
SAFETY INSTRUMENTED SYSTEMS

ULTIMATE GUIDE TO THE SAFETY LIFE-CYCLE of IEC 61511 edition 2

Document ID: eFS-ebook-SIS-r2.1

eFunctionalSafety.com

FIRSTLY

ABOUT THIS EBOOK


This is the 2nd edition of an eBook aimed at industry professionals interested in applications
of control and safety instrumented systems - SIS.

In this edition, I’ve included links to Functional Safety Blog articles to take you to more detail
that you may find useful.

This guide is only a start. You can get an accredited certificate in several topic areas by taking
one of our online courses.

I hope that you find the guide useful, and welcome any feedback.

Jon Keswick, CFSE - Founder

Feedback email:
learning@eFunctionalSafety.com



The safety life-cycle is explained in detail in our accredited self-paced online training course.

THE SAFETY INSTRUMENTED SYSTEM LIFE-CYCLE
This eBook should help you navigate through the different life-cycle steps of a
safety instrumented system project.

Use the QR code below to access our online guide to key terminology.

© eFunctionalSafety.com


Introduction

Safety is a general term that we all use, although we rarely think about what it means. Safety
standards define it as “Freedom from danger, risk, or injury” or “Freedom from unacceptable risk”.
This terminology affirms that risk is always a factor while recognizing that we don’t have to accept
high-risk situations.

Achieving a tolerably safe environment for workers and the public is a huge topic. However, in this
guide, the focus is on delivering Process Safety and Functional Safety.

Process safety is a broad and varied subject in itself. Still, for our purposes, we’ll say that the target is keeping processes under control and stopping loss of containment of hazardous materials from pipes, vessels and process equipment. Process safety involves many different disciplines, including materials experts, process engineers, mechanical, electrical, control and instrumentation, and process safety professionals.

Functional safety in the process industry is focused explicitly on electrical, control and instrumentation equipment. When hazardous events occur, we need to know that instrumentation and automation equipment such as sensors, logic solvers and final elements will bring the process to a safe state. When applied correctly, functional safety principles should ensure that each hazardous event is prevented or mitigated by equipment designed with the correct level of integrity, appropriate for the risk posed.

The IEC 61511 standard outlines a functional safety life-cycle for the process industry sector. IEC
61511 is now internationally accepted by most operating companies and regulators. It now has the
status of being both a European Norm (EN) and a best practice standard in the USA.

The IEC 61511 safety life-cycle provides an outline flowchart showing the stages of different
activities needed to assess hazards and then develop instrumented protection layers to prevent or
mitigate risk.

Safety Instrumented Systems (SIS) are specialist protection layers that need careful specification,
design, testing and maintenance.

The following pages describe how the SIS safety life-cycle works in outline detail.

If you want to know more, visit our free online guide and sign up to be a member to get access to
protected pages on our website.



The flow chart describes the typical management, technical and project activities for producing high safety integrity at all stages of the life-cycle.

Flow chart key: INPUT (a Procedure or a Document/Information item); ACTIVITY; OUTPUT (a Report). The chart begins at the “START HERE” marker.

1. Process hazard and risk assessment

Owners of major accident hazard sites (duty holders) need to identify hazards and make some grading of different risks posed by their process to workers, visitors, the surrounding public and the environment. For process facilities, this usually involves looking for events that result in the “loss of containment” (LOC) of hazardous materials.

There are many different ways of approaching process hazard analysis (PHA), often using a combination of study methods like “What-If” or HAZOP - Hazard and Operability studies. Whichever methods are adopted, the key is to use a systematic procedure covering all process areas using a multi-disciplined team approach.

If approached methodically, a PHA/HAZOP should provide:


• Credible information on possible causes of hazards.
• Estimated consequences of hazardous events.
• Safeguards that can prevent or mitigate escalation.
• Actions for safety and operational improvement.



[Flow chart, stage 2: hazard identification, LOPA and SIL target assessment]
Inputs: Process Safety Information; Process Flow Diagrams; P&ID’s; Facility Siting; Occupancy Requirements; Cause & Effects; Instrument list; Preliminary IPL/SIF list; Functional Safety Management Plan.
Procedures: PHA/HAZID/HAZOP Procedure; LOPA Procedure; ALARP Justification Procedure; FSA 1-3 Plan / Procedure.
Activities: Identify Potential Hazards & Safeguards; Allocate Safety Requirements to IPL; “SIS Required?” decision (YES/NO); Functional Safety Assessment Stage 1.
Outputs: HAZID report; HAZOP report; Preliminary Risk Assessment; LOPA report; IPL’s and SIF Candidates; IPL Register; Safety Requirements Specification for SIS & SIF; FSA Stage 1 Report.

2. Hazard Identification, Layer of Protection Analysis, IPL and SIL target assessment led by the duty holder (hazard owner).

Independent Protection Layers and SIL targets

After hazards and safeguards are identified, there often needs to be further analysis of how adequate the safeguards are at risk reduction. There are no mandated techniques for this step, so the duty holder needs to decide on one or more methods that they will adopt for further analysis.

You cannot complete this step without tolerable risk criteria stipulated by the duty holder. These risk criteria usually get embedded in the form of a risk matrix or a set of numerical targets with specified frequencies of undesired consequences.

One very effective technique at this stage is a layer of protection analysis (LOPA) study. A LOPA
study can consider each hazard scenario and determine whether the safeguards identified
during PHA are adequate as independent protection layers (IPL).

After considering all possible IPL’s, it may be the case that one or more Safety Instrumented Functions (SIF) are needed to reduce risk to tolerable levels. With the correct procedure in place, the LOPA study can determine the Safety Integrity Level (SIL) target of each SIF.
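The LOPA arithmetic behind a SIL target, shown as an added example that is not part of the eBook: the scenario frequency, the IPL PFDs, the conditional modifiers and the tolerable-frequency criterion are all constructed values, and the SIL bands are the IEC 61508/61511 low-demand table.

```python
"""LOPA worked example: required risk reduction and SIL target for one
hazard scenario. Added illustration, not from the eBook; the scenario,
its frequencies and the tolerable-frequency criterion are constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional

# Low-demand SIL bands from the IEC 61508/61511 tables:
# SIL n covers 10**-(n+1) <= PFDavg < 10**-n (RRF above 10**n, up to 10**(n+1)).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float   # initiating events per year
    ipl_pfds: List[float]          # PFD of each existing independent protection layer
    modifiers: List[float]         # conditional modifiers, e.g. ignition, occupancy
    tolerable_freq: float          # duty holder's risk criterion, events per year


def mitigated_frequency(s: Scenario) -> float:
    """Consequence frequency with the existing IPLs and modifiers credited."""
    f = s.initiating_event_freq
    for p in s.ipl_pfds + s.modifiers:
        f *= p
    return f


def required_rrf(s: Scenario) -> float:
    """Risk reduction factor still needed from a new SIF (<= 1 means none)."""
    return mitigated_frequency(s) / s.tolerable_freq


def sil_target(rrf: float) -> Optional[int]:
    """SIL target for a required RRF: None when no SIF is needed, 0 when the
    gap is below SIL 1 (RRF <= 10) so a non-SIS IPL may close it."""
    if rrf <= 1:
        return None
    pfd_needed = 1.0 / rrf
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd_needed < high:
            return sil
    if pfd_needed >= 0.1:
        return 0
    raise ValueError("required RRF is beyond SIL 4; reduce the hazard another way")


# Constructed scenario: vessel overpressure after a BPCS pressure-control
# loop fails; operator response to an independent alarm is the only IPL.
OVERPRESSURE = Scenario(
    name="V-101 overpressure on BPCS loop failure",
    initiating_event_freq=0.1,
    ipl_pfds=[0.1],         # operator response to alarm
    modifiers=[0.5, 0.5],   # probability of ignition, probability of occupancy
    tolerable_freq=1e-5,    # constructed single-fatality criterion
)
# The same scenario once a relief valve (PFD 0.01) is credited as a second IPL.
WITH_RELIEF_VALVE = replace(OVERPRESSURE, ipl_pfds=[0.1, 0.01])

if __name__ == "__main__":
    for s in (OVERPRESSURE, WITH_RELIEF_VALVE):
        rrf = required_rrf(s)
        print(f"{s.name}: required RRF {rrf:.1f}, SIL target {sil_target(rrf)}")
```

With only the alarm credited the gap is a required RRF of 250, a SIL 2 SIF; crediting the relief valve drops it to 2.5, which is the flow chart's "SIS required? NO" branch.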



[Flow chart, stage 3: concept SIF design and SIL verification]
Inputs: IEC61508 Compliant Item Safety Manuals and/or Prior Use Information; Probability of Failure Data for Sensor(s), Logic Solver(s), Final Element(s) and Interposing Device(s).
Activities: Select Technology, Hardware and Devices; Decide on required HFT for safety & availability; Determine Proof Test Philosophy; Verify HFT and PFDavg/PFH to meet target SIL for each SIF; “SIL Target Achievable?” decision (NO: revisit the selection; YES: proposed design can meet SIL target with selected equipment).
Outputs: SIL Verification Report; UPDATED Safety Requirements Specification for SIS & SIF.

3. Development of the concept SIF design to meet the SIL target.

Safety Requirements Specification

The Safety Requirement Specification (SRS) is the SIF and Safety Instrumented System (SIS) design blueprint. The duty holder must approve requirements to match the integrity identified in the process hazard and SIL assessment stages.

Functional requirements should explain what each safety instrumented function (SIF) should do. SIF functionality can be easily expressed by “cause and effect” diagrams that associate the sensed condition and its required actions.

Integrity requirements set the standard for the design in terms of safety integrity and system
availability. The safety integrity level (SIL) target is one integrity requirement of a SIF, but not the
only one. Others include PFD/RRF or PFH, Hardware Fault Tolerance (HFT), and other detail
needed for SIL Verification.
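How the HFT, proof test interval and PFDavg of a SIF are checked against its SIL target, as an added example written for this guide rather than the eBook's own calculation: the failure rates, proof test intervals and beta factor are constructed, and PFDavg uses the usual simplified low-demand approximations (no repair time or diagnostic credit).

```python
"""SIL verification of one SIF from subsystem failure data. Added example, not
the eBook's calculation: failure rates, proof test intervals and beta factor are
constructed; PFDavg uses the usual simplified low-demand approximations."""
from dataclasses import dataclass, replace
from typing import List

HOURS_PER_YEAR = 8760.0
# SIL n covers 10**-(n+1) <= PFDavg < 10**-n (IEC 61508/61511, low demand).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

@dataclass
class Subsystem:
    name: str
    lambda_du: float            # dangerous undetected failure rate per hour, per channel
    test_interval_years: float  # proof test interval TI
    voting: str = "1oo1"        # "1oo1" gives HFT 0, "1oo2" gives HFT 1
    beta: float = 0.1           # common-cause fraction, used by 1oo2 only

    def pfd_avg(self) -> float:
        """1oo1: lambda_DU*TI/2; 1oo2: (lambda_DU*TI)**2/3 + beta*lambda_DU*TI/2
        (no repair time or diagnostic credit taken)."""
        x = self.lambda_du * self.test_interval_years * HOURS_PER_YEAR
        if self.voting == "1oo1":
            return x / 2
        if self.voting == "1oo2":
            return x * x / 3 + self.beta * x / 2
        raise ValueError(f"unsupported voting {self.voting}")

def sif_pfd_avg(subsystems: List[Subsystem]) -> float:
    """The SIF PFDavg is the sum over sensor, logic solver and final element."""
    return sum(s.pfd_avg() for s in subsystems)

def achieved_sil(pfd: float) -> int:
    """SIL band the PFDavg falls in; 0 means worse than SIL 1."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0

def meets_target(subsystems: List[Subsystem], target_sil: int) -> bool:
    return achieved_sil(sif_pfd_avg(subsystems)) >= target_sil

# Constructed SIF: transmitter, safety PLC and one shutdown valve that is only
# proof tested every three years, at a turnaround.
PT = Subsystem("PT-101 transmitter", lambda_du=2e-7, test_interval_years=1.0)
PLC = Subsystem("safety PLC", lambda_du=5e-9, test_interval_years=1.0)
XV = Subsystem("XV-101 valve + solenoid", lambda_du=2e-6, test_interval_years=3.0)
AS_PROPOSED = [PT, PLC, XV]
# Two ways to close the gap when the target is not achievable: test the valve
# more often, or add a redundant valve (1oo2, HFT 1) and keep the interval.
SHORTER_TI = [PT, PLC, replace(XV, test_interval_years=1.0)]
REDUNDANT = [PT, PLC, replace(XV, voting="1oo2")]

if __name__ == "__main__":
    for label, sif in (("as proposed", AS_PROPOSED), ("valve TI 1 yr", SHORTER_TI),
                       ("1oo2 valves", REDUNDANT)):
        pfd = sif_pfd_avg(sif)
        print(f"{label}: PFDavg {pfd:.2e}, SIL {achieved_sil(pfd)}, "
              f"meets SIL 2: {meets_target(sif, 2)}")
```

The valve dominates the SIF PFDavg, so the proposed design only reaches SIL 1; either a yearly valve proof test or a 1oo2 valve arrangement brings the SIF into the SIL 2 band, which is why the proof test philosophy and HFT decisions sit alongside the PFDavg check in the flow chart.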



4. SIS Design & Engineering

When the requirements are sufficiently complete and stable, the specifier can select appropriate SIS equipment. Long-lead items such as final element valves and actuators may be among the first things to be considered for selection.

IEC 61511 requires all equipment used in an SIS to be justified. Typically, this will involve ensuring only “SIL capable” devices get used from reputable suppliers. Where SIL capable devices are not available, the company responsible for equipment selection and engineering will need to consider justifying the use of equipment on another basis such as “prior use”.

[Flow chart, stage 4: SIS detail design]
Inputs: Sensor Manufacturer Data Sheets; Final Element Manufacturer Data Sheets; Logic Solver Manufacturer Data Sheets; BPCS/HMI Manufacturer Data Sheets.
Activities: SIS Field Device Installation Detail Design; Develop Proof Test Procedures; Logic Solver Hardware Detail Design; Logic Solver Application Program (AP) Detail Design; BPCS Interface/HMI Detail Design.
Outputs: Field Device Installation Documentation; Logic Solver Hardware Detail Design Specification; Logic Solver Application Program Detail Design Specification; Preliminary Proof Test Procedures; BPCS Interface/HMI Detail Design Specification; UPDATED Safety Requirements Specification for SIS & SIF.

Development of detailed design of the SIS hardware and application program (software).



Logic solver application programs will also be further specified and developed. Verification by
design review and factory acceptance testing (FAT) will typically occur towards the end of this
stage.

Installation and Validation Testing

Factory acceptance testing (FAT) is often the start of many stages that involve exercising the system to mimic the required functionality on the plant. Simulated factory testing cannot be the final testing step and should never be confused with validation at the site.

The critical part of this phase of the life-cycle is known as validation or validation testing. Validation testing of the system in-situ on the hazard site involves an end-to-end physical test, from the installed sensor to the installed final element, for every SIF listed in the safety requirements specification (SRS).

[Flow chart, stage 5: factory acceptance testing]
Inputs: FAT Plan / Test Specification; Logic Solver Safety Manual; Project Modification Procedure (pre-installation); FSA 1-3 Plan / Procedure; FSA 1 Report.
Activities: Manufacturer Logic Solver Hardware & Software Build & Integration; Integration Verification; Duty Holder witnessed FAT; FAT Punch List, following Project Modification Procedure; FSA Stage 2.
Outputs: FAT Report; UPDATED Safety Requirements Specification for SIS & SIF; FSA 2 Report.

5. SIS logic solver hardware and application program Factory Acceptance Testing.



[Flow chart, stage 6: installation, commissioning and validation]
Inputs: Commissioning Documentation; Project Modification Procedure (pre-installation); Validation Plan / Procedure with frozen SRS; Updated Proof Test Procedures; FSA 1-3 Plan / Procedure; FSA 1 and FSA 2 Reports.
Activities: Install BPCS / HMI; Install SIS Logic Solver; Install SIS Field Devices; Integrated SIS Installation Verification; SIS Validation and Commissioning; Document “As-Built” SIS; FSA Stage 3.
Outputs: Updated SRS; Operation & Maintenance Documentation; FSA Stage 3 Report; UPDATED Safety Requirements Specification for SIS & SIF.

6. SIS installation, commissioning and validation testing on the plant before normal operation.

The SRS should be the primary reference source for creating the
validation plan to specify the validation crew’s detailed steps.
These will include physical inspection steps, drawing review
versus actual installed equipment, positive and negative test
activities and test logs.

The operation and maintenance personnel must get trained on all aspects of the SIS and SIF before startup. This training is crucial for a novel system or unfamiliar equipment.



7. Operation and Maintenance

Once the SIS is in operation, nobody must modify it unless they follow change management processes.

Someone should have developed inspection and proof test procedures for the SIS and each safety instrumented function (SIF). Ideally, the proof tests get scheduled to tie in with turnarounds to enable safe offline testing. Operations must keep detailed inspection and test records for future assessment, audit and further analysis of equipment failure root cause.

Special procedures for bypassing a SIF or SIS during operation may also be needed, especially
for continuous process plants. Such practices will need to account for the full risks of bypassing
a safety function and have appropriate technical review and authorization.

As demands occur that require the SIS to react, operations should track these over time to look
for negative trends which might lead to plant or system modification.

[Flow chart, stage 7: operation and maintenance]
Inputs: Operation & Maintenance Procedure; Permit to Work; Maintenance Procedure; Inspection & Proof Test Procedure; FSA 4 Plan / Procedure; FSA 5 Plan / Procedure; Modification Procedure; Decommissioning Procedure.
Activities: Normal Operation; SIS/SIF Inspection & Proof Testing; Bypass/Override risk assessment & authorisation; Modification & Decommissioning Request; Revised risk / SIL assessment; FSA 4 & audit at periodic intervals; FSA 5 After Modification; Repeat appropriate life-cycle activities; Decommissioning of individual SIF or SIS.
Outputs: Inspection & Proof Testing Records; Updated Safety Requirements Specification; FSA 4 Report; FSA 5 Report.

Operation and maintenance of an SIS involves inspection, proof testing and controlled modification.



8. Functional Safety Management

To deliver the SIS safety life-cycle in practice requires careful and considered functional safety management (FSM).

A good FSM system will ensure that personnel are competent in the part of the life-cycle they are involved with. Management should provide effective policies, planning and procedures to control the many different life-cycle activities over a potentially long life that will often outlive the personnel working life on the plant. Without these management systems in place, companies will lose safety knowledge as people move on or retire.

In planning life-cycle steps it is important to consider the inputs, procedures and expected outputs for each stage. It is not sufficient to simply refer to the sample life-cycle in the IEC 61511 standard because this is far too generic. Instead, each duty holder must develop a custom life-cycle which will show the steps, methods and procedures they will adopt to deliver functional safety objectives.

Projects involving SIS must, therefore, be conducted with sound project management principles
which include a clear and concise plan, well developed procedures and sign-off activities that
may otherwise be less stringent on non-safety-related projects.

Functional Safety Assessment

Functional Safety Assessment (FSA) is one specific FSM activity which is proposed at several
stages in the SIS safety lifecycle, and mandated in IEC 61511 to be carried out at least once prior
to startup of an SIS and at intervals during the operations stage.

The FSA activity must be led by a senior competent person, who is not involved with the step or
steps being analyzed.

Note that FSA planning should be done at the start of any project where an SIS is expected to be needed. If the SIS already exists, then plan for an operations and maintenance FSA stage 4.

There are five stages at which functional safety assessment is recommended, as shown in the
detail diagrams in the remainder of this document.

Producing huge amounts of paper should not be a goal of any SIS project or operation. However, there must be sufficient evidence upon which an independent assessor can make a judgement for FSA conformance purposes. The goal should be to produce a trail of evidence at each stage to allow an effective independent assessment to take place.

Audit and Revision - FSAR

Functional safety audit and revision (abbreviated FSAR here, but not in IEC 61511) is intentionally separated from FSA in the IEC 61511 standard. The idea is that FSAR is an audit of procedures and records to determine whether an appropriate functional safety management system is in place and being followed.

However, the distinction between FSA and FSAR may be somewhat overplayed if an FSA is already being planned or conducted on a project. The person leading any FSA activity must take account of the detailed life-cycle phases of the stages being assessed. By definition, every stage of the life-cycle includes management, planning and verification activities, so the FSA must take these into account. In this sense, FSA’s already include elements of an audit.

One thing that is clear about the distinction between FSA and FSAR is that FSAR does not have
the specific goal of making a judgement about the functional safety achieved by each SIF design,
whereas FSA does have that goal.

Somewhat like a Quality or Gap audit, FSAR cannot be conducted until functional safety
procedures are in place, and they have been in place long enough to produce sufficient evidence
documents about whether the procedures are being followed. However, it is entirely feasible
that some procedures will be put in place and followed at least once during an SIS project
development, meaning an FSAR alongside an FSA activity is an entirely valid prospect even for a
new-build.

FSAR also involves the important aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA given that non-conformances would lead to an action for change.

Management of Change

The objective of managing change to the SIS is to ensure that the previously validated system
is not compromised in any way. All requests for change must identify and repeat the relevant
parts of the life-cycle again, in order to ensure the impact of change is fully understood before
proceeding.

Modification planning should include documenting the reason for change, conducting an impact analysis, and a functional safety assessment (FSA) of the impact analysis. The FSA must be conducted by a competent and independent person from those making the changes. It is mandatory to re-validate the system and update all relevant documentation. The only exception to this is for fully like-for-like changes which do not involve changed software or embedded firmware.

Actually making changes to the SIS must only occur under pre-authorized conditions and normal work-permit practices. As usual, change must be made by those with the required competence, and the changes should be logged as a record of completion. All those impacted by the change must be trained.

Any SIF or SIS which is decommissioned must follow the same MoC procedure, with a full justification
record retained for removal of a SIF or SIS from service.

SIS Documentation

It is difficult, but nevertheless crucial, to keep safety system documentation accurate, up to date, easy to
understand and fit for purpose.

If you want to manage the safety life-cycle for the long term it is well worth considering using specialist safety life-cycle software.

GET MORE ONLINE: blog, courses and FSA resources at eFunctionalSafety.com