
Best Practice

SABP–Z–091 22 March 2020


Safety Integrity Level Assignment and Verification for Existing Facilities
Document Responsibility: Process Control Standards Committee

Contents
1. Scope ................................................................. 2
2. Conflicts and Deviations ..................................... 2
3. References ......................................................... 2
4. Terminology........................................................ 3
5. Method Details ................................................... 7
Appendix-A: SIL Assignment for Existing Facilities During HAZOP Revalidation ....... 12
Appendix B: The Background and Basis for the Best Practice Methodology .............. 13

Previous Revision: None Next Revision: 22 March 2030


Contact: DAMLAX0A Page 1 of 13
©Saudi Aramco 2020. All rights reserved.

Saudi Aramco: Company General Use


Document Responsibility: Process Control Standards Committee SABP-Z-091
Issue Date: 20 February 2020
Next Planned Update: TBD SIL Assignment and Verification for Existing Facilities

1. Scope
This best practice document provides a concise method to conduct Safety Integrity
Level (SIL) assignment and verification in an existing Saudi Aramco facility where no
prior SIL assignment has been conducted. This document also provides guidelines to
develop Safety Requirement Specification (SRS) for a Safety Instrumented System
(SIS) and Safety Instrumented Function (SIF) intended proof testing.
The tasks in this best practice are to be implemented one time in an existing facility
during the plant’s HAZOP revalidation session.
The purpose of this document is to provide a simplified and cost effective SIL
Assignment approach using the risk ranking established during HAZOP revalidation in
existing facilities. The best practice provides guidelines how to prepare and conduct SIL
Verification as required by company and international standards. The document also
provides guidelines to establish a Safety Requirement Specification (SRS) and how to
handle SIF Proof Testing.

2. Conflicts and Deviations


Any conflict between this and applicable Mandatory Saudi Aramco Engineering
Requirements (MSAERs) shall be addressed in writing to the EK&RD Coordinator.
See SAEP-203, Governance of Saudi Aramco Best Practices.

3. References
All referenced procedures, standards, specifications, codes, forms, drawings, and
similar material or equipment supplied shall be considered part of this Best Practice to
the extent specified herein and shall be of the latest issue (including all revisions,
addenda, and supplements) unless stated otherwise.
Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-203 Governance of Saudi Aramco Best Practices
SAEP-250 Safety Integrity Level Assignment and Verification
Saudi Aramco Engineering Standard
SAES-J-601 Emergency Shutdown and Isolation Systems
Saudi Aramco Best Practice
SABP-Z-076 Guidelines for Development of Safety Requirement
Specification (SRS)
Industry Codes and Standards
International Electrotechnical Commission (IEC)
IEC 61511 Functional Safety - Safety Instrumented Systems for the Process Industry Sector

4. Terminology

Acronyms
BPCS Basic Process Control System
ESD Emergency Shutdown System
EIV Emergency Isolation Valve
HAZOP Hazards and Operability Study
IO Input/Output
IPL Independent Protection Layer
LOPA Layers of Protection Analysis
LPD Loss Prevention Department
LS Logic Solver
MEF Mitigated Event Frequency, [yr⁻¹]
MTBF Mean Time Between Failure, [yr]
MTTF Mean Time To Failure, [yr]
MTTR Mean Time To Repair, [hr]
MOV Motor Operated Valve
MAOP Maximum Allowable Operating Pressure
P&CSD Process and Control Systems Department
PFDavg Probability of Failure on Demand Average
PHA Preliminary Hazard Analysis
RRF Risk Reduction Factor
RTF Risk Target Frequency
SAPMT Saudi Aramco Project Management Team
SIL Safety Integrity Level
SIF Safety Instrumented Function
SIS Safety Instrumented System
SRS Safety Requirements Specification
STR Spurious Trip Rate, [yr⁻¹]
T&I Test and Inspection
TI Test Interval, [yr]
UPS Uninterruptible Power Supply
ZV Power Operated Emergency Isolation Valve


Definitions
Basic Process Control System (BPCS): A system that provides process control and
monitoring for a facility by responding to input signals from the process, associated
equipment or operators to generate outputs based on control functions and desired
control strategies, but does not perform any SIF. Examples of a BPCS are DCS,
SCADA and PLCs.
Beta Factor (β): The number of common cause failures expressed as a fraction of all
possible failures. A common mode failure is a failure that may affect duplicate
components in redundant configurations.
Dangerous Failure (λD): Component failures that will prevent the Safety Instrumented
Function from safely shutting down and isolating the process. Dangerous failures
consist of dangerous detected and dangerous undetected failures.
λD : The failure rate for a dangerous failure of a component.
λD = λDD + λDU
λD = 1/MTTFD
λDD : The failure rate for a dangerous detected failure of a component.

λDU : The failure rate for dangerous un-detected failure of a component.


Demand: A process or equipment condition that requires the Safety Instrumented
Function to take action to prevent a hazardous situation.
Diagnostic Coverage Factor (DCF): The number of dangerous failures that the diagnostic
features are capable of detecting, expressed as a fraction of all possible dangerous failures.
Emergency Shutdown System (ESD): A system composed of sensors, logic solvers,
and final control elements for the purpose of taking the process, or specific equipment
in the process to a safe state when predetermined conditions are violated. The system is
designed to isolate, de-energize, shutdown or de-pressure equipment in a process unit.
Another term commonly used throughout the hydrocarbon and petrochemical industry
is a Safety Instrumented System (SIS).
Failure: An abnormal situation that prevents the operation of the Safety Instrumented
Function(s).
Final Control Element (FE): A device that manipulates a process variable. Final
elements include valves, relays, solenoids and switchgear.
Hardware Fault Tolerance (HFT): The ability of the system and SIF components to
continue to perform the required function in the presence of one or more faults. A
hardware fault tolerance of one means that the system will perform the required
function in the presence of a single fault.
Hazardous Event: Event that can cause injury or damage to the health of people, or
damage to property or to the environment. A loss of containment of flammable,
combustible or toxic materials is considered a hazardous event.
Hazards and Operability (HAZOP) Study: A Process Hazard Analysis technique
applied to processes to identify hazards and operability issues, which have the potential
to place the process plant, environment or personnel at risk. The HAZOP study
identifies abnormal process deviations that may require additional protection functions.


Independent Protection Layer (IPL): Any mechanism that reduces risk by control,
prevention or mitigation. An IPL can be a process engineering mechanism such as size
of vessel, a mechanical mechanism such as a relief valve, a control system such as the
BPCS or ESD or an administrative procedure.
Inherent Safety: A design that avoids hazards instead of controlling them, by
minimizing the amount of hazardous material present, substituting the material with a
less hazardous one, moderating the effect through dilution or pressure reduction,
and simplifying the design where practical to minimize equipment and process
failures.
Initiator: The input measuring device that initiates a trip signal to the ESD system.
Initiators include switches, transmitters and manual pushbuttons.
Legacy SIS: A Safety Instrumented System (ESD System) that was engineered,
designed, built and operated prior to the realization of performance based system
standards like IEC 61511.
Logic Solver (LS): The system that is used to perform the shutdown application logic.
Logic solvers may be programmable controller based, relay based or solid state.
Mechanical Integrity: The suitability of the equipment to operate safely and reliably
under the normal and abnormal (upset) operating conditions to which the equipment is
exposed.
Mean Time To Failure (MTTF): The expected time to failure of a system in a
population of identical systems.
Mean Time Between Failures (MTBF): The expected time between failures of a
system's component, including its time to repair. MTBF = MTTF + MTTR
Mean Time To Repair (MTTR): The statistical average of the time taken to identify
and repair a fault (including diagnosis) in a population of identical systems.
Process Hazard Analysis (PHA): Organized and systematic assessment of the
potential hazards associated with a process e.g. HAZOP.
Potentially Toxic Material: A liquid or gas substance whose toxic concentration in the
gas phase, determined through equilibrium flash calculations, exceeds its Immediately
Dangerous to Life and Health (IDLH) value.
Probability of Failure on Demand (PFDavg): The average probability of a system
failing to respond to a demand in a specified time interval is referred to as PFDavg.
PFDavg = 1 - Safety Availability.
Process Safety Time (PST): The time between the Safety Instrumented Function trip
point being reached and a hazardous event occurring if no safety measures such as a
shutdown are taken.
Proof Test: A periodic test performed on SIF components according to test procedure
for the purpose of detecting dangerous hidden failures and ensuring that the SIF
component is functioning correctly.
Proven-in-use or Prior-use: When a documented assessment has shown that the
device, based on previous operating experience in a similar environment, is suitable for
use in the ESD system.


Residual Risk: The risk remaining after protective measures have been taken.
Risk Reduction Factor (RRF): The reduction of risk that the Safety Instrumented
Function provides when operating in the process. RRF = 1/PFDavg (of the SIF)
Safety Availability: The fraction of time that a safety system is able to perform its
designated function when the process is operating. The safety system is unavailable
when it has failed dangerously or is in bypass. Safety availability is equal to 1 - PFDavg
of the SIF.
Safe Failure (S): A failure that does not place the SIF in a dangerous state. A safe
failure results in a trip or an alarm to the operator.
S : The failure rate for a safe failure of a component.
S = SD + SU = 1/(MTTFS).
SD : The failure rate for a safe detected failure of a component.
SU : The failure rate for safe un-detected failure of a component.
Safety Instrumented Function (SIF): A safety function implemented in the ESD,
consisting of any combination of sensor(s), logic solver(s), and final elements(s), which
is intended to achieve or maintain a safe state for the process, with respect to a specific
hazardous event. SIFs are identified as part of SIL assignment or are prescriptive.
Safety Integrity Level (SIL): Discrete level allocated to the SIF for specifying the
safety integrity requirements to be achieved by the SIS. The SIL is a measure of the
performance of the SIF in terms of probability of failure on demand.
Table 1: SIL in terms of Probability of Failure on Demand or Risk Reduction

Safety Integrity Level | PFDavg               | Risk Reduction
1                      | ≥ 10⁻² to < 10⁻¹     | > 10 to ≤ 100
2                      | ≥ 10⁻³ to < 10⁻²     | > 100 to ≤ 1000
3                      | ≥ 10⁻⁴ to < 10⁻³     | > 1000 to ≤ 10000
4                      | ≥ 10⁻⁵ to < 10⁻⁴     | > 10000 to ≤ 100000
Safety Requirements Specification (SRS): The specification that contains all the
functional requirements for the SIFs and their associated safety integrity levels. Refer to
SABP-Z-076.
Spurious Trip Rate (STR): The rate of unscheduled shutdowns of the process occurring
each year. MTTF(spurious) = 1/STR (of the SIF).
Test Interval (TI): The time interval in years at which a proof test is performed on a
sensor, logic solver and/or final control element to ascertain that the components of a SIF
are operating correctly.
ZV: A power operated emergency isolation valve that is controlled from an Emergency
Shutdown System (ESD).


5. Method Details
The method presented in this best practice is divided into five phases as follows:
Phase 1 Risk Ranking During HAZOP Revalidation
Phase 2 SIL Assignment
Phase 3 SIL Verification
Phase 4 Safety Requirement Specification (SRS)
Phase 5 SIF Proof-Testing

Phase-1 Risk Ranking During HAZOP Revalidation


During the plant's next PHA/HAZOP Revalidation, apply risk ranking to all identified
hazardous events in their "unmitigated" state, i.e. without consideration of the
safeguards. If the existing HAZOP report shows that the hazards were risk ranked with
consideration of safeguards (mitigated), the unmitigated severity shall be assigned to
each event during the HAZOP revalidation.
Refer to Appendix A which explains Phases 1 and 2 in a flowchart.
Deliverables of Phase-1:
1. Updated HAZOP Report with unmitigated Risk Ranking of all identified
hazards.
2. List of SIFs for low severity hazards
3. List of SIFs for high severity hazards
Phase-2 SIL Assignment

5.2.1 SIFs for Low Severity Hazardous Events


Assign SIL-1 to all SIFs deployed for low severity hazards. SIFs for low
severity hazards will not be subject to LOPA. All such SIFs and associated SIL
rating will be documented in the SIL Assignment Report.
5.2.2 SIFs for High Severity Hazardous Events
SIFs for high severity hazards (existing or new) will be further analyzed by LOPA
to determine their SIL.
5.2.3 Company LOPA Engineering Application
The company LOPA Engineering Application described in SAER-10335 shall
be used to conduct the required LOPA, either during the HAZOP Revalidation or
immediately after it. The application is spreadsheet based and has built-in
dropdown menus for the Initiating Causes, Probabilities of Ignition and Independent
Protection Layers listed in SAEP-250, making it a tool that is compliant with Company
standards, convenient and easy to use.
5.2.4 SIL Assignment Report Recommendations


The LOPA sheets and the summary sheets are saved in PDF format to be included in
the final SIL Assignment Report. The SIL Assignment report guidelines provided in
Appendix-A of SAEP-250 shall be followed.
5.2.5 SIL Assignment Report and Recommendations
The SIL Facilitator shall issue a SIL Study (LOPA) Report gathering the study
work effort, assumptions, LOPA sheets and recommendations.
The SIL Assignment Report should be reviewed by the SIL study team
members. SIL recommendations complement the SIL study analysis and plant
process safety. Therefore, all report recommendations shall be
scheduled for implementation and final closure. A mechanism to monitor the
implementation progress of the SIL study report recommendations shall be developed and
followed until all recommendations are implemented.
Deliverables of Phase-2:
1. SIL Assignment report as described in SAEP-250.
2. LOPA sheets for all SIFs for high severity hazardous events.
3. Recommendations.
Phase-3 SIF SIL Verification

5.3.1 SIL Verification Information


The required information for SIL Verification includes:
• SIF components' Instrument Specification Sheets (ISS).
• Detailed SIF component brand, model and part number of the sensor, logic
solver and final element. The latter could be an emergency
shutdown valve (solenoid valve, actuator and valve) or an interposing
relay.
• SIF components' generic reliability data, including:
  o Dangerous Detected failure rate (λDD) from SAEP-250 (for SIL-2
  and SIL-3 SIFs).
  o Dangerous Undetected failure rate (λDU or MTBF) data from
  SAEP-250.
  o Safe failure rate (λS) data from SAEP-250.
  o If any required reliability figure is not available in SAEP-250, a
  third-party source shall be used.
  o Prescriptive Test Intervals from SAES-J-601.
  o Current plant SIF test intervals.
  o Plant Turnaround and Inspection cycle.
  o Company SIL Verification tool, described in SAER-10336, if
  conducted in-house.


  o List of potential contractors to conduct SIL Verification, if contracted.


5.3.2 SIL Verification Calculation
SIL rated SIFs shall be verified against their assigned SIL rating. This is
achieved by calculating the SIF Probability of Failure on Demand (PFD).
The following shall be observed during SIL Verification:
• The calculation shall be conducted using the Simplified Equations in SAEP-250.
• The sources of all data used in the SIL Verification must be listed in the final
SIL Verification report.
• The PFD target for SIL-1 assigned without LOPA during HAZOP
revalidation shall be not more than 7.5 × 10⁻².
• For a LOPA assigned SIL rating, the target shall be the PFD specified in the
LOPA sheet.
• The shortest TI used in SIL Verification shall be 6 months for switches
and 1 year for transmitters and final elements.
• The longest TI used in SIL Verification shall be no longer than 5 years.
• If the initial SIL Verification calculations indicate a PFD much lower than the
target PFD (i.e. a higher SIL than the target is achieved), TIs can be
relaxed/increased but should not exceed the maximum allowable set in
this best practice document.
• The final TI should be practical, should not exceed the plant T&I cycle, and
should achieve the LOPA assigned PFD (for the SIL).
• If the SIL Verification calculations indicate that the achieved PFD is higher than
the target PFD even with the shortest practical test intervals, the
following shall be observed:
  o Use a shorter, reasonable Test Interval.
  o Revisit the SIL assignment study and its associated assumptions and
  figures.
  o Replace sensors or final elements with new ones that have better
  MTBF figures. Any sensor change is subject to the Management of
  Change (MOC) procedure.
  o Add more sensors or final elements and check the achieved PFD
  values for 1oo2, 2oo3, etc.
  o SIL Verification is described in more detail, with an example, in
  SAEP-250 and SAER-10336.
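As an added worked example (not part of SABP-Z-091 and not the Company's SAER-10336 application), the check below encodes the Table 1 SIL bands and the section 5.3.2 test interval limits and PFD targets, verifies a constructed SIF, and shows the two remedies the section describes: relaxing the TI when the PFD is well below target, and adding redundant elements when it is above target. The per-subsystem formulas are assumed to be the standard IEC 61508 simplified equations (not SAEP-250's), and every failure rate and tag number is a constructed illustrative value.

```python
"""Worked SIL Verification check following section 5.3.2 and Table 1 of SABP-Z-091.
Assumed, not from the document: per-subsystem PFDavg uses the standard IEC 61508
simplified equations (1oo1: lambda_DU*TI/2; 1oo2/2oo3 with a beta common-cause
term); all failure rates and tags below are constructed values, not SAEP-250 data."""
from dataclasses import dataclass, replace

# Table 1: SIL bands as (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# Section 5.3.2: shortest TI per element type (years) and the 5-year cap
MIN_TI = {"switch": 0.5, "transmitter": 1.0, "final_element": 1.0}
MAX_TI = 5.0
SIL1_NO_LOPA_TARGET = 7.5e-2  # PFD target for SIL-1 assigned without LOPA

@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "switch", "transmitter", "final_element" or "logic_solver"
    lambda_du: float   # dangerous undetected failure rate, per year
    ti: float          # proof test interval, years
    voting: str = "1oo1"
    beta: float = 0.0  # common-cause beta factor, used for redundant voting

def element_pfd(e):
    """PFDavg of one subsystem using the assumed simplified equations."""
    x = e.lambda_du * e.ti
    if e.voting == "1oo1":
        return x / 2
    if e.voting == "1oo2":
        return x ** 2 / 3 + e.beta * x / 2
    if e.voting == "2oo3":
        return x ** 2 + e.beta * x / 2
    raise ValueError(f"unsupported voting {e.voting}")

def sif_pfd(elements):
    """SIF PFDavg: sum of the sensor, logic solver and final element PFDavg."""
    return sum(element_pfd(e) for e in elements)

def achieved_sil(pfd):
    """Map a PFDavg to its Table 1 band; 0 means PFDavg >= 0.1 (below SIL-1)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else 4  # below 1e-5 is beyond Table 1; cap at 4

def ti_problems(elements):
    """Section 5.3.2 TI limits; the document sets no minimum for the logic solver."""
    problems = []
    for e in elements:
        if e.ti < MIN_TI.get(e.kind, 0.0):
            problems.append(f"{e.name}: TI {e.ti} yr is shorter than allowed for {e.kind}")
        if e.ti > MAX_TI:
            problems.append(f"{e.name}: TI {e.ti} yr exceeds the 5 year maximum")
    return problems

def verify(elements, target_pfd):
    """Compare achieved PFDavg with the target PFD; report RRF, SIL and TI issues."""
    pfd = sif_pfd(elements)
    return {"pfd": pfd, "rrf": 1 / pfd, "sil": achieved_sil(pfd),
            "meets_target": pfd <= target_pfd, "ti_problems": ti_problems(elements)}

def longest_ti(elements, target_pfd, plant_ti_cycle):
    """Relax a common TI in half-year steps, never past the 5 year cap or the plant
    T&I cycle; return the longest TI that still meets the target (None if none)."""
    best, ti = None, 0.5
    while ti <= min(MAX_TI, plant_ti_cycle):
        trial = [replace(e, ti=ti) for e in elements]
        if sif_pfd(trial) <= target_pfd and not ti_problems(trial):
            best = ti
        ti += 0.5
    return best

# Constructed example SIF: pressure transmitter -> logic solver -> ZV, all 1oo1
BASE_SIF = [Element("PT-101", "transmitter", 0.02, 1.0),
            Element("LS", "logic_solver", 0.001, 1.0),
            Element("ZV-101", "final_element", 0.05, 1.0)]
# The same SIF after the section 5.3.2 remedy of adding a redundant sensor and valve
UPGRADED_SIF = [Element("PT-101A/B", "transmitter", 0.02, 1.0, "1oo2", 0.05),
                Element("LS", "logic_solver", 0.001, 1.0),
                Element("ZV-101A/B", "final_element", 0.05, 1.0, "1oo2", 0.05)]
```

With the constructed rates, the base SIF reaches PFDavg 0.0355 (SIL-1, within the 7.5 × 10⁻² target) and could have its TI relaxed to 2 years, but it fails a LOPA target of 5 × 10⁻³ until the 1oo2 sensor and valve are added.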
5.3.3 Company SIL Verification Application
The Company SIL Verification Engineering Application described in SAER-
10336 can be used to calculate the SIF PFD. The Application is spreadsheet
based and has built-in dropdown menus for the simplified equation data listed in
SAEP-250, making it a tool that is compliant with Company standards, convenient and
easy to use.
5.3.4 SIF Spurious Trip Rate
Calculate the SIF spurious trip rate using the simplified equations in SAEP-250.
A balanced situation between PFD and STR should be achieved. Guidelines for
STR in section 5.3 in SAEP-250 shall be observed.
5.3.5 SIL Verification Report
All SIL Verification calculations and associated information should be presented
in the final SIL Verification report. Guidelines provided in Appendix-B in
SAEP-250 for SIL Verification report shall be followed.
5.3.6 SIL Verification Report Recommendations
As a result of SIL Verification there could be a number of recommendations for
new SIF architecture including adding new sensors and final elements and
implementing voting for SIFs that used to have a 1oo1 architecture. These
recommendations must be implemented to confirm that the target SIF SIL is
validated.
Deliverables of Phase-3:
1- SIL Verification report containing the following:
a. SIF PFDavg calculations and results.
b. List of all verified SIF Test Intervals.
c. SIF Spurious Trip Rate Calculations and results.
2- Confirmation that the existing SIF hardware and design is adequate for
the assigned SIL.
3- Recommendations.
Phase 4 Safety Requirement Specifications
The existing SIS may not have an SRS document or SIF Specification Templates. The
systems were engineered and built to the Saudi Aramco Engineering Standards of the time.
Good record keeping of these documents, and updating them frequently, can be considered
a substitute for a modern system SRS. These documents are acceptable SIS reference
documentation during the lifecycle of the system. The design documents to be
maintained are:
• Field instruments and final elements ISSs
• ILDs
• C&Es
• Logic Drawings
• ESD Control Narratives
• Process Control Philosophy
• ESD Functional Specification Document


Utilizing an SRS template like the one in SABP-Z-076 for all SIFs in the plant is the
ultimate solution, welcomed and encouraged.
Deliverables for Phase-4:
1. Updated drawings and documents list and SRS.
2. A list of all up-to-date documents and their locations.
3. SIF template (from SABP-Z-076) for each SIF in one folder/area or Unit.
Phase 5 SIF Proof-Testing
• Develop a proof test procedure for each instrument and final element.
• Consult company standards, the reliability group in the plant, the SRS and manufacturer
literature to determine instrument capabilities, limitations and specific
requirements.
• Document the SIF test interval used in the SIL Verification calculations.
• A shutdown in which the final elements operate as intended is considered a test and
must be documented as such to reset the test cycle.
• Save all test documents, update the tracking system for previous tests and
schedule future tests.
Deliverables for Phase-5:
1. Proof test procedure for all SIF Sensors.
2. Proof test procedure for all SIF Final Elements.
3. Updated SAP system SIF test intervals to the SIL Verified TIs.


Appendix-A: SIL Assignment for Existing Facilities During HAZOP Revalidation

[Flowchart; only the box labels survive extraction. Boxes: START; EXISTING HAZOP
DOCUMENT; HAZOP REVALIDATION; IS PROCESS EXEMPTED FROM SIL? (Y/N); FIRST
HAZARDOUS EVENT ... LAST HAZARDOUS EVENT; RISK RANK; PREVENTABLE BY SIF? (Y/N);
IS THE SIF PRESCRIPTIVE? (Y/N, see note (*) below); SEVERITY ≥ 4? (Y: CONDUCT LOPA,
then ASSIGN SIL TO SIF; N: ASSIGN SIL-1 TO SIF); DOCUMENT SIL ASSIGNMENT; ISSUE SIL
REPORT; STOP.]

(*) ESD Prescriptive Functions Exempted from a SIL Assignment


An ESD system may contain prescriptive functions as required by the Saudi Aramco mandatory standards listed in
Sec. 5.4 of SAES-J-601. These prescriptive functions shall not be subject to a SIL assessment and shall meet the
test interval requirements stated in Sec. 11 of SAES-J-601.


Appendix B: The Background and Basis for the Best Practice Methodology

General
This document applies a selection criterion for SIFs based on the unmitigated severity of the
hazard they prevent or mitigate. The criterion assigns SIL-1 to SIFs deployed to
prevent or mitigate hazards with severity levels of 1 to 3. SIFs deployed to prevent or
mitigate hazards with severity levels of 4 to 5 are taken to LOPA to determine the
appropriate SIL Assignment.

SIFs for Low Severity Hazards


The severity levels 1-3 for personnel safety in HAZOP match the severity levels 1-2 for
personnel safety in Appendix H of SAEP-250. This means the outcome of a SIL assessment
would likely be SIL-1 or less for SIFs allocated to such hazards. Given the initiating cause
frequency and any one or more IPLs, conditional modifiers and enabling conditions, it is
unlikely that the SIF SIL would be higher than 1. This is what the SIL-1 assignment in the
selection criteria in Appendix A is based on.
If LOPA were conducted for these SIFs, some of them would be assigned SIL-0, and one might
question why SIL-1 is assigned (by the criteria in this BP) to a SIF that would be assigned SIL-0
if LOPA were conducted. Is this a case of overdesign? The answer is "no."
With the reliable sensors, logic solvers and final elements used in the Company, along with the
standard testing intervals observed for SIF testing in Company plants, SIL-1 would be achieved
anyway even if a SIF were only assigned SIL-0. Since this best practice addresses existing
facilities, moving SIFs to the BPCS will not be recommended nor entertained. Therefore, the
methodology meets and exceeds site requirements.

SIFS for High Severity Hazards


LOPA conducted for SIFs deployed for higher severity hazards may result in a
low or high SIL being assigned. The high SIL SIFs are what this Best Practice identifies, assesses
for suitability and confirms are designed to achieve the required Risk Reduction.
