SAFETY INSTRUMENTED SYSTEMS EBOOK
GUIDE TO THE SIS SAFETY LIFE-CYCLE of IEC 61511 edition 2
eFunctionalSafety.com

ABOUT THIS EBOOK

This eBook is our 3rd edition aimed at industry professionals interested in safety instrumented systems - SIS.

In this new edition, we’ve included links to several eLearning modules to give you extra detail on topics you may find helpful.

This guide and the selected online modules are only a start. You can demonstrate your competence by taking the full IChemE accredited learning path SIS and Functional Safety.

We hope that you find the guide and online materials useful.

eFunctionalSafety®
Introduction

Safety is a general term we all use, although we rarely consider how to measure it.

Safety standards define safety as “Freedom from danger, risk, or injury” or “Freedom from unacceptable risk”. These definitions confirm that risk is present in daily life while recognizing that we should not have to accept high risk.

Achieving a tolerably safe environment when working with large quantities of hazardous chemicals and flammable substances can be challenging. Those who work in and around industrial processes should wear appropriate personal protective equipment, but that will not be sufficient if there is any significant loss of containment or explosion.

Process safety is a broad and varied subject in itself. Still, for our purposes, we’ll say that the target is keeping processes under control and stopping the loss of containment of hazardous materials from pipes, vessels and other process equipment. Process safety involves many disciplines, including materials experts, process engineers, mechanical, electrical, control and instrumentation, and process safety professionals.

… automation equipment such as sensors, logic solvers and final elements will make the process safe. When applied correctly, functional safety principles should ensure that each hazardous event is prevented or mitigated by equipment designed with the correct level of integrity for the risk posed.

This guide focuses on the automated IEC 61511 specified safety instrumented systems - SIS - used to prevent loss of containment events to protect life, the environment and company finances.

The IEC 61511 standard outlines a functional safety lifecycle for the process industry sector and is now internationally accepted by operating companies and regulators worldwide. The safety lifecycle provides an outline flowchart detailing the stages of different activities needed to assess hazards and then develop instrumented protection layers to prevent or mitigate risk.

THE SAFETY INSTRUMENTED SYSTEM

There are links in this ebook to several eLearning courses & quizzes. To access the ELEARNING LINKS in this document you must REGISTER HERE.
[Lifecycle diagram, stage 1: Hazard Identification, Layer of Protection Analysis, IPL and SIL target assessment, led by the duty holder (hazard owner). Outputs: LOPA and SIL targets, IPL Register, Specification for SIS & SIF. Stage 2: Functional Safety Assessment Stage 1. Inputs: FSA 1-3 Plan / Procedure, ALARP Justification; output: FSA Stage 1 Report.]

Hazard and risk assessment

Any company operating systems or processes that could result in loss of life or significant environmental damage must carry out hazard identification and risk assessment. For process facilities, this usually involves looking for events that could result in the “loss of containment” (LOC) of hazardous materials.

There are many ways of approaching process hazard analysis (PHA), often using a combination of study methods like HAZOP - Hazard and Operability studies. Whichever methods are adopted, the key is to use a systematic procedure covering all process areas using a multi-discipline team.

If approached methodically, a HAZOP should provide:
• Credible information on possible causes of hazards.
• Estimated consequences of hazardous events.
• Safeguards that can prevent event occurrence or mitigate escalation.
• Actions for safety and operational improvement.

LOPA and SIL targets

After HAZOP, there often needs to be further analysis to assess the independence and effectiveness of protection layers. There are no standardized techniques for this step, so each duty holder needs to decide on a method that will best fit their requirements.

This step can only be attempted with clear risk criteria. Tolerable risk usually comes in a company-approved risk matrix or a set of numerical targets with maximum frequencies for undesired consequences.

One effective technique at this stage is a layer of protection analysis (LOPA). A LOPA study considers each significant hazard scenario and determines whether the safeguards identified during PHA/HAZOP are adequate as independent protection layers (IPL).

After considering all possible IPLs, one or more Safety Instrumented Functions (SIF) will often be needed to reduce risk to tolerable levels. With the correct procedural steps in place, the LOPA study can also determine each SIF’s Safety Integrity Level (SIL) target.
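As an added illustration of the LOPA step described above (not code from the eBook), the following shows the arithmetic of crediting IPLs against a tolerable frequency and mapping the PFDavg a new SIF must achieve onto a SIL band. The scenario values are constructed; the SIL bands are the low-demand PFDavg ranges of IEC 61511.

```python
"""Worked LOPA arithmetic: initiating event frequency, credited IPLs and a tolerable
target frequency -> the PFDavg a new SIF must achieve and its SIL band.
Added example, not from the eBook; the scenario values in main are constructed."""

# Low-demand SIL bands from IEC 61511 / IEC 61508 (PFDavg): SIL n = [10^-(n+1), 10^-n).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

def mitigated_frequency(initiating_freq, ipl_pfds, modifiers=()):
    """Consequence frequency (per year) after crediting the existing IPLs and any
    conditional modifiers (e.g. probability of personnel present); each credit is a
    probability that multiplies the initiating event frequency."""
    freq = float(initiating_freq)
    for p in (*ipl_pfds, *modifiers):
        if not 0.0 < p <= 1.0:
            raise ValueError(f"credit must be a probability in (0, 1], got {p}")
        freq *= p
    return freq

def required_sif_pfd(initiating_freq, ipl_pfds, tolerable_freq, modifiers=()):
    """PFDavg the added SIF must achieve so the mitigated frequency does not exceed
    the tolerable frequency; None when the existing IPLs already meet the target."""
    freq = mitigated_frequency(initiating_freq, ipl_pfds, modifiers)
    if freq <= tolerable_freq:
        return None
    return tolerable_freq / freq

def sil_target(required_pfd):
    """Map a required PFDavg onto a SIL band: 0 means the risk reduction needed is
    below SIL 1 (PFD >= 0.1); None means it exceeds what one SIF can claim (< 1e-5)."""
    if required_pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= required_pfd < high:
            return sil
    return None

def lopa_scenario(initiating_freq, ipl_pfds, tolerable_freq, modifiers=()):
    """Summarise one scenario: mitigated frequency, SIF PFD, risk reduction factor, SIL."""
    pfd = required_sif_pfd(initiating_freq, ipl_pfds, tolerable_freq, modifiers)
    return {"mitigated_freq": mitigated_frequency(initiating_freq, ipl_pfds, modifiers),
            "sif_pfd": pfd, "rrf": None if pfd is None else 1.0 / pfd,
            "sil": None if pfd is None else sil_target(pfd)}

if __name__ == "__main__":
    # Constructed scenario: BPCS loop failure overpressures a vessel at 0.1/yr; credited
    # IPLs: relief valve 0.01, operator response 0.1; personnel present 50%; target 1e-7/yr.
    print(lopa_scenario(0.1, [0.01, 0.1], 1e-7, modifiers=[0.5]))
```

A `sil` of None is the signal that one SIF cannot close the gap and the scenario needs additional independent layers or a design change rather than a higher SIL claim.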
ELEARNING LINK: LOPA INTRODUCTION
ELEARNING LINK: hazard analysis workflow and methods
[Lifecycle diagram, stage 3: Development of the concept SIF design to meet the SIL target. Outputs: SIL Verification Report (proposed design can meet SIL target with selected equipment), UPDATED Safety Requirements Specification for SIS & SIF. Stage 4: Detail Design of sensors, logic solver and final elements. Inputs: Sensor Manufacturer Data Sheets; outputs: SIS Field Device Installation Documentation, Field Device Proof Test Procedures.]

Development of detailed design of the SIS hardware and application program (software).

… do. Functionality can be readily expressed by “cause and effect” diagrams that associate the sensed condition and its required actions.
Integrity requirements set the standard for the design in terms of safety integrity and system
availability. The SIL target is one integrity requirement of a SIF, but not the only one. Others in-
clude Probability of Failure on Demand (PFD) or Probability of Failure per Hour (PFH), hardware
fault tolerance (HFT) and Systematic Capability (SC).
Installation, Commissioning and Validation Testing

[Lifecycle diagram, stage 5: logic solver hardware and software build and integration. Labels: Logic Solver Manufacturer, Logic Solver Safety Manual, FAT Plan / Test Specification, Integration Verification, Duty Holder witnessed FAT, FAT Punch List (following Project Modification Procedure), FSA 1-3 Plan / Procedure, FSA Stage 2, Integrated SIS (pre-installation), FSA 1 and FSA 2 Report.]

Factory acceptance testing (FAT) is often the start of many stages that involve exercising the system to mimic the required functionality on the plant. Simulated factory testing cannot be the final step and should always be distinct from validation on the hazard site, which involves an end-to-end physical test, from the installed sensor to the installed final element, for every SIF listed in the safety requirements specification (SRS).

[Lifecycle diagram, stage 6: SIS installation, commissioning and validation testing on the plant before normal operation. Labels: Install BPCS / HMI, Install SIS Logic Solver, Install SIS Field Devices, Commissioning Documentation, Project Modification Procedure, “As-Built” SIS Documentation, Operation & Maintenance Document, FSA Stage 3 Report, UPDATED Safety Requirements Specification for SIS & SIF.]

The SRS should be the primary reference source for creating the witnessed validation plan to specify the validation crew’s detailed steps. These include physical inspection steps, drawing review versus actual installed equipment, positive and negative test activities and test logs.
By now, inspection and proof test procedures for the SIS and each SIF should be available. Ideally, the proof tests get scheduled to tie in with turnarounds to enable safe offline testing. Maintainers must keep detailed inspection and test records for future assessment, audit and further analysis of equipment failure root cause.

Special procedures for bypassing a SIF or SIS during operation may also be needed, especially for continuous process plants. Such practices must account for the full risks of inhibiting a safety function and have appropriate technical review and authorization.

As demands occur that require the SIS to react, operations should track these over time to look for negative trends which might lead to plant or system modification.

A sound FSM system will ensure that personnel are competent in the part of the lifecycle they are involved with. Management should provide adequate policies, planning and procedures to control the many lifecycle activities over a potentially long life that will often outlive the personnel working on the plant. With correct management systems, companies should retain safety knowledge as people move on or retire.

In planning lifecycle steps, it is essential to consider the inputs, procedures and expected outputs for each stage. Referring to the sample lifecycle in the IEC 61511 standard is only a start because it is too generic. Instead, each duty holder must develop a custom lifecycle showing the steps, methods and procedures they will adopt to deliver functional safety objectives.

Therefore, projects involving SIS must be conducted with sound project management principles, including a clear and concise plan, well-developed procedures and sign-off activities that may otherwise be less stringent on non-safety-related projects.
[Lifecycle diagram: Operation and maintenance of an SIS involves inspection, proof testing and controlled modification. Labels: Normal Operation, Permit to Work, Maintenance Procedure, Operation & Maintenance Procedure, Independent FSA, FSA 5 Plan / Procedure, FSA 5 Report, FSA 5 After Modification, Repeat appropriate life-cycle activities, Updated Safety Requirements Specification, Decommissioning of individual SIF or SIS, FSA 4 Report.]

Functional Safety Assessment (FSA) is one specific FSM activity proposed at several stages in the SIS safety lifecycle and mandated in IEC 61511 to be carried out at least once before the startup of an SIS and at intervals during the operations stage.

Note that FSA planning should be done at the start of any project where an SIS is expected to be needed. If the SIS already exists, plan for an operations and maintenance FSA stage 4.

There are five stages at which functional safety assessment is recommended, as shown in the detailed diagrams in the remainder of this document.
… the previously validated system is not compromised. All change requests must identify and repeat the relevant parts of the lifecycle to ensure the impact of change is fully understood before proceeding.

The FSA must be conducted by a competent and independent person from those making the changes. It is mandatory to re-validate the system and update all relevant documentation. The only exception is for fully like-for-like changes that do not involve changed software or embedded firmware.

Making changes to the SIS must only occur under pre-authorized conditions and regular work-permit practices. As expected, those making changes must have the required competence. All those impacted by the change must be trained.

Any decommissioned SIF or SIS must follow the same MoC procedure, with a full justification record retained.

Audit and Revision - FSAR

However, the distinction between FSA and FSAR may be overplayed if an FSA is already planned or conducted on a project.

The person leading any FSA activity must take account of the detailed lifecycle phases of the assessed stages. By definition, every lifecycle step includes management, planning and verification activities, so the FSA must consider these. In this sense, FSAs already contain elements of an audit.

One thing that needs to be clarified about the distinction between FSA and FSAR is that FSAR does not have the specific goal of making a technical judgement about the functional safety achieved by each SIF design.

Like a Quality or Gap audit, FSAR can only be conducted once functional safety procedures are in place and have been implemented long enough to prove whether the processes are being followed. However, it is feasible that some methods will be put in place and followed at least once during an SIS project development. An FSAR alongside an FSA activity is a reasonable prospect, even for a new build.

FSAR also involves the vital aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA, given that non-conformances would lead to an action for change.

ELEARNING LINK: FUNCTIONAL SAFETY ASSESSMENT AND AUDIT

Documentation

Keeping hazard, risk and safety system documentation consistent, up-to-date, easy to understand, and fit-for-purpose is challenging but crucial. We highly recommend moving away from static documents and reports to an interlinked safety lifecycle database environment.

Here are a few advantages of a safety lifecycle database approach to documentation:
• Link the stages of HAZOP, LOPA, SRS, SIL Verification, Test Plans and Operational KPIs.
• Control revisions without human intervention*.
• Share active data among remotely located teams.
• Simple to update when inevitable changes happen.

* Make sure your selected software has this crucial feature.