
SIL(Safety Integrity Level)

Procedure









Table of Contents

SECTION SUBJECT

1. SCOPE OF WORK
2. PURPOSE
3. AUTHORITIES AND RESPONSIBILITIES
4. GUIDELINES
4.1 RELATIONSHIPS WITH HAZOP STUDIES
4.2 DECISION TO CARRY OUT SIL REVIEWS
4.3 ATTENDEES
4.4 ADMINISTRATION
5. EVALUATION STEPS
5.1 PRELIMINARY ACTIVITIES
5.2 PROBABILITY OF THE UNWANTED EVENT HAPPENING (W)
5.3 CONSEQUENCES OF THE EVENT
5.4 FREQUENCY OF, AND EXPOSURE TO, THE HAZARD (F)
5.5 PROBABILITY OF AVOIDING THE EVENT (P)
5.6 USING THE FIRST RISK GRAPH FOR RISK TO PERSONNEL
5.7 SIL LEVELS FOR FINANCIAL RISK
5.8 USE OF FINANCIAL RISK GRAPH
5.9 SIL LEVEL FOR ENVIRONMENTAL RISK
5.10 USE OF ENVIRONMENTAL RISK GRAPH
5.11 COMBINING THE SIL LEVELS






1.0 Scope of work
This procedure defines how to establish the required safety integrity level for
instrument systems, based on the risk of injury to people, the financial loss due to
potential damage to equipment, and the level of potential damage to the environment.
This procedure does not describe how to engineer an instrument control system so as to
achieve the different SIL levels required.

2.0 Purpose
The purpose of this procedure is to define the basis and scope of the Safety Integrity
Level (SIL) Review, which may be undertaken as part of the engineering of a project.

3.0 Authorities and Responsibilities
A process safety engineer should perform the SIL study according to the following
procedure. If necessary, he selects and supervises a subcontractor who is competent to
carry out the SIL study. All deliverables of this work shall be confirmed by the people
responsible for the project before they are issued.

4.0 Guidelines
4.1 Relationships with HAZOP Studies
SIL reviews should generally take place immediately after the HAZOP Studies to which
they relate. When the HAZOP Studies are carried out, the Chairman shall ensure that all
appropriate entries are made in the Existing Safeguards column of the HAZOP Report, as
the HAZOP Procedure requires.
Note that the HAZOP Study should carefully review the Cause and Effect Charts both
for completeness and for accuracy. Particular care should be taken to review such items
as the overall plant shutdown, the partial plant shutdowns and the depressurizing
valves, to ensure that all appropriate actions are included and all others are excluded,
as it is not the job of a SIL Review to evaluate these matters.
For this reason it is important to decide whether or not SIL Reviews will be done
before starting the HAZOP Studies.
In most cases it will be difficult to do the SIL Review before the HAZOP, but the two
could be done at the same time to prevent rework or over-engineering of the
instrumented safety systems.



4.2 Decision to carry out SIL Reviews
SIL Reviews may be required by the Client, or shall be undertaken on the
instructions of the Design Safety Manager.
4.3 Attendees
4.3.1 The following are required to attend a SIL Review:
Design Safety Engineer
Process Engineer
C&I Engineer
Environmental Engineer
Mechanical Equipment Engineer (Packaged Units)
Client
4.3.2 The Client shall be invited to send his operations personnel to attend the review;
if they are unavailable, a CEC Commissioning Engineer shall deputize.
4.3.3 The review Chairman should be experienced in the technique of SIL Reviews,
have training in Reliability Engineering and preferably be independent of the project
task force. The CEC Design Safety Manager should be consulted over the
appointment of a chairman. Where appropriate, the HAZOP Chairman shall also
be chairman for the SIL Reviews.
4.3.4 Note that IEC-61508 requires that the attendees at a SIL Review are well qualified
and experienced engineers. Attendees shall be the Authorized Engineers for the
Engineering Disciplines concerned.
4.4 Administration
4.4.1 Before starting the SIL Reviews, the Project Process Manager or Lead Process
Engineer shall ensure that the Cause and Effect Diagrams for the project
concerned have been issued for design. The Cause and Effect Diagrams are used
to define the extent of the ESD or safeguarding system.
4.4.2 Before the start of the review, the C&I Engineer needs to set up an Excel
spreadsheet with a format similar to the second page of Attachment 2 of this
Procedure. The C&I Engineer then needs to take data from the Cause and Effect
Diagrams and populate the first four columns of the electronic record sheets.



4.4.3 The Process Engineer then adds to the electronic record sheets the Cause, which
in this case is the reason for having the instrument system, as well as the
Consequence of the instrument system failing to operate when it is most
required. These consequences may be personal injury, financial loss or
environmental damage. At this stage of the review no credit should be taken for
any relief valve or other mitigating equipment which may be installed to prevent
the consequences.
4.4.4 The following documentation needs to be available at the review:
Process Flow Diagrams
Cause and Effect Diagrams
Relief Valve Schedule (if available)
4.4.5 Before the SIL Reviews begin, the Design Safety Manager shall be asked to agree
which Risk Graphs should be used. The CEC Risk Graphs are provided in
Attachment 1 of this procedure. When a Client provides the Risk Graphs, these
shall be used instead.
4.4.6 The report on the SIL Review shall be based on the formats provided in
Attachment 2. The report needs to list the SIL levels agreed at the review, as well
as the assumptions made in arriving at these conclusions. The Chairman shall be
responsible for checking and signing the REV A1 Report before it is issued.
4.4.7 The Lead C&I Engineer shall be designated as the Engineer responsible for
implementing the actions, issuing a response report which indicates the steps to be
taken. This response report shall be issued to all who attended the SIL Review.
4.4.8 The following section explains how the three Risk Graphs in Attachment 1 are
used in turn to determine a SIL Level for each instrument system based on:
Risk of personal injury or death.
Risk of financial loss.
Risk of environmental damage.
Section 5.11 explains how the three SIL Levels determined are combined to give
the overall SIL Level.



5.0 Evaluation Steps
5.1 Preliminary Activities
The Chairman asks the C&I Engineer to provide the definition of the first
instrumented protective system and its location on a P&ID. The Process Engineer then
explains the cause and the consequences which the instrument system is designed to
avoid. See section 4.4.3 for an explanation of cause and consequence in this context.
The review is carried out on the basis that the instrumented protective system fails to
work. The presence of a relief valve or other mitigation equipment, if any exists, is
taken into account at the end of the review. See section 5.11 below.
The Chairman then guides the team through the following steps:
5.2 Probability of the unwanted event happening (W)
The probability of the unwanted event happening needs to be expressed as one of the
following:
W1 = A low probability that the unwanted event will happen (less than once every
thirty years).
W2 = A low probability that the unwanted event will occur, and only a few events
are likely to happen (between once per year and once every thirty years).
W3 = A relatively high probability that the event will occur, and frequent unwanted
events are likely (at least once per year).
If the cause of the event is the failure of a DCS-based control system (transmitter plus
DCS plus output device), assume that the probability is W2.
5.3 Consequences of the Event
The consequences resulting from the failure of the instrumented system need to be
classified in terms of risk to personal safety, financial loss or environmental damage.
The classification of safety-related consequences is as follows:
CA = Minor injury only.
CB = Serious permanent injury to one or more persons, or death to one person.
CC = Death to more than one person.
CD = Many people killed.



5.4 Frequency of, and exposure to, the hazard (F)
The frequency needs to be expressed as one of the following:
FA = Rare or occasional exposure of personnel in the hazardous zone (less than
50% of time).
FB = Frequent to permanent exposure of personnel in the hazardous zone (more
than 50% of time).
5.5 Probability of avoiding the Event (P)
The probability of a person avoiding the hazardous event needs to be expressed as either
PA or PB as follows:
PA = Possible to anticipate the event and to get clear before the event happens
(there will be a clear warning before the event happens).
PB = Almost impossible to anticipate the event and/or to get clear before the event
happens (no advance warning of the event).
5.6 Using the first Risk Graph for Risk to Personnel.
The review team will evaluate the values of W, C, F, and P (if applicable) for each
instrumented system and enter them into the first Risk Graph in Attachment 1, to obtain
the SIL value for the instrumented system, based on risk of injury or death to personnel.
5.7 SIL levels for Financial Risk
The SIL level required to protect against financial risk is determined as follows:
LA is a loss of less than 10,000,000 ($8,000)
LB is a loss of between 10,000,000 and 20,000,000 ($8,000 and $16,000)
LC is a loss of between 20,000,000 and 200,000,000 ($16,000 and $160,000)
LD is a loss of more than 200,000,000 ($160,000)
These losses are based on damage to equipment rather than loss of operating revenue. If
the Client wishes to refer to loss of revenue from his plant, the risk graph needs to be
adjusted to reflect this.
5.8 Use of Financial Risk Graph
Use the appropriate value of L from section 5.7, and the value of W already
determined in section 5.2, to work out the SIL for the financial risk using the second
Risk Graph in Attachment 1.



5.9 SIL Level for Environmental Risk
EA is a minimal or zero environmental event.
EB is a reversible environmental event within the fence.
EC is a reversible environmental event outside the fence.
ED is an irreversible environmental event, which may affect the environment inside
and/or outside the fence.
5.10 Use of Environmental Risk Graph
Use the appropriate value of E from section 5.9 and the value of W already determined
in section 5.2, to work out the SIL for the environmental risk using the third Risk Graph
in Attachment 1.
5.11 Combining the SIL levels
The SIL levels as calculated by the three matrices are combined by taking the largest
of the three values obtained. However, if a relief valve is provided to fully protect the
system from the cause and consequence being considered, then the overall SIL level as
calculated by the matrices may be reduced by one.
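The following Python is an added worked example and is not part of this procedure or of any CEC tool. It encodes the decision steps of sections 5.2 to 5.11: W from the expected frequency of the unwanted event (with the DCS-failure rule), L from the equipment-damage loss, the financial Risk Graph 2 lookup, and the combination rule of section 5.11. Risk Graph 1 is held as its three W columns exactly as printed in Attachment 1 and is indexed by row position in the figure, because the C/F/P branch leading to each row is only shown on the drawing; Risk Graph 3 is not reproduced on these pages, so the environmental SIL is passed in as read off that figure. The row order of Risk Graph 2 (LA at the Starting Point up to LD), the reading of "reduced by one" as one step down the ordering "--", a, 1, 2, 3, 4, b, the function names and the sample instrument system at the bottom are this example's own assumptions.

```python
"""Worked SIL determination following sections 5.2 to 5.11 of the procedure.

Added example, not the procedure's own tooling. Assumptions are marked.
"""
from typing import Dict, List

# Outcomes that appear in the risk graphs, ordered least to most demanding.
# "--" no safety requirements, "a" no special safety requirements,
# "1".."4" safety integrity levels, "b" a single E/E/PES is not sufficient.
SIL_ORDER: List[str] = ["--", "a", "1", "2", "3", "4", "b"]

# Risk Graph 1 (personnel) as the three W columns printed in Attachment 1,
# top row to bottom row. Index by the row position on the printed figure.
RISK_GRAPH_1_COLUMNS: Dict[str, List[str]] = {
    "W3": ["a", "1", "1", "2", "3", "3", "3", "4", "b"],
    "W2": ["--", "a", "1", "1", "2", "2", "2", "3", "4"],
    "W1": ["--", "a", "1", "1", "1", "1", "2", "2", "3"],
}

# Risk Graph 2 (financial) from Attachment 1. Row order LA (Starting Point)
# up to LD is read off the figure: assumption of this example.
RISK_GRAPH_2: Dict[str, Dict[str, str]] = {
    "LA": {"W3": "a", "W2": "--", "W1": "--"},
    "LB": {"W3": "1", "W2": "a", "W1": "a"},
    "LC": {"W3": "1", "W2": "1", "W1": "1"},
    "LD": {"W3": "2", "W2": "1", "W1": "1"},
}


def classify_w(events_per_year: float, cause_is_dcs_failure: bool = False) -> str:
    """Section 5.2: W1/W2/W3 from the expected frequency of the unwanted event."""
    if cause_is_dcs_failure:
        return "W2"  # 5.2: failure of a DCS-based control loop is taken as W2
    if events_per_year >= 1.0:
        return "W3"  # at least once per year
    if events_per_year >= 1.0 / 30.0:
        return "W2"  # between once per year and once every thirty years
    return "W1"  # less than once every thirty years


def classify_l(loss: float) -> str:
    """Section 5.7: loss class from equipment damage, in the procedure's currency."""
    if loss < 10_000_000:
        return "LA"
    if loss <= 20_000_000:
        return "LB"
    if loss <= 200_000_000:
        return "LC"
    return "LD"


def personnel_sil(row: int, w: str) -> str:
    """Section 5.6: cell of Risk Graph 1 for the branch ending at the given
    row (0 = top row of the printed figure) and the W column."""
    return RISK_GRAPH_1_COLUMNS[w][row]


def financial_sil(loss: float, w: str) -> str:
    """Section 5.8: financial SIL from L (section 5.7) and W (section 5.2)."""
    return RISK_GRAPH_2[classify_l(loss)][w]


def combine_sils(personnel: str, financial: str, environmental: str,
                 relief_valve_fully_protects: bool = False) -> str:
    """Section 5.11: largest of the three outcomes; one step down the ordering
    when a relief valve fully protects against the cause and consequence.
    Stopping at "a" and stepping "b" down to "4" is this example's reading."""
    for level in (personnel, financial, environmental):
        if level not in SIL_ORDER:
            raise ValueError(f"unknown risk graph outcome {level!r}")
    idx = max(SIL_ORDER.index(x) for x in (personnel, financial, environmental))
    if relief_valve_fully_protects and idx > SIL_ORDER.index("a"):
        idx -= 1
    return SIL_ORDER[idx]


def evaluate(personnel: str, environmental: str, loss: float, events_per_year: float,
             cause_is_dcs_failure: bool = False,
             relief_valve_fully_protects: bool = False) -> Dict[str, str]:
    """Run sections 5.2, 5.7, 5.8 and 5.11 for one instrumented system; the
    personnel and environmental outcomes are passed in as read off Graphs 1 and 3."""
    w = classify_w(events_per_year, cause_is_dcs_failure)
    fin = financial_sil(loss, w)
    return {
        "W": w,
        "L": classify_l(loss),
        "financial": fin,
        "overall": combine_sils(personnel, fin, environmental, relief_valve_fully_protects),
    }


if __name__ == "__main__":
    # Constructed sample: a trip whose failure is expected once in five years,
    # SIL 2 off Risk Graph 1, SIL 1 off Risk Graph 3, 50,000,000 of equipment damage.
    for relief in (False, True):
        print("relief valve" if relief else "no relief valve",
              evaluate("2", "1", 50_000_000, 0.2, relief_valve_fully_protects=relief))
```

The record sheet of Attachment 2 would hold the W, L and per-graph outcomes that `evaluate` returns alongside the assumptions made at the review, so the reduction taken for a relief valve stays visible in the report rather than being folded silently into the final level.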



ATTACHMENT 1 MATRICES FOR SIL LEVEL DETERMINATION
RISK GRAPH 1 for determining SIL levels based on the risk of injury or death to personnel.

[Figure: Risk Graph 1. From the Starting Point the tree branches on C (CA, CB, CC, CD), then on F (FA, FB) and on P (PA, PB) where the graph subdivides further, ending in nine rows which are read against the columns W3, W2 and W1. Cell values as extracted, top row to bottom row:
W3 column: a, 1, 1, 2, 3, 3, 3, 4, b
W2 column: --, a, 1, 1, 2, 2, 2, 3, 4
W1 column: --, a, 1, 1, 1, 1, 2, 2, 3
The branch leading to each row is shown only on the printed figure.]

-- : No safety requirements. a : No special safety requirements. b : A single E/E/PES is not sufficient.
1,2,3,4 : Safety integrity levels. E/E/PES : Electric / Electronic / Programmable Electronic system.






C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence




W1 = Less than once every thirty years.
W2 = Between once per year and once every thirty years.
W3 = At least once per year.

CA = Minor injury only.
CB = Serious permanent injury, or one death.
CC = More than one death.
CD = Many people killed.

FA = Exposure less than 50% of time.
FB = Exposure more than 50% of time.

PA = Warning to permit people to escape.
PB = No warning before the event.




ATTACHMENT 1 (CONTD) MATRICES FOR SIL LEVEL DETERMINATION
RISK GRAPH 2 for determining SIL levels due to level of Financial Risk.

                      W3    W2    W1
LA (Starting Point)   a     --    --
LB                    1     a     a
LC                    1     1     1
LD                    2     1     1

-- : No safety requirements.
a : No special safety requirements.
1,2,3,4 : Safety integrity levels.

LA is a loss of less than 10,000,000 ($8,000)
LB is a loss of between 10,000,000 and 20,000,000 ($8,000 and $16,000)
LC is a loss of between 20,000,000 and 200,000,000 ($16,000 and $160,000)
LD is a loss of more than 200,000,000 ($160,000)

W1 = Less than once every thirty years.
W2 = Between once per year and once every thirty years.
W3 = At least once per year.
