Page 461 - Offshore Electrical Engineering Manual

448 CHAPTER 3 Notes on Safety Integrity Level Assessment

DETERMINING SAFETY INTEGRITY LEVELS – INSTRUMENTATION

SILs for field instruments are established by one of the following two methods:

1. FMEDA (failure modes, effects and diagnostic analysis) is best when reviewed or certified by a third party such as Exida or TUV, although self-declarations can be carried out by the manufacturer. A systematic analysis is necessary to determine failure rates, failure modes and the diagnostic capability as defined by IEC 61508/61511.
2. Proven in use (also called prior use) is typically used by a customer with a mature instrument in known processes. This approach requires sufficient product operational hours, revision history, fault reporting systems and field failure data to determine if there is evidence of systematic design faults in a product. IEC 61508 provides levels of operational history required for each SIL. It is generally considered of more value when done by users in their facility when comparing similar data. It is considered less reliable when done by a device manufacturer whose data may be less relevant to the end-user's application.



SAFEGUARDS

If at all possible, the system should be inherently safe and not require the need for an SIS with a high SIL. With offshore installations, good design practice should keep control loops of SIL 2 or above to an absolute minimum. This can be done by reducing the probability of the major accident event by

• minimising the staffing level of the area where the risk is present,
• providing passive fire and/or blast protection,
• using relief devices such as relief valves and bursting disks,
• keeping flammable inventories away from areas of expected high manning (e.g., accommodation modules).

Should the event occur, its effect can be reduced by mitigating elements, some of which will be SISs, such as

• fire and gas detection systems
• ignition prevention
• emergency shutdown systems
• blowdown and flare systems
• active fire protection/suppression
• communication and alarm systems
• temporary refuge, escape and evacuation systems

Note that the SIL is based on the whole loop, i.e., all the components of the loop play a part in achieving the SIL, so purchasing a logic panel with a high SIL will not guarantee that each loop has a high SIL (Tables 9.3.2 and 9.3.3).
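The loop-level point above can be made concrete with a small calculation. The following Python example is added here and is not from the manual: the component PFDavg figures are constructed sample values (not vendor data), the SIL bands are the IEC 61508 low-demand PFDavg bands, and the PFDavg of the series subsystems (sensor, logic solver, final element) is summed, which is the usual approximation for a loop. It shows a logic solver whose own PFDavg sits in the SIL 3 band ending up in a loop that only reaches SIL 1 because of the field devices.

```python
"""Loop SIL from subsystem PFDavg values (added example, constructed data).

IEC 61508 low-demand bands for average probability of failure on demand:
  SIL 4: 1e-5 <= PFDavg < 1e-4
  SIL 3: 1e-4 <= PFDavg < 1e-3
  SIL 2: 1e-3 <= PFDavg < 1e-2
  SIL 1: 1e-2 <= PFDavg < 1e-1
PFDavg is only one of the SIL requirements; hardware fault tolerance /
safe failure fraction and systematic capability must be met as well.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Subsystem:
    name: str
    pfd_avg: float  # average probability of failure on demand (constructed)


# Upper bound (exclusive) of each SIL band, highest SIL first.
SIL_BANDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL band a PFDavg falls in; 0 means it does not reach SIL 1."""
    if pfd < 0:
        raise ValueError("PFDavg cannot be negative")
    for sil, upper in SIL_BANDS:
        if pfd < upper:
            return sil
    return 0


def loop_pfd(subsystems: Iterable[Subsystem]) -> float:
    """Series subsystems: the loop fails on demand if any one of them does,
    so to first order their PFDavg values add."""
    return sum(s.pfd_avg for s in subsystems)


def loop_sil(subsystems: Iterable[Subsystem]) -> int:
    return sil_for_pfd(loop_pfd(subsystems))


def weakest_subsystem(subsystems: Iterable[Subsystem]) -> Subsystem:
    """The subsystem contributing the largest share of the loop PFDavg."""
    return max(subsystems, key=lambda s: s.pfd_avg)


# Constructed loop: SIL 2-class sensor, SIL 3-class logic solver, SIL 2-class valve.
LOOP: List[Subsystem] = [
    Subsystem("pressure transmitter", 4.0e-3),
    Subsystem("logic solver", 3.0e-4),
    Subsystem("shutdown valve + solenoid", 8.0e-3),
]


if __name__ == "__main__":
    for s in LOOP:
        print(f"{s.name:28s} PFDavg={s.pfd_avg:.1e}  on its own: SIL {sil_for_pfd(s.pfd_avg)}")
    total = loop_pfd(LOOP)
    print(f"whole loop: PFDavg={total:.2e} -> SIL {loop_sil(LOOP)}")
    print(f"largest contributor: {weakest_subsystem(LOOP).name}")
```

Run as a script it prints each subsystem's own band and then the loop result; the logic solver alone sits in the SIL 3 band, but the loop PFDavg of about 1.2e-2 crosses the SIL 2 limit, so the loop only achieves SIL 1, and the final element is where any improvement effort belongs.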