SAFETY INSTRUMENTED SYSTEMS EBOOK
GUIDE TO THE SIS SAFETY LIFE-CYCLE of IEC 61511 edition 2

Jon Keswick, CFSE
Founder - eFunctionalSafety
Email us: learning@eFunctionalSafety.com
Document ID: eFS-ebook-SIS-r3.0
eFunctionalSafety.com

FIRSTLY

ABOUT THIS EBOOK

This eBook is our 3rd edition aimed at industry professionals interested in safety instrumented systems - SIS.

In this new edition, we’ve included links to several eLearning modules to give you extra detail on topics you may find helpful.

This guide and the selected online modules are only a start. You can demonstrate your competence by taking the full IChemE accredited learning path SIS and Functional Safety.

We hope that you find the guide and online materials useful.
Introduction

Safety is a general term we all use, although we rarely consider how to measure it.

Safety standards define safety as “Freedom from danger, risk, or injury” or “Freedom from unacceptable risk”. These definitions confirm that risk is present in daily life while recognizing that we should not have to accept high risk.

Achieving a tolerably safe environment when working with large quantities of hazardous chemicals and flammable substances can be challenging. Those who work in and around industrial processes should wear appropriate personal protective equipment, but that will not be sufficient if there is any significant loss of containment or explosion.

Process safety is a broad and varied subject in itself. Still, for our purposes, we’ll say that the target is keeping processes under control and stopping the loss of containment of hazardous materials from pipes, vessels and other process equipment. Process safety involves many disciplines, including materials experts, process engineers, mechanical, electrical, control and instrumentation, and process safety professionals.

Functional safety in the process industry is focused on electrical, control and instrumentation equipment. When hazardous events occur, we must know that instrumentation and automation equipment such as sensors, logic solvers and final elements will make the process safe. When applied correctly, functional safety principles should ensure that each hazardous event is prevented or mitigated by equipment designed with the correct level of integrity for the risk posed.

This guide focuses on the automated IEC 61511 specified safety instrumented systems - SIS - used to prevent loss of containment events to protect life, the environment and company finances.

The IEC 61511 standard outlines a functional safety lifecycle for the process industry sector and is now internationally accepted by operating companies and regulators worldwide. The safety lifecycle provides an outline flowchart detailing the stages of different activities needed to assess hazards and then develop instrumented protection layers to prevent or mitigate risk.

THE SAFETY INSTRUMENTED SYSTEM LIFECYCLE

There are links in this ebook to several eLearning courses & quizzes. To access the ELEARNING LINKS in this document you must REGISTER HERE.

ELEARNING LINK: THE SAFETY LIFECYCLE

ULTIMATE GUIDE TO THE SIS SAFETY LIFE-CYCLE
© Copyright 2006-2023, eFunctionalSafety®


[Flow chart: Hazard Identification, Layer of Protection Analysis, IPL and SIL target assessment led by the duty holder (hazard owner). Flow chart key: INPUT = Document/Information; ACTIVITY = Procedure; OUTPUT = Report. Inputs: Process Safety Information (Process Flow Diagrams, P&ID’s, Facility Siting, Occupancy, Cause & Effects, Instrument list, Preliminary IPL/SIF list), Functional Safety Management Plan. Activities: PHA/HAZID/HAZOP Procedure; Identify Potential Hazards & Safeguards; Preliminary Risk Assessment; LOPA Procedure; Allocate Safety Requirements to IPL; SIS Required? (NO: IPL Register; YES: Safety Requirements Specification for SIS & SIF); FSA 1-3 Plan / ALARP Justification Procedure; Functional Safety Assessment Stage 1. Outputs: HAZID report, HAZOP report, LOPA report, IPL’s, SIF Candidates, FSA Stage 1 Report.]

Hazard and risk assessment

Any company operating systems or processes that could result in loss of life or significant environmental damage must carry out hazard identification and risk assessment. For process facilities, this usually involves looking for events that could result in the “loss of containment” (LOC) of hazardous materials.

There are many ways of approaching process hazard analysis (PHA), often using a combination of study methods like HAZOP - Hazard and Operability studies. Whichever methods are adopted, the key is to use a systematic procedure covering all process areas using a multi-discipline team.

If approached methodically, a HAZOP should provide:
• Credible information on possible causes of hazards.
• Estimated consequences of hazardous events.
• Safeguards that can prevent event occurrence or mitigate escalation.
• Actions for safety and operational improvement.

ELEARNING LINK: hazard analysis workflow and methods

LOPA and SIL targets

After HAZOP, there often needs to be further analysis to assess the independence and effectiveness of protection layers. There are no standardized techniques for this step, so each duty holder needs to decide on a method that will best fit their requirements.

This step can only be attempted with clear risk criteria. Tolerable risk usually comes in a company-approved risk matrix or a set of numerical targets with maximum frequencies for undesired consequences.

One effective technique at this stage is a layer of protection analysis (LOPA). A LOPA study considers each significant hazard scenario and determines whether the safeguards identified during PHA/HAZOP are adequate as independent protection layers (IPL).

After considering all possible IPLs, one or more Safety Instrumented Functions (SIF) will often be needed to reduce risk to tolerable levels. With the correct procedural steps in place, the LOPA study can also determine each SIF’s Safety Integrity Level (SIL) target.

ELEARNING LINK: LOPA INTRODUCTION
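The LOPA arithmetic described above, as an added worked example that is not part of the eBook or of eFunctionalSafety’s own materials. It runs one constructed hazard scenario: an initiating event frequency, a tolerable frequency taken from a company numerical target, and candidate IPLs from the HAZOP, one of which is deliberately marked as not independent of the initiating cause so that it earns no credit. The SIL band boundaries follow the low demand mode table of IEC 61511/IEC 61508; the scenario figures, tag names and PFD values are constructed, not taken from the page.

```python
import math
from dataclasses import dataclass


@dataclass
class Ipl:
    """A candidate protection layer identified during PHA/HAZOP (hypothetical record format)."""
    name: str
    pfd: float                 # average probability of failure on demand claimed for the layer
    independent: bool = True   # LOPA credits a layer only if it is independent of the
                               # initiating event and of every other credited layer


def mitigated_frequency(initiating_freq_per_year: float, ipls: list) -> float:
    """Frequency of the hazardous outcome once every credited IPL is applied."""
    f = initiating_freq_per_year
    for ipl in ipls:
        if ipl.independent:
            f *= ipl.pfd
    return f


def required_rrf(mitigated_freq: float, tolerable_freq: float) -> float:
    """Risk reduction factor the remaining gap must close (<= 1 means no gap)."""
    return mitigated_freq / tolerable_freq


def sil_target(rrf: float):
    """Map a required RRF to the lowest SIL whose PFD band covers it.

    Low demand mode bands: SIL 1 = RRF 10..100, SIL 2 = 100..1000,
    SIL 3 = 1000..10000, SIL 4 = 10000..100000. Returns 0 when no SIF
    is needed and None when no single SIF can deliver the reduction.
    """
    if rrf <= 1.0:
        return 0
    sil = max(1, math.ceil(math.log10(rrf)) - 1)
    return sil if sil <= 4 else None


def lopa_scenario(initiating_freq_per_year, tolerable_freq_per_year, ipls):
    """Run one LOPA scenario and return the figures an IPL register would record."""
    mitigated = mitigated_frequency(initiating_freq_per_year, ipls)
    rrf = required_rrf(mitigated, tolerable_freq_per_year)
    return {
        "mitigated_freq": mitigated,
        "required_rrf": rrf,
        "sif_required": rrf > 1.0,
        "sil_target": sil_target(rrf),
        "sif_pfd_target": (1.0 / rrf) if rrf > 1.0 else None,
    }


# Constructed scenario (hypothetical values, not from the eBook): a BPCS level control
# loop fails high, leading to vessel overfill and loss of containment.
INITIATING_FREQ = 0.5     # per year, BPCS loop failure
TOLERABLE_FREQ = 1e-6     # per year, company target for this consequence severity
CANDIDATE_IPLS = [
    Ipl("Relief valve sized for the overfill case", pfd=0.01),
    Ipl("Operator response to independent high-level switch alarm", pfd=0.1),
    # This alarm is raised by the same BPCS whose failure is the initiating event:
    # it shares the cause, so it is recorded but earns no LOPA credit.
    Ipl("BPCS high-level alarm", pfd=0.1, independent=False),
]

if __name__ == "__main__":
    for key, value in lopa_scenario(INITIATING_FREQ, TOLERABLE_FREQ, CANDIDATE_IPLS).items():
        print(f"{key}: {value}")
```

With the BPCS alarm correctly excluded, the mitigated frequency is 5e-4 per year, the required RRF is 500 and the SIF needs a SIL 2 target (PFDavg no worse than 2e-3). Crediting the non-independent alarm anyway would give an RRF of 50 and an optimistic SIL 1 target, which is exactly the independence error the LOPA step exists to catch.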



Safety Requirements Specification

The safety requirement specification (SRS) is the SIF and safety instrumented system (SIS) design blueprint. The duty holder must approve requirements to match the integrity identified in the process hazard and SIL assessment stages.

Functional requirements should explain what each SIF should do. Functionality can be readily expressed by “cause and effect” diagrams that associate the sensed condition and its required actions.

Integrity requirements set the standard for the design in terms of safety integrity and system availability. The SIL target is one integrity requirement of a SIF, but not the only one. Others include Probability of Failure on Demand (PFD) or Probability of Failure per Hour (PFH), hardware fault tolerance (HFT) and Systematic Capability (SC).

ELEARNING LINK: safety requirements specification

SIS Design & Engineering

The specifier can select appropriate SIS equipment when the requirements are sufficiently complete and stable. Long-lead items such as final element valves and actuators may be among the first to be considered for selection.

IEC 61511 requires all equipment used in the SIS to be justified. Typically, this will involve ensuring only SIL-capable devices get used from reputable suppliers. Where SIL-capable devices are unavailable, the company responsible for equipment selection and engineering will need to consider justifying the use of equipment on another basis, such as “prior use”.

ELEARNING LINK: SIS & SIF DESIGN

[Flow chart: Development of the concept SIF design to meet the SIL target. Inputs: IEC 61508 compliant item safety manuals and/or prior use information; probability of failure data; Safety Requirements Specification for SIS & SIF. Activities: Select technology, hardware and devices (sensor(s), logic solver(s), final element(s), interposing device(s)); decide on required HFT for safety & availability; determine proof test philosophy; verify HFT and PFDavg/PFH to meet target SIL for each SIF; SIL target achievable? (NO: revisit selection; YES: proceed). Outputs: SIL Verification Report; updated Safety Requirements Specification for SIS & SIF. Proposed design can meet SIL target with selected equipment.]

[Flow chart: Development of detailed design of the SIS hardware and application program (software). Inputs: Safety Requirements Specification; sensor, final element, logic solver and BPCS/HMI manufacturer data sheets. Activities: SIS field device installation detail design; develop field device installation documentation and proof test procedures; logic solver hardware detail design; logic solver application program (AP) detail design; BPCS interface/HMI detail design. Outputs: logic solver hardware detail design specification; logic solver application program detail design specification; preliminary proof test procedures; BPCS interface/HMI detail design specification; updated Safety Requirements Specification for SIS & SIF.]
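The two integrity checks named above, PFDavg against the SIL target and hardware fault tolerance, as an added worked example that is not part of the eBook or of eFunctionalSafety’s materials. It uses the simplified low demand formulas for 1oo1 and 1oo2 subsystems (PFDavg = λDU·TI/2 for 1oo1; for 1oo2 an independent-failure term plus a β-factor common cause term, ignoring repair time and detected failures), constructed failure rate figures and tag names, and a minimum-HFT table assumed here from the low demand column of IEC 61511 edition 2 (confirm against the standard and your mode of operation). It verifies one SIF against a SIL 3 target first with simplex subsystems and then with redundant ones.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Minimum hardware fault tolerance per SIL, low demand mode (assumption taken from
# IEC 61511 ed. 2; check the standard before relying on it for a real design).
MIN_HFT_LOW_DEMAND = {1: 0, 2: 0, 3: 1, 4: 2}


def sil_from_pfd(pfd_avg: float) -> int:
    """Low demand mode SIL band for an achieved PFDavg (0 = below SIL 1)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


@dataclass
class Subsystem:
    """One element of a SIF: sensor(s), logic solver(s) or final element(s)."""
    name: str
    lambda_du: float    # dangerous undetected failure rate per hour, per channel
    voting: str         # "1oo1" or "1oo2"
    beta: float = 0.0   # common cause fraction between redundant channels

    @property
    def hft(self) -> int:
        return {"1oo1": 0, "1oo2": 1}[self.voting]

    def pfd_avg(self, proof_test_interval_h: float) -> float:
        """Simplified low demand PFDavg; x is the expected dangerous failures per interval."""
        x = self.lambda_du * proof_test_interval_h
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            independent = (1.0 - self.beta) * x
            return independent ** 2 / 3.0 + self.beta * x / 2.0
        raise ValueError(f"unsupported voting {self.voting}")


def verify_sif(subsystems, target_sil: int, proof_test_interval_h: float) -> dict:
    """SIL verification: sum the subsystem PFDavg values and check HFT for every subsystem."""
    pfd = sum(s.pfd_avg(proof_test_interval_h) for s in subsystems)
    achieved = sil_from_pfd(pfd)
    min_hft = MIN_HFT_LOW_DEMAND[target_sil]
    hft_shortfalls = [s.name for s in subsystems if s.hft < min_hft]
    return {
        "pfd_avg": pfd,
        "rrf": 1.0 / pfd,
        "sil_by_pfd": achieved,
        "hft_shortfalls": hft_shortfalls,
        "meets_target": achieved >= target_sil and not hft_shortfalls,
    }


# Constructed figures (hypothetical, not from the eBook): annual proof test, SIL 3 target.
TI = HOURS_PER_YEAR
SIMPLEX = [
    Subsystem("PT-101 pressure transmitter", 3e-7, "1oo1"),
    Subsystem("Safety PLC", 1e-8, "1oo1"),
    Subsystem("XV-101 shutdown valve + actuator", 1.5e-6, "1oo1"),
]
REDUNDANT = [
    Subsystem("PT-101A/B transmitters", 3e-7, "1oo2", beta=0.10),
    Subsystem("Safety PLC (redundant)", 1e-8, "1oo2", beta=0.02),
    Subsystem("XV-101A/B shutdown valves", 1.5e-6, "1oo2", beta=0.10),
]

if __name__ == "__main__":
    for label, design in (("simplex", SIMPLEX), ("redundant", REDUNDANT)):
        result = verify_sif(design, target_sil=3, proof_test_interval_h=TI)
        print(label, {k: (f"{v:.3e}" if isinstance(v, float) else v) for k, v in result.items()})
```

The simplex design lands at a PFDavg of about 7.9e-3 (SIL 2 by PFD) and every subsystem falls short of the HFT 1 that a SIL 3 target needs, so the "SIL Target Achievable?" decision is NO and the design loops back to technology selection. Making each subsystem 1oo2 brings the PFDavg to about 8.4e-4 with HFT 1 throughout, so the redundant design meets the target. Notice that the valve dominates both totals, which is why the text singles out final elements for early selection.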




Logic solver application programs will also be further specified and developed. Verification by design review and factory acceptance testing (FAT) will typically occur towards the end of this stage.

Installation, Commissioning and Validation Testing

Factory acceptance testing (FAT) is often the start of many stages that involve exercising the system to mimic the required functionality on the plant. Simulated factory testing cannot be the final step and should always be distinct from validation at the site.

The critical part of this lifecycle phase is known as validation or validation testing. Validation testing of the system in situ on the hazard site involves an end-to-end physical test, from the installed sensor to the installed final element, for every SIF listed in the safety requirements specification (SRS).

The SRS should be the primary reference source for creating the witnessed validation plan to specify the validation crew’s detailed steps. These include physical inspection steps, drawing review versus actual installed equipment, positive and negative test activities and test logs.

The operation and maintenance personnel must get trained on all aspects of the SIS and SIF before startup. This training is crucial for a novel system or unfamiliar equipment.

ELEARNING LINK: INSTALLATION, COMMISSIONING AND VALIDATION

[Flow chart: SIS logic solver hardware and application program Factory Acceptance Testing. Inputs: logic solver manufacturer FAT plan / test specification; logic solver safety manual; project modification procedure (pre-installation); FSA 1-3 plan / procedure; FSA 1 report. Activities: logic solver hardware & software build & integration; integration verification; duty holder witnessed FAT; FAT punch list following project modification procedure; FSA Stage 2. Outputs: FAT report; FSA 2 report; updated Safety Requirements Specification for SIS & SIF.]

[Flow chart: SIS installation, commissioning and validation testing on the plant before normal operation. Inputs: commissioning documentation; project modification procedure; integrated SIS (pre-installation); validation plan / updated SRS and commissioning procedure with frozen SRS; updated proof test procedure; FSA 1-3 plan / procedure; FSA 1 and FSA 2 reports. Activities: install BPCS/HMI, SIS logic solver and SIS field devices; SIS installation verification; SIS validation procedures; document “as-built” SIS. Outputs: Operation & Maintenance documentation; FSA Stage 3 report; updated Safety Requirements Specification for SIS & SIF.]



Operation and Maintenance

Once the SIS is in operation, nobody must modify it unless they follow change management processes.

By now, inspection and proof test procedures for the SIS and each SIF should be available. Ideally, the proof tests get scheduled to tie in with turnarounds to enable safe offline testing. Maintainers must keep detailed inspection and test records for future assessment, audit and further analysis of equipment failure root cause.

Special procedures for bypassing a SIF or SIS during operation may also be needed, especially for continuous process plants. Such practices must account for the full risks of inhibiting a safety function and have appropriate technical review and authorization.

As demands occur that require the SIS to react, operations should track these over time to look for negative trends which might lead to plant or system modification.

ELEARNING LINK: SIS OPERATIONS

Functional Safety Management

Delivering the SIS safety lifecycle requires carefully considering functional safety management (FSM).

A sound FSM system will ensure that personnel are competent in the part of the lifecycle they are involved with. Management should provide adequate policies, planning and procedures to control the many lifecycle activities over a potentially long life that will often outlive the personnel working on the plant. With correct management systems, companies should retain safety knowledge as people move on or retire.

In planning lifecycle steps, it is essential to consider the inputs, procedures and expected outputs for each stage. Referring to the sample lifecycle in the IEC 61511 standard is only a start because it is too generic. Instead, each duty holder must develop a custom lifecycle showing the steps, methods and procedures they will adopt to deliver functional safety objectives.

Therefore, projects involving SIS must be conducted with sound project management principles, including a clear and concise plan, well-developed procedures and sign-off activities that may otherwise be less stringent on non-safety-related projects.

ELEARNING LINK: FUNCTIONAL SAFETY MANAGEMENT
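The demand tracking and proof-test record keeping described in the Operation and Maintenance section above, as an added example that is not part of the eBook or of eFunctionalSafety’s materials. It reads constructed demand and proof-test records for one SIF, computes the observed demand rate and a crude observed dangerous undetected failure rate, and compares both with the figures assumed at the LOPA and SIL verification stages; a failed comparison is the negative trend that should prompt a revised risk or SIL assessment. Record formats, tag names, dates and the assumed rates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime

HOURS_PER_YEAR = 8760.0


@dataclass
class DemandRecord:
    """One SIS trip logged by operations (hypothetical record format)."""
    sif_tag: str
    when: datetime
    spurious: bool = False   # spurious trips are tracked separately, not counted as demands


@dataclass
class ProofTestRecord:
    """One device result from a scheduled proof test (hypothetical record format)."""
    sif_tag: str
    device: str
    when: datetime
    dangerous_failure_found: bool   # device failed the "as found" part of the test


def observed_demand_rate(demands, sif_tag, start, end) -> float:
    """Genuine demands per year on one SIF inside the observation window."""
    n = sum(1 for d in demands
            if d.sif_tag == sif_tag and not d.spurious and start <= d.when <= end)
    years = (end - start).total_seconds() / 3600.0 / HOURS_PER_YEAR
    return n / years


def observed_lambda_du(tests, sif_tag, device, start, end, proof_test_interval_h):
    """Crude point estimate of the dangerous undetected failure rate from proof test
    results: failures found divided by device-hours, treating each test as one
    interval of exposure. Returns None when no tests fall in the window."""
    relevant = [t for t in tests
                if t.sif_tag == sif_tag and t.device == device and start <= t.when <= end]
    if not relevant:
        return None
    failures = sum(1 for t in relevant if t.dangerous_failure_found)
    return failures / (len(relevant) * proof_test_interval_h)


def review_assumptions(demand_rate, assumed_demand_rate, lambda_du, assumed_lambda_du) -> dict:
    """Flags for the periodic operations review. Each False is a prompt to revisit the
    LOPA or SIL verification, not a conclusion on its own."""
    return {
        "demand_rate_within_lopa_assumption": demand_rate <= assumed_demand_rate,
        # IEC 61511 treats a SIF as low demand mode only if demanded no more than once a year.
        "low_demand_mode_still_valid": demand_rate <= 1.0,
        "lambda_du_within_sil_verification": lambda_du is not None and lambda_du <= assumed_lambda_du,
    }


# Constructed records (hypothetical tags and dates, not from the eBook).
START, END = datetime(2021, 1, 1), datetime(2023, 1, 1)   # two-year review window
DEMANDS = [
    DemandRecord("SIF-101", datetime(2021, 3, 4)),
    DemandRecord("SIF-101", datetime(2021, 9, 17)),
    DemandRecord("SIF-101", datetime(2022, 2, 2), spurious=True),
    DemandRecord("SIF-101", datetime(2022, 6, 30)),
    DemandRecord("SIF-101", datetime(2022, 11, 11)),
    DemandRecord("SIF-202", datetime(2022, 5, 5)),
]
PROOF_TESTS = [
    ProofTestRecord("SIF-101", "XV-101", datetime(2021, 12, 15), False),
    ProofTestRecord("SIF-101", "XV-101", datetime(2022, 12, 15), True),
    ProofTestRecord("SIF-101", "PT-101", datetime(2021, 12, 15), False),
    ProofTestRecord("SIF-101", "PT-101", datetime(2022, 12, 15), False),
]
ASSUMED_DEMAND_RATE = 0.5          # per year, the LOPA initiating event frequency
ASSUMED_LAMBDA_DU_XV101 = 1.5e-6   # per hour, the figure used in SIL verification

if __name__ == "__main__":
    rate = observed_demand_rate(DEMANDS, "SIF-101", START, END)
    lam = observed_lambda_du(PROOF_TESTS, "SIF-101", "XV-101", START, END, HOURS_PER_YEAR)
    print(f"observed demand rate {rate:.2f}/yr, observed lambda_DU {lam:.2e}/h")
    print(review_assumptions(rate, ASSUMED_DEMAND_RATE, lam, ASSUMED_LAMBDA_DU_XV101))
```

On these records SIF-101 saw four genuine demands in two years (2 per year against an assumed 0.5), which both invalidates the LOPA initiating frequency and questions whether the SIF is still in low demand mode, and the single valve failure found at proof test gives a point estimate far above the λDU credited in SIL verification. One failure in two tests is thin evidence, which is why the flags are framed as prompts for the revised risk / SIL assessment shown in the operations flow chart rather than as conclusions.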

[Flow chart: Operation and maintenance of an SIS involves inspection, proof testing and controlled modification. Inputs: FSA 5 plan / independent FSA procedure; Operation & Maintenance procedure; permit to work; inspection & proof test procedure; FSA 4 plan / procedure; modification procedure; decommissioning request. Activities: normal operation; maintenance; bypass/override risk assessment & authorisation; SIS/SIF inspection & proof testing; revised risk / SIL assessment; modification; FSA 4 & audit at periodic intervals; repeat appropriate life-cycle activities; FSA 5 after modification; decommissioning of individual SIF or SIS. Outputs: FSA 5 report; updated Safety Requirements Specification; inspection & proof test records; FSA 4 report.]

Functional Safety Assessment (FSA) is one specific FSM activity proposed at several stages in the SIS safety lifecycle and mandated in IEC 61511 to be carried out at least once before the startup of an SIS and at intervals during the operations stage.

The FSA activity must be led by a senior competent person not involved with the steps being analyzed.

Note that FSA planning should be done at the start of any project where an SIS is expected to be needed. If the SIS already exists, plan for an operations and maintenance FSA stage 4.

There are five stages at which functional safety assessment is recommended, as shown in the detailed diagrams in the remainder of this document.



Producing vast amounts of paper should not be a goal. However, sufficient evidence is needed for an independent assessor to judge. The goal should be to create a trail of evidence at each stage to allow a practical independent assessment.

Audit and Revision - FSAR

Functional safety audit and revision (abbreviated FSAR here, but not in IEC 61511) are intentionally separated from FSA in the IEC 61511 standard. The idea is that FSAR is an audit of procedures and records to determine whether an appropriate functional safety management system is in place and being followed.

However, the distinction between FSA and FSAR may be overplayed if an FSA is already planned or conducted on a project. The person leading any FSA activity must take account of the detailed lifecycle phases of the assessed stages. By definition, every lifecycle step includes management, planning and verification activities, so the FSA must consider these. In this sense, FSAs already contain elements of an audit.

One thing that needs to be clarified about the distinction between FSA and FSAR is that FSAR does not have the specific goal of making a technical judgement about the functional safety achieved by each SIF design.

Like a Quality or Gap audit, FSAR can only be conducted once functional safety procedures are in place and have been implemented long enough to prove whether the processes are being followed. However, it is feasible that some methods will be put in place and followed at least once during an SIS project development. An FSAR alongside an FSA activity is a reasonable prospect, even for a new build.

FSAR also involves the vital aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA, given that non-conformances would lead to an action for change.

ELEARNING LINK: FUNCTIONAL SAFETY ASSESSMENT AND AUDIT

Management of Change

Managing change to the SIS ensures that the previously validated system is not compromised. All change requests must identify and repeat the relevant parts of the lifecycle to ensure the impact of change is fully understood before proceeding.

Modification planning should include the following:
• Documenting the reason for the change.
• Conducting an impact analysis.
• A functional safety assessment (FSA) of the impact analysis.

The FSA must be conducted by a competent and independent person from those making the changes. It is mandatory to re-validate the system and update all relevant documentation. The only exception is for fully like-for-like changes that do not involve changed software or embedded firmware.

Making changes to the SIS must only occur under pre-authorized conditions and regular work-permit practices. As expected, those making changes must have the required competence. All those impacted by the change must be trained.

Any decommissioned SIF or SIS must follow the same MoC procedure, with a full justification record retained.

Documentation

Keeping hazard, risk and safety system documentation consistent, up-to-date, easy to understand, and fit-for-purpose is challenging but crucial. We highly recommend moving away from static documents and reports to an interlinked safety lifecycle database environment.

Here are a few advantages of a safety lifecycle database approach to documentation:
• Link the stages of HAZOP, LOPA, SRS, SIL Verification, Test Plans and Operational KPIs.
• Control revisions without human intervention*.
• Share active data among remotely located teams.
• Simple to update when inevitable changes happen.

* Make sure your selected software has this crucial feature.

BLOG LINK: safety lifecycle software
