SIL PROCEDURE

TABLE OF CONTENTS

1. DESCRIPTION OF WORK GENERAL..............................................................................3

1.1 Objective....................................................................................................................... 3
1.2 Definitions...................................................................................................................... 3
2. Reference documents...........................................................................................................4
2.1 Codes and Standards....................................................................................................4
3. Scope................................................................................................................................... 4
4. SIL assessment.................................................................................................................... 5
4.1 General.......................................................................................................................... 5
4.2 Team composition..........................................................................................................6
4.3 IPF/SIL Classification.....................................................................................................6
4.4 Ground Rules and Assumptions....................................................................................9
4.5 Records and Findings..................................................................................................10
4.6 Requirements for Safety Instrumented Systems..........................................................10
4.7 Industry Best Practices for Safety Instrumented Systems...........................................10
1. DESCRIPTION OF WORK GENERAL

1.1 Objective

This document defines the procedure to be used for carrying out the Safety Integrity
Level (SIL) assessments for #. This procedure has been prepared to outline the
overall methodology and the organisation of the SIL assessments. This procedure
encompasses the requirements of the IEC (International Electrotechnical
Commission) standards, IEC 61508 and IEC 61511.
SIL (Safety Integrity Level) and Spurious-Trip Classification is a method to establish a
fit-for-purpose design of (instrumented) safety measures, which are able to mitigate
process hazards with respect to safety, environmental consequences and economic
loss. It is also fit-for-purpose in the sense that robustness (i.e. redundancy of sensing
and/or final elements) of the safety measure is validated against operational losses
caused by spurious trips.
The primary objective is to identify failures in safety related control systems, which
have the potential for harm to personnel (through illness and injury or loss of life) or to
the environment (temporary or permanent). A secondary objective will be to identify
where such failures have the potential to cause significant economic loss due to
production loss and/or damage to capital equipment.

The safety and environmental harm and the economic loss will generally arise due to
loss of containment, either of the product or of a substance hazardous to health.
The SIL Classification applied will be consistent with the objectives and definition of
the Project recognizing.

1.2 Definitions

Within this document the following definitions shall apply:

ALARP: As Low As Reasonably Practical
BS: British Standard
DCS: Distributed Control System
ESD: Emergency Shutdown System
E/E/PE: Electrical/Electronic/Programmable Electronic
E/E/PS: Electrical/Electronic/Programmable System
EUC: Equipment Under Control
HAZID: Hazard Identification
HAZOP: Hazard and Operability Study
HIPP: High Integrity Pressure Protection
HSE: Health Safety and Environment
IEC: International Electrotechnical Commission
IPF: Instrumented Protective Function
MOS Maintenance Override Switch
MVC Measurement Validation Comparison
NRV Non Return Valve
PLC: Programmable Logic Controller
PLE: Product Loss Equation
P&ID: Piping and Instrument Diagram
PFD: Process Flow Diagram
 PFSD: Process Flow Safeguarding Diagram
RRM: Risk and Reliability Manual
RV: Pressure Relief Valve
SIL: Safety Integrity Level
SIF Safety Instrumented Function
SIS: Safety Instrumented System

2. REFERENCE DOCUMENTS

2.1 Codes and Standards

The following International codes shall be applied, as given below:

IEC: International Electrotechnical Commission:

BS IEC 61508 Functional Safety of electrical / electronic / programmable

electronic safety-related systems". 2002
BS IEC 61511 Functional Safety safety instrumented systems for the
process industry sector. 2003

3. SCOPE

The SIL assessment will provide a review of the Piping & Instrument Diagrams to:
Identify risks to persons, the environment and equipment/production losses
from potential hazards associated with the process and systems designed for
the facility.

Define the basic performance requirements of the safety instrumented systems

to reduce these risks to as low as reasonably practical (ALARP).

All units pertaining to Utilities and Offsites will be assessed.

For the purposes of the SIL Review, Safety Instrumented Systems will be defined as a
system comprising Electrical, Electronic or Programmable Electronic components that
are used to carry out safety functions. This definition specifically includes ESD and
HIPP systems. It may also include Fire and Gas Systems if the system both contains
E/E/PE components and initiates an executive action (i.e. systems that simply alarm
will not be covered).

The HAZOP Report and Close-Out Report shall be available for the SIL assessment
meeting.

A SIL review report shall be issued, documenting the review meeting, and shall
include a list of participants and all reviewed E/E/PS Safety Instrumented Systems
with the required SIL.

Where modifications are made to a Safety Related Instrumented System, the SIL
rating of the system affected will be re-examined and the report updated and reissued.
4. SIL ASSESSMENT

4.1 General
The SIL assessment comprises a qualitative assessment of the process equipment
and systems to be protected by the E/E/PE Safety Instrumented System, to identify
potential hazards and to assess the risk that is present for both persons and the
environment. This assessment is developed on the basis that, initially, no protective
systems are in place, so that a basic level of risk to personnel and the facility can be
established for the equipment under control (EUC). If SIL level 3 is identified during
this assessment then a quantitative method will be used in conjunction with Company
to further assess the risk.

Essentially, the SIL derived rating is a measure of the risk reduction that is required to
be achieved by the Safety Instrumented System, in order that the residual risk is
acceptable, or, is as low as reasonably practical (ALARP).
The SIL rating covers the complete loop and is used in the specification of the E/E/PE
Safety Instrumented System, e.g., from initiating devices through the logic solvers and
controllers to the final actuating elements, in order that the system will adequately
meet the design intent.

Unless the SIL Review Team agrees otherwise, systems that require manual initiation
(i.e. manual alarms and manual push-buttons) shall be excluded from the scope of the
reviews.

Appropriate credit may be taken in reducing the allocated SIL rating when the
consequence of failure of an E/E/EPS system is to allow excess pressure into a
system protected by full flow mechanical relief valves.

4.2 Team composition

The SIL team shall consist of, as a minimum, the following personnel:
Project Engineering Manager,
Lead Process Engineer,
Lead Instrument/Control Systems Engineer,
Other Engineer/Licensor specialists on call as required and part-time.

The Chairman of this review shall be experienced in carrying out SIL Reviews.

Company shall supply staff as required and would be expected to include:

Operations Representative,
HSE engineer on call as required and part-time.
Control & Instrumentation Engineer on call as required and part-time.

The team should contain sufficient expertise to provide the necessary technical input
to the SIL review.
4.3 IPF/SIL Classification

During the SIL Classification, an assessment of the Risk, the Frequency and the
Consequence presented by each specific scenario shall be made. All identified
scenarios shall then be classified by means of the Risk Graphs.

The parameters as discussed below are the Demand rate, Consequences, and
Possibility of Escape/Avoidance', are inputs to the assessments and shall be applied
in accordance with the guidelines given below. The Safety Integrity Level required to
ensure that the system/loop under review can meet the design intent can be: no
requirements, 0, a or SIL 1 to 4. Where 0 and a can be executed from the DCS or
ESD while the SIL 1 to 3 SIFs have to be executed from an ESD system. A SIL 4 is to
be avoided and redesign is strongly recommended. For further implementation details
refer to section 4.7.

Prior to the commencement of the SIL Classification, the HSE Manager will establish
the criteria to be used in establishing the Consequence parameters as presented
below.

Demand rate (D)

D0: Negligible The demand has not been heard of in the industry
D1: >30 years The demand has not occurred in the Company Facilities but
has been heard of in the industry.
D2: 3 to 30 years The demand has occurred in the Company Facilities.
D3: 6 month to 3 years The demand occurs several times a year in the Company
Facilities
D4: < 6 month The demand occurs several times at this location

Demand rate considerations:

The selection of D1 requires special justification why it is so low.
For backflow protection systems, a Non Return Valve (NRV) will decrease the
demand rate by the factor 10.
Where two NRVs are installed in series, the demand rate reduction will be by the
factor 50.
D1/D2, 30 years is the expected life of the plant.
D3 shall be selected when a demand is expected once between scheduled
shutdowns.
Evaluate Consequences, Parameter C

For each potential hazard identified, the consequence parameters will use the
following classifications:

Safety (S)

S0: No injury or health No injury is sustained

effect No health effect is observed
S1: Slight injury or Does not effect work performance or cause disability
health effect (includes First Aid Case, Medical Treatment Case or
Occupational Illness)
S2: A minor, reportable Affects work performance, e.g., restricted duties or requiring
injury or health maximum one week to fully recover (includes Lost Time Injury
effect. and Restricted Work Case)
Minor health effects that are reversible, e.g., skin irritation,
food poisoning, etc.
S3: Serious permanent Affects work performance in the long term, e.g., prolonged
injury to one or more absence from work (includes Permanent Partial Disability).
persons, or health Irreversible health damage without loss of life, e.g. noise
effect. induced hearing loss or chronic back injury.
S4: Death to one to Permanent Total disability.
three people. Multiple fatalities (up to three) in close succession as a result
of the incident or occupational illness.
S5: Multiple Fatalities. Four or more fatalities as a result of the incident or
occupational illness.

Mitigation Questionnaire for Safety

Exposure
1 Very rare
(less than 10 man-minutes per day)
2 Occasionally
(less than 6 man-hours per day)
3 Frequently to continuously
(more than 6 man-hours per day)

Possibility to avert danger

1 In almost all circumstances
2 In some circumstances
(more than 25% of cases)
3 Little or none
 Environmental (E)

E0 No effect No environmental damage. No financial consequence.

E1: Slight effect Local environmental effect, Within the boundary fence and within systems.
E2: Minor effect Contamination sufficiently large to damage the environment or single
complaint.
Single exceedance of statutory or prescribed limit.
No permanent effect on environment.
E3 Local effect Limited discharge of known toxicity.
Repeated exceedance of statutory or prescribed limit.
Affecting the neighbourhood beyond the boundary fence.
E4: Major effect Severe environmental damage.
The company is required to take extensive measures to restore the
contaminated environment to its original state.
Extended exceedance of statutory or prescribed limit.
E5: Massive effect Persistent severe environmental damage or severe nuisance extended over a
large area.
Loss of commercial, recreational use or nature conservancy resulting in major
financial consequences.
Constant and high exceedance of statutory or prescribed limit.

Economic (L)

L0: No Loss < 1 k$

L1: Slight Loss 1 - 10 k$
L2: Minor Loss 10 - 100 k$
L3: Local Loss 0.1 - 1 MM$
L4: Major Loss 1 - 10 MM$
L5: Extensive Loss > 10 MM$

Dangerous Failure Classification Risk Diagram

Demand
Rate
Once per IPF Safety Integrity Level
year
CategoryConsequence ClassRateDemand

D4 0-0.5 a 2 3 4 Avoid
D3 0.5-4 a 1 2 3 4
D2 4-20 0 a 1 2 3
D1 >20 - 0 a 1 2

L Economics Slight Minor Local Major Extensive Damage

(US $) Damage Damage Damage Damage >10 MM
<10 k 10-100 k 0.1-1MM 1-10 MM
S Health & Slight Injury Minor Injury Major Injury Single Multiple Fatalities
Safety Fatality
E Environment Slight Effect Minor Effect Localised Major Effect Massive Effect
Effect

Consequence Class 1 (N) 2 (L) 3 (M) 4 (H) 5 (E)

Where in the Dangerous Failure Classification Risk Diagram

(N) is no disruption to operation
(L) is brief disruption
(M) is partial shutdown that can be re-started
 (H) is partial operation loss (2 week shutdown)
(E) is substantial or total loss of operation

From the above Dangerous Failure Risk Diagram, the SIL can be derived after the
Demand rate and the individual consequence levels have been determined.

4.4 Ground Rules and Assumptions.

When predicting the consequences of the various scenarios, the SIL Review Team will
need to consider a number of associated factors. These will include the materials
properties (density, toxicity, flammability, etc), the amount of material that is likely to be
released and how much becomes airborne, the layout and physical characteristics of
the area where the loss of containment occurs.

The following should be used as starting point:

The probability of an incident must be assessed assuming all safety provisions are
absent
Operator action can be relied upon to mitigate the consequences of, but not prevent,
undesirable occurrences.
Proper operating, maintenance and inspection (also mechanical) procedures are
available and adhered to. This is also applicable to the NRVs which are considered
when determining the demand rates.
Critical spares (such as parts for or complete pot mounted-pumps, spare rotor for
compressors) are available on-site to ensure short turn-around times.
It is also assumed that proper mechanical maintenance and inspection is carried out
to ensure the mechanical integrity of equipment and piping.
After a fire or another incident that requires authorities to witness any inspections,
the representatives of the authorities are available locally on short notice (within 24
hours). Company has its own (in-house) inspection department.
Refer to all other quality procedures etc. that ensure that the assumptions are
realised.
RVs, if fully sized, are assumed to provide sufficient protection against overpressure.
Any IPF provided prevents relieving of the RV.
If the RV relieves, it is assumed that the RV will need be removed and overhauled at
the workshop for re-certification.
Repairs following a spurious trip (revealed failure) would take an average 8 hours. If
a MOS is provided and helpful (initiator failure) restart may be immediate. Otherwise
a delay of 8 hours would be incurred.
4.5 Records and Findings

For each piece of equipment being reviewed, a SIL Rating Table will be completed in
order to record the findings and conclusions. The Cause and Effect diagram will be
updated to reflect the results of the SIL Review.
4.6 Requirements for Safety Instrumented Systems

For SIL 1, 2, 3 and 4, it is required that safety instrument systems are not self-
resetting and are independent of process control circuits. In most cases, this is
accomplished by physical segregation of both circuits for example, process control
performed by a DCS and safeguarding by a dedicated safety-PLC.

4.7 Industry Best Practices for Safety Instrumented Systems

The following industry best practices for the various safety integrity levels will be used
for this project:

SIL 0: A DCS alarm informing the operator that the process condition is not normal.

SIL a : A system, which automatically intervenes in the process. It may be self-

resetting. The logic solver may be shared with the process control system,
implemented in the DCS. This can be done when operator action can not be
relied upon.

SIL1: A 1 out of 1 (voting) system, segregated from the process control system, not
self-resetting, with certified logic solver.

SIL2: Generally, a 1 out of 2 (voting) system, segregated from the process control
system, not self-resetting, with certified logic solver.

SIL3: Generally, a 2 out of 3 (voting) system, segregated from the process control
system, not self-resetting, with certified logic solver. Diversity shall be
applied in order to reduce common cause/mode failures.

SIL4: Generally, this class is to be avoided. Redesign is strongly recommended.

To prevent nuisance trips it may be decided to implement 2 out of 3 (2oo3) voting

systems for SIL 1 and SIL 2 safeguarding initiators.