SIL Verification Analysis - FEED

Pages modified under this revision:

14-JAN-2010

REV. DATE STATUS WRITTEN BY CHECKED BY APPROVED BY CLIENT APPROVAL

(name & sign) (name & sign) (name & sign) (name & sign)

DOCUMENT REVISIONS
 SIL VERIFICATION ANALYSIS - FEED

TABLE OF CONTENTS

1.0 INTRODUCTION............................................................................................................... 5

2.0 DEFINITIONS.................................................................................................................... 5

2.1 Clarification of terms.......................................................................5

2.2 Abbreviation and Acronyms.............................................................8

3.0 OBJECTIVE..................................................................................................................... 10

4.0 SCOPE............................................................................................................................ 10

5.0 ROLES AND RESPONSABILITIES.................................................................................11

6.0 METHODOLOGY............................................................................................................ 12

6.1 Reliability Data.............................................................................12

6.1.1 Failure rate:................................................................................................................. 12

6.1.2 MTTR and Frequency of Functional Testing:...............................................................13
6.2 Architectural Constraints...............................................................13

6.3 Probability of Failure on Demand...................................................14

6.4 Assumptions.................................................................................16

6.5 Codes and Standards.....................................................................16

6.6 Software.......................................................................................16

7.0 REFERENCES & DOCUMENTS USED..........................................................................16

8.0 RESULTS........................................................................................................................ 18

8.1 Safety Instrumented Functions......................................................19

8.2 SIL Analysis Results based on Architectural Constraints..................26

8.3 SIL Analysis Results based on Probability of Failure on Demand......34

8.4 Major Contributors to the Probability of Failure on Demand.............46

 SIL VERIFICATION ANALYSIS - FEED

9.0 REcommendations........................................................................................................... 47

TABLE OF TABLES
Table 7-1: Hardware Safety Integrity: AC on type “A” safety-related subsystems.........................14
Table 7-2: Hardware Safety Integrity: AC on type B safety-related subsystems...........................14
Table 7-3: Safety Integrity Level...................................................................................................15
Table 8-1: Piping and Instrumentation Diagrams..........................................................................17
Table 9-1: Safety Instrumented Functions....................................................................................19
Table 9-2: Safety Integrity Level – Architectural Constraints.........................................................26
Table 9-3: Safety Integrity Level – PFDAVG...................................................................................35
Table 9-4: SIL Targets Met - Base Case, Sensitivity Cases A,B,C................................................44
Table 9-5: Alternative Scenario Safety Integrity Level – PFDAVG..................................................44
Table 9-6: SIL Achievement - All cases.........................................................................................46

APPENDICES
APPENDIX 1: SIL CLASSIFICATION / RISK GRAPH RESULTS
APPENDIX 2: ASSUMPTIONS
APPENDIX 3: SIL CALCULATIONS – EXSILENTIA REPORT
 SIL VERIFICATION ANALYSIS - FEED

SUMMARY

This document contains the results of the Safety Integrity Level (SIL) verification analysis
conducted for the PDVSA’s Mariscal Sucre project.
The main purpose of conducting the SIL verification is to demonstrate that the SIF
achieves the target safety availability (referred to as average probability of failure on
demand ‘PFDAVG’) and the architectural constraints (AC) associated with the SIL
requirement identified during the SIL Classification workshop.
The study involves the SIL verification of the Safety Instrumented Functions (SIFs) of the
Dragon and Patao Production Platform off the coast of Venezuela (topside scope)
associated with the Mariscal Sucre project.
The results in this report are preliminary because some assumptions have not been fully
validated by PDVSA; some SIF components, mainly field instrumentation and logic
solvers, have not been defined yet; and some generic failure data has been used in most
of the cases evaluated. In cases where specific instrumentation to be used was unknown,
but a list of acceptable instrumentation was available, failure data for a representative
piece of instrumentation was used. Later on, when specific failure data associated with
the selected field instrumentation and logic solver is known, and maintenance program
and procedures are further developed, the calculation should be run again.
Based on the probability of failure on demand and architectural constraints it can be
concluded that 60% of the SIFs for the offshore platform associated with the Dragon-
Patao field development fulfill the requirements for their corresponding SIL (most of them
SIL 1) as designed, while the remaining 40% do not meet their SIL requirement. The SIFs
that do not meet their target SIL will require additional design considerations and possibly
some further analysis.
It is recommended that the requirements defined in this analysis, especially the ones that
focus on the failure rates (λ), diagnostic coverage (DC) factors and safe failure fractions
(SFF) of sensors and final elements be incorporated in the technical specification of the
SIF/SIS components. It is also recommended that the SIL verification process be re-
conducted once specific failure data from the SIF/SIS components (field instrumentation
and logic solver) become available, in order to ensure the fulfillment of the requirements in
terms of architectural constraints (AC) and probability of failure on demand (PFDAVG).
1.0 INTRODUCTION

Petróleos De Venezuela, S.A. (PDVSA) is currently conducting the Front End Engineering
Design (FEED) of the Mariscal Sucre Project. The project will consist of sixteen wells
from two gas fields being tied back via subsea pipelines to a gas production platform
(Dragon and Patao production platform). Produced gas is then transported from the
platform to the Venezuelan shore by an export gas pipeline. The platform will include, but
not be limited to, pig receivers, liquid removal facilities, gas metering, pressure control,
produced water handling facilities, venting, liquids metering, storage and disposal, and a
pig launcher.
PDVSA has requested TECHNIP to perform a SIL Verification analysis of the SIF
associated with the Dragon and Patao Production Platform.
This document describes the scope of work, methodology, assumptions used and the
preliminary results of the Safety Integrity Level (SIL) verification analysis conducted
through the FEED design for PDVSA’s Dragon and Patao production platform.

2.0 DEFINITIONS

2.1 Clarification of terms.

ALARP
“As Low As Reasonably Practicable”. The concept implies that ultimately there is a
trade-off between the costs of risk reduction and the benefits obtained. Most
decisions on whether risks are ALARP should be made by exercising professional
judgment on whether the risks are reasonable when set subjectively against the
cost of further risk reduction. In some cases, a formal cost-benefit analysis can be
used which can be seen to give a more objective analysis of costs against the
benefits of risk reduction.

Availability
The ability of an item to be in a state to perform a required function under given
conditions at a given instant of time or during a given time interval, assuming that
the required external resources are provided. This ability is expressed as the
proportion of time the item is in the functioning state.

Basic Process Control System

The system that responds to input signals from the process and generates output
signals to maintain operation of the process in a desired state. The system does
not perform functions assessed as SIL 1 or higher.

Beta Factor
 SIL VERIFICATION ANALYSIS - FEED

The fraction of the failures of a single component that cause all redundant
components to fail “simultaneously”.

Common Cause Failure

A failure having the potential to affect all redundant components in a robust
configuration by virtue of common or shared characteristics.

Dangerous Failure
A failure that has the potential to place the SIF/SIS in a state in which it will fail to
perform its function. Historically, this has been referred to as unrevealed failure.

Demand
A process or equipment condition or event which requires a SIF to take action to
prevent a hazardous situation.

Demand Rate
The frequency at which a demand occurs (i.e., the number of demands per unit
time).

Diagnostic Coverage (DC) Factor

The number of dangerous failures that diagnostic feature is capable of detecting
expressed as a fraction of all possible dangerous failures.

Failure
Termination of the ability of an item to perform a required function.

Failure Mode (FM)

The observed failure.

Failure Rate (λ)

The number of failures divided by the corresponding time.

Final Element
A device or combination of devices, which manipulate a process variable or attract
the attention of the operator to achieve risk reduction. The final element includes
output cards or output relays, solenoid valves and cabling. Examples are valves,
switchgear (rotating equipment stop circuits) and alarms.

Functional Proof Test

A test carried out on SIF components against an approved procedure to confirm
that all requirements of the SIF are met. It includes the entire SIF (sensor, logic
solver and final elements).

Hazard or Hazardous Situation

 SIL VERIFICATION ANALYSIS - FEED

A physical situation with the potential for human injury, damage to property,
damage to the environment or some combination of these.

Hazard Rate
The frequency at which hazardous situations occur per unit time.
Hazard Rate = Demand Rate x Probability of Failure on Demand.

Logic Solver
The portion of a SIS performing the application logic function. Examples are an
electromechanical relay, a solid-state/magnetic-core logic and a Central
Processing Unit (CPU) section of programmable electronic systems.

Mitigation
The action of making a consequence less severe or reducing the frequency of an
event.

Probability of Failure on Demand (PFD)

The probability of the SIF/SIS failing to respond to a demand.

Risk
The frequency at which a hazardous situation occurs multiplied by the
consequence of the hazardous situation.

Reliability
The ability of an item to perform a required function under given conditions for a
given time interval.

Safe Failure
A failure whose occurrence does not have the potential to place a SIF/SIS in a
dangerous state. Historically, this has been referred to as revealed failure.

Safe Failure Fraction

The fraction of all failures that drive the sub-system (e.g. sensor or final element)
to the safe state. It is also defined as the ratio of the average rate of safe failures
plus dangerous detected failures of the subsystem to the total average failure rate
of the subsystem.

Safety Integrity Level (SIL)

The definition in IEC 61511: discrete level (one out of four) for specifying the safety
integrity requirements of the safety instrumented functions to be allocated to the
safety instrumented systems. Safety integrity level 4 has the highest level of safety
integrity; safety integrity level 1 has the lowest.

Safety Instrumented Function (SIF)

 SIL VERIFICATION ANALYSIS - FEED

A function comprising one or more sensors, a logic solver and one or more final
elements whose purpose is to prevent or mitigate hazardous situations. A SIF is
intended to achieve or maintain a safe state for the process, in respect of a
specific hazardous event.

Safety Instrumented System (SIS)

The electromechanical, electronic and/or programmable electronic logic solver
component of the SIF, complete with sensors and final elements.

Sensor
A device, or combination of devices, that indicates whether a process or
equipment item is operating outside the operating envelope. The sensor (also
referred to as initiator) includes input cards and input relays. Examples are manual
switches, position switches and measurement systems.

Systematic Failure
Failures related in a deterministic way to a certain cause, which can only be
eliminated by a modification of the design or of the manufacturing process,
operational procedures, documentation or other relevant factors.

2.2 Abbreviation and Acronyms

AC Architectural Constraints
ALARP As Low As Reasonably Practicable
BPCS Basic Process Control System
C&E Cause and Effect Chart/Diagram
CCF Common Cause Failure
DC Diagnostic Coverage
DCS Distributed Control System
DED Detail Engineering Design
ESD Emergency Shutdown (system)
F&G Fire and Gas (system)
FMEA Failure Modes and Effects Analysis
FMEDA Failure Modes, Effects and Diagnostics Analysis
FTA Fault Tree Analysis
HAZOP Hazard and Operability study
HFT Hardware Fault Tolerance
HIPPS High Integrity Pressure Protection System
 SIL VERIFICATION ANALYSIS - FEED

I/O Input / Output

IEC International Electrotechnical Commission
IPL Independent Protection Layer
LAHH Level Alarm High High
LALL Level Alarm Low Low
MMS Maintenance Management System
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MTTR Mean Time to Restoration
OREDA Offshore Reliability Data
PAHH Pressure Alarm High High
PALL Pressure Alarm Low Low
PDVSA Petróleos de Venezuela S.A.
P&ID Piping and Instrumentation Diagram
PFD Probability of Failure on Demand
PFDAVG Average Probability of Failure on Demand
PHA Process Hazard Analysis
PLC Programmable Logic Controller
PSD Process Shutdown
QRA Quantitative Risk Analysis
RRF Risk Reduction Factor
SCADA Supervisory Control and Data Acquisition
SDV Shutdown Valve
SFF Safe Failure Fraction
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SLC Safety Life-Cycle
SO Spurious Operation
TAHH Temperature Alarm High High
TALL Temperature Alarm Low Low
TOR Tolerability of Risk
 SIL VERIFICATION ANALYSIS - FEED

3.0 OBJECTIVE

The objectives of a SIL verification analysis are as follows:

a. Demonstrate that the SIF achieves the required probability of failure on demand
(PFD) and the architectural constraints associated with the SIL requirements. This
includes reviewing the requirements related to system architecture, configuration
and test interval in accordance to IEC 61508 and IEC 61511 (Ref 1 and 2).
b. Identify the most important contributors to probability of failure on demand
associated with each SIF and propose alternative design/maintenance options to
improve the estimated SIL if necessary.
The final objective of the SIL Verification analysis is to verify that the Safety Instrumented
Functions (SIFs) will contribute to reduce the risk associated with the process as low as
reasonably practicable (ALARP).

4.0 SCOPE

The Safety Integrity Level (SIL) Verification analysis assesses the performance and
functional integrity of the Safety Instrumented Functions (SIFs) associated with the
Mariscal Sucre Project, specifically with the Dragon and Patao production platform and
compares them to the corresponding SIL targets defined during the SIL Classification
workshop (Ref 6).
The assessment is traditionally performed through the development of reliability models
that typically involve Reliability Block Diagram (RBD) or Fault Trees (FT).
The scope for this study included the pig receivers, liquid removal facilities, gas metering,
pressure control, produced water handling facilities, venting, liquids metering, storage and
disposal, and pig launcher. However, some specific SIFs associated with utility and third
party packages (that will be purchased as an individual module/skid) were not addressed
in this study as these have not been selected yet. Once these are selected and relevant
information is available, SIL targets for the corresponding SIFs should be determined and
a SIL verification analysis should be undertaken.
Appendix 1 contains the Safety Instrumented Functions (SIFs) associated with the Dragon
and Patao production platform that were evaluated in this SIL Verification analysis.
This document contains sensitivity cases for those Safety Instrumented Functions (SIFs)
that do not meet the SIL targets as currently designed. The objectives of these sensitivity
cases are to evaluate the different plausible alternatives to improve the performance of
the SIF to ultimately fulfill the SIL target. These sensitivity cases are based on important
 SIL VERIFICATION ANALYSIS - FEED

findings from the SIL analysis and the identification of major contributors to the Probability
of Failure on Demand (PFD).

5.0 ROLES AND RESPONSABILITIES

This section identifies key SIL study participants and their roles and responsibilities during
the SIL verification analysis.
The SIL Expert’s responsibilities were to:

 Develop reliability models, comprising all identified SIFs.

 Verify that architectural constraint considerations are met.

 Estimate the average Probability of Failure on Demand (PFDAVG) for each SIF and
verify that SIL requirements in terms of PFDAVG are met.

 Identify major contributors to the average Probability of Failure on Demand

(PFDAVG).

 Provide recommendations based on important findings

The responsibility to identify and develop sensitivities cases for those SIF not meeting the
SIL target is also under the SIL Expert’s responsibilities.
The Client is responsible for their input into the SIL verification analysis process by
participating in the safety review meetings and SIL workshops; providing any requirements
such as maintenance programs and procedures, and timely document reviews.
Specifically, Client responsibilities are to:

 Validate the assumptions used during the SIL verification process (system
architecture, data bases, maintenance considerations, etc).

 Review and validate the results arising from the SIL analysis.

The Project Manager is responsible for ensuring the implementation of the SIL analysis
recommendations, and the cooperation of the project members. He is also the key
interface point for Client communications.

6.0 METHODOLOGY

During the SIL verification task, calculations are performed to show if the designed SIF
meets the target SIL. This calculation takes into account, among other factors, the periodic
functional proof test performed by operators to ensure the required SIL is maintained
during the entire asset life.
 SIL VERIFICATION ANALYSIS - FEED

For compliance with the IEC 61508 or IEC 61511 functional safety standards (Ref 1 and
2), the achievement of the SIL of a SIF was verified against the average Probability of
Failure on Demand (PFDAVG) and the Architectural Constraints (i.e. hardware fault
tolerance of the subsystems, fraction of safe failures and type of system).
The SIL verification task followed the following sequence of steps:
Step 1: Identify SIFs for all sub systems included in the study.
Step 2: Develop reliability models, comprising all identified SIFs.
Step 3: Extract generic reliability data from available databases.
Step 4: Define MTTR and frequency of functional testing.
Step 5: Verify that architectural constraint considerations are met.
Step 6: Estimate the average Probability of Failure on Demand (PFDAVG) for each
SIF and verify that SIL requirements in terms of PFDAVG are met.
Step 8: Identify major contributors (main drivers) to the Probability of Failure on
Demand.
Step 9: Make recommendations based on important findings

6.1 Reliability Data

6.1.1 Failure rate:

No failure data is available yet for the specific instrumentation associated with the safety
instrumented functions, consequently generic failure rates (λ) for sensors and final
elements were taken predominantly from EXIDA Safety Equipment Reliability Handbook
(Ref 9) and OREDA (Ref. 7 and 8). In case of the logic solver associated with the ESD
system and logic solvers associated with non F&G SIFs, a probability of failure on
demand average of 6.36 x 10-5 was assumed based on SIL 3 certified PLC performance
described in Ref 9.

6.1.2 MTTR and Frequency of Functional Testing:

The MTTR used for SIL verification purposes was as follows:

 For those SIF/SIS components that can be repaired on-line without process
isolation, a repair time of 8 hours. These include PLC components (repaired by
change-out on line) and sensors that are not in direct contact with the process or
that can be isolated from it by using an isolation valve.
 SIL VERIFICATION ANALYSIS - FEED

 For those SIF/SIS components that require additional effort to be isolated from the
process (e.g. emergency shutdown valves), a repair time of 12 hours.

 Subsea isolation valves (SSIV) were considered to have a repair time of 48 hours.

A 48-month functional proof test interval was selected for sensors and final elements.

6.2 Architectural Constraints

Architectural constraints on hardware safety integrity are given in terms of three
parameters:

 The hardware fault tolerance of the subsystem (HFT)

 The safe failure fraction (SFF), i.e. the fraction of failures which can be considered
“safe” because they are detected by diagnostic tests or do not cause loss of the
safety function.

 Whether the subsystem is of “A-type” or “B-type”. For “A-type” subsystems all

possible failure modes can be determined for all constituent components, whereas
for “B-type” subsystems the behavior under fault conditions cannot be completely
determined for at least one component (e.g. a logic solver).
In the context of hardware safety integrity, the highest safety integrity level that can be
claimed for a safety function is limited by the hardware fault tolerance and safe failure
fraction of the subsystems that carry out the safety function. In order to determine the
maximum hardware safety integrity level that can be claimed for the total safety function
under consideration, each subsystem was assessed according to Table 2 and 3 of IEC
61508, part 2 (Ref. 1).
Table methodology-1 and Table methodology-2 are abstracts from IEC 61508 Part 2
(specifically, Tables 2 and 3) that details the architectural constraints (AC) related to each
target SIL we must be aware of.
Table methodology-1: Hardware Safety Integrity: AC on type “A” safety-related
subsystems
Hardware fault tolerance (A hardware fault tolerance of N means that N
Safe failure
+ 1 fault could cause a loss of the safety function.)
fraction
0 1 2
< 60 % SIL 1 SIL 2 SIL 3
60 % – < 90 % SIL 2 SIL 3 SIL 4
90 % – < 99 % SIL 3 SIL 4 SIL 4
> 99 % SIL 3 SIL 4 SIL 4
 SIL VERIFICATION ANALYSIS - FEED

Table methodology-2: Hardware Safety Integrity: AC on type B safety-related

subsystems
Hardware fault tolerance (A hardware fault tolerance of N means that N
Safe failure + 1 fault could cause a loss of the safety function.)
fraction 0 1 2
< 60 % Not allowed SIL 1 SIL 2
60 % – < 90 % SIL 1 SIL 2 SIL 3
90 % – < 99 % SIL 2 SIL 3 SIL 4
> 99 % SIL 3 SIL 4 SIL 4

6.3 Probability of Failure on Demand

The reliability of a system may be quantified by a number of reliability parameters. In the
present study the average Probability of Failure on Demand (PFD AVG) was used. It
represents the average probability that a safety system does not operate when required.
For a single component that is tested for failures at fixed time interval “” it is calculated by
the formula:
1
PFDavg  
2

where:
 = failure rate
 = periodic proof test interval

This equation assumes that a periodic proof test performed at the fixed interval will detect
all failures.
Table methodology-3 shows the safety integrity level according to IEC -61511/508
applicable for low demand mode (frequency of demands for operation of the SIF/SIS is no
greater than one per year and no greater than twice the proof test frequency).
SIL is a simply statistical representation of the integrity of the SIF/SIS when a process
demand occurs.
The acceptance of a SIL 1 SIF means that the level of hazard is sufficiently low and that a
SIF with a PFDAVG of 10-1 is acceptable. The probability of failure on demand of 0.1 would
mean that, out of every 10 times that the demand occurs, there would be one predicted
failure of the SIF, e.g. the SIF would fail to respond.
It should be noted that the SIL requirement applies to a complete function, e.g. the field
sensor, the logic solver and the final element. Such a quantitative analysis includes
random hardware failures, common cause failures, and if relevant, failures of any data
communication systems used to support the safety function (e.g. Field bus).
 SIL VERIFICATION ANALYSIS - FEED

The estimated PFDAVG is compared to the target measure as specified by the SIL level
(see Table methodology-3). For those SIFs which do not achieve the SIL target,
alternative scenarios are performed to evaluate the sensitivity of the PFD AVG to key
parameters such as failure rate (λ), diagnostic coverage (DC) factor, functional proof test
interval, etc.

Table methodology-3: Safety Integrity Level

Average Probability Risk Reduction

Safety Integrity
of Failure on Factor
Level (SIL)
Demand (PFDAVG) (1/ PFDAVG)

10-1 to 10-2 10 to 100

1

10-2 to 10-3 100 to 1000

2
10-3 to 10-4 1,000 to 10,000
3
10-4 to 10-5 10,000 to 100,000
4

6.4 Assumptions
The assumptions used during the Safety Integrity Level (SIL) verification process are
defined in Appendix 2.

6.5 Codes and Standards

IEC61508 and IEC61511 apply to the SIL process. They are not prescriptive standards;
these are performance based standards. These describe the processes to reach a
solution, rather than prescribing the solution itself.
IEC 61508: Functional Safety of Electrical/Electronic/ Programmable Electronic Safety-
Related System.
The international standard IEC 61508 has been widely accepted as the basis for
specification, design and operation of Safety Instrumented Systems (SIS). The standard
sets out a risk-based approach for deciding the Safety Integrity Level (SIL) for systems
performing safety functions. The standard defines the requirement that manufacturers
must meet on Electric/Electronic/Programmable Electronic devices to be suitable for use
in safety applications. However, the standard only defines “product” requirements and
does not address safety system design or system implementation issues.
 SIL VERIFICATION ANALYSIS - FEED

IEC 61511: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-

Related System.
IEC 61508 is a generic standard common to several industries; the process industry has
developed their own sector-specific standard, IEC 61511, for application of SIS.

6.6 Software
SIL verification was performed using exSILentia Software, which is a SIL automated tool
that conforms to IEC 61508 and 61511 standards.

7.0 REFERENCES & DOCUMENTS USED

The following documents were used to perform the Safety Integrity Level (SIL) Verification
analysis:
1. IEC 61508: Functional Safety of Electrical/Electronic/ Programmable Electronic
Safety-Related System
2. IEC 61511: Functional Safety – Safety Instrumented System for the Process
Industry Sector
3. Fire Protection Philosophy (Ref. TF013493-000-JSD-1900-003 Rev E)
4. HAZOP Review Report: FEED Engineering (Ref. TF013493-000-RT-1900-002 Rev
B)
5. Safety Analysis Function Evaluation (SAFE) Chart (Ref. TF013493-000-DW-1514-
001 Rev. D)
6. SIL Classification Analysis report (Ref. TF013493-000-RT-1902-001 Rev C)
7. Offshore Reliability Data (OREDA), 3rd edition (1997)
8. Offshore Reliability Data (OREDA), 4th edition (2002)
9. EXIDA Safety Equipment Reliability Handbook, Third Edition, Volume 01.
10. Guidance for Testing of Process Sector SIF Implemented as or within SIS (ISA-
TR84.00.03-2002)

The P&ID shown in Error: Reference source not found were also used to perform the
Safety Integrity Level (SIL) Classification analysis.
 SIL VERIFICATION ANALYSIS - FEED

Table 8-1 - Piping and Instrumentation Diagrams

DESCRIPTION TPUSA Document/Drawing Number Rev

P&ID Dragon Platform: Flowline Pig Receiver/Launcher Dragon No. 1 TF013493-DRA-PID-0021-0011 F

P&ID Dragon Platform: Flowline Pig Receiver/Launcher Dragon No. 2 TF013493-DRA-PID-0021-0012 F
P&ID Dragon Platform: Flowline Pig Receiver/Launcher Patao No. 1 TF013493-DRA-PID-0021-0013 C
P&ID Dragon Platform: Flowline Pig Receiver/Launcher Patao No. 2 TF013493-DRA-PID-0021-0014 C
P&ID Dragon Platform: Gas Separator Train A TF013493-DRA-PID-0021-0015 F
P&ID Dragon Platform: Gas Separator Train B TF013493-DRA-PID-0021-0016 F
P&ID Dragon Platform: Gas Metering Train A TF013493-DRA-PID-0021-0029 C
P&ID Dragon Platform: Gas Metering Train B TF013493-DRA-PID-0021-0030 F
P&ID Dragon Platform: Export Pipeline Pig Launcher TF013493-DRA-PID-0021-0031 F
P&ID Dragon Platform: HP Fuel Gas Drum TF013493-DRA-PID-0021-0032 F
P&ID Dragon Platform: HP Fuel Gas Heater and Filters TF013493-DRA-PID-0021-0033 F
P&ID Dragon Platform: HP Fuel Gas Distribution TF013493-DRA-PID-0021-0034 F
P&ID Dragon Platform: LP Fuel Gas Drum TF013493-DRA-PID-0021-0035 F
P&ID Dragon Platform: LP Fuel Gas Distribution TF013493-DRA-PID-0021-0036 F
P&ID Dragon Platform: Methanol Storage Drum TF013493-DRA-PID-0021-0037 F
P&ID Dragon Platform: Methanol Injection Pumps for Dragon TF013493-DRA-PID-0021-0038 F
P&ID Dragon Platform: Chemical Injection for Dragon Package, Sheet 1 of 4 TF013493-DRA-PID-0021-0039 F
P&ID Dragon Platform: Chemical Injection for Dragon Package, Sheet 2 of 4 TF013493-DRA-PID-0021-0040 F
P&ID Dragon Platform: Chemical Injection for Dragon Package, Sheet 3 of 4 TF013493-DRA-PID-0021-0041 F
P&ID Dragon Platform: Chemical Injection for Dragon Package, Sheet 4 of 4 TF013493-DRA-PID-0021-0042 F
P&ID Dragon Platform: Chemical Injection Package for Export Pipeline TF013493-DRA-PID-0021-0043 F
P&ID Dragon Platform: Chemical Injection for Patao Package, Sheet 1 of 4 TF013493-DRA-PID-0021-0045 C
P&ID Dragon Platform: Chemical Injection for Patao Package, Sheet 2 of 4 TF013493-DRA-PID-0021-0046 C
P&ID Dragon Platform: Chemical Injection for Patao Package, Sheet 3 of 4 TF013493-DRA-PID-0021-0047 C
P&ID Dragon Platform: Chemical Injection for Patao Package, Sheet 4 of 4 TF013493-DRA-PID-0021-0048 C
P&ID Dragon Platform: Methanol Injection Pumps for Patao TF013493-DRA-PID-0021-0049 C
P&ID Dragon Platform: Fuel Gas H2S Removal TF013493-DRA-PID-0021-0050 A
P&ID Dragon Platform: HP Flare Header TF013493-DRA-PID-0031-0051 F
P&ID Dragon Platform: HP Flare K O Drum TF013493-DRA-PID-0031-0052 F
P&ID Dragon Platform: HP Flare TF013493-DRA-PID-0031-0053 F
P&ID Dragon Platform: Closed Drain Header TF013493-DRA-PID-0031-0055 F
P&ID Dragon Platform: Closed Drain Drum TF013493-DRA-PID-0031-0056 F
P&ID Dragon Platform: Open Drain Header TF013493-DRA-PID-0031-0057 F
P&ID Dragon Platform: Open Drain Tank TF013493-DRA-PID-0031-0058 F
P&ID Dragon Platform: Diesel Receiving and Treatment, Sheet 1 of 2 TF013493-DRA-PID-0031-0059 F
P&ID Dragon Platform: Diesel Receiving and Treatment, Sheet 2 of 2 TF013493-DRA-PID-0031-0060 F
 SIL VERIFICATION ANALYSIS - FEED

Table 8-1 - Piping and Instrumentation Diagrams

DESCRIPTION TPUSA Document/Drawing Number Rev

P&ID Dragon Platform: Diesel Storage and Pump TF013493-DRA-PID-0031-0061 F

P&ID Dragon Platform: Diesel Filters TF013493-DRA-PID-0031-0062 F
P&ID Dragon Platform: Diesel Distribution TF013493-DRA-PID-0031-0063 F
P&ID Dragon Platform: Instrument and Plant Air Distribution TF013493-DRA-PID-0031-0068 F
P&ID Dragon Platform: Potable Water Storage TF013493-DRA-PID-0031-0075 F

8.0 RESULTS

Due to the lack of information about the failure behavior of SIF/SIS components, the
results in this report are preliminary because some assumptions have not been fully
validated by PDVSA; some SIF components, mainly field instrumentation and logic
solvers, have not been defined yet; and generic failure data has been used in most of the
cases evaluated. Later on, when specific failure data associated with the selected field
instrumentation and logic solver is known, and maintenance program and procedures are
further developed, the calculation should be run again.

8.1 Safety Instrumented Functions

All SIFs that were classified during the SIL workshops and safety review sessions (SIL
rated SIFs) were evaluated during the SIL verification. From the revision of P&IDs, C&E
Diagram, and FEED HAZOP, 70 Safety Instrumented Functions (SIFs) were identified and
validated, and from them 54 were SIL rated (4 SIL 3, 10 SIL 2 and 40 SIL 1).
Table 9-1 shows the Safety Instrumented Functions (SIFs) included in the SIL Verification
analysis. Appendix 1 contains more detail information about the risk events these SIFs will
protect against.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
High flowline pressure coming into platform from Dragon
West (Wells 7,8,9,4). High pressure setpoint on PIT-1083
1 (PAHH-1083) causes valves SDV-0001A (subsea), SDV- TF013493-DRA-PID-0021-0011-F 1
1003, and SDV-1004 to close.

High flowline pressure coming into platform from Dragon

West (Wells 7,8,9,4). High pressure setpoint on PIT-1008
2 A/B/C (PAHH-1008 A/B/C) causes valves SDV-1006 and TF013493-DRA-PID-0021-0011-F 3
SDV-1007 to close.

Low flowline pressure coming into platform from Dragon

West (Wells 7,8,9,4). Low pressure setpoint on PIT-1083
3
(PALL-1083) causes valves SDV-0001A (subsea), SDV-
TF013493-DRA-PID-0021-0011-F 1
1003, and SDV-1004 to close.
High flowline pressure coming into platform from Dragon
East (Wells 5,6,10,11). High pressure setpoint on PIT-
4
1087 (PAHH-1087) causes valves SDV-0002A (subsea),
TF013493-DRA-PID-0021-0012-F 1
SDV-1020, and SDV-1021 to close.
High flowline pressure coming into platform from Dragon
East (Wells 5,6,10,11). High pressure setpoint on PIT-
5 1025 A/B/C (PAHH-1025 A/B/C) causes valves SDV-1023 TF013493-DRA-PID-0021-0012-F 3
and SDV-1024 to close.

Low flowline pressure coming into platform from Dragon

East (Wells 5,6,10,11). Low pressure setpoint on PIT-1087
6
(PALL-1087) causes valves SDV-0002A (subsea), SDV-
TF013493-DRA-PID-0021-0012-F 1
1020, and SDV-1021 to close.
High flowline pressure coming into platform from Patao A.
High pressure setpoint on PIT-1183 (PAHH-1183) causes
7
valves SDV-0001B (subsea), SDV-1103, and SDV-1104 to
TF013493-DRA-PID-0021-0013-C 1
close.
High flowline pressure coming into platform from Patao A.
High pressure setpoint on PIT-1108 A/B/C (PAHH-1008
8
A/B/C) causes valves SDV-1106 and SDV-1107 to close.
TF013493-DRA-PID-0021-0013-C 3

Low flowline pressure coming into platform from Patao A.

Low pressure setpoint on PIT-1183 (PALL-1183) causes
9
valves SDV-0001B (subsea), SDV-1103, and SDV-1104 to
TF013493-DRA-PID-0021-0013-C 1
close.
High flowline pressure coming into platform from Patao B.
High pressure setpoint on PIT-1187 (PAHH-1187) causes
10
valves SDV-0002B (subsea), SDV-1120, and SDV-1121 to
TF013493-DRA-PID-0021-0014-C 1
close.
11 High flowline pressure coming into platform from Patao B. TF013493-DRA-PID-0021-0014-C 3
High pressure setpoint on PIT-1125 A/B/C (PAHH-1025
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
A/B/C) causes valves SDV-1123 and SDV-1124 to close.

Low flowline pressure coming into platform from Patao B.

Low pressure setpoint on PIT-1187 (PALL-1187) causes
12
valves SDV-0002B (subsea), SDV-1120, and SDV-1121 to
TF013493-DRA-PID-0021-0014-C 1
close.
High pressure in V-101A Gas Separator.
13 High pressure setpoint on PIT-1039 (PAHH-1039) causes TF013493-DRA-PID-0021-0015-F No SIL(*)
valves SDV-1042, SDV-1056, and SDV-4038 to close.
Low pressure in V-101A Gas Separator.
14 Low pressure setpoint on PIT-1039 (PALL-1039) causes TF013493-DRA-PID-0021-0015-F 2
valves SDV-1042, SDV-1056, and SDV-4038 to close.
High level in V-101A Gas Separator.
15 High level setpoint on LIT-1036 (LAHH-1036) causes TF013493-DRA-PID-0021-0015-F No SIL(*)
valves SDV-1042, and SDV- 4038 to close.
Low level in V-101A Gas Separator.
16 Low level setpoint on LIT-1036 (LALL-1036) causes valves TF013493-DRA-PID-0021-0015-F 2
SDV-1042, SDV-1056, and SDV-4038 to close.
High pressure in V-101B Gas Separator.
High pressure setpoint on PIT-1139 (PAHH-1139) causes
17
valves SDV-1142, SDV-1146, SDV-1156, and SDV-4138 to
TF013493-DRA-PID-0021-0016-F No SIL(*)
close.
Low pressure in V-101B Gas Separator.
Low pressure setpoint on PIT-1139 (PALL-1139) causes
18
valves SDV-1142, SDV-1146, SDV-1156, and SDV-4138 to
TF013493-DRA-PID-0021-0016-F 2
close.
High level in V-101A Gas Separator.
19 High level setpoint on LIT-1136 (LAHH-1136) causes TF013493-DRA-PID-0021-0016-F No SIL(*)
valves SDV-1142, SDV-1146, and SDV- 4138 to close.
Low level in V-101B Gas Separator.
20 Low level setpoint on LIT-1136 (LALL-1136) causes valves TF013493-DRA-PID-0021-0016-F 2
SDV-1142, SDV-1146, SDV-1156, and SDV-4138 to close.
High pressure on export from platform.
High pressure setpoint on PIT-1210 (PAHH-1210) causes
21
valves SDV-1211, and SDV-1212, SDV-0010 (subsea) to
TF013493-DRA-PID-0021-0031-F 1
close.
Low pressure on export from platform.
Low pressure setpoint on PIT-1210 (PALL-1210) causes
22
valves SDV-4038, SDV-4138, SDV-1211, and SDV-1212,
TF013493-DRA-PID-0021-0031-F 1
SDV-0010 (subsea), SDV-1221 to close.
High pressure in output of E-205 Fuel Gas Pre-Heater.
High pressure setpoint on PIT-4259 (PAHH-4259) causes
23
valves SDV-4201, SDV-4263 and SDV-4233 to close, shuts
TF013493-DRA-PID-0021-0032-F 1
down pre-heater E-205 via XY-4260.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
Low pressure in output of E-205 Fuel Gas Pre-Heater. Low
pressure setpoint on PIT-4259 (PALL-4259) causes valves
24
SDV-4201, SDV-4263 and SDV-4233 to close, shuts down
TF013493-DRA-PID-0021-0032-F 1
pre-heater E-205 via XY-4260.
High temperature in heating element of E-205 Fuel Gas
25 Pre-Heater. High temperature setpoint on TIT-4258 TF013493-DRA-PID-0021-0032-F No SIL(*)
(TAHH-4258) shuts down pre-heater E-205 via XY-4260.
High temperature in outlet line of E-205 Fuel Gas Pre-
26 Heater. High temperature setpoint on TIT-4261 (TAHH- TF013493-DRA-PID-0021-0032-F No SIL(*)
4261) shuts down pre-heater E-205 via XY-4260.
High pressure in V-204 HP Fuel Gas Drum. High pressure
27 setpoint on PIT-4205 (PAHH-4205) causes valve SDV- TF013493-DRA-PID-0021-0032-F 1
4263to close
Low pressure in V-204 HP Fuel Gas Drum. Low pressure
28 setpoint on PIT-4205 (PALL-4205) causes valves SDV- TF013493-DRA-PID-0021-0032-F 1
4263, SDV-4213to close.
High level in V-204 HP Fuel Gas Drum.
29 High level setpoint on LIT-4215 (LAHH-4215) causes inlet TF013493-DRA-PID-0021-0032-F 1
valve SDV-4263 to close.
Low level in V-204 HP Fuel Gas Drum.
30 Low level setpoint on LIT-4215 (LALL-4215) causes valves TF013493-DRA-PID-0021-0032-F 2
SDV-4263, SDV-4213 to close.
High pressure in output of E-204 Fuel Gas Heater.
High pressure setpoint on PIT-4257 (PAHH-4257) causes
31
valve SDV-4263 to close, shuts down heater E-204 via XY-
TF013493-DRA-PID-0021-0033-F 1
4218.
Low pressure in output of E-204 Fuel Gas Heater.
Low pressure setpoint on PIT-4257 (PALL-4257) causes
32
valves SDV-4263, SDV-4213 to close, shuts down heater
TF013493-DRA-PID-0021-0033-F 1
E-204 via XY-4218.
High temperature in heating element of E-204 Fuel Gas
33 Heater. High temperature setpoint on TIT-4255 (TAHH- TF013493-DRA-PID-0021-0033-F No SIL(*)
4255) shuts down heater E-204 via XY-4218.
High temperature in outlet line of E-204 Fuel Gas Heater.
34 High temperature setpoint on TIT-4219 (TAHH-4219) TF013493-DRA-PID-0021-0033-F No SIL(*)
shuts down heater E-204 via XY-4218.
High pressure in V-205 LP Fuel Gas Drum.
35 High pressure setpoint on PIT-4239 (PAHH-4239) causes TF013493-DRA-PID-0021-0035-F 1
valves SDV-4233 to close.
Low pressure in V-205 LP Fuel Gas Drum.
36 Low pressure setpoint on PIT-4239 (PALL-4239) causes TF013493-DRA-PID-0021-0035-F 1
valves SDV-4233 and SDV-4245 to close.
High level in V-205 LP Fuel Gas Drum.
37 High level setpoint on LIT-4238 (LAHH-4238) causes valve TF013493-DRA-PID-0021-0035-F No SIL(*)
SDV-4233 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
Low level in V-205 LP Fuel Gas Drum. Low level setpoint
38 on LIT-4238 (LALL-4238) causes valves SDV-4233 and TF013493-DRA-PID-0021-0035-F 1
SDV-4245 to close.
High pressure in V-404 Methanol Storage Drum.
39 High pressure setpoint on PIT-4610 (PAHH-4610) causes TF013493-DRA-PID-0021-0037-F 1
valves SDV-4606 to close.
Low pressure in V-404 Methanol Storage Drum.
40 Low pressure setpoint on PIT-4610 (PALL-4610) causes TF013493-DRA-PID-0021-0037-F 1
valves SDV-4606 and SDV-4616 to close.
High level in V-404 Methanol Storage Drum. High level
41 setpoint on LIT-4608 (LAHH-4608) causes inlet valve SDV- TF013493-DRA-PID-0021-0037-F 1
4606 to close.
Low level in V-404 Methanol Storage Drum. Low level
setpoint on LIT-4608 (LALL-4608) causes valves SDV-4606
and SDV-4616 to close, shuts down the dragon methanol
42 injection pumps P-417A, P-417B, P-417C via XY-4617, XY- TF013493-DRA-PID-0021-0037-F 1
4623, XY-4629, respectively, and the patao methanol
injection pumps P-405A, P-405B, P-405C via XY-4637, XY-
4643, XY-4649 (missing on PID), respectively.
Low level in TK-402 Dragon Chemical Inhibitor Storage
Tank. Low level setpoint on LIT-4901 (LALL-4901) shuts
43 down the dragon chemical inhibitor pumps P-406A, P- TF013493-DRA-PID-0021-0039-F 1
406B, P-407A, P-407B via XY-4801, XY-4824, XY-4845, XY-
4865, respectively.
Low level in TK-406 Chemical Inhibitor Storage Tank for
Export Pipeline. Low level setpoint on LIT-4902 (LALL-
44 4902) shuts down the export line chemical inhibitor TF013493-DRA-PID-0021-0043-F 1
pumps P-412A, P-412B via XY-4886, XY-4892,
respectively.
Low level in TK-413 Patao Chemical Inhibitor Storage Tank.
Low level setpoint on LIT-4906 (LALL-4906) shuts down
45 the patao chemical inhibitor pumps P-419A, P-419B, P- TF013493-DRA-PID-0021-0045-C 1
420A, P-420B via XY-4701, XY-4724, XY-4745, XY-4765,
respectively.
High pressure in V-410A Fuel Gas H2S Removal Vessel.
46 High pressure setpoint in PIT-4276 (PAHH-4276) causes TF013493-DRA-PID-0021-0050-A No SIL(*)
valves SDV-4201 (inlet), SDV-4263, SDV-4233 to close.
Low pressure in V-410A Fuel Gas H2S Removal Vessel.
47 Low pressure setpoint in PIT-4276 (PALL-4276) causes TF013493-DRA-PID-0021-0050-A 1
valves SDV-4201 (inlet), SDV-4263, SDV-4233 to close.
High pressure in V-410B Fuel Gas H2S Removal Vessel.
48 High pressure setpoint in PIT-4282 (PAHH-4282) causes TF013493-DRA-PID-0021-0050-A No SIL(*)
valves SDV-4201 (inlet), SDV-4263, SDV-4233 to close.
49 Low pressure in V-410B Fuel Gas H2S Removal Vessel. TF013493-DRA-PID-0021-0050-A 1
Low pressure setpoint in PIT-4282 (PALL-4282) causes
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
valves SDV-4201 (inlet), SDV-4263, SDV-4233 to close.
High level in V-401 HP Flare KO Drum. High level setpoint
50 on LIT-5605 (LAHH-5605) initiates process shutdown of TF013493-DRA-PID-0031-0052-F 1
platform (level 2 shutdown w/o depressurization).
Low level in V-401 HP Flare KO Drum. Low level setpoint
on LIT-5605 (LALL-5605) causes outlet valve SDV-5612 to
51
close, shuts down pumps P-401A, P-401B via XY-5609,
TF013493-DRA-PID-0031-0052-F 1
XY-5620, respectively.
Low temperature in V-401 HP Flare KO Drum. Low
temperature setpoint on TIT-5611 (TALL-5611) causes
52
outlet valve SDV-5612 to close, shuts down pumps P-
TF013493-DRA-PID-0031-0052-F No SIL(*)
401A, P-401B via XY-5609, XY-5620, respectively.
Loss of flame in X-401 HP Flare Tip. Alarm from Flame
53 Ionization Monitor (BA-5630) initiates operator response TF013493-DRA-PID-0031-0053-F 1
for manual reignition of flare.
High pressure in V-405 Closed Drain Drum.
High pressure setpoint on PIT-5023 (PAHH-5023) causes
54 valves SDV-5008 (liquid outlet), SDV-1056 (gas separator TF013493-DRA-PID-0031-0056-F 2
A), SDV-1156 (gas separator B) and SDV-5612 (hp ko
drum) to close..
Low pressure in V-405 Closed Drain Drum.
Low pressure setpoint on PIT-5023 (PALL-5023) causes
55 valves SDV-5008 (liquid outlet), SDV-1056 (gas separator TF013493-DRA-PID-0031-0056-F 2
A), SDV-1156 (gas separator B) and SDV-5612 (hp ko
drum) to close..
High level in V-405 Closed Drain Drum.
High level setpoint on LIT-5002 (LAHH-5002) causes
56
valves SDV-1056 (gas separator A), SDV-1156 (gas
TF013493-DRA-PID-0031-0056-F 1
separator B) and SDV-5612 (hp ko drum) to close..
Low level in V-405 Closed Drain Drum.
Low level setpoint on LIT-5002 (LALL-5002) causes valves
SDV-5008 (liquid outlet), SDV-1056 (gas separator A),
SDV-1156 (gas separator B) and SDV-5612 (hp ko drum)
57
to close, shuts down hp ko drum pumps P-401A, P-401B
TF013493-DRA-PID-0031-0056-F 2
via XY-5609, XY-5620, respectively, and closed drain
pumps P-415A, P-415B via XY-5006, XY-5016,
respectively.
Low level in TK-407 Open Drain Tank.
Low level setpoint on LIT-5407 (LALL-5407) shuts down
58
open drain tank pumps P-416A, P-416B by closing SDV-
TF013493-DRA-PID-0031-0058-F No SIL(*)
5409 (air inlet to the pumps).
Low level in X-417 Open Drain Caisson.
Low level setpoint on LIT-5410 (LALL-5410) shuts down
59
open drain tank pumps P-416A, P-416B by closing SDV-
TF013493-DRA-PID-0031-0058-F No SIL(*)
5409 (air inlet to the pumps).
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
High level in TK-409 Diesel Receiving Tank.
60 High level setpoint on LIT-7202 (LAHH-7202) causes valve TF013493-DRA-PID-0031-0059-F 1
SDV-7203 to close.
Low level in TK-409 Diesel Receiving Tank.
Low level setpoint on LIT-7202 (LALL-7202) causes valves
61 SDV-7203 (inlet from diesel fill connection) and SDV- TF013493-DRA-PID-0031-0059-F 1
7234 (outlet) to close, shuts down diesel transfer pumps
P-418A, P-418B via XY-7207, XY-7211, respectively.
High pressure in P-418A Diesel Transfer Pump.
62 High pressure setpoint on P-7243 (PAHH-7243) shuts TF013493-DRA-PID-0031-0059-F 1
down the diesel transfer pumps P-418A via XY-7207.
Low pressure in P-418A Diesel Transfer Pump.
Low pressure setpoint on P-7243 (PALL-7243) causes
63 valves SDV-7234 (inlet) and SDV-7235 (outlet) to close, TF013493-DRA-PID-0031-0059-F 1
shuts down the diesel transfer pumps P-418A, P-418B via
XY-7207, XY-7211, respectively.
High pressure in P-418B Diesel Transfer Pump.
64 High pressure setpoint on P-7244 (PAHH-7244) shuts TF013493-DRA-PID-0031-0059-F 1
down the diesel transfer pump P-418B via XY-7207.
Low pressure in P-418B Diesel Transfer Pump.
Low pressure setpoint on P-7244 (PALL-7244) causes
65 valves SDV-7234 (inlet) and SDV-7235 (outlet) to close, TF013493-DRA-PID-0031-0059-F 1
shuts down the diesel transfer pumps P-418A, P-418B via
XY-7207, XY-7211, respectively.
High level in TK-401 Diesel Storage Tank.
High level setpoint on LIT-7230 (LAHH-7230) causes
66 valves SDV-7235 to close, shuts down the diesel transfer TF013493-DRA-PID-0031-0061-F 1
pumps P-418A, P-418B via XY-7207, XY-7211,
respectively.
Low level in TK-401 Diesel Storage Tank.
Low level setpoint on PIT-7230 (PALL-7230) causes valves
SDV-7235, and SDV-7236 to close, shuts down the diesel
67
transfer pumps P-418A, P-418B via XY-7207, XY-7211,
TF013493-DRA-PID-0031-0061-F 1
respectively, and diesel pumps P-404A, P-404B via XY-
7219, XY-7224, respectively.
Low level in TK-408A Potable Water Storage.
Low level setpoint on LIT-6403 (LALL-6403) starts
sea water pumps P-410A, P-410B via XY-6451, XY-
68
6476, respectively, shuts down potable water
TF013493-DRA-PID-0031-0075-F No SIL(*)
pumps P-408A, P-408B via XY-6407, XY-6409,
respectively.
69 Low level in TK-408B Potable Water Storage. TF013493-DRA-PID-0031-0075-F No SIL(*)
Low level setpoint on LIT-6405 (LALL-6405) starts
sea water pumps P-410A, P-410B via XY-6451, XY-
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-4: Safety Instrumented Functions

SIL
ID
Safety Instrumented Function (SIF) Description Drawing reference Required
Ref
(1,2,3,4)
6476, respectively, shuts down potable water
pumps P-408A, P-408B via XY-6407, XY-6409,
respectively.
Low pressure in Instrument Air system.
Low pressure setpoint on PIT-6057 (PALL-6057)
70
causes shutdown of platform level 2 w/o
TF013493-DRA-PID-0031-0068-F 2
depressurization.

(*) - No SIL Required

8.2 SIL Analysis Results based on Architectural Constraints

Table 9-2 below shows the results of the SIL verification analysis on the basis of
architectural constraints (AC). As can be observed from this table, architectural constraints
are not a constraint on any of the 70 SIFs achieving their associated SIL target. However,
as specific information on the actual instrumentation failure rates and architectures is
finalized these results should be re-evaluated and confirmed.
Appendix 3 contains additional information regarding the architectural constraints
associated with the safe failure fraction (SFF) requirements of the field instrumentation.

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
High flowline pressure coming into platform from
Dragon West (Wells 7,8,9,4). High pressure
setpoint on PIT-1083 (PAHH-1083) causes valves
1
SDV-0001A (subsea), SDV-1003, and SDV-1004 to 1 2 3 3 2
close.

High flowline pressure coming into platform from

Dragon West (Wells 7,8,9,4). High pressure This SIF will be
2 setpoint on PIT-1008 A/B/C (PAHH-1008 A/B/C) 3 independently verified as
causes valves SDV-1006 and SDV-1007 to close.
part of the HIPPS
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
Low flowline pressure coming into platform from
Dragon West (Wells 7,8,9,4). Low pressure
3 setpoint on PIT-1083 (PALL-1083) causes valves 1 2 3 1 1
SDV-0001A (subsea), SDV-1003, and SDV-1004 to
close.
High flowline pressure coming into platform from
Dragon East (Wells 5,6,10,11). High pressure
4 setpoint on PIT-1087 (PAHH-1087) causes valves 1 2 3 3 2
SDV-0002A (subsea), SDV-1020, and SDV-1021 to
close.
High flowline pressure coming into platform from
Dragon East (Wells 5,6,10,11). High pressure This SIF will be
5 setpoint on PIT-1025 A/B/C (PAHH-1025 A/B/C) 3 independently verified as
causes valves SDV-1023 and SDV-1024 to close.
part of the HIPPS
Low flowline pressure coming into platform from
Dragon East (Wells 5,6,10,11). Low pressure
6 setpoint on PIT-1087 (PALL-1087) causes valves 1 2 3 1 1
SDV-0002A (subsea), SDV-1020, and SDV-1021 to
close.
High flowline pressure coming into platform from
Patao A. High pressure setpoint on PIT-1183
7
(PAHH-1183) causes valves SDV-0001B (subsea), 1 2 3 3 2
SDV-1103, and SDV-1104 to close.
High flowline pressure coming into platform from
Patao A. High pressure setpoint on PIT-1108 This SIF will be
8 A/B/C (PAHH-1008 A/B/C) causes valves SDV-1106 3 independently verified as
and SDV-1107 to close.
part of the HIPPS
Low flowline pressure coming into platform from
Patao A. Low pressure setpoint on PIT-1183 (PALL-
9
1183) causes valves SDV-0001B (subsea), SDV- 1 2 3 1 1
1103, and SDV-1104 to close.
High flowline pressure coming into platform from
Patao B. High pressure setpoint on PIT-1187
10
(PAHH-1187) causes valves SDV-0002B (subsea), 1 2 3 3 2
SDV-1120, and SDV-1121 to close.
High flowline pressure coming into platform from
Patao B. High pressure setpoint on PIT-1125 This SIF will be
11 A/B/C (PAHH-1025 A/B/C) causes valves SDV-1123 3 independently verified as
and SDV-1124 to close.
part of the HIPPS
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
Low flowline pressure coming into platform from
Patao B. Low pressure setpoint on PIT-1187 (PALL-
12
1187) causes valves SDV-0002B (subsea), SDV- 1 2 3 1 1
1120, and SDV-1121 to close.
High pressure in V-101A Gas Separator.
High pressure setpoint on PIT-1039 (PAHH-1039)
13
causes valves SDV-1042, SDV-1056, and SDV-4038 No SIL 2 3 2 2
to close.
Low pressure in V-101A Gas Separator.
Low pressure setpoint on PIT-1039 (PALL-1039)
14
causes valves SDV-1042, SDV-1056, and SDV-4038 2 2 3 2 2
to close.
High level in V-101A Gas Separator.
15 High level setpoint on LIT-1036 (LAHH-1036) No SIL 2 3 2 2
causes valves SDV-1042, and SDV- 4038 to close.
Low level in V-101A Gas Separator.
Low level setpoint on LIT-1036 (LALL-1036) causes
16
valves SDV-1042, SDV-1056, and SDV-4038 to 2 2 3 2 2
close.
High pressure in V-101B Gas Separator.
High pressure setpoint on PIT-1139 (PAHH-1139)
17
causes valves SDV-1142, SDV-1146, SDV-1156, and No SIL 2 3 2 2
SDV-4138 to close.
Low pressure in V-101B Gas Separator.
Low pressure setpoint on PIT-1139 (PALL-1139)
18
causes valves SDV-1142, SDV-1146, SDV-1156, and 2 2 3 2 2
SDV-4138 to close.
High level in V-101B Gas Separator.
High level setpoint on LIT-1136 (LAHH-1136)
19
causes valves SDV-1142, SDV-1146, and SDV- 4138 No SIL 2 3 2 2
to close.
Low level in V-101B Gas Separator.
Low level setpoint on LIT-1136 (LALL-1136) causes
20
valves SDV-1142, SDV-1146, SDV-1156, and SDV- 2 2 3 2 2
4138 to close.
High pressure on export from platform.
High pressure setpoint on PIT-1210 (PAHH-1210)
21
causes valves SDV-1211, and SDV-1212, SDV-0010 1 2 3 3 3
(subsea) to close.
Low pressure on export from platform.
Low pressure setpoint on PIT-1210 (PALL-1210)
22
causes valves SDV-4038, SDV-4138, SDV-1211, and 1 2 3 1 1
SDV-1212, SDV-0010 (subsea), SDV-1221 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
High pressure in output of E-205 Fuel Gas Pre-
Heater. High pressure setpoint on PIT-4259
23 (PAHH-4259) causes valves SDV-4201, SDV-4263 1 2 3 2 2
and SDV-4233 to close, shuts down pre-heater E-
205 via XY-4260.
Low pressure in output of E-205 Fuel Gas Pre-
Heater. Low pressure setpoint on PIT-4259 (PALL-
24 4259) causes valves SDV-4201, SDV-4263 and SDV- 1 2 3 2 2
4233 to close, shuts down pre-heater E-205 via XY-
4260.
High temperature in heating element of E-205 Fuel
Gas Pre-Heater. High temperature setpoint on TIT-
25
4258 (TAHH-4258) shuts down pre-heater E-205 No SIL 2 3 2 2
via XY-4260.
High temperature in outlet line of E-205 Fuel Gas
Pre-Heater. High temperature setpoint on TIT-
26
4261 (TAHH-4261) shuts down pre-heater E-205 No SIL 2 3 2 2
via XY-4260.
High pressure in V-204 HP Fuel Gas Drum. High
27 pressure setpoint on PIT-4205 (PAHH-4205) causes 1 2 3 2 2
valve SDV-4263to close
Low pressure in V-204 HP Fuel Gas Drum. Low
28 pressure setpoint on PIT-4205 (PALL-4205) causes 1 2 3 2 2
valves SDV-4263, SDV-4213 to close.
High level in V-204 HP Fuel Gas Drum.
29 High level setpoint on LIT-4215 (LAHH-4215) 1 2 3 2 2
causes inlet valve SDV-4263 to close.
Low level in V-204 HP Fuel Gas Drum.
30 Low level setpoint on LIT-4215 (LALL-4215) causes 2 2 3 2 2
valves SDV-4263, SDV-4213 to close.
High pressure in output of E-204 Fuel Gas Heater.
High pressure setpoint on PIT-4257 (PAHH-4257)
31
causes valve SDV-4263 to close, shuts down 1 2 3 2 2
heater E-204 via XY-4218.
Low pressure in output of E-204 Fuel Gas Heater.
Low pressure setpoint on PIT-4257 (PALL-4257)
32
causes valves SDV-4263, SDV-4213 to close, shuts 1 2 3 2 2
down heater E-204 via XY-4218.
High temperature in heating element of E-204 Fuel
Gas Heater. High temperature setpoint on TIT-
33
4255 (TAHH-4255) shuts down heater E-204 via No SIL 2 3 2 2
XY-4218.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
High temperature in outlet line of E-204 Fuel Gas
Heater. High temperature setpoint on TIT-4219
34
(TAHH-4219) shuts down heater E-204 via XY- No SIL 2 3 2 2
4218.
High pressure in V-205 LP Fuel Gas Drum.
35 High pressure setpoint on PIT-4239 (PAHH-4239) 1 2 3 2 2
causes valves SDV-4233 to close.
Low pressure in V-205 LP Fuel Gas Drum.
36 Low pressure setpoint on PIT-4239 (PALL-4239) 1 2 3 2 2
causes valves SDV-4233 and SDV-4245 to close.
High level in V-205 LP Fuel Gas Drum.
37 High level setpoint on LIT-4238 (LAHH-4238) No SIL 2 3 2 2
causes valve SDV-4233 to close.
Low level in V-205 LP Fuel Gas Drum. Low level
38 setpoint on LIT-4238 (LALL-4238) causes valves 1 2 3 2 2
SDV-4233 and SDV-4245 to close.
High pressure in V-404 Methanol Storage Drum.
39 High pressure setpoint on PIT-4610 (PAHH-4610) 1 2 3 2 2
causes valves SDV-4606 to close.
Low pressure in V-404 Methanol Storage Drum.
40 Low pressure setpoint on PIT-4610 (PALL-4610) 1 2 3 2 2
causes valves SDV-4606 and SDV-4616 to close.
High level in V-404 Methanol Storage Drum. High
41 level setpoint on LIT-4608 (LAHH-4608) causes 1 2 3 2 2
inlet valve SDV-4606 to close.
Low level in V-404 Methanol Storage Drum. Low
level setpoint on LIT-4608 (LALL-4608) causes
valves SDV-4606 and SDV-4616 to close, shuts
down the dragon methanol injection pumps P-
42 417A, P-417B, P-417C via XY-4617, XY-4623, XY- 1 2 3 2 2
4629, respectively, and the patao methanol
injection pumps P-405A, P-405B, P-405C via XY-
4637, XY-4643, XY-4649 (missing on PID),
respectively.
Low level in TK-402 Dragon Chemical Inhibitor
Storage Tank. Low level setpoint on LIT-4901
(LALL-4901) shuts down the dragon chemical
43
inhibitor pumps P-406A, P-406B, P-407A, P-407B 1 2 3 2 2
via XY-4801, XY-4824, XY-4845, XY-4865,
respectively.
Low level in TK-406 Chemical Inhibitor Storage Tank
for Export Pipeline. Low level setpoint on LIT-4902
44 (LALL-4902) shuts down the export line chemical 1 2 3 2 2
inhibitor pumps P-412A, P-412B via XY-4886, XY-
4892, respectively.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
Low level in TK-413 Patao Chemical Inhibitor
Storage Tank. Low level setpoint on LIT-4906
(LALL-4906) shuts down the patao chemical
45
inhibitor pumps P-419A, P-419B, P-420A, P-420B 1 2 3 2 2
via XY-4701, XY-4724, XY-4745, XY-4765,
respectively.
High pressure in V-410A Fuel Gas H2S Removal
Vessel. High pressure setpoint in PIT-4276 (PAHH-
46
4276) causes valves SDV-4201 (inlet), SDV-4263, No SIL 2 3 2 2
SDV-4233 to close.
Low pressure in V-410A Fuel Gas H2S Removal
Vessel. Low pressure setpoint in PIT-4276 (PALL-
47
4276) causes valves SDV-4201 (inlet), SDV-4263, 1 2 3 2 2
SDV-4233 to close.
High pressure in V-410B Fuel Gas H2S Removal
Vessel. High pressure setpoint in PIT-4282 (PAHH-
48
4282) causes valves SDV-4201 (inlet), SDV-4263, No SIL 2 3 2 2
SDV-4233 to close.
Low pressure in V-410B Fuel Gas H2S Removal
Vessel. Low pressure setpoint in PIT-4282 (PALL-
49
4282) causes valves SDV-4201 (inlet), SDV-4263, 1 2 3 2 2
SDV-4233 to close.
High level in V-401 HP Flare KO Drum. High level
setpoint on LIT-5605 (LAHH-5605) initiates process
50
shutdown of platform (level 2 shutdown w/o 1 2 3 2 2
depressurization).
Low level in V-401 HP Flare KO Drum. Low level
setpoint on LIT-5605 (LALL-5605) causes outlet
51
valve SDV-5612 to close, shuts down pumps P- 1 2 3 2 2
401A, P-401B via XY-5609, XY-5620, respectively.
Low temperature in V-401 HP Flare KO Drum. Low
temperature setpoint on TIT-5611 (TALL-5611)
52 causes outlet valve SDV-5612 to close, shuts down No SIL 2 3 2 2
pumps P-401A, P-401B via XY-5609, XY-5620,
respectively.
Loss of flame in X-401 HP Flare Tip. Alarm from
53 Flame Ionization Monitor (BA-5630) initiates 1 1 3 2 1
operator response for manual reignition of flare.
High pressure in V-405 Closed Drain Drum.
High pressure setpoint on PIT-5023 (PAHH-5023)
54 causes valves SDV-5008 (liquid outlet), SDV-1056 2 2 3 2 2
(gas separator A), SDV-1156 (gas separator B) and
SDV-5612 (hp ko drum) to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
Low pressure in V-405 Closed Drain Drum.
Low pressure setpoint on PIT-5023 (PALL-5023)
55 causes valves SDV-5008 (liquid outlet), SDV-1056 2 2 3 2 2
(gas separator A), SDV-1156 (gas separator B) and
SDV-5612 (hp ko drum) to close.
High level in V-405 Closed Drain Drum.
High level setpoint on LIT-5002 (LAHH-5002)
causes valves SDV-1056 (gas separator A), SDV-
56
1156 (gas separator B) and SDV-5612 (hp ko drum) 2 2 3 2 2
to close, shuts down hp ko drum pumps P-401A,
P-401B via XY-5609, XY-5620, respectively.
Low level in V-405 Closed Drain Drum.
Low level setpoint on LIT-5002 (LALL-5002) causes
57 valves SDV-5008 (liquid outlet), SDV-1056 (gas 2 3 3 2 2
separator A), SDV-1156 (gas separator B) and SDV-
5612 (hp ko drum) to close.
Low level in TK-407 Open Drain Tank.
Low level setpoint on LIT-5407 (LALL-5407) shuts
58
down open drain tank pumps P-416A, P-416B by No SIL 2 3 2 2
closing SDV-5409 (air inlet to the pumps).
Low level in X-417 Open Drain Caisson.
Low level setpoint on LIT-5410 (LALL-5410) shuts
59
down open drain tank pumps P-416A, P-416B by No SIL 2 3 2 2
closing SDV-5409 (air inlet to the pumps).
High level in TK-409 Diesel Receiving Tank.
60 High level setpoint on LIT-7202 (LAHH-7202) 1 2 3 2 2
causes valve SDV-7203 to close.
Low level in TK-409 Diesel Receiving Tank.
Low level setpoint on LIT-7202 (LALL-7202) causes
valves SDV-7203 (inlet from diesel fill connection)
61
and SDV-7234 (outlet) to close, shuts down diesel 1 2 3 2 2
transfer pumps P-418A, P-418B via XY-7207, XY-
7211, respectively.
High pressure in P-418A Diesel Transfer Pump.
High pressure setpoint on P-7243 (PAHH-7243)
62
shuts down the diesel transfer pumps P-418A via 2 2 3 2 2
XY-7207.
Low pressure in P-418A Diesel Transfer Pump.
Low pressure setpoint on P-7243 (PALL-7243)
causes valves SDV-7234 (inlet) and SDV-7235
63
(outlet) to close, shuts down the diesel transfer 1 2 3 2 2
pumps P-418A, P-418B via XY-7207, XY-7211,
respectively.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Safety Integrity Level – Architectural Constraints

SIL Sensor Logic Final Estimated

ID Safety Instrumented Function
Required Solver Element SIL AC
Ref (SIF) Description
(1,2,3,4)
High pressure in P-418B Diesel Transfer Pump.
High pressure setpoint on P-7244 (PAHH-7244)
64
shuts down the diesel transfer pump P-418B via 2 2 3 2 2
XY-7207.
Low pressure in P-418B Diesel Transfer Pump.
Low pressure setpoint on P-7244 (PALL-7244)
causes valves SDV-7234 (inlet) and SDV-7235
65
(outlet) to close, shuts down the diesel transfer 1 2 3 2 2
pumps P-418A, P-418B via XY-7207, XY-7211,
respectively.
High level in TK-401 Diesel Storage Tank.
High level setpoint on LIT-7230 (LAHH-7230)
66 causes valves SDV-7235 to close, shuts down the 1 2 3 2 2
diesel transfer pumps P-418A, P-418B via XY-7207,
XY-7211, respectively.
Low level in TK-401 Diesel Storage Tank.
Low level setpoint on PIT-7230 (PALL-7230) causes
valves SDV-7235, and SDV-7236 to close, shuts
67 down the diesel transfer pumps P-418A, P-418B 1 2 3 2 2
via XY-7207, XY-7211, respectively, and diesel
pumps P-404A, P-404B via XY-7219, XY-7224,
respectively.
Low level in TK-408A Potable Water Storage.
Low level setpoint on LIT-6403 (LALL-6403)
starts sea water pumps P-410A, P-410B via
68
XY-6451, XY-6476, respectively, shuts down
No SIL 2 3 2 2
potable water pumps P-408A, P-408B via XY-
6407, XY-6409, respectively.
Low level in TK-408B Potable Water Storage.
Low level setpoint on LIT-6405 (LALL-6405)
starts sea water pumps P-410A, P-410B via
69
XY-6451, XY-6476, respectively, shuts down
No SIL 2 3 2 2
potable water pumps P-408A, P-408B via XY-
6407, XY-6409, respectively.
Low pressure in Instrument Air system.
Low pressure setpoint on PIT-6057 (PALL-
70
6057) causes shutdown of platform level 2
2 2 3 2 2
w/o depressurization.
 SIL VERIFICATION ANALYSIS - FEED

8.3 SIL Analysis Results based on Probability of Failure on Demand

The average probability of failure on demand (PFD AVG) was calculated for all 54 SIFs
identified using a base case scenario defined as:

 Full testing interval of 4 years

 Proof test coverage of 75%

 Current design on P&IDs

 Transmitters will be Rosemount or equivalent

 SIS PLC will be a SIL 3 system

 On/Off Valves will be Cooper Cameron or equivalent

 Pneumatic Actuators will be Bettis or equivalent

 Solenoids will be Versa or equivalent

 Generic failure data will be used for all other equipment

Further, 5 additional sensitivity cases were evaluated to identify the solutions available to
the team for meeting the SIL targets for all SIFs. These sensitivity cases are based on the
same assumptions used in the base case, with the following differences:

 Sensitivity Case A - Performance

o Increase proof test coverage to 85%

 Sensitivity Case B - Testing

o Increase full testing interval to once per year

o Add partial stroke testing to valves

 Sensitivity Case C – Architecture

o Use a 1oo2 sensor architecture

o Use a 1oo2 final element (valves) architecture

 Sensitivity Case D – Integrity Management

o Consider additional SIL credits that would be applied if operating

and maintenance procedures were fully developed and
implemented:
 2 SIL credits taken for PSVs that provide full protection from
identified hazard
 SIL VERIFICATION ANALYSIS - FEED

 1 SIL credit taken for mechanical integrity of vessel that

provides full protection from identified hazard

 Sensitivity Case E – Integrity Management and Testing

o Use credits taken in Sensitivity Case D

o Increase full testing interval to once per year

o Add partial stroke testing to valves

The sensitivity cases are ordered by ease of implementation, therefore any SIFs achieving
their SIL target in a particular sensitivity case were not evaluated in subsequent sensitivity
cases.
Table 9-3 contains the SIL verification results on the basis of average probability of failure
on demand (PFDAVG), with the results separated for the base case and sensitivity cases A,
B, and C. Red squares represent SIFs whose SIL does not meet the SIL target for that
particular case.
Appendix 2 and 3 provide more detail information about assumptions and particular failure
data used in PFDAVG calculations.

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High flowline pressure coming into platform
from Dragon West (Wells 7,8,9,4). High
pressure setpoint on PIT-1083 (PAHH-1083)
1
causes valves SDV-0001A (subsea), SDV-1003, 1 1 - - -
and SDV-1004 to close.

High flowline pressure coming into platform

from Dragon West (Wells 7,8,9,4). High This SIF will be independently
pressure setpoint on PIT-1008 A/B/C (PAHH-
2
1008 A/B/C) causes valves SDV-1006 and SDV- 3 verified as part of the
1007 to close. HIPPS(*)
Low flowline pressure coming into platform
from Dragon West (Wells 7,8,9,4). Low pressure
3 setpoint on PIT-1083 (PALL-1083) causes valves 1 0 0 1 -
SDV-0001A (subsea), SDV-1003, and SDV-1004
to close.
High flowline pressure coming into platform
from Dragon East (Wells 5,6,10,11). High
4 pressure setpoint on PIT-1087 (PAHH-1087) 1 1 - - -
causes valves SDV-0002A (subsea), SDV-1020,
and SDV-1021 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High flowline pressure coming into platform
from Dragon East (Wells 5,6,10,11). High This SIF will be independently
pressure setpoint on PIT-1025 A/B/C (PAHH-
5
1025 A/B/C) causes valves SDV-1023 and SDV- 3 verified as part of the
1024 to close. HIPPS(*)
Low flowline pressure coming into platform
from Dragon East (Wells 5,6,10,11). Low
6 pressure setpoint on PIT-1087 (PALL-1087) 1 0 0 1 -
causes valves SDV-0002A (subsea), SDV-1020,
and SDV-1021 to close.
High flowline pressure coming into platform
from Patao A. High pressure setpoint on PIT-
7
1183 (PAHH-1183) causes valves SDV-0001B 1 1 - - -
(subsea), SDV-1103, and SDV-1104 to close.
High flowline pressure coming into platform
from Patao A. High pressure setpoint on PIT- This SIF will be independently
8 1108 A/B/C (PAHH-1008 A/B/C) causes valves 3 verified as part of the
SDV-1106 and SDV-1107 to close.
HIPPS(*)
Low flowline pressure coming into platform
from Patao A. Low pressure setpoint on PIT-
9
1183 (PALL-1183) causes valves SDV-0001B 1 0 0 1 -
(subsea), SDV-1103, and SDV-1104 to close.
High flowline pressure coming into platform
from Patao B. High pressure setpoint on PIT-
10
1187 (PAHH-1187) causes valves SDV-0002B 1 1 - - -
(subsea), SDV-1120, and SDV-1121 to close.
High flowline pressure coming into platform
from Patao B. High pressure setpoint on PIT- This SIF will be independently
11 1125 A/B/C (PAHH-1025 A/B/C) causes valves 3 verified as part of the
SDV-1123 and SDV-1124 to close.
HIPPS(*)
Low flowline pressure coming into platform
from Patao B. Low pressure setpoint on PIT-
12
1187 (PALL-1187) causes valves SDV-0002B 1 0 0 1 -
(subsea), SDV-1120, and SDV-1121 to close.
High pressure in V-101A Gas Separator.
High pressure setpoint on PIT-1039 (PAHH-
13
1039) causes valves SDV-1042, SDV-1056, and No SIL 0 - - -
SDV-4038 to close.
Low pressure in V-101A Gas Separator.
Low pressure setpoint on PIT-1039 (PALL-1039)
14
causes valves SDV-1042, SDV-1056, and SDV- 2 0 0 1 1
4038 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High level in V-101A Gas Separator.
High level setpoint on LIT-1036 (LAHH-1036)
15
causes valves SDV-1042, and SDV- 4038 to No SIL 0 - - -
close.
Low level in V-101A Gas Separator.
Low level setpoint on LIT-1036 (LALL-1036)
16
causes valves SDV-1042, SDV-1056, and SDV- 2 0 0 1 1
4038 to close.
High pressure in V-101B Gas Separator.
High pressure setpoint on PIT-1139 (PAHH-
17
1139) causes valves SDV-1142, SDV-1146, SDV- No SIL 0 - - -
1156, and SDV-4138 to close.
Low pressure in V-101B Gas Separator.
Low pressure setpoint on PIT-1139 (PALL-1139)
18
causes valves SDV-1142, SDV-1146, SDV-1156, 2 0 0 1 1
and SDV-4138 to close.
High level in V-101A Gas Separator.
High level setpoint on LIT-1136 (LAHH-1136)
19
causes valves SDV-1142, SDV-1146, and SDV- No SIL 0 - - -
4138 to close.
Low level in V-101B Gas Separator.
Low level setpoint on LIT-1136 (LALL-1136)
20
causes valves SDV-1142, SDV-1146, SDV-1156, 2 0 0 1 1
and SDV-4138 to close.
High pressure on export from platform.
High pressure setpoint on PIT-1210 (PAHH-
21
1210) causes valves SDV-1211, and SDV-1212, 1 1 - - -
SDV-0010 (subsea) to close.
Low pressure on export from platform.
Low pressure setpoint on PIT-1210 (PALL-1210)
22 causes valves SDV-4038, SDV-4138, SDV-1211, 1 0 0 0 1
and SDV-1212, SDV-0010 (subsea), SDV-1221 to
close.
High pressure in output of E-205 Fuel Gas Pre-
Heater. High pressure setpoint on PIT-4259
23 (PAHH-4259) causes valves SDV-4201, SDV-4263 1 0 0 1 -
and SDV-4233 to close, shuts down pre-heater
E-205 via XY-4260.
Low pressure in output of E-205 Fuel Gas Pre-
Heater. Low pressure setpoint on PIT-4259
24 (PALL-4259) causes valves SDV-4201, SDV-4263 1 0 0 1 -
and SDV-4233 to close, shuts down pre-heater
E-205 via XY-4260.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High temperature in heating element of E-205
Fuel Gas Pre-Heater. High temperature setpoint
25
on TIT-4258 (TAHH-4258) shuts down pre- No SIL 1 - - -
heater E-205 via XY-4260.
High temperature in outlet line of E-205 Fuel
Gas Pre-Heater. High temperature setpoint on
26
TIT-4261 (TAHH-4261) shuts down pre-heater E- No SIL 1 - - -
205 via XY-4260.
High pressure in V-204 HP Fuel Gas Drum. High
27 pressure setpoint on PIT-4205 (PAHH-4205) 1 1 - - -
causes valve SDV-4263to close
Low pressure in V-204 HP Fuel Gas Drum. Low
28 pressure setpoint on PIT-4205 (PALL-4205) 1 0 0 1 -
causes valves SDV-4263, SDV-4213to close.
High level in V-204 HP Fuel Gas Drum.
29 High level setpoint on LIT-4215 (LAHH-4215) 1 1 - - -
causes inlet valve SDV-4263 to close.
Low level in V-204 HP Fuel Gas Drum.
30 Low level setpoint on LIT-4215 (LALL-4215) 2 0 0 1 1
causes valves SDV-4263, SDV-4213 to close.
High pressure in output of E-204 Fuel Gas
Heater.
31 High pressure setpoint on PIT-4257 (PAHH- 1 1 - - -
4257) causes valve SDV-4263 to close, shuts
down heater E-204 via XY-4218.
Low pressure in output of E-204 Fuel Gas
Heater.
32 Low pressure setpoint on PIT-4257 (PALL-4257) 1 0 0 1 -
causes valves SDV-4263, SDV-4213 to close,
shuts down heater E-204 via XY-4218.
High temperature in heating element of E-204
Fuel Gas Heater. High temperature setpoint on
33
TIT-4255 (TAHH-4255) shuts down heater E-204 No SIL 1 - - -
via XY-4218.
High temperature in outlet line of E-204 Fuel
Gas Heater. High temperature setpoint on TIT-
34
4219 (TAHH-4219) shuts down heater E-204 via No SIL 1 - - -
XY-4218.
High pressure in V-205 LP Fuel Gas Drum.
35 High pressure setpoint on PIT-4239 (PAHH- 1 1 - - -
4239) causes valves SDV-4233 to close.
Low pressure in V-205 LP Fuel Gas Drum.
36 Low pressure setpoint on PIT-4239 (PALL-4239) 1 0 0 1 -
causes valves SDV-4233 and SDV-4245 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High level in V-205 LP Fuel Gas Drum.
37 High level setpoint on LIT-4238 (LAHH-4238) No SIL 1 - - -
causes valve SDV-4233 to close.
Low level in V-205 LP Fuel Gas Drum. Low level
38 setpoint on LIT-4238 (LALL-4238) causes valves 2 0 0 1 1
SDV-4233 and SDV-4245 to close.
High pressure in V-404 Methanol Storage Drum.
39 High pressure setpoint on PIT-4610 (PAHH- 1 1 - - -
4610) causes valves SDV-4606 to close.
Low pressure in V-404 Methanol Storage Drum.
40 Low pressure setpoint on PIT-4610 (PALL-4610) 1 0 0 1 -
causes valves SDV-4606 and SDV-4616 to close.
High level in V-404 Methanol Storage Drum.
41 High level setpoint on LIT-4608 (LAHH-4608) 1 1 - - -
causes inlet valve SDV-4606 to close.
Low level in V-404 Methanol Storage Drum.
Low level setpoint on LIT-4608 (LALL-4608)
causes valves SDV-4606 and SDV-4616 to close,
shuts down the dragon methanol injection
42 pumps P-417A, P-417B, P-417C via XY-4617, XY- 1 0 0 1 -
4623, XY-4629, respectively, and the patao
methanol injection pumps P-405A, P-405B, P-
405C via XY-4637, XY-4643, XY-4649 (missing on
PID), respectively.
Low level in TK-402 Dragon Chemical Inhibitor
Storage Tank. Low level setpoint on LIT-4901
(LALL-4901) shuts down the dragon chemical
43
inhibitor pumps P-406A, P-406B, P-407A, P- 1 1 - - -
407B via XY-4801, XY-4824, XY-4845, XY-4865,
respectively.
Low level in TK-406 Chemical Inhibitor Storage
Tank for Export Pipeline. Low level setpoint on
44 LIT-4902 (LALL-4902) shuts down the export 1 1 - - -
line chemical inhibitor pumps P-412A, P-412B
via XY-4886, XY-4892, respectively.
Low level in TK-413 Patao Chemical Inhibitor
Storage Tank. Low level setpoint on LIT-4906
(LALL-4906) shuts down the patao chemical
45
inhibitor pumps P-419A, P-419B, P-420A, P- 1 1 - - -
420B via XY-4701, XY-4724, XY-4745, XY-4765,
respectively.
High pressure in V-410A Fuel Gas H2S Removal
Vessel. High pressure setpoint in PIT-4276
46
(PAHH-4276) causes valves SDV-4201 (inlet), No SIL 0 - - -
SDV-4263, SDV-4233 to close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
Low pressure in V-410A Fuel Gas H2S Removal
Vessel. Low pressure setpoint in PIT-4276
47
(PALL-4276) causes valves SDV-4201 (inlet), 1 0 1 - -
SDV-4263, SDV-4233 to close.
High pressure in V-410B Fuel Gas H2S Removal
Vessel. High pressure setpoint in PIT-4282
48
(PAHH-4282) causes valves SDV-4201 (inlet), No SIL 0 - - -
SDV-4263, SDV-4233 to close.
Low pressure in V-410B Fuel Gas H2S Removal
Vessel. Low pressure setpoint in PIT-4282
49
(PALL-4282) causes valves SDV-4201 (inlet), 1 0 0 1 -
SDV-4263, SDV-4233 to close.
High level in V-401 HP Flare KO Drum. High
level setpoint on LIT-5605 (LAHH-5605) initiates
50
process shutdown of platform (level 2 1 2 - - -
shutdown w/o depressurization).
Low level in V-401 HP Flare KO Drum. Low level
setpoint on LIT-5605 (LALL-5605) causes outlet
51 valve SDV-5612 to close, shuts down pumps P- 1 1 - - -
401A, P-401B via XY-5609, XY-5620,
respectively.
Low temperature in V-401 HP Flare KO Drum.
Low temperature setpoint on TIT-5611 (TALL-
52 5611) causes outlet valve SDV-5612 to close, No SIL 1 - - -
shuts down pumps P-401A, P-401B via XY-5609,
XY-5620, respectively.
Loss of flame in X-401 HP Flare Tip. Alarm from
Flame Ionization Monitor (BA-5630) initiates
53
operator response for manual reignition of 1 1 - - -
flare.
High pressure in V-405 Closed Drain Drum.
High pressure setpoint on PIT-5023 (PAHH-
5023) causes valves SDV-5008 (liquid outlet),
54
SDV-1056 (gas separator A), SDV-1156 (gas 2 0 0 1 1
separator B) and SDV-5612 (hp ko drum) to
close.
Low pressure in V-405 Closed Drain Drum.
Low pressure setpoint on PIT-5023 (PALL-5023)
causes valves SDV-5008 (liquid outlet), SDV-
55
1056 (gas separator A), SDV-1156 (gas 2 0 0 1 1
separator B) and SDV-5612 (hp ko drum) to
close.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
High level in V-405 Closed Drain Drum.
High level setpoint on LIT-5002 (LAHH-5002)
causes valves SDV-1056 (gas separator A), SDV-
56 1156 (gas separator B) and SDV-5612 (hp ko 1 0 0 1 -
drum) to close, shuts down hp ko drum pumps
P-401A, P-401B via XY-5609, XY-5620,
respectively.
Low level in V-405 Closed Drain Drum.
Low level setpoint on LIT-5002 (LALL-5002)
causes valves SDV-5008 (liquid outlet), SDV-
57
1056 (gas separator A), SDV-1156 (gas 2 0 0 1 1
separator B) and SDV-5612 (hp ko drum) to
close.
Low level in TK-407 Open Drain Tank.
Low level setpoint on LIT-5407 (LALL-5407)
58 shuts down open drain tank pumps P-416A, P- No SIL 1 - - -
416B by closing SDV-5409 (air inlet to the
pumps).
Low level in X-417 Open Drain Caisson.
Low level setpoint on LIT-5410 (LALL-5410)
59 shuts down open drain tank pumps P-416A, P- No SIL 1 - - -
416B by closing SDV-5409 (air inlet to the
pumps).
High level in TK-409 Diesel Receiving Tank.
60 High level setpoint on LIT-7202 (LAHH-7202) 1 1 - - -
causes valve SDV-7203 to close.
Low level in TK-409 Diesel Receiving Tank.
Low level setpoint on LIT-7202 (LALL-7202)
causes valves SDV-7203 (inlet from diesel fill
61
connection) and SDV-7234 (outlet) to close, 1 0 0 1 -
shuts down diesel transfer pumps P-418A, P-
418B via XY-7207, XY-7211, respectively.
High pressure in P-418A Diesel Transfer Pump.
High pressure setpoint on P-7243 (PAHH-7243)
62
shuts down the diesel transfer pumps P-418A 1 1 - - -
via XY-7207.
Low pressure in P-418A Diesel Transfer Pump.
Low pressure setpoint on P-7243 (PALL-7243)
causes valves SDV-7234 (inlet) and SDV-7235
63
(outlet) to close, shuts down the diesel transfer 1 0 0 1 -
pumps P-418A, P-418B via XY-7207, XY-7211,
respectively.
High pressure in P-418B Diesel Transfer Pump.
High pressure setpoint on P-7244 (PAHH-7244)
64
shuts down the diesel transfer pump P-418B 1 1 - - -
via XY-7207.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-6: Safety Integrity Level – PFDAVG

SIL Base Case Case Case
ID Safety Instrumented Function
Required Case “A” “B” “C”
Ref (SIF) Description
(1,2,3,4) SIL SIL SIL SIL
Low pressure in P-418B Diesel Transfer Pump.
Low pressure setpoint on P-7244 (PALL-7244)
causes valves SDV-7234 (inlet) and SDV-7235
65
(outlet) to close, shuts down the diesel transfer 1 0 0 1 -
pumps P-418A, P-418B via XY-7207, XY-7211,
respectively.
High level in TK-401 Diesel Storage Tank.
High level setpoint on LIT-7230 (LAHH-7230)
66 causes valves SDV-7234 and SDV-7235 to close, 1 1 - - -
shuts down the diesel transfer pumps P-418A,
P-418B via XY-7207, XY-7211, respectively.
Low level in TK-401 Diesel Storage Tank.
Low level setpoint on PIT-7230 (PALL-7230)
causes valves SDV-7235, and SDV-7236 to close,
67 shuts down the diesel transfer pumps P-418A, 1 0 0 1 -
P-418B via XY-7207, XY-7211, respectively, and
diesel pumps P-404A, P-404B via XY-7219, XY-
7224, respectively.
Low level in TK-408A Potable Water
Storage.
Low level setpoint on LIT-6403 (LALL-6403)
68 starts sea water pumps P-410A, P-410B via No SIL 1 - - -
XY-6451, XY-6476, respectively, shuts down
potable water pumps P-408A, P-408B via
XY-6407, XY-6409, respectively.
Low level in TK-408B Potable Water
Storage.
Low level setpoint on LIT-6405 (LALL-6405)
69 starts sea water pumps P-410A, P-410B via No SIL 1 - - -
XY-6451, XY-6476, respectively, shuts down
potable water pumps P-408A, P-408B via
XY-6407, XY-6409, respectively.
Low pressure in Instrument Air system.
Low pressure setpoint on PIT-6057 (PALL-
70
6057) causes shutdown of platform level 2
2 2 - - -
w/o depressurization.

(*) – HIPPS to be purchased as a certified SIL 3 system.

Most of the data used in the verification calculation was based on generic failure rates, which
represent the industry average, but not necessarily the reliability and performance behavior of
the instrumentation to be selected.
 SIL VERIFICATION ANALYSIS - FEED

Table 9-4 summarizes the total number of SIFs that achieved their assigned SIL targets in the
base case and the first three sensitivity cases evaluated above.

Table RESULTS-4: SIL Targets Met - Base Case, Sensitivity Cases A,B,C

Base Case Case Case Target

Total % Met
Case “A” “B” “C” Met

SIL 1 21 1 17 1 40 40 100%

SIL 2 1 0 0 0 1 10 10%

SIL 3 4 - - - 4 4 100%

Of the 70 SIFs, 61 met their SIL target in one of the first four cases evaluated (base case;
sensitivity case A, B, C). For the purposes of this report, only the 9 SIFs that were unable
to meet their SIL targets in the earlier cases were evaluated further.
As shown in the PDVSA SIL Classification Report (TF013493-000-RT-1902-001 Rev C),
an alternative scenario was considered that gave additional risk reduction credits to
existing Independent protection layers (IPL) that could be improved through the
implementation of an operational integrity management plan that includes the
maintenance and testing requirements to ensure the integrity of these IPL. These credits
resulted in some SIL targets being lowered.
As a result of this alternative SIL classification scenario, 9 SIFs originally classified as SIL
2 were reclassified as SIL 1. Table 9-5 lists the 9 SIFs and the SIL they achieved as part of
sensitivity cases D and E. Additionally, comments about the particular equipment that was
given additional risk reduction credit as an IPL are captured here. Appendix 2 and 3
provide more detailed information about these particular cases.
 SIL VERIFICATION ANALYSIS - FEED

Table RESULTS-5: Alternative Scenario Safety Integrity Level – PFDAVG

SIL Case Case

ID Safety Instrumented Function
Required*
Ref (SIF) Description
(1,2,3,4)
Low pressure in V-101A Gas Separator.
Low pressure setpoint on PIT-1039 (PALL-1039)
14
causes valves SDV-1042, SDV-1056, and SDV-4038
to close.
Low level in V-101A Gas Separator.
Low level setpoint on LIT-1036 (LALL-1036) causes
16
valves SDV-1042, SDV-1056, and SDV-4038 to
close.
Low pressure in V-101B Gas Separator.
Low pressure setpoint on PIT-1139 (PALL-1139)
18
causes valves SDV-1142, SDV-1146, SDV-1156, and
SDV-4138 to close.
Low level in V-101B Gas Separator.
Low level setpoint on LIT-1136 (LALL-1136) causes
20
valves SDV-1142, SDV-1146, SDV-1156, and SDV-
4138 to close.
Low level in V-204 HP Fuel Gas Drum.
30 Low level setpoint on LIT-4215 (LALL-4215) causes
valves SDV-4263, SDV-4213 to close.
Low level in V-205 LP Fuel Gas Drum. Low level
38 setpoint on LIT-4238 (LALL-4238) causes valves
SDV-4233 and SDV-4245 to close.
High pressure in V-405 Closed Drain Drum.
High pressure setpoint on PIT-5023 (PAHH-5023)
54 causes valves SDV-5008 (liquid outlet), SDV-1056
(gas separator A), SDV-1156 (gas separator B) and
SDV-5612 (hp ko drum) to close.
Low pressure in V-405 Closed Drain Drum.
Low pressure setpoint on PIT-5023 (PALL-5023)
55 causes valves SDV-5008 (liquid outlet), SDV-1056
(gas separator A), SDV-1156 (gas separator B) and
SDV-5612 (hp ko drum) to close.
Low level in V-405 Closed Drain Drum.
Low level setpoint on LIT-5002 (LALL-5002) causes
57 valves SDV-5008 (liquid outlet), SDV-1056 (gas
separator A), SDV-1156 (gas separator B) and SDV-
5612 (hp ko drum) to close.
“D” “E” Comments
SIL SIL
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-101A, Gas Separator A
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-101A, Gas Separator A
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-101B, Gas Separator B
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-101B, Gas Separator B
2 risk reduction credits were taken
1 0 1 for PSV-5024 A/B
2 risk reduction credits were taken
1 0 1 for PSV-5024 A/B
2 risk reduction credits were taken
for PSV-5024 A/B
1 0 1
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-405, Closed Drain Drum
1 risk reduction credit was taken for
an integrity management program
1 0 1 on vessel V-405, Closed Drain Drum

(*) – SIL required as part of the alternative SIL classification scenario.

 SIL VERIFICATION ANALYSIS - FEED

Of the 9 SIFs all were able to achieve their sensitivity case SIL target of 1 under Case “E”,
which is similar to case “B”, but with the additional risk reduction credits considered.
While implementation of a well developed operational integrity management plan will have
widespread effects over all of the independent protection layers considered for all 70 SIFs,
it is important to note that these particular SIFs which needed further analysis only involve
4 specific pieces of equipment – the two gas separators (V-101A, V-101B), the closed
drain drum (V-405), and the PSVs for the closed drain drum (PSV-5024 A/B). Particular
attention should be given to the design and integrity of these pieces of equipment as the
analysis indicates they were the point of primary concern for the design team.
Table 9-6 shows the combined results of all of the cases evaluated, with percentages of
SILs met listed for each case.

Table RESULTS-6: SIL Achievement - All

Cases

Case SIL Target Met

Base Case 42 60%

Sensitivity Case “A” 43 61%

Sensitivity Case “B” 60 86%

Sensitivity Case “C” 61 87%

Sensitivity Case “D” 61 87%

Sensitivity Case “E” 70 100%

8.4 Major Contributors to the Probability of Failure on Demand

A secondary objective of this study was to identify the most important contributors to
probability of failure on demand associated with each one of the SIFs identified during the
SIL classification workshop.
For ease of identification of the major contributors to the Probability of Failure on Demand,
each SIF was modeled as three subsystems: sensor, logic solver and final element.
 SIL VERIFICATION ANALYSIS - FEED

Appendix 3 shows the contribution of each SIF elements (sensors, logic solver and final
elements) to the overall probability of failure on demand. Sensors and predominantly final
elements (valves) represent the more important contributors to the probability of failure on
demand (PFD).

9.0 RECOMMENDATIONS

 Incorporate in the technical specification of the SIF/SIS components (especially

sensors and final elements) the requirements defined in this analysis, particularly
regarding the failure rates, diagnostic coverage factors and safe failure fractions.

 Re-conduct the SIL verification process once specific failure data from the SIF/SIS
components (field instrumentation and logic solver) become available, in order to
ensure the fulfillment of the requirements in terms of architectural constraints (AC)
and average probability of failure on demand (PFDAVG). *

 Consider developing a comprehensive operational integrity management plan that

will ensure the required performance of independent protection layers including
pressure relief valves operation and mechanical pressure vessel integrity.

 Ensure that the four (4) HIPPS are independently verified as SIL 3 systems under
the operating guidelines of this project. This includes using realistic testing
frequency (base case currently considers this to be every 4 years) and accounting
for the effect of the specific operational context (offshore environment) on the
failure rates.

(*) – The re-assessment process should also consider the

SIFs associated with utility and third party packages.
 Project No Unit Document Material Serial Rev. Page
Type Code No
TF013493 000 RT 1902 002 C 46/49

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

APPENDICES
APPENDIX 1: SIL CLASSIFICATION / RISK GRAPH RESULTS

APPENDIX 2: ASSUMPTIONS

APPENDIX 3: SIL CALCULATIONS – EXSILENTIA REPORT

 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 1

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

APPENDIX 1: SIL CLASSIFICATION / RISK GRAPH RESULTS

Appendix 1 below shows the potential events requiring SIF, which were identified through
the revision of the HAZOP and the P&IDs. Each event was evaluated during the SIL
Classification workshops and meetings, and the results of the risk graph evaluation and
corresponding SIL target were recorded. This table contains the following columns:

ID Reference:
It represents the sequential number used to identify risk events.
HAZOP Ref:
It contains the reference scenario (node number if available) from the FEED
HAZOP worksheet and the subsystem name.
P&ID Ref:
It contains the distinguishing number of the corresponding P&ID for this project,
i.e. TF013493-DRA-PID-XXXX-XXXX.
Rev:
It contains the revision of the P&ID.
Cause:
It defines the causes of the risk event under consideration.
Hazard:
It defines the possible hazards/consequences associated with the primary cause
of the risk event under consideration.
SIF Description:
It contains the description of the existing or proposed SIF.
Additional Layer of Protection/Indication:
It contains information about instrumentation already available to
detect/prevent/mitigate the risk event under consideration.
Risk Graph:
It defines the attributes used to assess the SIL target and their corresponding
ranking.
Initial SIL Required:
It defines the initial SIL target before any IPL credits are applied.
Independent Mechanical Protection (PSV-HIPPS):
It indicates if an existing PSV or HIPPS represents an IPL for the risk event under
consideration.
Safety Integrity Level Required (Base Case):
It defines the required SIL for the SIF evaluated with base case IPL credits applied.
Safety Integrity Level Required (Operational Integrity Sensitivity Case):
It defines the required SIL for the SIF evaluated with sensitivity case IPL credits
applied
Risk Reduction Factor:
It defines the RRF provided for the SIL-SIF evaluated.
Comments:
It contains comments made during the SIL Classification workshop.
Recommendations:
It indicates any additional recommendation identified during the SIL Classification
process.
 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 2

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

APPENDIX 2: ASSUMPTIONS
This appendix contains the assumptions used to demonstrate that the SIF/SIS achieve the
target average probability of failure on demand (PFD AVG ) and architectural constraints
associated with the SIL requirement identified during the SIL Classification workshop.

Given the lack of technical information of the field instrumentation, the following specific
assumptions were used during the SIL Verification analysis:
1. Calculations for SIFs that resulted in a platform shutdown were simplified
through the inclusion of relays which mimic the effect of an ESD sequence.
2. Generic failure rate data was used to represent the valve and hydraulic
actuator associated with the subsea isolation valve (SSIV).
3. A Beta factor of 10% is assumed.
4. A functional test interval of 48 months is selected for initial SIL Verification
purposes.
5. ESD logic solver, and logic solvers associated with any non F&G SIF are
assumed to meet the requirement for SIL 3. To fully protect against systematic
faults a Software Criticality Analysis and testing of all software tasks and
operating systems is assumed to have been fully documented and available for
third party verification.
6. By default a SIL 3 rated system (logic solver) is considered. Probability of
failure on demand has been assumed as 6.36 x 10-5.
7. Valves 6” and larger were considered to be trunion-mounted ball valves, while
4” and smaller were considered to be floating ball valves.
1. The repair time to be used for SIL verification purposes will be agreed with
PDVSA; however, by default the following Mean Time to Restoration (MTTR) is
used:
o For those SIF components that can be repaired on-line, without process
isolation, a repair time of 8 hours. These include PLC components
(repaired by change-out on line) and sensors that are not in direct contact
with the process or that can be isolated from it by an isolation valve;
o For those SIF components that require additional effort to be isolated from
the process (e.g. emergency shutdown valves), a repair time of 12 hours.
o Subsea isolation valves (SSIV) were considered to have a repair time of 48
hours.
 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 2

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

The general assumptions and criteria used during the SIL verification process are defined
below.
2. All SIF components have been properly specified based on the process
application. For example, final elements (valves) have been selected to fail
safe depending on their specific application.
3. If a dangerous detected failure occurs, the SIF/SIS will take the process to a
safe state or plant personnel will take necessary action to ensure the process
is safe.
4. Systematic faults are not be quantified. It is assumed that certain measures
and techniques have been adopted to avoid and control such failures.
5. Valves and mechanical final elements are considered as “A-type” safety related
subsystem.
6. Smart transmitter and Logic Solver are considered as “B-type” safety related
subsystem.
7. The Beta model is used to treat possible common cause failures.
8. Partial valve stroke testing (PVST) is treated as a self test with diagnostic
coverage (Diagnostic Coverage model). Therefore, the PVST must be frequent
enough to reduce the effect of the PFDAVG for partial stroke test. Assuming a
functional proof test of 1 year, as a rule of thumb the PVST should be
performed at least on a monthly basis. The fraction of failures detected must
be provided and properly documented by manufacturers (e.g. FMEDA
performed by vendor or third party).
9. All the SIF/SIS are considered as working on a low demand mode of operation,
consequently:
o The demand rate will be no higher than once (1) a year.
o The functional testing frequency will be at least twice the demand rate.
10. Human operation, or lack of such, is not included in the reliability models.
11. Repair time includes time for failure detection, equipment isolation from
process, delay and waiting for spare parts or tools, and equipment start-up.
12. Maintenance personnel have been well trained and provided with the tools and
resources to perform their job appropriately.
13. Signals from maintenance/operator bypass are not included in the reliability
models.
 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 2

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

14. Application software has been developed in accordance with the Safety
Requirements Specification (SRS) and following the Safety Life Cycle (SLC)
described in IEC-61508/61511.
15. SIF/SIS are designed, installed, and maintained in accordance with IEC-
61508/IEC-61511.
16. After a repair, the failed item will be as good as new. Testing and repair of
components in the system are assumed to be perfect
17. Test intervals apply to complete functional testing; that means full activation of
the shutdown system, including operation of isolation valves (0% to 100%).
18. Upon detection of failures of components associated with SIS, it is assumed
that appropriate actions are taken to keep the system in a safe state.
19. Failures of electrical cables and connections are not included in the present
analysis. Such failures are assumed to be detected and corrected.
20. Once a component has failed in one of the possible failure modes it cannot fail
again in one of the remaining failure modes. It can only fail again after it has
first been repaired.
21. A Maintenance Management System (MMS) with appropriate operational and
maintenance plans is in place to ensure that the required safety integrity levels
of the system are maintained throughout the operational phase.
22. Failure rate function is random and independent of time (exponential
distribution). The failure data does not reflect the burn-in or wear-out
characteristics of equipment.
23. The sensor failure rate includes everything from the sensor to the input module
of the logic solver including the process effects.
24. Failure rate for sensors and final elements, unless otherwise indicated, are
taken predominantly from Exida Safety Equipment Reliability Handbook.
When available, failure data from manufacturers specified in the PDVSA
Approved Vendors List was used.
25. The logic solver failure rate includes the input modules, logic solver, output
modules and power supplies.
26. The final element failure rate includes everything from the output module of the
logic solver to the final element..
27. Smart transmitters are considered, e.g. transmitters equipped with self-
diagnostic features. A diagnostic coverage factor higher than 75% is assumed.
 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 2

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

28. Smart transmitters will generate an alarm when over or under their normal
range. The Safety PLC will trip the SIF when these alarms occur.
29. Component repair rates are assumed to be constant over the life of the
SIF/SIS.
 Project No Unit Document Material Serial No Rev. Page
Type Code
TF013493 000 RT 1902 002 C Appendix 3

MARISCAL SUCRE PROJECT – DRAGON & PATAO FIELD DEVELOPMENT

PETROLEOS DE VENEZUELA, S.A.
SIL VERIFICATION ANALYSIS

APPENDIX 3: SIL CALCULATIONS – EXSILENTIA REPORT

This appendix contains the results of the SIL verification analysis on the basis of
architectural constraints (AC) and average probability of failure on demand (PFDAVG).
It also provides information about:

 Specific failure rates per SIF component

 Overall SIF Mean Time to Fail Spuriously (MTTFS)

 Contribution of each SIF component to PFDAVG and MTTFS

 SIF Block Diagrams