Mitigating safety risk and maintaining operational reliability (iom.invensys.com/...MitigatingRiskMaintainingOperationalReliability...)

Assessment and cost-effective reduction of process risks are critical to protecting the safety of employees and the public, minimizing environmental damage, reducing potential capital losses, shortening business interruptions, and limiting legal and regulatory exposure.

Premier Consulting Services (PCS) provides national and international standards compliance verification, risk analysis, assessment, and reduction methodologies through the application of Safety Instrumented Systems (SIS) for all major industries, including refining, petrochemical, pulp and paper, utility, nuclear and manufacturing. PCS applies specific, high-expertise skills to achieve an objective solution that increases safety and reliability performance for our clients.

Creating solutions that yield the greatest benefit-to-cost ratio and increase competitive performance is the focus of Premier Consulting Services (PCS).

This document concisely describes the typical SIS project flow with emphasis on compliance with national and international safety standards, specifically the IEC 61511 safety lifecycle. Although some stages or functions may be performed by the end user, engineering contractor and/or SIS vendor, the outline for each project stage describes all the objectives and deliverables in general terms, irrespective of the provider. Services that are within the PCS scope are highlighted separately.

Date 03/29/2010


A. Site Assessment

The critical system site assessment is conducted to determine the risk associated with the operation of process units, and to evaluate the design, operation and maintenance of existing safety instrumented systems (SIS). The assessment involves:

- on-site surveys of operating units,
- reviews of available documentation (operating and maintenance procedures, P&IDs, process safety management documentation, etc.),
- examination of process hazards analysis results, and
- discussions with plant personnel concerning operating history.

Current national and international standards are used to benchmark the facility's risk exposure. Conformance to IEC 61511 and/or ANSI/ISA S84.01-2004 is reviewed.

For systems designed and constructed prior to the issuance of the new standards, an evaluation of the design, maintenance and testing records for safe operation provides a basis for decision-making regarding the adequacy of the existing SIS (i.e. the grandfather clause in the U.S.).

Recognizing the importance of process uptime and the detrimental impact of spurious trips on operating costs as well as on safety, recommendations are made to improve reliability.

The PCS report lists site findings with recommendations for compliance with the company's objectives concerning safety and reliability, including conformance to applicable national and international standards in the areas of:

1. Design and architecture
2. Safety availability issues
3. Reliability (spurious trip) issues
4. Support systems
5. Installation
6. Validation
7. Testing and maintenance
8. Auditing
9. Hardware issues
10. Software issues
11. Security (access to the logic solver, the engineering/maintenance interface and bypasses)
12. Human-machine interface
13. Management of change issues
14. Competence requirements

The site assessment provides management with a basis for prioritized capital spending by providing specific recommendations for risk reduction and reliability improvement. It demonstrates to insurers, regulatory agencies, company personnel and the public that a serious plan has been established to address safety and reliability issues.

Site Assessment

Inputs:
- On-site survey of operating units
- Process design drawings
- P&ID / electrical drawings
- Process HAZOP/PHA
- Operating history
- Maintenance and test procedures
- Maintenance and test records

Deliverables:
- Standards compliance
- Safety availability issues
- Reliability issues
- Testing and maintenance issues
- Procedures issues
- Competence requirements
- Risk exposure
- Improvement recommendations

B. Competency Assessment

International standards and regulatory agencies require that the organizations and the personnel involved in the safe operation of the plant demonstrate and document their competence for the activities for which they are accountable.

IEC 61511-1 clause 5.2.2 makes the following statement:

As a minimum, the following items should be addressed when considering the competence of persons, departments, organizations or other units involved in safety life-cycle activities:

a. Engineering knowledge, training and experience appropriate to the process application.
b. Engineering knowledge, training and experience appropriate to the applicable technology used (for example, electrical, electronic or programmable electronic).
c. Engineering knowledge, training and experience appropriate to the sensors and final elements.
d. Safety engineering knowledge (for example, process safety analysis).
e. Knowledge of the legal and safety regulatory requirements.
f. Adequate management and leadership skills appropriate to their role in safety life-cycle activities.
g. Understanding of the potential consequence of an event.
h. The safety integrity level of the safety instrumented functions.
i. The novelty and complexity of the application and the technology.

PCS has developed the PFSE (Premier Functional Safety Engineering) training program as a service to plant operators, engineering contractors and integrators, with the objective of addressing the requirements of the standards in the area of competency in safety engineering knowledge and safety regulatory requirements.

Invensys-Premier Consulting Services offers the PFSE training course addressing functional safety in the field of Safety Instrumented Systems. Contents, material and final exams for this course have been reviewed and assessed positively by TÜV Industrie Service GmbH, Automation, Software and Information Technology (ASI). PCS is a TÜV Industrie Service GmbH, ASI accepted course provider for the TÜV Functional Safety Program. Participants of the Premier Consulting Services PFSE training course will receive, upon successful completion, a TÜV certificate including a TÜV Functional Safety Engineer logo and ID number.

PFSE – Premier Functional Safety Engineering Program
- One-week mastering training program
- Instructor-led, classroom setting
- Working examples and discussions
- Written tests and exams
- Compliance to: IEC 61508-1 paragraph 6.2.1 (h); IEC 61511-1 paragraph 5.2.2
- See details of the TÜV Functional Safety Program at: www.tuvasi.com
- PCS course instructors are certified TÜV Functional Safety Experts – SIS, according to the TÜV Functional Safety Program

C. PHA / SIF Review – SIL Assignment

IEC 61511 and ANSI/ISA S84.01-2004, as well as regulatory agencies, require that a process hazard analysis (PHA) be performed to identify potential hazards in the operation of a process unit.

The PHA is a methodical examination of the process design that involves the participation of a multidisciplinary team to identify potential hazards and operability problems that could result in undesired consequences with adverse impact on personnel, equipment or the environment. The initial "process" PHA is normally performed by the plant operator in conjunction with the process licensor or basic design team.

The process design drawings and narratives, together with the P&IDs and the PHA documents, form the basis for the identification of the safety instrumented functions (SIF) required to mitigate the potential hazards.

Premier Consulting Services provides industry experts for the review of the PHA results and the allocation of safety instrumented functions (SIF), leading to the assignment of a target Safety Integrity Level (SIL) for each SIF. Safety integrity is the probability that the SIF will perform its specified safety function when required, under the stated conditions and within the stated period; for demand-mode functions it is quantified as the average probability of failure on demand (PFDavg), and the SIL is the band into which that probability falls.

A PCS senior consultant performs the role of facilitator and provides guidance to a multidisciplinary team consisting of plant experts in the areas of process, operations, safety, maintenance, instrumentation and electrical.

The standards do not mandate any specific method for assigning the target SIL rating, but do provide examples of industry-recognized techniques. The PCS facilitator reviews the different methodologies (risk matrix, risk graph, LOPA, semi-quantitative, etc.) and their applicability to each situation, leading to a consensus on the techniques to be used.


PCS provides further guidance in aligning the selected SIL assignment method with the corporate risk tolerance criteria. Where necessary, the ALARP (as low as reasonably practicable) risk tolerance principle is discussed and taken into account.

The multidisciplinary team reviews every SIF, and with PCS guidance a SIL rating is assigned to each safety instrumented function. The SIS View™ software tool-set is made available for the target SIL determination process.

The final report records the assumptions made with regard to hazard likelihood, consequence and risk tolerance criteria, together with the target SIL assigned to each independent SIF.

Premier Consulting Services (PCS) reports are recognized worldwide for their integrity and professionalism by plant operators, regulators and risk insurers.
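The following Python script is an added worked example of the LOPA route to a target SIL; it is not part of the PCS brochure and is not the SIS View™ tool. The scenario (separator V-101 overpressure, its initiating event, conditional modifier, IPL credits and tolerable frequencies) is constructed for illustration; only the SIL band boundaries come from the IEC 61511 / IEC 61508 low-demand table. It carries the requirement through to the number the SRS should actually record, the required PFD, because a target SIL on its own leaves a factor of ten of slack.

```python
"""LOPA target-SIL determination for hazard scenarios (added worked example).

Constructed scenarios and risk criteria; not the PCS method or SIS View(TM) output.
Only the SIL band boundaries are taken from IEC 61511 / IEC 61508 (low demand mode).
"""
from dataclasses import dataclass, field


@dataclass
class IPL:
    """Independent protection layer credited in the scenario (never the SIF itself)."""
    name: str
    pfd: float


@dataclass
class Scenario:
    name: str
    initiating_event: str
    initiating_frequency: float                  # events per year
    tolerable_frequency: float                   # per year, from corporate risk criteria
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability
    ipls: list = field(default_factory=list)


def sil_band(pfd):
    """IEC 61511 low-demand band that contains a PFDavg value; 0 if above the SIL 1 band."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return 4  # below 1e-5: SIL 4 is the highest band the standard defines


def frequency_without_sif(s):
    """Mitigated event frequency crediting every layer except the SIF under study."""
    f = s.initiating_frequency
    for p in s.conditional_modifiers.values():
        f *= p
    for ipl in s.ipls:
        f *= ipl.pfd
    return f


def sif_requirement(s):
    """Required risk reduction factor, required PFDavg and target SIL for the SIF.
    The required PFD, not only the band, is what the SRS must record: a SIL 2 SIF
    verified at PFDavg 8e-3 would not satisfy a requirement of 5e-3."""
    f = frequency_without_sif(s)
    rrf = f / s.tolerable_frequency
    result = {"scenario": s.name, "frequency_without_sif": f, "rrf_required": rrf}
    if rrf <= 1.0:
        result.update(sif_required=False, required_pfd=None, target_sil=0,
                      note="existing layers already meet the tolerable frequency")
        return result
    pfd = 1.0 / rrf
    if pfd < 1e-5:
        result.update(sif_required=True, required_pfd=pfd, target_sil=None,
                      note="below the SIL 4 band: no single SIF can carry this; add IPLs or redesign")
    else:
        result.update(sif_required=True, required_pfd=pfd,
                      target_sil=max(1, sil_band(pfd)),   # SIL 1 is the minimum for any SIF
                      note="RRF below 10: SIL 1 minimum applies" if rrf < 10 else "")
    return result


def example_scenarios():
    """Constructed LOPA worksheet rows for a separator overpressure hazard."""
    loop_failure = "BPCS pressure control loop PIC-101 fails high"
    psv = IPL("PSV-101 relief valve", 1e-2)
    return [
        Scenario("V-101 overpressure, loss of containment with ignition", loop_failure,
                 initiating_frequency=0.5, tolerable_frequency=1e-6,
                 conditional_modifiers={"probability of ignition": 0.4},
                 ipls=[psv, IPL("Operator response to PAH-101 alarm", 1e-1)]),
        Scenario("V-101 overpressure, equipment damage only", loop_failure,
                 initiating_frequency=0.5, tolerable_frequency=1e-2, ipls=[psv]),
        Scenario("V-101 overpressure, extended outage", loop_failure,
                 initiating_frequency=0.5, tolerable_frequency=1e-3, ipls=[psv]),
    ]


if __name__ == "__main__":
    for r in map(sif_requirement, example_scenarios()):
        print(f"{r['scenario']}: RRF {r['rrf_required']:.3g}, required PFD "
              f"{r['required_pfd']}, target SIL {r['target_sil']} {r['note']}")
```

The first scenario needs an RRF of 200 and therefore a SIF with PFDavg no worse than 5e-3: a SIL 2 function, but one whose verification (section G) must show 5e-3 rather than merely "within SIL 2". The third scenario needs only an RRF of 5, and the script still assigns SIL 1, since a protection function credited below that is not a SIF under IEC 61511.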

PHA / SIF Review – SIL Assignment

Inputs:
- Process narratives
- Process design drawings
- P&ID / electrical drawings
- Process HAZOP/PHA
- SIF allocations
- Multidisciplinary team
- Corporate guidelines

Deliverables:
- PHA review
- Corporate risk tolerance review
- SIL assignment methodology review
- Hazard assumptions review
- SIL target assignment to each SIF
- PCS written report

Tools: SIS View™


D. SRS – Safety Requirements Specification

The safety requirements specification (SRS) is a documentation requirement of IEC 61511 and ANSI/ISA S84.01-2004 (IEC 61511 Mod) and is an integral part of the safety lifecycle model.

The SRS is a summary of key decisions that must be made prior to the conceptual design. The purpose of the SRS is to define the envelope of the Safety Instrumented System (SIS) design. This document, or collection of documents, should be viewed as the basis of design. It is a crucial review step that will minimize downstream detail design changes that could impact cost and/or schedule.

The SRS consists of both safety functional requirements and safety integrity requirements. The software safety requirements specification shall be derived from the safety requirements specification and the chosen architecture of the SIS.

The SRS should include the following requirements:

- Description of all the SIF necessary to achieve the required functional safety;
- Requirements to identify and take account of common cause failures;
- Definition of the safe state of the process for each identified SIF;
- Definition of any individually safe process states which, when occurring concurrently, create a separate hazard (for example, overload of emergency storage, multiple relief to flare system);
- The assumed sources of demand and demand rate on the SIF;
- Requirement for proof-test intervals;
- Response time requirements for the SIS to bring the process to a safe state;
- The SIL target and mode of operation (demand/continuous) for each SIF;
- Description of SIS process measurements and their trip points;
- Description of SIS process output actions and the criteria for successful operation, for example, requirements for tight shut-off valves;
- The functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives;
- Requirements for manual shutdown;
- Requirements relating to energize or de-energize to trip;
- Requirements for resetting the SIS after a shutdown;
- Maximum allowable spurious trip rate;
- Failure modes and desired response of the SIS;
- Any specific procedure requirements for starting up and restarting the SIS;
- All interfaces between the SIS and any other system (including the BPCS and operators);
- Description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode;
- The application software safety requirements;
- Requirements for overrides/inhibits/bypasses, including how they will be cleared;
- The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS;
- The mean time to repair which is feasible for the SIS;
- Identification of the dangerous combinations of output states of the SIS that need to be avoided;
- The extremes of all environmental conditions that are likely to be encountered by the SIS;
- Identification of normal and abnormal modes for both the plant as a whole (for example, plant start-up) and individual plant operational procedures (for example, equipment maintenance, sensor calibration and/or repair). Additional safety instrumented functions may be required to support these modes of operation;
- Definition of the requirements for any safety instrumented function necessary to survive a major accident event, for example, the time required for a valve to remain operational in the event of a fire.

Note: Non-safety instrumented functions may be carried out by the SIS to ensure orderly shutdown or faster start-up. These should be separated from the safety instrumented functions.

SRS – Safety Requirements Specification Development

Inputs:
- PHA / process design data
- Process dynamics for each SIF
- Process common cause considerations
- List of SIF with individual SIL targets
- Process design drawings / narratives
- SIF cause & effect matrices
- P&ID / electrical drawings
- Data gathered during SRS development

Deliverables:
- Functional safety requirements
- Integrity safety requirements
- Software safety requirements
- Comprehensive SRS report


E. SIS Device Selection – PIU – MHFT

IEC 61511 and ANSI/ISA S84.01-2004 require that components and subsystems (sensors, logic solvers and final elements) for use as part of a SIS for SIL 1 to SIL 3 applications be designed in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else comply with the prior-use ("proven-in-use", PIU) requirements of IEC 61511.

Additionally, the standards require that sensors, logic solvers and final elements selected for use as part of a SIS for SIL 1 to SIL 3 applications conform to minimum hardware fault tolerance (MHFT) criteria. The MHFT has been defined to alleviate potential shortcomings in SIF design that may result from the number of assumptions made in the design of the SIF, along with uncertainty in the failure rates of components or subsystems used in various process applications.

IEC 61511 and ANSI/ISA S84.01-2004 have further design requirements regarding the independence of the SIS and the BPCS (sensors, logic solver and final elements). IEC 61511-2 clause 11.2.4 deals with the special concern for SIS-BPCS separation, independence, diversity, hardware common cause, systematic (software) common cause and human errors.

Premier Consulting Services provides expert consulting in the selection of components and subsystems (sensors, logic solvers and final elements), addressing the requirements of "proven-in-use" and "minimum hardware fault tolerance" in IEC 61511 and ANSI/ISA S84.01-2004. Specific emphasis is placed on determining the adequacy of field devices with "prior use" records, including the number of these devices with sufficient operating experience in a similar operating profile and process application environment. PCS provides further guidance and analysis of test results (i.e. FMEDAs) or third-party certifications (i.e. TÜV, FM, etc.) for field devices with certain SIL claim limits and their adequacy for the SIS application, including any application guidelines and/or restrictions. Bearing in mind that the logic solver is normally shared by a number of safety functions, selection of the safety PLC technology is crucial to a safe and reliable SIS.


Premier Consulting Services expertise can prove invaluable in the analysis of logic solver manufacturers' claims for "safety availability", "reliability", "fault tolerance" and "safe failure fraction" as they relate to the "demand mode" or "continuous mode" of operation. Furthermore, an analysis of any third-party (i.e. TÜV, FM, etc.) certification guidelines and restrictions, as well as an analysis of the manufacturer's "safety manual", becomes an essential review step in the selection of the logic solver technology.

Premier Consulting Services recognizes that third-party certifications (i.e. TÜV, FM, etc.) to IEC 61508 and other applicable standards are focused exclusively on the "fail safe" mode of operation of the device. Premier Consulting Services also recognizes the importance of "process up-time" and therefore provides the expertise for the selection of SIS devices that deliver not only safety but also a high degree of "reliability" and a low "spurious trip" rate. There are devices and PLCs on the market that have low fault tolerance and low redundancy but a high "safe failure fraction", and thus get certified to even a SIL 2 or SIL 3 rating. The safe failure fraction counts safe (trip) failures in its numerator, so a device can reach a high SFF precisely by failing safe often, and every one of those safe failures is a spurious trip. PCS expert analysis and recommendations avoid the trap of designing a "safe" but "unreliable" SIS.
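To make the "safe but unreliable" trap concrete, the following Python script is an added example, not PCS's method and not a certification body's calculation. It computes the safe failure fraction from FMEDA figures, looks up the IEC 61508-2 route 1H SIL claim limit and the IEC 61511-1 Table 6 minimum hardware fault tolerance, and reports the spurious trip rate that the "safe" failures represent for a de-energize-to-trip device. The two valves XV-A and XV-B and their FIT figures are constructed; the table values and the clause 11.4.3 / 11.4.4 adjustments are transcribed from the standards as the author of this example reads them.

```python
"""Safe failure fraction and minimum hardware fault tolerance checks (added example).

Constructed FMEDA figures for hypothetical shutdown valves XV-A and XV-B. Table values
are transcribed from IEC 61508-2:2000 Tables 2/3 (route 1H) and IEC 61511-1:2003 Table 6
with clauses 11.4.3 and 11.4.4. Not PCS's method and not a vendor certificate.
"""

FIT = 1e-9  # one failure in 1e9 device-hours


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (safe + dangerous detected) / (all hardware failures), IEC 61508-2."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


# IEC 61508-2 Table 2 (type A, simple devices) and Table 3 (type B, complex/PE devices):
# highest SIL claimable per SFF band at hardware fault tolerance 0, 1 and 2.
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))
MAX_SIL_61508 = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),   # 0 = not allowed
}


def max_sil_61508(sff, hft, device_type):
    """SIL claim limit of a subsystem under IEC 61508-2 route 1H."""
    for (lo, hi), row in zip(SFF_BANDS, MAX_SIL_61508[device_type]):
        if lo <= sff < hi:
            return row[min(hft, 2)]
    raise ValueError("SFF must lie in [0, 1]")


# IEC 61511-1 Table 6: minimum HFT for sensors, final elements and non-PE logic
# solvers by target SIL (SIL 4 is referred back to IEC 61508).
MIN_HFT_61511 = {1: 0, 2: 1, 3: 2}


def min_hft_61511(target_sil, prior_use_relaxation=False, dominant_failure_unsafe=False):
    """Table 6, adjusted per 11.4.3 (+1 when the dominant failure mode is neither to
    the safe state nor detected) and 11.4.4 (-1, not below 0, when the device is
    selected on prior use, only process parameters are adjustable, the adjustment is
    protected, and the SIF is below SIL 4)."""
    hft = MIN_HFT_61511[target_sil]
    if dominant_failure_unsafe:
        hft += 1
    if prior_use_relaxation:
        hft = max(0, hft - 1)
    return hft


def device_check(name, device_type, fit_sd, fit_su, fit_dd, fit_du, hft, target_sil, **adjust):
    """Both tests a device must pass for a SIL target, plus the spurious trip rate
    that its 'safe' failures represent for a de-energize-to-trip element."""
    sff = safe_failure_fraction(fit_sd, fit_su, fit_dd, fit_du)
    claim = max_sil_61508(sff, hft, device_type)
    need = min_hft_61511(target_sil, **adjust)
    return {
        "device": name, "sff": round(sff, 4),
        "sil_claim_61508": claim, "meets_61508": claim >= target_sil,
        "hft_required_61511": need, "meets_mhft": hft >= need,
        "lambda_du_per_hour": fit_du * FIT,
        "spurious_trip_rate_per_year": (fit_sd + fit_su) * FIT * 8760,
        "acceptable": claim >= target_sil and hft >= need,
    }


def compare_valves(target_sil=2):
    """Two constructed type A valves with the SAME dangerous undetected rate: the one
    with far more safe (trip) failures scores the higher SFF and SIL claim, yet trips
    eight times as often, and on its own it still fails the Table 6 HFT for SIL 2."""
    xv_a = dict(device_type="A", fit_sd=0, fit_su=800, fit_dd=0, fit_du=80)
    xv_b = dict(device_type="A", fit_sd=0, fit_su=100, fit_dd=0, fit_du=80)
    return [
        device_check("XV-A single (high SFF)", hft=0, target_sil=target_sil, **xv_a),
        device_check("XV-B single (low SFF)", hft=0, target_sil=target_sil, **xv_b),
        device_check("XV-A in 1oo2 (HFT 1)", hft=1, target_sil=target_sil, **xv_a),
        device_check("XV-A single, prior-use relaxation", hft=0, target_sil=target_sil,
                     prior_use_relaxation=True, **xv_a),
    ]


if __name__ == "__main__":
    for r in compare_valves():
        print(f"{r['device']}: SFF {r['sff']:.1%}, 61508 claim SIL {r['sil_claim_61508']}, "
              f"needs HFT {r['hft_required_61511']}, spurious {r['spurious_trip_rate_per_year']:.4f}/yr, "
              f"acceptable={r['acceptable']}")
```

XV-A carries a SIL 3 claim limit at HFT 0 purely on its 91% SFF, while XV-B with the same dangerous rate is limited to SIL 1; both would need a second valve (HFT 1) for a SIL 2 function unless the prior-use relaxation of clause 11.4.4 is justified and documented. The spurious trip figures are the reliability side of the same FMEDA and belong in the device selection report next to the SIL claim.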

SIS Device Selection – PIU – MHFT

Inputs:
- Field equipment performance data
- Site environmental data
- Process up-time requirements
- List of SIF with individual SIL targets
- Project data gathered during study

Deliverables:
- Proven-in-use device analysis
- Fault tolerance device analysis
- Third-party certification analysis
- Application restrictions analysis
- Device safety & reliability analysis
- BPCS-SIS independence analysis


F. Conceptual Design

The SIS design and engineering phase of the safety lifecycle requires a solid "conceptual design" which develops and verifies that all the items defined in the SRS (Safety Requirements Specification) are fulfilled.

The following considerations shall be accounted for:

- Field instrumentation redundancy requirements and voting scheme.
- Field instrumentation process connection requirements, considering possible tap plugging, freezing, etc.
- Logic solver technology per the SRS.
- Cabinet integration requirements; material, temperature and humidity limits.
- BPCS technology and communication requirements.
- Field and communication wiring / routing requirements.
- Power source requirements, such as redundancy and/or UPS.
- Environmental requirements: lightning, flooding, extreme temperatures.
- Requirements for intrinsic safety / explosion proof.
- SIS equipment and junction box identification / tags / color painting, etc.
- Possible sources of common cause failures of the SIS.
- Non-safety instrumented functions in the SIS that may negatively affect a SIF shall be treated as part of the SIS, complying with the highest SIL requirements.
- Common hardware and software of the SIS that are shared by SIFs of different SIL shall be designed to meet the highest SIL.
- BPCS-SIS separation, independence and diversity shall be assessed.
- Requirements for operability, maintainability and testability shall be assessed (i.e. bypass facilities for on-line testing, including alarms when in bypass).
- Design of the HMI shall account for human capabilities and limitations and accommodate the level of operator training.
- Manual E-Stop should be implemented per the SRS.
- Subsystems that do not fail to the safe state on loss of power require line monitoring and special power loss detection measures.
- Action required upon detection of a fault, either by diagnostics or proof testing.
- Operator response time to critical alarms shall be accounted for.
- Protection of bypasses by key locks or passwords shall be implemented.
- SIS status, such as active, bypassed or tripped, shall be a function of the HMI.
- The SIS operator interface shall be protected against unauthorized changes.
- Any failure of the SIS maintenance/engineering interface should not prevent the SIS from bringing the process to its safe state.
- The maintenance/engineering interface should not be used as the operator interface.
- SIS communication failures should not prevent the SIS from bringing the process to its safe state.
- Electromagnetic interference and power surges in the SIS communication should not cause dangerous failures.
- Where required by the SRS, the design should allow for on-line proof testing of the SIS, either end to end or in parts.
- The operator should be alerted to the bypass of any part of the SIS by an alarm or procedure.
- Forcing of I/O in the PES should not be allowed unless supplemented by procedures and access security.

Conceptual Design

Inputs:
- SRS – Safety Requirements Specification
- Field technology / voting
- PES technology
- Power sources data
- Environmental data
- Project data gathered during study

Deliverables:
- Power & grounding conceptual drawings
- Field installation typical drawings
- Bypass typical drawings
- E-Stop typical drawings
- HMI requirements
- Communication requirements
- SIS P&IDs (as applicable)
- SIS cause & effect matrix (as applicable)

G. SIL Verification

IEC 61511 and ANSI/ISA S84.01-2004 require a quantitative verification that the SIL achieved by each SIF meets the target SIL determined in the SRS.

Modeling methods are referred to in IEC 61511-2 Annex A and described in IEC 61508-6 and ISA TR84.0.02:

a. Reliability block diagram technique
b. Simplified equations technique
c. Fault tree analysis technique
d. Markov modeling technique


The modeling technique is selected as appropriate for each application.

Fault Tree Analysis (FTA) was developed in 1962 at Bell Telephone Laboratories in the United States, under a U.S. Air Force contract, to evaluate the probability of an inadvertent launch of the Minuteman intercontinental ballistic missile. FTA has been used extensively by the military, the space program and the nuclear industry. It is a highly adaptable, logic-diagram-based technique that can be readily applied to the processes of the refining, petrochemical, chemical, oil and gas production, pipeline, pulp and paper, utility, nuclear, manufacturing and pharmaceutical industries. Premier Consulting Services recommends the FTA technique for complete quantified SIL verification of each SIF.

The principal benefits include:

- A clear graphical representation of the system.
- Mathematical models for numerous modes of operation (i.e. repairable, non-repairable and stand-by).
- Results directly indicate the key contributors to system unavailability.
- Consideration of sensitivity cases for modifications to system components, architecture and component testing intervals.
- Easy conversion of the system model for evaluation of nuisance trip rates.

Fault tree analysis is a top-down deductive method for identifying the numerous ways in which equipment failures, software failures, human error, environmental factors and external events can lead to accidents or other undesirable conditions. A fault tree model consists of a top event and a connecting logic structure of events that must take place in order for the undesired top event to result. In the evaluation of Safety Instrumented Systems, two scenario top events are typically of interest: SIS failure on demand and SIS spurious trip.

A model of the SIS failure on demand investigates the potential for the SIS failing to perform its designed safety function. In the event of a failure on demand, the process plant is experiencing an undesired condition that the SIS has been designed to detect and, upon detection, automatically take the process to a safe state; but because of a latent failure, the SIS fails to function, allowing the undesired condition and the subsequent consequences to continue. Simply stated, the SIS fails to perform its designed function when needed.

The second scenario top event considered in the evaluation of an SIS is a spurious trip. In the event of a spurious trip, the SIS has taken action when no process condition warranting such action is present.

Both the failure on demand and the spurious trip are critical performance characteristics of an SIS.


The fault tree model consists of a single top event, a number of simple faults called basic events, and logical operators that dictate how the basic events must combine to result in the failure described by the fault tree top event.

Basic events, which represent a simple failure or fault, are the building blocks of the model. A basic event may be a hardware failure, a human error or an adverse condition. Basic events are always assumed to be independent of each other. A common cause event must therefore be modeled as its own basic event and assigned its own failure probability or failure rate; this event is then regarded as statistically independent of all other basic events.

Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event.

The basic events are assigned the corresponding "failure rate", "proof test interval" and "mission time" data for computation in the fault tree. The resulting PFDavg calculation for each SIF is mapped to its SIL band and compared with the target SIL determined in the SRS. This constitutes the quantified SIL verification process for the fail-to-function mode, or safety availability.

A second fault tree is constructed to verify the MTTFspurious. The computed result is compared with the maximum spurious trip rate established in the SRS. This constitutes the quantified verification of the spurious trip rate.
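As an added worked example, not PCS's model and not SAPHIRE® or SILwatch™ output, the following Python script builds both fault trees for one constructed SIF (2oo3 pressure transmitters, one logic solver, 1oo2 shutdown valves, with the transmitter common cause modeled as its own basic event as described above). It quantifies the trees exactly by enumerating basic-event states, lists the minimal cut sets, integrates the time-dependent unavailability over the proof test interval to obtain PFDavg, and computes the spurious trip rate for repairable devices. All failure rates, the one-year proof test interval and the 8 h MTTR are constructed, not vendor data.

```python
"""Fault-tree SIL verification of one SIF (added worked example).

Constructed failure data; neither PCS's model nor SAPHIRE(R)/SILwatch(TM) output.
Top-event probabilities are exact (state enumeration), fine for a single SIF.
"""
import itertools
import math


class Basic:
    """Independent basic event: one device failure with constant rate lam (per hour);
    lambda_DU in the fail-on-demand tree, lambda_S in the spurious-trip tree."""
    def __init__(self, name, lam):
        self.name, self.lam = name, lam


class Vote:
    """k-out-of-n gate: fails when at least k inputs have failed.
    Vote(1, ...) is an OR gate, Vote(len(inputs), ...) an AND gate."""
    def __init__(self, k, *inputs):
        self.k, self.inputs = k, inputs


def basics(node):
    """All distinct basic events under a node, in first-seen order."""
    if isinstance(node, Basic):
        return [node]
    seen = []
    for child in node.inputs:
        seen += [b for b in basics(child) if b not in seen]
    return seen


def failed(node, down):
    """Structure function: is the top event present given the set of failed basic events?"""
    if isinstance(node, Basic):
        return node in down
    return sum(failed(c, down) for c in node.inputs) >= node.k


def top_probability(node, q):
    """Exact P(top event) for independent basic events with P(failed) = q[event]."""
    events, total = basics(node), 0.0
    for states in itertools.product((False, True), repeat=len(events)):
        down = {e for e, s in zip(events, states) if s}
        if failed(node, down):
            p = 1.0
            for e, s in zip(events, states):
                p *= q[e] if s else 1.0 - q[e]
            total += p
    return total


def minimal_cut_sets(node):
    """Smallest combinations of basic events that cause the top event."""
    events, cuts = basics(node), []
    for size in range(1, len(events) + 1):
        for combo in itertools.combinations(events, size):
            s = frozenset(combo)
            if failed(node, s) and not any(c <= s for c in cuts):
                cuts.append(s)
    return cuts


def pfd_avg(node, test_interval, mission_h, steps=500):
    """Average PFD over the mission time. Each basic event's unavailability grows as
    1 - exp(-lambda_DU * t) since its last (perfect) proof test, whose period is
    test_interval[event]; midpoint-rule integration over the mission time."""
    events, dt, acc = basics(node), mission_h / steps, 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        q = {e: 1.0 - math.exp(-e.lam * (t % test_interval[e])) for e in events}
        acc += top_probability(node, q)
    return acc / steps


def spurious_trip_rate(node, mttr_h):
    """Frequency (per hour) of the spurious-trip top event for repairable devices:
    sum over events of w_i * (P(top | i failed) - P(top | i working)), with
    w_i = lambda_S * (1 - q_i) and steady-state q_i = lambda_S*MTTR / (1 + lambda_S*MTTR)."""
    events = basics(node)
    q = {e: e.lam * mttr_h / (1.0 + e.lam * mttr_h) for e in events}
    rate = 0.0
    for e in events:
        up, down = dict(q), dict(q)
        up[e], down[e] = 1.0, 0.0
        rate += e.lam * (1.0 - q[e]) * (top_probability(node, up) - top_probability(node, down))
    return rate


def sil_achieved(pfd):
    """Low-demand SIL band of IEC 61511 / IEC 61508 for a PFDavg value; 0 = below SIL 1."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return 4  # below 1e-5: SIL 4 is the highest claim the standard defines


def verify_example_sif(test_interval_h=8760.0, mttr_h=8.0):
    """Constructed SIF: 2oo3 pressure transmitters, one logic solver, 1oo2 shutdown
    valves; rates (per hour) are illustrative, not vendor FMEDA data."""
    pt = [Basic(f"PT-10{i} DU", 5e-7) for i in (1, 2, 3)]
    ccf = Basic("PT common cause DU (beta 5%)", 0.05 * 5e-7)
    ls = Basic("Logic solver DU", 1e-8)
    xv = [Basic(f"XV-10{i} DU", 2e-6) for i in (1, 2)]
    # Fail on demand: 2 of 3 transmitters, or the CCF, or the solver, or both valves.
    fail_on_demand = Vote(1, Vote(2, *pt), ccf, ls, Vote(2, *xv))
    interval = {e: test_interval_h for e in basics(fail_on_demand)}
    pfd = pfd_avg(fail_on_demand, interval, test_interval_h)
    # Spurious trip is the dual picture: any 2 of 3 transmitters tripping, the CCF,
    # the solver, or EITHER valve closing on its own (a 1oo2 valve pair trips on one).
    pt_s = [Basic(f"PT-10{i} S", 1e-6) for i in (1, 2, 3)]
    xv_s = [Basic(f"XV-10{i} S", 1e-6) for i in (1, 2)]
    spurious = Vote(1, Vote(2, *pt_s), Basic("PT common cause S", 5e-8),
                    Basic("Logic solver S", 5e-8), Vote(1, *xv_s))
    rate = spurious_trip_rate(spurious, mttr_h)
    return {"pfd_avg": pfd, "sil": sil_achieved(pfd), "rrf": 1.0 / pfd,
            "minimal_cut_sets": [sorted(e.name for e in c) for c in minimal_cut_sets(fail_on_demand)],
            "str_per_hour": rate, "mttf_spurious_years": 1.0 / (rate * 8760.0)}


if __name__ == "__main__":
    r = verify_example_sif()
    print(f"PFDavg {r['pfd_avg']:.2e}  SIL {r['sil']}  RRF {r['rrf']:.0f}")
    for c in r["minimal_cut_sets"]:
        print("  cut set:", " AND ".join(c))
    print(f"spurious trip rate {r['str_per_hour']:.2e}/h, MTTFspurious {r['mttf_spurious_years']:.0f} years")
```

Run as a script it reports a PFDavg of about 2.7e-4 (SIL 3), six minimal cut sets (the three transmitter pairs, the common cause event, the logic solver, and the two valves together) and a spurious trip rate of about 2.1e-6/h, an MTTFspurious of roughly 54 years. Two observations a verification report should make from such a model: the common cause term and the valve pair dominate PFDavg while the 2oo3 transmitter group itself contributes least, so adding a fourth transmitter would buy almost nothing; and the valves dominate spurious trips because a 1oo2 shutdown valve pair trips whenever either valve fails safe. The proof test interval recommendation in the deliverables follows directly from rerunning pfd_avg with a different test_interval.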

Special tools

Fault tree analysis requires the use of Boolean algebra for the mathematical quantification in order to achieve correct and repeatable results. Therefore, a computer model is recommended for quantification of the fault trees. The US Department of Energy supports a fault tree analysis program with the appropriate mathematical capability and minimal cut set assessment, which was initially developed for the nuclear industry. This software package, SAPHIRE® (Systems Analysis Programs for Hands-on Integrated Reliability Evaluations), is used by Premier Consulting Services.

Additionally, PCS may also use SILwatch™, a fault-tree-based computer modeling tool for the simpler safety instrumented functions. Both tools have been verified to yield equivalent and repeatable results.


SIL Verification

Inputs:
- SRS – Safety Requirements Specification
- P&IDs and/or cause and effect matrix
- Instrumentation description
- Interlock description
- Expected proof testing frequency
- Process safety hazard analysis

Deliverables:
- Safety availability (PFDavg)
- Minimal cut sets
- Devices' % contributions to PFDavg
- SIL verification against SRS targets
- MTTFspurious (spurious trip rate)
- Devices' % contributions to MTTFspurious
- Recommendations for proof test intervals
- Recommendations for SIS improvements

Tools: SAPHIRE® and SILwatch™

H. Detailed Design

The detailed design phase of a typical SIS project entails implementing the "conceptual design" through good engineering practices, verifying all the requirements in the SRS (Safety Requirements Specification). The detailed design is usually performed by the SIS vendor and/or the engineering contractor.

The following considerations are accounted for:

- Verification of site-applicable standards (API, NFPA, MMS, authority having jurisdiction, etc.)
- Power and grounding drawings
- Field equipment installation drawings
- Field wiring layouts / junction boxes, etc.
- Intrinsic safety, explosion proof considerations
- Environmental considerations
- Logic solver equipment layout drawings
- Cabinet integration drawings
- Communications wiring drawings
- HMI workstation layout
- Application program development
- Verification of the use of fixed or limited variability languages
- Use of the V-model or other verification process
- Peer review and testing of application software
- Application software behavior in the presence of hardware failures
- Security implementation (access restrictions)
- HMI screens development
- Critical alarms implementation
- Implementation of bypass keys / permissives / inhibits
- Maintenance procedures development
- Proof testing procedures development
- FAT – Factory Acceptance Test

Installation & Commissioning I

Installation and Commissioning activities involve strict planning and implementation activities in compliance with the detailed design and the SRS.

This phase of the SIS project is usually implemented by a combination of the engineering contractor, SIS vendor and the user.

The following considerations are accounted for:

- Installation and Commissioning plan
- Procedures, measures and techniques to be used
- Persons, departments and organizations responsible
- Safety loop drawings / instrument lists
- Field instrumentation calibration
- Power and grounding verified
- Equipment functional tests
- Loop checks
- Interface communications tests
- Application software version control
- As-built drawings verified against SRS
- PSAT – Pre-Startup Acceptance Test


Functional Safety Assessment J

IEC 61511 requires that a functional safety assessment (FSA) be performed prior to the introduction of process materials into the equipment under control (EUC). This requirement is similar to the pre-startup safety review (PSSR) called for by OSHA and other regulatory bodies around the world.

IEC 61511 requires that at least one senior, competent person, independent from the project team, take part in the FSA. This independent individual must have the authority to prevent the process unit startup, if necessary.

The Functional Safety Assessment is documented in a “SIS validation plan” and is usually performed by the user/operator in conjunction with the engineering contractor and/or the SIS vendor. The FSA should at minimum verify the following:

- The SIS has been constructed, installed and tested in accordance with the SRS.
- All procedures for safety, operation, maintenance and management of change (MOC) are complete and in place.
- Any pending PHA and/or SRS issues are resolved and implemented.
- Operations and maintenance personnel are trained and competence is documented.
- Application software is validated in accordance with the validation plan.
- All safety instrumented functions perform according to the SRS.
- Bypasses, overrides and reset functions perform in accordance with the SRS.
- SIS is not affected by adverse interactions of the BPCS or any shared instrumentation.
- Loss of utilities does not impede proper SIS action.
- Verification of EMC immunity.
- BRPB or other manual independent e-stop operate correctly.
- Critical safety alarms function as per the SRS.
- HMI graphics function correctly.
- SIS safety validation (SAT) completed prior to startup.
- PSSR completed.
- All bypasses returned to normal, isolation valves set to startup position, test materials removed and all forces removed.


Operation & Maintenance K

IEC 61511 requires that the SIS be operated and maintained so that the designed safety function is preserved. The SIL of each SIF must be maintained throughout the lifecycle of the plant.

This function is usually performed by the user/operator and/or a maintenance contractor. However, the responsibility resides with the owner.

The operation and maintenance plan should address, at minimum, the following:

- Proof testing, preventive and breakdown maintenance activities.
- Verification of adherence to operation and maintenance procedures.
- Designation and competence of persons, departments and organizations responsible.
- Schedule adherence to all activities.
- Additional mitigation actions necessary during bypass and/or testing.
- Recording of actual process demand rate on the SIS.
- Identification of the cause of process demands.
- Recording of actual failure rates of SIS devices, including field equipment.
- Identification of the cause of false trips.
- Correct operation of each field sensor and final element.
- Correct logic action of the SIS.
- Correct alarms and indicators.
- Verification and validation of the actual SIL of each SIF, confirmation of the equipment failure rate assumptions made during the design phase, and adequacy of the proof test interval necessary to maintain the designed safety function.

Note: the COSIL® Safety System management tool-set, for on-line / real-time continuous SIL monitoring of all the Safety Instrumented Functions (SIF) in a process plant’s SIS, is an excellent tool that provides the mechanism for SIS operation and maintenance validation.

COSIL® additionally provides the functionality to perform continuous on-line calculation of each Safety Instrumented Function’s (SIF) instantaneous probability of failure on demand (PFD). This measurement provides plant engineers with real-time data for evaluating the actual instantaneous Risk Reduction Factor (RRF), conducive to better decision making in the area of plant safety improvements. Knowledge of the instantaneous PFD provides a wealth of information over and above the PFDavg-based SIL.

COSIL® is applicable to both “Demand mode of operation” and “Continuous mode of operation” as defined in IEC 61511-1 paragraph 3.2.43.2.
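As an added worked example (not the paper's own code, nor SAPHIRE, SILwatch or COSIL), the following Python script quantifies the two fault trees described under SIL verification above for a constructed 1oo2-sensor SIF: the minimal cut sets give the instantaneous PFD that the COSIL passage discusses, its average over the proof test interval gives PFDavg and the achieved SIL, and each cut set's percentage contribution and MTTFspurious follow. All device failure rates, the device tags and the one-year proof test interval are assumed values.

```python
import math

# Constructed example SIF (assumed values, not from the paper): two pressure
# transmitters voted 1oo2, one logic solver (LS) and one shutdown valve (XV).
# Rates are failures per hour: lambda_du = dangerous undetected, lambda_s = safe.
LAMBDA_DU = {"PT-1": 5.0e-7, "PT-2": 5.0e-7, "LS": 1.0e-8, "XV": 5.0e-7}
LAMBDA_S = {"PT-1": 2.0e-6, "PT-2": 2.0e-6, "LS": 5.0e-7, "XV": 1.0e-6}
# Minimal cut sets of the "fail to function" tree: both transmitters (1oo2), or LS, or XV.
CUT_SETS_DANGEROUS = [("PT-1", "PT-2"), ("LS",), ("XV",)]
# Spurious-trip fault tree: any single safe failure trips the unit (1oo2 trips on either sensor).
CUT_SETS_SPURIOUS = [("PT-1",), ("PT-2",), ("LS",), ("XV",)]
PROOF_TEST_H = 8760.0  # assumed one-year proof test interval, in hours

def pfd_device(lam, t):
    """Instantaneous PFD of a proof-tested device, t hours after its last test."""
    return 1.0 - math.exp(-lam * t)

def cut_set_pfd(cut_set, t):
    """AND gate: every device in the cut set must be failed (independent failures)."""
    return math.prod(pfd_device(LAMBDA_DU[d], t) for d in cut_set)

def pfd_sif(t):
    """OR gate over the minimal cut sets: instantaneous PFD of the whole SIF."""
    return 1.0 - math.prod(1.0 - cut_set_pfd(cs, t) for cs in CUT_SETS_DANGEROUS)

def time_average(fn, interval=PROOF_TEST_H, steps=2000):
    """Average fn(t) over one proof-test interval (midpoint rule); PFDavg = time_average(pfd_sif)."""
    dt = interval / steps
    return sum(fn((i + 0.5) * dt) for i in range(steps)) / steps

def contributions():
    """Percent share of each cut set in PFDavg (rare-event approximation: shares sum to 100)."""
    parts = {cs: time_average(lambda t: cut_set_pfd(cs, t)) for cs in CUT_SETS_DANGEROUS}
    total = sum(parts.values())
    return {cs: 100.0 * p / total for cs, p in parts.items()}

def sil_achieved(pfd):
    """Demand-mode SIL band per IEC 61511: SIL n means 1e-(n+1) <= PFDavg < 1e-n (4 for anything lower)."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0  # PFDavg >= 0.1: no SIL claim

def mttf_spurious():
    """Single safe failures combine through an OR gate, so the trip rate is the sum of the rates."""
    return 1.0 / sum(LAMBDA_S[d] for (d,) in CUT_SETS_SPURIOUS)

if __name__ == "__main__":
    avg = time_average(pfd_sif)
    print(f"PFDavg={avg:.2e} SIL {sil_achieved(avg)} RRF={1 / avg:.0f} MTTFspurious={mttf_spurious() / 8760:.1f} y")
```

With these assumed rates the valve dominates PFDavg, which is the kind of device contribution the SIL verification deliverables report, and the PFD at the end of the interval is roughly twice PFDavg, which is why instantaneous PFD adds information over the PFDavg-based SIL.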

Safety Audits L

SIS safety audits are requirements for validation of the designed safety function. IEC 61511, true to the criteria of a performance-based standard, has no specific requirements regarding the frequency or the procedures. However, the safety audits must be independent and objective.

Process industry experience would indicate that:

- An audit frequency of 3 years is a starting point. Based on the number of negative findings, the frequency may be adjusted accordingly.
- Individuals conducting the audit should be independent of the plant personnel.
- Standards and/or corporate documents against which the audit is to be conducted should be agreed upon in advance.
- Procedures review should reveal if they are in place, understood and followed.
- Interviews should start with managers, followed by engineering and finally operation and maintenance personnel.
- All maintenance and testing records should be reviewed in detail. Especially critical is the review of management of change records.
- Visual inspection of field equipment condition and tagging is a key indicator of general health.
- Checking for unauthorized systems in bypass is critical.
- Records of the SIL for each SIF should be clearly documented.
- Records of the validation of the SIL and RRF for each SIF should be documented.
- Records of the number and cause of process demands should be clearly documented.
- Records of the number and cause of nuisance trips should be clearly documented.
- Records of the actual failure rates of the SIS devices, as they compare to the design assumptions, should be clearly documented.
- Documentation should reflect up-to-date installed hardware and software.

The safety audits are normally conducted by corporate personnel independent of the plant and/or by specialized consulting companies, such as Premier Consulting Services. SCAMP® (Safety Compliance Auditing and Maintenance Program) is an excellent service for this phase of the safety lifecycle and for compliance to IEC 61511 clause 16.1.1, which states: “To ensure that the required SIL of each safety instrumented function is maintained during operation and maintenance” and “To operate and maintain the SIS so that the designed functional safety is maintained”.

Modifications / MOC M

IEC 61511 requires that modifications to any safety instrumented system (SIS) are properly planned, reviewed and approved prior to making the change. Additionally, the required safety integrity of the SIS should be maintained despite any changes performed.

Management of Change (MOC) procedures should be in place and all requirements of the SRS should be assessed.

- Prior to making any modifications to the SIS, procedures for authorizing and controlling changes should be effective and understood.
- MOC authorizations should identify the hazards which may be affected.
- Modifications require a functional safety impact analysis prior to authorization.
- Any impact on safety requires returning to the first affected step in the safety lifecycle.
- Modifications that imply a change of hardware or software call for returning to the first affected step in the safety lifecycle (i.e. replacement in kind, proven-in-use, minimum hardware fault tolerance, maximum SIL claim limit, etc.).
- Tests should verify that the changes were properly implemented.
- Tests should ensure that functional safety is not negatively affected.
- Modifications should be performed by qualified and competent personnel.
- All affected and appropriate personnel should be notified and trained regarding the change and its implications.
- Documentation should be updated to reflect the modifications, including the reason for the change, the hazards affected and the tests performed to verify that the safety integrity is maintained.

Modifications are normally performed by the user/operator and/or a maintenance contractor, with supervision of competent engineering and safety personnel.

For more information about how Premier Consulting Services can help you solve your critical control system problems, contact: