SABP-Z-091
Contents

1. Scope .......... 2
2. Conflicts and Deviations .......... 2
3. References .......... 2
4. Terminology .......... 3
5. Method Details .......... 7
Appendix A: SIL Assignment for Existing Facilities During HAZOP Revalidation .......... 12
Appendix B: The Background and Basis for the Best Practice Methodology .......... 13
1. Scope

This best practice document provides a concise method to conduct Safety Integrity Level (SIL) assignment and verification in an existing Saudi Aramco facility where no prior SIL assignment has been conducted. This document also provides guidelines to develop a Safety Requirement Specification (SRS) for a Safety Instrumented System (SIS) and for the proof testing of each Safety Instrumented Function (SIF).

The tasks in this best practice are to be implemented once in an existing facility, during the plant's HAZOP revalidation session.

The purpose of this document is to provide a simplified and cost-effective SIL Assignment approach using the risk ranking established during HAZOP revalidation in existing facilities. The best practice provides guidelines on how to prepare and conduct SIL Verification as required by company and international standards. The document also provides guidelines to establish a Safety Requirement Specification (SRS) and how to handle SIF Proof Testing.
3. References

All referenced procedures, standards, specifications, codes, forms, drawings, and similar material or equipment supplied shall be considered part of this Best Practice to the extent specified herein and shall be of the latest issue (including all revisions, addenda, and supplements) unless stated otherwise.

Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-203      Governance of Saudi Aramco Best Practices
SAEP-250      Safety Integrity Level Assignment and Verification

Saudi Aramco Engineering Standard
SAES-J-601    Emergency Shutdown and Isolation Systems

Saudi Aramco Best Practice
SABP-Z-076    Guidelines for Development of Safety Requirement Specification (SRS)

Industry Codes and Standards
International Electrotechnical Commission (IEC)
Page 2 of 13
4. Terminology

Acronyms

BPCS      Basic Process Control System
ESD       Emergency Shutdown System
EIV       Emergency Isolation Valve
HAZOP     Hazards and Operability Study
IO        Input/Output
IPL       Independent Protection Layer
LOPA      Layers of Protection Analysis
LPD       Loss Prevention Department
LS        Logic Solver
MEF       Mitigated Event Frequency, [yr^-1]
MTBF      Mean Time Between Failures, [yr]
MTTF      Mean Time To Failure, [yr]
MTTR      Mean Time To Repair, [hr]
MOV       Motor Operated Valve
MAOP      Maximum Allowable Operating Pressure
P&CSD     Process and Control Systems Department
PFDavg    Probability of Failure on Demand Average
PHA       Preliminary Hazard Analysis
RRF       Risk Reduction Factor
RTF       Risk Target Frequency
SAPMT     Saudi Aramco Project Management Team
SIL       Safety Integrity Level
SIF       Safety Instrumented Function
SIS       Safety Instrumented System
SRS       Safety Requirements Specification
STR       Spurious Trip Rate, [yr^-1]
T&I       Test and Inspection
TI        Test Interval, [yr]
UPS       Uninterruptible Power Supply
ZV        Power Operated Emergency Isolation Valve
Definitions

Basic Process Control System (BPCS): A system that provides process control and monitoring for a facility by responding to input signals from the process, associated equipment or operators to generate output based on control functions and desired control strategies, but does not perform any SIF. Examples of a BPCS are DCS, SCADA, and PLCs.

Beta Factor (β): The number of common cause failures expressed as a fraction of all possible failures. A common mode failure is a failure that may affect duplicate components in redundant configurations.

Dangerous Failure (λD): Component failures that will prevent the Safety Instrumented Function from safely shutting down and isolating the process. Dangerous failures consist of dangerous detected and dangerous undetected failures.

    λD: The failure rate for a dangerous failure of a component.
    λD = λDD + λDU
    λD = 1/MTTFD
    λDD: The failure rate for a dangerous detected failure of a component.
Independent Protection Layer (IPL): Any mechanism that reduces risk by control, prevention or mitigation. An IPL can be a process engineering mechanism such as the size of a vessel, a mechanical mechanism such as a relief valve, a control system such as the BPCS or ESD, or an administrative procedure.

Inherent Safety: A design that avoids the hazards instead of controlling them, by minimizing the amount of hazardous material present, substituting the material with a less hazardous material, moderating the effect through dilution or pressure reduction, and simplifying the design where practical to minimize equipment and process failure.

Initiator: The input measuring device that initiates a trip signal to the ESD system. Initiators include switches, transmitters and manual pushbuttons.

Legacy SIS: A Safety Instrumented System (ESD System) that was engineered, designed, built and operated prior to the realization of performance-based system standards like IEC 61511.

Logic Solver (LS): The system that is used to perform the shutdown application logic. Logic solvers may be programmable controller based, relay based or solid state.

Mechanical Integrity: The suitability of the equipment to operate safely and reliably under the normal and abnormal (upset) operating conditions to which the equipment is exposed.

Mean Time To Failure (MTTF): The expected time to failure of a system in a population of identical systems.

Mean Time Between Failures (MTBF): The expected time between failures of a system's component, including its time to repair. MTBF = MTTF + MTTR

Mean Time To Repair (MTTR): The statistical average of the time taken to identify and repair a fault (including diagnosis), in a population of identical systems.

Process Hazard Analysis (PHA): Organized and systematic assessment of the potential hazards associated with a process, e.g., HAZOP.

Potentially Toxic Material: A liquid or gas substance whose toxic concentration in the gas phase, determined through equilibrium flash calculations, exceeds its Immediately Dangerous to Life and Health (IDLH) concentration.

Probability of Failure on Demand (PFDavg): The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFDavg = 1 - Safety Availability.

Process Safety Time (PST): The time between the Safety Instrumented Function trip point being reached and a hazardous event occurring if no safety measures such as a shutdown are taken.

Proof Test: A periodic test performed on SIF components according to a test procedure for the purpose of detecting dangerous hidden failures and ensuring that the SIF component is functioning correctly.

Proven-in-use or Prior-use: When a documented assessment has shown that the device, based on previous operating experience in a similar environment, is suitable for use in the ESD system.
Residual Risk: The risk remaining after protective measures have been taken.

Risk Reduction Factor (RRF): The reduction of risk that the Safety Instrumented Function provides when operating in the process. RRF = 1/PFDavg(SIF)

Safety Availability: The fraction of time that a safety system is able to perform its designated function when the process is operating. The safety system is unavailable when it has failed dangerously or is in bypass. Safety availability is equal to 1 - PFDavg of the SIF.

Safe Failure (λS): A failure that does not place the SIF in a dangerous state. A safe failure results in a trip or an alarm to the operator.

    λS: The failure rate for a safe failure of a component.
    λS = λSD + λSU = 1/MTTFS
    λSD: The failure rate for a safe detected failure of a component.
    λSU: The failure rate for a safe undetected failure of a component.

Safety Instrumented Function (SIF): A safety function implemented in the ESD, consisting of any combination of sensor(s), logic solver(s), and final element(s), which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. SIFs are identified as part of SIL assignment or are prescriptive.

Safety Integrity Level (SIL): Discrete level allocated to the SIF for specifying the safety integrity requirements to be achieved by the SIS. The SIL is a measure of the performance of the SIF in terms of probability of failure on demand.

Table 1: SIL in terms of Probability of Failure on Demand or Risk Reduction

Safety Integrity Level    PFDavg                   Risk Reduction
1                         >= 10^-2 to < 10^-1      > 10 to <= 100
2                         >= 10^-3 to < 10^-2      > 100 to <= 1000
3                         >= 10^-4 to < 10^-3      > 1000 to <= 10000
4                         >= 10^-5 to < 10^-4      > 10000 to <= 100000

Safety Requirements Specification (SRS): The specification that contains all the functional requirements for the SIFs and their associated safety integrity levels. Refer to SABP-Z-076.

Spurious Trip Rate (STR): The rate of unscheduled shutdowns of the process occurring each year. MTTFspurious = 1/STR(SIF).

Test Interval (TI): The time interval in years at which a proof test is performed on a sensor, logic solver and/or final control element to ascertain that the components of a SIF are operating correctly.

ZV: A power operated emergency isolation valve that is controlled from an Emergency Shutdown System (ESD).
5. Method Details

The method presented in this best practice is divided into five phases as follows:

Phase 1    Risk Ranking During HAZOP Revalidation
Phase 2    SIL Assignment
Phase 3    SIL Verification
Phase 4    Safety Requirement Specification (SRS)
Phase 5    SIF Proof-Testing
LOPA sheets and the summary sheets are saved in PDF format to be included in the final SIL Assignment Report. The SIL Assignment report guidelines provided in Appendix-A of SAEP-250 shall be followed.

5.2.5 SIL Assignment Report and Recommendations

The SIL Facilitator shall issue a SIL Study (LOPA) Report gathering the study work effort, assumptions, LOPA sheets and recommendations.

The SIL Assignment Report should be reviewed by the SIL study team members. SIL recommendations complement the SIL study analysis and plant process safety. Therefore, all report recommendations shall be scheduled for implementation and final closing. A mechanism to monitor the implementation progress of the SIL study report recommendations shall be developed and followed until all recommendations are implemented.

Deliverables of Phase-2:
    1. SIL Assignment report as described in SAEP-250.
    2. LOPA sheets for all SIFs for high severity hazardous events.
    3. Recommendations.

Phase-3 SIF SIL Verification
Utilizing an SRS template like the one in SABP-Z-076 for all SIFs in the plant is the ultimate solution, and is welcomed and encouraged.

Deliverables for Phase-4:
    1. Updated drawings and documents list and SRS.
    2. A list of all up-to-date documents and their locations.
    3. SIF template (from SABP-Z-076) for each SIF in one folder per area or unit.

Phase 5 SIF Proof-Testing

    - Develop a proof test procedure for each instrument and final element.
    - Consult company standards, the reliability group in the plant, the SRS and manufacturer literature to determine instrument capabilities, limitations and specific requirements.
    - Document the SIF test interval used in the SIL Verification calculations.
    - A shutdown in which the final elements operate as intended is considered a test and must be documented as such to reset the test cycle.
    - Save all test documents, update the tracking system for previous tests and schedule future tests.

Deliverables for Phase-5:
    1. Proof test procedures for all SIF sensors.
    2. Proof test procedures for all SIF final elements.
    3. Updated SAP system SIF test intervals set to the SIL-verified TIs.
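An added example, not part of SABP-Z-091, of the tracking logic behind the Phase 5 bullets: the next proof test is due one TI (the value used in SIL Verification) after the last test, and a real shutdown resets that cycle only when the final elements operated as intended and the event was documented as a test. The tags, dates, 365-day year and the SifTestRecord/DemandEvent structures are constructed assumptions.

```python
# Added example, not from SABP-Z-091. It applies the Phase 5 rule that a shutdown in
# which the final elements operated as intended counts as a proof test only when it
# is documented as such. Tags, dates and the 365-day year are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
DAYS_PER_YEAR = 365

@dataclass
class DemandEvent:
    when: date
    final_elements_operated: bool  # did the final elements operate as intended?
    documented_as_test: bool       # was the shutdown recorded as a proof test?

@dataclass
class SifTestRecord:
    tag: str
    ti_years: float                # TI used in the SIL Verification calculation
    last_proof_test: date          # last scheduled proof test actually performed
    events: list = field(default_factory=list)

def effective_last_test(rec: SifTestRecord) -> date:
    """Latest date that legitimately resets the test cycle: the last scheduled proof
    test, or a later demand that operated the final elements AND was documented."""
    last = rec.last_proof_test
    for ev in rec.events:
        if ev.final_elements_operated and ev.documented_as_test and ev.when > last:
            last = ev.when
    return last

def next_due(rec: SifTestRecord) -> date:
    return effective_last_test(rec) + timedelta(days=round(rec.ti_years * DAYS_PER_YEAR))

def proof_status(rec: SifTestRecord, today: date) -> str:
    due = next_due(rec)
    return "OVERDUE" if today > due else ("DUE" if today == due else "OK")

def schedule(records: list, today: date) -> list:
    """Rows for the tracking system: (tag, next due date, status), earliest due first."""
    rows = [(r.tag, next_due(r), proof_status(r, today)) for r in records]
    return sorted(rows, key=lambda row: row[1])

# Constructed sample: three ZVs with TI = 1 yr, same last proof test, different history.
SAMPLE = [
    SifTestRecord("ZV-101", 1.0, date(2023, 1, 15),
                  [DemandEvent(date(2023, 9, 1), True, True)]),    # documented trip
    SifTestRecord("ZV-102", 1.0, date(2023, 1, 15),
                  [DemandEvent(date(2023, 9, 1), True, False)]),   # trip not documented
    SifTestRecord("ZV-103", 1.0, date(2023, 1, 15),
                  [DemandEvent(date(2023, 9, 1), False, True)]),   # final element did not operate
]

if __name__ == "__main__":
    for row in schedule(SAMPLE, date(2024, 2, 1)):
        print(row)
```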
[Appendix A flowchart: SIL Assignment for Existing Facilities During HAZOP Revalidation. Boxes recoverable from the extracted text: START; IS PROCESS EXEMPTED FROM SIL?; EXISTING HAZOP DOCUMENT; HAZOP REVALIDATION; FIRST HAZARDOUS EVENT ... LAST HAZARDOUS EVENT; RISK RANK; IS THE SIF PRESCRIPTIVE?; SEVERITY ≥ 4?; CONDUCT LOPA; DOCUMENT SIL ASSIGNMENT; ISSUE SIL REPORT.]
Appendix B: The Background and Basis for the Best Practice Methodology

General

This document applies a selection criterion for SIFs based on the unmitigated severity of the hazard they are preventing or mitigating. The criterion assigns SIL-1 to SIFs deployed to prevent or mitigate hazards with severity levels of 1 to 3. SIFs deployed to prevent or mitigate hazards with severity levels of 4 to 5 are taken to LOPA to determine the appropriate SIL assignment.