
Engineering Procedure

SAEP-250 27 October 2007


Safety Integrity Level
Assignment & Verification
Process Control Standards Committee Members
Qaffas, Saleh Abdal Wahab, Chairman
Assiry, Nasser Yahya, Vice Chairman
Awami, Luay Hussain
Baradie, Mostafa M.
Ben Duheash, Adel Omar
Bu Sbait, Abdulaziz Mohammad
Dunn, Alan Ray
Fadley, Gary Lowell
Genta, Pablo Daniel
Ghamdi, Ahmed Saeed
Green, Charlie M.
Hazelwood, William Priest
Hubail, Hussain Makki
Jansen, Kevin Patrick
Khalifa, Ali Hussain
Khalifah, Abdullah H
Khan, Mashkoor Anwar
Mubarak, Ahmad Mohd.
Shaikh Nasir, Mohammad Abdullah
Trembley, Robert James














Saudi Aramco DeskTop Standards

Table of Contents

1 Scope ....................................................... 2
2 Conflicts and Deviations ................................... 3
3 Applicable Documents ....................................... 3
4 Definitions ................................................ 4
5 Instructions ............................................... 7
6 Responsibilities ........................................... 15





Previous Issue: New
Next Planned Update: 27 October 2012
Primary contact: Brell, Austin on 966-3-8739455

Copyright © Saudi Aramco 2007. All rights reserved.

Document Responsibility: Process Control
SAEP-250 Safety Integrity Level Assignment & Verification
Issue Date: 27 October 2007
Next Planned Update: 27 October 2012



Table of Contents (cont'd)

Appendix A - Required SIL Assignment
Report Contents.............................. 18
Appendix B - Required SIL Verification
Report Contents.............................. 20
Appendix C - Responsibilities for Engineering.. 22
Appendix D - SIF Specification Sheet.............. 23
Appendix E - SIL Assignment Worksheet....... 25
Appendix F - Risk Graph Tables
and Worksheet................................ 26
Appendix G - Risk Matrix Table....................... 30
Appendix H - Quantitative Risk Criteria............ 31
Appendix I - General Notes.............................. 32


1 Scope
This Saudi Aramco Engineering Procedure provides procedures and guidelines for
the assignment and verification of Safety Integrity Levels (SIL) in ESD loops and
the analysis of the spurious trip rate (STR) that may result from introducing an ESD
safety instrumented function into the process facility.
The procedure applies a risk-based approach to safety functions to validate that the
design of safety systems in Saudi Aramco is adequate to protect personnel, the
environment and assets against potentially hazardous situations. The risk-based
approach to SIL assignment and verification is required by SAES-J-601 and is based
on the international standards ANSI/ISA 84.00.01 and IEC 61511. This procedure is
to be used for new facilities and for modifications to existing facilities with
safety instrumented functions.
The document provides the risk tolerability criteria, recommended data sources for
commonly used control, instrument and process equipment and typical specification
sheets to document Safety Instrumented Functions (SIF).
The document also defines the roles and responsibilities for LPD, Proponent
Department, Project Management and P&CSD.
HIPS are a form of ESD and shall follow the same calculation procedures outlined
in this document and SAEP-354, High Integrity Protective Systems Design
Requirements.
As a minimum SIL studies shall be updated along with any changes to the facilities,
and also when major modifications in data basis, models or SIL estimating methods
occur.
2 Conflicts and Deviations
2.1 Any conflicts between this Procedure and other applicable Saudi Aramco
Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards
(SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi
Aramco Standard Drawings (SASDs), or industry standards, codes, and
forms shall be resolved in writing by the Company or Buyer Representative
through the Manager, Process & Control Systems Department of Saudi
Aramco, Dhahran.
2.2 Direct all requests to deviate from this Procedure in writing to the Company
or Buyer Representative, who shall follow internal company procedure
SAEP-302 and forward such requests to the Manager, Process & Control
Systems Department of Saudi Aramco, Dhahran.
3 Applicable Documents
All referenced Procedures, Standards, Specifications, Codes, Forms, Drawings, and
similar material or equipment supplied shall be considered part of this Procedure to
the extent specified herein and shall be of the latest issue (including all revisions,
addenda, and supplements) unless stated otherwise.
3.1 Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
SAEP-354 High Integrity Protective Systems
Saudi Aramco Engineering Standards
SAES-J-002 Technically Acceptable Instruments
SAES-J-601 Emergency Shutdown & Isolation systems
3.2 Industry Codes and Standards
The Instrumentation, Systems, and Automation Society (ISA)
ANSI/ISA 84.00.01 Functional Safety: Safety Instrumented
Systems for the Process Industry Sector
ISA TR84.00.02 Safety Instrumented Functions (SIF) -
Safety Integrity Level (SIL) Evaluation
Techniques
The International Electrotechnical Commission (IEC)
IEC 61511 Functional Safety: Safety Instrumented
Systems for the Process Industry Sector
Reliability Data Sources
OREDA Offshore Equipment Reliability Handbook
EXIDA Safety Equipment Reliability Handbook
SHELL SIFPro Reliability Data Tables
4 Definitions
4.1 Acronyms
DCF Diagnostic Coverage Factor
ESD Emergency Shutdown System
ETA Event Tree Analysis
FTA Fault Tree Analysis
HAZOP Hazards and Operability Study
HIPS High Integrity Protective System
IO Input/Output
IPL Independent Protection Layer
LPD Loss Prevention Department
P&CSD Process and Control Systems Department
PFD Probability of Failure on Demand
PHA Preliminary Hazard Analysis
QRA Quantitative Risk Assessment
SAPMT Saudi Aramco Project Management Team
SIL Safety Integrity Level
SIF Safety Instrumented Function
SIS Safety Instrumented System
SRS Safety Requirements Specification
STR Spurious Trip Rate
UPS Uninterruptible Power Supply
ZV Power Operated Emergency Isolation Valve
4.2 Definition of Terms
Beta Factor: The fraction of all failures that are common cause failures.
A common cause failure is a single cause that fails duplicate components
in a redundant configuration at the same time.
Dangerous Failure: Failures that will prevent the safety function from
protecting the process.
Demand: A process or equipment condition which requires the safety
function to take action to prevent a hazardous situation.
Diagnostic Coverage Factor: The number of dangerous failures that
diagnostic features are capable of detecting as a fraction of all possible
dangerous failures.
Failure: An abnormal situation that prevents the operation of the safety
function/s.
Final Control Element: A device that manipulates a process variable.
Final elements include valves, relays, solenoids and switchgear.
Initiator: The input measuring device that initiates a trip signal to the ESD
system. Initiators include switches, transmitters and manual pushbuttons.
Inherent Safety: A design that removes the hazard at the source as opposed
to accepting the hazard and looking to mitigate the effects. Inherent Safety
therefore generates little or no damage in the event of an incident. The
principles of inherent safety design are to minimize, substitute, moderate,
and simplify.
Logic solver: The system that is used to perform the application logic.
Logic solvers may be programmable, relay based or solid state.
Mechanical Integrity: is the suitability of the equipment to operate safely
and reliably under normal and abnormal (upset) operating conditions to
which the equipment is exposed.
MTTF: "Mean Time To Failure" is the expected time to failure of a system
in a population of identical systems.
MTBF: "Mean Time Between Failure" is the expected time between
failures of a system including time to repair. It is derived in its simplest form
as:
MTBF = MTTF + MTTR
MTTR: "Mean Time To Repair" is the statistical average of time taken to
identify and repair a fault (including diagnosis), in a population of identical
systems.
Probability of Failure on Demand (PFD): The probability that the SIF
fails to respond to a demand or a manual initiation.
Process Safety Time: The time it takes for a hazardous situation (such
as a release) to occur after the process moves beyond the trip point of
the safety function.
Proof Test Coverage Factor: The fraction of dangerous failures detected
by a proof test.
Residual Risk: The risk remaining after protective measures have been
taken.
Safety Availability: The fraction of time that a safety system is able to
perform its designated function when the process is operating. The safety
system is unavailable when it has failed dangerously or is in bypass. Safety
availability is equal to 1 minus the PFD (dangerous) of the safety function.
Safe Failure: A failure that does not place the SIF in a dangerous state.
A safe failure results in a trip or an alarm to the operator.
Safe Failure Fraction: The fraction of all failures that drive the device to
its safe state i.e. a trip or an alarm.
Safety Instrumented Function (SIF): A safety instrumented function
consists of input devices, logic solver and final output devices. Another term
commonly used in Saudi Aramco is ESD Loop.
Safety Integrity Level (SIL): A discrete level (1 to 4) expressing the
overall availability required of an ESD loop or ESD system component. It is
determined from the average probability of dangerous failure on demand
(PFDavg, summed over the components of the loop); the safety availability
is 1 minus PFDavg, as set out in Table 1.

Table 1  Safety Integrity Levels (SIL)

SIL    RRF (Risk Reduction Factor)   PFDavg (1/RRF)            Safety Availability (1 - PFDavg)
0/a    Process Control               -                         -
1      10 to 100                     1/10 to 1/100             90 - 99%
2      100 to 1,000                  1/100 to 1/1,000          99 - 99.9%
3      1,000 to 10,000               1/1,000 to 1/10,000       99.9 - 99.99%
4      10,000 to 100,000             1/10,000 to 1/100,000     99.99 - 99.999%

Spurious Trip Rate (STR): The expected frequency, expressed per year, of
trips that are not caused by a process demand and that lead to a shutdown
of the process.
Test Interval (TI): The interval in time that a test would be made on a
device or logic solver.
5 Instructions
5.1 SIL Assignment
5.1.1 General
The SIL assignment establishes the risk reduction needed for each
process system to protect against one or more hazards (such as
explosion, toxic release, leak, etc.). The risk reduction is calculated
as the gap between the existing risk posed by the process or
equipment and the risk target. Risk reduction is provided by
process and mechanical integrity, independent protection layers and
if so required safety instrumented systems (SIS).
5.1.2 Identification of Safety Instrumented Functions
Safety instrumented functions are to be identified during the
engineering design phase to meet:
5.1.2.1 Licensor engineering requirements and previous design
experience with similar processes.
5.1.2.2 In-plant or industry experience with process upsets,
incident or accident reports.
5.1.2.3 Engineering requirements of Saudi Aramco Standards.
5.1.2.4 HAZOP/PHA recommendations for process interlocks,
alarms and shutdown interlocks.
5.1.2.5 Recommendations from any process analysis, such as
studies of the impact of control instrument failures,
control valve failure modes, pressure relief and flare
capacity studies, etc.
5.1.3 Acceptable SIL Assignment Techniques and Software Packages
5.1.3.1 Semi-quantitative Risk Graph, modified Risk Matrix or
LOPA may be used for SIL assignment of ESD loops at the
project proposal or detailed engineering stage.
5.1.3.2 Fully quantitative SIL analysis using consequence
modeling, ETA and FTA shall be used for all SIL#3 ESD
loops (SIFs).
5.1.3.3 Software packages which support consequence
modeling, ETA and FTA are recommended to assist in the
documentation and consistency of the assignment
process. Refer to Loss Prevention Department /
Technical Support Unit for recommended consequence
modeling packages.
5.1.4 Documentation of Calculations
All assumptions and the source of data used, consequence and
frequency model calculations and any information necessary to
support the risk assessment shall be documented and maintained
with the project documentation as specified in Appendix A of this
procedure.
5.1.5 SIL Assignment at Project Proposal or Detailed Engineering
5.1.5.1 SIL Assignment at Project Proposal and Detailed Design
stage may use risk graph, modified risk matrix or Layers
of Protection Analysis (LOPA). SIL Assignment should
be completed in Project Proposal.
5.1.5.2 The SIL study should be conducted before the HAZOP
study, and before instrumentation and control equipment
is ordered.
5.1.5.3 The consequence and frequency criteria in Appendix F
are to be used for the risk graph, modified risk matrix
and LOPA methods.
5.1.5.4 SIL#4 shall not be assigned for Saudi Aramco facility
designs; instead the process and mechanical design shall
be reviewed and modified to reduce the residual risk to be
covered by a SIF to SIL#3 or below.
5.1.6 SIL Assignment Planning
In order to follow a sound and well planned process, the following
is required in preparation for a SIL study:
5.1.6.1 The scope of the study and its limitations are to be
clearly defined including the documentation
requirements as outlined in Appendix A.
5.1.6.2 The study team must be formed by knowledgeable
personnel as specified in section 5.1.7 of this procedure.
5.1.6.3 The SIL Assignment methodologies and the risk criteria
are to be agreed upon prior to beginning the study.
5.1.6.4 Process Flow Diagrams which show both key control
and shutdown instrumentation shall be available to give
the team an overview of the process.
5.1.6.5 Supporting project documentation for the SIL Study
required by the team comprises P&IDs, a Safety
Instrumented Functions List and Cause-and-Effect Charts.
5.1.6.6 Supporting software packages should be available and
understood by the Study Team Leader.
5.1.7 Personnel
The SIL Assignment team shall be formed of a knowledgeable and
competent process engineer, instrument and control engineer,
senior operations personnel and safety engineer. The team leader
must have a working knowledge of the SIL assignment process and
be familiar with the process under design and the software tools
being used during the study.
5.1.8 Independent Protection Layers (IPL)
Independent protection layers, when applied to mitigate the hazard,
shall each reduce the identified risk by a factor of 10 (i.e., a PFD
of 10^-1 or better) and shall be independent, dependable and
auditable. IPLs may include one or more of the following:
5.1.8.1 Mechanical Protection such as a Safety Relief Valve.
5.1.8.2 Operator Intervention, provided that:
5.1.8.2.1 The operator has an adequate alarm system
(i.e., fewer than 280 alarms per console
operator per day).
5.1.8.2.2 There are written procedures stating the
operator action.
5.1.8.2.3 The operator regularly completes the action
as a drilled exercise.
5.1.8.3 Dikes, fire proofing, blast proofing.
5.1.8.4 Fire Suppression Systems.
5.1.9 SIL Assignment Procedure Using Risk Graph
5.1.9.1 Use Appendix F to assign SIL functions using Risk
Graph.
5.1.9.2 Use Appendix F, Figure 3 to document the Risk Graph
results.
5.1.10 SIL Assignment Procedure Using Risk Matrix
5.1.10.1 Use Appendix G to assign SIL functions using Risk
Matrix.
5.1.10.2 Use Appendix E to document the Risk Matrix results.
5.1.11 SIL Assignment for SIL#3
5.1.11.1 Fully quantitative SIL analysis using consequence
modeling, ETA and FTA shall be used for all SIL#3 loops.
5.1.11.2 The form depicted in Appendix E shall be used to
document the results of the study.
5.1.11.3 Develop accident scenarios for every initiating event.
This shall be accomplished using an ETA.
5.1.11.4 Evaluate the consequences of all significant accident
scenarios using consequence modeling software
recognized in the process industry.
5.1.11.5 Use Appendix H "Quantitative Risk Criteria" to
determine the Risk Target Frequency.
5.1.11.6 Determine the frequency of occurrence of each accident
scenario using an FTA, considering only the Process and
Control System risk. All protective systems shall be
disregarded for this purpose.
5.1.11.7 Compare the frequency of occurrence of each accident
scenario against its risk target. The risk reduction
required for each scenario is the gap between the
unmitigated frequency of the scenario and its risk target.
5.1.11.8 Credit all the IPLs that could reduce the risk gap. Only
IPLs that comply with all the criteria established in
section 5.1.8 may be credited; the gap that remains is the
risk reduction the SIF must provide.
5.1.11.9 SIL#3 functions that are designated as HIPS functions
shall follow SAEP-354 and perform a cost benefit
analysis.
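The SIL#3 procedure in 5.1.11 (risk target, unmitigated frequency from FTA, the gap between them, IPL credit) together with the factor-of-10 IPL rule of 5.1.8, the Table 1 RRF bands and the SIL#4 prohibition of 5.1.5.4 reduces to a short calculation. The following Python is an added worked example, not part of SAEP-250 or of any Saudi Aramco tool. The scenario names, initiating frequencies, target frequencies and IPL PFDs in it are constructed for illustration, and the Appendix H risk criteria that would normally supply the targets are not reproduced here, so the target is an input:

```python
"""SIL assignment from a quantified risk gap (sections 5.1.1, 5.1.8 and 5.1.11).

Added example, not part of SAEP-250. Scenario frequencies, risk targets and
IPL credits are constructed inputs; the Appendix H criteria are not
reproduced here, so target_freq must be supplied by the user.
"""
from dataclasses import dataclass, field
from typing import List

IPL_MAX_PFD = 0.1       # 5.1.8: a layer must reduce risk by at least 10^-1 to count as an IPL
MAX_ASSIGNABLE_SIL = 3  # 5.1.5.4: SIL 4 is not assigned; the design is revisited instead


@dataclass
class Scenario:
    name: str
    unmitigated_freq: float   # events/year from FTA with all protective systems disregarded
    target_freq: float        # events/year from the risk tolerability criteria
    ipl_pfds: List[float] = field(default_factory=list)  # PFD of each qualifying IPL


def credited_ipl_pfd(ipl_pfds):
    """Combine independent IPLs by multiplying their PFDs.
    A layer weaker than 10^-1 does not qualify and is rejected rather than credited."""
    combined = 1.0
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= IPL_MAX_PFD:
            raise ValueError(f"PFD {pfd} does not qualify as an IPL (must be <= {IPL_MAX_PFD})")
        combined *= pfd
    return combined


def required_rrf(scn):
    """Risk reduction the SIF must supply: the gap between the unmitigated frequency
    and the target, reduced by the credited IPLs. 1.0 means no SIF is needed."""
    if scn.target_freq <= 0 or scn.unmitigated_freq < 0:
        raise ValueError("frequencies must be positive")
    gap = scn.unmitigated_freq / scn.target_freq
    return max(gap * credited_ipl_pfd(scn.ipl_pfds), 1.0)


def sil_from_rrf(rrf):
    """Table 1: RRF 10 to 100 -> SIL 1, 100 to 1,000 -> SIL 2, 1,000 to 10,000 -> SIL 3,
    10,000 to 100,000 -> SIL 4; below 10 -> SIL 0 (process control)."""
    sil = 0
    while sil < 4 and rrf >= 10 ** (sil + 1):
        sil += 1
    return sil


def assign_sil(scn):
    """Required RRF, resulting SIL, and whether the design must be revisited
    (SIL 4 result, 5.1.5.4) or sent to fully quantitative analysis (SIL 3, 5.1.3.2)."""
    rrf = required_rrf(scn)
    sil = sil_from_rrf(rrf)
    return {
        "scenario": scn.name,
        "required_rrf": rrf,
        "sil": sil,
        "redesign_required": sil > MAX_ASSIGNABLE_SIL,
        "quantitative_analysis_required": sil == 3,
    }


if __name__ == "__main__":
    # Constructed scenarios for illustration only; tags are hypothetical.
    scenarios = [
        Scenario("high pressure in V-100", 0.1, 2e-5, [0.1]),   # relief valve credited as IPL
        Scenario("overfill of T-200", 0.05, 1e-6),               # no qualifying IPL
        Scenario("low flow to P-300", 1e-3, 1e-4, [0.05]),       # IPL alone closes the gap
    ]
    for scn in scenarios:
        print(assign_sil(scn))
```

Running the module prints the three constructed scenarios. The first needs an RRF of about 500 after the relief valve is credited and so falls in the SIL 2 band; the second comes out at SIL 4, which the procedure does not permit to be assigned, so it is flagged for process or mechanical redesign rather than for a SIF; the third is fully covered by its IPL and needs no SIF.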
5.2 SIL Verification
5.2.1 Documentation of Calculations
All assumptions, data sources, and any other information necessary
to define the final system availability and spurious trip rate shall be
documented and maintained with the shutdown system
documentation as required in Appendix B.
5.2.2 SIL Verification Techniques and Software Packages
Simplified Equations, Markov Models or Fault Tree Analysis may
be used to provide the calculations for system availability and
spurious trip rate. Software packages which support these
modeling techniques are recommended to assist in the
documentation and consistency of the calculations.
5.2.3 Assumptions used in Calculations
5.2.3.1 Failure rate data shall be sourced from recognized
industry sources such as OREDA, EXIDA, Shell
SIFPro, certified manufacturers' technical data sheets or
TUV reports.
5.2.3.2 Components used in the shutdown system shall be
technically acceptable per SAES-J-002 and either proven
in use in Saudi Aramco facilities or TUV certified.
5.2.3.3 When calculating dangerous failures for an energized-to-trip
system the power supply shall be included in the
calculations for dangerous failures.
5.2.3.4 The failure rate for a logic solver shall include the input
and output module types used for that function.
5.2.3.5 Failure rate values are to be taken from a specific FMEA,
third party reports, TUV reports or the references listed
in this procedure.
5.2.3.6 The calculated PFDavg should be verified as better than
the minimum required PFDavg value by a margin of 25%.
That is:
SIL 1: PFDavg < 7.5E-02
SIL 2: PFDavg < 7.5E-03
SIL 3: PFDavg < 7.5E-04
5.2.3.7 The PFDavg calculations may assume that the calibration
and repair time is small compared to the MTTF.
5.2.3.8 The standard proof test intervals for instruments and
control equipment shall be: transmitters 1 year, switches
6 months, valves partial stroke quarterly and full stroke
yearly, logic solvers 10 years. These proof test intervals
may be extended based on calculations showing that the
PFDavg still meets the required target SIL.
5.2.3.9 Spurious trip calculations shall take into consideration
the failure mode of the transmitter and any time-delay
shutdown logic which would inhibit a spurious trip.
When a transmitter is configured to fail away from the
trip point, or the logic is such that the trip signal is
bypassed or delayed on a bad transmitter, the spurious
trip is inhibited and no spurious trip rate contribution
for the transmitter is necessary.
5.2.3.10 The MTTR for a transmitter, switch, valve or other
device to be offline is one shift (8 hours).
5.2.3.11 Partial stroke testing of valves shall be credited with a
60% contribution to the PFDavg and full stroke testing
with the remaining 40% (i.e., a 60% proof test coverage
is assumed for the partial stroke test).
5.2.3.12 Shutdowns initiated manually by the operator via a
push/pull button are exempt from SIL verification
calculations, since they depend on an operator intervention
that is used for both prevention and mitigation of
hazardous events. Such manually initiated shutdowns shall
nevertheless be designated SIL#1 loops and included in
the ESD system.
5.2.4 Calculation Procedure
Refer to ISA TR84.00.02 Part 2.
5.2.4.1 Identify the Safety Instrumented Functions and the SIL
required.
5.2.4.2 List the components of the SIF. List the MTTF
(dangerous) for each component.
5.2.4.3 Calculate the PFDavg for each group of components
(sensors, logic solver, final elements) and then sum
the values to obtain the PFDavg for the safety
instrumented function.
5.2.4.4 Determine whether the PFDavg meets the integrity
requirements of the Safety Requirements Specification.
5.2.4.5 The PFDavg shall meet or exceed the requirements of the
SIL specified; otherwise the component selection and
redundancy shall be modified accordingly.
5.2.5 PFDavg/Availability Calculation References
5.2.5.1 See ISA TR84.00.02 Parts 1 and 2 for the use of
Simplified Equations.
5.2.5.2 See ISA TR84.00.02 Part 3 for the use of Fault Tree Models.
5.2.5.3 See ISA TR84.00.02 Part 4 for the use of Markov Models.
5.2.6 Determining the PFDavg of Sensors
5.2.6.1 Identify the sensors, list their dangerous failure rates
(i.e., dangerous undetected failures) and Test Interval
(TI), and calculate the PFDavg.
5.2.6.2 For dirty process conditions apply a severity factor to
the sensor failure rate, effectively de-rating it for the
service conditions.
5.2.6.3 Sum the PFDavg for the sensors.
5.2.7 Determining the PFDavg of Final Control Elements
5.2.7.1 Identify the valves and each of the components on the
valve, including solenoid valves, positioners, boosters
and multiplexers, etc.
5.2.7.2 Calculate the PFDavg for the valve package.
5.2.7.3 Sum the PFDavg for the Final Control Elements.
5.2.8 Determining the PFDavg of the Logic Solver
5.2.8.1 Identify the type and manufacturer of the hardware to be
used.
5.2.8.2 Identify the IO module types for the function and logic
solver combination.
5.2.8.3 Calculate the PFDavg using a system calculation tool.
5.2.9 Determining the PFDavg of the Separate Field Power Supplies and
UPS
5.2.9.1 If the ESD is designed to de-energize to trip, the power
supply does not impact the safety function, since a power
supply failure results in the process equipment being
brought to the safe state. Identify the type and
manufacturer of the hardware to be used.
5.2.9.2 If the ESD is designed to energize to trip, the power
supply does impact the safety function, since a power
supply failure will not allow the ESD to be initiated.
List the MTBF for each power supply, both field power
supplies and UPS. Identify the IO module types for the
function and logic solver combination.
5.2.9.3 Calculate the PFDavg for the UPS and Field Power
Supplies.
5.2.10 Simplified Equations for PFDavg and STR
See ISA TR84.00.02 Parts 1 and 2 for the use of Simplified Equations
including beta factors and dangerous detected failures. The
following table summarizes the simplified equations without
these factors. Note that these simplified equations assume that the
voted components are identical, which is not always the case; the
equations assume similar failure rates for redundant components.

Table 2  Simplified Equations for Different Voting Architectures

Voting    PFDavg    Spurious Trip Rate (STR)
1oo1
1oo2
1oo2D
1oo3
2oo2
2oo3
2oo4
(equation cells of Table 2 not reproduced in this copy)
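The equations of Table 2 and the verification steps of 5.2.3 and 5.2.4 (the 25% margin, partial stroke credit, one-shift MTTR, summing the subsystem PFDavg values) can be exercised with a short script, which also covers the spurious trip calculation of 5.3 for the same voting groups. The following Python is an added worked example, not part of SAEP-250 or of ISA TR84.00.02. The PFDavg and STR expressions are the simplified forms with no beta factor and no diagnostic credit as given in the technical report, since the table on this page does not reproduce them; 1oo2D is left out because its simplified form depends on the diagnostic coverage. Every failure rate, test interval and the makeup of the SIF in the demo are constructed inputs, and applying the 60%/40% factors of 5.2.3.11 as proof test coverage is this example's reading of that clause:

```python
"""SIL verification with simplified equations (sections 5.2.3 to 5.2.10 and 5.3).

Added example, not part of SAEP-250. The per-architecture equations are the
simplified forms from ISA TR84.00.02 Part 2 with no beta factor and no
diagnostic credit; 1oo2D is omitted because its simplified form depends on
diagnostic coverage. All failure rates, intervals and the SIF makeup below
are constructed inputs.
"""
HOURS_PER_YEAR = 8760.0

# PFDavg as a function of x = lambda_DU * TI, identical voted channels.
PFD_AVG = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x ** 2,
    "1oo3": lambda x: x ** 3 / 4,
    "2oo4": lambda x: x ** 3,
}

# Spurious trip rate (per hour) from lambda_S (per hour) and MTTR (hours):
# a 1ooN group trips on any single safe failure; a 2ooN group needs two safe
# failures to overlap within the repair time.
STR = {
    "1oo1": lambda ls, mttr: ls,
    "1oo2": lambda ls, mttr: 2 * ls,
    "2oo2": lambda ls, mttr: 2 * ls ** 2 * mttr,
    "2oo3": lambda ls, mttr: 6 * ls ** 2 * mttr,
    "1oo3": lambda ls, mttr: 3 * ls,
    "2oo4": lambda ls, mttr: 12 * ls ** 2 * mttr,
}


def pfd_avg(arch, lam_du_per_hour, ti_hours):
    """Average probability of failure on demand for one voted subsystem."""
    return PFD_AVG[arch](lam_du_per_hour * ti_hours)


def pfd_avg_valve(lam_du_per_hour, ti_partial_hours, ti_full_hours, partial_coverage=0.6):
    """5.2.3.11 for a 1oo1 valve: 60% of dangerous failures are credited to the
    partial stroke interval and the remaining 40% to the full stroke interval.
    Treating the two factors as proof test coverage is this example's assumption."""
    return (partial_coverage * lam_du_per_hour * ti_partial_hours / 2
            + (1 - partial_coverage) * lam_du_per_hour * ti_full_hours / 2)


def str_per_year(arch, lam_s_per_hour, mttr_hours=8.0):
    """Spurious trips per year; MTTR defaults to one shift (5.2.3.10)."""
    return STR[arch](lam_s_per_hour, mttr_hours) * HOURS_PER_YEAR


def sil_from_pfd(pfd):
    """Table 1: 1E-2 <= PFDavg < 1E-1 -> SIL 1, ..., PFDavg < 1E-4 -> SIL 4; >= 1E-1 -> 0."""
    sil = 0
    while sil < 4 and pfd < 10.0 ** -(sil + 1):
        sil += 1
    return sil


def meets_required_sil(pfd, required_sil):
    """5.2.3.6: the verified PFDavg must beat the SIL band's upper bound by 25%,
    i.e. SIL 1 < 7.5E-02, SIL 2 < 7.5E-03, SIL 3 < 7.5E-04."""
    return pfd < 0.75 * 10.0 ** -required_sil


def verify_sif(subsystem_pfds, required_sil):
    """5.2.4.3 to 5.2.4.5: sum the sensor, logic solver and final element PFDavg
    values and check the total against the required SIL with the 25% margin."""
    total = sum(subsystem_pfds)
    return {"pfd_avg": total, "achieved_sil": sil_from_pfd(total),
            "passes": meets_required_sil(total, required_sil)}


if __name__ == "__main__":
    # Constructed SIF: 1oo2 transmitters tested yearly, a logic solver PFDavg
    # taken as a given figure, and one shutdown valve (1oo1).
    sensors = pfd_avg("1oo2", 0.5e-6, HOURS_PER_YEAR)
    logic_solver = 1e-5
    valve_full_only = pfd_avg("1oo1", 2e-6, HOURS_PER_YEAR)                   # yearly full stroke only
    valve_with_pst = pfd_avg_valve(2e-6, HOURS_PER_YEAR / 4, HOURS_PER_YEAR)  # quarterly PST added
    print("full stroke only:   ", verify_sif([sensors, logic_solver, valve_full_only], required_sil=2))
    print("with partial stroke:", verify_sif([sensors, logic_solver, valve_with_pst], required_sil=2))
    print("1oo2 sensor STR per year:", str_per_year("1oo2", 2e-6))
```

The two valve cases in the demo show the point of 5.2.3.6 and 5.2.3.11 together: with a yearly full stroke test only, the loop's PFDavg of about 8.8E-03 is inside the SIL 2 band but misses the 25% margin, so verification fails; adding the quarterly partial stroke test brings the same loop to about 4.8E-03, under the 7.5E-03 limit. For the STR side, note that a 1oo2 sensor pair doubles the spurious trip rate of a single transmitter while a 2oo3 arrangement reduces it to a term in lambda_S squared times MTTR, which is why redundancy chosen for PFDavg alone can worsen the production loss that 5.3 is concerned with.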



5.3 Spurious Trip Rate Calculation
STR calculations are made when a spurious trip of a specific safety
function may cause an unacceptable loss of production.
5.3.1 Documentation of Calculations
All assumptions, data sources, and any other information necessary
to define the final system availability and spurious trip rate shall be
documented and maintained with the shutdown system
documentation.
5.3.2 Assumptions used in Calculations
5.3.2.1 The cost of the end device should include the total
installed cost including engineering.
5.3.2.2 Loss of production estimates should be clearly defined
in simple terms, average loss basis, number of hours
down, and % of turn down.
5.3.3 Calculation Procedure
5.3.3.1 Identify the initiators of shutdown in each SIF.
5.3.3.2 List the MTTF (spurious) for each sensor.
5.3.3.3 List the MTTR for each sensor.
5.3.3.4 Calculate the spurious trip rate for the combination of
sensors.
5.3.3.5 Repeat 5.3.3.1 to 5.3.3.4 for the final control elements.
5.3.3.6 Repeat 5.3.3.1 to 5.3.3.4 for the logic solver and power
supplies.
5.4 Safety Requirements Specification (SRS)
As part of the Safety Requirements Specification a SIF Specification Sheet
should be published to summarize the SIL Assignment, SIL Verification,
Spurious Trip Rate and a written narrative of the shutdown requirements.
See Appendix D for an example SIF Specification Sheet.

6 Responsibilities
6.1 Saudi Aramco Project Management Team (SAPMT)
a) Allocate a SIL Team to conduct a SIL Assignment Study.
b) Perform SIL Assignment and Verification for each safety instrumented
function per this procedure.
c) Submit the SIL Assignment report for review to appropriate Saudi
Aramco organizations.
d) Submit the SIL Verification report for review to appropriate Saudi
Aramco organizations.
e) Submit a SIF Specification Sheet for each ESD loop.
f) Conduct a quantitative assessment for all SIL#3 ESD loops.
6.2 Loss Prevention Department (LPD)
a) Support SAPMT and P&CSD organizations in planning and
performing SIL studies.
b) Support proponent organizations in maintaining the designed integrity
of installed SIS.
c) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
6.3 Process & Control Systems Department (P&CSD)
a) Support SAPMT and Proponent organizations in planning and performing
SIL studies.
b) Support proponent organizations in maintaining the designed integrity
of installed SIS.
c) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
e) Participate in SIL Assignment Studies as requested by SAPMT.
6.4 Proponent Organizations
a) Assign engineers to participate in SIL Assignment Studies
b) Review all projects SIL assignment reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
c) Review all projects SIL verification reports to ensure compliance with
this procedure and applicable Saudi Aramco Standards.
d) Allocate resources and plan necessary equipment/facility shutdowns to
ensure performance of periodic proof testing and maintenance throughout
the operational life of the SIS and at its decommissioning, as
established in this document.
e) Ensure that the designed integrity of the SIS is maintained during the
operational life cycle of the system.


Revision Summary
27 October 2007 New Saudi Aramco Engineering Procedure.

Appendix A Required SIL Assignment Report Contents

1. Introduction
1.1 Scope
This section shall define the scope of the ESD application, and shall define
its structure and summarize its content.
1.2 Objectives
This section shall define the intent of the SIL Assignment Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of an abbreviation is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Assignment report shall be listed and
completely identified in this section.
4. Project Description
4.1 Introduction
This section shall provide an overall description of the Process and the
Process Control design.
4.2 SIL Study Methodology
This section shall summarize the SIL Assignment Methodology used in the
study.
5. Assumptions
State or reference all assumptions used in the quantitative and qualitative analysis in
this Section. Note assumptions relating to consequence and likelihood of hazardous
events.
6. Data Sources & Software Package
6.1 Data Sources
State the data sources or software packages used in this Section.
6.2 Models
Reference all consequence and likelihood models completed on the facility
including toxicity dispersion models, blast study models, and transient
pipeline analysis.
7. Results
7.1 Worksheet
Provide a completed risk graph or risk matrix worksheet (Appendix E or F)
showing all identified SIFs and their respective SIL assignment.
7.2 Recommendations
Provide a summary of recommended proposals that would improve the
safety design or mitigate the process risk in this section.
8. Conclusions
This section provides a summary of the recommendations and any further
information to execute the engineering design. State any further information or
modeling required.

Appendix B Required SIL Verification Report Contents

1. Introduction
1.1 Scope
This section shall define the scope of the ESD application, and shall define
its structure and summarize its content.
1.2 Objectives
This section shall define the intent of the SIL Verification Report.
2. Definitions
This section shall provide a listing with definitions of terms and abbreviations used
in this document that are subject to interpretation by the user.
A simple translation of abbreviations is not sufficient unless the meaning of the
translation is obvious.
3. Applicable Documents
All documents referenced within the SIL Verification report shall be listed and
completely identified in this section.
4. System Description
4.1 Introduction
This section shall provide an overall view of the Process Automation
System, its operation and capabilities, and its intended use.
4.2 Safety Instrumented Functions
This section shall provide a list of the SIFs being considered in the
verification. The following information shall be included:
a) SIF Number and Tag Name.
b) SIL required.
c) Initiator/s Tag Number/s.
d) Final Element/s Tag Number/s.
e) SIS architecture showing required fault tolerance per SAES-J-601 and
IEC 61511.
5. Assumptions
This section shall include all assumptions used in the calculations. These include,
but are not limited to:
5.1 Test Interval (TI) for instruments, logic solver and final control elements.
5.2 Common Cause Factors (Beta Factor).
Commentary Note:
Typical Common Cause Factors range from 1-5% for similar equipment.
Otherwise Common Cause Factor can be provided from a Fault Mode and
Effect Analysis (FMEA).
5.3 MTTR of instrumentation.
5.4 Service factors for process instruments.
5.5 The failure mode of transmitters to the trip condition.
6. Data Sources & Software Package (Version)
This section provides a reference or a complete list of Failure Rate data used for
instrumentation and control equipment.
7. Calculation Results
This section shall show the calculation results summarized for each Safety
Instrumented Function, including the calculations that verify the SIL and those that
calculate the Spurious Trip Rate (STR) of the device(s) that lead to a trip. Functions
that share the same instrumentation may be grouped; however, the calculations must
show sufficient working to be checked and reviewed.
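The following Python example, added here and not part of SAEP-250, shows the arithmetic behind the quantities this appendix asks for in Sections 5 to 7: a proof test interval, a common cause beta factor, MTTRs and failure rates go in, and the PFDavg per subsystem, the SIL achieved and the spurious trip rate come out. It uses the simplified IEC 61508-6 style approximations for 1oo1 and 1oo2 voting and the IEC 61511 low-demand PFD bands; the failure-rate figures and the tag names (PT-xxx, XV-xxx) are constructed placeholders, not data from the procedure.

```python
"""SIL verification arithmetic for a low-demand SIF.

Added example, not text from SAEP-250. Assumptions not taken from the procedure:
- PFDavg uses the simplified IEC 61508-6 style approximations for 1oo1 and 1oo2 voting;
- the failure-rate figures in example_sif() are constructed for illustration;
- low-demand PFDavg bands follow IEC 61511 (SIL 1: 1e-2 to 1e-1, SIL 2: 1e-3 to 1e-2,
  SIL 3: 1e-4 to 1e-3).
"""
from __future__ import annotations
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    """One leg of the SIF: initiator, logic solver or final element."""
    name: str
    lambda_du: float    # dangerous undetected failure rate, per hour
    lambda_dd: float    # dangerous detected failure rate, per hour
    lambda_s: float     # safe failure rate (causes a spurious trip), per hour
    voting: str         # "1oo1" or "1oo2"
    ti_hours: float     # proof test interval, Section 5.1
    mttr_hours: float   # mean time to repair, Section 5.3
    beta: float = 0.0   # common cause factor, Section 5.2 (0.02 means 2%)

    def pfd_avg(self) -> float:
        """Average probability of failure on demand of this subsystem."""
        if self.voting == "1oo1":
            # an undetected fault persists on average TI/2; a detected fault persists MTTR
            return self.lambda_du * self.ti_hours / 2 + self.lambda_dd * self.mttr_hours
        if self.voting == "1oo2":
            # independent term: both channels must fail undetected within the same interval
            lam_ind = (1 - self.beta) * self.lambda_du
            independent = (lam_ind * self.ti_hours) ** 2 / 3
            # common cause term: a fraction beta of failures takes both channels out at once
            common = (self.beta * self.lambda_du * self.ti_hours / 2
                      + self.beta * self.lambda_dd * self.mttr_hours)
            return independent + common
        raise ValueError(f"unsupported voting {self.voting!r}")

    def spurious_trip_rate(self) -> float:
        """Spurious trips per year; in a 1ooN group any single safe failure trips the SIF."""
        channels = 2 if self.voting == "1oo2" else 1
        return channels * self.lambda_s * HOURS_PER_YEAR


def sil_from_pfd(pfd: float) -> int:
    """SIL band achieved by a low-demand PFDavg (0 means below SIL 1)."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def verify_sif(required_sil: int, subsystems: list[Subsystem]) -> dict:
    """Series combination: the SIF fails on demand if any subsystem does, so PFDs add."""
    pfd_total = sum(s.pfd_avg() for s in subsystems)
    achieved = sil_from_pfd(pfd_total)
    return {
        "pfd_avg": pfd_total,
        "achieved_sil": achieved,
        "sil_met": achieved >= required_sil,
        "spurious_trips_per_year": sum(s.spurious_trip_rate() for s in subsystems),
        "per_subsystem": {s.name: s.pfd_avg() for s in subsystems},
    }


def example_sif(required_sil: int = 2) -> dict:
    """Constructed SIF: 1oo2 transmitters, a 1oo1 logic solver and a 1oo1 valve, annual proof test.
    Tag names are placeholders."""
    year = HOURS_PER_YEAR
    subsystems = [
        Subsystem("PT-xxx A/B", 1e-6, 2e-6, 4e-6, "1oo2", year, 8.0, beta=0.02),
        Subsystem("logic solver", 1e-8, 1e-6, 1e-6, "1oo1", year, 8.0),
        Subsystem("XV-xxx", 2e-6, 0.0, 3e-6, "1oo1", year, 24.0),
    ]
    return verify_sif(required_sil, subsystems)


if __name__ == "__main__":
    result = example_sif()
    for name, pfd in result["per_subsystem"].items():
        print(f"{name:14s} PFDavg = {pfd:.2e}")
    print(f"SIF PFDavg = {result['pfd_avg']:.2e}, achieves SIL {result['achieved_sil']}, "
          f"STR = {result['spurious_trips_per_year']:.3f} trips/yr")
```

The per-subsystem breakdown is the part a reviewer checks first: in the constructed case the valve's undetected failures over a one-year test interval account for almost all of the PFD, so shortening its test interval, not adding a third transmitter, is what moves the result; and the 1oo2 transmitter pair buys its PFD at the cost of a doubled spurious trip contribution.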
Appendix C Responsibility for Engineering

Figure 1 - SIL and Engineering Design
(Diagram not reproduced in this text extraction. Recoverable content of Figure 1: the
project phases Conceptual Design, DBSP, Project Proposal and Detailed Design; the SIL
activities Stage-one (PHA, Hazard Identification; SIL Assignment, Qualitative
Consequence), Stage-two (SIL Assignment, Semi-Quantitative Risk Graph), Stage-three,
SIL 3 only (SIL Assignment, Quantitative), SIS Design (SIL 1, 2 and 3), SIS Verification
(SIL 1, 2 and 3), Installation Validation, and Testing and Commissioning; and the "By"
and "Review" organizations named against them: PMT, P&CSD, P&CSD/LPD, OPS/AALPD, OME,
and the applicable SAES.)

Appendix D SIF Specification Sheet

This Section shall provide a completed SIF specification summarizing the SIL Assignment, SIL
Verification, Spurious Trip Rate, SIF architecture, level of redundancy and suitability of components
and sub-systems.

SIF SPECIFICATION SHEET

PEFS Number:                      Is it a Pre-Alarm?
Initiator Tag:
Logic Solver Tag:
Final Element Tag:

FAILURE ON DEMAND:
Design Intent:
Demand Scenarios:
  Case A:
  Case B:
Consequence of Failure:
  Case A:
  Case B:
Demand Rate:                   D:      Process Safety Time:
Health and Safety Consequence: S:
Exposure:
Possibility to Avert Hazard:
Loss Consequence:              L:
Environmental Consequence:     E:
Overall SIL:

CONSEQUENCE OF SPURIOUS TRIP:
COST:                          C:
Initiator:                     Rate:
Final element:                 Rate:

Appendix E SIL Assignment Worksheet

Department:            Date Prepared:
Team:
Division:              Date Issued:
Facility/Project:
Process Equipment:     Reviewed by:          Approved by:

Worksheet columns:
SIF | Scenario | Risk (yr^-1) | Risk Target (yr^-1) | IPLs (Description) | IPLs RR | PFD Required | SIL

RR: Risk Reduction


Appendix F Risk Graph Tables and Worksheet

The application of the Risk Graph Methodology requires the evaluation of the following
factors:
Consequences (C)
The consequence criteria shall be taken in accordance with table No. 2-1.
Occupancy (F)
This parameter should be estimated based on table No. 2-2. It is calculated by
determining the proportional length of time the area exposed to the hazard is
occupied during a normal working period. If the time in the hazardous area is
different depending on the shift being operated then the maximum should be
selected. It is only appropriate to use F_A where it can be shown that the demand rate
is random and not related to when occupancy could be higher than normal. The
latter is usually the case with demands which occur at equipment start-up or during
the investigation of abnormalities. In any case, the factor should be selected based
on the most exposed person rather than the average across all people. It should be
noted that the concept of occupancy applies for personnel. For environmental and
assets damage, because they have no mobility, only F_B is used when applying the
risk graph.
Possibility of Avoiding the Hazard (P)
This parameter should be estimated based on table No. 2-3. It represents a measure
of the possibility of preventing the hazard. The parameter P_A should only be used in
cases where the hazard can be prevented by the operator taking action.
Frequency of unwanted event (W)
The analysis of this aspect should follow table No. 2-4. It is important to note that
the frequency of the unwanted event (also called demand), shall be assessed as the
number of times per year that the hazardous situation would occur without the
addition of any safety instrumented system (E/E/PE or other technology), but
including any external risk reduction facilities (drain system, firewall, dike, etc.).
Table 3-1 Consequence Criteria (C)

Consequence   Description
C_A           People: Employee injury or damage to health.
              Environment: Minor and inside the fence.
              Assets: Minor damage. Cost less than $1 million.
C_B           People: Employee fatality.
              Environment: Localized effect affecting neighborhood.
              Assets: Partial shutdown. Cost up to $100 million.
C_C           People: Employee multiple fatalities and some impact on third parties.
              Environment: Severe damage to environment to be extensively restored by SA.
              Assets: Partial operation loss. Costs up to $500 million.
C_D           People: Employees and third parties multiple fatalities.
              Environment: Contamination over a large public area. Major economic loss to SA.
              Assets: Significant or total loss of facility. Costs above $500 million.



Table 3-2 Occupancy Factor (F)

Risk Parameter   Classification
F_A              Rare to more frequent exposure in the hazardous zone. Occupancy less than 10%.
F_B              Frequent to permanent exposure in the hazardous zone.



Table No. 3-3 Probability of Avoiding the Hazardous Event (P)

Risk Parameter   Classification
P_A              Adopted if all conditions in the comments column are satisfied.
P_B              Adopted if all conditions in the comments column are not satisfied.

Comments: P_A should be selected if all the following are true:
o Facilities are provided to alert the operator that the SIS has failed.
o Independent facilities are provided to shut down such that the hazard can be
  avoided, or which enable all persons to escape to a safe area.
o The time between the operator being alerted and a hazardous event occurring
  exceeds 1 hour or is definitely sufficient for the necessary actions.

Table 3-4 Frequency of Unwanted Event (W)

Risk Parameter   Frequency (yr^-1)          Description
W_1              < 1 x 10^-6                Very Low. Never heard of in industry.
W_2              1 x 10^-3 to 1 x 10^-6     Medium. Incident has occurred in SA.
W_3              > 1 x 10^-3                High. Happens several times per year in SA.




Figure No. 2 Risk Graph

(Diagram not reproduced in this text extraction. The graph starts from the consequence
parameter C, branches through F and P to one of six intermediate rows X1 to X6, and each
row is read against the columns W1, W2 and W3 to give the result. Legend recovered from
the figure:)
C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of failing to avoid hazard risk parameter
W = Probability of the unwanted occurrence
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level
Generalized arrangement (in practical implementations the arrangement is specific to
the applications to be covered by the risk graph)


Figure 3 Risk Graph SIL Summary

Department:            Date Prepared:
Team:
Division:              Date Issued:
Facility/Project:
Process Equipment:     Reviewed by:          Approved by:

Worksheet columns:
SIF | Scenario | Factors (C, F, P, W) | SIL w/o IPLs | IPLs (Description) | IPLs RR | SIL

RR: Risk Reduction.
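As an added example that is not part of SAEP-250, the Python below encodes the Appendix F parameters so that one row of the summary above can be evaluated per consequence category (people, environment, assets) and rolled up into the overall SIL that the SIF specification sheet asks for. The X1 to X6 branch structure and the W1/W2/W3 outcomes are those of the generalized IEC 61508-5 risk graph, which is an assumption: a calibrated site graph may differ and must replace the two tables before the code is used. The scenario in example_sif() is constructed.

```python
"""Risk graph SIL assignment with the Appendix F parameters.

Added example, not text from SAEP-250. Assumptions:
- C, F, P and W are the Appendix F parameters (Tables 3-1 to 3-4);
- the branch structure X1..X6 and the W1/W2/W3 outcomes are those of the
  generalized IEC 61508-5 risk graph; a calibrated site arrangement may differ,
  so _BRANCH and _OUTCOME must be replaced with the calibrated values before use;
- the Appendix F rules that F_A applies to personnel only and that P_A needs all
  three Table 3-3 conditions are enforced in code.
"""
from __future__ import annotations

# consequence -> occupancy -> avoidance -> branch X1..X6 (C_A goes to X1 whatever F and P are)
_BRANCH = {
    "CA": {"FA": {"PA": 1, "PB": 1}, "FB": {"PA": 1, "PB": 1}},
    "CB": {"FA": {"PA": 2, "PB": 3}, "FB": {"PA": 3, "PB": 4}},
    "CC": {"FA": {"PA": 4, "PB": 5}, "FB": {"PA": 5, "PB": 6}},
    "CD": {"FA": {"PA": 5, "PB": 6}, "FB": {"PA": 6, "PB": 6}},
}

# branch -> outcome per demand frequency; "---" no safety requirement,
# "a" no special safety requirement, "b" a single E/E/PES is not sufficient
_OUTCOME = {
    1: {"W3": "a", "W2": "---", "W1": "---"},
    2: {"W3": "1", "W2": "a",   "W1": "---"},
    3: {"W3": "2", "W2": "1",   "W1": "a"},
    4: {"W3": "3", "W2": "2",   "W1": "1"},
    5: {"W3": "4", "W2": "3",   "W1": "2"},
    6: {"W3": "b", "W2": "4",   "W1": "3"},
}

_SEVERITY = ["---", "a", "1", "2", "3", "4", "b"]   # least to most demanding


def w_from_frequency(demands_per_year: float) -> str:
    """Table 3-4: W1 below 1e-6/yr, W3 above 1e-3/yr, W2 in between (demand rate without the SIS)."""
    if demands_per_year < 1e-6:
        return "W1"
    if demands_per_year > 1e-3:
        return "W3"
    return "W2"


def p_from_conditions(operator_alerted: bool, independent_shutdown: bool,
                      hours_to_hazard: float) -> str:
    """Table 3-3: P_A only when all three conditions hold, otherwise P_B."""
    if operator_alerted and independent_shutdown and hours_to_hazard > 1.0:
        return "PA"
    return "PB"


def risk_graph(c: str, f: str, p: str, w: str, category: str) -> str:
    """Outcome for one consequence category ('people', 'environment' or 'assets')."""
    if category != "people" and f == "FA":
        # Appendix F: environment and assets have no mobility, only F_B applies
        raise ValueError(f"F_A is valid for personnel only, not for {category}")
    return _OUTCOME[_BRANCH[c][f][p]][w]


def overall_sil(per_category: dict[str, str]) -> str:
    """Overall SIL for the SIF specification sheet: the most demanding category outcome."""
    return max(per_category.values(), key=_SEVERITY.index)


def example_sif() -> dict[str, str]:
    """Constructed case: an overpressure demand about once in 10 years, the operator is
    alerted but has no independent means to shut down in time; people C_B with occupancy
    under 10%; environment C_A; assets C_B."""
    w = w_from_frequency(0.1)                      # -> W3 under Table 3-4
    p = p_from_conditions(True, False, 0.25)       # -> P_B
    return {
        "people": risk_graph("CB", "FA", p, w, "people"),
        "environment": risk_graph("CA", "FB", p, w, "environment"),
        "assets": risk_graph("CB", "FB", p, w, "assets"),
    }


if __name__ == "__main__":
    outcome = example_sif()
    print(outcome, "overall SIL:", overall_sil(outcome))
```

Note that the asset category, forced to F_B, drives the overall result to SIL 3 while the people category alone would give SIL 2; this is the effect the Appendix F text describes when it says that environmental and asset damage have no mobility.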


Appendix G Risk Matrix Table

Saudi Aramco Risk Matrix for Safety Integrity Level (SIL) Assignment

Legend
o EHRS: Extremely High Risk Scenario. Redesign of the process system required.
o 3: A SIL 3 SIF is required.
o 2: A SIL 2 SIF is required.
o 1: A SIL 1 SIF is required.
o 0: No SIF required.

Likelihood Descriptions (Without IPLs, but including the Control System)

Category  Likelihood                      Description
1         Very High (> 10^-2 yr^-1)       Scenario can be expected to occur several times per year in the facility.
2         High (10^-2 to 10^-3 yr^-1)     Scenario can be expected to occur several times per year in SA.
3         Medium (10^-3 to 10^-4 yr^-1)   Scenario has occurred in SA.
4         Low (10^-4 to 10^-6 yr^-1)      Some scenarios have occurred in the industry.
5         Very Low (< 10^-6 yr^-1)        Very rare or never heard of in industry.

Consequence Categories and Descriptions (Without IPLs, but including the Control System)

Category 1, Very High
  People: Multiple fatalities.
  Environment: Contamination over a large public area.
  Assets: Significant or total loss of facility. Cost above $500 million.
  Reputation: International public and media attention.
Category 2, High
  People: Employee fatalities and minor impact on third parties.
  Environment: Severe damage to environment to be restored by SA.
  Assets: Partial operation loss. Costs up to $500 million.
  Reputation: National impact. Public and media concern.
Category 3, Medium
  People: Lost time injury or limited health effects.
  Environment: Localized effect affecting neighborhood.
  Assets: Partial shutdown. Cost up to $100 million.
  Reputation: Regional public and some media concern.
Category 4, Low
  People: Minor injury or damage to health.
  Environment: Minor and inside the fence.
  Assets: Minor damage. Costs up to $25 million.
  Reputation: Some public and media awareness but no concern.
Category 5, Insignificant
  People: No injury or damage to health.
  Environment: No impact.
  Assets: Operational upset. Cost less than $100,000.
  Reputation: No public awareness.

SIL Assignment Matrix (rows: likelihood category, decreasing likelihood downward;
columns: consequence category, decreasing consequence from right to left)

Likelihood \ Consequence   5 Insignificant   4 Low   3 Medium   2 High   1 Very High
1 Very High                2                 2       3          EHRS     EHRS
2 High                     1                 2       3          3        EHRS
3 Medium                   0                 1       2          3        3
4 Low                      0                 0       1          2        2
5 Very Low                 0                 0       0          1        1
About this matrix:
o The risk ranking is given by the risk to people and environment, with no direct relationship with risks to assets.
o This matrix is endorsed for use across SA.
o Should any part of this matrix be changed, modified, adapted or customized, it is only to be used for SIL determination and by
competent personnel.
Notes:
o Facility loss includes capital loss, business interruption,
production deferment, legal liability and emergency response
costs.
o In applying this matrix it is important to bear in mind that it
is strongly recommended, as far as possible, to design the
process for a lower SIL (below SIL 2) and also to provide
non-SIS protection layers.
o The consequence scenarios referred to in this matrix are
those fully developed, e.g. VCE, fire, toxic vapor cloud, etc.
ABBREVIATIONS:
o SIL: Safety Integrity Level
o SIS: Safety Instrumented System
o SIF: Safety Instrumented Function
o IPL: Independent Protection Layer
o VCE: Vapor Cloud Explosion
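Added example, not part of SAEP-250: a Python transcription of this matrix that bands an unmitigated scenario frequency into the likelihood categories, takes the consequence category from people and environment only (as the first note about the matrix requires) and returns the required SIL or flags an EHRS. The scenarios in example_scenarios() are constructed.

```python
"""Risk matrix SIL assignment per Appendix G.

Added example, not text from SAEP-250. The likelihood bands, the people and
environment consequence categories and the matrix cells are transcribed from
Appendix G; the scenarios in example_scenarios() are constructed.
"""
from __future__ import annotations

EHRS = "EHRS"   # Extremely High Risk Scenario: redesign of the process system required

# rows: likelihood category 1 (Very High) .. 5 (Very Low)
# columns: consequence category 5 (Insignificant) .. 1 (Very High)
_MATRIX = {
    1: {5: 2, 4: 2, 3: 3, 2: EHRS, 1: EHRS},
    2: {5: 1, 4: 2, 3: 3, 2: 3, 1: EHRS},
    3: {5: 0, 4: 1, 3: 2, 2: 3, 1: 3},
    4: {5: 0, 4: 0, 3: 1, 2: 2, 1: 2},
    5: {5: 0, 4: 0, 3: 0, 2: 1, 1: 1},
}

LIKELIHOOD_NAMES = {1: "Very High", 2: "High", 3: "Medium", 4: "Low", 5: "Very Low"}
CONSEQUENCE_NAMES = {5: "Insignificant", 4: "Low", 3: "Medium", 2: "High", 1: "Very High"}


def likelihood_category(frequency_per_year: float) -> int:
    """Band the scenario frequency (without IPLs, but including the control system)."""
    if frequency_per_year > 1e-2:
        return 1
    if frequency_per_year > 1e-3:
        return 2
    if frequency_per_year > 1e-4:
        return 3
    if frequency_per_year >= 1e-6:
        return 4
    return 5


def consequence_category(people: int, environment: int) -> int:
    """The ranking uses risk to people and environment only (not assets); take the more severe."""
    for cat in (people, environment):
        if cat not in CONSEQUENCE_NAMES:
            raise ValueError(f"unknown consequence category {cat}")
    return min(people, environment)   # category 1 is the most severe


def matrix_sil(frequency_per_year: float, people: int, environment: int) -> dict:
    """Look up the Appendix G cell and say whether a SIF or a redesign is required."""
    like = likelihood_category(frequency_per_year)
    cons = consequence_category(people, environment)
    cell = _MATRIX[like][cons]
    return {
        "likelihood": f"{like} {LIKELIHOOD_NAMES[like]}",
        "consequence": f"{cons} {CONSEQUENCE_NAMES[cons]}",
        "required_sil": None if cell == EHRS else cell,
        "redesign_required": cell == EHRS,
    }


def example_scenarios() -> dict[str, dict]:
    """Constructed scenarios with fully developed consequences, as the matrix notes require."""
    return {
        # separator overpressure on control loop failure, about once in 200 years
        "separator overpressure": matrix_sil(5e-3, people=2, environment=3),
        # small flange leak with ignition, rare initiating event
        "flange leak fire": matrix_sil(2e-5, people=3, environment=4),
        # toxic release reaching the fence line several times a year without protection
        "toxic release": matrix_sil(0.5, people=1, environment=2),
    }


if __name__ == "__main__":
    for name, result in example_scenarios().items():
        print(name, result)
```

A scenario landing in an EHRS cell is the matrix telling the team that no SIL is enough on its own; the procedure's answer there is process redesign, and the code returns no SIL for that reason rather than silently assigning SIL 3.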

Appendix H Quantitative Risk Criteria

Risk Target Frequency (yr^-1)   Consequence Description
1 x 10^-6                       People: Employees and third parties multiple fatalities.
                                Environment: Contamination over a large public area. Major economic loss to SA.
                                Assets: Significant or total loss of facility. Costs above $500 million.
1 x 10^-5                       People: Employee multiple fatalities and some impact on third parties.
                                Environment: Severe damage to environment to be extensively restored by SA.
                                Assets: Partial operation loss. Costs up to $500 million.
1 x 10^-4                       People: Employee fatality.
                                Environment: Localized effect affecting neighborhood.
                                Assets: Partial shutdown. Cost up to $100 million.
1 x 10^-3                       People: Employee injury or damage to health.
                                Environment: Minor and inside the fence.
                                Assets: Minor damage. Cost less than $1 million.

Appendix I General Notes

Introduction
Applying a risk based approach to safety functions using SIL will validate that the
design of safety systems in Saudi Aramco is adequate to protect personnel,
environment and assets against potentially hazardous situations. In addition, the risk
based approach will provide additional understanding of the process and
opportunities to reduce capital and maintenance costs, as well as to avoid false
trips.
The starting point for risk based SIL assignment is to establish risk tolerability
criteria, so that the necessary risk reduction for each safety function can be
quantitatively or qualitatively ascertained. In some cases other safety protective
layers exist that may be used as credit when assessing the required safety integrity
level.
In order to meet the requirements of international standards it is required to:
Identify safety functions.
Determine SIL for each function.
Develop safety requirement specifications
Use life cycle approach for SIS design.
Verify the integrity of SIS design.
Demonstrate that integrity of SIS can be maintained.
Document the process.
The SIL Concept
The SIL concept as applied by Saudi Aramco requires the identification of process
equipment with safety implications and establishing the risk reduction needed for
each of the safety functions required for each item of process equipment to operate safely.
Process equipment with safety implications are those process systems that can pose
one or more hazards (explosion, toxic release, leak, etc.). The risk reduction needed
is the gap between the existing risk posed by the equipment and the risk target. This
gap is to be covered firstly by inherently safer design and mechanical integrity, and
in the second place by using independent protection layers (IPL). When all the above
mentioned measures by themselves are not sufficient to cover the risk reduction
needed, a safety instrumented system (SIS) with the required technical specification
and architecture will be specified.
The Safety Life Cycle
The safety life cycle is another fundamental concept established by the international
standards. The safety life cycle represents the application of good engineering
practice to SISs. This safety life cycle is depicted in the figure 1 in Appendix C.
Good engineering practice is accomplished based on three fundamental aspects:
i) Design by Layers of Protection. Risk reduction is normally accomplished
using more than one protective system and more than one type of technology.
Some of these protective systems reduce the frequency of the hazardous
scenario, whereas others reduce the consequences. As a result, the total risk
reduction factor is obtained from the combination of the risk reduction factors
from each individual protective system.
ii) The second fundamental aspect of the safety lifecycle process is that it includes
design verification. The SIL for each section of the safety system is
calculated. Then, based on this calculated SIL each design must meet or
exceed these requirements. This aspect provides a control and verification
process that ensures that the design is optimal for the need. SIS over-design
can be easily and clearly identified and consequently changed. On the other
hand, SIS designs not fully covering the risk reduction needed can be
identified as well, and improved to meet the risk target.
iii) Third, the safety life cycle includes inspection, testing and maintenance
planning, which addresses, among other things, testing intervals and testing schedules.
Furthermore, operation, maintenance and decommissioning are all part of the
safety life cycle.
Independent Protection Layers
Only those protection systems that meet the following criteria shall be classified as
independent protection layers, and therefore used in Saudi Aramco SIL studies.
These criteria are:
i) The protection provided reduces the identified risk by a large amount, that is, a
minimum of 10^-1.
ii) Specificity: An IPL is designed solely to prevent or to mitigate the
consequences of one potentially hazardous event (for example, a runaway
reaction, release of toxic material, a loss of containment, or a fire). Multiple
causes may lead to the same hazardous event; and, therefore, multiple event
scenarios may initiate action of one IPL.
iii) Independence: An IPL is independent of the other protection layers associated
with the identified danger.
iv) Dependability: It can be counted on to do what it was designed to do. Both
random and systematic failure modes are addressed in the design.
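The Appendix E worksheet, the Appendix H risk targets and the IPL criteria above combine into one calculation. The Python below is an added example, not part of SAEP-250, that fills the worksheet columns (Risk, Risk Target, IPLs, IPLs RR, PFD Required, SIL) from a constructed scenario frequency and constructed IPL data. Layers are credited only where they meet criteria i) to iii); the PFD-to-SIL bands are the IEC 61511 low-demand bands, and treating a required risk reduction below 10 as the smallest SIF (SIL 1) is this example's assumption. Tag names are placeholders.

```python
"""Quantitative SIL assignment worksheet (Appendices E, H and I).

Added example, not text from SAEP-250. It fills the Appendix E worksheet columns
using the Appendix H risk targets and credits only layers that satisfy the
Appendix I IPL criteria. Assumptions: the scenario frequencies and IPL PFDs are
constructed; the PFD-to-SIL bands follow IEC 61511 low-demand mode; a required
risk reduction of 10 or less is shown as SIL 1 (smallest SIF).
"""
from __future__ import annotations
from dataclasses import dataclass

# Appendix H risk target frequencies (yr^-1), keyed by the people consequence description
RISK_TARGET = {
    "employees and third parties multiple fatalities": 1e-6,
    "employee multiple fatalities": 1e-5,
    "employee fatality": 1e-4,
    "employee injury": 1e-3,
}


@dataclass(frozen=True)
class IPL:
    description: str
    pfd: float
    specific: bool      # Appendix I criterion ii: designed for this hazardous event
    independent: bool   # Appendix I criterion iii: independent of the other layers


def creditable(ipl: IPL) -> bool:
    """Appendix I: at least 10x risk reduction (PFD <= 0.1), specific, and independent."""
    return ipl.pfd <= 0.1 and ipl.specific and ipl.independent


def required_sil(pfd_required: float) -> int:
    """SIL band that achieves the required PFD (0 = no SIF, 4 = beyond SIL 3)."""
    if pfd_required >= 1.0:
        return 0        # the credited IPLs already meet the risk target
    if pfd_required >= 1e-2:
        return 1        # also covers RR below 10, which no SIL band covers (assumption)
    if pfd_required >= 1e-3:
        return 2
    if pfd_required >= 1e-4:
        return 3
    return 4            # beyond SIL 3: more IPLs or a process redesign are needed


@dataclass
class WorksheetRow:
    sif: str
    scenario: str
    risk: float           # unmitigated scenario frequency, yr^-1 (the "Risk" column)
    consequence: str      # key into RISK_TARGET
    ipls: list[IPL]

    def evaluate(self) -> dict:
        target = RISK_TARGET[self.consequence]
        credited = [i for i in self.ipls if creditable(i)]
        ipl_rr = 1.0
        for ipl in credited:
            ipl_rr *= 1.0 / ipl.pfd            # layers in series multiply their risk reduction
        mitigated_risk = self.risk / ipl_rr
        pfd_required = min(1.0, target / mitigated_risk)   # what the SIF must still provide
        return {
            "SIF": self.sif,
            "Risk (yr^-1)": self.risk,
            "Risk Target (yr^-1)": target,
            "IPLs": [i.description for i in credited],
            "IPLs not credited": [i.description for i in self.ipls if not creditable(i)],
            "IPLs RR": ipl_rr,
            "PFD Required": pfd_required,
            "Required SIL": required_sil(pfd_required),
        }


def example_worksheet() -> list[dict]:
    """Constructed rows; tag names and figures are placeholders, not procedure data."""
    rows = [
        WorksheetRow(
            "SIF-01 (PSHH-xxx)", "separator overpressure, rupture with multiple fatalities",
            risk=0.05, consequence="employee multiple fatalities",
            ipls=[
                IPL("high pressure alarm with operator response", 0.1, True, True),
                IPL("second BPCS loop on the same logic solver", 0.1, True, False),  # shares the initiator
            ]),
        WorksheetRow(
            "SIF-02 (LSHH-xxx)", "tank overfill, spill inside the fence, employee injury",
            risk=0.01, consequence="employee injury",
            ipls=[IPL("overflow line to the closed drain, sized for maximum inflow", 0.01, True, True)]),
    ]
    return [r.evaluate() for r in rows]


if __name__ == "__main__":
    for row in example_worksheet():
        print(row)
```

In the first row the second BPCS loop is rejected under criterion iii) because it shares the logic solver with the initiating cause; crediting it anyway would drop the requirement from SIL 2 to SIL 1, which is exactly the under-specification the independence criterion exists to prevent. The second row shows the other outcome the worksheet can produce: a creditable non-SIS layer closes the gap on its own and no SIF is required.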
