Guideline IEC 61508-Rev2

Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry
No.: 070
Date effective: October 2004
Revision no.: 02
Date revised: October 2004
1 of 159

APPLICATION OF IEC 61508 AND IEC 61511 IN THE NORWEGIAN PETROLEUM INDUSTRY

Table of content

FOREWORD ... 5
1 INTRODUCTION ... 6
1.1 SCOPE AND PURPOSE OF DOCUMENT ... 6
1.2 RISK REDUCTION, SIS AND SAFETY BARRIERS ... 8
2 THE IEC 61508 AND IEC 61511 STANDARDS ... 9
3 REFERENCES ... 12
4 ABBREVIATIONS AND DEFINITIONS ... 13
4.1 ABBREVIATIONS ... 13
4.2 DEFINITIONS ... 14
5 MANAGEMENT OF FUNCTIONAL SAFETY ... 16
5.1 OBJECTIVE ... 16
5.2 REQUIREMENTS ... 16
5.2.1 Competence ... 16
5.2.2 Responsible Person ... 16
5.2.3 Planning ... 17
5.2.4 Follow up ... 17
5.2.5 Assessment, auditing and revisions ... 17
6 VERIFICATION, VALIDATION AND FUNCTIONAL SAFETY ASSESSMENT ... 18
6.1 INTRODUCTION ... 18
6.2 INTERPRETATION OF TERMS ... 18
6.3 VERIFICATION ... 18
6.4 VALIDATION ... 19
6.5 FUNCTIONAL SAFETY ASSESSMENT ... 19
7 DEVELOPMENT OF SIL REQUIREMENTS
7.1 OBJECTIVE ... 20
7.2 APPROACH ... 20
7.3 DEFINITION OF EUC ... 20
7.4 HAZARD AND RISK ANALYSIS ... 22
7.4.1 Scope of hazard and risk analysis ... 22
7.4.2 Hazard identification (HAZID) ... 22
7.5 DEFINITION OF SAFETY FUNCTIONS ... 22
7.5.1 Scope ... 22
7.5.2 Requirements ... 23
7.6 MINIMUM SIL REQUIREMENTS ... 23
7.7 HANDLING OF DEVIATIONS FROM THE MINIMUM SIL REQUIREMENTS ... 27
7.7.1 Identification of deviations ... 27
7.7.2 Required input for handling of deviations ... 28
7.7.3 Determination of SIL for safety function deviations ... 28
7.8 SAFETY REQUIREMENTS SPECIFICATION ... 29
8 SIS DESIGN AND ENGINEERING ... 30
8.1 OBJECTIVES ... 30
8.2 ORGANISATION AND RESOURCES ... 30
8.3 PLANNING ... 30
8.4 INPUT ... 31
8.5 REQUIREMENTS ... 32
8.5.1 SIL requirements ... 32
8.5.2 Requirements to Failure Data ... 33
8.5.3 Subsystem interface ... 34
8.5.4 Field Sensor ... 34

8.5.5 Logic Solver ... 36
8.5.6 Final element ... 37
8.5.7 Utilities ... 37
8.5.8 Integration ... 38
8.6 SELECTION OF COMPONENTS ... 38
8.7 HMI – HUMAN MACHINE INTERFACE ... 38
8.8 INDEPENDENCE BETWEEN SAFETY SYSTEMS ... 39
8.9 FACTORY ACCEPTANCE TEST (FAT) ... 39
8.10 DOCUMENTATION FROM DESIGN PHASE ... 40
9 SIS INSTALLATION, MECHANICAL COMPLETION AND VALIDATION ... 42
9.1 OBJECTIVES ... 42
9.2 PERSONNEL AND COMPETENCE ... 42
9.3 REQUIREMENTS ... 42
9.3.1 Installation and mechanical completion planning ... 42
9.3.2 Installation ... 42
9.3.3 Mechanical completion ... 42
9.3.4 SIS safety validation planning ... 42
9.3.5 SIS safety validation ... 43
9.3.6 Documentation from SIS safety validation ... 44
10 SIS OPERATION AND MAINTENANCE ... 45
10.1 OBJECTIVE ... 45
10.2 OPERATION AND MAINTENANCE PLANNING ... 45
10.3 OPERATIONS AND MAINTENANCE PROCEDURES ... 45
10.4 COMPETENCE AND TRAINING ... 46
10.5 MAINTENANCE ... 46
10.5.1 Functional testing ... 46
10.5.2 Maintenance reporting ... 47
10.6 COMPENSATING MEASURES UPON OVERRIDES AND FAILURES ... 48
10.6.1 Compensating measures procedures ... 48
10.6.2 Dangerous Detected Failure ... 48
10.6.3 Override/Inhibit/Disable ... 48
10.7 REPORTING OF NON-CONFORMITIES AND DEMANDS ... 49
10.8 CONTINUOUS IMPROVEMENT OF OPERATION AND MAINTENANCE PROCEDURES ... 49
11 SIS MODIFICATION ... 50
11.1 OBJECTIVE OF MANAGEMENT OF CHANGE (MOC) ... 50
11.2 MOC PROCEDURE ... 50
11.3 MOC DOCUMENTATION ... 52
12 SIS DECOMMISSIONING ... 53
12.1 OBJECTIVES ... 53
12.2 REQUIREMENTS ... 53
APPENDIX A BACKGROUND FOR MINIMUM SIL
A.1 INTRODUCTION ... 56
A.2 DATA DOSSIER ... 57
A.3 PSD FUNCTIONS ... 63
A.4 SEGREGATION THROUGH ESD WITH ONE ESD VALVE ... 68
A.5 BLOWDOWN ... 69
A.6 ISOLATION OF TOPSIDE WELL ... 71
A.7 ISOLATION OF RISER ... 73
A.8 FIRE DETECTION ... 74
A.9 GAS DETECTION ... 75
A.10 ELECTRICAL ISOLATION ... 76
A.11 FIREWATER SUPPLY ... 77
A.12 BALLASTING SAFETY FUNCTIONS ... 78
A.13 ISOLATION OF SUBSEA WELL ... 81
A.14 DRILLING AND WELL INTERVENTION ... 86
A.15 MANUAL INITIATORS ... 93
A.16 REFERENCES ... 94

APPENDIX B EXAMPLES ON HOW TO DEFINE EUC ... 95
B.1 INTRODUCTION ... 97
B.2 DEFINITION OF EUC FOR LOCAL SAFETY FUNCTIONS ... 97
B.3 DEFINITION OF EUC FOR GLOBAL SAFETY FUNCTIONS ... 98
APPENDIX C HANDLING OF DEVIATIONS – USE OF QRA ... 100
C.1 INTRODUCTION ... 102
C.2 EXAMPLES ON HANDLING OF DEVIATIONS (EXAMPLE 1 AND 2) ... 102
C.3 VERIFICATION BY QRA OF A STATED SAFETY INTEGRITY LEVEL (EXAMPLE 3) ... 110
C.4 QRA AND IEC 61508 ... 114
APPENDIX D QUANTIFICATION OF PROBABILITY OF FAILURE ON DEMAND
ON BETWEEN PFD AND OTHER MEASURES FOR LOSS OF SAFETY ... 117
FAILURE CLASSIFICATION ... 119
COMMON CAUSE FAILURE MODEL ... 120
CALCULATION OF PFDUK ... 120
CALCULATION OF PFDK ... 121
WHY SHOULD WE ALSO QUANTIFY SYSTEMATIC FAILURES (PSF)? ... 121
RECOMMENDED APPROACH FOR QUANTIFICATION OF LOSS OF SAFETY WHEN IEC 61508 IS USED ... 122
EXAMPLE QUANTIFICATION ... 123
COMMON CAUSE FAILURES BETWEEN DIFFERENT TYPES OF COMPONENTS (DIVERSITY) ... 124
SOME USEFUL FORMULAS ... 124
REFERENCES ... 125
APPENDIX E LIFECYCLE PHASES, ACTIVITIES AND DOCUMENTATION ... 126
E.1 LIFECYCLE PHASES FOR A TYPICAL OFFSHORE PROJECT ... 128
E.2 SRS STRUCTURE AND CONTENT ... 130
E.3 SAR STRUCTURE AND CONTENT ... 136
APPENDIX F SIL FOLLOW UP ... 138
F.1 OVERVIEW OF OPERATION AND MAINTENANCE ACTIVITIES FOR SIL WORK ... 140
F.2 PROCEDURES FOR UPDATE OF TEST INTERVALS ... 143
F.3 ACTUAL SHUTDOWNS AS TEST ... 146
APPENDIX G INDEPENDENCE BETWEEN SAFETY FUNCTIONS ... 148
G.1 IMPLEMENTATION OF INDEPENDENCE BETWEEN SYSTEMS ... 150
G.2 CONNECTION BETWEEN SYSTEMS ... 151
G.3 CONNECTIONS TO EXTERNAL SYSTEMS ... 152
G.4 DATA FLOW BETWEEN SYSTEMS ... 153

Foreword

This document was originally developed as a joint industry project between operators and the various suppliers of services and equipment with the financial support of OLF. The original work was performed during the autumn of 2000 and the first revision of the document was issued February 2001.

Through the application of the IEC standards and this guideline on various projects, a need was identified for updating the document. This work was initiated early spring 2003 and the present document is the first official update of the original guideline.

The overall purpose of the document is to issue a guideline on the application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, and thereby simplify the use of the standards.

Additional information can be found at www.itk.ntnu.no/sil.

1 Introduction

1.1 Scope and purpose of document

The purpose of this document is to adapt and simplify the application of the IEC 61508 and IEC 61511 standards for use in the Norwegian petroleum industry.

According to the PSA management regulations (§1 and §2), performance requirements shall be established for all safety barriers on an installation. For instrumented safety systems, special reference is made to IEC 61508 and this document as the recommended standard for specification, design and operation of such safety systems.

Whereas IEC 61508 describes a fully risk based approach for determining SIL (Safety Integrity Level) requirements, this document provides minimum SIL requirements for the most common instrumented safety functions on a petroleum production installation (ref. chapter 7). Deviations from these requirements may however be identified (ref. section 7.7), and in such case the overall methodology and documentation should be in accordance with IEC 61508.

As a basis for the given SIL requirements, typical loop diagrams for a number of safety functions have been provided, together with industrially verified component reliability data (ref. appendix A). It should be noted that the given reliability data, and in particular the rate of dangerous undetected failures (λDU), are based on a number of assumptions concerning diagnostic coverage, fail-safe design, etc. Hence, if the provided data are used for SIL verification, it must be ensured that the actual purchased components satisfy all these assumptions.

Some key areas related to SIS design are:
- Relationship between Safety Integrity Level (SIL) and failure probability (ref. Table 8.1);
- Restrictions on design based on the Safe Failure Fraction, Hardware Fault Tolerance and the complexity of the component (ref. Table 8.2 and 8.3);
- Avoidance and control of systematic failures.

These aspects are discussed in more detail in chapter 8. Furthermore, the document provides guidance on additional design issues, on operation and maintenance, on modification of SIS and on management of functional safety.

In general, this document applies to all instrumented safety functions as defined by PSA and NORSOK. In the guideline to the PSA Facilities Regulations, a list of relevant safety functions is given. Some of these functions are covered explicitly in this document whereas some are not. Furthermore, some safety functions not explicitly defined by the PSA are also covered in this document. Table 1.1 summarises the functions covered / not covered in this document.

Table 1.1 Safety functions covered / not covered in this document

Safety functions defined in PSA Guidelines, The Facilities Regulations | Safety functions covered in this document | Ref. App. A | Notes
Sectioning of the process | X | A.4 |
Fire detection | X | A.8 | Manual initiation of F&G / ESD functions from field and from CCR is covered in A.15
Gas detection | X | A.9 | See above comment.
Isolation of sources of ignition | X | A.10 | See above comment.
Maintaining overpressure in unclassified areas | | | Not covered by this document.
Starting and stopping fire pumps, both manually and automatically | X | A.11 | Part of deluge function
Active fire fighting | X | A.11 | Deluge
Process safety | X | A.3.1 – A.3.5 |
Well safety | X | A.6 | Isolation of wells included in this document
Isolation of riser* | X | A.7 and A.13 | *Isolation of riser is not explicitly listed by PSA
Subsea ESD isolation* | X (new) | A.13 | *Subsea ESD isolation is not explicitly listed by PSA (covered under "Well safety")
Topside and subsea HIPPS protection* | - | - | *Covered as a deviation in appendix C. Ref. also section 7.7.
Depressurisation | X | A.5 |
General alarm and evacuation alarm | (X) | | Initiating signals from F&G system are covered in this document by A.8 / A.9. Alarm generation and distribution by the PA or dedicated alarm system is not covered.
Emergency power | - | | Presently not covered by this document.
Emergency lighting | - | | Presently not covered by this document. Particular requirements – Luminaires for emergency lighting covered by IEC 60598-2-22
Ballasting for floating facilities* | X | A.12 | *Both initiation of rig re-establishment and emergency stop of ballast system covered
Maintenance of correct pressure, humidity, temperature and gas composition in diving facilities | - | | Presently not covered by this document.
Prevention of blowouts and prevention of well leaks during drilling operations* | X (new) | A.14 | *Prevention of blowouts is not explicitly listed by PSA but can be seen as part of "well safety"
Prevention of blowouts and prevention of well leaks during well intervention operations* | - | A.14 | *As discussed in appendix A.14 no background has been found for stating a SIL requirement for this function.

Process safety functions, like PSD, shall be designed in accordance with ISO 10418 (former API RP 14C). SIL requirements to these functions are however not specified in ISO 10418, but are given in this document. Implementation of global safety functions like ESD and F&G is described by the PSA regulations and in relevant NORSOK standards, whereas SIL requirements are given in this document.

1.2 Risk reduction, SIS and safety barriers

In most situations safety is achieved by using a combination of various safety-related systems, including SIS (e.g. ESD and F&G), safety systems based on other technology (e.g. PSV, firewalls, drain system) and additional risk reduction facilities (e.g. procedures and separation/distance). Hence, an overall safety strategy must take into consideration all the safety-related systems and measures in order to reduce the risk to an acceptable level. This is illustrated in Figure 1.1 below.

[Figure 1.1 Framework for risk reduction (based on figure A.1 in IEC 61508-5). The figure places residual risk, acceptable risk and initial risk ("EUC risk") on an axis of increasing risk. The gap between initial risk and acceptable risk is the required risk reduction; the actual risk reduction is the sum of the risk reduction from external risk reduction facilities, from other technology safety-related systems and from Safety Instrumented Systems (SIS), i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities.]

The frequently used term "safety barrier" can also be related to the above framework. A safety barrier is often interpreted as a function which must be fulfilled in order to reduce the risk, and such a function can be implemented in terms of different systems and elements, both technical and operational. E.g. the safety function "avoid ignition" may be implemented in terms of "ignition source isolation" and "control of hot work permits".

Hence, safety barriers are used to reduce risk, and safety barriers can comprise a number of barrier systems and elements including instrumented safety systems (SIS) as well as other risk reducing systems and measures. In the management regulations, § 2 (PSA, 2002), safety barriers are specifically described. PSA indicates that general principles and strategies given in IEC 61508 can be applied to all safety systems, although the standard and this document focus on instrumented safety systems. Such general principles and strategies include:
- principles for risk reduction (ref. chapter 7)
- the overall lifecycle approach given in IEC 61508 (ref. chapter 2, figure 2.3)
- the nomination of a designated responsible person or job position (ref. chapter 5)
- the performance and follow-up of verification and validation activities (ref. chapter 6)
- follow-up during operation (ref. chapter 10)

It should be noted that this document only gives requirements to instrumented safety functions. These requir
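The following worked example is added here and is not part of the OLF guideline. It carries the Figure 1.1 framework through in numbers: the required risk reduction is the ratio of the initial ("EUC") risk to the acceptable risk, the non-SIS layers (other technology and external facilities) are credited with risk reduction factors, and the remaining gap fixes the PFDavg the SIS must deliver, which is then placed in a SIL band. The SIL bands are the low-demand PFDavg bands of IEC 61508-1 (the guideline's own Table 8.1 is not on this page). It goes one step beyond the text by also including the basic single-channel approximation PFDavg ≈ λDU·τ/2 from IEC 61508-6, so that the λDU caveat of section 1.1 can be seen in effect; the guideline's full appendix D formulas are not reproduced. All frequencies, risk reduction factors, λDU values and test intervals are constructed for the example and are not values from the guideline.

```python
"""Risk-reduction framework of Figure 1.1 worked through in numbers.

Added example, not code from the OLF guideline. Assumptions (constructed):
  - risk is expressed as a hazardous-event frequency per year;
  - each non-SIS layer is credited with a risk reduction factor (RRF);
  - the SIS operates in low-demand mode, so the IEC 61508-1 PFDavg bands apply;
  - the single-channel PFD uses the IEC 61508-6 approximation PFDavg = lambda_DU * tau / 2.
"""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-1, low-demand mode: SIL -> [lower, upper) band for PFDavg.
SIL_PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Return the SIL whose PFDavg band contains pfd.

    None means the value lies outside SIL 1-4: either >= 0.1 (no SIL can be
    claimed) or < 1e-5 (IEC 61508 defines no level beyond SIL 4).
    """
    for sil, (lower, upper) in SIL_PFD_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return None


@dataclass(frozen=True)
class RiskReductionCase:
    """One hazard seen through Figure 1.1 of the guideline."""
    initial_risk: float          # EUC risk: event frequency per year with no protection
    acceptable_risk: float       # tolerable event frequency per year
    other_technology_rrf: float  # e.g. PSV, firewalls, drain system
    external_rrf: float          # e.g. procedures, separation/distance

    def required_risk_reduction(self) -> float:
        """Required risk reduction expressed as a factor: initial / acceptable."""
        return self.initial_risk / self.acceptable_risk

    def non_sis_risk_reduction(self) -> float:
        """Risk reduction already achieved by the layers that are not SIS."""
        return self.other_technology_rrf * self.external_rrf

    def required_sis_pfd(self) -> float:
        """PFDavg the SIS must achieve so that residual risk <= acceptable risk.

        Returns 1.0 when the other layers already suffice (no SIS credit needed).
        """
        gap = self.required_risk_reduction() / self.non_sis_risk_reduction()
        return 1.0 if gap <= 1.0 else 1.0 / gap

    def residual_risk(self, sis_pfd: float) -> float:
        """Residual risk once a SIS with the given PFDavg is in place."""
        return self.initial_risk * sis_pfd / self.non_sis_risk_reduction()


def pfd_1oo1(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """Simplified PFDavg of a single channel (1oo1) proof-tested every tau hours.

    lambda_DU is the rate of dangerous undetected failures, so the result is
    only as good as the diagnostic-coverage and fail-safe assumptions behind
    that figure (the caveat made in section 1.1 of the guideline).
    """
    return lambda_du_per_hour * test_interval_hours / 2.0


if __name__ == "__main__":
    # Constructed case: 1 event/yr unprotected, 2e-4 /yr tolerable,
    # other technology credited with RRF 10, external facilities with RRF 10.
    case = RiskReductionCase(1.0, 2e-4, 10.0, 10.0)
    pfd_needed = case.required_sis_pfd()
    print(f"required risk reduction: {case.required_risk_reduction():.0f}")
    print(f"required SIS PFDavg:     {pfd_needed:.3g} -> SIL {sil_for_pfd(pfd_needed)}")

    # Constructed loop: lambda_DU = 2e-7 per hour, proof-tested once a year.
    achieved = pfd_1oo1(2e-7, 8760)
    print(f"1oo1 loop PFDavg:        {achieved:.3g} -> SIL {sil_for_pfd(achieved)}")
    print(f"residual risk with it:   {case.residual_risk(achieved):.3g} /yr")
```

Run as a script it prints the required risk reduction, the PFDavg the SIS has to provide with its SIL band, and the PFDavg a yearly-tested single channel with the constructed λDU actually achieves. Removing credit from a non-SIS layer (set `external_rrf` to 1.0) pushes the required PFDavg down one band, which is the point of the figure: the SIS requirement is what remains after every other layer has been counted.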
