209217952 SIL Working Method Report


8/21/2019 209217952 SIL Working Method Report

Document No.: 37-1A-KST-F15-00026
Originator: AET
Tag No.: N
Document Title: SIL WORKING METHOD REPORT
Project name: Nyhamna Onshore EPCm Project
Rev.: 01
System No.: 00
Area Code: X00
Page: 1 of 35


TABLE OF CONTENTS

1 INTRODUCTION
1.1 Abbreviations
1.2 Revision History
1.3 Scope
2 THE IEC 61508 AND IEC 61511 STANDARDS, RELATIONSHIP BETWEEN THE STANDARDS
2.1 General
2.2 Safety lifecycle
3 PROJECT ASSUMPTIONS
3.1 Risk and integrity level categories
3.2 SIL allocation
3.3 Reliability data
3.4 Low complexity, proven in use or prior use
3.5 Safe failure fraction (SFF)
3.6 Systematic failures, PSF and calculation of PFD


5 MANAGEMENT OF FUNCTIONAL SAFETY
5.1 General requirements
5.2 Organisations and resources
5.3 Risk evaluation and risk management
5.4 Planning and follow up
5.5 Implementing and monitoring
5.6 Assessment and auditing
5.7 Handling of potential non-conformance
5.8 Relevant interactions with other project activities
6 OVERALL SAFETY LIFECYCLE REQUIREMENTS
6.1 SIS working process Safety lifecycle model
6.2 Safety lifecycle requirement
6.2.1 Scope definition
6.2.2 Identification of EUC and SIS to be SIL evaluated
6.2.3 Method for establishment of SIL requirements and SIL allocation
6.2.4 Additional SIL allocation
6.2.5 Operation and maintenance philosophies & SIL strategy
6.2.6 Detailed requirement and SIS realisation
6.2.7 Avoidance and control of systematic failures
6.2.8 Safety validation planning


1 INTRODUCTION

To prevent escalation of unstable situations into hazardous situations or accidents, as well as to reduce the consequences of accidents, safety barriers shall be installed on equipment, process segments and as protection between different areas on an installation. These barriers can be mechanical barriers (reliefs, valves, fire walls, etc.), or barriers controlled by instrumented systems (such as F&G systems, automatic PSD/ESD isolation valves and automatic fire extinguishing systems).

The quality of the safety barriers is essential for achieving acceptable risk levels on an installation. Hence, relevant Safety Integrity Level (SIL) analysis activities (incl. management of functional safety) shall be established and performed as an integrated part of the design development for the Nyhamna expansion installation. For this project, design of all electrical, electronic, programmable electronic (E/E/PE) safety systems shall meet requirements specified in IEC 61508 and IEC 61511 standards, ref. /1/ /2/. The implementation of IEC 61508 and IEC 61511 shall be according to the requirements given in the Company documents DEP 32.80.10.10-Gen /3/ and OLF GL 070 /4/ in addition to the IEC standards 61508 and 61511.

1.1 ABBREVIATIONS

CSU Critical Safety Unavailability
DEP Design and Engineering Practice (Shell design manual)
E/E/PES Electrical/Electronic/Programmable Electronic System
EPCm Engineering Procurement Construction Management
ESD Emergency Shutdown
EV Emergency shutdown Valve (valve connected to the ESD system)
EUC Equipment Under Control
F&G Fire and Gas
FAT Factory Acceptance Test
FEED Front End Engineering Design
FMECA Failure Modes Effects and Criticality Analysis


PRE Package Responsible Engineer
PSD Process Shutdown
PSF Probability of Systematic Failure
QA Quality Assurance
SAR Safety Analysis Report
SAS Safety and Automation System
SAT System Acceptance Test
SFF Safe Failure Fraction
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SRS Safety Requirement Specification

Definitions:

SIS Safety Instrumented System: Instrumented system used to implement one or more Safety Instrumented Functions (SIFs). A SIS is composed of any combination of Initiator(s), Logic Solver(s), and/or Final Element(s).

SIF Safety Instrumented Function: Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.

SIF as used in this report is referred to as an Instrumented Protective Function (IPF) in DEP 32.80.10.10-Gen /3/.


The detail engineering (EPCm) phase

The EPCm Contractor is responsible for the following SIL activities in the detail engineering phase:

- Plan and document how IEC 61508/61511, DEP 32.80.10.10-Gen and OLF GL 070 shall be implemented in the project (ref. /6/).
- Further identify/define, detail out and document the SISs and SIFs where SIL and functional safety requirements are applicable, and allocate SIL requirements for each relevant SIF, ref. /7/.
- Perform preliminary reliability calculations to detect any SIFs that possibly need to be reconsidered or redesigned, ref. /7/.
- Establish and update Safety Requirement Specification (SRS) and dedicated System SRS documents for each relevant system, ref. /8/.
- Give input to package specifications and technical requisitions.
- Establish structure and content requirements for Safety Analysis Reports (SARs).
- Update SRS and dedicated System SRS documents for each relevant system.
- Follow up vendors and collect SARs, commenting/approval.
- Document compliance with SIL requirements; preferably based on input from vendor SARs where found to have the required/approved quality (to be documented in each System SRS or separate SIL compliance report).
- Ensure required QA (verification/validation/FSA) as described in Chapter 7.
- Follow up and provide input to commissioning and operations.

After HAZOP has been performed during detail engineering phase, Company will be responsible for the following SIL activities:

- Verify and establish updated/additional SIL requirements where required by using the SIFpro™ software tool. According to the design basis for this project /12/, the SIL facilitator used for FEED shall also be used for detail engineering.


- SIL parameters such as failure rates, Probability of Failure on Demand (PFD) and Safe Failure Fraction (SFF) to be checked regularly.
- Take appropriate actions if systems (SISs) and functions (SIFs) deviate from requirements.
- Provide SIL feedback to the Contractor(s) and vendors.


2 THE IEC 61508 AND IEC 61511 STANDARDS, RELATIONSHIP BETWEEN THE STANDARDS

2.1 GENERAL

The international standard IEC 61508 has been widely accepted as the basis for specification, design and operation of Safety Instrumented Systems (SIS). The standard sets out a risk-based approach for deciding the Safety Integrity Level (SIL) for systems performing safety functions. This approach has proved difficult to handle as part of a development project, as it requires extensive analysis work, and since requirements to safety functions can normally not be obtained directly from the Quantitative Risk Analysis (QRA) as it is performed today.

Contractor will therefore seek information in the OLF GL 070 with respect to certain topics, as a useful help, as this guideline has a widely accepted and recommended approach to the implementation of SIS. The OLF GL 070 is provided in order to simplify the application of IEC 61508. Whereas IEC 61508 is a generic standard common to several industries, the process industry has developed their own sector specific standard for application of SIS. This standard, IEC 61511, is also extensively referred to in the OLF GL 070.

IEC 61508 is relevant primarily for manufacturers and suppliers of SIS devices. IEC 61511 is relevant for designers, integrators and users of SIS and is therefore the standard most relevant for the Contractor, with due consideration to IEC 61508 requirements.

In the two figures below, guidance on when to apply IEC 61508 and IEC 61511 respectively is given. The relationship between IEC 61508 and IEC 61511 is shown in Figure 2.1-1:

Figure 2.1-1 Process sector safety instrumented system standards (relationship between IEC 61508 and IEC 61511; figure not reproduced)


Figure 2.1-2 Guidance on when to apply IEC 61511 or IEC 61508 (Figure 3 in IEC 61511, Clause 1). The decision tree of the figure reads:

- Process sector hardware: developing new hardware devices, follow IEC 61508; using proven-in-use hardware devices, follow IEC 61511; using hardware developed and assessed according to IEC 61508, follow IEC 61511.
- Process sector software: developing embedded (system) software, follow IEC 61508-3; developing application software using full variability languages, follow IEC 61508-3; developing application software using limited variability languages or fixed programs, follow IEC 61511.

2.2 SAFETY LIFECYCLE

Both IEC 61508 and IEC 61511 are using the safety lifecycle as a framework in order to structure requirements related to specification, design, integration, operation, maintenance, modification and



3 PROJECT ASSUMPTIONS

3.1 RISK AND INTEGRITY LEVEL CATEGORIES

According to DEP 32.80.10.10-Gen /3/, the required SIL is established based on:

- The probability of occurrence of the hazardous situation if the IPF is not installed; and
- The severity of the consequences expressed in terms of:
  o Personnel health and safety
  o Environmental impact
  o Production and equipment loss

The SIL decision matrixes in DEP 32.80.10.10-Gen, section 4.2.1, shall be used to determine the associated safety integrity level.

3.2 SIL ALLOCATION

A given SIL requirement corresponds to several requirements that have to be fulfilled in order to achieve compliance to IEC 61508/IEC 61511 (/1/ & /2/). The probability of failure on demand (PFD) is a quantitative requirement for the safety function reliability to function on demand. In order to allocate PFD requirements to suppliers and vendors some important assumptions have been made as described below.

The given SIL requirement for a SIS loop corresponds to a minimum probability of failure to perform its design function on demand. In order to allocate a target safety integrity parameter as PFD (average Probability of Failure to perform function on Demand), the default mode of operation has been set to low demand mode when specifying requirements to suppliers and vendors (unless specifically identified during the SIL allocation process to be a high demand function, i.e. requiring use of PFH (Probability of a dangerous Failure per Hour)). For equipment package suppliers, this means that deviation from this assumption must be identified and communicated to the contractor. See assumption in Section 3.8.

A SIL requirement shall be divided between the components in the SIS loop. This is particularly important when there are many equipment suppliers involved in each Safety Instrumented Function (SIF).

Dividing the PFD between the components as described below is performed to limit as far as possible the variations in requirements to equipment/component suppliers. Additionally, if the PFD requirement was not


3.3 RELIABILITY DATA

The project shall establish a preliminary reliability data dossier in order to perform reliability calculations during early detail engineering. The data applied in calculations shall, prior to available vendor data, be based on relevant generic data.

Since vendor data will normally not be available at an early stage of engineering, the generic data (preferably from SINTEFs PDS Data Handbook /11/ and/or OREDA data handbook /10/) shall be used to perform preliminary reliability calculations. The main purpose of such preliminary reliability calculations will be to identify possible safety functions that might fail to achieve the required SIL. This will allow potential redesign of systems and/or barriers (if found required) at an early stage of the design development, minimising project cost and schedule impact.

In early detail engineering phase preliminary reliability calculations shall preferably be based on PDS methodology and formulas as recommended by OLF GL 070 /4/. How to use SIFpro™ for the reliability calculation has to be agreed between Company and Contractor after all SIFs have been registered in SIFpro™.

Evaluation of vendor data shall be performed prior to use in final SIL compliance calculations. Vendor data shall be used only if found qualified and sufficiently documented by approved SARs in the project. Company and Contractor shall during the final SIL compliance calculations agree upon an approach for utilization of reliability data from the available sources such as generic failure data (e.g. PDS reliability data) and/or qualified vendor data and/or relevant experience from operations. The reliability data shall be evaluated and as far as possible be ensured to be qualified for the given application.

The reliability data dossier as well as preliminary SIL compliance calculations shall be documented as part of the SIL Identification and Allocation Report in the early detail engineering phase, and be updated during the detail engineering phase.

The final SIL compliance calculations including an updated Data Dossier shall be established as soon as vendor data (i.e. approved SARs) becomes available. This final SIL compliance documentation for all SIFs related to a specific SIS shall be included as part of the respective System SRS /8/.

3.4 LOW COMPLEXITY, PROVEN IN USE OR PRIOR USE

A component is of low complexity if in accordance with the definition in IEC 61508 /1/ (Part 4, Clause 3.4.3) and if dependable field experience exists (ref. IEC 61508-1, Clause 4.2). According to IEC 61508-2 (Clause 7.4.6 and 7.4.7) the requirement related to avoidance and control of systematic failures will not apply to a subsystem considered proven in use (given a set of criteria is fulfilled).


A subsystem can be classified into type A if:

- The failure modes of all constituents are well defined; and
- the behaviour of the subsystem under fault conditions can be completely determined; and
- there is sufficient dependable failure data from field experience to show that the claimed rates of failures for detected and undetected dangerous failures are met.

A subsystem can be classified in type B if:

- The failure mode of at least one constituent component is not well defined, or
- the behaviour of the subsystem under fault conditions cannot be completely determined, or
- there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures.

In general all type A initiators and final elements are assumed to have a SFF of 60% or more, while all type B initiators and final elements are assumed to have a SFF of 90% or more.

For all type A equipment a SFF above 60% is required to avoid hardware fault tolerances (HWFT) of 1 or more (i.e. requiring redundant components). For final elements and initiators such as valves, fire dampers, and analogue transmitters, a SFF of more than 60% is assumed and these are also considered to be type A equipment unless they are intelligent (= smart transmitters).

Similarly, for all type B equipment a SFF above 90% is required to avoid HWFT of 1 or more (i.e. requiring redundant components). For type B initiators a SFF of >90% is assumed. Note that fire & gas (F&G) detectors are defined as single components in the SIL assessment, but will in most fire areas be redundant or in voting configurations which improves the HWFT.

This understanding prevents interpretations of the standard resulting in need for redundant valves and transmitters for SIFs that are realized through standard solution. Such SIFs with standard solutions have been proven in use to be satisfactory over the last few decades. This is in line with interpretations in IEC 61511 for SFF and corresponding HWFT and prior use. Documentation for prior use is required for equipment where reduction in HWFT is allowed.

All vendors supplying equipment/components involved in SIFs with SIL requirements shall document SFF for each critical equipment/components, and a non-compliance with a SFF requirement shall be handled as a


ensure that acceptable risk represented by the Equipment Under Control (EUC) is achieved. Hence, it is assumed that MTTR can be disregarded and PFD calculations can be based on the dangerous undetected (DU) failures only.

3.7 PARTIAL STROKE TESTING

Partial stroke test of valves may be implemented to detect failures and avoid full shutdown of production during testing. Wherever this is considered relevant, the test system must be designed and documented in accordance with principles given in IEC 61508 /1/ for SIFs. In the SIL analyses it is accepted to make use of partial stroke testing, and the actual figure must be qualified in the project based on failure modes not detected by partial stroke testing. Partial stroke testing is not considered to fully qualify as functional test with full closure of valves.

The contribution to identification of dangerous failures during partial stroke testing has to be documented in e.g. Safety Analysis Reports (SARs), test reports or other relevant SIL documentation (or alternatively be defined and agreed with Operator based on e.g. operational experience).

3.8 DEMAND MODE OF OPERATION

All Safety Instrumented Systems (SISs) are considered to be operating in a low demand mode of operation, unless specifically identified during the SIL allocation process to be operating in a high demand or continuous demand mode for a specific SIF. As a consequence of this assumption, most of the reliability requirements related to a certain SIL will generally be based on Table 2 in IEC 61508-1 /1/ while only the SIFs specifically stated to be operating in a high demand or continuously demand mode will be based on Table 3 in IEC 61508-1.

3.9 VENDOR INTERF ACE

This is described in details in the SAR Supplier Guideline document /9/ to be used for Nyhamna expansion.

The main principles for vendor SIL interface within the Nyhamna expansion project are illustrated in Figure 3.9-1 below. It shows the interface required for documentation of compliance with allocated SIL requirements relevant for critical equipment/components within packages. The relevant allocated SIL requirements are directly communicated towards vendors through the package specification as well as with reference to overall SIF and SIL requirements specified in Safety Requirement Specification (SRS) /8/.
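The assumptions in sections 3.2 to 3.8 (low demand as the default mode, the SFF levels expected of type A and type B equipment and their effect on hardware fault tolerance, MTTR disregarded so that PFD follows from dangerous undetected failures only, and credit for partial stroke testing) can be combined into one check per loop component. The Python below is an added illustration and not code from the report or from the SIFpro™ tool; it assumes the SIL bands of IEC 61508-1 Tables 2 and 3 and the architectural-constraint tables of IEC 61508-2 (2000 edition), and the failure rates and test intervals are constructed sample values.

```python
"""Added worked example (not from the report or SIFpro): one SIS loop component
checked against the allocation assumptions of sections 3.2-3.8, sample values only."""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-1 Table 2 (low demand, PFDavg) and Table 3 (high/continuous
# demand, PFH). Each band is [lower, upper) and maps to the SIL it represents.
LOW_DEMAND_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HIGH_DEMAND_PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Architectural constraints as in IEC 61508-2 (2000) Tables 2 and 3 (assumed
# here): maximum SIL claimable, indexed [SFF band][HWFT], with SFF bands
# <60%, 60-90%, 90-99%, >=99% and HWFT 0, 1, 2. An entry of 0 means not allowed.
ARCH_CONSTRAINTS = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


@dataclass
class Component:
    name: str
    subsystem_type: str  # "A" (well-defined failure modes) or "B", as in section 3.4
    lambda_s: float      # safe failure rate, per hour
    lambda_dd: float     # dangerous detected failure rate, per hour
    lambda_du: float     # dangerous undetected failure rate, per hour

    def sff(self) -> float:
        """Safe failure fraction: share of all failures that are safe or detected."""
        total = self.lambda_s + self.lambda_dd + self.lambda_du
        return (self.lambda_s + self.lambda_dd) / total


def sff_band(sff: float) -> int:
    """Row index of the architectural-constraint table: 0 for <60% up to 3 for >=99%."""
    return sum(sff >= threshold for threshold in (0.60, 0.90, 0.99))


def max_sil_for_architecture(subsystem_type: str, sff: float, hwft: int) -> int:
    """Highest SIL the hardware architecture may claim (0 = not allowed)."""
    return ARCH_CONSTRAINTS[subsystem_type][sff_band(sff)][min(hwft, 2)]


def min_hwft_for_sil(subsystem_type: str, sff: float, target_sil: int) -> Optional[int]:
    """Smallest HWFT (0..2) satisfying the architectural constraint, or None."""
    for hwft in range(3):
        if max_sil_for_architecture(subsystem_type, sff, hwft) >= target_sil:
            return hwft
    return None


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float,
                 pst_coverage: float = 0.0, pst_interval_h: Optional[float] = None) -> float:
    """PFDavg of a single element under the section 3.6 simplification (MTTR
    disregarded, DU failures only). With partial stroke testing (section 3.7) the
    DU share the partial stroke reveals is credited at the shorter PST interval;
    the remainder is only revealed by the full function test."""
    if pst_coverage <= 0.0 or pst_interval_h is None:
        return lambda_du * test_interval_h / 2.0
    covered = lambda_du * pst_coverage * pst_interval_h / 2.0
    uncovered = lambda_du * (1.0 - pst_coverage) * test_interval_h / 2.0
    return covered + uncovered


def sil_from_target(value: float, mode: str) -> int:
    """SIL band of IEC 61508-1 Table 2 (mode "low") or Table 3 ("high") containing value."""
    bands = LOW_DEMAND_PFD_BANDS if mode == "low" else HIGH_DEMAND_PFH_BANDS
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= value < upper:
            return sil
    return 0  # outside every band: no SIL can be claimed


def allocate_check(comp: Component, target_sil: int, test_interval_h: float,
                   hwft: int = 0, **pst) -> dict:
    """Check the quantitative (PFD, low demand default of section 3.8) and the
    architectural (SFF/HWFT) requirement an allocated SIL imposes on one component."""
    pfd = pfd_avg_1oo1(comp.lambda_du, test_interval_h, **pst)
    pfd_sil = sil_from_target(pfd, "low")
    arch_sil = max_sil_for_architecture(comp.subsystem_type, comp.sff(), hwft)
    return {
        "sff": round(comp.sff(), 3),
        "pfd_avg": pfd,
        "pfd_sil": pfd_sil,
        "arch_sil": arch_sil,
        "compliant": pfd_sil >= target_sil and arch_sil >= target_sil,
        "min_hwft": min_hwft_for_sil(comp.subsystem_type, comp.sff(), target_sil),
    }


# Constructed sample: a type A ESD valve allocated SIL 2, annual function test,
# optionally a monthly partial stroke test that reveals 60% of its DU failures.
ESD_VALVE = Component("EV-example", "A", lambda_s=3.0e-6, lambda_dd=1.0e-6, lambda_du=2.0e-6)
ANNUAL_CHECK = allocate_check(ESD_VALVE, 2, test_interval_h=8760)
WITH_PST_CHECK = allocate_check(ESD_VALVE, 2, test_interval_h=8760,
                                pst_coverage=0.6, pst_interval_h=730)
```

With the sample rates the valve has SFF 0.667, so as type A it needs no redundancy for SIL 2, and its annual-test PFDavg of 8.76e-3 sits in the SIL 2 band; raising the target to SIL 3 fails on both counts and would require HWFT 1.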


Figure 3.9-1 Main principles for vendor SIL interface within the Nyhamna expansion project (figure not reproduced; its Contractor and Vendors columns contain the boxes: SAR Supplier Requirement; Package specific SIL requirement (included in Package Specifications/PO); SRS main document; SRS main document + relevant system SRSs (see Appendix A); Updated rev.s of SRS main document + relevant system SRSs (see Appendix A); Safety Analysis Reports (SARs) from relevant Vendors)

3.10 STRATEGY FOR HANDLING OF DEVIATIONS

For SIFs that fail to meet the PFD, HWFT and/or SFF requirements the following strategies are proposed:


4 DOCUMENTATION

4.1 INTRODUCTION

The IEC 61508 and IEC 61511 are specifying requirements for documentation of implementation of requirements. A SIL working method report (this report), a compliance report, safety requirement specifications, and safety analysis reports from each equipment package supplier will be produced to document how these requirements have been implemented.

4.2 SIL WORKING METHOD REPORT

The SIL working method report shall describe how IEC 61508 and IEC 61511 are planned implemented and executed for the Nyhamna onshore EPCm project in the detail engineering phases. This includes document relationships, requirements for verification, validation, and functional safety assessment, and management activities. The method for determination of SIL shall also be described within this document.

4.3 SIL IDENTIFICATION AND ALLOCATION REPORT

A SIL identification and allocation report shall document the systems and safety functions where Safety Integrity Levels (SIL) and functional safety requirements are applicable. The report shall also present how the SIL for each function have been established.

A preliminary SIL compliance calculation will be included in the SIL identification and allocation report in the early detail engineering phase. The intention of this calculation is to give early attention to problematic safety barriers, i.e. safety instrumented functions (SIFs) which are unlikely to comply with the given requirements. The preliminary SIL compliance calculation shall indicate whether the proposed system design is likely to achieve the identified SIL and whether a SIS may have to be redesigned. Calculations are performed with generic failure data (no vendor specific failure data are available at this stage).

4.4 SIL COMPLIANCE REPORT

A final SIL compliance report (SIL assessment recordings in SIFpro™) will be produced in late detail engineering phase to document that the SIFs meet the requirements from the methods for determination of level of integrity given to the safety instrumented functions. Results will be recorded in SIFpro™. Calculations


3.4. Failure consequences on demand
3.4.1. Safety
3.4.2. Environmental
3.4.3. Commercial
3.5. Demand rates on safety function
4. Performance requirements
4.1. Integrity level
4.2. Required risk reduction
4.3. Response time
4.4. Test interval
4.5. SIF Performance Requirements
4.5.1. Maximum Allowable Spurious Trip Rate
4.5.2. Application Software Requirements
4.5.3. Mean Time to Repair
4.5.4. Survival of the Safety Instrumented Functions
5. Compliance
5.1. Documentation of PFD, SFF and HWFT
5.2. Architectural constraints
5.3. Avoidance and control of systematic failures
5.4. Logging of SIS performance
6. Verifications, Validations and Functional Safety Assessment (FSA)
6.1. Verifications
6.2. Validations
6.3. Functional Safety Assessment (FSA)
7. References
8. Appendix A Safety Analysis Reports
9. Appendix B Compliance to requirements
10. Appendix C Overview of tag nos / safety function connection
11. Appendix D FAT/SAT results
12. Appendix E Commissioning checklist
13. Appendix F Operations and maintenance checklist

The SRS will discuss, calculate, document and verify the defined safety functions related to the system


- Failure rate of the components
- Recommended time interval between functional testing
- MTTR
- Diagnostic coverage
- Voting
- Common cause failures

IEC 61508-2 Clause 7.4.9.3 lists information that shall be available for each safety-related subsystem, and hence, documented in the SAR.

IEC 61511-1 Clause 11.9.2 lists information that shall be taken into account when calculating PFD due to hardware failures, and hence, documented in the SAR.

To ensure consistent layout of the SARs the following table of content shall be used. This will facilitate review and verification of the SARs in the detail engineering phase and use of the SARs in the phases following the detail engineering phase;

SAR Table of content

I Abbreviations
II References
III Summary
1. Introduction
2. System Description
3. System Topology and Block Diagram
4. Operational description of the system
5. Assumptions
6. Failure rate of the components
7. Diagnostic Coverage & Safe Failure Fraction
8. Architectural Constraints (HWFT and voting principles)
9. Common Cause failures
10. Behaviour of system/components on detection of a fault


There are no requirements that components or systems shall be certified to IEC 61508 or IEC 61511. Applying a certificate will not relieve a vendor from documenting IEC 61508/61511 compliance and su… SAR. However, a vendor supplying a certified component/system will only have to document the following parts of the SAR;

I Abbreviations
II References
III Summary
1. Introduction
2. System Description
3. System Topology and Block Diagram
4. Operational description of the system
5. Assumptions
6. Failure rate of the components*
7. Diagnostic Coverage & Safe Failure Fraction*
8. Architectural constraints (HWFT and voting principles)
9. Common Cause failures*
10. Behaviour of system/components on detection of a fault
11. Mean Time To Repair*
12. Factory testing
13. Operational testing (included test procedures and recommended functional test interval)
14. NA
15. NA
16. Results
Appendices: e.g. Certificates

* Note that background/supporting documentation for the claimed figures in these chapters is not required for a certified component/system.


5 MANAGEMENT OF FUNCTIONAL SAFETY

The objective of the requirements in this section is to identify the management activities that are necessary to ensure that all functional safety objectives are met. With reference to Clause 6 in IEC 61508-1 and clause 5 in IEC 61511-1, management activities to comply with functional safety according to IEC 61508 and IEC 61511 will be based on the following;

- General requirements
- Organisation and resources
- Risk evaluation and risk management
- Planning and follow up
- Implementing and monitoring
- Assessment and auditing (Verification / Validation / FSA)

It will also be important to ensure correct handling of:

- Potential contractual challenges
- Potential non-conformances
- Relevant interactions with other project activities.

5.1 GENERAL REQUIREMENTS

This SIL working method (incl. plan for management and functional safety) established for Nyhamna expansion must be communicated to the project organisation for consistent implementation of IEC 61508/61511 in the project.

5.2 ORGANISATIONS AND RESOURCES

Persons, departments and organisations or other units which are responsible for carrying out and reviewing each of the safety life-cycle phases shall be identified and be informed of the responsibilities assigned to them. It is also important to ensure the required competence within the organisation as well as for each of the personnel involved.

In the FEED phase for the Nyhamna expansion project, the Company had the main responsibility for coordinating the SIL activities: SIL identification and allocation for the PSD system ref to YX SIL report

… follow up and ensure that SAR(s) will be issued by relevant supplier(s) for project review and acceptance in due time (as specified in the supplier document list), i.e. allowing for comments and updating of the SAR if found required prior to achieving project approval. It is also the responsibility of the PRE to make sure that each SAR is sent to relevant discipline for review (as a minimum, the Safety discipline shall review the SAR but preferably also the relevant System SRS owner(s)).

All SAR(s) must be ensured to have the required quality for approval (i.e. the quality required for achieving Status Code 1) in due time before final compliance calculations are to be performed within the EPCm project. SAR reports found to have non-compliance with relevant format and content requirements as specified in the SAR Supplier Requirements document /9/ will not be accepted. It is not sufficient to only deliver a SIL certificate, since all required documentation as specified in the SAR Supplier Requirements document shall be included in the SAR in order to achieve project approval.

Figure 5.2-1 below gives a coarse overview of multidiscipline involvement and responsibilities related to the main SIL activities and deliverables during EPCm.

5.4 PLANNING AND FOLLOW UP

The IEC 61508/61511 implementation process is described in this document and specifically in the safety lifecycle model as shown in Section 6.1 of this document.

5.5 IMPLEMENTING AND MONITORING

The implementing and monitoring of actions from reviews and audits will be covered in the QA plan for the project.

5.6 ASSESSMENT AND AUDITING

Reference is made to Chapter 6 of this document. Requirements related to Functional Safety Assessment are outlined in IEC 61511, Clause 5.2.6.1.

5.7 HANDLING OF POTENTIAL NON-CONFORMANCES

Any non-conformance with requirements given in IEC 61508, IEC 61511, DEP 32.80.10.10-Gen, or OLF GL 070 shall be formally handled through the project systems for handling of contractual deviations. If a deviation is rejected, the next step will be to redesign the SIF in order to meet the relevant SIL requirements.

All applications for deviation where Company documents or governmental regulations are deviated shall be communicated to Company. Deviation applications from vendors regarding SIL requirements shall be directed to the SRS owner for handling and further discussions with Company.

Typically, non-conformance will be related to too low SFF with the given hardware fault tolerance (HWFT), a too high PFD or insufficient systems (guidelines, procedures, checklists) for avoidance and control of systematic failures.

5.8 RELEVANT INTERACTIONS WITH OTHER PROJECT ACTIVITIES

As far as possible, the Quantitative Risk Analyses (QRA) /13/ shall reflect and verify the SIL requirements allocated for Nyhamna expansion SIFs. The analyses shall utilise the SIL requirements (PFD figures) in e.g. the event trees so that the assumed performance of the Safety Instrumented Functions (SIFs) is reflected in the calculated risk level. This will also enable the analyses to act as verification versus the given SIL requirements, particularly that they are sufficiently stringent.

6 OVERALL SAFETY LIFECYCLE REQUIREMENTS

6.1 SIS WORKING PROCESS - SAFETY LIFECYCLE MODEL

A project specific SIS working process for implementation of IEC 61508/61511 in the Nyhamna expansion project has been established. Figure 6.1-1 and Figure 6.1-2 in the next two pages give a brief overview of handling of SIL requirements in the FEED, Detail Engineering (EPCm), Commissioning and Operation phases.


6.2 SAFETY LIFECYCLE REQUIREMENTS

This Section gives a brief description of the activities as outlined under the activity time axis in Figure 6.1-1, covering the SIS working process for implementation of SIL in the FEED and EPCm phases for this project.

6.2.1 Scope definition

This phase is covered by the information in and the work around developing this document.

6.2.2 Identification of EUC and SIS to be SIL evaluated

In general all Safety Instrumented Functions (SIFs) shall go through a SIL assessment to determine the required SIL. Each EUC and related SIFs will be defined by hazard identification activities (e.g. HAZOP; during HAZOP, the EUC and final element for each initiator should be identified based on P&IDs, HAZID, multidiscipline SIL workshops, etc.) as well as by review of SIS design for the Nyhamna expansion versus relevant requirements given in DEP 32.80.10.10-Gen. /3/, relevant standards in Nyhamna Onshore engineering design standards /14/, Safety Critical Elements Identification and Performance Standards /15/, OLF GL 070 /4/, NORSOK S-001 /16/, etc.

When relevant, discussions with each system responsible will be performed in order to find SIFs not specified in the guideline. Furthermore, dedicated multidiscipline Workshops should be arranged by the Safety discipline as found required in order to identify and verify SISs/SIFs to be SIL evaluated. Relevant disciplines to participate will typically be Instrument, Process, HVAC, Electro, Telecom, Mechanical and Safety. Company should also be involved and participate in this identification process.

The main purposes of performing a SIL classification process during the FEED phase and early engineering phase are to:

- Ensure the level of risk reduction afforded to the SIS is not excessive and the SILs are not too high.
- Ensure adequate sensors and final elements have been provided in the design to meet PFD requirements of the SIL.
- Confirm that SIFs are capable of adequately preventing/mitigating the hazardous event.
- Ensure the impact of spurious trips is minimised and understood.

The main purposes of an initial SIL workshop are to:

… DEP 32.80.10.10-Gen. The consequences were based on three categories, which are personnel safety impact, environmental impact and commercial/economic impact. In case where SIL (Safety Integrity Level), EIL (Environmental Integrity Level) and AIL (Asset Integrity Level) are different from each other, the most stringent requirement shall be applicable for the SIF as the SIL requirement. Note that not all SIFs will be allocated a SIL; however, this is only relevant in case of low criticality of the SIF. The likelihood considered possible failures that could cause the hazardous event, as well as independent protection layers and conditions that would help to prevent or mitigate the hazardous event. Prevention and mitigation layers were only considered if they were deemed sufficiently reliable to provide at least one order of magnitude risk reduction.

With a given SIL requirement, an overall maximum allowable average PFD is given. Since a SIF consists of several elements, the PFD should be distributed between these based on the specific configuration and in accordance with the expected unavailability (i.e. based on historical failure data) for the involved components. Typical allocation will be performed as described in Section 3.2.

6.2.4 Additional SIL allocation

In addition to the method defined above, it has been agreed with Company that SIL allocation can be performed according to the following method in the early detail engineering phase:

Since the SIL review was only performed for the PSD functions by using SIFpro™ during the project FEED phase, the SIL review for Global Safety Functions needs to be completed in an early stage of the detail engineering phase. Due to limited SIFpro™ resources, it has been agreed with Company (ref. /17/) that OLF GL 070 /4/ should be applied for SIL assessment on the Global Safety System. OLF GL 070 specifies a number of standard SIFs with pre-defined minimum SIL requirements. Hence, if the identified SIF is evaluated to be sufficiently covered by any of the OLF GL 070 standard SIFs, then the predefined SIL requirement in OLF GL 070 should be used. It should however, prior to such simplified allocation, be evaluated and concluded that the pre-defined minimum SIL requirement will be fully applicable for the specific SIF (i.e. not too weak or too stringent). In case a potential Integrity deviation is identified for a SIF, the pre-defined minimum SIL requirements may not be relevant, and should be verified and allocated by use of the IEC 61508/61511 risk based methodology.

After the process design is more matured during the detail engineering phase, SIL verification/re-assessment should be performed by Shell Global Solutions by using SIFpro™ for all SIL functions in the project.
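As an added worked example (not part of this report and not the SIFpro™ tool), the following Python script distributes a SIF's PFD budget across its elements as described in the paragraph above and flags the two hardware non-conformance types named in Section 5.7: a too high PFD and a too low SFF for the given HWFT. The PFD formulas are the simplified PDS / OLF GL 070 approximations, the architectural-constraint table follows IEC 61508-2 route 1H, and the component failure rates in example_sif() are constructed sample values, not OREDA or PDS data.

```python
# Added illustration: PFD budget and architectural-constraint check for one SIF.
# PFD formulas are the simplified PDS / OLF GL 070 approximations (proof-test
# interval tau, dangerous-undetected rate lambda_DU, common-cause factor beta).
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# IEC 61508-1 Table 2, low-demand mode: SIL -> (PFDavg lower bound, upper bound)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# IEC 61508-2 Tables 2 and 3 (route 1H): maximum SIL claimable for a subsystem by
# device type and SFF band (<60 %, 60-90 %, 90-99 %, >=99 %), indexed by hardware
# fault tolerance 0, 1, 2.  0 means the configuration is not allowed at all.
ARCH_LIMITS = {"A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
               "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)]}


@dataclass
class Subsystem:
    name: str
    voting: str        # "1oo1", "1oo2" or "2oo3"
    lam_du: float      # dangerous undetected failures per hour, per channel
    lam_dd: float      # dangerous detected failures per hour, per channel
    lam_s: float       # safe failures per hour, per channel
    dev_type: str      # "A" (simple) or "B" (complex, e.g. programmable)
    beta: float = 0.1  # common-cause factor for redundant channels

    def sff(self) -> float:
        """Safe failure fraction: all failures except the dangerous undetected ones."""
        return (self.lam_s + self.lam_dd) / (self.lam_s + self.lam_dd + self.lam_du)

    def hft(self) -> int:
        """Dangerous channel faults tolerated before the function is lost."""
        return {"1oo1": 0, "1oo2": 1, "2oo3": 1}[self.voting]

    def pfd(self, tau_h: float) -> float:
        """PFDavg over proof-test interval tau_h (hours), simplified formulas."""
        x = self.lam_du * tau_h          # expected DU failures per test interval
        if self.voting == "1oo1":
            return x / 2
        common = self.beta * x / 2       # common-cause term, usually dominant
        return common + (x ** 2 / 3 if self.voting == "1oo2" else x ** 2)

    def arch_sil_limit(self) -> int:
        s = self.sff()
        band = 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3
        return ARCH_LIMITS[self.dev_type][band][self.hft()]


def sil_from_pfd(pfd: float) -> int:
    """SIL band a total PFDavg falls in; 0 if it is worse than SIL 1."""
    return next((sil for sil, (lo, hi) in PFD_BANDS.items() if lo <= pfd < hi), 0)


def verify_sif(subsystems, tau_years: float, target_sil: int) -> dict:
    """Sum the element PFDs, then cap the claim by the weakest architectural limit."""
    pfds = {s.name: s.pfd(tau_years * HOURS_PER_YEAR) for s in subsystems}
    total = sum(pfds.values())
    arch_limit = min(s.arch_sil_limit() for s in subsystems)
    achieved = min(sil_from_pfd(total), arch_limit)
    return {"pfd_per_element": pfds, "pfd_total": total, "pfd_sil": sil_from_pfd(total),
            "arch_sil_limit": arch_limit, "achieved_sil": achieved,
            "compliant": achieved >= target_sil}


def example_sif(valve_voting: str) -> list:
    """Constructed PSD-type loop (sample rates, not OREDA/PDS data)."""
    return [Subsystem("pressure transmitters", "1oo2", 0.5e-6, 2.0e-6, 1.0e-6, "B"),
            Subsystem("logic solver", "1oo2", 0.05e-6, 4.0e-6, 2.0e-6, "B"),
            Subsystem("shutdown valve", valve_voting, 2.0e-6, 0.0, 1.0e-6, "A")]
```

With a one-year proof-test interval and a SIL 2 target, verify_sif(example_sif("1oo1"), 1.0, 2) lands in the SIL 2 PFD band but is capped to SIL 1 by the single valve's SFF/HWFT, while the "1oo2" valve variant is compliant.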

- Specification of which reliability data should be collected and analysed during the operational phase.

From an SIS realisation point of view, these bullet points should be established as early as possible to establish relevant premises as input to the SRS. However, this may not be practicable, hence, the above list should be reviewed, and information essential for robust & safe SIS development and realisation must be established in a SIL operational strategy.

The contents of the SRS indicate the issues required that are covered by the SIL operational strategy. The following table shows the sections of the SRS where the SIL operational strategy has input (compared to Table E.1 in OLF GL 070):

ID | Reference, IEC 61511, Ch. 10.3 | Lifecycle phase (refer to Section 6.1 in this report)
5 | Assumed sources of demand and demand rate of the safety instrumented function | Pre-execution
6 | Requirement of proof test intervals | Pre-execution
12 | Requirements for manual shutdown | SRS rev. 1
14 | Requirements for resetting the SIS after a shutdown | SRS rev. 1
17 | Any specific requirements related to the procedure for starting up and restarting the SIS | SRS rev. 1
19 | Description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode | SRS rev. 2
21 | Requirements for overrides/inhibits/bypasses including how they will be cleared | SRS rev. 1
22 | Specification of any action necessary to achieve a safe state in the event of faults being detected by the SIS. Any such action shall be determined taking account of all relevant human factors | SRS rev. 1
23 | Minimum worst-case repair time, which is feasible for the SIS, taking into account the travel time, location, spares holding, service contracts, environmental constraints | SRS rev. 2

… Appendix A) to be established for each relevant system (e.g. by cross referring to relevant SARs for detailed documentation for critical equipment and components).

6.2.8 Safety validation planning

After the detail engineering lifecycle phase is complete and the SRS is produced for all defined safety systems, an SIS safety validation can take place. This validation shall check the actual design against the requirements in the SRS.

The overall safety validation will be performed in the commissioning phase to verify that the design meets the SRS in all respects.

For further details see Section 7.2.

7 VERIFICATION, VALIDATION AND FSA

7.1 VERIFICATION

7.1.1 General

Verification is covered by the general QA system within Contractor as well as by separate verification activities. The verification activities will be performed by activity independent personnel in the project and project independent personnel.

Verification activities are generally performed throughout the overall safety lifecycle and specifically after each lifecycle phase to ensure that the requirements for that phase are met. These activities include Discipline Internal Checks (DICs), Inter Discipline Checks (IDCs), and reviews & audits logged in the QA management register (Product Assurance Register, PAR). These QA activities are described in Contractor's corporate requirements.

In general, all items with SIL requirements shall be subject to verification activities. This will include checking of the content and quality of such as the Safety Analysis Reports (SARs) and checking of calculations in the Safety Requirement Specifications (SRSs), etc.

The verifications will also be performed during activities like:

- HAZOP
- HAZID
- SIL workshops.

These verification activities will be documented through:

- HAZOP report
- HAZID report
- Minutes of meeting from workshops/reviews.

All activities as well as results related to SIL identification and allocation shall be documented in the SIL Identification and Allocation Report /7/.

7.1.2 SIS verification

… shall generally follow normal project routine related to commissioning procedures. Engineering scope is therefore limited to providing additional requirements to existing procedures in the form of e.g. SIL related Commissioning Check Lists (included as appendices to each System SRS). The results from the overall safety validation shall be documented in commissioning to ensure that a change made to the SIS by commissioning is included in the relevant System SRSs (see document listing in Appendix A).

In case the validation results in a non-conformance with the applied SIL requirements, the project shall either implement changes as required or apply for deviation to Company (ref. Section 3.10 and Section 5.7).

7.3 FUNCTIONAL SAFETY ASSESSMENT (FSA)

Functional Safety Assessment (FSA) is in the IEC 61508/61511 standards defined as audits at predefined stages of the safety lifecycle. FSAs shall be performed by project independent personnel as required by the SIL level (ref. table 4 and 5 in IEC 61508-1).

OLF GL 070, Section 6.5 recommends FSAs in the following stages of a project (with ref. to IEC 61511):

1. After the hazard and risk assessment has been carried out, the required protection layers have been identified and the SRS has been developed.
2. After the SIS has been designed.
3. After the installation, pre-commissioning and final validation of the SIS has been completed and operation and maintenance procedures have been developed.
4. After gaining experience from operation and maintenance.
5. After modification and prior to decommissioning of a SIF.

Based on these recommendations, the following timing of FSAs has been found to be relevant for the engineering phases (EPCm) for the Nyhamna expansion project:

- FSA Phase I: To be performed after all SIFs and related SIL requirements have been identified, verified/updated in the detail engineering/EPCm phase (as well as the SRS Main Document and all System SRSs).
- FSA Phase II: To be performed after all relevant SARs have been received and approved, and all SIL compliance documentation updated in the System SRSs or established in a dedicated final SIL compliance report.

8 REFERENCES

1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, 2010.
2. IEC 61511: Functional safety: Safety instrumented systems for the process industry sector, International Electrotechnical Commission, 2003.
3. DEP 32.80.10.10-Gen: Instrumented Protective Functions, 2011.
4. OLF GL 070: Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, The Norwegian Oil Industry Association, rev. 02, October 2004.
5. 37-1A-SHA-I15-00009: NYX-SIL report. Rev. 03E.
6. 37-1A-KST-F15-00026: SIL working method report.
7. 37-1A-KST-F15-00027: SIL Identification and Allocation Report.
8. 37-1A-KST-F15-00028: Safety Requirement Specification (SRS).
9. 37-1A-AK-F15-00009: SAR Supplier Requirement.
10. OREDA 2009 Handbook: Offshore Reliability Data, SINTEF, 5th Edition.
11. PDS Data Handbook: Reliability Data for Safety Instrumented Systems, SINTEF, 2010 Edition.
12. 37-1A-SHA-X02-00010: Basic Design and Engineering Package Part VI - Contractor Service.
13. 37-1A-KST-F15-00020: Nyhamna Expansion QRA Report.
14. 37-1A-NS-D50-66000: Nyhamna Projects Onshore Engineering Design Standards.
15. 37-1A-SHA-F15-00005: Safety Critical Elements Identification and Performance Standards.
16. NORSOK S-001: Technical Safety, Edition 4, 2008.
17. Company response to TQ-AET-KST-KS-0017.

APPENDIX A SRS RESPONSIBILITY MATRIX

1 SRS responsibility matrix

The following table gives an overview of the responsible system discipline for each dedicated System SRS document. It also shows the SRS Main Document owned by the safety discipline. The System SRS documents will be owned and issued by the relevant system disciplines as shown in this table.

(R = Responsible, I = Input required)

Doc. no. | Title | System | R/I marks across Safety, Instrument, Process, Electrical, HVAC, Telecom, Piping, Mechanical, Operations/Maintenance (blank cells not shown)
37-1A-KST-F15-00028 | SRS Main document | General for all relevant systems | R I I I I I I I I
N.A. for Nyhamna expansion | SRS System 43 Flare, ventilation and blowdown | 43 - Flare, ventilation and blowdown systems | - - - - - - - - -
Not yet known | SRS System 67 Process shutdown | 67 - Process shutdown systems | I R I I I I I
Not yet known | SRS System 69 Distributed control/monitoring (HIPPS) | 69 - Distributed control/monitoring (HIPPS) systems | I R I I I I
Not yet known | SRS System 70 F&G detection | 70 - F&G detection systems | R I I I I I I
Not yet known | SRS System 71&72 Fire water | 71&72 - Fire water systems | R I I I I I
Not yet known | SRS System 77 HVAC | 77 - HVAC systems | I I I R I I
Not yet known | SRS System 78&79 Emergency shutdown and depressurisation | 78&79 - Emergency shutdown and depressurisation systems | I R I I I I I
Not yet known | SRS System 85 Emergency power | 85 - Emergency power systems | I I I R I I I I