
STANDARDS PUBLICATION

QP GUIDELINE FOR
SAFETY INTEGRITY LEVEL REVIEW

DOC NO: QP-GDL-S-030

REVISION 1

CORPORATE HSE SUPPORT DEPARTMENT


TABLE OF CONTENT

FOREWORD
1.0 INTRODUCTION
2.0 SCOPE
3.0 APPLICATION
4.0 POLICY
5.0 TERMINOLOGY
    5.1 DEFINITIONS
    5.2 ABBREVIATIONS
6.0 REFERENCE STANDARDS
7.0 METHODOLOGY/APPROACH
8.0 TEAM STRUCTURE AND RESPONSIBILITIES
    8.1 TEAM STRUCTURE
    8.2 ROLES AND RESPONSIBILITIES
9.0 REQUIREMENTS
    9.1 PREPARATION OF THE REVIEW
    9.2 SIL REVIEW
    9.3 VALIDATION OF SIF
    9.4 CAUSE DEMAND SCENARIO
    9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)
    9.6 INDEPENDENT SAFEGUARDS
    9.7 SIL ASSESSMENT CALIBRATED RISK GRAPH METHOD
10.0 PLANNING
    10.1 PREPARATION OF THE REVIEW
    10.2 TIMING OF THE REVIEW
11.0 DOCUMENTS REQUIRED AND RECORDING
    11.1 DOCUMENTS REQUIRED
    11.2 RECORDING
    11.3 REPORTING AND FOLLOW-UP
12.0 APPENDICES
    12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD
    12.2 APPENDIX II: TYPICAL SIL ACTION SHEET
    12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT
    12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST
    12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS
    12.6 APPENDIX VI - DEMAND RATE
    12.7 APPENDIX VII CORPORATE RISK MATRIX
REVISION HISTORY LOG

Doc File No.: GDL-S-030 R1
Custodian Dept: ST

FOREWORD

This document has been developed by Corporate HSE Support Department, reviewed and edited by Corporate Quality and Management System Department, and circulated for review by user departments before being endorsed by QP Management to provide a guideline.

This document is published for use by QP Departments, Contractors and Consultants. It shall be emphasized that the document is to be used for QP operations wherever applicable and appropriate.

This document is subject to periodic review to re-affirm its adequacy, to conform to any changes in the corporate requirements, or to include new developments on the subject.

It is recognized that there will be cases where addenda or other clarifications need to be attached to the standard to suit a specific application or service environment. As such, the content of the document shall not be changed or re-edited by any user, but any addenda or clarifications entailing major changes shall be brought to the attention of the Custodian Department.

The custodian of this document is Corporate HSE Support Department (ST). Therefore, all comments, views, recommendations, etc. on it shall be forwarded to the same and copied to Manager, Corporate Quality & Management Systems Department (QA).

1.0 INTRODUCTION

Safety Integrity Level (SIL) review is an analysis that aims to determine the appropriate reliability required from the elements of the Safety Instrumented Functions (SIF) identified in prior safety reviews (e.g. HAZOP).

The approach of this guideline is to remove the uncertainty regarding the safety integrity, cost effectiveness and availability requirements, reducing over- and under-engineering, in a traceable manner.

A SIL study is a method to record all the SIF for a project development and document the expected reliability level. A SIL study provides a basis for future maintenance and operating strategies. The SIL study shall be conducted during the FEED phase and/or EPIC phase in accordance with the Project HSE Plan or as required by the outcome of Safety Reviews of a project.

SIL assignment is based on the amount of risk reduction that is necessary to mitigate the risk associated with the process to a tolerable level. All of the Safety Instrumented Systems (SIS) design, operation and maintenance choices must then be verified against the SIL assigned.

2.0 SCOPE

This guideline details the structure, responsibilities and techniques of the Safety Integrity Level (SIL) review.

3.0 APPLICATION

The SIL review of the project shall cover all Safety Instrumented Systems (SIS) in process and utility units where there is potential for hazard to human safety, environment or asset/production loss.

4.0 POLICY

QP is committed to protecting the health and safety of its employees and others that may be affected by its activities and to giving proper regard to the conservation of the environment. QP policy is to conduct its activities such that it strives towards an incident-free, secure, safe and healthy workplace.

Safety studies and reviews shall be performed during the course of a project or modifications to an existing facility. This is to identify, qualify, quantify and establish that design safety measures shall provide adequate protection and mitigate any risk involved with the proposed project development or the modifications.

5.0 TERMINOLOGY

5.1 DEFINITIONS
Basic Process Control System (BPCS): A combination of Sensors, Logic Solvers and Final elements which automatically regulate the process within normal production limits. The BPCS provides control of a process in the desired manner.

Cause: Factor contributing alone or in combination with others to the release of a hazard (in this guideline synonymous with the demand scenario triggering a SIF).

Company: Means QATAR PETROLEUM or QP.

Consequence (C): Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Effect on personnel safety, economic loss, environmental loss.

Consequences of Failure on Demand: Escalation events that happen after the failure of the SIF during its solicitation. Effect on personnel safety, economic loss, environmental effect.

Demand Rate (W): The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration.

Demand Scenario: The set of conditions triggering SIF action (synonymous with Cause).

Design Intent: The reason why a SIF is set. Its purpose.

Final Element: A device which manipulates a process variable to achieve control, e.g. Control Valve, Emergency Block Valve, motor starter.

Layers of Protection Analysis: A process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.

Logic Solver: The element of the BPCS or SIS that implements one or more logic functions.

Hazard: A source of potential harm or damage, or a situation with potential for harm or damage.

Licensor: LICENSOR or PROCESS LICENSOR means each of the Companies which have granted (or will grant) to QP a Process License and have provided (or will provide) the corresponding Licensor Basic Engineering Package (BEP) during the FEED project.

Occupancy (F): Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event.

Probability of Avoiding the Hazard (P): The probability that exposed persons are able to avoid the hazardous situation which exists if the SIF fails on demand.

Probability of Failure on Demand: The probability that a system fails to perform a specified function on demand.

Recovery Measures: All technical, operational and organizational measures that limit the chain of consequences arising from a top event and assist return to normal operation.

Safety Integrity Level: Defined as a relative level of risk reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function (SIF). Four levels of SIL are defined; SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.

Safety Instrumented Function: A safety function with a specified safety integrity level which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function or a safety instrumented control function.

Safety Instrumented System: Instrumented system used to implement one or more safety instrumented functions. A Safety Instrumented System is composed of any combination of sensor(s), logic solver(s), and final element(s). It performs specified safety instrumented functions to achieve or maintain a safe state of the process when unacceptable or dangerous process conditions are detected. Safety instrumented systems are separate and independent from regular control systems but are composed of similar elements, including sensors, logic solvers, and final elements.

5.2 ABBREVIATIONS

CoFD: Consequence of Failure on Demand
EPIC: Engineering, Procurement, Installation and Commissioning
ESD: Emergency Shut Down
FEED: Front End Engineering Design
F&G: Fire & Gas System
HAZOP: Hazard and Operability Study
LOPA: Layer of Protection Analysis
LP: Loss Prevention
P&ID: Piping & Instrumentation Diagram
PFD: Process Flow Diagram
PSD: Process Shut Down
QP: Qatar Petroleum
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System

6.0 REFERENCE STANDARDS

IEC-61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
- Part 1: General requirements;
- Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
- Part 3: Software requirements;
- Part 4: Definitions and abbreviations;
- Part 5: Examples of methods for the determination of safety integrity levels (supporting information);
- Part 6: Guidelines for the application of IEC 61508-2 and IEC 61508-3;
- Part 7: Overview of techniques and measures.

IEC-61511: Functional safety - Safety instrumented systems for the process industry sector
- Part 1: Framework, definitions, system, hardware and software requirements;
- Part 2: Guidelines for the application of IEC 61511-1;
- Part 3: Guidelines for the determination of the required safety integrity levels.

7.0 METHODOLOGY/APPROACH

The technical standard IEC 61511 sets out a good practice for engineering of safety instrumented systems that ensure the safety of process industries. This standard defines the functional safety requirements established by IEC 61508 in process industry sector terminology.

It also focuses attention on one type of instrumented safety system used within the process sector, the safety instrumented system (SIS).

IEC 61511 covers the design and management requirements for SISs. Its scope includes initial concept, design, implementation, operation, and maintenance through decommissioning. The standard starts in the earliest phase of a project and continues through start-up. It contains sections that cover modifications that come along later, along with maintenance activities and the eventual decommissioning activities.

The standard consists of three parts as detailed under Clause 6.0.

The SIL review session is a guided team brainstorming activity that benefits from a structured method and from the broad experience of a multidisciplinary team led by a SIL facilitator.

The methodology that will be employed for the SIL determination is a semi-qualitative method: the calibrated risk graph, as defined in IEC 61511-3 Annex D.

Essentially, the derived SIL rating is a measure of the risk reduction that the safety instrumented system is required to achieve in order that the residual risk is acceptable or is as low as reasonably acceptable (ALARP).

There are four levels of Safety Integrity for Safety Instrumented Functions, SIL 1 to SIL 4. SIL 4 has the highest level of safety integrity and SIL 1 has the lowest. For SIF which are assigned SIL 1 or SIL 2, no further studies or action shall be required. However, for SIF which are assigned SIL 3 or 4, the SIL classification shall be considered in detail using a quantitative method: Layer of Protection Analysis (LOPA) as defined in IEC 61511-3 Annex F.

The SIL classification study shall be carried out for all the elements of the SIS, i.e. PSD, ESD and F&G, as identified in the Cause & Effect matrix.

The outcome of the SIL assessment is followed by a SIL verification study, where the reliability of the SIS is verified.

A dedicated computer spreadsheet or dedicated SIL software shall be used for recording SIL proceedings. The software tool used for determining SIL shall be in accordance with IEC 61508/61511 and shall have a provision to calibrate the Risk Graph based on the QP SIL review guideline.

Note: Contractor shall develop a project-specific SIL procedure and terms of reference consistent with the QP SIL guideline and shall submit them to QP for prior approval.

8.0 TEAM STRUCTURE AND RESPONSIBILITIES

8.1 TEAM STRUCTURE

In performing a SIL review, the proper selection of team participants is very important. The review team shall consist of personnel who are knowledgeable in the process technology and experienced in the operations of the process. The team shall have the necessary SIL review experience and shall have obtained formal training in SIL techniques. The chairman will be independent of the CONTRACTOR. QP will review and approve the Chairman's resume prior to the SIL review.

The planned multidisciplinary core team necessary for the realisation of the SIL review shall include the following disciplines, with the maximum number limited to 10 persons excluding the chairman and scribe.

a) Qatar Petroleum
- Loss Prevention Engineer - Corporate HSE Support
- Process Engineer
- Instrumentation Engineer
- Operation Engineer
- Loss Prevention Engineer
- Maintenance Engineer

b) Independent Third Party
- Chairman

c) Project Independent
- Contractor's LP Engineer
- Scribe

d) Contractor
- Process Engineer
- Instrumentation Engineer
- Loss Prevention Engineer

e) LICENSOR (for LICENSOR units)
- Process Engineer (knowledgeable of processes involved in project)
- Instrumentation Engineer

Additional specialists of other disciplines may be called to participate upon request, according to the needs identified by the other permanent members of the team.

8.2 ROLES AND RESPONSIBILITIES

The quality of the review depends heavily on the contribution of all team members and on their combined expertise.

In order to achieve a quality result, members of the team shall:
- adopt a positive attitude toward other team members' contributions,
- provide their expertise on the project specifics and from similar experience elsewhere,
- be logical, open minded and creative,
- focus on the objective of the SIL study.

8.2.1 Chairman

The Chairman shall have a high level of technical and managerial skills. He shall have expertise and experience in conducting SIL reviews and SIL verification studies. He needs to remain independent of the discussion and shall not be associated with the project. The Chairman's resume shall be reviewed and approved by QP prior to a SIL session.

The role of the Chairman is critical to the success of the meeting. He shall:
- Prepare, and make a presentation prior to the review on, the SIL techniques, rules and assumptions to be used by the team during the review,
- Lead the team through the SIL Determination technique,
- Prompt the brainstorming effort, and manage the discussion,
- Identify the key issues as they are raised by the team,
- Facilitate the evaluation of demand rates and consequences and ensure consistency of rating,
- Manage the recording of the findings by the scribe,
- Ensure that the minutes fully reflect the points identified,
- Generate the report of the review.

8.2.2 Scribe

The scribe shall be skilled in accurately recording the outcome of the discussions. Without being highly experienced, the scribe needs to be familiar with engineering terminology.

He / She shall:
- Be familiar with the computer software used to record the review findings before the start of the review,
- Follow the Chairman's instruction in recording the team findings.

8.2.3 Instrumentation / LP Engineer (Contractor)

Prior to the review, the instrumentation engineer/specialist is responsible for completing the following elements for each SIF, based on the Cause & Effect Matrix / P&ID / HAZOP / Safe Charts.

For each SIF to be reviewed, the SIL review worksheet shall be completed by:
- Listing the initiators,
- Listing the final elements,
- Defining the success criteria for initiators and final elements, and
- Indicating the associated actions.

An example of a SIL Review Worksheet is provided in Appendix I.

8.2.4 Process Engineer (Contractor)

Prior to the review, the process engineer is responsible for describing the Design Intent of the SIF and for providing this information to the Instrumentation Engineer for inclusion in the SIL review worksheet.

An example of how this is documented is provided in Appendix I (first column on the left of the table).

9.0 REQUIREMENTS

9.1 PREPARATION OF THE REVIEW

- Prior to the review, the chairman shall collect the SIF description (SIF name, initiator(s), final elements, success criteria, associated actions and design intent) from the instrumentation specialist / LP engineer.
- The chairman shall make a presentation to the team about the purpose and scope of the SIL review, to focus the efforts of the team members.
- The chairman shall make a presentation to the team about the methodology to be used in the SIL review. This establishes a common starting basis for the team that is necessary to conduct an effective SIL review.
- The parameters of the Project Risk Matrix shall be presented to the team for subsequent use in the evaluation of SIL assessment (Ref Appendix VII).
- The process engineer shall present an overall explanation of the plant's process so that all team members have a clear understanding of the basic operations of the plant. This also acquaints the team members with typical scenarios that may lead to a hazardous condition.
- Dedicated SIL software or spreadsheets shall be introduced to the team to log the SIL review session (Contractor shall specify the software/spreadsheet proposed while submitting the SIL methodology document for QP approval prior to a SIL review session).

9.2 SIL REVIEW

The SIL review sequence shall be divided into steps as follows:
- Select the Safety Instrumented Function,
- Validate the SIF description (already documented in the SIL review worksheet by the instrumentation / LP engineer),
- Validate the design intent (already documented in the SIL review worksheet by the process engineer),
- Determine (by brainstorming) all the potential causes / demand scenarios which trigger the SIF action,
- Agree the credibility of each cause,
- Identify the potential hazard in terms of:
  i. Consequences of SIS failure on Demand (C)
     - Personnel Safety (S)
     - Environmental Effect (E)
     - Economic loss (A)
  ii. Occupancy (F)
  iii. Probability of avoiding the hazardous situation (P)
  iv. Demand Rate (W)
- Assess the preventive, protective and mitigation safety features,
- Assign SIL based on the C, F, P and W parameters,
- Agree a recommendation for action or further consideration of the problem (if applicable),
- Apply the next cause (relevant to the selected SIF),
- Move on to the next SIF of the system until the whole study has been examined.

Figure 1 given below is a pictorial description of the review procedure.

Figure 1: SIL Review Process Schematic

9.3 VALIDATION OF SIF

The Instrumentation or LP engineer shall present each SIF to the review team so that all team members have the same understanding of its purpose (design intent).

9.4 CAUSE DEMAND SCENARIO

The team shall brainstorm to identify possible causes for the conditions that trigger the SIF. The demand could be caused by any of a number of reasons, e.g., control instrument malfunction, operator error, loss of feed, etc. Each cause shall be clearly documented in the SIL review worksheet.

The team shall focus on all possible causes of the hazard against which the SIF is designed (design intent) and ensure all of them are indeed sources of demand on the SIF.

9.5 CONSEQUENCES OF FAILURE ON DEMAND (CoFD)

The team shall identify all the consequences of the identified demand scenario(s). The location of the plant and the relative positions of installations can have a significant influence on the consequences.

The correct appreciation of these consequences is critical to the appropriate classification of the SIF.

9.6 INDEPENDENT SAFEGUARDS

Where applicable, the team may list independent safeguards (independent from the SIF) which can reduce the event probability.

9.7 SIL ASSESSMENT CALIBRATED RISK GRAPH METHOD

After the evaluation of the Consequences of Failure on Demand, each SIF is assigned a Safety Integrity Level (SIL).

The SIL determination shall be based on calibrated risk graphs from IEC 61511-3. These risk graphs are based on the following:
- The consequences of the hazardous situation for Personnel Safety, Environment and Economic/Asset loss (parameters S, E and A respectively),
- The Occupancy (parameter F),
- The probability of avoiding the hazardous situation (parameter P),
- The Demand Rate (W).

9.7.1 Consequence (Parameters S, E and A)

The consequences of the hazardous situation for personnel safety, environment and economic/asset loss (parameters S, E and A respectively) are further defined for various risk levels. These definitions are consistent with the QP Risk Assessment Matrix.

Table 1 - Consequence Risk Parameter for Personnel Safety (S)

Consequence Risk Parameter: Definition
S1 (CA): Minor injury or health effects
S2 (CB): Major injury or health effects
S3 (CC): Single fatality or Permanent total disability
S4 (CD): Multiple fatalities

Notes:
- The classification system has been developed to deal with injury and death to people.
- For the interpretation of S1, S2, S3 and S4 parameters, the consequences of the accident and normal healing shall be taken into account.

Table 2 - Environmental Consequence Parameter (E)

Level of Environmental Consequences: Definition
E1 (CA): Minor effect: Contamination; damage sufficiently large to impact the environment; single exceeding of statutory or prescribed limits; single complaint; no permanent effect on the environment.
E2 (CB): Localized effect: Limited loss of discharges of unknown toxicity; repeated exceeding of statutory or prescribed limits and beyond fence/neighborhood.
E3 (CC): Major effect: Severe environmental damage; the company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceeding of statutory or prescribed limits.
E4 (CD): Massive effect: Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant high exceeding of statutory or prescribed limits.

Table 3 - Economic/Asset Consequence Parameter (A)

Level of Economic Consequences: Definition
A1 (CA): Minor damage: Brief disruption to operation with estimated costs less than QR 350,000.
A2 (CB): Local Damage: Partial shutdown of operation; can be restarted but with estimated costs up to QR 3,500,000.
A3 (CC): Major Damage: Partial loss of operation; 2 weeks shutdown with estimated costs up to QR 35,000,000.
A4 (CD): Extensive Damage: Substantial or total loss of operation; with estimated costs in excess of QR 35,000,000.

9.7.2 Exposure time (Parameter F)

The exposure time of an individual in a hazardous situation is further defined for two occupancy conditions.

Table 4 - Occupancy Exposure Time Parameter (F)

Exposure time in the hazardous zone: Definition
F1: Rare to more often exposure in the hazardous zone (normally unmanned operation of the relevant part of the plant). Occupancy less than 10%.
F2: Frequent to permanent exposure in the hazardous zone (relevant part of plant is attended locally on a regular basis, e.g. every shift, or during the specific time of demand, e.g. start-up or shut-down, or relevant part of the plant is located near a continuously occupied road).

9.7.3 Probability of avoiding the Hazard (Parameter P)

This parameter represents the probability of avoiding the hazardous event if the protection system fails. Two scenarios are defined for SIL review.

Table 5 - Probability of avoiding the Hazard Parameter (P)

Probability of avoiding the hazardous event: Definition
P1: Possible under certain conditions - some warning available. (Operator is capable of getting away from the hazard or hazard is mitigated by other measures.)
P2: Almost impossible - no warning available. (Operator may not be aware of hazard or may not be able to get away sufficiently quickly.)

Notes: This parameter takes into account:
- Operation of a process (supervised, i.e. operated by skilled or unskilled persons, or unsupervised).
- Rate of development of the hazardous event (suddenly, quickly and slowly).
- Ease of recognition of danger (seen immediately, detected by technical measures or detected without technical measures).
- Avoidance of hazardous event (escape possible, not possible or possible under certain conditions; independent facilities are provided to shutdown).
- Facilities are provided to alert the operator that the SIS has failed.
- The time between the operator being alerted and a hazardous event occurring exceeds 15 minutes or is definitely sufficient for the necessary actions.
- Actual safety experience (such experience may exist with an identical unit or a similar unit or may not exist).

9.7.4 Demand Rate (W)

The purpose of the demand rate (W factor) is to estimate the frequency of the unwanted occurrence in the absence of the SIF under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration. Three conditions are defined for SIL review.

Table 6 - Demand Rate Parameter (W)

Likelihood of the unwanted occurrence: Definition
W1: A very slight probability that the unwanted occurrences will happen and only a few unwanted occurrences are likely: Once in every 30 to 100 years.
W2: A slight probability that the unwanted occurrences will happen and few unwanted occurrences are likely: Once in every three to 30 years.
W3: A relatively high probability that the unwanted occurrences will happen and frequent unwanted occurrences are likely: more than once in every one to three years.

9.7.5 Risk Graph - Personnel Safety (Ref. IEC 61511-3 Fig D.1)

The risk graph shown in Figure 2 shall be used to determine the SIL for personnel safety. The consequences of the hazardous situation for personnel safety are determined as SIL levels using the risk graph.

Fig 2 - Risk Graph: Personnel Safety

9.7.6 Risk Graph - Environmental Loss (Ref. IEC 61511-3 Fig D.2)

The risk graph shown in Figure 3 shall be used to determine the SIL for environmental loss. The consequences of the hazardous situation for environmental loss are determined as SIL levels using the risk graph.

Fig 3 - Risk Graph: Environmental Loss

9.7.7 Risk Graph - Economical Loss

The risk graph approach may also be used to determine the integrity level requirements where the consequences of failure include asset loss. Asset loss is the total economic loss associated with failure to function on demand.

A similar risk graph to that used for environmental protection can be used for asset loss. It should be noted that the F parameter should not be used, as the concept of occupancy does not apply. The other parameters, P and W, apply and their definitions can be identical to those applied above to safety consequences.

Fig 4 - Risk Graph: Economic Loss

For each SIF operating in demand mode, the required SIL shall be specified in accordance with Figs 2, 3 or 4. The SIL assigned against each range of probability of failure on demand is given in Table 7 for reference.

Table 7 - Safety Integrity Levels: Demand mode of operation

Safety Integrity Level: Target average probability of failure on demand
SIL 4: 10^-5 to < 10^-4
SIL 3: 10^-4 to < 10^-3
SIL 2: 10^-3 to < 10^-2
SIL 1: 10^-2 to < 10^-1

The selected SIL level for a safety interlock function is the highest of the three individual
SILs (Safety, Economical and Environmental) and defines a minimum SIL. It is always
possible to select a higher SIL level than the required SIL, if the project team thinks this
is preferred.

10.0 PLANNING

10.1 PREPARATION OF THE REVIEW

Once the dates and duration of the review(s) are known, the necessary logistical
arrangements shall be made.
Appendix IV provides a checklist of the SIL review preparation items.

10.2 TIMING OF THE REVIEW

The SIL review of a project shall take place after the associated HAZOP review.
A dedicated session shall be performed for each unit.

11.0 DOCUMENTS REQUIRED AND RECORDING

11.1 DOCUMENTS REQUIRED

Before the start of the SIL review exercise the following documents shall be available to
serve as input information for the discussion:

- Process Flow Diagrams (PFD).
- Piping and Instrument Diagrams (P&ID). The P&IDs used for the SIL review will show all
  instruments, check valves, safety valves, controllers, pressure and level switches that
  are included in the limits of supply.
- Cause & Effect matrix.
- Safe Charts.
- Previous Hazard Analysis (HAZOP) review findings.
- Control and Safeguarding philosophy.
- Interlocks description.
- Layout / plot plan (if available).
- For LICENSOR units, where applicable, LICENSOR recommendation for SIL based on their
  design knowledge and operating experience.
- Material balance information (information on request).

11.2 RECORDING

The findings of the application of the methodology presented above shall be recorded
during the session by the scribe using a computer spreadsheet or dedicated SIL
software.
The scribe records the results of this identification activity in a table type file (see
Appendix I) using a computer and a video projector.
Use of a video projector shall allow the team to visualise the record. A SIL review
worksheet used for the report of the findings is presented in Appendix I.

Upon completion of the review the chairman will produce a report, which discusses the
findings of the review and details the critical findings.

11.3 REPORTING AND FOLLOW-UP

Subsequent to the SIL study, the SIL chairman shall issue the study report and shall document
the following as a minimum (see Appendix III for the full Table of Content of the report):

- The scope of the study;
- Study methodology;
- The study team;
- The SIFs reviewed and the reference used;
- Summarise and present the SIL review proceedings and all the recommendations
  and actions raised, with proper reference for close-out actions to be carried out;
- Identify/list those responsible for preparing responses to the actions and
  recommendations;
- Schedule, monitor and record the execution of necessary close-out actions.

Recommendations (action / query items) shall be recorded and the corresponding SIL
ACTION SHEET (see Appendix II) shall be generated for subsequent follow-up by the
project.
The Project Engineer shall have the responsibility to ensure that the action recommendations
generated during the review receive appropriate project follow-up and are implemented (see
Appendix II).
A formal SIL Close-out Report with SIL verification study shall be submitted to QP for
approval.

12.0 APPENDICES
12.1 APPENDIX I: TYPICAL SIL REVIEW WORKSHEET USING RISK GRAPH METHOD

Project Name / No:
SIF No:
Date Reviewed: DD MMM YYYY
SIF: Reference / name of the selected SIF
Initiators:
Final Elements:
Initiator Success Criteria:
Final Element Success Criteria:
Associated Operating Actions:
Drawings and Documents: Documents used

| DESIGN INTENT | CAUSE / DEMAND SCENARIO | CONSEQUENCES of FAILURE on DEMAND (CoFD) | INDEPENDENT SAFEGUARDS | RECOMMENDATIONS |
|---|---|---|---|---|
| Purpose of the SIF | List here causes that will trigger the SIF to operate. | List here all the consequences that will occur in case of Failure on demand of the SIF | List here all the independent safeguards | Recommendation of the team (if any) |

| | Consequence Parameter | Occupancy Parameter | Probability of Avoiding the hazard Parameter | Demand Rate Parameter | SIL Level |
|---|---|---|---|---|---|
| Safety | | | | | |
| Environment | | | | | |
| Economic | | | | | |

Required SIL level:
SIF Action Number:
Assigned to: Name of person

12.2 APPENDIX II: TYPICAL SIL ACTION SHEET


SIF STUDY ACTION AND RESPONSE SHEET

SIF ACTION ON:
SIF ACTION NO:
RESPOND BY:
MEETING DATES: DD MMM YYYY

DRAWINGS AND DOCUMENTS: documents used (from the front page list of documents studied)
SIF: Reference / name of the selected SIF (SIF Table 1)
DESIGN INTENT: purpose of the SIF
CAUSE / DEMAND SCENARIO: list here causes that will trigger the SIF to operate
CONSEQUENCES of FAILURE on DEMAND (CoFD): list here all the consequences that will occur in case of Failure on demand of the SIF.
INDEPENDENT SAFEGUARDS: list here all the independent safeguards
RECOMMENDATIONS: recommendation of the team (if any)

RESPONSE: (Action)

DATED:
SIGNED:
ENTER YOUR RESPONSE IN THE BOX ABOVE, THEN SIGN AND RETURN TO:

NOTES (for use of Scribe only)

12.3 APPENDIX III: TYPICAL SIL REVIEW REPORT TABLE OF CONTENT

TABLE OF CONTENT

1.0 SUMMARY
2.0 INTRODUCTION
3.0 SCOPE
4.0 TEAM COMPOSITION
5.0 DOCUMENT REFERENCES (including the present procedure)
6.0 GENERAL DESCRIPTION
7.0 FINDINGS OF THE REVIEW (if any)
8.0 CONCLUSION (as required)
In attachment:
9.0 COPY OF REFERENCE DOCUMENTS MARKED DURING REVIEW
10.0 SIF CLASSIFICATION RISK MATRIX
11.0 SIL WORKSHEET TABLES
12.0 SIF CLASSIFICATION REVIEW ACTION SHEETS (if any)

12.4 APPENDIX IV: SIL REVIEW PREPARATION ITEMS CHECKLIST

Check-list up-dated by: Name: _ _ _ _ _ _ _ _ _ _   Date: _ _/ _ _/ _ _

Logistics:
Dates defined: Start date: _ _/ _ _/ _ _   End date: _ _/ _ _/ _ _
Chairman selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Scribe selected: Name: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Room booked for the period: Yes/No   Room # _ _ _ _ _ _ _ _ _ _
Computer booked for the period: Yes/No
Data Projector booked for the period: Yes/No
Coffee/biscuits ordered for the period: Yes/No

Documents available:
Methodology, SIL Procedure: Yes/No
PFD: Yes/No
PID: Yes/No
Cause & Effect Matrix: Yes/No
Safe Charts: Yes/No
Process description, balance, layout, etc.: Yes/No
Previous hazard analysis: Yes/No

Participants:
List of participants identified: Yes/No
Participants have been informed of review session dates: Yes/No   When? Date: _ _/ _ _/ _ _
Documentation made available to participants: Yes/No

12.5 APPENDIX V: DESCRIPTION OF PROCESS INDUSTRY RISK GRAPH PARAMETERS (REF.: IEC 61511-3)

Descriptions of Process Industry Risk Graph Parameters

| Parameter | Description |
|---|---|
| Consequence | Number of fatalities and/or serious injuries likely to result from the occurrence of the hazardous event. Determined by calculating the numbers in the exposed area when the area is occupied, taking into account the vulnerability to the hazardous event. |
| Occupancy | Probability that the exposed area is occupied at the time of the hazardous event. Determined by calculating the fraction of time the area is occupied at the time of the hazardous event. This should take into account the possibility of an increased likelihood of persons being in the exposed area in order to investigate abnormal situations which may exist during the build-up to the hazardous event (consider also if this changes the C parameter). |
| Probability of avoiding the hazard | The probability that exposed persons are able to avoid the hazardous situation which exists if the safety instrumented function fails on demand. This depends on there being independent methods of alerting the exposed persons to the hazard prior to the hazard occurring and there being methods of escape. |
| Demand rate | The number of times per year that the hazardous event would occur in the absence of the safety instrumented function under consideration. This can be determined by considering all failures which can lead to the hazardous event and estimating the overall rate of occurrence. Other protection layers should be included in the consideration. |

12.6 APPENDIX VI - DEMAND RATE

The demand rate will be determined using the team's collective experience, along with
reference data from OREDA, USRMP or other accepted databases. The QP database
for failure rates shall be primarily considered when available. Failure rates for typical
equipment items are shown below as an example.

Typical Failure Rate Data (from OREDA Offshore Reliability Database)

| Item | Mean Failure Rate per 10⁶ hours | Per Year (Continuous Operation) | 1 Failure per (years) |
|---|---|---|---|
| Pressure Switch (Pneumatic) | 5.3 | 0.05 | 21 |
| Level Switch (Pneumatic) | 2.8 | 0.024 | 40 |
| Level Switch (Electric) | 9.6 | 0.084 | 12 |
| Level Transducer | 11 | 0.096 | 10 |
| PCV / LCV (Ball) | 10 to 16 (1 to 20) | 0.086 to 0.14 | 7 to 11 |
| PCV / LCV (Globe) | 19 to 24 (1 to 10) | 0.053 to 0.21 | 5 to 19 |
| PSV | 22 | 0.19 | 5.25 |
| XSDV (Globe Valve) | 25.94 | 0.227 | 4.4 |
| XBDV (Ball Valve) | 24 to 44 (1 to 10) | 0.21 to 0.39 | 2.5 to 5 |
| Electric Relay (logic solver) | 4.1 | 0.036 | 27.8 |
| Pilot Valve (in SDP) | 6.5 | 0.0575 | 17 |
| Fusible Plug | 0.27 | 0.00237 | 423 |
| H2S Gas Detector | 11.46 | 0.1004 | 9.96 |
| IR HC Gas Detector | 36.5 | 0.320 | 3.13 |
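
The three columns of the failure-rate table above are tied together by two conversions: failures per 10⁶ hours become failures per year at 8760 hours of continuous operation, and the reciprocal gives years per failure. The following is an added example, not part of the QP guideline, that cross-checks each row before a figure is carried into a demand rate estimate; the 10% tolerance and the function names are assumptions, and the rows are transcribed from the table as printed.

```python
HOURS_PER_YEAR = 8760  # continuous operation: 24 h x 365 d

# Rows transcribed from the Appendix VI failure-rate table as
# (item, rate per 1e6 h, stated per year, stated years per failure).
# Single values are written as (x, x); the parenthesised sub-ranges printed
# beside some valve rates are left out.
TABLE = [
    ("Pressure Switch (Pneumatic)", (5.3, 5.3), (0.05, 0.05), (21, 21)),
    ("Level Switch (Pneumatic)", (2.8, 2.8), (0.024, 0.024), (40, 40)),
    ("Level Switch (Electric)", (9.6, 9.6), (0.084, 0.084), (12, 12)),
    ("Level Transducer", (11, 11), (0.096, 0.096), (10, 10)),
    ("PCV / LCV (Ball)", (10, 16), (0.086, 0.14), (7, 11)),
    ("PCV / LCV (Globe)", (19, 24), (0.053, 0.21), (5, 19)),
    ("PSV", (22, 22), (0.19, 0.19), (5.25, 5.25)),
    ("XSDV (Globe Valve)", (25.94, 25.94), (0.227, 0.227), (4.4, 4.4)),
    ("XBDV (Ball Valve)", (24, 44), (0.21, 0.39), (2.5, 5)),
    ("Electric Relay (logic solver)", (4.1, 4.1), (0.036, 0.036), (27.8, 27.8)),
    ("Pilot Valve (in SDP)", (6.5, 6.5), (0.0575, 0.0575), (17, 17)),
    ("Fusible Plug", (0.27, 0.27), (0.00237, 0.00237), (423, 423)),
    ("H2S Gas Detector", (11.46, 11.46), (0.1004, 0.1004), (9.96, 9.96)),
    ("IR HC Gas Detector", (36.5, 36.5), (0.320, 0.320), (3.13, 3.13)),
]


def per_year(rate_per_1e6_h):
    """Convert failures per 10^6 hours to failures per year."""
    return rate_per_1e6_h * HOURS_PER_YEAR / 1e6


def close(stated, computed, tol):
    """True when the stated value is within a relative tolerance of the computed one."""
    return abs(stated - computed) <= tol * computed


def check_row(rate, stated_py, stated_years, tol=0.10):
    """Return a list of column mismatches for one table row."""
    lo, hi = per_year(rate[0]), per_year(rate[1])
    problems = []
    if not (close(stated_py[0], lo, tol) and close(stated_py[1], hi, tol)):
        problems.append(f"per year {stated_py} vs computed ({lo:.3g}, {hi:.3g})")
    # Years per failure is the reciprocal, so the range endpoints swap.
    if not (close(stated_years[0], 1 / hi, tol) and close(stated_years[1], 1 / lo, tol)):
        problems.append(f"years {stated_years} vs computed ({1/hi:.3g}, {1/lo:.3g})")
    return problems


def inconsistent_rows(table=TABLE, tol=0.10):
    """Map item name -> mismatches, for rows that fail the cross-check."""
    found = {}
    for item, rate, stated_py, stated_years in table:
        problems = check_row(rate, stated_py, stated_years, tol)
        if problems:
            found[item] = problems
    return found


if __name__ == "__main__":
    for item, problems in inconsistent_rows().items():
        print(item, "->", "; ".join(problems))
```

Run on the table as printed, the only row flagged is PCV / LCV (Globe): a rate of 19 to 24 per 10⁶ hours corresponds to roughly 0.17 to 0.21 per year, not 0.053 to 0.21, so that row should be confirmed against the source database before use.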

Item Leak Frequency (Offshore Hydrocarbon Release Statistics and Analysis, 2002, HID
Statistics Report HSR 2002 002, UK Health and Safety Executive, February 2003.)

| Item | Leak Frequency (per year) | 1 leak per (years) |
|---|---|---|
| Flange | 5.2 x 10⁻⁵ | 19230 |
| Valve | 4 x 10⁻⁴ | 2500 |
| Instrument Connections | 6 x 10⁻⁴ | 1700 |
| Pressure Vessel | 2 x 10⁻³ | 500 |
| Centrifugal pump | 5 x 10⁻³ | 200 |
| Shell & Tube Heat Exchanger | 3.5 x 10⁻³ | 290 |
| Launcher / Receiver | 1 x 10⁻² | 100 |
| Centrifugal Compressor | 8 x 10⁻³ | 125 |
| Reciprocating Compressor | 7 x 10⁻² | 15 |

Overall Leak Frequencies for a Platform:

Large Integrated Offshore Platform: approx. 1 leak per year
Minimum facilities wellhead platform: approx. 1 leak per 10 years
Riser failure frequency: approx. 1 x 10⁻³ per year, or 1 in 1000 riser years

12.7 APPENDIX VII QP CORPORATE RISK MATRIX


(Ref: Corporate Procedure for Incident management Doc# QPR-STM- 001)

Risk Assessment Matrix

CONSEQUENCES (rows in order of INCREASING SEVERITY):

| People | Asset / Production | Environment | Reputation |
|---|---|---|---|
| No injury | No damage | No Effect | No Impact |
| Slight injury or health effect | Slight damage, No disruption to operation | Slight Effect | Slight Impact |
| Minor injury or health effect | Minor damage ( < QR 350,000) | Minor effect | Limited Impact |
| Major injury or health effect | Local damage ( < QR 3,500,000) | Localised Effect | National Impact |
| Single Fatality or permanent total disability | Major damage ( < QR 35,000,000) | Major Effect | Regional Impact |
| Multiple fatalities | Extensive damage ( > QR 35,000,000) | Massive Effect | International impact |

INCREASING PROBABILITY (columns A to E, in order): Never heard in Industry; Has Occurred in
Industry; Has Occurred in QP; Occurs several times a year in QP; Occurs several times a
year this site.

Risk categories: No Risk, Low Risk, Medium Risk, High Risk.

FIGURE A- QP RISK ASSESSMENT MATRIX

12.7 APPENDIX VII Cont., QP CORPORATE RISK MATRIX

Risk Matrix (Explanation Sheet)

Consequence Category Definitions


1.0 PEOPLE
Harm to people is further explained for:
Slight injury or Health effects:
This includes first aid and medical treatment that does not affect work performance or
cause disability.
Minor injury or Health effects: A lost time injury that restricts a person's work
performance, where the injury results in a work assignment after the day of the incident
that does not include all of the normal duties of that person's regular job. It may take a few
days off from work to fully recover (Lost Time Incident). Limited health effects that are
reversible, e.g. skin irritation, food poisoning.
Major injury or Health effects (Including permanent partial disability): Work performance
is affected in the long term, such as prolonged absence from work, irreversible damage to
health without loss of life. For example, noise induced hearing loss, chronic back injuries.
Single fatality or permanent total disability: This is either from a work-related incident
or an occupational illness such as poisoning or cancer.
Multiple fatalities: More than one fatality either from a work-related incident or an
occupational illness such as poisoning or cancer.


2.0 ENVIRONMENT
Harm to the Environment is further explained for:
Slight effect: Negligible financial consequences and local environmental risk within the
fence and within the system.
Minor effect: Contamination; damage sufficiently large to impact the
environment; single exceeding of statutory or prescribed limits; single complaint; no
permanent effect on the environment.
Local effect: Limited loss of discharges of unknown toxicity; repeated exceeding of
statutory or prescribed limits and beyond fence or neighbourhood.
Major effect: Severe environmental damage; the company is required to take extensive
measures to restore the contaminated environment to its original state; Extended
exceeding of statutory or prescribed limits.
Massive effect: Persistent severe environmental damage or severe nuisance extending
over a large area; In terms of commercial or recreational use or nature conservancy, a
major economic loss for the company; Constant high exceeding of statutory or prescribed
limits.
3.0 ASSET DAMAGE/ LOSS OF PRODUCTION
Asset damage and loss of production is further explained for:
Slight damage: No disruption to operation with estimated cost less than QR 25,000.
Minor damage: Brief disruption to operation with estimated cost less than QR 350,000.
Local damage: Partial shutdown of operation; can be restarted with estimated cost up to
QR 3,500,000.
Major damage: Partial loss of operation; 2 weeks shutdown with estimated cost up to QR
35,000,000.
Massive damage: Substantial or total loss of operation with estimated cost in excess of
QR 35,000,000.
4.0 REPUTATION

Damage or loss of reputation is further explained for:


Slight impact: Public awareness may exist but there is no public concern.
Limited impact: Some local public concern; some local media and /or local political attention
with potentially adverse aspects for QP operations.
National impact: National public concern; extensive adverse attention in the national media.
Regional impact: Extensive adverse attention in the regional media; regional public and
political concern.
International impact: Extensive adverse attention in international media; international public
attention.

REVISION HISTORY LOG

Revision: 1

Date: 24/03/2010

Reason for Change/Amendment

Item Revised:
Changes/Amendment:
This new guideline is developed to cover the corporate
requirements for safety integrity level review.

Note:
The revision history log shall be updated with each revision of the document. It shall
contain a written audit trail of the reason(s) why the changes/amendments have occurred,
what the changes/amendments were and the date at which the changes/amendments
were made.
