8/21/2019 209217952 SIL Working Method Report
Document No.: 37-1A-KST-F15-00026
Originator: AET
Tag No.: N
Document Title: SIL WORKING METHOD REPORT
Project name: Nyhamna Onshore EPCm Project
Rev.: 01
System No.: 00
Area Code: X00
Page: 1 of 35
TABLE OF CONTENTS
1 INTRODUCTION 4
1.1 Abbreviations 4
1.2 Revision History 5
1.3 Scope 5
2 THE IEC 61508 AND IEC 61511 STANDARDS, RELATIONSHIP BETWEEN THE STANDARDS 8
2.1 General 8
2.2 Safety lifecycle 9
3 PROJECT ASSUMPTIONS 12
3.1 Risk and integrity level categories 12
3.2 SIL allocation 12
3.3 Reliability data 12
3.4 Low complexity, proven in use or prior use 13
3.5 Safe failure fraction (SFF) 13
3.6 Systematic failures, PSF and calculation of PFD 14
5 MANAGEMENT OF FUNCTIONAL SAFETY 21
5.1 General requirements 21
5.2 Organisations and resources 21
5.3 Risk evaluation and risk management 22
5.4 Planning and follow up 23
5.5 Implementing and monitoring 23
5.6 Assessment and auditing 23
5.7 Handling of potential non-conformance 23
5.8 Relevant interactions with other project activities 23
6 OVERALL SAFETY LIFECYCLE REQUIREMENTS 24
6.1 SIS working process Safety lifecycle model 24
6.2 Safety lifecycle requirements 27
6.2.1 Scope definition 27
6.2.2 Identification of EUC and SIS to be SIL evaluated 27
6.2.3 Method for establishment of SIL requirements and SIL allocation 27
6.2.4 Additional SIL allocation 28
6.2.5 Operation and maintenance philosophies & SIL strategy 28
6.2.6 Detailed requirement and SIS realisation 29
6.2.7 Avoidance and control of systematic failures 29
6.2.8 Safety validation planning 30
1 INTRODUCTION
To prevent escalation of unstable situations into hazardous situations or accidents, as well as to reduce the consequences of accidents, safety barriers shall be installed on equipment, process segments and as protection between different areas on an installation. These barriers can be mechanical barriers (reliefs, automatic valves, fire walls, etc.), or barriers controlled by instrumented systems (such as F&G systems, PSD/ESD isolation valves and automatic fire extinguishing systems).
The quality of the safety barriers is essential for achieving acceptable risk levels on an installation. Hence, relevant Safety Integrity Level (SIL) analysis activities (incl. management of functional safety) shall be established and performed as an integrated part of the design development for the Nyhamna expansion installation. For this project, design of all electrical, electronic, programmable electronic (E/E/PE) safety systems shall meet requirements specified in IEC 61508 and IEC 61511 standards, ref. /1/ /2/. The implementation of IEC 61508 and IEC 61511 shall be according to the requirements given in the Company documents DEP 32.80.10.10-Gen /3/ and OLF GL 070 /4/ in addition to the IEC standards 61508 and 61511.
1.1 ABBREVIATIONS
CSU Critical Safety Unavailability
DEP Design and Engineering Practice (Shell design manual)
E/E/PES Electrical/Electronic/Programmable Electronic System
EPCm Engineering Procurement Construction Management
ESD Emergency Shutdown
EV Emergency shutdown Valve (valve connected to the ESD system)
EUC Equipment Under Control
F&G Fire and Gas
FAT Factory Acceptance Test
FEED Front End Engineering Design
FMECA Failure Modes Effects and Criticality Analysis
PRE Package Responsible Engineer
PSD Process Shutdown
PSF Probability of Systematic Failure
QA Quality Assurance
SAR Safety Analysis Report
SAS Safety and Automation System
SAT System Acceptance Test
SFF Safe Failure Fraction
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SRS Safety Requirement Specification
Definitions:
SIS Safety Instrumented System: Instrumented system used to implement one or more Safety Instrumented Functions (SIFs). A SIS is composed of any combination of Initiator(s), Logic Solver(s), and/or Final Element(s).
SIF Safety Instrumented Function: Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.
SIF as used in this report is referred to as an Instrumented Protective Function (IPF) in DEP 32.80.10.10-Gen /3/.
The detail engineering (EPCm) phase:
The EPCm Contractor is responsible for the following SIL activities in the detail engineering phase:
- Plan and document how IEC 61508/61511, DEP 32.80.10.10-Gen and OLF GL 070 shall be implemented in the project (ref. /6/).
- Further identify/define, detail out and document the SISs and SIFs where SIL and functional safety requirements are applicable, and allocate SIL requirements for each relevant SIF, ref. /7/.
- Perform preliminary reliability calculations to detect any SIFs that possibly need to be reconsidered or redesigned, ref. /7/.
- Establish and update Safety Requirement Specification (SRS) and dedicated System SRS documents for each relevant system, ref. /8/.
- Give input to package specifications and technical requisitions.
- Establish structure and content requirements for Safety Analysis Reports (SARs), / /.
- Update SRS and dedicated System SRS documents for each relevant system.
- Follow up vendors and collect SARs for commenting/approval.
- Document compliance with SIL requirements; preferably based on input from vendor SARs where found to have the required/approved quality (to be documented in each System SRS or separate SIL compliance report).
- Ensure required QA (verification/validation/FSA) as described in Chapter 7.
- Follow up and provide input to commissioning and operations.
After HAZOP has been performed during detail engineering phase, Company will be responsible for the following SIL activities:
- Verify and establish updated/additional SIL requirements where required by using the SIFpro™ software tool. According to the design basis for this project /12/, the SIL facilitator used for FEED shall also be used for detail engineering,
- SIL parameters such as failure rates, Probability of Failure on Demand (PFD) and Safe Failure Fraction (SFF) to be checked regularly.
- Take appropriate actions if systems (SISs) and functions (SIFs) deviate from requirements.
- Provide SIL feedback to the Contractor(s) and vendors.
2 THE IEC 61508 AND IEC 61511 STANDARDS, RELATIONSHIP BETWEEN THE STANDARDS
2.1 GENERAL
The international standard IEC 61508 has been widely accepted as the basis for specification, design and operation of Safety Instrumented Systems (SIS). The standard sets out a risk-based approach for deciding the Safety Integrity Level (SIL) for systems performing safety functions. This approach has proved difficult to handle as part of a development project, as it requires extensive analysis work, and since requirements to safety functions can normally not be obtained directly from the Quantitative Risk Analysis (QRA) as it is performed today.
Contractor will therefore seek information in the OLF GL 070 with respect to certain topics, as a useful help, as this guideline has a widely accepted and recommended approach to the implementation of SIS. The OLF GL 070 is provided in order to simplify the application of IEC 61508. Whereas IEC 61508 is a generic standard common to several industries, the process industry has developed their own sector specific standard for application of SIS. This standard, IEC 61511, is also extensively referred to in the OLF GL 070.
IEC 61508 is relevant primarily for manufacturers and suppliers of SIS devices. IEC 61511 is relevant for designers, integrators and users of SIS and is therefore the standard most relevant for the Contractor, with due consideration to IEC 61508 requirements.
The two figures below give guidance on when to apply IEC 61508 and IEC 61511 respectively. The relationship between IEC 61508 and IEC 61511 is shown in Figure 2.1-1;
[Figure 2.1-1: Process sector safety instrumented system standards]
[Figure 2.1-2: Guidance on when to apply IEC 61511 or IEC 61508 (Figure 3 in IEC 61511, Clause 1). Process sector hardware: developing new hardware devices, follow IEC 61508; using proven-in-use hardware devices, follow IEC 61511; using hardware developed and assessed according to IEC 61508, follow IEC 61511. Process sector software: developing embedded (system) software, follow IEC 61508-3; developing application software using full variability languages, follow IEC 61508-3; developing application software using limited variability languages or fixed programs, follow IEC 61511.]
2.2 SAFETY LIFECYCLE
Both IEC 61508 and IEC 61511 are using the safety lifecycle as a framework in order to structure requirements related to specification, design, integration, operation, maintenance, modification and decommissioning of SIS.
3 PROJECT ASSUMPTIONS
3.1 RISK AND INTEGRITY LEVEL CATEGORIES
According to DEP 32.80.10.10-Gen /3/, the required SIL is established based on:
- The probability of occurrence of the hazardous situation if the IPF is not installed; and
- The severity of the consequences expressed in terms of:
  o Personnel health and safety
  o Environmental impact
  o Production and equipment loss
The SIL decision matrixes in DEP 32.80.10.10-Gen, section 4.2.1, shall be used to determine the associated safety integrity level.
3.2 SIL ALLOCATION
A given SIL requirement corresponds to several requirements that have to be fulfilled in order to achieve compliance to IEC 61508/IEC 61511 (/1/ & /2/). The probability of failure on demand (PFD) is a quantitative requirement for the safety function reliability to function on demand. In order to allocate PFD requirements to suppliers and vendors some important assumptions have been made as described below.
The given SIL requirement for a SIS loop corresponds to a minimum probability of failure to perform its design function on demand. In order to allocate a target safety integrity parameter as PFDaverage (Probability of Failure to perform function on Demand), the default mode of operation has been set to low demand mode when specifying requirements to suppliers and vendors (unless specifically identified during the SIL allocation process to be a high demand function, i.e. requiring use of PFH (Probability of a dangerous Failure per Hour)). For equipment package suppliers, this means that deviation from this assumption must be identified and communicated to the contractor. See assumption in Section 3.8.
A SIL requirement shall be divided between the components in the SIS loop. This is particularly important when there are many equipment suppliers involved in each Safety Instrumented Function (SIF).
Dividing the PFD between the components as described below is performed to limit as far as possible the variations in requirements to equipment/component suppliers. Additionally, if the PFD requirement was not
The project shall establish a preliminary reliability data dossier in order to perform reliability calculations during early detail engineering. The data applied in calculations shall, prior to available vendor data, be based on relevant generic data.
Since vendor data will normally not be available at an early stage of engineering, the generic data (preferably from SINTEF's PDS Data Handbook /11/ and/or OREDA data handbook /10/) shall be used to perform preliminary reliability calculations. The main purpose of such preliminary reliability calculations will be to identify possible safety functions that might fail to achieve the required SIL. This will allow potential redesign of systems and/or barriers (if found required) at an early stage of the design development, minimising project cost and schedule impact.
In early detail engineering phase preliminary reliability calculations shall preferably be based on PDS methodology and formulas as recommended by OLF GL 070 /4/. How to use SIFpro™ for the reliability calculation has to be agreed between Company and Contractor after all SIFs have been registered in SIFpro™.
Evaluation of vendor data shall be performed prior to use in final SIL compliance calculations. Vendor data shall be used only if found qualified and sufficiently documented by approved SARs in the project. Company and Contractor shall during the final SIL compliance calculations agree upon an approach for utilization of reliability data from the available sources such as generic failure data (e.g. PDS reliability data) and/or qualified vendor data and/or relevant experience from operations. The reliability data shall be evaluated and as far as possible be ensured to be qualified for the given application.
The reliability data dossier as well as preliminary SIL compliance calculations shall be documented as part of the SIL Identification and Allocation Report in the early detail engineering phase, and be updated during the detail engineering phase.
The final SIL compliance calculations including an updated Data Dossier shall be established as soon as vendor data (i.e. approved SARs) becomes available. This final SIL compliance documentation for all SIFs related to a specific SIS shall be included as part of the respective System SRS /8/.
3.4 LOW COMPLEXITY, PROVEN IN USE OR PRIOR USE
A component is of low complexity if in accordance with the definition in IEC 61508 /1/ (Part 4, Clause 3.4.3) and if dependable field experience exists (ref. IEC 61508-1, Clause 4.2). According to IEC 61508-2 (Clause 7.4.6 and 7.4.7) the requirement related to avoidance and control of systematic failures will not apply to a subsystem considered proven in use (given a set of criteria is fulfilled).
A subsystem can be classified into type A if:
- The failure modes of all constituents are well defined; and
- the behaviour of the subsystem under fault conditions can be completely determined; and
- there is sufficient dependable failure data from field experience to show that the claimed rates of failures for detected and undetected dangerous failures are met.
A subsystem can be classified in type B if:
- The failure mode of at least one constituent component is not well defined, or
- the behaviour of the subsystem under fault conditions cannot be completely determined, or
- there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures.
In general all type A initiators and final elements are assumed to have a SFF of 60% or more, while all type B initiators and final elements are assumed to have a SFF of 90% or more.
For all type A equipment a SFF above 60% is required to avoid hardware fault tolerances (HWFT) of 1 or more (i.e. requiring redundant components). For final elements and initiators such as valves, fire dampers, and analogue transmitters, a SFF of more than 60% is assumed and these are also considered to be type A equipment unless they are intelligent (= smart transmitters).
Similarly, for all type B equipment a SFF above 90% is required to avoid HWFT of 1 or more (i.e. requiring redundant components). For type B initiators a SFF of >90% is assumed. Note that fire & gas (F&G) detectors are defined as single components in the SIL assessment, but will in most fire areas be redundant or in voting configurations which improves the HWFT.
This understanding prevents interpretations of the standard resulting in need for redundant valves and transmitters for SIFs that are realized through standard solution. Such SIFs with standard solutions have been proven in use to be satisfactory over the last few decades. This is in line with interpretations in IEC 61511 for SFF and corresponding HWFT and prior use. Documentation for prior use is required for equipment where reduction in HWFT is allowed.
All vendors supplying equipment/components involved in SIFs with SIL requirements shall document SFF for each critical equipment/components, and a non-compliance with a SFF requirement shall be handled as a
ensure that acceptable risk represented by the Equipment Under Control (EUC) is achieved. Hence, it is assumed that MTTR can be disregarded and PFD calculations can be based on the dangerous undetected (DU) failures only.
3.7 PARTIAL STROKE TESTING
Partial stroke test of valves may be implemented to detect failures and avoid full shutdown of production during testing. Wherever this is considered relevant, the test system must be designed and documented in accordance with principles given in IEC 61508 /1/ for SIFs. In the SIL analyses it is accepted to make use of partial stroke testing, and the actual figure must be qualified in the project based on failure modes not detected by partial stroke testing. Partial stroke testing is not considered to fully qualify as functional test with full closure of valves.
The contribution to identification of dangerous failures during partial stroke testing has to be documented in e.g. Safety Analysis Reports (SARs), test reports or other relevant SIL documentation (or alternatively be defined and agreed with Operator based on e.g. operational experience).
3.8 DEMAND MODE OF OPERATION
All Safety Instrumented Systems (SISs) are considered to be operating in a low demand mode of operation, unless specifically identified during the SIL allocation process to be operating in a high demand or continuous demand mode for a specific SIF. As a consequence of this assumption, most of the reliability requirements related to a certain SIL will generally be based on Table 2 in IEC 61508-1 /1/ while only the SIFs specifically stated to be operating in a high demand or continuous demand mode will be based on Table 3 in IEC 61508-1.
3.9 VENDOR INTERFACE
This is described in detail in the SAR Supplier Guideline document /9/ to be used for Nyhamna expansion.
The main principles for vendor SIL interface within the Nyhamna expansion project are illustrated in Figure 3.9-1 below. It shows the interface required for documentation of compliance with allocated SIL requirements relevant for critical equipment/components within packages. The relevant allocated SIL requirements are directly communicated towards vendor through the package specification as well as with reference to overall SIF and SIL requirements specified in Safety Requirement Specification (SRS) /8/.
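The SFF and hardware fault tolerance rule of Sections 3.4 and 3.5 and the DU-only, low-demand PFD assumption of Sections 3.6 to 3.8 (with partial stroke credit as in 3.7) can be checked for a single SIF element as follows. This is an added example, not code from the report, from SIFpro™ or from any vendor SAR; the partial stroke split formula, the SIL banding from IEC 61508-1 Table 2 and all failure rates used are assumptions made for illustration.

```python
"""Added worked example (not part of the report, SIFpro or any vendor SAR):
apply the project's SFF / hardware fault tolerance assumption (Sections 3.4-3.5)
and the DU-only, low-demand PFD assumption (Sections 3.6-3.8, partial stroke
credit from 3.7) to one SIF element. All failure rates are constructed sample
values, not vendor or PDS/OREDA data."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates split into the IEC 61508 categories:
    SD/SU = safe detected/undetected, DD/DU = dangerous detected/undetected."""
    lam_sd: float
    lam_su: float
    lam_dd: float
    lam_du: float

    def total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lam_SD + lam_SU + lam_DD) / (lam_SD + lam_SU + lam_DD + lam_DU)."""
    if r.total() <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.lam_sd + r.lam_su + r.lam_dd) / r.total()


# Section 3.5: SFF that must be exceeded so that a single component (HWFT 0)
# is acceptable for type A and type B subsystems respectively.
SFF_FOR_HWFT_ZERO = {"A": 0.60, "B": 0.90}


def hwft_zero_acceptable(sff: float, subsystem_type: str) -> bool:
    """True if the element may be used non-redundantly under the project rule.
    A value at or below the threshold is a non-compliance with the SFF
    requirement, to be handled as a deviation (Sections 3.5 and 3.10)."""
    return sff > SFF_FOR_HWFT_ZERO[subsystem_type.upper()]


def pfd_avg_1oo1(lam_du: float, tau_hours: float,
                 pst_coverage: float = 0.0,
                 tau_pst_hours: Optional[float] = None) -> float:
    """Average PFD of a single (1oo1) element, dangerous undetected failures
    only, MTTR disregarded (Section 3.6 assumption): PFD ~= lam_DU * tau / 2.

    Partial stroke testing (Section 3.7) only reveals the fraction
    `pst_coverage` of DU failures; that fraction is credited with the shorter
    PST interval, the remainder keeps the full-closure test interval tau.
    The split formula is the usual simplified approximation and is an
    assumption here, not a figure from the report."""
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("PST coverage must be a fraction in [0, 1]")
    if pst_coverage == 0.0:
        return lam_du * tau_hours / 2
    if tau_pst_hours is None or tau_pst_hours > tau_hours:
        raise ValueError("PST interval must be given and not exceed tau")
    covered = pst_coverage * lam_du * tau_pst_hours / 2
    uncovered = (1.0 - pst_coverage) * lam_du * tau_hours / 2
    return covered + uncovered


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Low-demand SIL band per IEC 61508-1 Table 2 (Section 3.8 default).
    Returns None when the PFD lies outside the table (>= 0.1 or < 1e-5)."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    for sil, low, high in bands:
        if low <= pfd < high:
            return sil
    return None


def assess_element(rates: FailureRates, subsystem_type: str, tau_hours: float,
                   pst_coverage: float = 0.0,
                   tau_pst_hours: Optional[float] = None) -> dict:
    """Combine the checks into the figures a System SRS would record."""
    sff = safe_failure_fraction(rates)
    pfd = pfd_avg_1oo1(rates.lam_du, tau_hours, pst_coverage, tau_pst_hours)
    return {
        "sff": sff,
        "hwft_zero_ok": hwft_zero_acceptable(sff, subsystem_type),
        "pfd_avg": pfd,
        "sil_achieved": sil_from_pfd(pfd),
    }


# Constructed sample: an ESD valve treated as type A (Section 3.5), full-closure
# test every two years, optional monthly partial stroke test revealing 60 % of
# the DU failure modes. None of these numbers come from the report.
VALVE = FailureRates(lam_sd=1e-6, lam_su=1e-6, lam_dd=1.5e-6, lam_du=2e-6)

if __name__ == "__main__":
    print("no PST:", assess_element(VALVE, "A", 2 * HOURS_PER_YEAR))
    print("PST   :", assess_element(VALVE, "A", 2 * HOURS_PER_YEAR, 0.6, 720))
```

With the constructed valve, the same element lands in the SIL 1 band on a two-yearly full-closure test and in the SIL 2 band once the monthly partial stroke credit is applied, while its SFF of about 64 % passes the type A rule but would fail if the element had to be treated as type B.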
[Figure 3.9-1: Main principles for vendor SIL interface within the Nyhamna expansion project. Between Contractor and Vendors: SAR Supplier Requirement; package specific SIL requirement (included in Package Specifications / PO); SRS main document + relevant system SRSs (see Appendix A); updated rev.s of SRS main document + relevant system SRSs (see Appendix A); Safety Analysis Reports (SARs) from relevant Vendors.]
3.10 STRATEGY FOR HANDLING OF DEVIATIONS
For SIFs that fail to meet the PFD, HWFT and/or SFF requirements the following strategies are proposed:
4 DOCUMENTATION
4.1 INTRODUCTION
The IEC 61508 and IEC 61511 are specifying requirements for documentation of implementation of requirements. A SIL working method report (this report), a compliance report, safety requirement specifications, and safety analysis reports from each equipment package supplier will be produced to document how these requirements have been implemented.
4.2 SIL WORKING METHOD REPORT
The SIL working method report shall describe how IEC 61508 and IEC 61511 are planned implemented and executed for the Nyhamna onshore EPCm project in the detail engineering phases. This includes document relationships, requirements for verification, validation, and functional safety assessment, and management activities. The method for determination of SIL shall also be described within this document.
4.3 SIL IDENTIFICATION AND ALLOCATION REPORT
A SIL identification and allocation report shall document the systems and safety functions where Safety Integrity Levels (SIL) and functional safety requirements are applicable. The report shall also present how the SIL for each function have been established.
A preliminary SIL compliance calculation will be included in the SIL identification and allocation report in the early detail engineering phase. The intention of this calculation is to give early attention to problematic safety barriers, i.e. safety instrumented functions (SIFs) which are unlikely to comply with the given requirements. The preliminary SIL compliance calculation shall indicate whether the proposed system design is likely to achieve the identified SIL and whether a SIS may have to be redesigned. Calculations are performed with generic failure data (no vendor specific failure data are available at this stage).
4.4 SIL COMPLIANCE REPORT
A final SIL compliance report (SIL assessment recordings in SIFpro™) will be produced in late detail engineering phase to document that the SIFs meet the requirements from the methods for determination of level of integrity given to the safety instrumented functions. Results will be recorded in SIFpro™. Calculations
3.4. Failure consequences on demand
3.4.1. Safety
3.4.2. Environmental
3.4.3. Commercial
3.5. Demand rates on safety function
4. Performance requirements
4.1. Integrity level
4.2. Required risk reduction
4.3. Response time
4.4. Test interval
4.5. SIF Performance Requirements
4.5.1. Maximum Allowable Spurious Trip Rate
4.5.2. Application Software Requirements
4.5.3. Mean Time to Repair
4.5.4. Survival of the Safety Instrumented Functions
5. Compliance
5.1. Documentation of PFD, SFF and HWFT
5.2. Architectural constraints
5.3. Avoidance and control of systematic failures
5.4. Logging of SIS performance
6. Verifications, Validations and Functional Safety Assessment (FSA)
6.1. Verifications
6.2. Validations
6.3. Functional Safety Assessment (FSA)
7. References
8. Appendix A Safety Analysis Reports
9. Appendix B Compliance to requirements
10. Appendix C Overview of tag nos / safety function connection
11. Appendix D FAT/SAT results
12. Appendix E Commissioning checklist
13. Appendix F Operations and maintenance checklist
The SRS will discuss, calculate, document and verify the defined safety functions related to the system
- Failure rate of the components
- Recommended time interval between functional testing
- MTTR
- Diagnostic coverage
- Voting
- Common cause failures
IEC 61508-2 Clause 7.4.9.3 lists information that shall be available for each safety-related subsystem, and hence, documented in the SAR.
IEC 61511-1 Clause 11.9.2 lists information that shall be taken into account when calculating PFD due to hardware failures, and hence, documented in the SAR.
To ensure consistent layout of the SARs the following table of content shall be used. This will facilitate review and verification of the SARs in the detail engineering phase and use of the SARs in the phases following the detail engineering phase;
SAR Table of content
I Abbreviations
II References
III Summary
1. Introduction
2. System Description
3. System Topology and Block Diagram
4. Operational description of the system
5. Assumptions
6. Failure rate of the components
7. Diagnostic Coverage & Safe Failure Fraction
8. Architectural Constraints (HWFT and voting principles)
9. Common Cause failures
10. Behaviour of system/components on detection of a fault
There are no requirements that components or systems shall be certified to IEC 61508 or IEC 61511. Applying a certificate will not relieve a vendor from documenting IEC 61508/61511 compliance and supplying a SAR. However, a vendor supplying a certified component/system will only have to document the following parts of the SAR;
I Abbreviations
II References
III Summary
1. Introduction
2. System Description
3. System Topology and Block Diagram
4. Operational description of the system
5. Assumptions
6. Failure rate of the components*
7. Diagnostic Coverage & Safe Failure Fraction*
8. Architectural constraints (HWFT and voting principles)
9. Common Cause failures*
10. Behaviour of system/components on detection of a fault
11. Mean Time To Repair*
12. Factory testing
13. Operational testing (included test procedures and recommended functional test interval)
14. NA
15. NA
16. Results
Appendices, e.g. Certificates
* Note that background/supporting documentation for the claimed figures in these chapters is not required for a certified component/system.
5 MANAGEMENT OF FUNCTIONAL SAFETY
The objective of the requirements in this section is to identify the management activities that are necessary to ensure that all functional safety objectives are met. With reference to Clause 6 in IEC 61508-1 and clause 5 in IEC 61511-1, management activities to comply with functional safety according to IEC 61508 and IEC 61511 will be based on the following;
- General requirements
- Organisation and resources
- Risk evaluation and risk management
- Planning and follow up
- Implementing and monitoring
- Assessment and auditing (Verification / Validation / FSA)
It will also be important to ensure correct handling of:
- Potential contractual challenges
- Potential non-conformances
- Relevant interactions with other project activities.
5.1 GENERAL REQUIREMENTS
This SIL working method (incl. plan for management and functional safety) established for Nyhamna expansion must be communicated to the project organisation for consistent implementation of IEC 61508/61511 in the project.
5.2 ORGANISATIONS AND RESOURCES
Persons, departments and organisations or other units which are responsible for carrying out and reviewing each of the safety life-cycle phases shall be identified and be informed of the responsibilities assigned to them. It is also important to ensure the required competence within the organisation as well as for each of the personnel involved.
In the FEED phase for the Nyhamna expansion project, the Company had the main responsibility for coordinating the SIL activities: SIL identification and allocation for the PSD system ref to YX SIL report
follow up and ensure that SAR(s) will be issued by relevant supplier(s) for project review and acceptance in due time (as specified in the supplier document list), i.e. allowing for comments and updating of the SAR if found required prior to achieving project approval. It is also the responsibility of the PRE to make sure that each SAR is sent to relevant discipline for review (as a minimum, the Safety discipline shall review the SAR but preferably also the relevant System SRS owner(s)).
All SAR(s) must be ensured to have the required quality for approval (i.e. the quality required for achieving Status Code 1) in due time before final compliance calculations are to be performed within the EPCm project. SAR reports found to have non-compliance with relevant format and content requirements as specified in the SAR Supplier Requirements document /9/ will not be accepted. It is not sufficient to only deliver a SIL certificate, since all required documentation as specified in the SAR Supplier Requirements document shall be included in the SAR in order to achieve project approval.
Figure 5.2-1 below gives a coarse overview of multidiscipline involvement and responsibilities related to the main SIL activities and deliverables during EPCm.
5.4 PLANNING AND FOLLOW UP
The IEC 61508/61511 implementation process is described in this document and specifically in the safety lifecycle model as shown in Section 6.1 of this document.
5.5 IMPLEMENTING AND MONITORING
The implementing and monitoring of actions from reviews and audits will be covered in the QA plan for the project.
5.6 ASSESSMENT AND AUDITING
Reference is made to Chapter 6 of this document. Requirements related to Functional Safety Assessment are outlined in IEC 61511, Clause 5.2.1.
5.7 HANDLING OF POTENTIAL NON-CONFORMANCE
Any non-conformance with requirements given in IEC 61508, IEC 61511, DEP 32.80.10.10-Gen, or OLF GL 070 shall be formally handled through the project systems for handling of contractual deviations. If a deviation is rejected, the next step will be to redesign the SIF in order to meet the relevant SIL requirements.
All applications for deviation where Company documents or governmental regulations are deviated shall be communicated to Company. Deviation applications from vendors regarding SIL requirements shall be directed to SRS owner for handling and further discussions with Company.
Typically, non-conformance will be related to too low SFF with the given hardware fault tolerance (HWFT), a too high PFD or insufficient systems (guidelines, procedures, checklists) for avoidance and control of systematic failures.
5.8 RELEVANT INTERACTIONS WITH OTHER PROJECT ACTIVITIES
As far as possible, the Quantitative Risk Analyses (QRA) /13/ shall reflect and verify the SIL requirements allocated for Nyhamna expansion SIFs. The analyses shall utilise the SIL requirements (PFD figures) in e.g. the event trees so that the assumed performance of the Safety Instrumented Functions (SIFs) are reflected in the calculated risk level. This will also enable the analyses to act as verification versus the given SIL requirements, particularly that they are sufficiently stringent.
-
8/21/2019 209217952 SIL Working Method Report
24/35
Document title:
SIL Working Method Report
6 OVERALL SAFETY LIFECYCLE REQUIREMENTS

6.1 SIS WORKING PROCESS - SAFETY LIFECYCLE MODEL
A project specific SIS working process for implementation of IEC 61508/61511 in the Nyhamna expansion project has been established. Figure 6.1-1 and Figure 6.1-2 in the next two pages give a brief overview of the handling of SIL requirements in the FEED, Detail Engineering (EPCm), Commissioning and Operation phases.

[Figure 6.1-1 and Figure 6.1-2: SIS working process / safety lifecycle model for the FEED, EPCm, Commissioning and Operation phases; the figures themselves are not reproduced in this transcript.]
6.2 SAFETY LIFECYCLE REQUIREMENTS
This Section gives a brief description of the activities as outlined under the activity time axis in Figure 6.1-1 for this project, covering the SIS working process for implementation of SIL in the FEED and EPCm phases.

6.2.1 Scope definition
This phase is covered by the information in, and the work around developing, this document.

6.2.2 Identification of EUC and SIS to be SIL evaluated
In general all Safety Instrumented Functions (SIFs) shall go through a SIL assessment to determine the required SIL. Each EUC and related SIFs will be defined by hazard identification activities (e.g. HAZOP; during HAZOP, the EUC and final element for each initiator should be identified based on P&IDs, HAZID, multidiscipline SIL workshops, etc.) as well as by review of the SIS design for the Nyhamna expansion versus relevant requirements given in DEP 32.80.10.10-Gen. /3/, relevant standards in the Nyhamna onshore engineering design standards /14/, Safety Critical Elements Identification and Performance Standards /15/, OLF GL 070 /4/, NORSOK S-001 /16/, etc.

When relevant, discussions with each system responsible will be performed in order to find SIFs not specified in the guideline. Furthermore, dedicated multidiscipline workshops should be arranged by the Safety discipline as found required in order to identify and verify SISs/SIFs to be SIL evaluated. Relevant disciplines to participate will typically be Instrument, Process, HVAC, Electro, Telecom, Mechanical and Safety. Company should also be involved and participate in this identification process.

The main purposes of performing a SIL classification process during the FEED phase and early engineering phase are to:
- Ensure the level of risk reduction afforded to the SIS is not excessive and the SILs are not too high.
- Ensure adequate sensors and final elements have been provided in the design to meet the PFD requirements of the SIL.
- Confirm that SIFs are capable of adequately preventing/mitigating the hazardous event.
- Ensure the impact of spurious trips is minimised and understood.

The main purposes of an initial SIL workshop are to:
DEP 32.80.10.10-Gen. The consequences were based on three categories, which are personnel safety impact, environmental impact and commercial/economic impact. In cases where SIL (Safety Integrity Level), EIL (Environmental Integrity Level) and AIL (Asset Integrity Level) are different from each other, the most stringent requirement shall be applicable for the SIF as the SIL requirement. Note that not all SIFs will be allocated a SIL; however, this is only relevant in case of low criticality of the SIF. The likelihood assessment considered possible failures that could cause the hazardous event, as well as independent protection layers and conditions that would help to prevent or mitigate the hazardous event. Prevention and mitigation layers were only considered if they were deemed sufficiently reliable to provide at least one order of magnitude risk reduction.

With a given SIL requirement, an overall maximum allowable average PFD is given. Since a SIF consists of several elements, the PFD should be distributed between these based on the specific configuration and in accordance with the expected unavailability (i.e. based on historical failure data) for the involved components. Typical allocation will be performed as described in Section 3.2.

6.2.4 Additional SIL allocation
In addition to the method defined above, it has been agreed with Company that SIL allocation can be performed according to the following method in the early detail engineering phase:

Since the SIL review was only performed for the PSD functions by using SIFpro™ during the project FEED phase, the SIL review for Global Safety Functions needs to be completed in an early stage of the detail engineering phase. Due to limited SIFpro™ resources, it has been agreed with Company (ref. /17/) that OLF GL 070 /4/ should be applied for SIL assessment on the Global Safety System. OLF GL 070 specifies a number of standard SIFs with pre-defined minimum SIL requirements. Hence, if the identified SIF is evaluated to be sufficiently covered by any of the OLF GL 070 standard SIFs, then the predefined SIL requirement in OLF GL 070 should be used. It should however, prior to such simplified allocation, be evaluated and concluded that the pre-defined minimum SIL requirement will be fully applicable for the specific SIF (i.e. not too weak or too stringent). In case a potential integrity deviation is identified for a SIF, the pre-defined minimum SIL requirements may not be relevant, and the SIL should be verified and allocated by use of the IEC 61508/61511 risk based methodology.

After the process design has matured during the detail engineering phase, SIL verification/re-assessment should be performed by Shell Global Solutions by using SIFpro™ for all SIL functions in the project.
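The PFD distribution described above (a SIF-level PFDavg budget split over sensors, logic solver and final elements according to their expected unavailability) and the typical non-conformance named in Section 5.7 (too low SFF for the given hardware fault tolerance, or too high PFD) can be checked mechanically. The following is a worked example added to this transcript; it is not Kvaerner, Company or SIFpro™ code, and it uses the simplified IEC 61508-6 low-demand formulas without a common-cause factor. The failure rates, tag numbers and the SIL 2 target are constructed for illustration and are not taken from OREDA /10/, the PDS handbook /11/ or any project SRS.

```python
"""Worked example added to this report (not Kvaerner or Company project code).
Distributes a SIF's PFDavg budget over its subsystems, maps the total onto the
IEC 61508 low-demand SIL bands, and applies the SFF / hardware fault tolerance
architectural constraint that Section 5.7 names as a typical non-conformance.
Simplified IEC 61508-6 formulas, no common-cause (beta) and no repair term:
    PFDavg(1oo1) = lambda_DU * TI / 2      PFDavg(1oo2) = (lambda_DU * TI)**2 / 3
    SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)
Failure rates are constructed illustrative values (per hour), not OREDA/PDS data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low demand mode: upper PFDavg limit for each SIL.
SIL_PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}

# IEC 61508-2 Tables 2/3 (architectural constraints): maximum SIL claimable for a
# subsystem by type (A simple / B complex), SFF band and HFT 0/1/2; 0 = not allowed.
ARCH_LIMIT = {
    "A": {"<60": (1, 2, 3), "60-90": (2, 3, 4), "90-99": (3, 4, 4), ">=99": (3, 4, 4)},
    "B": {"<60": (0, 1, 2), "60-90": (1, 2, 3), "90-99": (2, 3, 4), ">=99": (3, 4, 4)},
}


def sff_band(sff: float) -> str:
    if sff < 0.60:
        return "<60"
    if sff < 0.90:
        return "60-90"
    return "90-99" if sff < 0.99 else ">=99"


@dataclass(frozen=True)
class Subsystem:
    name: str
    kind: str               # "A" or "B"
    voting: str             # "1oo1" (HFT 0) or "1oo2" (HFT 1)
    lambda_du: float        # dangerous undetected failures per hour
    lambda_dd: float        # dangerous failures detected by diagnostics
    lambda_s: float         # safe failures (detected + undetected)
    proof_test_years: float

    def hft(self) -> int:
        return {"1oo1": 0, "1oo2": 1}[self.voting]

    def pfd_avg(self) -> float:
        x = self.lambda_du * self.proof_test_years * HOURS_PER_YEAR
        return x / 2.0 if self.voting == "1oo1" else x * x / 3.0

    def sff(self) -> float:
        non_du = self.lambda_s + self.lambda_dd
        return non_du / (non_du + self.lambda_du)

    def arch_sil_limit(self) -> int:
        return ARCH_LIMIT[self.kind][sff_band(self.sff())][self.hft()]


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose low-demand PFDavg band the value satisfies (0 = none)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_UPPER[sil]:
            return sil
    return 0


def assess_sif(name: str, target_sil: int, subsystems: list) -> dict:
    """Sum subsystem PFDavg, derive the SIL achievable by PFD and by architecture,
    and list every non-conformance against the target SIL."""
    total = sum(s.pfd_avg() for s in subsystems)
    sil_pfd = sil_from_pfd(total)
    sil_arch = min(s.arch_sil_limit() for s in subsystems)
    findings = []
    if sil_pfd < target_sil:
        findings.append(f"PFDavg {total:.2e} exceeds the SIL {target_sil} limit "
                        f"{SIL_PFD_UPPER[target_sil]:.0e} (too high PFD)")
    for s in subsystems:
        if s.arch_sil_limit() < target_sil:
            findings.append(f"{s.name}: SFF {s.sff():.0%} with HFT {s.hft()} "
                            f"(type {s.kind}) limits it to SIL {s.arch_sil_limit()}")
    return {"sif": name, "target_sil": target_sil, "pfd_avg": total,
            "share": {s.name: s.pfd_avg() / total for s in subsystems},
            "sil_by_pfd": sil_pfd, "sil_by_architecture": sil_arch,
            "achieved_sil": min(sil_pfd, sil_arch), "findings": findings}


def example_sif(valve_voting: str = "1oo1", valve_proof_test_years: float = 1.0) -> list:
    """Constructed SIL 2 high-pressure trip: 1oo2 transmitters, one logic solver,
    and hypothetical shutdown valve(s) whose voting and proof-test interval vary."""
    return [
        Subsystem("PT-101A/B transmitters", "B", "1oo2", 3e-7, 1.2e-6, 5e-7, 1.0),
        Subsystem("Logic solver", "B", "1oo1", 1e-8, 1.0e-6, 5e-7, 1.0),
        Subsystem("XV-101 shutdown valve", "A", valve_voting, 2e-6, 0.0, 1e-6,
                  valve_proof_test_years),
    ]


if __name__ == "__main__":
    for voting, years in (("1oo1", 1.0), ("1oo2", 1.0), ("1oo1", 2.0)):
        r = assess_sif("PSD high pressure trip", 2, example_sif(voting, years))
        print(f"valve {voting}, TI {years:g} y: PFDavg={r['pfd_avg']:.2e} "
              f"SIL by PFD/arch/achieved={r['sil_by_pfd']}/{r['sil_by_architecture']}/"
              f"{r['achieved_sil']}; findings={r['findings']}")
```

Running the three cases shows the two failure modes of Section 5.7 separately: with a single 1oo1 valve the summed PFDavg (about 8.8e-3) is inside the SIL 2 band, but the valve's 33 % SFF at HFT 0 caps the loop at SIL 1 by architecture; doubling the valve's proof-test interval instead pushes the PFDavg itself above 1e-2. A 1oo2 valve arrangement satisfies both, and the "share" figures show that the final element carries almost all of the PFD budget, which is why allocation per element (Section 3.2) matters more for valves than for the logic solver. The 1oo2 formula used here ignores common-cause failure, so it overstates the benefit of redundancy; the PDS method the project's handbook data /11/ is based on adds a beta factor that a real SIL verification must include.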
- Specification of which reliability data should be collected and analysed during the operational phase.

From a SIS realisation point of view, these bullet points should be established as early as possible to establish relevant premises as input to the SRS. However, this may not be practicable, hence the above list should be reviewed, and information essential for robust and safe SIS development and realisation must be established in a SIL operational strategy.

The contents of the SRS indicate the issues that are required to be covered by the SIL operational strategy. The following table shows the sections of the SRS where the SIL operational strategy has input (compared to Table E.1 in OLF GL 070):

ID | Reference, IEC 61511, Ch. 10.3 | Lifecycle phase (ref. Section 6.1 in this report)
5 | Assumed sources of demand and demand rate of the safety instrumented function | Pre-execution
6 | Requirement of proof test intervals | Pre-execution
12 | Requirements for manual shutdown | SRS rev. 1
14 | Requirements for resetting the SIS after a shutdown | SRS rev. 1
17 | Any specific requirements related to the procedure for starting up and restarting the SIS | SRS rev. 1
19 | Description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode | SRS rev. 2
21 | Requirements for overrides/inhibits/bypasses including how they will be cleared | SRS rev. 1
22 | Specification of any action necessary to achieve a safe state in the event of faults being detected by the SIS. Any such action shall be determined taking account of all relevant human factors | SRS rev. 1
23 | Minimum worst-case repair time which is feasible for the SIS, taking into account the travel time, location, spares holding, service contracts, environmental | SRS rev. 2
Appendix A) to be established for each relevant system (e.g. by cross referring to relevant SARs for detailed documentation for critical equipment and components).

6.2.8 Safety validation planning
After the detail engineering lifecycle phase is complete and the SRS is produced for all defined safety systems, an SIS safety validation can take place. This validation shall check the actual design against the requirements in the SRS.

The overall safety validation will be performed in the commissioning phase to verify that the design meets the SRS in all respects.

For further details see Section 7.2.
7 VERIFICATION, VALIDATION AND FSA

7.1 VERIFICATION

7.1.1 General
Verification is covered by the general QA system within Contractor as well as by separate verification activities. The verification activities will be performed by activity independent personnel in the project and by project independent personnel.

Verification activities are generally performed throughout the overall safety lifecycle and specifically after each lifecycle phase to ensure that the requirements for that phase are met. These activities include Discipline Internal Checks (DICs), Inter Discipline Checks (IDCs), and reviews & audits logged in the QA management register (Product Assurance Register, PAR). These QA activities are described in Contractor's corporate requirements.

In general, all items with SIL requirements shall be subject to verification activities. This will include checking of the content and quality of e.g. the Safety Analysis Reports (SARs) and checking of calculations in the Safety Requirement Specifications (SRSs), etc.

The verifications will also be performed during activities like:
- HAZOP
- HAZID
- SIL workshops.

These verification activities will be documented through:
- HAZOP report
- HAZID report
- Minutes of meeting from workshops/reviews.

All activities as well as results related to SIL identification and allocation shall be documented in the SIL Identification and Allocation Report /7/.

7.1.2 SIS verification
shall generally follow normal project routine related to commissioning procedures. Engineering scope is therefore limited to providing additional requirements to existing procedures in the form of e.g. SIL related Commissioning Check Lists (included as appendices to each System SRS). The results from the overall safety validation shall be documented in commissioning to ensure that a change made to the SIS by commissioning is included in the relevant System SRSs (see document listing in Appendix A).

In case the validation results in a non-conformance with the applied SIL requirements, the project shall either implement changes as required or apply for deviation to Company (ref. Section 3.10 and Section 5.7).

7.3 FUNCTIONAL SAFETY ASSESSMENT (FSA)
Functional Safety Assessment (FSA) is in the IEC 61508/61511 standards defined as audits at predefined stages of the safety lifecycle. FSAs shall be performed by project independent personnel as required by the SIL level (ref. Tables 4 and 5 in IEC 61508-1).

OLF GL 070, Section 6.5 recommends FSAs in the following stages of a project (with reference to IEC 61511):
1. After the hazard and risk assessment has been carried out, the required protection layers have been identified and the SRS has been developed.
2. After the SIS has been designed.
3. After the installation, pre-commissioning and final validation of the SIS has been completed and the operation and maintenance procedure has been developed.
4. After gaining experience from operation and maintenance.
5. After modification and prior to decommissioning of a SIF.

Based on these recommendations, the following timing of FSAs has been found to be relevant for the engineering phases (EPCm) of the Nyhamna expansion project:
- FSA Phase I: To be performed after all SIFs and related SIL requirements have been identified, verified/updated in the detail engineering/EPCm phase (as well as the SRS Main Document and all System SRSs).
- FSA Phase II: To be performed after all relevant SARs have been received and approved, and all SIL compliance documentation updated in the System SRSs or established in a dedicated final SIL compliance report.
8 REFERENCES
1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, 2010.
2. IEC 61511: Functional safety: Safety instrumented systems for the process industry sector, International Electrotechnical Commission, 2003.
3. DEP 32.80.10.10-Gen: Instrumented Protective Functions, 2011.
4. OLF GL 070: Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, The Norwegian Oil Industry Association, rev. 02, October 2004.
5. 37-1A-SHA-I15-00009: NYX-SIL report, Rev. 03E.
6. 37-1A-KST-F15-00026: SIL working method report.
7. 37-1A-KST-F15-00027: SIL Identification and Allocation Report.
8. 37-1A-KST-F15-00028: Safety Requirement Specification (SRS).
9. 37-1A-AK-F15-00009: SAR Supplier Requirement.
10. OREDA 2009 Handbook: Offshore Reliability Data, SINTEF, 5th Edition.
11. PDS Data Handbook: Reliability Data for Safety Instrumented Systems, SINTEF, 2010 Edition.
12. 37-1A-SHA-X02-00010: Basic Design and Engineering Package Part VI - Contractor Service.
13. 37-1A-KST-F15-00020: Nyhamna Expansion QRA Report.
14. 37-1A-NS-D50-66000: Nyhamna Projects Onshore Engineering Design Standards.
15. 37-1A-SHA-F15-00005: Safety Critical Elements Identification and Performance Standards.
16. NORSOK S-001: Technical Safety, Edition 4, 2008.
17. Company response to TQ-AET-KST-KS-0017.
APPENDIX A
SRS RESPONSIBILITY MATRIX

1 SRS responsibility matrix
The following table gives an overview of the responsible system discipline for each dedicated System SRS document. It also shows the SRS Main Document owned by the safety discipline. The System SRS documents will be owned and issued by the relevant system disciplines as shown in this table.
(R = Responsible, I = Input required)

Doc. no. | Title | System | R/I entries, in column order Safety, Instrument, Process, Electrical, HVAC, Telecom, Piping, Mechanical, Operations/Maintenance (empty cells not shown)
37-1A-KST-F15-00028 | SRS Main document | General for all relevant systems | R I I I I I I I I
N.A. for Nyhamna expansion | SRS System 43 Flare, ventilation and blowdown | 43 - Flare, ventilation and blowdown systems | - - - - - - - - -
Not yet known | SRS System 67 Process shutdown | 67 - Process shutdown systems | I R I I I I I
Not yet known | SRS System 69 Distributed control/monitoring (HIPPS) | 69 - Distributed control/monitoring (HIPPS) systems | I R I I I I
Not yet known | SRS System 70 F&G detection | 70 - F&G detection systems | R I I I I I I
Not yet known | SRS System 71&72 Fire water | 71&72 - Fire water systems | R I I I I I
Not yet known | SRS System 77 HVAC | 77 - HVAC systems | I I I R I I
Not yet known | SRS System 78&79 Emergency shutdown and depressurisation | 78&79 - Emergency shutdown and depressurisation systems | I R I I I I I
Not yet known | SRS System 85 Emergency power | 85 - Emergency power systems | I I I R I I I I