Safety Instrumented Systems: Ultimate Guide to the Safety Life-Cycle of IEC 61511 Edition 2
eFunctionalSafety.com
FIRSTLY
In this edition, I’ve included links to Functional Safety Blog articles to take you to more detail
that you may find useful.
This guide is only a start. You can get an accredited certificate in several topic areas by taking
one of our online courses.
I hope that you find the guide useful, and welcome any feedback.
Feedback email:
learning@eFunctionalSafety.com
LIFE-CYCLE
This eBook should help you navigate through the different life-cycle steps of a
safety instrumented system project.
Use the QR code below to access our online guide to key terminology.
© eFunctionalSafety.com
Safety is a general term that we all use, although we rarely think about what it means. Safety
standards define it as “Freedom from danger, risk, or injury” or “Freedom from unacceptable risk”.
This terminology affirms that risk is always a factor while recognizing that we don’t have to accept
high-risk situations.
Achieving a tolerably safe environment for workers and the public is a huge topic. However, in this
guide, the focus is on delivering Process Safety and Functional Safety.
Process safety is a broad and varied subject in itself. Still, for our purposes, we’ll say that the target
is keeping processes under control and stopping loss of containment of hazardous materials from
pipes, vessels and process equipment. Process safety involves many different disciplines, including materials experts, process engineers, mechanical, electrical, control and instrumentation, and process safety professionals.
Functional safety in the process industry is focused explicitly on electrical, control and instrumentation equipment. When hazardous events occur, we need to know that instrumentation and automation equipment such as sensors, logic solvers and final elements will bring the process to a safe state. When applied correctly, functional safety principles should ensure that each hazardous event is prevented or mitigated by equipment designed with the correct level of integrity, appropriate for the risk posed.
The IEC 61511 standard outlines a functional safety life-cycle for the process industry sector. IEC
61511 is now internationally accepted by most operating companies and regulators. It now has the
status of being both a European Norm (EN) and a best practice standard in the USA.
The IEC 61511 safety life-cycle provides an outline flowchart showing the stages of different
activities needed to assess hazards and then develop instrumented protection layers to prevent or
mitigate risk.
Safety Instrumented Systems (SIS) are specialist protection layers that need careful specification,
design, testing and maintenance.
The following pages describe how the SIS safety life-cycle works in outline detail.
If you want to know more, visit our free online guide and sign up to be a member to get access to
protected pages on our website.
[Flowchart legend: INPUT (procedure, or document/information); ACTIVITY; OUTPUT (report)]
[Life-cycle diagram, stages 1 and 2]
Stage 1: Process hazard and risk assessment.
Stage 2: Hazard identification, layer of protection analysis, IPL and SIL target assessment, led by the duty holder (hazard owner).
Outputs: IPL register; Safety Requirements Specification for SIS and SIF; Functional Safety Assessment Stage 1.
One very effective technique at this stage is a layer of protection analysis (LOPA) study. A LOPA
study can consider each hazard scenario and determine whether the safeguards identified
during PHA are adequate as independent protection layers (IPLs).
After considering all possible IPLs, it may be the case that one or more Safety Instrumented
Functions (SIF) are needed to reduce risk to tolerable levels. With the correct procedure in place,
the LOPA study can determine the Safety Integrity Level (SIL) target of each SIF.
[Life-cycle diagram, stage 3]
Stage 3: Development of the concept SIF design to meet the SIL target.
Inputs: probability of failure data for the sensor(s), logic solver(s), final element(s) and interposing device(s).
Activities: determine the proof test philosophy; verify HFT and PFDavg/PFH against the target SIL for each SIF; decide whether the SIL target is achievable. If NO, revise the design and repeat; if YES, the proposed design can meet the SIL target with the selected equipment.
Outputs: updated Safety Requirements Specification for SIS and SIF; SIL Verification Report.
Integrity requirements set the standard for the design in terms of safety integrity and system
availability. The safety integrity level (SIL) target is one integrity requirement of a SIF, but not the
only one. Others include PFD/RRF or PFH, Hardware Fault Tolerance (HFT), and other detail
needed for SIL Verification.
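The two calculations behind stages 2 and 3 (the LOPA that sets the SIL target and PFD/RRF requirement, and the SIL verification that checks a proposed architecture against them, including the NO branch of the "SIL target achievable?" decision) are easier to see as working code. The block below is an added example written for this guide, not code from eFunctionalSafety or from IEC 61511. Every number in it (initiating event frequency, IPL PFDs, tolerable frequency, failure rates, proof test intervals, common-cause factor) is constructed for illustration, not plant data. The PFDavg formulas are the simplified low-demand IEC 61508-6 expressions with no diagnostic coverage and repair times neglected, and the minimum HFT table is assumed to be the low-demand column of IEC 61511-1 edition 2 Table 6; a real SIL verification uses the full formulas and the manufacturer's certified failure data.

```python
"""Worked LOPA -> SIL target -> SIL verification example (low-demand mode).

Added illustration only, not code from the eFunctionalSafety guide. Every number
below (initiating event frequency, IPL PFDs, tolerable frequency, failure rates,
proof-test intervals, beta) is constructed for the example, not real plant data.
"""
from dataclasses import dataclass


def sil_band(pfd_avg: float) -> int:
    """IEC 61508/61511 low-demand bands: SIL n means 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 if the PFDavg is not good enough for SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


# Assumed minimum HFT per SIL: low-demand column of IEC 61511-1 ed.2 Table 6
# (the high-demand/continuous column already requires HFT 1 at SIL 2).
MIN_HFT_LOW_DEMAND = {1: 0, 2: 0, 3: 1, 4: 2}


@dataclass
class Scenario:
    """One LOPA hazard scenario carried over from the PHA."""
    name: str
    initiating_frequency: float   # initiating events per year
    ipl_pfds: list                # PFD of each credited non-SIS IPL
    tolerable_frequency: float    # per year, from the duty holder's risk criteria


def lopa(scenario: Scenario) -> dict:
    """Decide whether a SIF is needed and what it must achieve.

    Mitigated frequency = initiating frequency x product of the IPL PFDs. If that
    is still above the tolerable frequency, the SIF must supply the remaining risk
    reduction: required PFD = tolerable / mitigated. The SIL target is the band the
    required PFD falls in; the PFD/RRF itself is a separate, tighter SRS requirement.
    """
    mitigated = scenario.initiating_frequency
    for pfd in scenario.ipl_pfds:
        mitigated *= pfd
    if mitigated <= scenario.tolerable_frequency:
        return {"sif_needed": False, "mitigated_frequency": mitigated}
    required_pfd = scenario.tolerable_frequency / mitigated
    return {"sif_needed": True, "mitigated_frequency": mitigated,
            "required_pfd": required_pfd, "required_rrf": 1.0 / required_pfd,
            "sil_target": sil_band(required_pfd)}


@dataclass
class Subsystem:
    """Sensor, logic solver or final element subsystem of one SIF."""
    name: str
    lambda_du: float              # dangerous undetected failure rate, per hour
    proof_test_interval_h: float
    voting: str = "1oo1"          # "1oo1" or "1oo2"
    beta: float = 0.0             # common-cause factor, used for 1oo2 only

    @property
    def hft(self) -> int:
        return {"1oo1": 0, "1oo2": 1}[self.voting]

    def pfd_avg(self) -> float:
        """Simplified IEC 61508-6 B.3.2 formulas with lambda_DD = 0 and repair
        times neglected; real SIL verification includes those terms too."""
        x = self.lambda_du * self.proof_test_interval_h
        if self.voting == "1oo1":
            return x / 2
        if self.voting == "1oo2":
            return (1 - self.beta) ** 2 * x ** 2 / 3 + self.beta * x / 2
        raise ValueError(f"unsupported voting {self.voting}")


def verify_sif(subsystems: list, sil_target: int, required_pfd: float) -> dict:
    """The 'SIL target achievable?' decision: loop PFDavg is the sum over its
    subsystems, and each subsystem must also meet the minimum HFT for the target SIL."""
    total_pfd = sum(s.pfd_avg() for s in subsystems)
    hft_ok = all(s.hft >= MIN_HFT_LOW_DEMAND[sil_target] for s in subsystems)
    achieved = sil_band(total_pfd)
    return {"pfd_avg": total_pfd, "rrf": 1.0 / total_pfd, "sil_achieved": achieved,
            "meets_pfd": total_pfd <= required_pfd, "meets_hft": hft_ok,
            "achievable": achieved >= sil_target and total_pfd <= required_pfd and hft_ok}


# Constructed scenario: vessel overpressure following a BPCS loop fault, one relief valve as IPL.
SCENARIO = Scenario("Vessel overpressure on BPCS failure",
                    initiating_frequency=0.5, ipl_pfds=[1e-2], tolerable_frequency=1e-5)

# Constructed first-pass design: single transmitter, safety PLC, single valve tested every 2 years.
DESIGN_A = [
    Subsystem("pressure transmitter", lambda_du=2e-7, proof_test_interval_h=8760),
    Subsystem("safety logic solver", lambda_du=1e-8, proof_test_interval_h=8760),
    Subsystem("shutdown valve", lambda_du=1e-6, proof_test_interval_h=2 * 8760),
]

# Revised design after the NO branch: 1oo2 valves with an assumed 5 % common-cause factor.
DESIGN_B = DESIGN_A[:2] + [
    Subsystem("shutdown valves", lambda_du=1e-6, proof_test_interval_h=2 * 8760,
              voting="1oo2", beta=0.05),
]


def run_example() -> tuple:
    target = lopa(SCENARIO)
    a = verify_sif(DESIGN_A, target["sil_target"], target["required_pfd"])
    b = verify_sif(DESIGN_B, target["sil_target"], target["required_pfd"])
    return target, a, b


if __name__ == "__main__":
    target, a, b = run_example()
    print(f"LOPA: SIL {target['sil_target']} target, required PFD {target['required_pfd']:.1e} "
          f"(RRF {target['required_rrf']:.0f})")
    for label, r in (("Design A", a), ("Design B", b)):
        print(f"{label}: PFDavg {r['pfd_avg']:.2e}, SIL band {r['sil_achieved']}, "
              f"achievable: {r['achievable']}")
```

Design A lands inside the SIL 2 band but fails the stricter PFD requirement the LOPA wrote into the SRS, which is exactly why the guide says the SIL target is not the only integrity requirement; only the redundant final element brings the loop under the required PFD. Note also that the common-cause term dominates the 1oo2 valve PFD, so leaving beta out would overstate the benefit of redundancy.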
[Life-cycle diagram, stage 4]
Stage 4: Development of the detailed design of the SIS hardware and application program (software).
Inputs: manufacturer data sheets for the sensors, final elements, logic solver and BPCS/HMI.
Activities and outputs:
SIS field device installation detail design, producing field device installation documentation and proof test procedures.
Logic solver hardware detail design, producing the logic solver hardware detail design specification.
Logic solver application program (AP) detail design, producing the AP detail design specification and preliminary proof test procedures.
BPCS interface/HMI detail design, producing the BPCS interface/HMI detail design specification.
Updated Safety Requirements Specification for SIS and SIF.
Factory acceptance testing (FAT) is often the start of many stages that involve exercising the
system to mimic the required functionality on the plant. Simulated factory testing cannot be the
final testing step and should never be confused with validation at the site.
[Life-cycle diagram, stage 5]
Stage 5: SIS logic solver hardware and application program Factory Acceptance Testing.
Inputs: logic solver safety manual; project modification procedure (pre-installation).
Activities: integration verification; duty holder witnessed FAT.
Output: FSA 2 Report.
[Life-cycle diagram, stage 6]
Stage 6: SIS installation, commissioning and validation testing on the plant before normal operation.
Inputs: commissioning documentation; project modification procedure (pre-installation); integrated SIS.
Outputs: FSA Stage 3 Report; updated Safety Requirements Specification for SIS and SIF.
The SRS should be the primary reference source for creating the validation plan to specify the validation crew's detailed steps. These will include physical inspection steps, drawing review versus actual installed equipment, positive and negative test activities and test logs.
Special procedures for bypassing a SIF or SIS during operation may also be needed, especially
for continuous process plants. Such practices will need to account for the full risks of bypassing
a safety function and have appropriate technical review and authorization.
As demands occur that require the SIS to react, operations should track these over time to look
for negative trends which might lead to plant or system modification.
[Life-cycle diagram, operation and maintenance]
Operation and maintenance of an SIS involves inspection, proof testing and controlled modification.
Inputs: operation and maintenance procedure; modification and decommissioning procedure; modification request; FSA 4 plan/procedure; FSA 5 plan/procedure.
Activities: inspection and proof testing; FSA 4 and audit at periodic intervals; FSA 5 after modification, repeating the appropriate life-cycle activities.
Outputs: inspection and proof testing records; FSA 5 Report.
In planning life-cycle steps it is important to consider the inputs, procedures and expected outputs for each stage. It is not sufficient to simply refer to the sample life-cycle in the IEC 61511 standard because this is far too generic. Instead, each duty holder must develop a custom life-cycle which will show the steps, methods and procedures they will adopt to deliver functional safety objectives.
Projects involving SIS must, therefore, be conducted with sound project management principles
which include a clear and concise plan, well developed procedures and sign-off activities that
may otherwise be less stringent on non-safety-related projects.
Functional Safety Assessment (FSA) is one specific functional safety management (FSM) activity which is proposed at several stages in the SIS safety life-cycle, and mandated in IEC 61511 to be carried out at least once prior to start-up of an SIS and at intervals during the operations stage.
The FSA activity must be led by a senior competent person, who is not involved with the step or
steps being analyzed.
Note that FSA planning should be done at the start of any project where an SIS is expected to be needed. If the SIS already exists, then plan for an operations and maintenance FSA stage 4.
There are five stages at which functional safety assessment is recommended, as shown in the
detail diagrams in the remainder of this document.
Producing huge amounts of paper should not be a goal of any SIS project or operation. However,
there must be sufficient evidence upon which an independent assessor can make a judgement
for FSA conformance purposes. The goal should be to produce a trail of evidence at each stage to
One thing that is clear about the distinction between FSA and FSAR is that FSAR does not have
the specific goal of making a judgement about the functional safety achieved by each SIF design,
whereas FSA does have that goal.
Somewhat like a Quality or Gap audit, FSAR cannot be conducted until functional safety
procedures are in place, and they have been in place long enough to produce sufficient evidence
documents about whether the procedures are being followed. However, it is entirely feasible
that some procedures will be put in place and followed at least once during an SIS project
development, meaning an FSAR alongside an FSA activity is an entirely valid prospect even for a
new-build.
FSAR also involves the important aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA, given that non-conformances would lead to an action for change.
Management of Change
The objective of managing change to the SIS is to ensure that the previously validated system
is not compromised in any way. All requests for change must identify and repeat the relevant
parts of the life-cycle again, in order to ensure the impact of change is fully understood before
proceeding.
Modification planning should include documenting the reason for change, conducting an
impact analysis, and a functional safety assessment (FSA) of the impact analysis. The FSA must
be conducted by a competent person who is independent of those making the changes. It is mandatory to re-validate the system and update all relevant documentation. The only exception to this is for fully like-for-like changes which do not involve changed software or embedded firmware.
Actually making changes to the SIS must only occur under pre-authorized conditions and normal work-permit practices. As usual, change must be made by those with the required competence, and the changes should be logged as a record of completion. All those impacted by the change must be trained.
Any SIF or SIS which is decommissioned must follow the same MoC procedure, with a full justification
record retained for removal of a SIF or SIS from service.
SIS Documentation
It is difficult, but nevertheless crucial, to keep safety system documentation accurate, up to date, easy to
understand and fit for purpose.
If you want to manage the safety life-cycle for the long term it is well worth considering using specialist safety life-cycle software.