N-2595
REV. C
ENGLISH
12 / 2010
CONTEC
Comissão de Normalização
Técnica
SC - 10
Instrumentation and
Industrial Automation
Introduction
PETROBRAS Technical Standards are prepared by Working Groups - WG (consisting of specialized
Technical Collaborators from the Company and its Subsidiaries), are commented on by Company
Units and their Subsidiaries, are approved by the Authoring Subcommittees - SCs (consisting of
technicians from the same specialty, representing the various Company Units and their Subsidiaries),
and are ratified by the Executive Nucleus (consisting of representatives of the Company Units and
their Subsidiaries). A PETROBRAS Technical Standard is subject to revision at any time by its
Authoring Subcommittee and shall be reviewed every 5 years to be revalidated, revised or cancelled.
PETROBRAS Technical Standards are prepared in accordance with PETROBRAS Technical
Standard N-1. For complete information about PETROBRAS Technical Standards see PETROBRAS
Technical Standards Catalog.
PROPERTY OF PETROBRAS
-PUBLIC-
Summary
Foreword.................................................................................................................................................. 6
1 Scope................................................................................................................................................... 6
2 Normative References......................................................................................................................... 6
3 Terms and Definitions.......................................................................................................................... 7
4 Symbols and Abbreviations ............................................................................................................... 15
5 Evaluation of SISs Need and Basic Designs Structuring ................................................................ 16
5.1 Hazard Analysis ................................................................................................................... 16
5.2 Protection Layers ................................................................................................................. 17
5.3 Safety Life Cycle .................................................................................................................. 18
5.4 SISs Basic Design Structuring ............................................................................................ 19
6 SISs Basic Design - SIFs Assessments ........................................................................................... 20
6.1 General Considerations ....................................................................................................... 20
6.2 SIFs Assessment Teams Composition ............................................................................... 21
6.3 Preparation for SIFs Assessment ........................................................................................ 22
6.4 Assessment of the Safety Integrity Level required for a SIF................................................ 22
7 SIS Basic Design - Implementation Requirements ........................................................................... 24
7.1 Segregation between SIS and BPCS................................................................................... 24
7.3 Segregation between Redundant Channels of a SIF........................................................... 25
7.4 Power Supply ....................................................................................................................... 25
7.6 Sensors ................................................................................................................................ 26
7.7 Final Elements...................................................................................................................... 27
7.9 Manual Trip Command......................................................................................................... 30
7.11 SIF By-Pass ....................................................................................................................... 31
7.12 Operation Interface ............................................................................................................ 32
7.14 Communication Interface with the BPCS........................................................................... 33
8 SIS Basic Design - Verification of the SIL and the MTTFS required for Each SIF............................ 34
9 SIS Detailing Design.......................................................................................................................... 35
9.1 General Requirements ......................................................................................................... 35
Figures
Table
Table 1 - SIL Scale for Demand Mode .................................................................................................. 22
Table 2 - Criteria for Determination of the Acceptable MTTFS ............................................................. 24
Table A.1 - Description of the Parameters of the Process Industry Risk Graph ................................... 48
Table A.2 - Descriptions of the Parameters Used in Figure A.1 ........................................................... 50
Table A.3 - General Environment Consequences................................................................................. 52
Table A.4 - Material Consequences Classes ........................................................................................ 53
Table B.1 - Tolerable Frequency (FTOL)................................................................................................. 57
Table B.2 - Frequencies of Initiating Causes ........................................................................................ 58
Table B.3 - Ignition Probability Modification factors by Ignition Sources Quantity ................................ 61
Table B.4 - Ignition Probability Modification Factors by Flammable Material Type .............................. 61
Table B.5 - Modification Factors by Presence of People ...................................................................... 61
Table B.6 - Safeguards Usually not Considered IPL............................................................................. 62
Table B.7 - Passive IPL and their Typical PFDavg ................................................................................. 63
Table B.8 - Active IPL and their Typical PFDavg .................................................................................... 64
Foreword
This Standard is the English version (issued in 11/2012) of PETROBRAS N-2595 REV. C 12/2010,
including its Amendment - 07/2012 and Erratum - 01/2011. In case of doubt, the Portuguese version,
which is the valid document for all intents and purposes, shall be used.
1 Scope
1.1 This Standard aims to provide guidelines and establish the minimum conditions required for
design, operation and maintenance of the Safety Instrumented Systems - SIS on PETROBRAS
onshore facilities.
1.2 This Standard contains Technical Requirements and Recommended Practices and establishes
the conditions required for designs starting after the date of its issue.
1.3 Fire and gas detection systems are not considered in this Standard.
1.4 Any function with exclusively manual actuation is not part of the Safety Instrumented Systems.
Examples: isolation and depressurization of inventories.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document applies.
PETROBRAS N-329 - Bateria de Acumuladores;
PETROBRAS N-332 - Retificador para Uso Industrial;
PETROBRAS N-858 - Construção, Montagem e Condicionamento de Instrumentação;
PETROBRAS N-1219 - Cores;
PETROBRAS N-1756 - Projeto e Aplicação de Proteção Contra Fogo em Instalações
Terrestres;
PETROBRAS N-1883 - Apresentação de Projetos de Instrumentação / Automação;
PETROBRAS N-2782 - Técnicas Aplicáveis à Análise de Riscos Industriais;
ABNT NBR 12712 - Projeto de Sistemas de Transmissão e Distribuição de Gás
Combustível;
ISA TR 84.00.02 Part 2:2002 - Safety Instrumented Functions (SIF) - Safety Integrity Level
(SIL) Evaluation Techniques Part 2: Determining the SIL of a SIF via Simplified Equations;
ISA TR 84.00.03 - Guidance for Testing of Process Sector Safety Instrumented Functions
(SIF) Implemented as or Within Safety Instrumented System (SIS);
ISA TR 84.00.04 Part 1 - Guideline for the Implementation of ANSI/ISA-84.00.01-2004
(IEC 61511);
ISA 91.00.01 - Identification of Emergency Shutdown Systems and Controls that are Critical
to Maintaining Safety in Process Industries;
ISA TR 96.05.01 - Partial Stroke Testing of Automated Block Valves;
IEC 61511-1:2003 - Functional Safety - Safety Instrumented Systems for the Process
Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software
Requirements;
IEC 61511-3 - Functional Safety - Safety Instrumented Systems for the Process Industry
Sector - Part 3: Guidance for the Determination of the Required Safety Integrity Levels;
IEC 62337 - Commissioning of Electrical, Instrumentation and Control Systems in the
Process Industry - Specific Phases and Milestones;
IEC 62381 - Automation Systems in the Process Industry - Factory Acceptance Test (FAT),
Site Acceptance Test (SAT) and Site Integration Test (SIT);
NFPA 72 - National Fire Alarm and Signaling Code.
NOTE
For documents referred in this Standard and for which only the Portuguese version is
available, the PETROBRAS department that uses this Standard should be consulted for any
information required for the specific application.
3.1
Layers of Protection Analysis - LOPA
semi-quantitative technique for assessing process risks reduction, achieved by the use of protection
layers.
3.2
Process Hazard Analysis - PHA
systematized and organized effort, using one or more of the techniques listed in
PETROBRAS N-2782 (APR, HAZOP etc.), to identify and evaluate the relevance of potential hazards
associated with the processing or handling of hazardous products, focusing on equipment,
instrumentation, utilities, human actions and external conditions that may affect the process.
3.3
protection layer
resource specifically adopted, designed or developed to reduce the risk associated with one or more
scenarios.
NOTE 1 The adopted resource may be a process engineering technique such as sizing of vessel
containing hazardous product, a piece of mechanical equipment such as a safety valve, a
Safety Instrumented Function or even an administrative procedure such as an emergency
plan for situations of imminent danger.
NOTE 2 A protection layer may be preventive when it aims to reduce the expected frequency of
occurrence of a hazardous event, or it may be mitigating, when it aims to reduce the severity
of a harm associated with the hazardous event.
NOTE 3 A protection layer may be passive (when it does not need to execute an action to fulfill its
function of protection) or active (when it needs to change from a particular state to another in
response to a change in the measurable process property in question). In the second case,
its action may be initiated automatically or by human action.
3.4
Independent Protection Layer - IPL
a protection layer that keeps its preventive or mitigating function autonomously, without taking into
account the initiating cause or any other protection layer action associated with the scenario.
3.5
initiating cause
an equipment failure, an inappropriate human action or an external event that sets off a scenario.
3.6
scenario
event or sequence of events resulting from an initiating cause that culminates in a hazardous
consequence.
3.7
SIS safety life cycle
set of activities involved in the implementation of SIFs, during the time interval that begins in the
conceptual design phase and ends when those SIFs are disabled.
3.8
Enabling Event - EE
action or state that does not cause the scenario, but needs to exist to allow the initiating cause to lead
to the unintended consequence considered.
3.9
consequence
undesired effect of an accidental scenario
NOTE 1 An example of consequence is the loss of containment leading to product release with fire
risk.
NOTE 2 Consequence severity is a qualitative or quantitative measure of the impact of a
consequence to safety of people, environment and company's property. This concept can be
exemplified by the possibility of death due to fire.
3.10
Programmable Electronics - PE
programmable controller designed and developed specifically to act as the SIS's Logic solver.
NOTE
The CP safety denomination replaces the former term PES that was used by Petrobras, in
order to eliminate conflict with IEC 61508-4 and IEC 61511-1, in which the term PES
designates the entire set of devices (sensors + Logic solver + final elements) of SIS.
3.11
harm
impact, achieved consequence or the final outcome of a hazardous event on human beings,
environment and/or property, expressed in terms of fatalities, environmental damages, destruction of
property, production loss, etc.
NOTE 1 Environmental impacts may include expenses on facilities cleaning and environmental
decontamination, fines from supervisory bodies, civil and labor reparation, difficulties in
obtaining new licenses, harm to the company's image etc.
NOTE 2 Property is understood as equipment, facilities, products, and processes.
3.12
fault
abnormal condition that may cause reduction or loss of the ability of a device to perform its function
3.13
demand
hazardous condition or event that requires the action of a SIF
3.14
device
equipment capable of performing a specific function
3.15
final element
a device, part of the SIS, that implements the physical action required to achieve a safe state
NOTE
3.16
Safety Requirements Specification - SRS
documentation containing all the requirements that each SIF shall present when implemented in the
SIS
3.17
safe state
state of a process or equipment whose risk is within the limits established as tolerable
3.18
Hazards and Operability Study - HAZOP
inductive and structured technique to identify any hazard process and potential operational problems,
associating, in a systematic way, a set of keywords to the process variables; for each identified
deviation, its causes, consequences, detection modes, and existing safeguards are listed, and
additional measures are recommended when necessary
3.19
logic solver
a device, part of the SIS, that receives signals from the sensors, processes programmed functions and
sends commands to the final elements
3.20
failure
an event characterized by the cessation of a device's ability to perform its function
NOTE
Any unavailability caused by planned actions, such as preventive maintenance, is excluded from
this concept.
3.21
random hardware failure
failure that occurs on an unpredictable moment as a result of a variety of degradation processes
acting on the internal components of a device
NOTE 1 Due to manufacturing tolerances, such degradation processes have different dynamics on
distinct components, giving a random character to the instant of failure.
NOTE 2 Due to its nature, the random hardware failure can be quantified in a statistic way. For
example: by observing various identical devices, operating under the same conditions, the
respective failure rate can be determined.
3.22
common cause failure
failures of more than one device, component or system as a result of the same direct cause, within a
relatively short period of time, where the failures are not a consequence of one another
NOTE
As examples of common causes one can mention the action of corrosive atmosphere,
electromagnetic interference, mechanical vibration, clogging of stand-pipe taps, loss of
electrical power, loss of pneumatic or hydraulic pressure, fire, explosion, lightning, improper
procedure (of manufacturing, installation, precommissioning, operation, or maintenance),
inadequate training (ditto), design fault or limitation.
3.23
failure on demand
non-actuation of a SIF when it is subjected to an actual demand
3.24
undetected failure
failure that is only noticed when a SIF is either demanded or tested
3.25
dangerous failure, unsafe failure, fail-to-function failure
failure that has potential to prevent a safety function from acting when there is an actual demand
NOTE
A single dangerous failure is often insufficient to prevent a redundant safety function from
acting when required.
3.26
safe failure, spurious trip failure, nuisance trip failure, false trip failure, fail-to-safe failure
failure that presents potential to cause a safety function actuation when it is not required
NOTE
A single failure is usually insufficient to effectively cause a spurious trip in a redundant safety
function.
3.27
systematic failure
failure related in a deterministic way with a certain cause
NOTE 1 Three main types of errors may lead to systematic failures:
design error (wrong or omissive specifications, such as: incorrect equipment sizing,
improper selection of materials);
equipment failure (error in the manufacturing process, improper installation, improper
maintenance or operation procedure);
program error (software programming or change).
NOTE 2 A systematic failure can only be eliminated through appropriate changes on its cause.
Corrective maintenance interventions without the implementation of these modifications do
not eliminate the systematic failure.
NOTE 3 Due to its nature, the causes of systematic failures cannot be easily predicted or quantified
in a statistical way.
3.28
coverage
number that ranges from 0 to 1 (100%) which indicates the percentage of undetected failures that are
discovered when a SIS device is subject to a certain test or diagnostic
3.29
Risk Reduction Factor - RRF
performance measure of a protection layer given by the ratio between the risks without and with the
implementation of this protection layer; it can be expressed mathematically as the inverse of the
considered protection layer's PFDavg: RRF = 1/PFDavg
3.30
Modification Factor - MF
specific condition that may alter the consequence of a scenario
3.31
Initiating Cause Frequency - ICF
expected frequency of occurrence of the cause which may lead to the considered scenario
3.32
Frequency of Consequence - FC
expected frequency of occurrence of the undesired consequence, taking into account the frequency of
the initiating cause, the probability of the enabling event occurring, the average probabilities of failure
on demand of the non-SIF protection layers and the applicable modification factors.
3.33
Scenario risk tolerance criteria - FTOL
risk tolerability criterion given by the frequency above which incidents of a given severity are not
tolerated
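The definitions of RRF, MF, ICF, FC and FTOL above describe one calculation in words; the following added example (not part of N-2595) carries it through numerically: FC is the initiating cause frequency reduced by the enabling event, the credited non-SIF IPLs and the modification factors, and the RRF the SIF must supply is FC/FTOL whenever FC exceeds FTOL. The SIL bands used are the IEC 61511 demand-mode PFDavg bands, assumed here because Table 1 of the standard is not reproduced on this page; all scenario numbers are constructed.

```python
"""Worked LOPA frequency-of-consequence calculation (added example, not from N-2595).

    FC = ICF x P(EE) x prod(PFDavg of non-SIF IPLs) x prod(MF)      (3.32)
    RRF required from the SIF = FC / FTOL   when FC > FTOL          (3.29, 3.33)
    PFDavg required from the SIF = 1 / RRF
"""
from dataclasses import dataclass, field
from typing import List, Optional

# IEC 61511 demand mode bands (assumed here): (SIL, PFDavg lower bound incl., upper bound excl.)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


@dataclass
class Scenario:
    name: str
    icf: float                                    # initiating cause frequency, events/year
    ftol: float                                   # tolerable frequency for this severity, events/year
    p_enabling: float = 1.0                       # probability of the enabling event (1.0 if none)
    ipl_pfdavg: List[float] = field(default_factory=list)        # PFDavg of each credited non-SIF IPL
    modification_factors: List[float] = field(default_factory=list)  # e.g. ignition, occupancy


def frequency_of_consequence(s: Scenario) -> float:
    """FC per 3.32: ICF reduced by the enabling event, the IPLs and the modification factors."""
    fc = s.icf * s.p_enabling
    for pfd in s.ipl_pfdavg:
        fc *= pfd
    for mf in s.modification_factors:
        fc *= mf
    return fc


def required_rrf(s: Scenario) -> float:
    """RRF the SIF must provide so that FC no longer exceeds FTOL; 1.0 means no SIF is needed."""
    fc = frequency_of_consequence(s)
    return fc / s.ftol if fc > s.ftol else 1.0


def sil_for_pfdavg(pfdavg: float) -> Optional[int]:
    """SIL band for a required PFDavg: 0 when no SIL is needed, None when below the SIL 4 band."""
    if pfdavg >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfdavg < hi:
            return sil
    return None


def assess(s: Scenario) -> dict:
    """Full assessment of one scenario: FC, required RRF and PFDavg, resulting SIL."""
    rrf = required_rrf(s)
    pfd = 1.0 / rrf
    return {"name": s.name, "fc": frequency_of_consequence(s), "rrf": rrf,
            "pfdavg": pfd, "sil": sil_for_pfdavg(pfd)}


# Constructed scenarios; the numbers are illustrative, not taken from the standard
SEPARATOR_OVERPRESSURE = Scenario(
    name="separator overpressure, BPCS loop failure",
    icf=0.1,                        # BPCS control loop failure, once in 10 years
    ftol=1e-5,                      # tolerable frequency for a fatality-class consequence
    p_enabling=0.5,                 # vessel near its design pressure half of the time
    ipl_pfdavg=[0.1, 0.01],         # operator response to alarm, relief valve
    modification_factors=[0.1],     # probability of ignition of the release
)

# Same scenario, but the relief valve is not credited as an IPL
SEPARATOR_NO_PSV = Scenario(
    name="separator overpressure, relief valve not credited",
    icf=0.1, ftol=1e-5, p_enabling=0.5, ipl_pfdavg=[0.1], modification_factors=[0.1],
)


if __name__ == "__main__":
    for sc in (SEPARATOR_OVERPRESSURE, SEPARATOR_NO_PSV):
        r = assess(sc)
        print(f"{r['name']}: FC={r['fc']:.2e}/yr RRF={r['rrf']:.0f} "
              f"PFDavg={r['pfdavg']:.2e} SIL={r['sil']}")
```

With the relief valve credited, FC falls below FTOL and no SIF is required; without it, the SIF must supply an RRF of 50 (PFDavg 0.02), which lands in the SIL 1 band.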
3.34
Safety Instrumented Function - SIF
a protection function implemented in a SIS in order to achieve or maintain a safe state of a process or
equipment through a specific automatic action against a certain operational deviation
NOTE
For each SIF one SIL and one MTTFS are associated.
3.35
risk graphs
technique for qualitative assessment of risk reduction that uses graphical representations of the risk
tolerability criterion
3.36
sensor
device or combination of devices that provide information to the Logic solver on the value or state of
process variables or monitored equipment that initiates the SIF action.
NOTE 1 The most common examples are:
a) transmitters, including process connections, sensors and complete wiring;
b) limit switches, including complete wiring;
c) manual trip switches and complete wiring.
NOTE 2 The term sensor as defined in this standard is equivalent to the term "iniciador" defined in
the Portuguese version.
3.37
operator interface
means by which communication is established between the human operator and the SIS. The
operation interface is also known as Human-Machine Interface (HMI)
NOTE
As examples of operator interface one can mention: video monitors, indicator lamps, pushbuttons, sirens and alarm speakers.
3.38
Safety Integrity Level - SIL
discrete indicator of a SIF's performance, in terms of its PFDavg and its RRF, expressed on a scale of
integer numbers from 1 to 4
NOTE
The SIF design shall consider all failures (random hardware and systematic ones) that might
prevent the safe state from being reached. For hardware random failures, the SIL is related
to the quantified SIFs PFDavg. For systematic failures, it is necessary to use specific
approaches such as FMEA, FMECA, fault trees, etc.
3.39
hazard
condition or property inherent to a substance, an activity, a system or a process, with potential to harm
people's physical integrity, the environment or property, or to cause production loss
NOTE
The term includes hazards that are presented in short time intervals (e.g., fire or explosion)
and in long periods of time (e.g., release of toxic products).
3.40
Probability of Failure on Demand - PFD
probability of a protection layer to fail to perform its specific function in response to a demand
3.41
Average Probability of Failure on Demand - PFDavg
reliability indicator of a protection layer given by the average probability, in a given time interval, of
such layer to fail when demanded
NOTE
The time interval considered for calculating the average is usually the interval between
periodic tests (usually equal to the plant or equipment campaign period).
3.42
application software
a specific program for user application; it generally contains logic sequences, permissions, limits and
expressions necessary to meet its functional requirements
3.43
embedded software
a specific program which is part of the programmable electronic system, supplied by the respective
manufacturer, essential for its operation and not accessible for modification by the user; also known
as the system's firmware or software
3.44
utility software
a set of programming tools necessary for the creation, modification and documentation of the
application software; these programming tools are not necessary for the programmable electronic
system's operation
3.45
redundancy
existence of more than one way to perform the same function, usually to increase the reliability and/or
availability of a system
NOTE
3.46
diverse redundancy
resource usually used to reduce the influence of common cause failures by using different
technologies, designs, manufacturing, programming, etc to perform the same function
NOTE
As examples of usual methods for obtaining diverse redundancy one can mention:
a) measurement of different process variables, such as pressure and temperature, in cases
where the correlation between these variables is well established and known;
b) measurement of a single process variable by means of different technologies such as
flow measurement via vortex and coriolis;
c) use of aerial and underground routes with different paths for redundant communication
means;
d) use of different models of controllers in a redundant architecture, programmed with
distinct methods, by technicians with different specializations.
3.47
risk
combination of either the probability or the expected frequency of occurrence of a hazardous event
with the consequence severity of this hazardous event
NOTE 1 The risk can be expressed mathematically as the product of the expected frequency of a
hazardous event's occurrence by the severity of its consequence:
Risk = frequency x severity
NOTE 2 The expected occurrence frequency is usually expressed in terms of number of events per
year;
NOTE 3 The consequences severity is usually expressed in terms of monetary value (production
losses and/or property harm) and/or the number of fatalities.
3.48
process risk
risk inherent to the process or equipment conditions caused by abnormal events (including faults in
the BPCS), without taking into account the protection layers
NOTE 1 In the context of this standard, the process or equipment risk is the specific risk to which a
protection layer provides reduction.
NOTE 2 Process hazards include fire, explosion, toxic release, and exposure to ionizing radiation, but
they do not include hazards not related to the process, normally controlled by other means,
such as hearing protection, gloves, safety goggles, guardrail, or housekeeping and
occupational hazards such as slips, stumbles and falls.
3.49
tolerable risk
risk defined as acceptable in a given context
NOTE
In the context of this standard, the term "acceptable" refers to an agreement between
society, risk analysts and specialized agencies (e.g., HSE) to accept a particular risk in order to
obtain certain benefits, trusting that this risk is being properly controlled and, therefore, that these
benefits compensate for the assumed risk.
3.50
Safety Instrumented System - SIS
instrumented system used to implement one or more safety instrumented functions; a SIS is
composed of a set of sensors, logic solvers and final elements
3.51
Basic Process Control System - BPCS
system that monitors and processes input signals from the process or equipment, and responds by
generating output signals that lead them to operate as desired, through continuous regulatory controls
(PID type), discrete controls (on-off type) and sequential controls
3.52
SIF response time
time interval between the occurrence of a demand and the completion of a SIF actuation; this time
includes the time required by the sensor(s) to detect the demand condition (rise time), the signal
processing time in the Logic solver and the time for actuation of the final element(s)
3.53
SIF delay time
time delay intentionally added to the processing of a SIF's logic, short enough not to compromise the
avoidance of the harm(s) to be prevented in the event of an actual demand, and necessary to avoid
spurious trips caused by normal or expected process oscillations that, although they do not represent
any hazard, may reach the SIF's actuation threshold
3.54
process safety time
time interval between the occurrence of an actual demand and the hazard
NOTE 1 It is recommended that the time required to reach the safe state be less than or equal to half
the process safety time. [Recommended Practice]
NOTE 2 Time required to reach the safe state is usually the sum of the SIFs response time plus the
SIFs delay time.
3.55
failure on demand tolerance
capacity of a SIF to perform its function when demanded, even in the presence of dangerous failure(s)
NOTE
As an example of an architecture that has tolerance to failure on demand, one can mention
the voting type 1 out of 2.
3.56
spurious trip tolerance
SIF's capacity of not causing a spurious trip, even in the presence of safe failure(s)
NOTE 1 As an example of an architecture that has tolerance to spurious trip, the 2 out of 2 voting
architecture can be cited.
NOTE 2 The voting architecture type 2 out of 3 is generally used in SIS devices when it is desired to
achieve simultaneously failure on demand tolerance and spurious trip tolerance.
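The two tolerance definitions (3.55 and 3.56) and the 1oo2, 2oo2 and 2oo3 voting architectures cited in their notes can be checked mechanically. The following added example (not part of N-2595) models a channel as healthy, dangerously failed (it never signals a demand) or safely failed (it signals a demand that does not exist), trips a k-out-of-n SIF when at least k channels vote to trip, and tests every placement of the failed channels, so it covers any k and n rather than only the three cited cases.

```python
"""k-out-of-n (koon) voting: tolerance to failure on demand and to spurious trip.

Added example, not from N-2595. Channel states and the koon rule are the author's
model of the behaviour described in 3.55 and 3.56.
"""
from itertools import combinations
from typing import Sequence, Tuple

HEALTHY, DANGEROUS, SAFE = "healthy", "dangerous", "safe"


def channel_vote(state: str, demand: bool) -> bool:
    """Trip vote of one channel for its failure state, given whether a real demand exists."""
    if state == DANGEROUS:
        return False        # fail-to-function: never sees the demand (3.25)
    if state == SAFE:
        return True         # fail-to-safe: votes trip whatever the process does (3.26)
    return demand           # healthy channel follows the process


def koon_trips(k: int, states: Sequence[str], demand: bool) -> bool:
    """True when at least k of the channels vote to trip."""
    return sum(channel_vote(s, demand) for s in states) >= k


def tolerates_failure_on_demand(k: int, n: int, failed: int) -> bool:
    """3.55: the SIF still trips on a real demand for every placement of `failed` dangerous failures."""
    return all(
        koon_trips(k, [DANGEROUS if i in bad else HEALTHY for i in range(n)], demand=True)
        for bad in combinations(range(n), failed)
    )


def tolerates_spurious_trip(k: int, n: int, failed: int) -> bool:
    """3.56: the SIF does not trip without a demand for every placement of `failed` safe failures."""
    return not any(
        koon_trips(k, [SAFE if i in bad else HEALTHY for i in range(n)], demand=False)
        for bad in combinations(range(n), failed)
    )


def fault_tolerance(k: int, n: int) -> Tuple[int, int]:
    """Largest number of dangerous, resp. safe, channel failures a koon architecture tolerates."""
    dangerous = max(f for f in range(n + 1) if tolerates_failure_on_demand(k, n, f))
    safe = max(f for f in range(n + 1) if tolerates_spurious_trip(k, n, f))
    return dangerous, safe


if __name__ == "__main__":
    for k, n in ((1, 1), (1, 2), (2, 2), (2, 3)):
        d, s = fault_tolerance(k, n)
        print(f"{k}oo{n}: tolerates {d} dangerous failure(s) and {s} safe failure(s)")
```

The search reproduces the notes: 1oo2 tolerates one dangerous failure but no safe failure, 2oo2 the reverse, and 2oo3 one of each.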
3.57
trip
actuation of a SIF's final element(s), either by actual demand, by manual forcing, or by a SIF failure
(spurious trip)
3.58
spurious trip
trip occurred either without an actual demand or an intentional forcing (manual trip) of this condition; it
usually occurs due to a failure of one or more SIF devices.
NOTE
Not every spurious trip may be categorized as a safe failure, since total or partial spurious
actuation of some SIFs may be initiating causes of risk scenarios.
3.59
validation
activity for demonstrating that the installed SIS effectively meets its SIFs specifications, including all
aspects of their functionalities and performance requirements.
3.60
verification
activity for demonstrating for each safety life cycle phase, through analysis and/or tests that, for the
specified conditions, all objectives and requirements established in the functional specification for that
phase are achieved
NOTE
4 Symbols and Abbreviations
APR, CCPS, CP, EE, EEL, FC, FCC, FTOL, HAZOP, HSE, ICF, IEC, IHM, IPL, ISA, LOPA, MF, MTBF,
MTTF, MTTFS, MTTR, NFPA, PCC, PFD, PFDavg, RRF, SDV, SIF, SIL, SIS, SRS, BPCS, FAT, TV, UPS
5.1.2 The boundary conditions imposed by the plant's or equipment's installation location, as well as
by its operational philosophy, shall be defined upon the analysis of the impacts of a hazard scenario.
Typical examples are equipment operated remotely or manually from the field, and plants located in
isolated areas or near inhabited areas.
5.1.3 Once the risk associated to a scenario is determined, it shall be evaluated whether such
scenario is tolerable, taking as base the corporate policies reflected on PETROBRAS
N-2782 criteria, local laws and applicable regulations.
NOTE
The following can also be considered when determining the tolerable risk: international
standards references, information from insurance companies, and agreements between stakeholders,
eventually allowing local community involvement. [Recommended Practice]
5.1.4 Table 2 of PETROBRAS N-2782 makes it clear that a risk that is not tolerable (outside the
T zone - "tolerable") is not the same as a risk that is unacceptable (inside the NT zone - "unacceptable");
however, it shall be emphasized that leaving the final risk in the M zone (moderate) shall be justified
after all resources to reduce it have been used, in adherence to the ALARP concept.
5.2 Protection Layers
5.2.1 If the assessment of a scenario risk indicates that this is greater than the limit established as
tolerable, it shall be aimed to reduce the expected frequency of hazardous events occurrence or the
severity of the harm associated with this scenario by applying measures of risk reduction, often
referred to as safeguards or protection layers (see Figure 1).
5.2.2 As the first protection layer, a scenario associated with equipment operation and/or processes
may have its risk significantly reduced, or even completely eliminated, through specific design
techniques or an inherently safe design. Examples: risks due to excessive pressure can be reduced
through proper specification of the pipeline's wall thickness or by limiting the pump's head to below the
design pressure of the vessel into which it discharges; risks due to high temperatures can be reduced
through appropriate design of heat exchangers; risks due to vibration can be reduced by providing
appropriate support for the pipelines; risks to people may be greatly reduced by installing the
plant in an uninhabited location; fire or explosion risks can be eliminated if it is possible to replace the
product with a non-flammable one.
5.2.3 As a second protection layer, generally there are available automatic control systems for the
process or equipment, being possible to obtain a third layer with continuous supervision of qualified
operation personnel with the support of an adequate alarm system.
5.2.4 The next protection layer, consisting of a SIS, the main object of this standard, usually
accompanies another, formed by relief and prevention systems based on mechanical devices such as
safety valves, rupture discs and check valves.
5.2.5 It is recommended to adopt a SIS only if, after the application of the other risk reduction
measures mentioned, the residual risk remains higher than the tolerable risk (see Figure 2).
[Recommended Practice]
[Figure 2 - risk reduction diagram: residual risk, risk inherent to the process and tolerable risk shown
on an axis of increasing risk]
-PUBLIC-
N-2595
START - Process
Basic Design
REV. C
ENGLISH
SIF Assessment
(SIL and MTTFS)
(section 6)
Risks Analysis
no
Application of other
means for reduction of
the identified risks
Documentation
Key:
Operation,
maintenance and
periodical functional
tests of the SIS
(section 13)
Modification or
deactivation?
modification
deactivation
TAF, Installation,
commissioning and preoperation
(section 10, 11, and 12)
no
Operational and
maintenance
procedures
(section13)
Is SIF confirmed?
yes
Recommended
SIF?
12 / 2010
SIFs Deactivation
-PUBLIC-
N-2595
REV. C
ENGLISH
12 / 2010
5.4.5 It is recommended that signals related to SIS devices but not used in the SIF logic (e.g., status
indication of the final element) not be connected to the SIS Logic solver. [Recommended Practice]
5.4.6 Usually the cause and effect matrix indicates a common cause for safety actions and for actions
not related to safety. It is recommended that a SIF include only the devices strictly necessary to
perform its safety action. [Recommended Practice]
5.4.7 Each SIF shall have a unique alphanumeric identifier (tag) and be documented on a data sheet
that gathers the main SIF specifications, its features, its performance requirements (such as SIL and
MTTFS) and the criteria used in calculations (such as the interval between periodic tests), composing
a set of information equivalent to the "Safety Requirements Specification - SRS" defined in IEC 61511-1.
5.4.7.1 It is recommended to use the model presented in Annex D to document SIF data.
[Recommended Practice]
5.4.8 The SIS basic design documentation shall form a distinct set, separated from other design
documents unrelated to the SIS (see ISA 91.00.01).
5.4.9 The SIS basic design documentation shall follow the SIS throughout its life cycle, shall be filed
in the technical documentation system of the respective industrial facility and shall always be kept up
to date, in a traceable and auditable way, with any revision that may occur in the plant.
5.4.10 The elaboration of the SIS basic design shall consist fundamentally of the execution of the
following tasks:
a)
b)
c)
d)
5.4.11 At the end of the basic design, all SIF data sheets shall be completely filled.
Process;
Instrumentation and Control;
Operational;
SMS (Safety, Environment and Health).
6.2.2 Experts of specific areas, such as static, thermal, dynamic or electrical equipment, shall be
consulted by the assessment team whenever there is a need to confirm premises assumed in the risk
estimates involving such specialties.
6.2.3 The Process representative shall have participated in the specific basic design to be analyzed,
so as to ensure good knowledge of it.
6.2.4 The Instrumentation and Control representative shall have experience and/or specific training
on Safety Instrumented Systems.
6.2.5 The operational representative shall:
a) have experience in the considered process;
b) be linked with the future operation of the considered plant;
6.2.6 The SMS representative shall:
a) be familiar with the SMS policies, guidelines, standards and laws applicable to the
considered plant;
b) be linked with the future operation of the considered plant.
6.2.7 The assessment team's leader shall have experience in risk analysis, shall have training in the
specific method to be used and shall have previously participated in other SIF assessment processes.
6.2.8 The assessment team's leader may also act as the representative of any of the areas listed in
6.2.1, provided that he or she meets the requirements for that role.
6.2.9 The assessment team's leader shall ensure an organized, systematic and consistent application
of the method in use, guiding the other team members accordingly.
6.2.10 It is recommended that, before starting the analysis, the assessment team's leader promote a
harmonization of understanding of the methods to be used by all participants, in order to ensure a
minimum familiarity with the technique and its specific terminology. [Recommended Practice]
6.2.11 At the end of the study, the report shall be prepared and agreed by the entire team. For items
on which it has not been possible to reach consensus, the reasons shall be recorded.
Required SIL versus PFDavg (low demand mode):
SIL 1: 10^-2 <= PFDavg < 10^-1
SIL 2: 10^-3 <= PFDavg < 10^-2
SIL 3: 10^-4 <= PFDavg < 10^-3
SIL 4: 10^-5 <= PFDavg < 10^-4
For SIFs operating in continuous mode or in high demand mode (more than one demand per year, or
two or more demands in each interval between tests), the SIL is correlated with a frequency of
dangerous failures per hour. For example, SIL 1 is equivalent to a frequency between 10^-6 and
10^-5 per hour (see Table 4 of IEC 61511-1:2003).
6.4.2 The assessment of the required SIL for a SIF shall consider the consequences regarding:
a) personal safety (S);
b) environment (E);
c) company property (L).
6.4.3 The required SIL for the SIF shall be the highest among those determined for each of these
three aspects.
6.4.4 If a single SIF is a safeguard for various scenarios, the required SIL shall be the highest among
those obtained for each scenario.
6.4.5 In this standard two distinct assessment methods of the required SIL for a SIF are presented,
namely:
a) Risk Graphs (Annex A): qualitative method, with simpler and more immediate application
and that, therefore, usually leads to more conservative results, with higher SILs and a
larger number of SIFs;
b) LOPA (Annex B): semi-quantitative method that takes into account risk reductions by
other protection layers different from the SIS, allowing more consistent assessments of
the scenarios and producing a more complete documentation.
6.4.6 When choosing the most appropriate assessment method, the following shall be taken into
account: the complexity of the process, the nature and severity of the risks, the availability of
information about the risk scenarios, and the qualification and experience of the people available for
the assessment work.
6.4.7 The application of the LOPA method is recommended. [Recommended Practice]
6.4.8 Once the required safety integrity level is determined, this SIL shall be recorded in the
respective SIF Data Sheet.
6.4.9 If a SIF assessment's result indicates a required SIL greater than 3, other means of risk
reduction shall be applied so that the SIF's required safety integrity level is below SIL 4. Guidance
and precautions to be taken into account in order to safely reduce the required SIL can be found in
ISA 84.00.04 Part 1 Annex J.
6.4.10 If a SIF assessment's result indicates that no SIL is required, the provisions of 5.4.4 shall be
observed.
6.5 Assessment of the Acceptable Spurious Trip Frequency for a SIF
6.5.1 In order not to jeopardize the availability of the plant or equipment protected by the SIF, a
minimum value, considered acceptable for the application, shall be stipulated for the SIF Mean Time
to Fail Safe (MTTFS), related to spurious trips.
6.5.2 The industrial facility shall have a criterion for determining the acceptable MTTFS value. Two
possible alternatives are presented in 6.5.2.1 and 6.5.2.2.
6.5.2.1 Unavailability
The unavailability time due to SIS spurious trips shall be negligible (less than 1/10) in relation to the
total unavailability time (shutdown and unscheduled load reductions) of the plant over a given period
of time. Example: in a process unit in which 100 days of unavailability are historically observed each 5
years campaign, the SIS as a whole could not be responsible for more than 10 days of shutdown at
each campaign, or 2 days a year. Assuming that this SIS has 20 SIFs whose spurious trips result, on
average, in 12 h of unit shutdown by trip, we would have a limit of 1 spurious trip for every 5 years per
SIF, or a 5-year MTTFS for each SIF.
6.5.2.2 Spurious Trip Cost
The cost of a spurious trip shall take into account, besides the production loss (lost profit), the costs
associated with other possible consequences of the unexpected shutdown and the subsequent plant
startup, such as: damage to equipment (refractory breakdown, coking of tubes, etc.), contractual
penalties due to production interruption, environmental harm (excessive relief to flare, noise from
safety valves opening), harm to the company's image, etc.
6.5.3 It shall be taken into account that a SIF action might originate other protection actions. For
example, low gas flow causes trip on the compressor, which in turn causes trip on the load pump.
6.5.4 Once the required MTTFS is determined, it shall be registered on the Data Sheet of the
respective SIF.
6.5.5 If personal and environmental risks are both negligible, so that the SIL is determined only by the
risk associated with the company's property aspect, it is recommended to carry out a cost-benefit
analysis to determine whether or not it is worthwhile to implement the SIF. [Recommended Practice]
process taps;
impulse lines;
sensors;
signal wirings;
junction boxes;
multicables;
terminal blocks;
control and marshalling panels;
fuses and circuit breakers;
Logic solver;
final elements.
It is permitted to share process taps or BPCS instrument nozzles with redundant SIS
sensors.
7.1.2 Sharing between the SIS and the BPCS is admitted for the following components:
a)
b)
c)
d)
7.1.3 The use of control valves as SIS final elements is admitted only in cases where segregation is
impractical. For example: spent catalyst and regenerated catalyst valves of FCC units.
7.1.4 In case it is necessary to use more than two pairs of taps on the same orifice plate, it is
recommended that the third pair of taps be pipe taps. [Recommended Practice]
process taps;
impulse lines;
signal wirings;
junction boxes;
multicables;
terminal blocks;
fuses and circuit breakers;
I/O modules.
7.3.2 In the case of redundant temperature measurement, the use of a single thermowell for more
than one sensor is admitted.
7.4.3 The requirements established in PETROBRAS N-329 for design of accumulators batteries and
PETROBRAS N-332 for charges design shall be observed.
7.4.4 The power supply modules of the Logic solver, as well as the power supplies for the sensors
and final elements shall be redundant.
7.4.5 It is recommended for the Logic Solver power modules and the power supplies of the sensors
and final elements to have independent electrical power inputs, each one being supplied by a
separate PCC. [Recommended Practice]
7.5 Communication Between Field Devices and Logic solver
7.5.1 It is not allowed to use digital communication protocols for transmitting process signals in safety
functions.
7.5.2 The use of HART digital communication protocol is allowed only for diagnostic purposes, and
the remote configuration functionality shall be inhibited.
7.5.3 It is recommended not to use marshalling panels, intrinsic safety barriers, isolators, signal
converters, or other elements between the field devices and the Logic solver. [Recommended
Practice]
NOTE
In the case of electric machines (motors) activation circuits, the interposing relay is
considered part of the final element.
7.5.4 If the application of intrinsic safety barriers and/or signal isolators is necessary, such elements
shall be:
a) installed in the same panel as the Logic solver, and not distributed in other
locations/panels;
b) supplied by the power supplies located in the Logic solver's panel.
7.6 Sensors
7.6.1 Sensors shall be implemented by transmitters operating in analog mode at the range of 4 mA up
to 20 mA, powered directly by the respective SISs Logic solver panel.
7.6.2 In situations where the use of transmitters as sensors is not technically feasible (e.g., position
indicator switches), the respective contacts used to activate the SIF shall be kept closed and
energized under normal operation condition of the plant or equipment.
7.6.3 In order to minimize the occurrence of spurious trips, it is recommended that the transmitters'
internal diagnostics be configured so that, in case of failure, the output signal is driven to the
following values: [Recommended Practice]
a) below 3.6 mA (under-range) for cases where the trip actuates on an increase of the
transmitter output signal;
b) above 21 mA (over-range) for cases where the trip actuates on a decrease of the
transmitter output signal.
NOTE
7.6.4 It is recommended that the execution of functions such as square root extraction, damping
adjustment and timing be performed on the Logic solver application program and not on the sensors.
[Recommended Practice]
7.6.5 It is recommended that SIS sensors and sensors used in the BPCS for measuring the same
variables have the same range and compatible uncertainties, in order to permit their direct
comparison, allowing the implementation of the BPCSs deviation alarm. [Recommended Practice]
7.6.6 The sensors shall be painted in safety orange in accordance with PETROBRAS N-1219.
Partial painting of the sensor is acceptable. Example: painting only the transmitter covers.
7.6.7 For SIFs sensors evaluated as SIL 3 it is recommended the use of diverse redundancy.
[Recommended Practice]
The impacts of the shutdown of the remaining loads affected by the BF action shall be
evaluated.
7.7.8 It is recommended that the interposing relays be installed in the terminal box that interfaces
with the electrical equipment. [Recommended Practice]
7.7.9 For solenoid valves commanding pneumatic actuators, the following items shall be specified:
a) normal operating condition: energized coil;
b) minimum operating air pressure;
c) flow capacity adequate to the required operating time;
d) protection of the air exhaust ports against clogging by dirt, insects and frost.
7.7.10 It is recommended that solenoid valves with mechanical manual reset not be used.
[Recommended Practice]
7.7.11 In case the SIF Data Sheet indicates the need to perform valve partial stroke tests
(see ISA TR 96.05.01), these shall be implemented by devices specially designed for this application
and holding a SIL compliance certification in accordance with IEC 61508-1. The certificate shall be
submitted for Petrobras approval. Certificates issued by TÜV are pre-approved.
7.7.12 Final SIS elements shall be painted in safety orange color, in accordance to PETROBRAS
N-1219. Partial painting is acceptable, e.g., paint only over solenoid valves covers and valve actuator
casings.
7.7.13 For final elements of a SIF evaluated as SIL 3, the use of a diverse redundancy is
recommended. [Recommended Practice]
7.8.7 All safety CP modules (input and output modules, power supplies and processors) involved in
the logic solving of SIFs shall:
a) not lead to a spurious trip on a single failure;
b) allow maintenance interventions without having to power down or interrupt the logic
execution ("hot swapping").
7.8.8 It is recommended that the Logic solver have resources capable of detecting a signal indicating
that the sensor is outside its normal operating range, and of assigning a failure status (out of
specification) to the sensor when its analog output is below 3.6 mA or above 21 mA. [Recommended Practice]
7.8.9 The Logic solver and its auxiliary equipment shall be installed on a panel exclusively for this
purpose. This set shall be compatible with the specific environmental and electric conditions of the
installation site.
7.8.10 The Logic solver panel and the SIS junction boxes shall have differentiated identification from
the others. Partial paintings of the panel and boxes in safety orange color and "SIS" inscription on the
panels nameplate are suggested.
7.8.11 In case of interaction between distinct logic solvers, their actions shall be coordinated to
ensure the conduction of the process as a whole to a safe state.
7.8.12 The execution of a SIF through a digital communication link between distinct safety CPs is
conditional upon certification of the safety integrity level achieved by the whole set, including the
respective communication link, according to IEC 61508 Parts 1, 2 and 3. The certificate shall be
submitted for Petrobras approval. Certificates issued by TÜV are pre-approved.
7.8.13 The application program shall:
a) be developed in accordance with the logic diagram of the SIS detailed design;
NOTE 1 It is recommended to use the Function Block Diagram programming language (see IEC 61131-3).
[Recommended Practice]
NOTE 2 It is recommended not to use Structured Text or Ladder Diagram programming languages.
[Recommended Practice]
b) be developed observing the restrictions on the use of the programming tool (utility
program) that are compatible with the required integrity level, as indicated in the safety
manual of the selected CP;
c) have a scan time less than half the shortest response time required by the SIFs running
on the safety CP;
d) provide information to the BPCS according to 7.12;
e) CANCELED - AMENDMENT 07/2012.
NOTE
7.8.14 In order to minimize the occurrence of spurious trips, it is recommended that sensors identified
as being in a failure state be bypassed automatically by the application program, respecting the
limitations imposed by 7.11.3. [Recommended Practice]
NOTE 1 The duration of this automatic bypass shall be defined at the detailed design phase and
cannot exceed 8 hours. During this period, the unit's operating team shall decide whether or
not the maintenance bypass must be activated for the considered sensor.
NOTE 2 The total duration of the bypass (automatic + manual) shall comply with the limit established
in the specific procedure for the considered SIF.
NOTE 3 If the automatic bypass timer expires but the maintenance bypass has not been manually
activated according to 7.11.3.5, the application program shall assign trip status to the
sensor, with the consequences programmed in the SIF logic then following.
7.8.15 It is recommended that the application program treat the case of SIFs with redundant sensors
so as to avoid spurious trips caused by a false diagnosis of simultaneous failure of all sensors due to
an excursion of the process variable outside the normal operating range in the direction opposite to
the trip. [Recommended Practice]
EXAMPLE
Reevaluate the operating range and/or consider the possibility of extending the under/over-range
limits beyond those established in 7.6.3.
NOTE
Any implementation of specific logic to avoid this form of spurious trip shall be preceded by a careful
evaluation of the possibilities of common cause failure of the sensors.
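As an added illustration (not part of N-2595 and not Petrobras code), the following Python model shows how a Logic solver application program can apply 7.6.3, 7.8.8, 7.8.14 and 7.8.15 together for a 2oo3 trip-on-increase SIF: currents outside 3.6 mA to 21 mA are treated as a diagnosed fault, a faulted transmitter is bypassed automatically for at most 8 h and then given trip status, voting degrades as channels drop out, and a simultaneous fault on all channels produces the spurious trip that 7.8.15 warns about, which disappears when the under-range limit is extended. The tags, ranges, mA readings, the degraded-voting sequence (2oo3, 1oo2, 1oo1) and the rule that the last healthy channel is never auto-bypassed are assumptions made for this example.

```python
"""Added example, not part of N-2595: a model of the transmitter-signal handling
that 7.6.3, 7.8.8, 7.8.14 and 7.8.15 ask of the Logic solver application program,
for a 2oo3 trip-on-increase SIF.  The 3.6 mA / 21 mA limits and the 8 h automatic
bypass limit come from the standard; the rule that the last healthy channel is never
auto-bypassed, the degraded voting (2oo3 -> 1oo2 -> 1oo1), the tags, ranges and mA
readings are assumptions constructed for this example."""
from dataclasses import dataclass

FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0   # 7.6.3 / 7.8.8 diagnostic limits
AUTO_BYPASS_LIMIT_H = 8.0                 # 7.8.14 NOTE 1


def classify(ma, fault_low=FAULT_LOW_MA, fault_high=FAULT_HIGH_MA):
    """'FAULT' when the transmitter drives its output outside the diagnostic limits."""
    return "FAULT" if (ma < fault_low or ma > fault_high) else "VALID"


def ma_to_eu(ma, eu_lo, eu_hi):
    """Linear 4 mA to 20 mA scaling; sub-range currents map below eu_lo."""
    return eu_lo + (ma - 4.0) / 16.0 * (eu_hi - eu_lo)


@dataclass
class Channel:
    tag: str
    auto_bypass_h: float = 0.0    # accumulated automatic-bypass time (7.8.14)
    maint_bypass: bool = False    # maintenance bypass set by operations (7.11.3)


class HighTripSIF2oo3:
    """Three transmitters voted 2oo3; trip when the value rises to the setpoint."""

    def __init__(self, tag, channels, setpoint, eu_lo, eu_hi, fault_low=FAULT_LOW_MA):
        self.tag, self.channels = tag, channels
        self.setpoint, self.eu_lo, self.eu_hi = setpoint, eu_lo, eu_hi
        self.fault_low = fault_low    # 7.8.15 EXAMPLE: may be extended after CCF review

    def scan(self, ma_values, dt_h):
        """One application-program scan; dt_h is the time since the previous scan."""
        states = [classify(ma, self.fault_low) for ma in ma_values]
        healthy = sum(s == "VALID" for s in states)
        votes, status = [], {}
        for ch, ma, state in zip(self.channels, ma_values, states):
            if ch.maint_bypass:
                status[ch.tag] = "MAINT_BYPASS"          # excluded from the vote
                continue
            if state == "FAULT":
                ch.auto_bypass_h += dt_h
                # 7.8.14: bypass automatically, within the 8 h limit and only while
                # at least one other channel is still healthy (assumed restriction)
                if healthy >= 1 and ch.auto_bypass_h <= AUTO_BYPASS_LIMIT_H:
                    status[ch.tag] = "AUTO_BYPASS"
                    continue
                status[ch.tag] = "FAULT_TRIP"            # 7.8.14 NOTE 3: trip status
                votes.append(True)
                continue
            ch.auto_bypass_h = 0.0                       # healthy again: timer cleared
            tripping = ma_to_eu(ma, self.eu_lo, self.eu_hi) >= self.setpoint
            votes.append(tripping)
            status[ch.tag] = "TRIP" if tripping else "OK"
        # voting degrades as channels are bypassed
        if len(votes) == 3:
            mode, trip = "2oo3", sum(votes) >= 2
        elif len(votes) == 2:
            mode, trip = "1oo2", any(votes)
        elif len(votes) == 1:
            mode, trip = "1oo1", votes[0]
        else:
            mode, trip = "no-valid-channel", True        # fail-safe (assumed)
        return {"trip": trip, "mode": mode, "all_faulted": healthy == 0, "status": status}


def make_sif(fault_low=FAULT_LOW_MA):
    """Constructed SIF: three pressure transmitters 0-100 bar, trip at 80 bar."""
    chans = [Channel("PT-1001A"), Channel("PT-1001B"), Channel("PT-1001C")]
    return HighTripSIF2oo3("SIF-1001", chans, 80.0, 0.0, 100.0, fault_low)


def run_scenarios():
    """Scan results for the cases a practitioner would check (1 h per scan)."""
    out = {}
    s = make_sif()
    out["normal"] = s.scan([12.0, 12.1, 11.9], 1.0)           # about 50 bar: no trip
    out["one_high"] = s.scan([17.6, 12.0, 12.0], 1.0)         # 85 bar on one channel
    out["two_high"] = s.scan([17.6, 18.0, 12.0], 1.0)         # 2oo3 satisfied
    s = make_sif()
    for _ in range(8):                                        # fault for 8 h: bypassed
        out["fault_8h"] = s.scan([2.0, 12.0, 12.0], 1.0)
    out["fault_9h"] = s.scan([2.0, 12.0, 12.0], 1.0)          # timer expired: trip vote
    out["fault_plus_high"] = s.scan([2.0, 17.6, 12.0], 1.0)   # trip vote + one high
    out["all_low_3p6"] = make_sif().scan([3.5] * 3, 1.0)      # 7.8.15: spurious trip
    out["all_low_3p0"] = make_sif(3.0).scan([3.5] * 3, 1.0)   # extended limit: no trip
    return out
```

The `all_low_3p6` and `all_low_3p0` cases run the same 3.5 mA readings through the default limit and through an extended 3.0 mA limit; whether such an extension is acceptable is exactly the common-cause question the NOTE to 7.8.15 requires to be answered first.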
Manual activation is an option, foreseen in the process design, for the operator to actuate the final
elements of a SIF; it is not part of the automatic protection function and therefore shall not be
considered in the SIF performance calculations (SIL or MTTFS).
7.9.2 It is recommended that manual trip commands be implemented through electromechanical pull
buttons, acting through two normally closed contacts connected in series, installed in a place of easy
access for the operating team and provided with protection against inadvertent activation.
[Recommended Practice]
7.9.3 The signals of manual trip command shall be executed by the SIS Logic solver.
7.9.4 Manual trip commands from the BPCS operation interface shall be implemented "hardwired"
from the BPCS controller to the Logic solver.
7.10.4 The manual reset command shall only be implemented through a physical pushbutton located
in the field when required in the SIF Data Sheet.
7.10.5 The SIF reset signal shall be a short-duration pulse.
b) alarm acknowledgement;
c) bypass for operational startup;
d) bypass for maintenance;
e) SIF reset.
7.12.3 It is recommended that every failure identified automatically in some SIS device, either by a
specific diagnostic function, by deviation in the monitored variable value, or by any other method,
generates an alarm in the BPCS operation interface. [Recommended Practice]
NOTE
Deviation in the monitored variable value means a difference greater than twice the total
probable error between the values of SIS analog sensors and the values of control system
sensors for the same process variable.
7.12.4 It is recommended to implement synchronization between the internal clocks of the BPCS and
the SIS Logic solver, in order to allow sequence-of-events analysis. [Recommended Practice]
7.12.5 A maximum delay of up to 3 seconds is acceptable between the occurrence of a trip action
activated by a SIF and its indication on the BPCS operation interface.
7.12.6 Whenever there is sufficient time for a corrective action by the operator there shall be a pre-trip
alarm.
7.12.7 It is recommended that the SIS alarms have visual and sound identification differentiated from
the other BPCS alarms. [Recommended Practice]
7.12.8 Visual identification for the first event of a trip sequence shall be prominently displayed in the
operation interface.
7.13 Interface for Maintenance and Engineering
7.13.1 The maintenance and engineering interface shall be implemented on an industrial PC and shall
have the following functions:
a) safety CP configuration and storage of its configuration;
b) diagnostics giving all details of failures detected in the Logic solver;
c) auditable history storage of actions/interventions on the SIS, with TAG, date, time and
personal identification, so that occurrences can be analyzed later.
7.13.2 Access to the maintenance and engineering interface shall be password-protected.
7.13.3 For the various safety CPs of an industrial site there shall be at least one
engineering/maintenance workstation interconnected via network to the safety CPs.
7.13.4 It is recommended to have a local communication port on each safety CP for use in case of
network unavailability. [Recommended Practice]
7.14.2 It is recommended the use of redundant modules and cables of communication between the
Logic solver and the BPCS. [Recommended Practice]
7.14.3 It is recommended that the communication protocol used block commands to the Logic solver
from the BPCS other than those previously defined in 7.12.2. [Recommended Practice]
7.14.4 In the event of a failure, the communication interface shall:
a) not compromise the execution of the SIFs;
b) not cause a spurious trip;
c) announce the failure on the operation interface.
8 SIS Basic Design - Verification of the SIL and the MTTFS required for Each SIF
8.1 The verification phase is intended to give greater consistency to the basic design, avoiding
significant changes during the detailed design.
8.2 A simple voting architecture (1 out of 1) and general-purpose components shall be considered
initially; the architecture complexity shall then be increased gradually and special components
adopted, in that order, until the SIL and MTTFS values required for the SIF are met, through the
application of reliability engineering calculations (for example, according to the methodology
presented in ISA TR 84.00.02 Part 2:2002).
NOTE
An indication by the calculations that fault tolerance is not required does not invalidate the
application of other redundancy criteria, such as operational flexibility, including the execution of
SIF tests during plant or equipment operation.
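As an added worked example (not part of N-2595), the Python below carries the procedure of 8.2 through numerically: it derives the per-SIF MTTFS budget of the 6.5.2.1 example (100 days of unavailability per 5-year campaign, 20 SIFs, 12 h per trip), grades a PFDavg against the bands of 6.4.1, and steps from 1oo1 through 1oo2 and 2oo3 on sensors and final elements until both the required SIL and the required MTTFS are met. The PFDavg and spurious-trip-rate expressions are the simplified low-demand approximations of the kind found in IEC 61508-6 and ISA TR 84.00.02; the failure rates, Logic solver figures, common-cause factor, repair time, tags and targets are constructed assumptions, not data from the standard or from the handbooks cited in 8.3.

```python
"""Added worked example, not part of N-2595: the architecture stepping of 8.2
(start at 1oo1 with general-purpose components, add redundancy only until the
required SIL and MTTFS are both met), with the MTTFS budget of 6.5.2.1 and the
low-demand PFDavg bands of 6.4.1.  PFDavg and spurious-trip-rate expressions are
the usual simplified low-demand approximations (IEC 61508-6 / ISA TR 84.00.02
style: constant rates, common-cause factor beta); every failure rate, tag and
target below is constructed for illustration, not taken from the standard."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# 6.4.1, low demand: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
# 8.2 order: simplest first, adding channels one subsystem at a time (assumed order)
ARCHITECTURE_ORDER = [("1oo1", "1oo1"), ("1oo2", "1oo1"), ("1oo1", "1oo2"),
                      ("1oo2", "1oo2"), ("2oo3", "1oo1"), ("1oo1", "2oo3"),
                      ("2oo3", "1oo2"), ("1oo2", "2oo3"), ("2oo3", "2oo3")]


def sil_from_pfd(pfd_avg):
    """SIL achieved by a PFDavg per 6.4.1 (0 = no SIL; below the SIL 4 band -> 4)."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 4


def mttfs_budget_years(unavail_days_per_campaign, campaign_years, n_sifs,
                       hours_per_trip, sis_share=0.1):
    """6.5.2.1: SIS spurious trips may take at most `sis_share` of the historical
    unavailability; the budget is split evenly over the SIFs of the SIS."""
    sis_hours = unavail_days_per_campaign * 24.0 * sis_share
    trips_per_sif_per_year = sis_hours / hours_per_trip / n_sifs / campaign_years
    return 1.0 / trips_per_sif_per_year


@dataclass
class Element:
    tag: str
    lambda_du: float   # dangerous undetected failure rate, per hour (constructed)
    lambda_s: float    # safe (spurious) failure rate, per hour (constructed)


def subsystem(elem, voting, ti_years, beta=0.02, mttr_h=8.0):
    """(PFDavg, spurious trip rate per hour) of one voted subsystem; ti = proof test interval."""
    ti = ti_years * HOURS_PER_YEAR
    ldu, ls = elem.lambda_du, elem.lambda_s
    if voting == "1oo1":
        return ldu * ti / 2.0, ls
    if voting == "1oo2":   # either channel trips: low PFD, doubled spurious rate
        return ((1 - beta) * ldu * ti) ** 2 / 3.0 + beta * ldu * ti / 2.0, 2.0 * ls
    if voting == "2oo3":   # a single safe failure does not trip (cf. 7.8.7 a)
        return ((1 - beta) * ldu * ti) ** 2 + beta * ldu * ti / 2.0, 6.0 * ls ** 2 * mttr_h
    raise ValueError(voting)


def sif_performance(sensor, final, sensor_vote, final_vote, ti_years,
                    ls_pfd=1e-4, ls_str=5e-8):
    """Total PFDavg and MTTFS (years) of sensors + Logic solver + final elements.
    The Logic solver contribution is a fixed, constructed certificate-style figure."""
    p_s, r_s = subsystem(sensor, sensor_vote, ti_years)
    p_f, r_f = subsystem(final, final_vote, ti_years)
    pfd = p_s + ls_pfd + p_f
    mttfs_years = 1.0 / ((r_s + ls_str + r_f) * HOURS_PER_YEAR)
    return pfd, mttfs_years


def select_architecture(sensor, final, ti_years, required_sil, required_mttfs_years):
    """First architecture in 8.2 order meeting both the SIL and the MTTFS, or None."""
    for sv, fv in ARCHITECTURE_ORDER:
        pfd, mttfs = sif_performance(sensor, final, sv, fv, ti_years)
        if sil_from_pfd(pfd) >= required_sil and mttfs >= required_mttfs_years:
            return {"sensors": sv, "final": fv, "pfd_avg": pfd,
                    "mttfs_years": mttfs, "sil": sil_from_pfd(pfd)}
    return None


# Constructed devices: a pressure transmitter and a shutdown valve, proof tested yearly.
PT = Element("PT-1001", lambda_du=2e-7, lambda_s=5e-7)
XV = Element("XV-1001", lambda_du=5e-7, lambda_s=3e-7)

if __name__ == "__main__":
    budget = mttfs_budget_years(100, 5, 20, 12)        # the 6.5.2.1 worked case
    print(f"MTTFS budget per SIF: {budget:.1f} years")
    print(select_architecture(PT, XV, 1.0, 3, budget))
    print(select_architecture(PT, XV, 1.0, 3, 200.0))
```

Running the module prints the 5-year budget from 6.5.2.1 and, for a SIL 3 target, selects 1oo2 sensors with 1oo2 final elements; raising the MTTFS target to 200 years pushes the selection to 2oo3 on both subsystems, which is the trade-off between PFDavg and spurious trips that 8.2 and 6.5 ask to be balanced rather than driven one-sidedly.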
8.3 The reliability calculation of each SIF shall be registered in a specific calculation sheet, containing
the following information:
a)
b)
c)
d)
e)
f)
g)
h)
i)
j)
k)
NOTE 1 The failure rates of devices to be used shall be obtained from databases established by the
Operational Unit.
EXAMPLE
EXIDA - Safety Equipment Reliability Handbook;
SINTEF - Reliability Data for Control and Safety Systems;
9.2 Documentation
9.2.1 The documents listed below shall be prepared during the SIS detailing design phase and
comply with PETROBRAS N-1883, forming a distinct and separate set from other detailing design
documents (see ISA S.91.00.01):
a) SIFs list and instruments list of the SIS (see Note 1);
b) SIS instruments data sheet;
c) SIS setpoint list;
d) SIFs SIL and MTTFS Verification Calculation Sheets (Note 2);
e) SIS logic diagram;
f) SIS loop diagram;
g) SIS interconnection diagram;
h) SIS communication list;
i) inputs and outputs list of SIS Logic solver;
j) SIS electrical loads list (see Note 3);
k) SIS Logic solver technical specification;
l) SIS panels technical specification;
m) technical manual (manufacturer's) of the SIS Logic solver (see Note 4);
n) technical manual (manufacturer's) of the SIS sensors (see Note 4);
o) technical manuals (manufacturer's) of the SIS final elements (see Note 4);
p) SIS Logic solver application program (listing);
q) SIS panels drawings;
r) SIS TAF plan (see Note 5);
s) SIS operation manual (see Note 6);
t) SIS maintenance plan (see Note 7).
NOTE 1 SIFs and SIS instruments list is a document divided into two parts: the first part shall
correlate in numerical order each SIS SIF (tag, description and required SIL) with each
instrument tag (sensors and final elements) that compose it. The second part shall correlate
in alphabetical order each SIS instrument (tag, service, flowchart or source drawing and data
sheet) with SIFs tags of which they are part of.
NOTE 2 The SIF SIL and MTTFS Verification Calculation Sheets of the detailed design shall
contain the same calculations performed during the basic design, but considering the voting
architectures and the specific models of sensors, Logic solver and final elements actually
adopted, and include the calculations of SIF response and delay time, if necessary.
NOTE 3 The SIS electrical loads list will be needed if the SIS power supply is exclusive.
NOTE 4 The technical manuals shall include, where applicable, the relevant certificates and
reports of compatibility with the safety integrity level according to IEC 61508-1.
NOTE 5 SIS TAF Plan content is defined on 10.2 of this Standard.
NOTE 6 SIS operation manual content is defined on 13.1 of this Standard.
NOTE 7 SIS maintenance plan content is defined on 13.2 of this Standard.
9.2.2 SIF data sheets shall be reviewed in accordance with the consolidated information of the
documents mentioned in a), b), c) and d) in 9.2.1.
9.2.3 After completing the design phase, all SIS documents, including SIF data sheets, manuals,
plans and reports shall be grouped to compose the Safety Instrumented Systems Manual.
10.1.3 The SIS FAT shall be exhaustive, covering all SIFs and all possible logic combinations of each SIF.
a) visual inspection;
b) electrical tests: isolation, continuity;
c) functional tests: verification of the logic itself;
d) memory map verification and compliance with the design;
e) performance tests: scan time measurement, etc.;
f) environmental compatibility tests: electromagnetic compatibility, operation at a room
temperature higher than specified, etc.;
g) failure tolerance tests: operation under degraded mode;
h) interface tests:
reading and writing of all channels, analog and digital ones, input/output ones, as well
as all diagnostic levels; example: 2 mA on signal of 4 mA to 20 mA; simulation of
cable break into monitored digital input signal;
voltage variation of electric power;
10.3.5 The records of the performed tests shall be grouped in a document entitled FAT Report, which
shall be submitted for PETROBRAS review and release.
10.3.6 In case a test execution is not successful, the corresponding event shall be recorded in the
report and analyzed, and the foreseen corrective actions shall be applied.
10.3.7 During FAT execution no changes shall be made to the application program that modify the
functionality or integrity of the SIFs. Any modification shall be made in accordance with 13.4 of this
Standard.
10.3.8 For a better analysis of the functionality of the implemented logic, it is recommended to include
in the FAT monitoring and witnessing team the operating personnel of the plant or equipment for which
the Logic solver will be installed. [Recommended Practice]
10.4 Preservation
10.4.1 The aim of this phase is to provide information for maintaining the physical integrity of the
Logic solver during the periods of transportation and storage, prior to the installation phase.
10.4.2 A document entitled Preservation Plan shall be prepared, including the following items:
a) description of the packaging for transport, including handling recommendations;
b) extreme conditions to which the equipment may be subjected, such as acceleration,
temperature, humidity, pressure, etc.;
NOTE
If the device's sensitivity to accelerations is a critical factor, the use of shock detectors for
transport shall be evaluated.
c) description of the procedures for receiving and inspection at the erection site;
d) description of the procedures for preservation in the pre- and post-installation phases.
11.2 Precommissioning
11.2.1 The precommissioning phase aims to ensure that all SIS devices are individually operating, so
as to enable completion of the pre-operation phase (see IEC 62337).
11.2.2 A document entitled Precommissioning Plan shall be prepared, containing:
a)
b)
c)
d)
a) visual inspection;
b) verification of connections and electrical grounding resistance;
c) verification of electric, pneumatic and hydraulic supply;
d) parameterization and calibration of the sensors and final elements;
e) verification of the electrical interconnection between the sensors and final elements and
the Logic solver panel, including continuity and isolation;
f) verification of all block and drain valves in the normal operating position;
g) verification that all SIS devices are energized and with internal diagnostics indicating
good operating status;
h) verification of the correct transmission and reception of information from the operation
interface (HMI);
i) measuring of the actuation time of final elements;
j) confirmation of immunity to electromagnetic interference.
11.2.4 SIS devices shall be conditioned in accordance with the Precommissioning Plan, which shall
meet the requirements of PETROBRAS N-858. During the execution of precommissioning activities,
records shall be kept and a precommissioning report prepared, in order to demonstrate compliance
with the technical requirements established in the SIS design.
12.1.6 The activities performed in the SIS pre-operation phase shall be registered in a validation
report.
12.2.3 Any discrepancy observed between the obtained and expected results shall be submitted for
analysis by those responsible for preparing the design, in order to correctly decide whether the SIS
can be accepted or whether a revision of design documents is necessary. The analysis report and the
decision concerning the treatment to be given to the discrepancy(ies) shall be part of the SIS
Acceptance Declaration.
12.2.4 All pending issues that degrade any technical requirement established in the SIS design shall
be treated.
12.2.5 As a final activity, a SIS inspection shall be performed to ensure that:
a) all bypass functions have been left in their normal operating positions;
b) all final elements (block valves, bypass valves, etc.) are in their respective safety
positions;
c) all materials and test devices have been removed;
d) all "forced" variables or conditions in the application program have been removed.
b)
c)
d)
e)
f)
description of the alarms and associated interface presentation (screens, light and
sound announcers, etc.);
specific operating procedures when operating with SIF in by-pass.
step by step description of startup sequence for the process or equipment associated
with the SIS, explaining:
by-pass commands;
process conditions to be fulfilled at each step and its associated SIFs;
time intervals that shall be observed (heating ramp, purge time etc.);
reset functions.
individual description of each by-pass command, either for start or maintenance, detailing
the conditions under which they shall be used;
individual description of each manual shutdown command, identifying possible situations
where they shall be activated;
instruction about the necessity of conducting periodic tests on SIFs for their integrity
maintenance;
procedures associated with the occurrence of SIS diagnostic alarms.
13.1.3 The SIS Operating Manual shall reference and comply with all other SIS design documents,
such as risk analysis reports, SIF data sheets, cause and effect matrix, logic diagram, etc.
13.1.4 The staff responsible for operating the plant or equipment protected by the SIS shall undergo training on the information and procedures contained in the SIS Operating Manual. The training shall be appropriately recorded to ensure traceability.
13.1.5 When a SIF is unavailable, a specific procedure shall be used for its temporary by-pass.
NOTE
13.2 Maintenance
13.2.1 Subclause 13.2 establishes requirements that allow the integrity and reliability of the SIS to be maintained over its life cycle.
13.2.2 During detailed design, a document entitled SIS Maintenance Plan shall be prepared, presenting the following content in an organized manner:
a) list of the periodic tests to be performed for each SIF, covering:
   - functional description of the SIF;
   - safety integrity level to be maintained;
   - alarm and trip set point values;
   - minimum required execution frequency;
   - detailed procedure for periodic test execution;
b) list of the routine inspections to be carried out, covering:
   - site integrity verification: conduits and trays, junction boxes, supports, tubing, padlocks and seals on valves and circuit breakers, etc.;
   - scheduled replacement of batteries, fans, etc.;
   - verification of application program backups.
c) forms for recording periodic maintenance tests, routine inspections and failure repairs, containing at least the following information:
   - task description;
   - task execution date;
   - staff responsible for the execution and time spent on it;
   - failure detection mode and description of the corrective action, if applicable;
d) execution schedule of periodic tests and inspections;
e) description of the necessary tools and equipment;
f) list of the staff and organizations responsible for carrying out the periodic tests, the routine inspections and the related records.
13.2.3 It is recommended to adopt a systematic coding scheme for tasks, failures, corrective actions and actuations, so as to allow statistical analysis of SIS occurrences. [Recommended Practice]
13.2.4 Execution of scheduled SIS maintenance interventions shall follow the SIS Maintenance Plan, and all records of their execution shall be available for consultation.
13.2.5 The SIS Maintenance Plan shall reference and comply with all other SIS design documents, such as risk analysis reports, SIF data sheets, cause and effect matrix, logic diagram, etc.
13.2.6 It is recommended that protection layers other than the SIS be included in the SIS Maintenance Plan if they have been credited for risk reduction. [Recommended Practice]
13.2.7 Those responsible for SIS maintenance activities shall undergo training on the information and procedures contained in the respective SIS Maintenance Plan. The training shall be appropriately recorded to ensure traceability.
13.2.8 Access to the SIS logic solver shall be restricted to staff authorized by the person responsible for maintenance. The number of people holding access authorization shall be limited and controlled.
13.2.9 All SIS documentation shall be kept under a revision control system that ensures its updating and distribution, so that its users always hold the latest revision.
13.2.10 Periodic audits shall be carried out to confirm compliance with the following items:
a)
b)
c)
d)
e)
13.3.3 The test periodicity shall be such that it maintains the SIL of each SIF, as prescribed in the SIF Data Sheets (basic design) and confirmed in the SIL verification phase (detailed design).
13.3.4 During scheduled maintenance shutdowns, all SIFs, regardless of their SIL and of the existence of monitoring, shall be tested with a coverage factor equal to 1.
13.3.5 The periodic tests shall cover all SIF devices: sensors, logic solver and final elements.
13.3.6 Sensors shall be tested so as to reproduce, as closely as possible, the actual operating conditions, including impulse lines, primary flow elements and electrical installation. Example: block-and-drain test of a level switch.
13.3.7 Final elements shall be tested by forcing the actuation of the respective logic solver outputs, including the normally energized ones.
13.3.8 Where it is not feasible to complete the final element test during normal operation, specific test procedures shall include:
a) execution of a full test during the process or equipment shutdown;
b) execution of partial test(s) while the process or equipment is in its operating regime, involving the following components: output circuits, interposing relays, solenoid valves and partial stroke of block valves.
13.3.9 A contingency action shall be provided in case the final element goes to its safe position (trips) during the test.
13.3.10 If the execution of a periodic test confirms the existence of a previously undetected failure, it shall be repaired in order to restore the integrity of the SIFs involved.
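Worked example, added here and not part of PETROBRAS N-2595: a check that a proposed proof-test policy keeps the PFDavg of a SIF inside the band of its required SIL (13.3.3), including the partial tests of 13.3.8 b). The 1oo1 simplified formula PFDavg = λDU·TI/2, its extension with a partial-test coverage term, the SIL bands and the failure-rate figure are assumptions taken from IEC 61508, not from this Standard, and the tag and numbers are constructed for illustration.

```python
"""Proof-test interval versus required SIL for a single SIF.

Added example, not part of PETROBRAS N-2595. Assumptions (not stated in the
Standard): 1oo1 simplified PFDavg model of IEC 61508-6,
    PFDavg ~= lambda_DU * TI / 2,
extended for a partial test (e.g. partial stroke) of coverage PTC run every
TI_partial, with a full test (coverage factor 1, cf. 13.3.4) every TI_full:
    PFDavg ~= lambda_DU / 2 * (PTC * TI_partial + (1 - PTC) * TI_full).
SIL bands are the demand-mode PFDavg bands of IEC 61508-1.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Upper PFDavg limit (exclusive) of each SIL band; PFDavg must stay below it.
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass(frozen=True)
class TestPolicy:
    lambda_du_per_hour: float            # dangerous undetected failure rate (assumed figure)
    full_interval_years: float           # full proof-test interval, coverage factor 1
    partial_interval_years: float = 0.0  # partial test interval (0 = no partial test)
    partial_coverage: float = 0.0        # fraction of lambda_DU revealed by the partial test


def pfd_avg(policy: TestPolicy) -> float:
    """Average probability of failure on demand under the given test policy."""
    ti_full = policy.full_interval_years * HOURS_PER_YEAR
    if policy.partial_coverage <= 0.0 or policy.partial_interval_years <= 0.0:
        return policy.lambda_du_per_hour * ti_full / 2.0
    ti_part = policy.partial_interval_years * HOURS_PER_YEAR
    ptc = policy.partial_coverage
    return policy.lambda_du_per_hour / 2.0 * (ptc * ti_part + (1.0 - ptc) * ti_full)


def achieved_sil(pfd: float) -> int:
    """Highest SIL whose PFDavg band contains pfd; 0 when PFDavg >= 0.1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_UPPER[sil]:
            return sil
    return 0


def max_full_interval_years(lambda_du_per_hour: float, target_sil: int,
                            partial_interval_years: float = 0.0,
                            partial_coverage: float = 0.0) -> float:
    """Full-test interval at which PFDavg reaches the upper limit of target_sil.

    Any shorter full-test interval keeps the SIF inside the band (13.3.3)."""
    upper = SIL_PFD_UPPER[target_sil]
    if partial_coverage <= 0.0 or partial_interval_years <= 0.0:
        return 2.0 * upper / lambda_du_per_hour / HOURS_PER_YEAR
    ti_part = partial_interval_years * HOURS_PER_YEAR
    ti_full = (2.0 * upper / lambda_du_per_hour - partial_coverage * ti_part) / (1.0 - partial_coverage)
    return max(ti_full, 0.0) / HOURS_PER_YEAR


def policy_meets_sil(policy: TestPolicy, required_sil: int) -> bool:
    """True when the test policy keeps the SIF at or above its required SIL."""
    return achieved_sil(pfd_avg(policy)) >= required_sil


if __name__ == "__main__":
    # Constructed figures: a SIL 2 SIF whose final element has lambda_DU = 2e-6 per hour.
    lam = 2e-6
    policies = (("yearly full test", TestPolicy(lam, 1.0)),
                ("2-yearly full test", TestPolicy(lam, 2.0)),
                ("2-yearly full + quarterly PST (60 %)", TestPolicy(lam, 2.0, 0.25, 0.6)))
    for name, pol in policies:
        print(f"{name:40s} PFDavg={pfd_avg(pol):.2e}  SIL {achieved_sil(pfd_avg(pol))}"
              f"  meets SIL 2: {policy_meets_sil(pol, 2)}")
    print(f"longest full-test interval for SIL 2, no PST: {max_full_interval_years(lam, 2):.2f} years")
    print(f"longest full-test interval for SIL 2, quarterly PST: "
          f"{max_full_interval_years(lam, 2, 0.25, 0.6):.2f} years")
```

With these figures a full test every two years alone leaves the SIF in SIL 1; adding a quarterly partial-stroke test with 60 % coverage brings the PFDavg back into the SIL 2 band, which is the effect 13.3.8 b) relies on between shutdowns.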
13.3.11 Records of these periodic tests shall contain the following information:
a)
b)
c)
d)
e)
f)
g)
13.3.12 The records of periodic tests shall be kept throughout the SISs life cycle, so that they:
a) can be checked at any time;
b) allow assessment of long-term performance.
13.3.13 At the discretion of the Operating Unit, a real or spurious trip may be considered as a SIF test, provided the following conditions are met:
a) the trip event shall be recorded on a specific form containing, at a minimum: date and time of the event, actuated SIF, alarms, detection mode, identified cause (process variable deviation, failed device(s), human action), subsequent actions and the names of the persons responsible; the trip registration form shall be stored in the technical documentation system of the Operating Unit, in a traceable way;
b) trips with unknown cause shall not be used as a SIF test;
c) on a spurious trip caused by a failure of the final element, none of the SIF devices can be considered tested;
d) on a spurious trip caused by a failure of the output module of the safety PLC, only the final element can be considered tested;
e) on a spurious trip caused by a failure of the logic solver CPU, only the output module of the safety PLC and the final element can be considered tested;
f) on a spurious trip caused by a failure of the input module of the safety PLC, the entire SIF, except the sensor and the safety PLC input module, can be considered tested;
g) on a spurious trip caused by a sensor failure, the entire SIF, except the sensor, can be considered tested;
h) on an actual trip, only the devices shown (from the records of the event) to have operated properly can be considered tested.
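The rules in 13.3.13 b) to h) decide which SIF devices a trip exercised, and a) fixes the minimum content of the trip record. The following is an added example, not part of N-2595, that encodes those rules and updates a per-device proof-test ledger; the device names, form field names and ledger layout are assumptions made for this illustration, and the trip records are constructed.

```python
"""Crediting a real or spurious trip as a SIF proof test (13.3.13).

Added example, not part of PETROBRAS N-2595. Device names, form field names,
the ledger layout and the sample trips below are assumptions made for this
illustration.
"""
from datetime import datetime

# Devices of a SIF in signal order (assumed names).
SENSOR, INPUT_MODULE, CPU, OUTPUT_MODULE, FINAL_ELEMENT = (
    "sensor", "input_module", "logic_solver_cpu", "output_module", "final_element")
ALL_DEVICES = (SENSOR, INPUT_MODULE, CPU, OUTPUT_MODULE, FINAL_ELEMENT)

# Minimum content of the trip registration form, 13.3.13 a) (assumed field names).
REQUIRED_FIELDS = ("timestamp", "sif", "alarms", "detection_mode", "cause",
                   "subsequent_actions", "responsible")

# 13.3.13 c) to g): on a spurious trip everything downstream of the failed
# device had to work for the trip to happen, so only those devices are credited.
CREDIT_FOR_FAILED_DEVICE = {
    FINAL_ELEMENT: frozenset(),                                                   # c)
    OUTPUT_MODULE: frozenset({FINAL_ELEMENT}),                                    # d)
    CPU:           frozenset({OUTPUT_MODULE, FINAL_ELEMENT}),                     # e)
    INPUT_MODULE:  frozenset({CPU, OUTPUT_MODULE, FINAL_ELEMENT}),                # f)
    SENSOR:        frozenset({INPUT_MODULE, CPU, OUTPUT_MODULE, FINAL_ELEMENT}),  # g)
}


def devices_credited(trip: dict) -> set:
    """Devices that may be considered tested by this trip (13.3.13 b) to h))."""
    if trip["cause"] == "unknown":
        return set()                                                              # b)
    if trip["kind"] == "spurious":
        failed = trip["failed_device"]
        if failed not in CREDIT_FOR_FAILED_DEVICE:
            raise ValueError(f"spurious trip with unrecognised failed device {failed!r}")
        return set(CREDIT_FOR_FAILED_DEVICE[failed])
    if trip["kind"] == "actual":
        shown_ok = set(trip.get("operated_properly", ()))                         # h)
        unknown = shown_ok - set(ALL_DEVICES)
        if unknown:
            raise ValueError(f"unknown devices in trip record: {sorted(unknown)}")
        return shown_ok
    raise ValueError(f"trip kind must be 'actual' or 'spurious', got {trip['kind']!r}")


def record_trip_as_test(ledger: dict, trip: dict) -> set:
    """Validate the trip form (13.3.13 a)), then move the last-test date of each
    credited device of the SIF forward in ledger[(sif, device)]. Returns the
    credited devices; an incomplete form credits nothing and raises."""
    missing = [f for f in REQUIRED_FIELDS if not trip.get(f)]
    if missing:
        raise ValueError(f"trip form incomplete, missing: {missing}")
    when = datetime.fromisoformat(trip["timestamp"])
    credited = devices_credited(trip)
    for device in credited:
        key = (trip["sif"], device)
        if key not in ledger or ledger[key] < when:
            ledger[key] = when
    return credited


# Constructed sample records (not real plant data).
SPURIOUS_CPU_TRIP = {
    "timestamp": "2010-11-03T14:20:00", "sif": "SIF-2212001",
    "alarms": ["PAHH-1001", "XV-1001 closed"], "detection_mode": "logic solver diagnostic",
    "kind": "spurious", "cause": "device failure", "failed_device": CPU,
    "subsequent_actions": "CPU replaced, SIF retested", "responsible": "shift supervisor",
}
ACTUAL_TRIP = dict(SPURIOUS_CPU_TRIP, timestamp="2010-12-01T02:05:00", kind="actual",
                   cause="process variable deviation", failed_device=None,
                   operated_properly=[SENSOR, INPUT_MODULE, CPU, OUTPUT_MODULE, FINAL_ELEMENT])
UNKNOWN_TRIP = dict(SPURIOUS_CPU_TRIP, cause="unknown", failed_device=None)

if __name__ == "__main__":
    ledger = {}
    for trip in (SPURIOUS_CPU_TRIP, ACTUAL_TRIP, UNKNOWN_TRIP):
        print(trip["kind"], "/", trip["cause"], "->", sorted(record_trip_as_test(ledger, trip)))
    for key, date in sorted(ledger.items()):
        print(key, date.isoformat())
```

The ledger only ever moves a device's last-test date forward, so a trip record filed late cannot overwrite a more recent full proof test, and a sensor is never credited by a spurious trip, which is the point of rules f) and g).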
13.4 Modifications
13.4.1 Subclause 13.4 establishes requirements so that changes made to the SIS do not impact the safety of the plant or associated equipment.
13.4.2 Any proposed change to the SIS shall be based on facts and data recorded in a document entitled SIS Modification Request, which shall contain:
a) description of the proposed modification;
b) reasons for executing the modification;
c) related conditions or hazardous events.
13.4.3 Any proposed change shall be submitted to an initial analysis by the technical team responsible for the SIS in order to classify it as:
a) type 1 modification: does not change the logic structure, SIL or MTTFS of the SIF(s) involved. Examples: changes to adjustable parameters, such as range values, alarm or trip set points, or time delays;
b) type 2 modification: may change the functionality, SIL or MTTFS of the SIF(s) involved. Examples: addition or removal of sensors or final elements, changes to the voting architecture, to the equipment type, or to the logic of the application program.
13.4.4 It is recommended to avoid: [Recommended Practice]
a) modifications to the application program logic while the process or equipment associated with the SIS is in operation;
b) firmware modifications, except when required to correct failures detected by the manufacturer.
13.4.5 After the initial screening, the SIS Modification Request shall be:
a) submitted for approval by the person responsible for operation of the industrial plant;
b) stored so as to allow consultation during and after the modification process.
13.4.6 If the modification request is approved, the technical team responsible for applying the requested changes shall issue revisions of all relevant technical documents, including test, operation and maintenance procedures. The revised documentation shall be identified as "PROVISORY REVISION FOR SIS MODIFICATION" and shall reference the corresponding SIS Modification Request.
13.4.7 Before the documents affected by a type 2 modification are revised, the risk analysis and assessment, including the SIL and the MTTFS, shall be revalidated.
13.4.8 Before any SIS modification is executed, the functional verification tests of the SIF(s) involved in the modification shall be revalidated.
13.4.9 Execution of any SIS modification shall be planned in compliance with the current procedures for access and work authorization at the Operating Unit.
13.4.10 Execution of changes to the application program shall include additional verifications to ensure that no changes have been made to other SIFs not involved in the implemented modification.
13.4.11 After completion of the functional verification tests, the description of the revised technical documents affected by the modification shall be changed to "REVISED ACCORDING TO MODIFICATION REQUEST ON SIS N....".
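One way to carry out the verification required by 13.4.10, added here as an example that is not part of N-2595 nor of any logic solver vendor's tooling: fingerprint the application program per SIF before and after the change, and flag every SIF outside the Modification Request whose logic differs. The text format of the exported program, the "SIF <tag>:" block delimiter and the sample programs are assumptions constructed for the illustration; a real export must be split according to the logic solver's own format.

```python
"""Scope check for an application-program modification (13.4.10).

Added example, not part of PETROBRAS N-2595. The export format below, with one
'SIF <tag>:' header per block, and the sample programs are constructed
assumptions; a real logic solver export has its own structure.
"""
import hashlib
import re

BLOCK_HEADER = re.compile(r"^\s*SIF\s+(?P<tag>[A-Z0-9-]+)\s*:\s*$")


def split_program(text: str) -> dict:
    """Split an exported program into {sif_tag: normalized block text}.

    Lines before the first header are ignored; blank lines and indentation
    are dropped so that a cosmetic re-export does not change a fingerprint."""
    blocks, current = {}, None
    for line in text.splitlines():
        match = BLOCK_HEADER.match(line)
        if match:
            current = match.group("tag")
            blocks.setdefault(current, [])
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return {tag: "\n".join(lines) for tag, lines in blocks.items()}


def fingerprint_program(text: str) -> dict:
    """SHA-256 per SIF block, suitable for filing with the modification record."""
    return {tag: hashlib.sha256(block.encode("utf-8")).hexdigest()
            for tag, block in split_program(text).items()}


def verify_modification_scope(before: str, after: str, authorized_sifs) -> dict:
    """Return {sif: 'modified' | 'added' | 'removed'} for every SIF that changed
    but is not named in the SIS Modification Request; {} means the change
    stayed within scope. SIFs named in the request are not reported here."""
    fp_before, fp_after = fingerprint_program(before), fingerprint_program(after)
    authorized = set(authorized_sifs)
    unexpected = {}
    for tag in sorted(set(fp_before) | set(fp_after)):
        if tag in authorized:
            continue
        if tag not in fp_after:
            unexpected[tag] = "removed"
        elif tag not in fp_before:
            unexpected[tag] = "added"
        elif fp_before[tag] != fp_after[tag]:
            unexpected[tag] = "modified"
    return unexpected


def unchanged_authorized(before: str, after: str, authorized_sifs) -> set:
    """SIFs named in the request whose logic is identical before and after:
    a sign that the change was applied elsewhere, or not at all."""
    fp_before, fp_after = fingerprint_program(before), fingerprint_program(after)
    return {tag for tag in authorized_sifs if fp_before.get(tag) == fp_after.get(tag)}


# Constructed sample exports (tags follow the SIF-<unit><seq> pattern of Annex D).
PROGRAM_BEFORE = """
SIF SIF-2212001:
    PSHH-1001 > 12.0 bar
    XV-1001 := CLOSE
SIF SIF-2212002:
    LSLL-1002 < 20 %
    XV-1002 := CLOSE
"""
# Modification Request covers SIF-2212001 only: its trip set point is lowered.
PROGRAM_AFTER_IN_SCOPE = PROGRAM_BEFORE.replace("> 12.0 bar", "> 11.5 bar")
# Same edit plus an undocumented change to SIF-2212002.
PROGRAM_AFTER_OUT_OF_SCOPE = PROGRAM_AFTER_IN_SCOPE.replace("< 20 %", "< 15 %")

if __name__ == "__main__":
    request = ["SIF-2212001"]
    print("in scope:", verify_modification_scope(PROGRAM_BEFORE, PROGRAM_AFTER_IN_SCOPE, request))
    print("out of scope:", verify_modification_scope(PROGRAM_BEFORE, PROGRAM_AFTER_OUT_OF_SCOPE, request))
    print("authorized but unchanged:", unchanged_authorized(PROGRAM_BEFORE, PROGRAM_AFTER_IN_SCOPE, request))
```

Filing the per-SIF hashes of the accepted program with the Modification Request gives the next verification (and the revision control of 13.2.9) a baseline to compare against, instead of relying on a visual review of the whole program.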
Annex A - Determination of the Required Safety Integrity Level Using the Risk Graphs
Method
A.1 Introduction
A.1.1 This annex describes the risk graph method, which allows the safety integrity level of a SIF to be determined from knowledge of the risk factors associated with the process and the basic process control system. It is a semi-qualitative method, developed on the basis of Annex D of IEC 61511-3:2003.
A.1.2 In this approach, a set of parameters is used that together describe the nature of the hazardous situation that occurs in the absence or on failure of the SIS. Four sets of parameters are used, and the selected parameters are combined to determine the safety integrity level of the SIF. These parameters represent key factors in the risk assessment and allow a graded risk rating.
A.1.3 This Annex provides examples of risk graphs and parameter tables designed to meet the criteria of typical process units. Before being used in any design, they shall be validated by the area responsible for plant safety; at that time the parameters may be adjusted to fit specific situations.
A.1.4 This annex presents risk graphs related to the safety of people in process industries, to environmental protection and to asset protection.
Table A.1 - Description of the Parameters of the Process Industry Risk Graph
[Table columns: Parameter, Description. Parameters listed: Consequence Severity; Occupation; Frequency of Demand.]
A.2.2 The risk graph lists specific combinations of risk parameters and safety integrity levels. The relationship between the combinations of risk parameters and the safety integrity levels is established taking into account the tolerable risk associated with the specific hazards.
A.3 Documentation Related to the Results of Safety Integrity Level (SIL) Determination
It is important that all decisions made during SIL determination be recorded in controlled documents. The documentation shall clearly indicate why the team selected the specific parameters associated with each safety function. The forms that record the result and the assumptions used in the SIL determination of each safety function shall be compiled into a report. The report shall also include the following additional information:
- the risk graph used, together with the descriptions of all parameter scales;
- the numbers and revisions of all drawings used;
- references to the assumptions considered and to any consequence studies used to evaluate the parameters;
- references to the failures that lead to demands and to any failure propagation model used to determine demand rates;
- references to the data sources used to determine demand rates.
[Figure: process industry risk graph. From "Start", the path follows Consequence (C), Occupation (F), Probability of avoiding the hazardous event (P) and Demand rate (W), ending either at the required SIL or at "no safety requirements"; see 6.4.9 of this Standard.]
A.4.5 Care shall be taken in selecting the occupation parameter. The load factor shall be selected on the basis of the most exposed person, not of the average of all exposed persons.
A.4.6 When a parameter cannot be fitted into the specified scales, other risk reduction methods shall be used.
Table A.2 - Parameters of the Process Industry Risk Graph (partially recovered)

Consequence severity (C)
Classification: C1 - No significant injuries.
Comments: 1) The consequence severity represents the number of seriously injured people and fatalities (C 1.0).

Occupation (F)
This parameter is calculated by determining the proportion of time during a work shift in which the area exposed to the hazardous event is occupied.
Classification: F1; F2.
NOTE 1 If the time spent in the hazardous area differs between operating shifts, the maximum value shall be selected.
NOTE 2 The use of parameter F is appropriate only if it can be demonstrated that the demand rate is random and not related to the periods in which the occupation is higher than normal. That correlation exists, for example, during startup periods or during the investigation of anomalies.

Probability of avoiding the hazardous event (P) if the protection system fails
Classification:
P1 - Adopted if all the conditions in the Comments column are fulfilled.
P2 - Adopted if one or more of the conditions in the Comments column are not fulfilled.
Comments: 3) P1 shall be selected only if all the following conditions are true:
- means are foreseen to alert the operator that the SIS has failed;
- independent means of process shutdown are prescribed in order to avoid the hazard or to allow people to be evacuated to a safe area;
- the time between the moment the operator is warned and the moment the event occurs exceeds 1 h or is sufficient to take the necessary measures.
[Figure: environmental risk graph. From "Start", the path follows Environmental Consequence (E), Probability of avoiding the hazardous event (P) and Demand rate (W).]

Table A.3 - Environmental Consequence (E)
Classification: E1; E2; E3; E4.
Examples, in increasing order of severity as recovered from the table:
- a moderate leak at a flange or valve; a small leak of liquid; small soil pollution without affecting the groundwater;
- an unhealthy vapour cloud moving outside the plant after a flanged joint rupture or a compressor seal failure; a release of vapour or aerosol, with or without precipitation of liquid, causing temporary harm to flora or fauna;
- significant liquid leakage into a river or the sea; release of vapour or aerosol, with or without precipitation of liquid, causing lasting harm to flora or fauna; release of solids (dust, catalyst, soot, ash); fluid leakage that could affect the groundwater.
[Figure: asset risk graph. From "Start", the path follows Material Consequence (L), Probability of avoiding the hazardous event (P) and Demand rate (W).]

Table A.4 - Material Consequence (L)
L1 - Losses between US$ 100,000 and US$ 1,000,000. Examples: off-specification production; product loss due to PSV opening; damage due to cavitation in small pumps.
L2 - Losses between US$ 1,000,000 and US$ 10,000,000.
L3 - Losses between US$ 10,000,000 and US$ 100,000,000.
L4 - (range as per the original table).
Examples for the upper classes: reactor explosion; rupture of a pressurized system; furnace explosion; boiler explosion.
A.6.3 The material consequence classes shown in Table A.4 are primarily defined by the ranges of monetary values indicated. The examples are merely illustrative of cases that typically result in financial losses in that range and can be used as guidance by the analysis team. Note that parameter F is not used in this risk graph, because the concept of occupation does not apply. Parameters P and W are applicable, and their definitions may be identical to those in Table A.2.
A.7 Determination of the Integrity Level of a Safety Instrumented Function whose Failure Leads to More than One Type of Consequence
When a failure on demand leads to more than one type of consequence (to people, the environment and assets), the required integrity levels associated with each of the aspects involved shall be determined separately, and the highest of them shall be the integrity level specified for the function.
B.2 Procedure
The procedure for applying LOPA to determine the required SIL of each SIF is shown in simplified form in Figure B.1 and described in detail in B.2 through B.4 of this Annex, which present some tabulated numerical values to be used in calculating the required SIL at the end of the analysis.
As a general rule, in case of doubt about the tabulated values, the most conservative value shall always be adopted. If the LOPA team decides to use in the analysis a value different from those shown in the tables of this Annex, the value actually adopted shall be based on defensible and documented reasons.
[Figure B.1 - Simplified LOPA procedure. Start; select the scenarios to be evaluated (B.2.1); verify the scenario severity (B.2.2); determine the tolerable frequency FTOL (B.2.3); estimate an ICF for the scenario (B.2.4); find an EEL for the scenario, if applicable (B.2.5); determine the MFs, if applicable (B.2.6); determine the consequence frequency FC (B.3.1). If FC is at most FTOL, the scenario is documented (B.3.3) and the next scenario is taken. Otherwise, if it is possible to add a non-SIF IPL, it is added and FC is determined again; if not, the required SIL is determined. A required SIL of up to SIL 3 is documented; beyond that, the process risks are re-assessed and management measures are required. End.]
[Table B.1 - Severity categories: V, IV, III, II, I.]
B.2.4 Initiating Cause Frequency
B.2.4.1 The initiating cause is the reason why the deviation in the process variable identified in the HAZOP occurred. Each initiating cause shall be analysed separately, in a specific scenario.
B.2.4.2 The LOPA method establishes that neither the existence of a protection layer nor any other factor shall be taken into account in determining the frequency of the initiating cause.
B.2.4.3 Failures on demand of protection layers (SIF, PSV etc.) shall not be considered initiating causes, since other events must initiate the scenario before these protection layers are demanded. However, leakage or failure to reseat after PSV actuation, as well as spurious actuation of protection systems, can be considered initiating causes of scenarios worth analysing, although they are often ignored.
B.2.4.4 The LOPA team shall select an initiating cause frequency (ICF) from Table B.2 for the identified scenario.
[Table B.2 - Initiating cause frequencies. Column: ICF (events/year), with tabulated values between 1 x 10^-6 and 1 x 10^-1 per year, some expressed per lifting (1 x 10^-4) or per opportunity (1 x 10^-3) and one entry "always"; "Gasket rupture" is among the rows listed.]
B.2.4.7 For SIF spurious actuation as an initiating cause, it is suggested to adopt an ICF of 1 x 10^-1 spurious trips per year, since at this stage of the procedure the MTTFS of the SIF is not yet known.
B.2.4.8 Equipment not covered in Table B.2, such as filters (of various types), flanges, tank trucks, onshore and subsea pipelines, manual (handwheel) valves and actuated block valves, shall have their failure frequency values supported by defensible and documented reasons.
(*) Industrial plants in which hazardous area classification has been studied, applied and properly maintained may consider an ignition probability equal to 0.1.
B.2.6.2.3 Other modification factors, such as greater or lesser ease of avoiding harm, are not considered in this Annex.
IPL identification is usually the hardest part of this method, and it is important to emphasize that every IPL is a safeguard, but not every safeguard is an IPL.
Table B.6 contains some examples of safeguards that are not normally considered IPLs.
[Table B.6 - Safeguards not normally considered IPLs: training and certification; procedures; maintenance; communications; signaling. A Comments column accompanies each row.]
Safeguards, whether IPLs or not, are linked to a scenario identified during the risk analysis, with a specific cause and consequence.
The main characteristic of a protection layer is that it shall be effective in preventing, on its own, the occurrence of the hazardous event; that is, a single protection layer working is enough for the unwanted consequence not to occur. The term independent means that the performance of the protection layer is not affected by the initiating cause, and that there shall be no failure capable of disabling two or more protection layers associated with the same scenario at the same time. Additionally, it shall be demonstrated through auditable documentation that the safeguard in question was properly designed and installed, and that it is periodically tested and properly maintained, so as to ensure its effectiveness, independence and specified PFDavg.
In short, an independent protection layer shall be:
a) effective in preventing the consequence of a potentially hazardous event;
b) independent of the initiating cause and of the components of any other IPL considered for the same scenario;
c) auditable, through documents that prove the adequacy of the design, installation, testing and maintenance of the IPL to its specifications.
Additionally, spurious actuation of the IPL shall not lead to a new scenario with a risk greater than or equal to the one it aims to avoid. For example, a relief system for toxic or flammable material shall discharge to a safe location. This can be checked as follows (F being the frequency of demand on the IPL):
Original Risk = Original Harm x F x PFDavg;
Spurious Trip Risk = Spurious Trip Harm / MTTFS;
If Spurious Trip Risk >= Original Risk, it is not worth implementing the IPL.
The LOPA method consists of adding protection layers until the risk thus obtained meets the adopted tolerability criterion.
The decision on which protection layer(s) to add, among the possible alternatives, can be based on a comparative analysis of their deployment, operation and maintenance costs over the life cycle. [Recommended Practice]
Before considering the addition of protection layers, however, it is recommended that inherently safer design solutions be applied. [Recommended Practice]
Adopting an inherently safer design can eliminate a scenario altogether. Such a consideration shall be recorded in the LOPA worksheet (Annex C). Note that other scenarios with the same consequence (but other initiating causes) may still exist.
Regarding the mode of actuation, an IPL can be passive or active.
A passive IPL is one that does not need to take any action to fulfil its protective function. Table B.7 presents some examples of safeguards that may be considered passive IPLs.
[Table B.7 - Examples of passive IPLs with their Average Probability of Failure on Demand (PFDavg); tabulated values are 1 x 10^-2, with one entry at 1 x 10^-3; "Blowout panel" is among the rows listed.]
An active IPL is one that needs to change from one state to another in response to changes in a measurable property of the process in question. Table B.8 presents some examples of safeguards that may be considered active IPLs.
[Table B.8 - Examples of active IPLs with their Average Probability of Failure on Demand (PFDavg); tabulated values range from 1 to 1 x 10^-3. Rows recovered: multiple independent relief devices (nozzles, discharge etc.) where more than one needs to actuate to cover 100 % of the scenario (e.g., PSV stages) [B.2.7.6]; rupture disk; check valve [B.2.7.7] (a single check valve is not an IPL); high integrity backflow prevention device [B.2.7.7].]
The numerical values in Tables B.7 and B.8 can be used as the Average Probability of Failure on Demand (PFDavg) of each IPL. If the LOPA team believes that an IPL is more reliable (lower PFDavg) than the numerical values presented in these tables, or identifies an IPL different from those presented, the value adopted for its PFDavg shall be based on defensible and documented reasons.
NOTE Table B.8 expresses PFDavg values for a SIF in demand mode of operation. For continuous mode of operation, dangerous failure frequency values (SIL 1 = 10^-5 per hour, SIL 2 = 10^-6 per hour, SIL 3 = 10^-7 per hour) shall be used in place of PFDavg.
In order to ensure consistency in LOPA, B.2.7.1 to B.2.7.10 list some conditions to guide the decision on when to consider a safeguard as an IPL.
B.2.7.1 General Conditions
a)
b)
c)
d)
If, during the review process, it is proposed to increase the complexity of a control loop, or to use redundant sensors or final elements in it, in order to count the loop as a protection layer or to increase its risk reduction factor, then the creation of a new SIF or an increase in the SIL of the existing SIF shall be considered instead.
Check valves are not suitable for applications that require tight shut-off against reverse flow.
A gas detection system that commands the closure of SDVs (or inventory isolation valves) can be analysed in a similar way, i.e.:
a) this system can be considered a safeguard against events arising from a gas leak (e.g., fire, explosion), but not against the leak itself, since the leak will necessarily have occurred already by the time it is detected;
b) it shall be evaluated whether this protection layer is by itself capable of preventing the undesired consequence, or whether it depends on other, external actions (e.g., by the operator) to be effective;
c) it shall be possible to determine (and audit) its effectiveness, that is, the layer's RRF = 1/PFDavg, taking into account the dispersion of the gas in the atmosphere at the moment of the demand.
[Figure: event tree for the consequence frequency. The original scenario (S0 x FC0) passes through each mitigating layer, which branches into failure (probability PFDavg) and success (probability 1 - PFDavg).]
Abbreviations:
FC = Frequency of Consequence;
ICF = Initiating Cause Frequency;
EEL = Enabling Event Likelihood;
MFi = i-th Modification Factor;
IPLj = PFDavg of the j-th PL (non-SIF) associated with the Initiating Cause.
B.3.1.2 If FC is lower than or equal to FTOL, the existing protection layers are sufficient.
B.3.1.3 If FC is higher than FTOL, additional protection layers will be necessary to reduce the residual risk of the scenario to a tolerable level.
NOTE If FC indicates more than one SIF demand per year, or two or more demands within each interval between tests, it is appropriate to consider that this SIF operates in continuous mode and therefore has a SIL correlated not with a PFDavg but with the dangerous failure frequency per hour, where SIL 1 is equivalent to a frequency between 10^-6/hour and 10^-5/hour, and so on.
[Table - Required SIL (1, 2 or 3) as a function of the required RRF.]
B.3.2.2 If the required RRF is greater than 1000, the process risks and the design basis shall be reviewed, possibly requiring management involvement.
B.3.2.3 It is recommended to evaluate the possibility of replacing a SIF demanded by many scenarios with other SIFs based on process variables more directly related to the deviation of each scenario. [Recommended Practice]
EXAMPLE In a scenario where failure to control the level of the vessel in a fractionating tower can lead to gas discharge from a process component through a liquid outlet ("gas blow-by") and, consequently, to overpressure in the tower, a SIF initiated by a PSHH could be replaced by another in which a very low level (LSLL) in the vessel forces the interruption of the feed to the tower.
B.3.2.4 A SIF shall meet the highest required SIL among the scenarios by which it is demanded.
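A worked LOPA evaluation in code, added as an example that is not part of N-2595; it also covers the spurious-trip check of B.2.7. It computes FC from the quantities the abbreviation list defines, compares it with FTOL, derives the required RRF and SIL, applies the continuous-mode test of the NOTE to B.3.1 and the management-review test of B.3.2.2, and takes the highest SIL over several scenarios as B.3.2.4 requires. The product form of the FC equation, the use of MTTF = 1/ICF and RRF = 1/PFDavg as in the Annex C worksheet, the SIL bands (taken from IEC 61511-1, not from this Standard's own table) and all scenario figures are assumptions made for the illustration.

```python
"""LOPA consequence frequency and required SIL (Annex B, B.3), with the IPL
spurious-trip check of B.2.7.

Added example, not part of PETROBRAS N-2595. Assumptions:
- FC = ICF * EEL * prod(MF_i) * prod(PFDavg_j) over the non-SIF IPLs;
- as in the Annex C worksheet, the initiating cause is given as MTTF = 1/ICF
  (years) and each IPL as RRF = 1/PFDavg;
- required RRF = FC / FTOL, mapped to SIL with the demand-mode bands of
  IEC 61511-1 (SIL 1: 10 <= RRF < 100, SIL 2: 100 <= RRF < 1000,
  SIL 3: RRF >= 1000); a required RRF between 1 and 10 is rounded up to
  SIL 1 here, the conservative choice;
- all scenario figures below are constructed.
"""
from dataclasses import dataclass
from math import prod
from typing import Optional, Sequence


@dataclass(frozen=True)
class Scenario:
    name: str
    mttf_years: float                           # initiating cause, MTTF = 1 / ICF
    ftol_per_year: float                        # tolerable frequency for the severity category
    eel: float = 1.0                            # enabling event likelihood (1.0 if none)
    modification_factors: Sequence[float] = ()  # e.g. ignition probability
    ipl_rrfs: Sequence[float] = ()              # RRF = 1 / PFDavg of each non-SIF IPL
    test_interval_years: float = 1.0            # SIF proof-test interval, for the mode check


@dataclass(frozen=True)
class LopaResult:
    fc_per_year: float
    required_rrf: float            # 1.0 when no further risk reduction is needed
    required_sil: Optional[int]    # None when FC <= FTOL (B.3.1.2)
    continuous_mode: bool          # NOTE to B.3.1: demand rate too high for demand mode
    management_review: bool        # B.3.2.2: required RRF > 1000


def consequence_frequency(s: Scenario) -> float:
    icf = 1.0 / s.mttf_years
    pfd_of_ipls = 1.0 / prod(s.ipl_rrfs) if s.ipl_rrfs else 1.0
    return icf * s.eel * prod(s.modification_factors) * pfd_of_ipls


def sil_for_rrf(rrf: float) -> Optional[int]:
    if rrf <= 1.0:
        return None
    if rrf < 100.0:
        return 1
    if rrf < 1000.0:
        return 2
    return 3


def evaluate(s: Scenario) -> LopaResult:
    fc = consequence_frequency(s)
    if fc <= s.ftol_per_year:                  # B.3.1.2: existing layers suffice
        return LopaResult(fc, 1.0, None, False, False)
    rrf = fc / s.ftol_per_year                 # B.3.1.3: the SIF must close the gap
    # The demand rate on the SIF is FC: more than one per year, or two or more
    # per test interval, means the SIF would operate in continuous mode.
    continuous = fc > 1.0 or fc * s.test_interval_years >= 2.0
    return LopaResult(fc, rrf, sil_for_rrf(rrf), continuous, rrf > 1000.0)


def sif_required_sil(scenarios: Sequence[Scenario]) -> Optional[int]:
    """B.3.2.4: a SIF demanded by several scenarios takes the highest required SIL."""
    sils = [r.required_sil for r in map(evaluate, scenarios) if r.required_sil is not None]
    return max(sils) if sils else None


def ipl_worth_implementing(original_harm: float, demand_per_year: float, pfd_avg: float,
                           spurious_trip_harm: float, mttfs_years: float) -> bool:
    """B.2.7 check: Original Risk = Original Harm x F x PFDavg against
    Spurious Trip Risk = Spurious Trip Harm / MTTFS, harm in any consistent unit."""
    original_risk = original_harm * demand_per_year * pfd_avg
    spurious_risk = spurious_trip_harm / mttfs_years
    return spurious_risk < original_risk


# Constructed scenarios demanding one SIF (tag pattern from Annex D).
BPCS_LOOP_FAILURE = Scenario("BPCS level loop fails, gas blow-by", mttf_years=10.0,
                             ftol_per_year=1e-5, modification_factors=(0.1,), ipl_rrfs=(100.0,))
OPERATOR_ERROR = Scenario("manual valve left closed", mttf_years=1.0,
                          ftol_per_year=1e-6, ipl_rrfs=(100.0,))
HIGH_DEMAND = Scenario("frequent upstream compressor trips", mttf_years=0.5, ftol_per_year=1e-4)

if __name__ == "__main__":
    for s in (BPCS_LOOP_FAILURE, OPERATOR_ERROR, HIGH_DEMAND):
        r = evaluate(s)
        print(f"{s.name}: FC={r.fc_per_year:.2e}/yr RRF={r.required_rrf:.0f} SIL={r.required_sil} "
              f"continuous={r.continuous_mode} review={r.management_review}")
    print("SIF-2212001 required SIL:", sif_required_sil((BPCS_LOOP_FAILURE, OPERATOR_ERROR)))
    print("IPL worth implementing with MTTFS 5 years:", ipl_worth_implementing(1e6, 0.1, 1e-2, 1e4, 5.0))
```

Working in MTTF and RRF keeps every factor a positive power of ten, as the NOTE to B.3.3 intends for the Annex C worksheet; the conversion to ICF and PFDavg happens only inside consequence_frequency.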
B.3.3 Documentation
B.3.3.1 LOPA results shall be clearly documented in the form of a report which shall be attached to or
be part of the HAZOP report.
B.3.3.2 It is recommended to use a standardized spreadsheet, according to the model in Annex C.
[Recommended Practice]
NOTE To make the calculation easier, Annex C uses the MTTF (interval time) rather than the ICF (frequency), and the risk reduction factor (RRF) rather than the average probability of failure on demand (PFDavg), so that all powers of ten have positive exponents.
B.3.3.3 If FTOL has been satisfied without the need for a SIF, it shall be recorded that the automatic function prescribed in the design or recommended by the HAZOP is not safety-critical and shall be performed by the BPCS.
B.3.3.4 Beyond simply filling in the spreadsheet fields with the standardized information about the team and the scenario, the data obtained from the HAZOP and the calculation results, the LOPA recommendations for an objective design review shall be observed, adding, modifying or eliminating existing or planned safeguards according to the effectiveness verified during the review process in preventing or mitigating the unwanted effects. Issues that need to be detailed and discussed further in other forums shall also be recorded, as well as the actions to be taken and the points for continuous improvement of this procedure.
B.4.2 Revalidation
Whenever there is a change that results either in a review of the existing HAZOP or in a new HAZOP, it shall be evaluated whether the assumptions made in the previous analysis remain valid and, if not, the LOPA results affected shall be reviewed.
Annex C - LOPA Worksheet (form belonging to PETROBRAS N-2595 REV. C, Appendix C, sheets 01/02 and 02/02)
THE INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS. ITS UNREASONABLE USE IS PROHIBITED.
Title block fields: reference drawings (No., rev., sheet); abbreviations; description; notes; revision index (original, REV. A to REV. K, with dates); client or user; program or design; area or unit; title; signature fields for design, execution, verification and approval; sheet ... of ....
Worksheet columns:
- Node; deviation;
- Initiating cause: description; MTTF;
- Enabling event: EEL;
- Consequence: description; severity of the consequence; H; note;
- Safeguard conditions: presence of people; other (specify);
- Required RRF;
- Safeguards: description; H; type (P/A); IPL; RRF;
- Recommendations; total RRF; residual risk; H;
- Recommendation No.; description;
- Scenario number; notes.
Annex D - SIF Specification Data Sheet (form belonging to PETROBRAS N-2595 REV. C, Appendix D, sheets 01/04 to 04/04)
INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS; USE OUTSIDE ITS PURPOSE IS PROHIBITED.
Sheet 01/04 - title block: data sheet No.; rev.; sheet ... of ...; client; program; area; title (SIF SPECIFICATION); revision index (REV. 0, REV. A to REV. H, with dates) and signature fields for project, execution, control and approval.
Sheet 02/04 - identification and functional specification:
- "Tag"; SIF Description; Causes of Demand;
- Functional Specification: tables of tags with the columns Tag, Description, Type, Detection (HH or LL), Trip Value, Actuation Mode, Safe State, Actuation Mode, Location;
- Manual Trip: Yes / No;
- Safety Actions; Secondary Actions;
- Maximum Acceptable Response Time (seconds); Delay Time (seconds);
- Hazardous Combination of Final Elements: Yes / No; Description.
No.
DATA SHEET
REV.
SHEET
of
TITLE:
SIF SPECIFICATION
Application of Risk Graph
Frequency of Demand
( ) W1
( ) W2
( ) W3
Consequences to People
C:
F:
P:
E:
P:
Property Loss
L:
P:
Application of LOPA
Deviation:
MTTF
Enabling Event
EEL
Initiating Cause
MTTF
Enabling Event
EEL
Initiating Cause
MTTF
Enabling Event
EEL
Initiating Cause
MTTF
Enabling Event
EEL
Scenario:
Initiating Cause
Consequences
Scenario:
Tolerable Frequency:
Consequences
Total RRF:
Scenario:
Tolerable Frequency:
Consequences
Scenario:
Tolerable Frequency
Assessment Results
Required SIL:
Minimum MTTFS Acceptable
(years):
Implementation Requirements
Maintenance Bypass
Description:
No (
Additional Cautions:
By-Pass to start
Operations
Yes (
Description:
No (
Additional Cautions:
Yes (
Description:
No (
Additional Cautions:
NOTES:
INFORMATION IN THIS DOCUMENT IS PROPERTY OF PETROBRAS, BEING PROHIBIT OUTSIDE THEIR PURPOSE .
FORM OWNED TO PETROBRAS N-2595 REV. C APPENDIX D - SHEET 03/04.
Modifying Factors
Total RRF:
Observations:
Yes (
Modifying Factors
Total RRF:
Tolerable Frequency:
Consequences
Modifying Factors
Modifying Factors
Total RRF:
Safeguards
P/A IPL
RRF
P/A IPL
RRF
P/A IPL
RRF
P/A IPL
RRF
Required RRF:
Safeguards
Required RRF:
Safeguards
Required RRF:
Safeguards
Required RRF:
No.
DATA SHEET
REV.
SHEET
of
TITLE:
SIF SPECIFICATION
COMPLETION INSTRUCTIONS
General Information
- Tag: each SIF shall have a unique identifier (Tag) consisting of the unit number followed by a sequential number. Example: SIF-2212001 (unit 2212, sequential number 001).
- Risk Analysis Report: number of the document related to the SIF.
- Cause and Effect Matrix: number of the document related to the SIF.
- Description of the SIF: brief description of the function, containing the deviation and the action. Example: high fuel gas pressure blocks fuel gas to furnace F-501.
- Hazardous Event: event to be avoided, as considered in the risk analysis. Example: formation of an explosive mixture inside the combustion chamber.
- Causes of Demand: demand causes considered in the risk analysis. Examples: failure of the fuel gas pressure control loop, process imbalance, etc.
- Consequences of Failure on Demand: possible harm and impacts caused by the hazardous event considered in the risk analysis. Examples: flame extinguishment with formation of an explosive mixture and possible explosion of the combustion chamber, followed by fire, injury or death of a person, production loss of about US$ 200 K and damage to the installations of about US$ 2 M.
- Consequences of Spurious Trip. Examples: production loss, possibility of tube coking, damage to refractory material, etc.
- Cost of the Spurious Trip (US$): according to item 6.5.
Functional Specification
- Tag: identifiers of the sensors and final elements, according to the engineering flowcharts and the cause and effect matrix. Examples: PIT-2212101A, PIT-2212101B, XV-2212190A, XV-2212190B and XV-2212190C.
- Description: service of each sensor and final element, according to the instrument list and data sheet. Examples: fuel gas header pressure transmitters, block valve for blocking fuel gas to the furnace, intermediate vent valve for fuel gas.
- Actuation Mode: de-energize to trip or energize to trip.
- Detection (HH or LL): direction of change of the process variable that demands SIF actuation.
- Trip Value: value of the process variable at which the SIF shall act, as indicated in the data sheets of the respective sensors.
- Safe State: safe position of the final element. Examples: block valve closed, vent valve open to a safe location.
- Manual Trip: brief description of the implementation. Example: Tag: HS-2212150; Description: electromechanical push button with double contact (in series), normally closed; Type: pull to trigger, with protection against improper actuation; Location: F-501 local panel.
- Functional Relation between Sensors and Final Elements: description, in text or drawing, of the logical relation between the SIF sensor(s) (which may include the manual trip) and final element(s), as well as the voting architectures of sensors and final elements. Example: starting from the normal operating state, if flame failure occurs on more than 50 % of the burners or the fuel gas pressure is low, the admission of gas to the burners shall be blocked and the intermediate vent opened to a safe location.
- Description of the Safe State to be Achieved and Maintained: characterization of the success of the SIF operation. Example: fuel gas blocked to the furnace and intermediate vent open to a safe location.
- Safety Actions: actions performed by the SIF to reach or maintain the safe state. Example: de-energize the solenoid valve coils that depressurize the pneumatic actuators of XV-2212190A and XV-2212190C.
- Secondary Actions: actions triggered by the SIF actuation that are not directly related to achieving or maintaining the safe state and are intended to help operation. Example: after a furnace trip, choking the steam admission and opening the stack damper to facilitate purging of the combustion chamber.
- Maximum Acceptable Response Time (seconds): maximum SIF response time (see definition) without jeopardizing the safety actions.
- Delay Time (seconds): delay time value (see definition) to be applied, if necessary.
- Hazardous Combination of Final Elements: when there is more than one final element, whether any hazardous condition exists due to a failure of their joint actuation. Example: non-closure of the first block valve (XV-2212190A) when the intermediate vent (XV-2212190B) opens, causing a fuel gas cloud in the outdoor area near the furnace.
Application of Risk Graph
- Frequency of Demand: frequency of the SIF demand (W1, W2 or W3) assumed in the application of the risk graph.
- Consequences to People: classes of severity of consequences to people (C), of occupancy (F) and of probability of avoiding the damage (P) assumed in the application of the risk graph.
- Property Loss: classes of severity of material consequences (L) and of probability of avoiding the damage (P) assumed in the application of the risk graph.
- Environment: classes of severity of environmental consequences (E) and of probability of avoiding the damage (P) assumed in the application of the risk graph.
Application of LOPA
- Deviation: deviation of the process variable that demands SIF action, according to the HAZOP+LOPA report.
- Scenario: number of each scenario in which the SIF is an IPL, according to the HAZOP+LOPA report.
- Initiating Cause: equipment failure, human action or external event that causes the deviation, with its MTTF (expected time for the initiating cause to occur).
- Enabling Event: description of the enabling event, if applicable, with its EEL (probability of the enabling event occurring).
- Consequences: possible impacts of the scenario, with their respective categories of severity to people (S), environment (E) and property (L).
- Modifying Factors: factors considered in the analysis, with their values and the justification for adopting them.
- Safeguards: safeguards for the scenario considered in the HAZOP+LOPA report and, for each one: whether Passive (P) or Active (A); whether it is an IPL or not; and, if an IPL, its RRF.
- Tolerable Frequency: tolerable frequency for the consequence of highest severity in the scenario considered.
- Total RRF: total risk reduction obtained with all the IPLs considered for the scenario, excluding the SIF.
- Required RRF: risk reduction that the SIF must provide for the scenario to meet its Tolerable Frequency.
Assessment Results
- Required SIL: result of the application of the risk graph or of the LOPA.
- Minimum Acceptable MTTFS (years): according to item 6.5.
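The LOPA fields above (MTTF, EEL, Modifying Factors, Safeguards with P/A, IPL and RRF, Tolerable Frequency, Total RRF, Required RRF) and the Required SIL under Assessment Results are a short chain of arithmetic, and it is worth checking the sheet against it before the SIL is committed to. The Python below does that for one scenario; it is an added example, not part of N-2595 or of any Petrobras tool. The furnace scenario, its MTTF, EEL, modifying factor, safeguard RRFs and tolerable frequency are constructed figures; the SIL bands are the IEC 61508/61511 low-demand RRF ranges (10 to 100 for SIL 1, 100 to 1 000 for SIL 2, 1 000 to 10 000 for SIL 3).

```python
"""LOPA check for one SIF data sheet scenario.

Added example (not part of N-2595). All scenario figures are constructed.
Symbols follow the data sheet: MTTF (years) of the initiating cause,
EEL (probability of the enabling event), modifying factors, safeguards
classified P/A and IPL/non-IPL with an RRF, Tolerable Frequency (per year),
Total RRF (all IPLs except the SIF) and Required RRF (what the SIF must add).
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    description: str
    kind: str            # "P" passive or "A" active
    is_ipl: bool         # independent of the initiating cause and of other layers?
    rrf: float = 1.0     # risk reduction factor, only credited when is_ipl


@dataclass
class Scenario:
    number: str
    deviation: str
    initiating_cause: str
    mttf_years: float                    # expected time for the cause to occur
    enabling_event: str = "none"
    eel: float = 1.0                     # 1.0 when there is no enabling event
    modifying_factors: dict = field(default_factory=dict)  # name -> probability
    safeguards: list = field(default_factory=list)
    tolerable_frequency: float = 1.0e-4  # per year, for the most severe consequence


def unmitigated_frequency(s: Scenario) -> float:
    """Consequence frequency with no protection layer credited:
    (1 / MTTF) x EEL x product of the modifying factors."""
    f = (1.0 / s.mttf_years) * s.eel
    for probability in s.modifying_factors.values():
        f *= probability
    return f


def total_rrf(s: Scenario) -> float:
    """Total RRF on the sheet: product of the RRF of every IPL other than the SIF."""
    rrf = 1.0
    for g in s.safeguards:
        if g.is_ipl:
            rrf *= g.rrf
    return rrf


def mitigated_frequency(s: Scenario) -> float:
    """Frequency after the existing IPLs, before the SIF."""
    return unmitigated_frequency(s) / total_rrf(s)


def required_rrf(s: Scenario) -> float:
    """Required RRF: reduction the SIF must provide to meet the tolerable frequency.
    A value below 1 means the target is already met without the SIF."""
    return mitigated_frequency(s) / s.tolerable_frequency


def required_sil(rrf: float) -> int:
    """Required SIL from the IEC 61508/61511 low-demand RRF bands.
    0 means no SIL-rated function is needed for this scenario."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf < 10000:
        return 3
    raise ValueError("RRF >= 10 000: split the risk reduction, do not rely on one SIF")


# Constructed scenario, in the spirit of the furnace F-501 examples on the sheet.
FURNACE_SCENARIO = Scenario(
    number="12",
    deviation="low fuel gas pressure to furnace F-501",
    initiating_cause="failure of the fuel gas pressure control loop",
    mttf_years=10.0,                     # assumed: one loop failure per 10 years
    enabling_event="none",
    eel=1.0,
    modifying_factors={"presence of people": 0.5},   # assumed probability
    safeguards=[
        # Part of the same control loop as the initiating cause: not independent.
        Safeguard("pressure regulator PCV on the header", "A", is_ipl=False),
        # Alarm with operator response, independent of the loop: credited.
        Safeguard("PAL alarm with operator response", "A", is_ipl=True, rrf=10.0),
    ],
    tolerable_frequency=1.0e-4,          # assumed, per year
)


def data_sheet_values(s: Scenario) -> dict:
    """Values to copy into the Application of LOPA and Assessment Results fields."""
    rrf = required_rrf(s)
    return {
        "Scenario": s.number,
        "Total RRF": total_rrf(s),
        "Required RRF": rrf,
        "Required SIL": required_sil(rrf),
    }


if __name__ == "__main__":
    for name, value in data_sheet_values(FURNACE_SCENARIO).items():
        print(f"{name}: {value}")
```

The non-IPL safeguard is the part worth reading twice: the regulator sits in the same loop whose failure is the initiating cause, so crediting it would double count the loop and understate the Required RRF. With the constructed figures the scenario lands at a Required RRF of 50, so SIL 1, and that value is what goes on the sheet rather than the MTTF or the alarm RRF on their own.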
Implementation Requirements
- Maintenance Bypass: whether or not it is necessary. If necessary, describe how it is implemented.
- Additional Cautions: special conditions or specific procedures to be observed, when applicable.
- Bypass to start Operations: whether or not it is necessary. If necessary, describe how it is implemented.
- Additional Cautions: special conditions or specific procedures to be observed, when applicable.
- Reset in the Field: whether or not it is necessary. If necessary, describe how it is implemented.
- Additional Cautions: special conditions or specific procedures to be observed, when applicable.
- MTTR: value considered in the SIF reliability calculations.
- Interval Between Periodic Tests: time interval considered in the SIF reliability calculations to maintain the required SIL.
- Legal Requirements: Examples: NR-13, NR-10, environmental laws, etc.
Observations:
NOTES:
Applicable notes, numbered and referenced throughout the SIF data sheet.
FORM OWNED BY PETROBRAS N-2595 REV. C APPENDIX D - SHEET 04/04.
N-2595
REV. B
ENGLISH
REVISION INDEX
REV. A
Affected Parts
Description of Alteration
Revised
Revised
4 to 4.2.9
4.30
Eliminated
5 to 5.1
5.1.1
5.1.2 to 5.7.3
Included
6 to 6.1.6
6.1.7 to 6.1.11
Included
6.2 to 6.24
6.2.5 to 6.2.6
Eliminated
6.3 to 6.30.10
Included
6.4 to 6.4.8
6.4.8.1 to 6.4.8.5
Eliminated
6.4.9 to 6.4.11
Included
6.5 to 6.5.12
6.6 to 6.11
Included
7 to 7.1.5
7.1.6
Eliminated
7.2 to 7.2.4
7.2.5 to 7.2.14
Eliminated
7.3 to 7.3.2
7.3.3 to 7.3.15
Eliminated
7.4 to 7.4.4
7.4.5 to 7.9.2
Eliminated
8 and 8.1
8.1.1 to 8.1.4
Eliminated
8.2
8.2.1 to 8.2.3
Eliminated
8.3
Eliminated
8.4
Eliminated
8.5 to 8.5.2
8.5.2.1 to 8.5.2.3
Eliminated
8.5.4 to 8.8
Included
9 to 9.7
Eliminated
Annex A
Revised
REV. B
Affected Parts
Description of Alteration
5.3
Revised
5.4.5.4
Revised
5.5.1
Revised
5.6.6
Revised
6.5.4
Revised
6.5.5
Revised
6.5.9
Revised
7.4.3
Revised
Annex A
Revised
REV. C
Affected Parts
All
Description of Alteration
Revised
Department | Telephone | Key
ENGENHARIA/IEABAST/EAB/AIIS | 8193307 | SGZG
ENGENHARIA/IEABAST/EAB/AIIS | 8193305 | CSJ1
AB-RE/ES/TAIE | 8140627 | DPBT
E&P-ENGP/IPP/EISA | 7042396 | Q093
REPAR/EN | 8562539 | AR85
UN-RNCE/ATP-M | 8344327 | D5H4
CENPES/EB-AB-G&E/AEDC | 8127084 | BB29
ENGENHARIA/IEABAST/EAB/ENPRO | 8193364 | SGZP
ENGENHARIA/IEEPT/EEPTM/EIP | 8116792 | CTTD
CENPES/EB-AB-G&E/AEDC | - | CSG0
E&P-ENGP/IPP/EISA | 7041618 | Q070
E&P-CORP/SMS/SEG | 7049202 | RFX3
GE-LPGN/PLGN/PSL | 8194422 | CSJ0
CENPES/EB-E&P/PPEP | 8122461 | Q071
RH/UP/ECTG&E | 8013174 | Q012
Technical Secretary: André da Rocha Marques, ENGENHARIA/AG/NORTEC-GC | 819-3063 | CDF9