1.1 Objective
This document defines the procedure to be used for carrying out the Safety Integrity
Level (SIL) assessments for #. This procedure has been prepared to outline the
overall methodology and the organisation of the SIL assessments. This procedure
encompasses the requirements of the IEC (International Electrotechnical
Commission) standards, IEC 61508 and IEC 61511.
SIL (Safety Integrity Level) and Spurious-Trip Classification is a method to establish a
fit-for-purpose design of (instrumented) safety measures, which are able to mitigate
process hazards with respect to safety, environmental consequences and economic
loss. It is also fit-for-purpose in the sense that robustness (i.e. redundancy of sensing
and/or final elements) of the safety measure is validated against operational losses
caused by spurious trips.
The primary objective is to identify failures in safety related control systems, which
have the potential for harm to personnel (through illness and injury or loss of life) or to
the environment (temporary or permanent). A secondary objective will be to identify
where such failures have the potential to cause significant economic loss due to
production loss and/or damage to capital equipment.
The safety and environmental harm and the economic loss will generally arise due to
loss of containment, either of the product or of a substance hazardous to health.
The SIL Classification applied will be consistent with the objectives and definition of
the Project recognizing.
1.2 Definitions
2. REFERENCE DOCUMENTS
3. SCOPE
The SIL assessment will provide a review of the Piping & Instrument Diagrams to:
Identify risks to persons, the environment and equipment/production losses
from potential hazards associated with the process and systems designed for
the facility.
For the purposes of the SIL Review, Safety Instrumented Systems will be defined as a
system comprising Electrical, Electronic or Programmable Electronic components that
are used to carry out safety functions. This definition specifically includes ESD and
HIPP systems. It may also include Fire and Gas Systems if the system both contains
E/E/PE components and initiates an executive action (i.e. systems that simply alarm
will not be covered).
The HAZOP Report and Close-Out Report shall be available for the SIL assessment
meeting.
A SIL review report shall be issued, documenting the review meeting, and shall
include a list of participants and all reviewed E/E/PE Safety Instrumented Systems
with the required SIL.
Where modifications are made to a Safety Related Instrumented System, the SIL
rating of the system affected will be re-examined and the report updated and reissued.
4. SIL ASSESSMENT
4.1 General
The SIL assessment comprises a qualitative assessment of the process equipment
and systems to be protected by the E/E/PE Safety Instrumented System, to identify
potential hazards and to assess the risk that is present for both persons and the
environment. This assessment is developed on the basis that, initially, no protective
systems are in place, so that a basic level of risk to personnel and the facility can be
established for the equipment under control (EUC). If SIL 3 is identified during
this assessment, a quantitative method will be used in conjunction with Company
to further assess the risk.
Essentially, the derived SIL rating is a measure of the risk reduction that must be
achieved by the Safety Instrumented System so that the residual risk is acceptable,
or is as low as reasonably practicable (ALARP).
The SIL rating covers the complete loop, i.e. from the initiating devices through the
logic solvers and controllers to the final actuating elements, and is used in the
specification of the E/E/PE Safety Instrumented System so that the system will
adequately meet the design intent.
Unless the SIL Review Team agrees otherwise, systems that require manual initiation
(i.e. manual alarms and manual push-buttons) shall be excluded from the scope of the
reviews.
Appropriate credit may be taken in reducing the allocated SIL rating when the
consequence of failure of an E/E/PE system is to allow excess pressure into a
system protected by full-flow mechanical relief valves.
The Chairman of this review shall be experienced in carrying out SIL Reviews.
The team should contain sufficient expertise to provide the necessary technical input
to the SIL review.
4.3 IPF/SIL Classification
During the SIL Classification, an assessment of the Risk, the Frequency and the
Consequence presented by each specific scenario shall be made. All identified
scenarios shall then be classified by means of the Risk Graphs.
The parameters discussed below (Demand rate, Consequence, and Possibility of
Escape/Avoidance) are inputs to the assessment and shall be applied in accordance
with the guidelines given below. The Safety Integrity Level required to ensure that the
system/loop under review can meet the design intent can be: no requirement, 0, a, or
SIL 1 to 4. Ratings 0 and a may be executed from the DCS or the ESD system, whereas
SIL 1 to 3 SIFs must be executed from an ESD system. SIL 4 is to be avoided and
redesign is strongly recommended. For further implementation details refer to
section 4.7.
Prior to the commencement of the SIL Classification, the HSE Manager will establish
the criteria to be used in establishing the Consequence parameters as presented
below.
For each potential hazard identified, the consequence parameters will use the
following classifications:
Safety (S)
Economic (L)
Demand     Demand rate          IPF Safety Integrity Level by Consequence Class
category   (once per N years)   (least severe  ->  most severe)
D4         0 - 0.5              a      2      3      4      Avoid
D3         0.5 - 4              a      1      2      3      4
D2         4 - 20               0      a      1      2      3
D1         > 20                 -      0      a      1      2
From the above Dangerous Failure Risk Diagram, the SIL can be derived after the
Demand rate and the individual consequence levels have been determined.
When predicting the consequences of the various scenarios, the SIL Review Team will
need to consider a number of associated factors. These include the material
properties (density, toxicity, flammability, etc.), the amount of material that is likely
to be released and how much of it becomes airborne, and the layout and physical
characteristics of the area where the loss of containment occurs.
For each piece of equipment being reviewed, a SIL Rating Table will be completed in
order to record the findings and conclusions. The Cause and Effect diagram will be
updated to reflect the results of the SIL Review.
4.6 Requirements for Safety Instrumented Systems
For SIL 1, 2, 3 and 4, it is required that safety instrumented systems are not self-
resetting and are independent of process control circuits. In most cases this is
accomplished by physical segregation of the two circuits, for example process control
performed by a DCS and safeguarding by a dedicated safety PLC.
The following industry best practices for the various safety integrity levels will be used
for this project:
SIL 0: A DCS alarm informing the operator that the process condition is not normal.
SIL 1: A 1 out of 1 (voting) system, segregated from the process control system, not
self-resetting, with certified logic solver.
SIL 2: Generally, a 1 out of 2 (voting) system, segregated from the process control
system, not self-resetting, with certified logic solver.
SIL 3: Generally, a 2 out of 3 (voting) system, segregated from the process control
system, not self-resetting, with certified logic solver. Diversity shall be
applied in order to reduce common cause/mode failures.
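The following is an added worked example, not part of the procedure document. It ties section 4.3 to section 4.6: it reads the required SIL from the Dangerous Failure Risk Diagram for a given demand interval and consequence class, selects the voting architecture listed for that SIL, and models that architecture as a latching (not self-resetting) safety function so that the spurious-trip versus fail-to-trip trade-off of section 1.1 can be seen on sample sensor states. The numbering of consequence classes 1 to 5 (left to right in the table), the treatment of band boundaries, and all names in the code are assumptions made for this example.

```python
"""Added worked example (not part of the procedure document): derive the required
SIL from the Dangerous Failure Risk Diagram of section 4.3, pick the voting
architecture listed in section 4.6, and model that architecture as a latching
(not self-resetting) safety function. Demand-rate boundaries, the 1..5 numbering
of consequence classes and all identifiers are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Risk graph rows from section 4.3: demand category -> SIL per consequence class,
# columns ordered from lowest to highest severity. "Avoid" marks the SIL 4 cell
# the procedure says to redesign away; "-" means no requirement.
RISK_GRAPH = {
    "D4": ["a", "2", "3", "4", "Avoid"],   # demand once per 0 - 0.5 years
    "D3": ["a", "1", "2", "3", "4"],       # once per 0.5 - 4 years
    "D2": ["0", "a", "1", "2", "3"],       # once per 4 - 20 years
    "D1": ["-", "0", "a", "1", "2"],       # once per more than 20 years
}

# Section 4.6 practices: SIL -> (M, N) voting, i.e. M out of N sensors must demand.
ARCHITECTURE = {"1": (1, 1), "2": (1, 2), "3": (2, 3)}


def demand_category(years_between_demands: float) -> str:
    """Band a demand interval (years between demands) onto D1..D4.
    Assumption: a band's upper bound belongs to that band, so exactly 20 years is D2."""
    if years_between_demands < 0:
        raise ValueError("demand interval cannot be negative")
    if years_between_demands > 20:
        return "D1"
    if years_between_demands > 4:
        return "D2"
    if years_between_demands > 0.5:
        return "D3"
    return "D4"


def required_sil(years_between_demands: float, consequence_class: int) -> str:
    """Read the risk graph cell for the demand category and consequence class (1..5)."""
    if not 1 <= consequence_class <= 5:
        raise ValueError("consequence class must be 1..5")
    return RISK_GRAPH[demand_category(years_between_demands)][consequence_class - 1]


def architecture_for(sil: str) -> Optional[Tuple[int, int]]:
    """Return the (M, N) voting from section 4.6, or None where no SIF is executed
    from the ESD (ratings 0, a, '-') or the cell calls for redesign ('4', 'Avoid')."""
    return ARCHITECTURE.get(sil)


@dataclass
class LatchingSif:
    """M-out-of-N voted trip that stays tripped until an operator resets it."""
    m: int
    n: int
    tripped: bool = False

    def evaluate(self, demands: List[bool]) -> bool:
        """One scan: vote the sensor demands; a trip latches (not self-resetting)."""
        if len(demands) != self.n:
            raise ValueError(f"{self.m}oo{self.n} expects {self.n} sensor states")
        if sum(demands) >= self.m:
            self.tripped = True
        return self.tripped

    def manual_reset(self, demands: List[bool]) -> bool:
        """Operator reset; only honoured once the voted demand has cleared."""
        if sum(demands) < self.m:
            self.tripped = False
        return self.tripped


def single_fault_behaviour(m: int, n: int) -> Tuple[bool, bool]:
    """(spurious trip if one sensor falsely demands, still trips if one sensor is stuck healthy)."""
    spurious = 1 >= m                # one false demand already reaches the vote threshold
    tolerates_stuck = (n - 1) >= m   # the remaining good sensors can still reach it
    return spurious, tolerates_stuck


if __name__ == "__main__":
    sil = required_sil(2.0, 4)               # demand once per 2 years, 4th class -> SIL 3
    m, n = architecture_for(sil)             # (2, 3) per section 4.6
    sif = LatchingSif(m, n)
    print(sil, f"{m}oo{n}", sif.evaluate([True, False, False]))  # one sensor: no trip
    print(sif.evaluate([True, True, False]))                     # two sensors: trip
    print(sif.evaluate([False, False, False]))                   # demand gone: still tripped
    print(sif.manual_reset([False, False, False]))               # cleared by operator reset
    print(single_fault_behaviour(1, 2), single_fault_behaviour(2, 3))
```

Running the block shows why section 4.6 steps from 1oo1 through 1oo2 to 2oo3: a 1oo2 loop trips on a single false high reading (a spurious trip, the operational loss section 1.1 warns about), while 2oo3 ignores one faulty sensor yet still trips when one sensor is stuck healthy and the other two demand. The latch in `LatchingSif` is the "not self-resetting" requirement: the trip output stays asserted after the process condition clears until an operator resets it.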