detail so as to resolve non-compliances, faulty
equipment and pending issues.
10.1.3 The SIS FAT shall be exhaustive, cov ering all SIFs and all possible logic combinations of each SIF.

10.2 Prerequisites for FAT Implementation


10.2.1 A proper and specific FAT plan shall be prepared during the SIS detailing design phase.
Such planning shall be structured and presented in a document entitled FAT Plan, which shall include
the following items:
a) implementation site;
b) reference documents, among which the SIS Technical Specification of Logic solver
stands out;
c) competence of staff assigned to supervise and perform the tests;
d) responsibility for implementing and recording tests;
e) responsibility for monitoring, witnessing and release;
f) execution schedule;
g) description of test platform and tools;
h) list of tests to be executed;
i) execution procedure specifically designed for each type of test;
j) acceptance criteria;
k) report model for results record - FAT report;
l) corrective action procedures;
m) pending issues classification and registration form for them;
n) reports of internal tests performed (pre FAT).
10.2.2 The acceptance criteria are part of the test procedure and shall be based on the Technical
Specification of the Logic solver.
10.2.3 The FAT Plan shall be submitted for review and release by PETROBRAS. Only after the FAT
Plan's release may the FAT implementation itself proceed.

10.3 FAT Execution


10.3.1 FAT shall be done with the same equipment and application programs (utilities and embedded)
to be effectively installed in the field.
10.3.2 It is recommended to use process simulation resources with graphical visualization to help the
FATs implementation. [Recommended Practice]
10.3.3 FAT shall be conducted in accordance with the FAT Plan, including the following tests:
a) visual inspection;
b) electrical tests: isolation, continuity;
c) functional tests: logic verification itself;
d) memory map verification and compliance with design;
e) performance tests: scan time measurement, etc.;
f) environmental compatibility tests: electromagnetic compatibility, operation above the
specified room temperature, etc.;
g) failure tolerance tests: operation under degraded mode;
h) interface tests:
   reading and writing of all channels, analog and digital, input and output, as well as all
   diagnostic levels (example: 2 mA on a 4 mA to 20 mA signal; simulation of cable break on a
   monitored digital input signal);
   voltage variation of the electric power supply;
   verification of network communication;
   verification of pressurization, if applicable, in the defined pressure range.
NOTE 1 Testing of analog inputs shall be carried out at no fewer than five representative points of the
measuring range. Example: 0 %, 25 %, 50 %, 75 % and 100 %.
NOTE 2 A temporary HMI with specific graphic displays shall be provided for the tests.
10.3.4 For each executed test, the following shall be recorded:
a) document number of the associated FAT Plan;
b) SIF tag and the specific functionality under test;
c) document number of the associated test procedure;
d) identification of equipment and tools used;
e) description of performed activities;
f) individual results obtained from each SIF;
g) compliance with the acceptance criteria and punch list;
h) signatures of the executor and witnesses.

10.3.5 The records of the performed tests shall be grouped in a document entitled FAT Report, which
shall be submitted for PETROBRAS review and release.
10.3.6 In case a test execution is not successful, the corresponding event shall be recorded in the
report and analyzed, and the foreseen corrective actions shall be applied.
10.3.7 During the FAT, no changes shall be made to the application program that modify the
functionality or integrity of the SIFs. Any modification shall be made in accordance with 13.4 of
this Standard.
10.3.8 For a better analysis of the implemented logic functionality, it is recommended to include in the
FAT monitoring and witnessing team the operating personnel of the plant or equipment in which the
Logic solver will be installed. [Recommended Practice]

10.4 Preservation
10.4.1 The aim of this phase is to provide information for maintaining the Logic solver's physical
integrity during the periods of transportation and storage, prior to the installation phase.
10.4.2 A document entitled Preservation Plan shall be prepared, which shall include the following
items:
a) description of the packaging for transport, including handling recommendations;
b) extreme conditions to which the equipment may be subject, such as acceleration,
temperature, humidity, pressure etc.;
NOTE If the device's sensitivity to accelerations is a critical factor, the use of shock detectors for
transport shall be evaluated.
c) description of the procedures for receiving and inspecting at the erection site;
d) description of the procedures for preservation in the pre- and post-installation phases.


11 Installation and Precommissioning for SIS Operation Start


11.1 Installation
11.1.1 The installation phase is intended to ensure that all SIS devices are actually installed
according to their technical specifications and the other requirements established in the design phase.
11.1.2 A document entitled Installation Plan shall be prepared, which shall contain:
a) list of materials and equipment to be installed;
b) description of the installation activities, which shall include the verification of the conditions
foreseen in the Preservation Plan;
c) procedures and techniques to be used during installation;
d) execution schedule for the installation activities;
e) list of staff responsible for supervising the installation activities;
f) corrective action procedures.
11.1.3 The SIS shall be installed according to the Installation Plan, which shall observe all requirements of
PETROBRAS N-858.
11.1.4 During the installation, any impediment to following what is defined in the design (e.g.,
physical interference, reduced space, insufficient length of electrical cable, etc.) shall be registered in the
installation report and sent for analysis to those responsible for preparing the design, who shall indicate
a solution to be adopted that does not degrade the technical requirements established in the SIS
design. The design documentation shall be updated accordingly.

11.2 Precommissioning
11.2.1 The precommissioning phase aims to ensure that all SIS devices are individually operating, in
order to enable the completion of the pre-operation phase (see IEC 62337).
11.2.2 A document entitled Precommissioning Plan shall be prepared, containing:
a) list of equipment to be commissioned (sensors, Logic solver, final elements, etc.);
b) punch list raised in the FAT and not yet solved;
c) description of the precommissioning activities;
d) procedures and techniques to be used during precommissioning (calibration, leakage
test, etc.);
e) execution schedule for the precommissioning activities;
f) list of staff responsible for supervising and registering the precommissioning activities.
11.2.3 Precommissioning activities shall include the following tasks:
a) visual inspection;
b) verification of connections and electrical grounding resistance;
c) verification of electric, pneumatic and hydraulic supply;
d) parameterization and calibration of the sensors and final elements;
e) verification of the electric interconnection between the sensors and final elements and the
Logic solver panel, including continuity and isolation;
f) verification that all block and drain valves are in the normal operating position;
g) verification that all SIS devices are energized and with an internal diagnostic indicating good
operating status;
h) verification of the correct transmission and reception of information from the operator
interface (HMI);
i) measurement of the actuation time of the final elements;
j) confirmation of immunity to electromagnetic interference.
11.2.4 SIS devices shall be precommissioned in accordance with the Precommissioning Plan, which shall
meet the requirements of PETROBRAS N-858. During the execution of the precommissioning activities, a
precommissioning report shall be recorded and prepared in order to demonstrate compliance with the
technical requirements established in the SIS design.

12 SIS Pre Operation and Final Acceptance


12.1 Pre Operation
12.1.1 The pre-operation phase shall be performed after completion of the installation and
precommissioning phases. The successful conclusion of this phase is a prerequisite for the start-up of
the plant or equipment subject to the SIS protection.
12.1.2 The pre-operation phase aims to validate the SIS through the execution of simulations and exhaustive
functional tests, covering not only the joint operation of all SIS devices, but also their operation together with
the other systems and/or equipment interconnected and effectively installed in the field.
12.1.3 A document entitled SIS Pre Operation Plan shall be prepared, containing:
a) Validation Activities List, including all relevant operating modes of the process or
equipment associated with the SIS (start-up, steady state, shutdown, maintenance, etc.);
b) procedures and techniques to be used;
c) execution schedule for the validation activities;
d) list of staff responsible for executing, registering and monitoring the validation activities;
e) list of design documents to be used as the reference for validation (SIF data sheets, cause
and effect matrix, logic diagram, etc.).
12.1.4 It is recommended that the Pre-Operation Plan does not impose an excessive number of
demands on the final elements during testing. [Recommended Practice]
12.1.5 The Validation Activities List shall include, at least:
a) simulation of each SIF actuation, confirming the design functionality of the set of sensor(s), Logic
solver and final element(s), including voting architectures;
b) confirmation of the thresholds for each SIF actuation (trip set points) and of the delay time
values;
c) step by step simulation of the plant or equipment start-up sequence, including by-pass
commands and actuation of each SIF;
d) performance tests, including SIF response time;
e) confirmation of the correct actuation of the commands for manual start and shutdown;
f) confirmation of the correct actuation of the by-pass commands for maintenance;
g) confirmation of the correct actuation of the reset commands;
h) confirmation of proper communication with the operator interface, including
indications, alarms generated by SIFs, event records, animated cause and effect matrix,
etc.;
i) confirmation of the expected behavior of each SIF in case of out-of-range
measurements, power supply interruption and loss of pneumatic or hydraulic
pressurization.


12.1.6 The activities performed in the SIS pre-operation phase shall be registered in a validation
report.

12.2 SIS Final Acceptance

12.2.1 The aim of this phase is to record conclusively the end of the SIS pre-operation phase, releasing
it for operation start-up.
12.2.2 A document entitled SIS Acceptance Declaration shall be prepared, which shall include the
following records:
a) number of the SIS Pre-Operation Plan used;
b) version of the validated application programs;
c) test tools and equipment used;
d) identification of each examined SIF and the respective test results;
e) test results from the other interconnected systems (BPCS, other SISs);
f) description of the discrepancies observed;
g) name and signature of the personnel responsible for the operation of the plant or equipment.
12.2.3 Any discrepancy observed between the obtained and expected results shall be submitted for
analysis by those responsible for preparing the design in order to decide correctly whether the SIS can be
accepted, or whether a revision of the design documents is necessary. The analysis report and the decision
concerning the treatment to be given to the discrepancy(ies) shall be part of the SIS Acceptance
Declaration.
12.2.4 Every pending issue that degrades any technical requirement established in the SIS design shall
be resolved.
12.2.5 As a final activity, a SIS inspection shall be performed to ensure that:
a) all by-pass functions were left in their normal operating positions;
b) all final elements (block valves, by-pass valves, etc.) are in their respective safety
positions;
c) all materials and test devices have been removed;
d) all "forced" variables or conditions in the application program have been removed.

13 Operation, Maintenance, Periodic tests and Modifications


13.1 Operation
13.1.1 The purpose of 13.1 is to establish requirements that contribute to the proper operation of the SIS
throughout its life cycle.
13.1.2 During the detailed design, a document entitled SIS Operation Manual shall be prepared,
which shall present the following contents in an organized manner:
a) functional and detailed description of each SIF, mentioning:
  - the hazardous event against which the SIF is intended to protect;
  - the potential consequences associated with that hazardous event;
  - the probable causes of SIF demand;
  - description of the safe state and of the SIF's correct actuation;
  - alarm and trip set point values;
  - description of the alarms and the associated interface presentation (screens, light and
    sound annunciators, etc.);
  - specific operating procedures when operating with a SIF in by-pass;
b) step by step description of the start-up sequence of the process or equipment associated
with the SIS, explaining:
  - by-pass commands;
  - process conditions to be fulfilled at each step and its associated SIFs;
  - time intervals that shall be observed (heating ramp, purge time etc.);
  - reset functions;
c) individual description of each by-pass command, either for start-up or maintenance, detailing
the conditions under which it shall be used;
d) individual description of each manual shutdown command, identifying the possible situations
in which it shall be activated;
e) instruction about the necessity of conducting periodic tests on the SIFs to maintain their
integrity;
f) procedures associated with the occurrence of SIS diagnostic alarms.

13.1.3 The SIS Operation Manual shall reference and comply with all other SIS design documents,
such as risk analysis reports, SIF data sheets, cause and effect matrix, logic diagram, etc.
13.1.4 The staff responsible for operating the plant or equipment subject to SIS protection shall
undergo training in order to be instructed on the information and procedures contained in the SIS
Operation Manual. The training shall be appropriately recorded to ensure traceability.
13.1.5 In case a SIF is unavailable, a specific procedure shall be used for its temporary by-pass.
NOTE It is recommended that the by-pass registration document contain: [Recommended Practice]
a) description of the SIF to be by-passed;
b) reasons for the unavailability;
c) time interval foreseen for the by-pass;
d) complementary operational actions during the by-pass period;
e) competent authority's signature.

13.2 Maintenance
13.2.1 The purpose of 13.2 is to establish requirements that allow the integrity and reliability of the SIS
to be maintained over its life cycle.
13.2.2 During the detailed design, a document entitled SIS Maintenance Plan shall be prepared, which
shall present the following content in an organized manner:
a) list of periodic tests to be performed for each SIF, covering:
  - the SIF's functional description;
  - safety integrity level to be maintained;
  - alarm and trip set point values;
  - minimum frequency required for execution;
  - detailed procedure for periodic test execution;
b) list of routine inspections to be carried out, covering:
  - site integrity verification: conduits and trays, junction boxes, supports, tubing,
    padlocks and seals on valves and circuit breakers etc.;
  - scheduled replacement of batteries, fans, etc.;
  - verification of application program backups.


c) forms for registering periodic maintenance tests, routine inspections and failure repairs,
containing at least the following information:
  - task description;
  - task execution date;
  - staff responsible for the execution and time spent on it;
  - failure detection mode and description of the corrective action, if applicable;
d) execution schedule of periodic tests and inspections;
e) description of the necessary tools and equipment;
f) list of staff and organizations responsible for implementing periodic tests, routine
inspections and the related records.
13.2.3 It is recommended to adopt a systematic strategy for coding tasks, failures, corrective
actions and actuations in order to allow statistical analysis of SIS occurrences. [Recommended
Practice]
13.2.4 The execution of scheduled SIS maintenance interventions shall follow the SIS Maintenance
Plan, and all records of their execution shall be available for consultation.
13.2.5 The SIS Maintenance Plan shall reference and comply with all other SIS design documents, such
as risk analysis reports, SIF data sheets, cause and effect matrix, logic diagram etc.
13.2.6 It is recommended that protection layers other than the SIS be included in the SIS
Maintenance Plan, if they have been credited in the risk reduction. [Recommended Practice]
13.2.7 Those responsible for SIS maintenance activities shall undergo training in order to be
instructed on the information and procedures contained in the respective SIS Maintenance Plan. The
training shall be appropriately recorded to ensure traceability.
13.2.8 Access to the SIS Logic solver shall be restricted to staff authorized by the person responsible for
maintenance. The number of people with access authorization shall be limited and controlled.
13.2.9 All SIS documentation shall be included in a revision control system which ensures its updating
and distribution, so that its users are always in possession of the latest revision.
13.2.10 Periodic audits shall be carried out to confirm compliance with the following items:
a) procedure adopted for implementing modifications;
b) procedure adopted for testing and verification of its periodicity;
c) system for maintenance records and analysis;
d) training of maintenance personnel;
e) documentation integrity and updating.

13.3 Periodic tests

13.3.1 The purpose of 13.3 is to establish requirements for the execution of periodic tests on the SIS in
order to detect and correct undetected failures that could compromise the SIS's functionality or integrity.
13.3.2 Periodic tests shall be conducted in accordance with the procedures
developed and written specifically for each SIF, present in the SIS Maintenance Plan.
NOTE It is recommended to use ISA TR 84.00.03 as a reference. [Recommended Practice]


13.3.3 The periodicity of the tests shall be such that it maintains the SIL of each SIF, as prescribed on
the SIF Data Sheets (basic design) and confirmed after SIL verification phase (detailing design).
13.3.4 During scheduled maintenance shutdowns all SIFs, regardless of the SIL and existence of
monitoring, shall be tested with coverage factor equal to 1.
13.3.5 The periodic tests shall cover all SIF devices, as follows: sensors, Logic solver and final
elements.
13.3.6 Sensors shall be tested simulating, as closely as possible, the actual operating conditions, including
impulse lines, primary flow elements and electrical installation. Example: level switch block and drain.
13.3.7 Final elements shall be tested by forcing the actuation of the respective Logic solver outputs,
including the normally energized ones.
13.3.8 In cases where it is not feasible to complete the final element test under normal operation,
specific test procedures shall include:
a) execution of the full test during process or equipment shutdown;
b) execution of partial test(s) during the operational regime of the process or equipment,
involving the following components: output circuits, interposing relays, solenoid valves
and partial stroke of block valves.
13.3.9 A contingency action shall be provided in case the final element fails in the safe position during the
test.
13.3.10 If the periodic test confirms the existence of a previously undetected failure, it shall
be repaired in order to restore the integrity of the SIF(s) involved.
13.3.11 Records of these periodic tests shall contain the following information:
a) test procedure number;
b) test execution date;
c) name of the person responsible for executing the test;
d) tag and serial number of the tested devices;
e) test result "as found", including a description of the failure (if any);
f) test result "as left", according to the procedure acceptance criteria;
g) description of the performed jobs, including replaced parts (if any) and time spent.

13.3.12 The records of periodic tests shall be kept throughout the SIS's life cycle, so that they:
a) can be checked at any time;
b) allow assessment of long-term performance.
13.3.13 At the discretion of the Operational Unit, real or spurious trips may be considered as SIF tests,
provided they meet the following conditions:
a) the trip event shall be recorded in a specific form, containing at a minimum: date and time
of the event, actuated SIF, alarms, detection mode, identified cause (process variable
deviation, device(s) failure, human action), subsequent actions and responsible
person's name; the trip registration form shall be stored in the technical documentation
system of the Operating Unit, in a traceable way;
b) trips with unknown cause shall not be used as a SIF test;
c) on a spurious trip caused by a failure of the final element, none of the SIF devices can be
considered as tested;
d) on a spurious trip caused by a failure of the output module of the safety CP, only the final
element can be considered as tested;
e) on a spurious trip caused by a failure of the Logic solver CPU, only the output module of the
safety CP and the final element can be considered as tested;
f) on a spurious trip caused by a failure in the input module of the safety CP, the entire SIF,
except the sensor and the safety CP input module, can be considered as tested;
g) on a spurious trip caused by a sensor failure, the entire SIF, except the sensor, can be
considered as tested;
h) on an actual trip, only devices that have been shown (from the records of the event) to
operate properly can be considered tested.
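The device-by-device rules of items b) to h) can be applied mechanically when a trip is logged. The Python below is an added example, not code from this Standard: it models the SIF signal path (sensor, safety CP input module, Logic solver CPU, safety CP output module, final element) and credits as tested only the devices downstream of the one that failed, which reproduces items c) to g) case by case; an unknown cause credits nothing (item b)), a real trip credits only the devices the records show operated properly (item h)), and a trip form missing any of the minimum fields of item a) is rejected. The record field names and the sample record are constructed for this example.

```python
"""Which SIF devices may be credited as tested after a real or spurious trip (13.3.13)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Device(Enum):
    """Devices of a SIF, named as in 13.3.13."""
    SENSOR = "sensor"
    INPUT_MODULE = "safety CP input module"
    CPU = "Logic solver CPU"
    OUTPUT_MODULE = "safety CP output module"
    FINAL_ELEMENT = "final element"


# Signal path of a SIF from upstream to downstream. A spurious trip that originates in a
# failed device only exercises the devices downstream of it; slicing the path after the
# failed device therefore yields exactly the sets listed in items c) to g).
SIGNAL_PATH = (
    Device.SENSOR,
    Device.INPUT_MODULE,
    Device.CPU,
    Device.OUTPUT_MODULE,
    Device.FINAL_ELEMENT,
)

# Minimum content of the trip registration form required by item a) (field names assumed here).
REQUIRED_FIELDS = (
    "date_time",
    "sif_tag",
    "alarms",
    "detection_mode",
    "cause",
    "subsequent_actions",
    "responsible",
)


@dataclass
class TripRecord:
    """One trip registration form (constructed structure for this example)."""
    date_time: str
    sif_tag: str
    alarms: str
    detection_mode: str
    cause: str                  # "spurious", "real" or "unknown"
    subsequent_actions: str
    responsible: str
    failed_device: Optional[Device] = None              # spurious trips: the device that failed
    devices_shown_ok: FrozenSet[Device] = frozenset()   # real trips: devices the records show operated properly


def missing_fields(record: TripRecord) -> List[str]:
    """Fields of item a) that are empty in the record."""
    return [name for name in REQUIRED_FIELDS if not getattr(record, name)]


def credited_as_tested(record: TripRecord) -> FrozenSet[Device]:
    """Return the devices of the SIF that may be recorded as tested for this trip."""
    missing = missing_fields(record)
    if missing:  # item a): an incomplete form gives no test credit at all
        raise ValueError(f"trip form incomplete, missing: {missing}")
    if record.cause == "unknown":  # item b)
        return frozenset()
    if record.cause == "real":  # item h): only devices the records show operated properly
        return frozenset(record.devices_shown_ok)
    if record.cause == "spurious":  # items c) to g): everything downstream of the failed device
        if record.failed_device is None:
            raise ValueError("a spurious trip must identify the failed device")
        downstream = SIGNAL_PATH[SIGNAL_PATH.index(record.failed_device) + 1:]
        return frozenset(downstream)
    raise ValueError(f"unknown trip cause {record.cause!r}")


if __name__ == "__main__":
    # Constructed record: the safety CP output module failed and de-energized the valve.
    rec = TripRecord(
        date_time="2010-12-01 10:15",
        sif_tag="SIF-101",
        alarms="XA-101 trip; DA-101 output module fault",
        detection_mode="SIS diagnostic alarm",
        cause="spurious",
        subsequent_actions="output module replaced; SIF-101 reset",
        responsible="maintenance supervisor",
        failed_device=Device.OUTPUT_MODULE,
    )
    for dev in credited_as_tested(rec):
        print("credited as tested:", dev.value)
```

The record returned by credited_as_tested is what would be written into the periodic test records of 13.3.11 for the SIF; a device not in the returned set keeps its scheduled test date.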

13.4 Modifications
13.4.1 The purpose of 13.4 is to establish requirements so that changes made to the SIS do not impact
the safety of the plant or associated equipment.
13.4.2 Any proposed change to the SIS shall be based on facts and data recorded in a document
entitled SIS Modification Request, which shall contain:
a) description of the proposed modification;
b) reasons for executing the modification;
c) related conditions or hazardous events.
13.4.3 Any proposed modification shall be submitted to an initial analysis by the technical team
responsible for the SIS in order to classify it as:
a) modification type 1: does not change the logic structure, SIL or MTTFS of the SIF(s)
involved. Examples: changes to setting parameters, such as range values, alarm or
trip set points, or time delays;
b) modification type 2: can change the functionality, SIL or MTTFS of the SIF(s) involved.
Examples: addition or removal of sensors or final elements, changes to the voting
architecture, to the equipment type, or to the logic of the application program.
13.4.4 It is recommended to avoid: [Recommended Practice]
a) modifications to the application program logic during operation of the process or
equipment associated with the SIS;
b) firmware modifications, except when required for the correction of failures detected by the
manufacturer.
13.4.5 After the initial screening, the SIS Modification Request document shall be:
a) submitted for approval by the person responsible for the industrial plant's operation;
b) stored in order to enable consultation during and after the modification process.
13.4.6 If the modification request is approved, the technical team responsible for applying the requested
changes shall issue a revision of all relevant technical documents, including testing, operation and
maintenance procedures. The revised documentation shall be identified as "PROVISORY REVISION
FOR SIS MODIFICATION" and reference the corresponding SIS Modification Request.


13.4.7 Before the revision of the documents affected by a type 2 modification, the risk analysis and
assessment shall be revalidated with respect to SIL and MTTFS.
13.4.8 Prior to the execution of any SIS modification, the verification tests of the functionality of the
SIF(s) involved in the modification shall be revalidated.
13.4.9 Any execution of a SIS modification shall be planned in compliance with the current procedures for
access and work authorization in the Operational Unit.
13.4.10 The execution of changes to the application program shall include additional verifications to
ensure that no changes have been made to other SIFs not involved in the implemented modification.
13.4.11 After completion of the verification functional tests, the description of the revised technical
documents affected by the modification shall be changed to "REVISED ACCORDING TO
MODIFICATION REQUEST ON SIS N....".
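The verification of 13.4.10 (no SIF outside the request changed) and the initial screening of 13.4.3 can both be supported by comparing a per-SIF digest of the application program taken before and after the download. The Python below is an added example, not code from this Standard or from any Logic solver vendor: the representation of a SIF as a dictionary of fields (inputs, voting, set points, delays, outputs) and the field names themselves are this example's assumptions, and the type 1 / type 2 screening it performs is only a first pass based on which fields changed, not a substitute for the analysis the technical team is required to make under 13.4.3. The sample program and the modification are constructed.

```python
"""Per-SIF integrity check of an application program before and after a modification
(13.4.10), with a first-pass classification of each change by 13.4.3."""
import hashlib
import json
from typing import Any, Dict, Set

# Fields whose change alone does not alter logic structure, SIL or MTTFS, following the
# type 1 examples of 13.4.3 (field names are this example's assumption).
TYPE_1_FIELDS = {"range", "alarm_setpoint", "trip_setpoint", "delay_s"}


def sif_digest(block: Dict[str, Any]) -> str:
    """SHA-256 over a canonical (sorted-key, compact) JSON encoding of one SIF's logic block."""
    canonical = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def program_manifest(program: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Digest of every SIF in the application program, keyed by SIF tag."""
    return {tag: sif_digest(block) for tag, block in program.items()}


def classify_change(before: Dict[str, Any], after: Dict[str, Any]) -> str:
    """Initial screening by 13.4.3: 'type 1' if only setting parameters changed, else 'type 2'."""
    changed = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
    return "type 1" if changed <= TYPE_1_FIELDS else "type 2"


def verify_modification(before: Dict[str, Dict[str, Any]],
                        after: Dict[str, Dict[str, Any]],
                        authorized_sifs: Set[str]) -> Dict[str, Any]:
    """Compare the two manifests; every SIF whose digest changed must be in authorized_sifs."""
    m0, m1 = program_manifest(before), program_manifest(after)
    changed = {tag for tag in m0.keys() | m1.keys() if m0.get(tag) != m1.get(tag)}
    unauthorized = changed - set(authorized_sifs)
    return {
        "ok": not unauthorized,
        "changed": sorted(changed),
        "unauthorized": sorted(unauthorized),
        "classification": {tag: classify_change(before.get(tag, {}), after.get(tag, {}))
                           for tag in sorted(changed)},
        # Manifest to record with the validated program version (see 12.2.2 b)).
        "manifest_after": m1,
    }


if __name__ == "__main__":
    # Constructed application program: two SIFs described by the fields a SIF data sheet
    # or logic diagram would carry.
    before = {
        "SIF-101": {"inputs": ["PT-101A", "PT-101B", "PT-101C"], "voting": "2oo3",
                    "trip_setpoint": 12.0, "delay_s": 2, "outputs": ["XV-101"]},
        "SIF-102": {"inputs": ["LT-102A", "LT-102B"], "voting": "1oo2",
                    "trip_setpoint": 85.0, "delay_s": 0, "outputs": ["XV-102"]},
    }
    # The authorized request raises the SIF-101 trip set point (type 1). The same download
    # also silently changed the voting of SIF-102, which the 13.4.10 check must catch.
    after = json.loads(json.dumps(before))
    after["SIF-101"]["trip_setpoint"] = 12.5
    after["SIF-102"]["voting"] = "2oo2"
    report = verify_modification(before, after, {"SIF-101"})
    print(json.dumps({k: v for k, v in report.items() if k != "manifest_after"}, indent=2))
```

The digests are computed over a canonical encoding so that two exports of the same logic that differ only in key order compare equal; the manifest of the validated program is the natural artifact to file with the acceptance records and to recompute at the next periodic audit of 13.2.10.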


Annex A - Determination of the Required Safety Integrity Level Using the Risk Graph
Method
A.1 Introduction
A.1.1 This annex describes the risk graph method, which allows the safety integrity level of a SIF to
be determined from knowledge of the risk factors associated with the process and the basic process
control system. This is a semi-qualitative method, developed based on Annex D of
IEC 61511-3:2003.
A.1.2 This approach uses parameters that together describe the nature of the hazardous
situation that occurs in case of SIS absence or failure. Four sets of parameters are used, and the
selected parameters are combined to determine the SIF's safety integrity level. These parameters
represent key factors in the risk assessment and allow a graded risk rating.
A.1.3 This Annex provides examples of risk graphs and parameter tables designed to meet the
criteria of typical process units. Before being used in any design, it is important that they be validated by the
area responsible for plant safety. On that occasion, adjustments may be made to the parameters in
order to fit them to specific situations.
A.1.4 In this annex, risk graphs related to people safety in process industries, environmental
protection aspects and asset protection are presented.

A.2 Risk Graph Summary

A.2.1 Risk is defined as the combination of the probability of occurrence of harm and the severity of
that harm (see definitions). Typically, in the process sector, risk is a function of the following four parameters:
  - consequence severity of the hazardous event (C);
  - occupation or degree of human presence (the probability of the exposed area being
    occupied) (F);
  - probability of avoiding exposure to the hazardous event (P);
  - frequency of demand (number of times per year in which the hazardous event occurs in
    the absence of the safety instrumented function under consideration) (W).


Table A.1 - Description of the Parameters of the Process Industry Risk Graph

Consequence Severity: Number of fatalities and/or serious injuries resulting from the occurrence of
the hazardous event. It is determined taking into account the number of people in the exposed area
when the area is occupied and the vulnerability to the hazardous event.

Occupation: Probability that the area exposed to the hazard is occupied at the moment of the
occurrence of the hazardous event. It is determined by calculating the fraction of time that the area
is occupied during the occurrence of the hazardous event. The possibility of increased presence in the
exposed area associated with the abnormal situations that can exist before the occurrence of the
hazardous event shall be considered (this shall also be considered when determining the parameter C).

Probability of avoiding the harm: The probability that the people exposed to the hazard are able to
avoid the harm after a failure on demand of the safety instrumented function. It depends on the
existence of independent means to alert people before the occurrence of the hazardous event and on
the possibility of evacuation.

Frequency of demand: The number of times per year that the hazardous event would occur in the
absence of the safety instrumented function being analyzed. This can be determined by considering
all the failures that can lead to the hazardous event and by estimating the total rate of occurrence.
Other protection layers may be included in the analysis.
A.2.2 The risk graph lists specific combinations of risk parameters and safety integrity levels. The
relationship between the combinations of risk parameters and safety integrity levels is established
considering the tolerable risk associated with specific hazards.

A.3 Documentation Related to the Results of Safety Integrity Level (SIL) Determination
It is important that all decisions made during the SIL determination be recorded in controlled
documents. The documentation shall clearly indicate the reasons why the team selected the specific
parameters associated with each safety function. The forms that record the result and the
assumptions used in the SIL determination of each safety function shall be compiled in a report.
The report shall also include the following additional information:
  - the risk graph used, together with the descriptions of all parameter scales;
  - the numbers and revisions of all drawings used;
  - references to the assumptions considered and to any consequence studies that were
    used to evaluate the parameters;
  - references to the failures that lead to demands and to any failure propagation model used to
    determine demand rates;
  - references to the data sources used to determine demand rates.


A.4 Usage of Risk Graph Relative to People Safety


A.4.1 Table A.2 lists descriptions and scales for each parameter used in Figure A.1 relative to people
safety.

[Figure A.1 - Risk Graph Relative to People Safety: figure not reproduced. The graph begins at "Start"
and branches successively on Consequence, Occupation, Probability of avoiding the hazardous event
and Demand rate; each path ends either in "No safety requisites" or in the required SIL (see 6.4.9 of
this Standard).]


A.4.2 The vulnerability concept has been introduced to modify the consequence parameter,
because a failure does not always cause an immediate fatality. The vulnerability of a receiver is an
important consideration in risk analysis because the dose received by an individual is sometimes not
large enough to cause a fatality. The vulnerability of a receiver to a consequence is a function of the
concentration of the hazard to which he was exposed and the length of that exposure. An example is when a
failure causes a pressure increase in equipment exceeding the operating pressure, but not reaching
the test pressure. The probable outcome will usually be limited to leakage at flange joints. In such
cases, the rate of hazard progression will probably be slow and the operating team can usually
escape from the consequences. Even in cases of leakage of large liquid inventories, the worsening of
the situation may be sufficiently slow to allow the operating team to avoid the harm. Of course, there
are cases where a failure may lead to a rupture of pipes or vessels, where the vulnerability of the
operating team can be high.
A.4.3 The possibility of an increase in the number of people nearby during a hazardous event shall be
considered, as a consequence of the checking of symptoms that may occur during the formation
of such an event. Therefore, the worst scenario shall be considered.
A.4.4 It is important to emphasize the difference between "vulnerability" (V) and probability of
avoiding the hazardous event (P), so that the same factor is not counted twice. The
vulnerability is a measure related to the speed of progression after the hazard occurs, while the
parameter P is a measure related to the prevention of the hazard. The parameter P shall be used only
in cases where the hazard can be prevented by an operator action after he becomes aware that the
associated SIF has failed.


A.4.5 Some care shall be taken in selecting the occupation parameter. The occupation factor shall be selected
based on the most exposed person and not on the average of all exposed persons.
A.4.6 When it is not possible to fit a parameter into the specified scales, it is necessary to use other
methods of risk reduction.

Table A.2 - Descriptions of the Parameters Used in Figure A.1

Risk parameter: Consequence Severity (C)
Description: It shall be calculated by multiplying the vulnerability to the identified hazard by the
number of people present in the area exposed to the hazard (C = N x V). The vulnerability is
determined by the nature of the hazard as follows:
  - V = 0.01: small release of toxic or flammable material;
  - V = 0.1: large release of toxic or flammable material;
  - V = 0.5: the same release as above, but with high probability of fire or highly toxic material;
  - V = 1: rupture or explosion.
Classification:
  - C1: no significant injuries;
  - C2: 0.01 ≤ C < 0.1;
  - C3: 0.1 ≤ C < 1.0;
  - C4: C ≥ 1.0.
Comments:
  1) The consequence severity represents the number of seriously injured people and fatalities.
  2) C1, C2, C3 and C4 shall be interpreted taking into account also the conditions of recovery of
     the injured.

Risk parameter: Occupation (F)
Description: This parameter is calculated by determining the proportion of time in which the area
exposed to a hazardous event is occupied during a work shift.
NOTE 1 If the time in the hazard area differs from one operating shift to another, the maximum value
shall be selected.
NOTE 2 The use of parameter F is appropriate only if it can be demonstrated that the demand rate is
random and not related to the periods during which the occupation is higher than normal, as is the
case, for example, during start-up periods or during the investigation of anomalies.
Classification:
  - F1: exposure from rare to uncommon in the hazard zone; occupation lower than 10 % of the time
    (F < 0.1);
  - F2: exposure from frequent to permanent in the hazard zone; occupation greater than 10 % of the
    time (F ≥ 0.1).
Comments: see comment 1) above.

Risk parameter: Probability of avoiding the hazardous event (P) if the protection system fails
Classification:
  - P1: adopted if all the conditions in the Comments column are fulfilled;
  - P2: adopted if one or more of the conditions in the Comments column are not fulfilled.
Comments:
  3) P1 shall be selected only if all the following conditions are true:
     - means are foreseen to alert the operator that the SIS has failed;
     - independent means of process shutdown are prescribed in order to avoid the hazard or to
       allow people to be evacuated to a safe area;
     - the time between the moment the operator is warned and the moment the event occurs
       exceeds 1 h or is sufficient to take the necessary measures.

Risk parameter: Demand rate (W)
Description: The number of times per year that the hazardous event would occur in the absence of the
SIF under analysis. To determine the demand rate it is necessary to consider all sources of failure
that might lead to a hazardous event. In determining the demand rate, limited reliability shall be
credited to the control system: the performance of the control system is limited to below the
performance scale associated with SIL 1.
Classification:
  - W1: demand rate lower than 0.1 per year;
  - W2: demand rate between 0.1 and 1 per year;
  - W3: demand rate between 1 and 10 per year.
Comments:
  4) The purpose of factor W is to estimate the frequency of the hazard without the existence of a
     SIS.
  5) For demand rates greater than 10 per year, the SIL has to be determined by another method.

A.5 Risk Graph Usage for Environmental Consequences

A.5.1 The required safety integrity level depends on the characteristics of the released substance
and on the sensitivity of the environment. Table A.3 shows classes of environmental consequences. During
the design phase it shall be determined what can be accepted at each location of the industrial site.


[Figure A.2 - Risk Graph Related to Environmental Safety: the graph is entered at Start with the
Consequence, the Probability of avoiding the hazardous event and the Demand Rate; the outcome ranges
from "Without safety requirements" to the required SIL. See 6.4.9 of this Standard.]

Figure A.2 - Risk Graph Related to Environmental Safety


A.5.2 The consequences mentioned above shall be used in conjunction with the risk graph shown in
Figure A.2. It shall be noted that the F parameter is not used in this risk graph because the concept of
occupation does not apply. The parameters P and W are applicable and definitions can be identical to
those used for the personal safety graph.

Table A.3 - General Environment Consequences

Risk parameter: Environmental Consequence (E)

  E1  No release, or release with minor damage but sufficiently large to be reported to the plant's
      management.
      Examples: a moderate leakage on a flange or valve; a small leakage of liquid.
  E2  Release within company limits with significant harm.
      Examples: small soil pollution without affecting the groundwater.
  E3  Release beyond company limits with significant harm that can be quickly cleaned without
      significant lasting consequences.
      Examples: an unhealthy steam cloud moving outside the plant after a flange joint breakup or
      compressor seal failure; a release of steam or aerosol, with or without precipitation of liquid,
      causing temporary harm to flora or fauna.
  E4  Release beyond company limits with significant harm that cannot be cleaned quickly or with
      lasting consequences.
      Examples: significant liquid leakage into a river or the sea; release of steam or aerosol, with
      or without precipitation of liquid, causing lasting harm to flora or fauna; release of solids
      (dust, catalyst, soot, ash); fluid leakage that could affect the groundwater.


A.6 Risk Graph Usage for Material Consequences


A.6.1 The use of a risk graph to determine the safety integrity level associated with material
consequences shall take into account all economic losses due to failure on demand of the safety
function, including facility and equipment repair costs, production losses, cleaning and rebuild
costs, contractual penalties, penalties applied by governmental bodies etc.
A.6.2 The risk graph of Figure A.3 shall be used together with the material consequence classes
described in Table A.4.

[Figure A.3 - Risk Graph for Material Consequences: the graph is entered at Start with the Material
Consequence, the Probability of avoiding the hazardous event and the Demand rate; the outcome ranges
from "Without safety requirements" to the required SIL. See 6.4.9 of this Standard.]

Figure A.3 - Risk Graph for Material Consequences

Table A.4 - Material Consequences Classes

Risk parameter: Material Consequence (L)

  L1  Losses between US$ 100,000 and US$ 1,000,000
      Examples: off-specification production; product loss due to PSV opening; damage due to
      cavitation on small pumps.
  L2  Losses between US$ 1,000,000 and US$ 10,000,000
      Examples: large product loss due to PSV opening or reservoir overflow; damage due to cavitation
      on high-rotation pumps or on multi-stage pumps that have a reservoir; financial losses due to
      delayed production, including penalties for delivery delay.
  L3  Losses between US$ 10,000,000 and US$ 100,000,000
      Examples: furnace tube coking; damage due to liquid suction or to suction or discharge blocking
      on a large compressor; damage due to a large product spill, including cleaning costs and
      penalties applied by environmental control bodies; low-cost repairs on essential equipment that
      operates without spare parts; high-cost repairs on non-essential equipment that has no spare
      parts.
  L4  Losses greater than US$ 100,000,000
      Examples: reactor explosion; rupture of a pressurized system; furnace explosion; boiler
      explosion.

A.6.3 The material consequence classes shown in Table A.4 are primarily defined by the ranges of
monetary values indicated. The examples are merely illustrative of cases that typically result in
financial losses in that range and can be used as guidance for the analysis team. It shall be noted
that the F parameter is not used in this risk graph because the concept of occupation does not apply.
The parameters P and W are applicable and the definitions can be identical to those in Table A.2.

A.7 Determination of Integrity Level of the Safety Instrumented Function when its
Failure Leads to More than One Type of Consequence
When a failure on demand leads to more than one type of consequence (to people, environment and
materials), the required integrity levels associated with each of the involved aspects shall be
determined separately and the largest of them shall be the integrity level specified for the function.


Annex B - Layers of Protection Analysis (LOPA)


B.1 Introduction
B.1.1 This annex provides a standardized procedure for evaluating the Safety Integrity Level (SIL)
required for Safety Instrumented Functions (SIFs) using the Layers of Protection Analysis (LOPA)
method described in the AIChE CCPS concept book.
B.1.2 Layers of Protection Analysis (LOPA) is a semi-quantitative risk assessment method whose
primary purpose is to determine whether the protective measures against an undesirable event are
sufficient to reduce its risk to a tolerable level. This is done by assigning numerical values to the
frequencies of the possible initiating causes and to the average probability of failure on demand of each
protection layer, and comparing the resulting risk value with the pre-established tolerable risk value.
B.1.3 If the estimated risk for a scenario is not tolerable, other protection layers shall be added in
order to achieve the necessary risk reduction. LOPA does not define which protection layers shall be
added or how to design them, but it helps in assessing the alternative measures that can be
implemented to achieve the required risk reduction.
B.1.4 LOPA is not a method for identifying hazards or accident scenarios. The scenarios to be
analyzed with LOPA shall be developed during the application of HAZOP, as a process risk analysis
technique able to identify the accidental risk scenarios, according to Annex C of PETROBRAS N-2782.

B.2 Procedure
The procedure for applying LOPA to determine the required SIL for each SIF is shown in simplified
form in Figure B.1 and described in detail in sections B.2 through B.4 of this Annex, which present
tabulated numerical values to be used in calculating the required SIL at the end of the analysis.
As a general rule, in case of doubt about the tabulated values, the most conservative value shall
always be adopted. If the LOPA team decides to use in the analysis a value different from those
shown in the tables of this Annex, the values actually adopted shall be based on defensible and
documented reasons.


[Figure B.1 - LOPA Procedure Flowchart. Steps recoverable from the figure, in order:
  Start
  Select scenarios to be evaluated (B.2.1)
  Verify scenario severity (B.2.2)
  Determine the tolerable frequency (FTOL) (B.2.3)
  Estimate an ICF for the scenario (B.2.4)
  Find an EEL for the scenario, if applicable (B.2.5)
  Determine the MFs, if applicable (B.2.6)
  Identify the IPL (non-SIF) and estimate their PFDavg (B.2.7)
  Determine the Consequence Frequency (FC) (B.3.1)
  Is FC ≤ FTOL?
    Yes (OK): document the scenario (B.3.3), then go to the next scenario, or End.
    No: is it possible to add an IPL (non-SIF)?
      Yes: return to B.2.7 with the added IPL.
      Yes (SIF): determine the required SIL; up to SIL 3, document the scenario (B.3.3).
      No, or required SIL above SIL 3: re-assess process risks; management measures required.]

Figure B.1 - LOPA Procedure Flowchart


B.2.1 Scenario Selection for Analysis

B.2.1.1 The first activity of the LOPA team shall be to select for review, among the scenarios identified in
the Risk Analysis, those where there is a SIF as a safeguard or as a recommendation.
B.2.1.2 Other scenarios can be evaluated at the team's discretion.
B.2.1.3 The LOPA team shall record all scenarios of interest in a worksheet for analysis, where the
identification (number) and description of each scenario are inherited from the HAZOP.
B.2.1.4 For recording the scenarios, the adoption of an extended HAZOP worksheet according to
Annex C is recommended. [Recommended Practice]
B.2.1.5 For scenarios that present a high frequency (greater than twice the frequency between IPL
tests) or a consequence of catastrophic severity, it is recommended to perform a quantitative risk
assessment (e.g., fault tree). [Recommended Practice]
B.2.2 Severity Classification
B.2.2.1 The severity assigned to the consequence of a scenario represents a measure of the
greatest impact on people (S), environment (E) and property (L). Each pair of cause and consequence
shall be analyzed separately, considering these three aspects.
B.2.2.2 Severity classification is a risk analysis activity that consists in defining, for each selected
scenario, a category of severity according to the risk tolerability matrix of PETROBRAS N-2782,
assuming failure of all safeguards.
B.2.2.3 The LOPA team shall not repeat the task of severity classification in case it has already
been done in a prior risk analysis.
B.2.3 Tolerable Frequency (FTOL)
The LOPA team shall find in Table B.1 the tolerable frequency value for the severity category of the
scenario consequence, defined according to B.2.2.

Table B.1 - Tolerable Frequency (FTOL)

Severity Category | FTOL (event/year)
V   | 1 x 10^-5
IV  | 1 x 10^-4
III | 1 x 10^-3
II  | 1 x 10^-2
I   | 1 x 10^-1

B.2.4 Initiating Cause Frequency

B.2.4.1 The initiating cause is the reason why the deviation in the process variable identified in the
HAZOP occurred. Each initiating cause shall be analyzed separately in a specific scenario.


B.2.4.2 The LOPA method establishes that neither the existence of a protection layer nor any other
factor shall be considered in determining the frequency of the initiating cause.
B.2.4.3 Failures on demand in protection layers (SIF, PSV etc.) shall not be considered as initiating causes,
since other events must initiate the scenario before these protection layers are demanded. However,
leakage or failure to close after PSV actuation, as well as spurious actuations of protection systems, can be
considered as initiating causes of scenarios worth analyzing, but they are often ignored.
B.2.4.4 The LOPA team shall select an initiating cause frequency (ICF) from Table B.2 for the identified
scenario.

Table B.2 - Frequencies of Initiating Causes

Initiating Cause | ICF (event/year)
BPCS control loop failure | 1 x 10^-1
Failure of self-regulating valve on clean service | 1 x 10^-2
Static equipment failure (low vibration) | 1 x 10^-2
Static equipment failure (high vibration) | 1 x 10^-1
Dynamic equipment failure (B.2.4.5.a) | 1 x 10^-1
Turbine overspeeding / diesel engine with transmission break | 1 x 10^-4
Failure on pressure vessel | 1 x 10^-6
Pipe failure - full rupture | 1 x 10^-7 per meter
Pipe leakage - 10 % straight section | 1 x 10^-5 per meter
Atmospheric tank failure | [value missing in the source text]
Spurious opening of safety valve | 1 x 10^-3
Pump seal failure | 1 x 10^-1
Failure on loading/unloading hose (low vibration) | 1 x 10^-1
Failure on loading/unloading hose (high vibration) | 1 x 10^-2
Failure on redundant cooling water system | 1 x 10^-1
Gasket rupture | 1 x 10^-2
Loss of redundant power supply | 1 x 10^-1
Land vehicle impact (truck, bulldozer, etc.) | 1 x 10^-2
Fall of cargo suspended by crane | 1 x 10^-4 per lifting
Atmospheric electric discharge | 1 x 10^-3
Fire in small proportions | 1 x 10^-1
Fire in great proportions | 1 x 10^-2
Failure of the operator to perform a routine procedure (well-trained operator, not stressed, not fatigued) (B.2.4.5.b) | 1 x 10^-2 per opportunity
Human error (non-routine task, low stress) (B.2.4.5.c) | 1 x 10^-1 per opportunity
Human error (non-routine task, high stress) (B.2.4.5.c) | always
Failure of maintenance procedure of the LOTO type | 1 x 10^-3 per opportunity
Spurious SIF actuation (B.2.4.7) | 1 x 10^-1


B.2.4.5 Rules usually applied to the initiating causes of Table B.2

a) any equipment whose operation depends on or is based on normally moving parts can be
included in the "dynamic equipment" category;
b) routine procedures are actions performed routinely on site or on the BPCS operation
interface which, if incorrectly done, can result in deviations in the process under review;
c) non-routine tasks are those performed on rare occasions, such as process unit startup
and shutdown, which, if incorrectly done, can result in deviations in the process under
review;
d) considered as a general failure of a safety procedure with multiple steps, called LOTO
(Lockout / Tagout) and known in PETROBRAS as LIBRA (Abastecimento) or PCEP
(Transpetro); these denominations refer to specific practices and procedures for
safeguarding workers against accidental equipment energizing, unexpected machine
activation, or release of hazardous substances during service or maintenance activities;
this requires that a designated individual turn off and disconnect the machine or equipment
from its power supply before performing any service or maintenance and that authorized
workers close with a padlock (lock) or identify (tag) the power isolation device, and verify
that power has been effectively isolated.
B.2.4.6 The values in Table B.2 derive from the experience of the process industry, and consider various
types of operational and equipment failures.
B.2.4.7 For SIF spurious actuation as an initiating cause, it is suggested to adopt an ICF of 1 x 10^-1
spurious trips per year, since in this phase of application of the procedure the SIF MTTFS is not yet
known.
B.2.4.8 Equipment not covered in Table B.2, such as filters (various types), flanges, tank trucks, land
and sea pipelines, manual valves (hand wheel) and actuated block valves shall have their failure frequency
values supported by defensible and documented reasons.

B.2.5 Enabling Event (EE)

B.2.5.1 An enabling event is an action or state that does not cause the scenario, but needs to exist in
order to allow the initiating cause to lead to the considered unintended consequence.
EXAMPLE
Scenario: The purge of the coke drum to the fractionator tower is done in stages, with manual forcing
of the flow rate set point to progressively larger values. At the end of cooling, the set point shall
return to the operational value before changing the control to automatic mode.
Enabling Event: set point of the cooling water flow rate left at the highest flow rate value
achieved in the last drum cooling;
Initiating Cause: improper opening of the manual valves of the cooling water isolation;
Consequence: pressure increase in the coke drum by sudden vaporization of the injected
water, with possibility of leakage on flanges and accessories, and possible harm to the
reactor.
B.2.5.2 Another enabling event to be considered (perhaps the most common) is the Time at Risk.


B.2.5.3 Time at Risk

Certain hazards exist only in specific phases of the process or during the execution of specific tasks
(batch, loading, unloading, activation, shutdown, load variations, wait, regeneration etc.), or in specific
operation modes (auto, manual, remote, maintenance, load tracking etc.). In these cases, the initiating
cause frequency can be adjusted by a factor equal to the probability of existence of this enabling event
(Enabling Event Likelihood - EEL), obtained as the ratio between the time during which there is a risk
and the total time interval considered in the analysis (usually one year).
EEL = (Time at Risk) / (Total Time)
EXAMPLE:
EEL = 8 times a year x 1 h duration = 8 h/year x 1 year/8760 h = 0.000913

B.2.6 Modification Factors (MF)

In some scenarios, certain specific conditions must exist, such as the presence of ignition sources
or the presence of people in the affected area, for harm to occur. In these cases, the probabilities
associated with these conditions can be used as risk adjustment factors for the scenario.
The LOPA team shall ensure that these factors have neither been previously considered as an
enabling event, nor are embedded in the initiating cause frequency, especially given the
considerations made in determining the scenario during the HAZOP, because counting them twice
could significantly affect the result.
It is noteworthy that in HAZOP the analyzed effect shall consider the worst scenario, without taking
into account the existence of safeguards or other mitigating factors.

B.2.6.1 Ignition Probability

B.2.6.1.1 Releases of flammable substances do not always lead to ignition. The probability of ignition
depends mainly on:
a) the presence of ignition sources in the vicinity of the leakage;
b) the intrinsic properties of the substance and the quantity (volume or mass) of released
material;
c) the shape of the dispersion (spray, puddle, light cloud, heavy cloud) of flammable
material at the considered site (confined or free atmosphere, water, soil).
B.2.6.1.2 Before adopting a modification factor to represent the probability of ignition,
the assumptions made about the relevant characteristics of the release of flammable product and its
possible outcomes (torch or jet fire, puddle fire, cloud fire, cloud explosion, BLEVE) in the definition
of the scenario during the risk analysis shall be observed, especially so as not to count this reduction
factor more than once.
B.2.6.1.3 Tables B.3 and B.4 below show some typical ignition probabilities that can be used as
modification factors. The LOPA team can adopt only one modification factor for the ignition probability
in each scenario. To do so, they shall define which of these two tables to adopt, according to
what is most relevant in the scenario analysis.


Table B.3 - Ignition Probability Modification Factors by Ignition Sources Quantity

Ignition sources quantity | Modification Factor (MF)
None readily identifiable (e.g., containment dike, empty terrain) | 0.1
Very few (e.g., tank area) | 0.2
Few (e.g., naval, bus or rail terminal) | 0.5
Many (e.g., industrial plant) | 0.9 (*)

NOTE (*) Industrial plants in which there is a study, application and proper maintenance of
hazardous area classification might consider an ignition probability equal to 0.1.

Table B.4 - Ignition Probability Modification Factors by Flammable Material Type

Flammable material | Modification Factor (MF)
Gas or LPG | 0.3
Light liquid (flashpoint < 38 °C) | 0.2
Heavy liquid (flashpoint ≥ 38 °C) | 0.1

B.2.6.2 Presence of People

B.2.6.2.1 For commercial or environmental consequences, the presence of people is not a
modification factor. However, for consequences related to people's safety, at least one person must be
present in the area where the incident occurs. Risk reduction factors related to the time when no one
is present in the hazardous area can be used. For example, if a fire occurs due to a leak in a
pump seal, an operator needs to be near the pump to be injured. If the operator remains in the
considered area only 30 minutes per shift, then the use of a modification factor is justified.
B.2.6.2.2 In case the scenario occurs during a local operational maneuver or maintenance work, this
reduction factor shall not be used.

Table B.5 - Modification Factors by Presence of People

Exposure time to hazard | Modification Factor (MF)
Always (more than 4 h per shift) | 1.0
Usually (between 2 h and 4 h per shift) | 0.5
Occasionally (between 1 h and 2 h per shift) | 0.2
Rarely (less than 1 h per shift) | 0.1

B.2.6.2.3 Other modification factors such as, for example, greater or less facility to avoid harm are not
considered in this Annex.

B.2.7 Independent Protection Layers (IPL)


This section describes how to identify the safeguards prescribed in the design that can be considered
independent protection layers (IPL), and the risk reduction they provide.


IPL identification is usually the hardest part of this method, and it is important to emphasize that every
IPL is a safeguard, but not every safeguard is an IPL.
Table B.6 contains some examples of safeguards that are not normally considered IPL.

Table B.6 - Safeguards Usually not Considered IPL

Safeguard usually not considered IPL | Comments
Training and Certification | These factors can be taken into account in determining the PFDavg of operator actions, but they are not an IPL by themselves.
Procedures | The existence of good procedures can be considered in determining the PFDavg of operator actions, but they are not an IPL by themselves.
Tests and regular inspections | In all hazard assessments the perfect execution of these activities is assumed, providing the basis for the ICF values in Table B.2 and the PFDavg values in Table B.7 and Table B.8. A change in the interval between inspections and tests may affect the PFDavg of certain IPLs.
Maintenance | In all hazard assessments the perfect execution of these activities is assumed, providing the basis for the ICF values in Table B.2 and the PFDavg values in Table B.7 and Table B.8. Poor maintenance may increase the PFDavg of certain IPLs.
Communications | It is a primary hypothesis that adequate communications exist in an industrial facility. Poor communication may increase the PFDavg of certain IPLs.
Signaling | Signaling is not an IPL by itself. Confused, dubious, misplaced and ignored signaling may increase the PFDavg of certain IPLs.

Safeguards, IPL or not, are linked to a scenario identified during the risk analysis with a specific cause
and consequence.
The main characteristic of a protection layer is that it shall be effective in individually preventing the
occurrence of a hazardous event. That is, a single protection layer working is enough for the
unwanted consequence not to occur. The term independent means that the protection layer
performance is not affected by the initiating cause and that there shall be no failures that could disable
two or more protection layers associated with the same scenario at the same time. Additionally, it shall
be demonstrated through auditable documentation that the safeguard in question was properly
designed and installed, and that it is periodically tested and properly maintained to ensure
its effectiveness, independence and specified PFDavg.
In short, an independent protection layer shall be:
a) effective in preventing the consequence of a potentially hazardous event;
b) independent of the initiating cause and of the components of any other IPL considered for
the same scenario;
c) auditable, through documents that prove the adequacy of the design, installation, tests
and maintenance of the IPL to its specifications.
Additionally, the spurious actuation of the IPL shall not lead to a new scenario with risk greater than or equal
to the one which it aims to avoid. For example, a toxic or flammable material relief system shall be
directed to a safe location.
Original Risk = Original Harm x F_C x PFDavg;
Spurious Trip Risk = Spurious Trip Harm / MTTFS;
If (Spurious Trip Risk ≥ Original Risk) it is not worth implementing the IPL.
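A worked application of the Annex B arithmetic described above (FTOL from Table B.1, ICF from Table B.2, EEL from B.2.5, modification factors from B.2.6, credits for non-SIF IPLs from Tables B.7 and B.8 of this Annex, and the spurious trip check just stated), written as an added Python example and not part of the standard. It assumes the usual LOPA product form for the consequence frequency and credits a SIF with the PFDavg that Table B.8 gives for its SIL; the scenario, its harm values and the MTTFS are constructed.

```python
"""Added example (not part of N-2595): LOPA arithmetic of Annex B on one constructed scenario.

Assumes FC = ICF x EEL x (product of MFs) x (product of non-SIF IPL PFDavg), the usual LOPA
product form, and credits a SIF with the PFDavg Table B.8 gives for its SIL.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

# Table B.1: tolerable frequency (events/year) per severity category
FTOL = {"I": 1e-1, "II": 1e-2, "III": 1e-3, "IV": 1e-4, "V": 1e-5}

# Table B.8: PFDavg credited to a SIF of each SIL (demand mode)
SIF_PFDAVG = {1: 1e-1, 2: 1e-2, 3: 1e-3}

# relative tolerance so that a product such as 1e-1 * 1e-1 compares equal to 1e-2
_TOL = 1e-9


def enabling_event_likelihood(occurrences_per_year: float, duration_h: float) -> float:
    """B.2.5.3: EEL = (time at risk) / (total time), with the total time equal to one year."""
    return occurrences_per_year * duration_h / HOURS_PER_YEAR


@dataclass
class Scenario:
    name: str
    severity: str                      # Table B.1 category, "I" .. "V"
    icf: float                         # initiating cause frequency, Table B.2 (events/year)
    eel: float = 1.0                   # enabling event likelihood; 1.0 = hazard always present
    modification_factors: tuple = ()   # Tables B.3/B.4 (ignition) and B.5 (presence of people)
    ipl_pfdavg: tuple = ()             # non-SIF IPLs credited, Tables B.7/B.8

    def consequence_frequency(self) -> float:
        """FC of the scenario before any SIF is credited (flowchart step B.3.1)."""
        fc = self.icf * self.eel
        for mf in self.modification_factors:
            fc *= mf
        for pfd in self.ipl_pfdavg:
            fc *= pfd
        return fc

    def tolerable_frequency(self) -> float:
        return FTOL[self.severity]

    def required_sil(self):
        """0 if FC <= FTOL already (no SIF needed); 1..3 for the lowest SIL whose Table B.8
        PFDavg brings FC within FTOL; None if even SIL 3 is not enough (flowchart: re-assess
        process risks, management measures required)."""
        fc = self.consequence_frequency()
        ftol = self.tolerable_frequency() * (1 + _TOL)
        if fc <= ftol:
            return 0
        for sil in (1, 2, 3):
            if fc * SIF_PFDAVG[sil] <= ftol:
                return sil
        return None


def ipl_worth_implementing(original_harm, fc, pfdavg, spurious_harm, mttfs_years) -> bool:
    """Spurious trip check of B.2.7: Original Risk = Original Harm x FC x PFDavg and
    Spurious Trip Risk = Spurious Trip Harm / MTTFS; the IPL is not worth implementing
    when the spurious trip risk is greater than or equal to the original risk."""
    original_risk = original_harm * fc * pfdavg
    spurious_risk = spurious_harm / mttfs_years
    return spurious_risk < original_risk


def example_scenario() -> Scenario:
    """Constructed scenario: pump seal failure (Table B.2, 1e-1/year) releasing a flammable
    liquid; ignition credited with the Table B.3 'many sources' factor 0.9; people present
    'occasionally' (Table B.5, 0.2); operator response to an alarm as the only non-SIF IPL
    (Table B.8, 1e-1); severity category IV."""
    return Scenario(
        name="pump seal fire (constructed)",
        severity="IV",
        icf=1e-1,
        eel=1.0,
        modification_factors=(0.9, 0.2),
        ipl_pfdavg=(1e-1,),
    )


if __name__ == "__main__":
    s = example_scenario()
    fc = s.consequence_frequency()
    print(f"EEL for 8 occurrences x 1 h per year: {enabling_event_likelihood(8, 1):.6f}")
    print(f"{s.name}: FC = {fc:.2e}/year, FTOL = {s.tolerable_frequency():.0e}/year, "
          f"required SIL = {s.required_sil()}")
    # constructed harm values in arbitrary cost units; an MTTFS of 10 years matches the
    # 1e-1 spurious trips per year suggested in B.2.4.7
    print("SIL 2 SIF worth implementing:",
          ipl_worth_implementing(original_harm=1e7, fc=fc, pfdavg=SIF_PFDAVG[2],
                                 spurious_harm=1e3, mttfs_years=10))
```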


The LOPA method consists of adding protection layers until the risk thus obtained meets the
adopted tolerability criterion.
The decision on which protection layer(s) to add among the possible alternatives can be based on a
comparative analysis of their deployment, operation and maintenance costs throughout the life cycle.
[Recommended Practice]
Before considering the addition of protection layers, however, it is recommended that inherently safe
design solutions be applied. [Recommended Practice]
The adoption of an inherently safe design can effectively eliminate a scenario. Such consideration
shall be recorded in the LOPA worksheet (Annex C). It is noteworthy that other scenarios with the same
consequence (but with other initiating causes) might still exist.
Regarding the actuation mode, an IPL can be passive or active.
A passive IPL is one that does not need to take any action to fulfill its protective function. Table B.7
presents some examples of safeguards that might be considered as passive IPLs.

Table B.7 - Passive IPL and their typical PFDavg

Independent Protection Layer (IPL) | Average Probability of Failure on Demand (PFDavg)
Basin / containment dike | 1 x 10^-2
Flame arrester (detonation or deflagration) | 1 x 10^-2
Blowout panel | 1 x 10^-2
Overflow line directed to a safe place [B.2.7.2] | 1 x 10^-2
Underground drainage system | 1 x 10^-2
Open vent (without valve) | 1 x 10^-2
Blast wall or shelter-type bunker | 1 x 10^-3
Fireproof insulation [B.2.7.3] | 1 x 10^-2

An active IPL is one that needs to change from a particular state to another in response to
changes in a measurable property of the process in question. Table B.8 presents some examples of
safeguards that can be considered active IPLs.


Table B.8 - Active IPL and their typical PFDavg

Independent Protection Layer (IPL) | Average Probability of Failure on Demand (PFDavg)
Safety instrumented function SIL 1 | 1 x 10^-1
Safety instrumented function SIL 2 | 1 x 10^-2
Safety instrumented function SIL 3 | 1 x 10^-3
BPCS control loop [B.2.7.4] | 1 x 10^-1
Operator response to an alarm [B.2.7.5] | 1 x 10^-1
Mechanical relief device / pressure safety valve [B.2.7.6] | 1 x 10^-2
Two independent relief devices (nozzles, discharge etc.) aligned to the process, each one sized to meet 100 % of the scenario [B.2.7.6] | 1 x 10^-3
Multiple independent relief devices (nozzles, discharge etc.), but more than one needs to actuate to meet 100 % of the scenario (e.g., PSV stages) [B.2.7.6] | 1 x 10^-1
Internal safety mechanical device independent of SIS and BPCS (e.g., mechanical turbine trip) | 1 x 10^-1
Rupture disk | 1 x 10^-2
Check valve [B.2.7.7] (a single one is not an IPL) | 1
High integrity backflow prevention device [B.2.7.7] | 1 x 10^-1
Two or more check valves coupled in series [B.2.7.7] | 1 x 10^-1
Self-regulating valve [B.2.7.8] | 1 x 10^-2
Car-sealed valve, listed and regularly checked [B.2.7.9] | 1 x 10^-2
Locked valve, listed and regularly checked [B.2.7.9] | 1 x 10^-2
Dual seal (on pump) with alarm on the gap | 1 x 10^-2
Active protection against fire [B.2.7.10] | 1 x 10^-1

The numerical values in Tables B.7 and B.8 can be used as the Average Probability of Failure on Demand
(PFDavg) for each IPL. If the LOPA team believes that any IPL is more reliable (lower PFDavg) than the
numerical values presented in these tables, or identifies any IPL different from those presented in these
tables, the value adopted for its PFDavg shall be based on sustainable and documented reasons.
NOTE
Table B.8 expresses PFDavg values for a SIF in demand operation mode. For continuous
operation mode, frequency of dangerous failure values (SIL1 = 10^-5 h/year,
SIL2 = 10^-6 h/year, SIL3 = 10^-7 h/year) shall be used in place of PFDavg.

In order to ensure consistency in LOPA, B.2.7.1 through B.2.7.10 list some conditions to guide
the decision on when to consider a safeguard as an IPL.
B.2.7.1 General Conditions
a) the IPL by itself shall be enough to prevent the occurrence of the hazardous event;
b) the IPL failure shall not be the initiating cause for the considered scenario;
c) the scenario shall not lead the IPL to fail or to become unavailable;
d) if the IPL is active, its spurious actuation shall not lead to a new scenario with greater risk
than the one it aims to avoid;
e) the components of the considered IPL shall be distinct and independent from the
components of other IPLs;
f) the IPL shall be included in an established and auditable maintenance program;


g) It is recommended that two or more safeguards subjected to common cause failures be


accounted as a single IPL. Specifically, it shall not be counted more than one safeguard
of the same type (e.g., two SIFs, two control loops, two alarms, etc.) for the same
scenario. [Recommended Practice]
B.2.7.2 Overflow Line
Besides general conditions required for any IPL, any valves in the overflow line shall be
administratively controlled to ensure that this IPL is available when needed.
B.2.7.3 Fireproof Insulation
The specific conditions required for a valve (or arrangement of valves) with fireproof insulation to be
considered an IPL are:
a) fire shall be the initiating cause of the scenario, never the undesired consequence;
b) the fireproof insulation shall be able to provide enough additional time to respond
adequately to the situation (inventory contention, depressurization, flood etc.) in order to
effectively prevent the consequence considered in the scenario;
c) the insutation shall remain intact when exposed directly to fire and not move by impact of
water jet from the fire system;
d) all other corporate requirements established in the PETROBRAS N-1756 standard and its
supplementary documents for this protection type shall be met.
B.2.7.4 BPCS Control Loop
It is recommended that control loops not be considered IPLs, since counting them implies adopting management of change procedures in order to, for example, place the loop in manual mode, open the bypass of a control valve, etc. [Recommended Practice]
To be considered an Independent Protection Layer, a BPCS control loop shall meet the following requirements:
a) the failure of this control loop shall not be the initiating cause of the scenario considered;
b) the evolution of the scenario shall not lead any of the components of the control loop in question to fail or become unavailable;
c) the failure mode, in case of loss of the energy that actuates the final control elements, shall lead to a safe state;
d) measurement devices and final control elements shall be separate and independent from the devices of the other IPLs;
e) the logic solver and the power supply shall be completely separate and independent from the other IPLs, or shall have high availability guaranteed by appropriate redundancy criteria;
EXAMPLE
If the initiating cause of a scenario is the failure of a control loop implemented on a BPCS supplied by a UPS, a second loop can be considered an IPL, since its measurement devices and final control elements are separate and independent from the devices of the loop that failed, and since the BPCS and the UPS have high availability.
f) the normal operation of the control loop shall be monitored and recorded in a way similar to the execution of periodic tests on a SIF, i.e., the frequency and coverage of these records shall ensure the PFDavg assumed for this IPL;
g) a control loop used as an IPL shall be identified as critical, and its removal from operation (switching to manual mode, bypass of the final control element, etc.) shall be covered by a specific management of change procedure;
h) there shall be an established and auditable maintenance program.
It is recommended that the risk reduction factor assigned to a control loop not be greater than 10. [Recommended Practice]
NOTE
If, during the review process, the hypothesis is raised of increasing the complexity of a control loop, or of using redundant sensors or final elements on it, in order to count it as a protection layer or to increase its risk reduction factor, then the creation of a new SIF or an increase in the SIL of the existing SIF shall be taken into consideration.

B.2.7.5 Operator Response to Alarms
Risk reduction for operator response to alarms shall not be counted more than once for each scenario, regardless of the number of alarms or of actions taken by the operator in response to them.
The specific conditions required for an operator response to alarms to be considered an IPL are as follows:
a) the Operational Unit shall have a systematic alarm management that ensures appropriate responses to alarms, meeting at least the following criteria:
- the alarm shall be specific, distinguishable from other possible alarms, and give the operator a clear indication of the problem;
- there shall be a specific operational procedure associated with the alarm;
- the operator shall be trained in the adequate response;
- the operator shall always be present at the operator interface that announces the alarm;
- there shall be sufficient time for the operator to evaluate the situation and execute the corrective action.
b) the operator action in response to the alarm shall be sufficient to avoid the undesired consequence;
c) no condition present in the scenario shall be able to distort the alarm; for example, in a scenario of a ruptured steam line there may be a false high level indication due to bubble formation in the liquid phase, causing the low level alarm in the steam generator not to register the deviation immediately;
d) an alarm used as an IPL shall be identified as such and properly prioritized;
e) an alarm used as an IPL shall be included in an established and auditable maintenance program.
B.2.7.6 Mechanical Relief Device / Pressure Safety Valve
The following specific conditions apply to the use of mechanical relief devices as IPLs:
a) the relief system shall be sized to completely mitigate the scenario;
b) the relieved fluids shall be clean and of low viscosity. If the safety and relief valve is used, without any protection, in a service with corrosive fluids or with fluids capable of polymerization or of generating deposits, the valve shall not be considered an IPL. However, if the design includes protective measures to ensure the operation of the valve, a PFDavg of 1 x 10^-2 can be considered. Such measures may include the use of a steam vent, installation of a rupture disc upstream of the valve, installation of two parallel valves to allow inspection and maintenance, among others;
c) relief shall be made to a safe place so that it does not cause significant environmental effects;
d) the device shall be included in an established and auditable maintenance program.

B.2.7.7 Retention Valve
The specific conditions required for this type of device to be considered an IPL are:
a) two or more retention valves shall be coupled in series;
b) a single retention valve can be considered an IPL only if that device has high reliability (high integrity backflow prevention device);
c) the service shall be clean and not susceptible to plugging, deposit formation, gum, polymerization, etc.;
d) retention valves used as IPLs shall be identified as such and be part of an established and auditable mechanical maintenance program.
NOTE
Retention valves are not suitable for applications which require tight shut-off against reverse flow.

B.2.7.8 Self-Regulating Valve
Self-regulating valves used as IPLs shall be identified as such and be part of an established and auditable mechanical maintenance program.

B.2.7.9 Car-Sealed or Locked Valves
The specific conditions required for car-sealed or locked valves to be considered an IPL are the following:
a) the personnel responsible for plant or equipment operation shall maintain an updated list of all car-sealed or locked valves;
b) the personnel responsible for plant or equipment operation shall conduct regular inspections to ensure that these valves are in the proper position and that their seals and locks are intact.

B.2.7.10 Active Protection against Fire
The specific conditions required for an Active Protection Against Fire (e.g., a fire detection system commanding the actuation of the deluge system) to be considered an IPL are the following:
a) active protection against fire can only be regarded as an IPL for scenarios where fire is the initiating cause;
b) active protection against fire shall not be regarded as an IPL for scenarios in which its availability or effectiveness may be affected by the fire or explosion which the IPL is intended to contain.
NOTE
A gas detection system commanding SDV closure (or inventory isolation valves) can be analyzed similarly, i.e.:
a) this system can be considered a safeguard against events arising from a gas leak (e.g., fire, explosion), but not against the leak itself, because the leak will necessarily have already occurred when it is detected;
b) it shall be evaluated whether this protection layer by itself is capable of preventing the undesired consequence, or whether it depends on other external actions (e.g., the operator) to be effective;
c) it shall be possible to determine (and audit) its effectiveness, in other words, the layer's RRF = 1/PFDavg, taking into account the dispersion of the gas in the atmosphere at the moment of the demand.

B.2.7.11 Mitigating IPLs
Typically, IPLs aim to prevent the unwanted consequence. However, some protection layers, such as containment dikes, drainage systems and fire protection, can be considered mitigating IPLs when they aim to reduce the severity of the consequence of an event, either by limiting its intensity and the extent of the affected area, or by preventing side effects (e.g., BLEVE).
In general, the existence of a mitigating protection layer leads to two entirely new scenarios, which shall be analyzed separately.
Figure B.2 - Mitigating Protection Layer (event tree)

  Original Scenario (S0 x FC0) --> Mitigating Layer
    Failure (PFDavg):      Original Severity (S0) x Reduced Frequency (FC0 x PFDavg)
    Success (1 - PFDavg):  Mitigated Severity (S1 < S0) x Original Frequency (FC0 x (1 - PFDavg))


In a simple way, it is recommended to adopt the following order for adding protection layers: [Recommended Practice]
a) inherently safe design;
b) preventive passive IPLs (P);
c) non-SIF preventive active IPLs (A);
d) SIFs;
e) mitigating IPLs.

B.3 Analysis Conclusion

B.3.1 Scenario Residual Risk Without Considering SIF
B.3.1.1 The scenario residual risk without considering SIFs can be expressed in a simplified way by the Frequency of Consequence (FC), which is given by the numerical product of the values determined in steps B.2.4 to B.2.7, without accounting for any risk reduction from SIFs:

  FC = ICF x EEL x ∏i MFi x ∏j IPLj

Where:

FC = Frequency of Consequence;
ICF = Initiating Cause Frequency;
EEL = Enabling Event Likelihood;
MFi = i-th Modification Factor;
IPLj = PFDavg of the j-th PL (non-SIF) associated with the Initiating Cause.

B.3.1.2 If FC is lower than or equal to FTOL, then the existing protection layers are sufficient.
B.3.1.3 If FC is higher than FTOL, then additional protection layers will be necessary to reduce the scenario residual risk to a tolerable level.
NOTE
If FC indicates more than one SIF demand per year, or two or more demands in each interval between tests, it is appropriate to consider that this SIF will operate in continuous mode and therefore has a SIL correlated not with a PFDavg but with the dangerous failure frequency per hour, where SIL 1 is equivalent to a frequency between 10^-6/hour and 10^-5/hour, and so on.

B.3.2 Determination of the SIL Required for the SIF

B.3.2.1 After exhausting all possibilities of adopting inherently safer design solutions and adding non-SIF protection layers, the Safety Integrity Level (SIL) required for the Safety Instrumented Function (SIF) prescribed by design, or recommended for the scenario, can be determined by the Risk Reduction Factor (RRF) required to reduce FC to a value lower than or equal to FTOL.

Table B.9 - SIL Required for the SIF

  Risk Reduction Factor (RRF) Required    Required SIL
  10                                      1
  100                                     2
  1000                                    3
B.3.2.2 If the required RRF is greater than 1000, the process risks and the design basis shall be reviewed, possibly requiring management involvement.
B.3.2.3 It is recommended to evaluate the possibility of replacing a SIF demanded by many scenarios with other SIFs based on process variables more directly related to each scenario's deviation. [Recommended Practice]
EXAMPLE
In a scenario where failure to control the level of a vessel in a fractionating tower can lead to gas discharge from a process component through a liquid outlet ("gas blow-by") and, consequently, to excessive pressure in the tower, a SIF initiated by a PSHH could be replaced by another in which a very low level (LSLL) in the vessel forces a power interruption to the tower.
B.3.2.4 A SIF shall meet the greatest required SIL among the scenarios by which it is demanded.
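As an added worked example (not part of the standard), the following Python code carries the B.3.1 to B.3.2 procedure through for a few constructed scenarios: FC from ICF (or the Annex C MTTF), EEL, modifying factors and non-SIF IPLs; comparison with FTOL; the required RRF mapped to a SIL via Table B.9, including the RRF > 1000 review case of B.3.2.2 and the continuous-mode check of the B.3.1 note; the highest SIL among scenarios demanding the same SIF (B.3.2.4); and the two branches produced by a mitigating layer in Figure B.2. All scenario names and values are assumptions chosen for illustration.

```python
"""LOPA scenario evaluation following N-2595 Annex B, steps B.3.1 to B.3.2 and Figure B.2.
Added example, not the standard's own code; every scenario value below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Table B.9: upper bound of required RRF for each SIL. A required RRF above 1000
# has no SIL here and triggers the design basis review of B.3.2.2.
SIL_BANDS = [(10.0, 1), (100.0, 2), (1000.0, 3)]


@dataclass
class Scenario:
    name: str
    icf: float                  # Initiating Cause Frequency, per year
    ftol: float                 # tolerable frequency of the consequence, per year
    eel: float = 1.0            # Enabling Event Likelihood (probability)
    mf: List[float] = field(default_factory=list)       # Modification Factors MF_i
    ipl_pfd: List[float] = field(default_factory=list)  # PFDavg of each non-SIF IPL_j
    test_interval_years: float = 1.0  # SIF proof-test interval, for the continuous-mode check

    @classmethod
    def from_mttf(cls, name: str, mttf_years: float, **kw) -> "Scenario":
        """Annex C convention: MTTF (years) is entered instead of ICF, so ICF = 1/MTTF."""
        return cls(name, 1.0 / mttf_years, **kw)


def frequency_of_consequence(s: Scenario) -> float:
    """B.3.1.1: FC = ICF x EEL x prod_i MF_i x prod_j IPL_j, with no credit taken for SIFs."""
    fc = s.icf * s.eel
    for m in s.mf:
        fc *= m
    for pfd in s.ipl_pfd:
        fc *= pfd
    return fc


def required_rrf(s: Scenario) -> float:
    """RRF the SIF must provide so that FC / RRF <= FTOL; 1.0 means no SIF is needed (B.3.1.2)."""
    fc = frequency_of_consequence(s)
    return 1.0 if fc <= s.ftol else fc / s.ftol


def required_sil(rrf: float) -> Optional[int]:
    """Table B.9 lookup: 0 = no SIF required; None = RRF > 1000, review per B.3.2.2."""
    if rrf <= 1.0:
        return 0
    for limit, sil in SIL_BANDS:
        if rrf <= limit:
            return sil
    return None


def is_continuous_mode(s: Scenario) -> bool:
    """B.3.1 NOTE: more than one demand per year, or two or more demands per test interval,
    means the SIF is treated as continuous mode (SIL by dangerous failure rate per hour)."""
    demand_rate = frequency_of_consequence(s)  # demands placed on the SIF, per year
    return demand_rate > 1.0 or demand_rate * s.test_interval_years >= 2.0


def sif_required_sil(scenarios: List[Scenario]) -> Optional[int]:
    """B.3.2.4: a SIF demanded by several scenarios meets the highest SIL among them.
    Returns None if any scenario needs RRF > 1000 (design basis review instead of a SIL)."""
    sils = [required_sil(required_rrf(s)) for s in scenarios]
    return None if any(x is None for x in sils) else max(sils)


def mitigating_layer_branches(s0: int, fc0: float, s1: int, pfd: float
                              ) -> Tuple[Tuple[int, float], Tuple[int, float]]:
    """Figure B.2: a mitigating IPL with PFDavg splits one scenario (S0 at FC0) into two
    that are analyzed separately: (S0, FC0 x PFDavg) and (S1 < S0, FC0 x (1 - PFDavg))."""
    return (s0, fc0 * pfd), (s1, fc0 * (1.0 - pfd))


# Constructed scenarios demanding one hypothetical SIF; all numbers are illustrative only.
SCENARIOS = [
    # MTTF 10 y -> ICF 0.1/y; MF 0.5; one non-SIF IPL with PFDavg 0.1; FC = 0.005/y
    Scenario.from_mttf("A: high level, gas blow-by", 10.0, ftol=1e-4, mf=[0.5], ipl_pfd=[0.1]),
    # ICF 1/y; EEL 0.5; relief valve 0.01 and alarm 0.1; FC = 5e-4/y against FTOL 1e-6/y
    Scenario("B: loss of cooling", 1.0, ftol=1e-6, eel=0.5, ipl_pfd=[0.01, 0.1]),
    # FC = 1e-3/y is already below FTOL 1e-2/y: no SIF needed for this scenario
    Scenario("C: minor overfill", 0.01, ftol=1e-2, ipl_pfd=[0.1]),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        rrf = required_rrf(s)
        print(f"{s.name}: FC={frequency_of_consequence(s):.2e}/y  RRF={rrf:.0f}  "
              f"SIL={required_sil(rrf)}  continuous={is_continuous_mode(s)}")
    print("SIF required SIL (highest across scenarios):", sif_required_sil(SCENARIOS))
```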

B.3.3 Documentation
B.3.3.1 LOPA results shall be clearly documented in the form of a report which shall be attached to or
be part of the HAZOP report.
B.3.3.2 It is recommended to use a standardized spreadsheet, according to the model in Annex C.
[Recommended Practice]

NOTE
To make the calculation easier, in Annex C the MTTF time interval is used rather than the ICF frequency, and the risk reduction factor (RRF) instead of the average probability of failure on demand (PFDavg), so that all powers of ten have positive exponents.

B.3.3.3 If FTOL has been satisfied without the need for a SIF, it shall be recorded that the automatic function prescribed in the design or recommended by the HAZOP is not safety critical and shall be performed by the BPCS.
B.3.3.4 Beyond simply filling in the spreadsheet fields with standardized information about the team and the scenario, the data obtained from the HAZOP and the calculation results, the LOPA recommendations shall be applied to an objective design review, adding, modifying or eliminating existing or planned safeguards according to their effectiveness as verified during the review process, in order to prevent or mitigate unwanted effects. Issues that need to be detailed and discussed further in other forums shall also be recorded, as well as the actions to be taken and the points for continuous improvement of this procedure.

B.4 Result Management

B.4.1 Auditing
B.4.1.1 The information contained in the LOPA documentation is related to process safety and, as such, shall be maintained throughout the life cycle of the plant or equipment.
B.4.1.2 The recommendations of the LOPA shall be included in the systematic tracking of the industrial facility's recommendations, which allows the feasibility of implementing them to be analyzed and either their implementation or the decision not to implement them, with the respective justification, to be adequately documented.
B.4.1.3 Every IPL shall be auditable and, therefore, it is recommended to include them in the SIS Maintenance Plan. [Recommended Practice]

B.4.2 Revalidation
Whenever there is any change that results either in a review of the existing HAZOP or in a new HAZOP, it shall be evaluated whether the assumptions made in the previous analysis remain valid and, if not, the affected LOPA results shall be reviewed.

Annex C - LOPA spreadsheet form (blank form; only the field labels survive)

Sheet 01/02 (title block): INDEX OF SHEET REVISIONS (SHEET / REV.); REFERENCE DRAWINGS; DESCRIPTION; ABBREVIATIONS; NOTES; revision columns No., ORIGINAL, REV. A to REV. K, DATE; CLIENT OR USER; PROGRAM OR DESIGN; AREA OR UNIT; TITLE; signature rows DESIGN, EXECUTION, VERIFICATION, APPROVAL; SHEET __ of __.
FORM BELONGING TO PETROBRAS N-2595 REV. C APPENDIX C - SHEET 01/02.
THE INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS. ITS UNREASONABLE USE IS PROHIBITED.

Sheet 02/02 (LOPA columns): Node; Initiating Cause (Description, MTTF); Deviation; Consequence (Description, EEL, Severity of the Consequence: H / E / L); Safeguard (Description, Type (P/A), IPL, RRF); Applicable Modifying Factors (Ignition Problem, Presence of People, Other (Specify)); Required RRF (H / E / L); Total RRF; Residual Risk (H / E / L); Recommendations (N. Rec, Description); Notes; Number of the Scenario; AREA; TITLE.

NOTE
About the nomenclature:
H: related to health and physical integrity aspects of people exposed to the risk;
E: relates to environmental impact aspects;
L: relates to damage to the company's facilities and/or revenue.

FORM BELONGING TO PETROBRAS N-2595 REV. C ANNEX D - SHEET 02/02.
INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS, BEING PROHIBITED OUTSIDE THEIR PURPOSE.
Annex D - SIF Specification data sheet (blank form, sheets 01/04 to 03/04; only the field labels survive, and the completion instructions for each field are given in sheet 04/04 below)

Sheet 01/04 (title block): DATA SHEET No.; CLIENT; PROGRAM; AREA; TITLE: SIF SPECIFICATION; REVIEW INDEX (REV., DESCRIPTION AND/OR AFFECTED SHEETS; columns REV. 0, REV. A to REV. H; DATE, PROJECT, EXECUTION, CONTROL, APPROVAL); SHEET __ of __.
FORM BELONGING TO PETROBRAS N-2595 REV. C APPENDIX D - SHEET 01/04.

Sheet 02/04 (SIF SPECIFICATION): Tag; Risk Analysis Report; Cause and Effect Matrix; SIF Description; Hazardous Event to be Avoided; Causes of Demand; Consequences of Failure on Demand; Consequences of Spurious Trip; Spurious Trip Cost (US$).
Functional Specification: Sensors (Tag, Description, Actuation Mode, Detection (HH or LL), Trip Value); Final Elements (Tag, Description, Actuation Mode, Safe State); Manual Trip (Yes / No; Tag, Description, Type, Location); Functional Relation between Sensors and Final Elements; Description of the Safe State to be Achieved or Maintained; Safety Actions; Secondary Actions; Maximum Acceptable Response Time (seconds); Delay Time (seconds); Hazardous Combination of Final Elements (Yes / No; Description).
FORM BELONGING TO PETROBRAS N-2595 REV. C APPENDIX D - SHEET 02/04.

Sheet 03/04 (SIF SPECIFICATION, continued):
Application of Risk Graph: Frequency of Demand ( ) W1 ( ) W2 ( ) W3; Consequences to People (C, F, P); Damage to the Environment (E, P); Property Loss (L, P).
Application of LOPA (one block per scenario): Deviation; Scenario; Initiating Cause (MTTF); Enabling Event (EEL); Consequences; Modifying Factors; Safeguards (P/A, IPL, RRF); Tolerable Frequency; Total RRF; Required RRF.
Assessment Results: Required SIL; Minimum MTTFS Acceptable (years).
Implementation Requirements: Maintenance Bypass (Yes ( ) / No ( ), Description, Additional Cautions); By-Pass to Start Operations (Yes ( ) / No ( ), Description, Additional Cautions); Reset in the Field (Yes ( ) / No ( ), Description, Additional Cautions); MTTR; Interval Between Periodical Tests; Legal Requirements; Observations; NOTES.
FORM BELONGING TO PETROBRAS N-2595 REV. C APPENDIX D - SHEET 03/04.
INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS, BEING PROHIBITED OUTSIDE THEIR PURPOSE.

Sheet 04/04 (title block): DATA SHEET No.; REV.; SHEET __ of __; TITLE: SIF SPECIFICATION.
COMPLETION INSTRUCTIONS
General Information
- Tag: each SIF shall have a single identifier (Tag) consisting of the unit number followed by a sequential number. Example: SIF-2212001 (unit 2212, sequential number 001).
- Risk Analysis Report: number of the document related to the SIF.
- Cause and Effect Matrix: number of the document related to the SIF.
- Description of the SIF: brief description of the function, containing the deviation and the action. Example: high pressure on fuel gas blocks the gas to furnace F-501.
- Hazardous Event to be Avoided: the hazardous event taken into account in the risk analysis. Example: formation of an explosive mixture inside the combustion chamber.
- Causes of Demand: demand causes considered in the risk analysis. Examples: failure in the pressure control loop of the fuel gas, process imbalance, etc.
- Consequences of Failure on Demand: possible harm and impacts caused by the hazardous event considered in the risk analysis. Examples: flame extinguishment with formation of an explosive mixture and the possibility of explosion of the combustion chamber, followed by fire, injury/death of a person, production loss of about US$ 200 K, damage to the installations of about US$ 2 M.
- Consequences of Spurious Trip. Examples: production loss, possibility of coking of tubes, damage to refractory material, etc.
- Spurious Trip Cost (US$): according to item 6.5.

Functional Specification
- Tag: identifiers of sensors and final elements, according to the engineering flowcharts and the cause and effect matrix. Examples: PIT-2212101A, PIT-2212101B, XV-2212190A, XV-2212190B and XV-2212190C.
- Description: services of sensors and final elements, according to the instrument list and data sheet. Examples: pressure transmitters of the fuel gas header, block valve for blocking fuel gas to the furnace, intermediate vent valve for fuel gas.
- Actuation Mode (mode of operation): de-energize to trip or energize to trip.
- Detection (HH or LL): direction of change of the process variable that demands SIF actuation.
- Trip Value: value of the process variable that requires the actuation of the SIF, as indicated in the data sheets of the respective sensors.
- Safe State: safe position of the final element. Examples: block valve closed, vent valve open to a safe place.
- Manual Trip: brief description of the implementation. Example: Tag: HS-2212150; Description: electromechanical push button with double contact (in series), normally closed; Type: pull to trigger, with protection against improper actuation; Location: F-501 local panel.
- Functional Relation between Sensors and Final Elements: description, via text or drawing, of the logical relation between the SIF sensor(s) (which may include the manual trip) and final element(s), as well as the voting architectures of sensors and final elements. Example: starting from the normal state of operation, if a flame failure occurs on more than 50 % of the burners or there is low pressure on the fuel gas, the admission of gas to the burners shall be blocked and the intermediate vent opened to a safe place.
- Description of the Safe State to be Achieved or Maintained: characterization of the success of the SIF operation. Example: fuel gas blocked to the furnace and intermediate vent open to a safe place.
- Safety Actions: actions performed by the SIF to reach or maintain the safe state. Example: de-energize the solenoid valve coils that depressurize the pneumatic actuators of XV-2212190A and XV-2212190C.
- Secondary Actions: actions triggered by the SIF actuation that are not directly related to achieving or maintaining the safe state, with the purpose of helping the operation. Example: after a furnace trip, choking the steam admission and opening the chimney damper to facilitate the combustion chamber purge.
- Maximum Acceptable Response Time (seconds): maximum SIF response time (see definition) without jeopardizing the safety actions.
- Delay Time (seconds): delay time value (see definition) to be applied, if necessary.
- Hazardous Combination of Final Elements: in case there is more than one final element, whether any hazardous condition due to a failure of their joint actuation exists. Example: non-closure of the first block valve (XV-2212190A) when the intermediate vent (XV-2212190B) opens, causing a fuel gas cloud in the outer area near the furnace.

Application of Risk Graph
- Demand: frequency of the SIF demand assumed in the application of the risk graph.
- Personal Safety: classes of severity of consequences to people (C), of occupation (F) and of probability of avoiding damage (P) assumed in the application of the risk graphs.
- Material Loss: classes of severity of material consequences (L) and of probability of avoiding damage (P) assumed in the application of the risk graph.
- Environment: classes of severity of environmental consequences (E) and of probability of avoiding damage (P) assumed in the application of the risk graph.

Application of the LOPA
- Deviation: deviation of the process variable that demands the SIF actuation, according to the HAZOP+LOPA report.
- Scenario: number of the scenarios in which the SIF is an IPL, according to the HAZOP+LOPA report.
- Initiating Cause: equipment failure, human action or external event that causes the deviation, with its MTTF (expected time for the initiating cause to occur).
- Enabling Event: description of the enabling event, if applicable, with its EEL (probability of the enabling event occurring).
- Consequences: possible impacts of the scenario, with their respective categories of severity to people (S), environment (E) and property (L).
- Modifying Factors: modifying factors considered in the analysis, with values and justifications for their adoption.
- Safeguards: safeguards for the scenario considered in the HAZOP+LOPA report and, for each one: whether Passive (P) or Active (A); whether it is an IPL or not; and, if an IPL, its RRF.
- Tolerable Frequency: for the consequence of greatest severity in the scenario taken into account.
- Total RRF: total risk reduction obtained with all the IPLs considered for the scenario, except the SIF.
- Required RRF: risk reduction by the SIF which meets the Tolerable Frequency for the scenario.

Assessment Results
- Required SIL: result of the application of the risk graphs or LOPA.
- Minimum MTTFS Acceptable (years): according to item 6.5.

Implementation Requirements
- Maintenance Bypass: whether it is necessary or not. If necessary, describe how it is implemented.
- Additional Cautions: special condition or specific procedure to be observed, when applicable.
- By-Pass to Start Operations: whether it is necessary or not. If necessary, describe how it is implemented.
- Additional Cautions: special condition or specific procedure to be observed, when applicable.
- Reset in the Field: whether it is necessary or not. If necessary, describe how it is implemented.
- Additional Cautions: special condition or specific procedure to be observed, when applicable.
- MTTR: value taken into account in the SIF reliability calculations.
- Interval Between Periodical Tests: time interval taken into account in the SIF reliability calculations to maintain the required SIL.
- Legal Requirements: examples: NR-13, NR-10, environmental laws, etc.
- Observations: general observations about the SIF.
- NOTES: applicable notes, numbered and referenced along the SIF data sheet.

INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS, BEING PROHIBITED OUTSIDE THEIR PURPOSE.
FORM BELONGING TO PETROBRAS N-2595 REV. C APPENDIX D - SHEET 04/04.

INDEX OF REVISIONS

REV. A
  Affected Parts          Description of Alteration
                          Revised and renumbered
                          Revised
                          Revised
  4 to 4.2.9              Revised and renumbered
  4.30                    Eliminated
  5 to 5.1                Revised and renumbered
  5.1.1                   Revised and renumbered
  5.1.2 to 5.7.3          Included
  6 to 6.1.6              Revised and renumbered
  6.1.7 to 6.1.11         Included
  6.2 to 6.24             Revised and renumbered
  6.2.5 to 6.2.6          Eliminated
  6.3 to 6.30.10          Revised and renumbered
  6.3.11 and 6.3.12       Included
  6.4 to 6.4.8            Revised and renumbered
  6.4.8.1 to 6.4.8.5      Eliminated
  6.4.9 to 6.4.11         Revised and renumbered
  6.4.12 and 6.4.13       Included
  6.5 to 6.5.12           Revised and renumbered
  6.6 to 6.11             Included
  7 to 7.1.5              Revised and renumbered
  7.1.6                   Eliminated
  7.2 to 7.2.4            Revised and renumbered
  7.2.5 to 7.2.14         Eliminated
  7.3 to 7.3.2            Revised and renumbered
  7.3.3 to 7.3.15         Eliminated
  7.4 to 7.4.4            Revised and renumbered
  7.4.5 to 7.9.2          Eliminated
  8 and 8.1               Revised and renumbered
  8.1.1 to 8.1.4          Eliminated
  8.2                     Revised and renumbered
  8.2.1 to 8.2.3          Eliminated
  8.3                     Revised and renumbered
  8.3.1 and 8.3.2         Eliminated
  8.4                     Revised and renumbered
  8.4.1 and 8.4.2         Eliminated
  8.5 to 8.5.2            Revised and renumbered
  8.5.2.1 to 8.5.2.3      Eliminated
  8.5.4 to 8.8            Included
  9 to 9.7                Eliminated
  Annex A                 Revised

REV. B
  Affected Parts          Description of Alteration
  5.3                     Revised
  5.4.5.4                 Revised
  5.5.1                   Revised
  5.6.6                   Revised
  6.5.4                   Revised
  6.5.5                   Revised
  6.5.9                   Revised
  7.4.3                   Revised
  Annex A                 Revised

REV. C
  Affected Parts          Description of Alteration
  All                     Revised

WORKING GROUP - WG-10-22

Members (Name / Department / Telephone / Key):
Agliberto Pessoa da Silva / ENGENHARIA/IEABAST/EAB/AIIS / 8193307 / SGZG
Alexandre Botelho Figueira / ENGENHARIA/IEABAST/EAB/AIIS / 8193305 / CSJ1
AB-RE/ES/TAIE / 8140627 / DPBT
E&P-ENGP/IPP/EISA / 7042396 / Q093
REPAR/EN / 8562539 / AR85
Gonzalo Javier Alvarado Zamora / UN-RNCE/ATP-M / 8344327 / D5H4
Guilherme da Silva Telles Naegeli / CENPES/EB-AB-G&E/AEDC / 8127084 / BB29
ENGENHARIA/IEABAST/EAB/ENPRO / 8193364 / SGZP
ENGENHARIA/IEEPT/EEPTM/EIP / 8116792 / CTTD
Marcelo Lopes de Lima / CENPES/EB-AB-G&E/AEDC / CSG0
Marcia de Araujo Lisboa / E&P-ENGP/IPP/EISA / 7041618 / Q070
Mauricio Longo Braz Pessanha / E&P-CORP/SMS/SEG / 7049202 / RFX3
Rafael Jacques Zeitoune / GE-LPGN/PLGN/PSL / 8194422 / CSJ0
CENPES/EB-E&P/PPEP / 8122461 / Q071
RH/UP/ECTG&E / 8013174 / Q012
819-3063 / CDF9
Bruno Ferreira Barsotti
Carlos Henrique Wildhagen Moura
Francisco Antonio Rocco
Joelson de Carvalho Britto
Luiz Carlos de Azevedo Fonseca
Sergio Luiz Teixeira Guedes
Salvador Simoes Filho

Technical Secretary
André da Rocha Marques / ENGENHARIA/AG/NORTEC-GC