Document No. GIS 30–801
Applicability Group
Date 23 May 2003

Guidance on Industry Standard for
Safety Instrumented Systems (SIS) - Design and Engineering of Logic Solvers

DO NOT COPY BP GROUP

ENGINEERING TECHNICAL PRACTICES
23 May 2003 GIS 30–801
Guidance on Industry Standard for Safety Instrumented Systems (SIS) - Design and Engineering of Logic Solvers

Foreword

This is the first issue of Engineering Technical Practice (ETP) GIS 30–801. This Guidance on Industry
Standard (GIS) is based on parts of the following heritage document:

BP (Pre-1999)
BP GS 130–9 Specification for the Supply of Shutdown Systems.
Significant differences exist between this GIS and the heritage document in that this GIS is based on
IEC 61511, Safety Instrumented Systems for the Process Sector.

Copyright © 2003, BP Group. All rights reserved. The information contained in this
document is subject to the terms and conditions of the agreement or contract under which
the document was supplied to the recipient’s organisation. None of the information
contained in this document shall be disclosed outside the recipient’s own organisation
without the prior written permission of Manager, Standards, BP Group, unless the terms of
such agreement or contract expressly allow.


Table of Contents
Page
Foreword............................................................................................................................................2
Introduction ........................................................................................................................................5
1. Scope........................................................................................................................................6
2. Normative references ...............................................................................................................6
3. Terms and definitions ...............................................................................................................7
4. Symbols and abbreviations.......................................................................................................7
5. Management of functional safety..............................................................................................8
5.1. General..........................................................................................................................8
5.2. Competency ................................................................................................................10
5.3. SIS safety lifecycle concepts .......................................................................................10
5.4. Accountability for safety lifecycle activities ..................................................................10
5.5. Tools and techniques ..................................................................................................11
5.6. Procedures ..................................................................................................................11
6. Verification ..............................................................................................................................12
7. Quality management systems ................................................................................................12
8. Independent functional safety assessment.............................................................................13
9. Specification of the SIS logic solver........................................................................................13
10. System requirements..............................................................................................................14
10.1. General........................................................................................................................14
10.2. Certification..................................................................................................................16
10.3. Response times...........................................................................................................16
10.4. Revealed failure robustness ........................................................................................16
10.5. Spare capacity.............................................................................................................17
10.6. System hardware.........................................................................................................17
10.7. System and application software.................................................................................20
10.8. Application software ....................................................................................................20
10.9. Communication............................................................................................................22

10.10. Diagnostics ..................................................................................................................23
10.11. Alarm handling.............................................................................................................24
10.12. Sequence of events recorder (SER)............................................................................24
10.13. Maintenance facilities ..................................................................................................25
10.14. Engineering interface...................................................................................................26
10.15. Operations facilities .....................................................................................................27
11. Hardware construction requirements......................................................................................29
11.1. Cabinets ......................................................................................................................29
11.2. Cabling ........................................................................................................................29
11.3. Earthing (grounding)....................................................................................................30


11.4. Labelling ......................................................................................................................31


12. Power supplies .......................................................................................................................31
12.1. Power supply facilities .................................................................................................31
12.2. Power consumption and tolerances ............................................................................32
12.3. Power distribution ........................................................................................................32
12.4. Batteries ......................................................................................................................32
13. Environmental conditions........................................................................................................33
14. Testing ....................................................................................................................................33
14.1. Test plan......................................................................................................................33
14.2. Hardware and software testing....................................................................................33
14.3. Integrated testing .........................................................................................................34
14.4. Factory acceptance test (FAT) ....................................................................................34
15. Packing and transport.............................................................................................................37
15.1. Packing........................................................................................................................37
15.2. Transport .....................................................................................................................38
16. Drawings and documentation .................................................................................................38
16.1. General........................................................................................................................38
16.2. Information with quotation ...........................................................................................38
16.3. Drawing and information after order placement ..........................................................41
16.4. Approval of drawings ...................................................................................................43
16.5. As-built drawings .........................................................................................................43
Bibliography .....................................................................................................................................44

List of Tables

Table 1 – Maintenance and operation facilities................................................................................28

Introduction

Safety instrumented systems (SIS) have been used for many years within the process sector. The
original approach was prescriptive with standards (for example, API RP 14C in the offshore sector)
stating the specific equipment to use for a particular process application. In recent years, the increased
complexity of new applications and the complexity of new equipment becoming available for use have
made the prescriptive approach insufficient. This is particularly the case where programmable
equipment with complex failure modes is used for safety applications. Some years ago, the
international community recognised the need for new standards, and the International Electrotechnical
Commission (IEC) developed a new generic standard that adopted a risk-based approach.

The new standard IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-related Systems) was published in seven parts between 1997 and 2000. Before IEC 61508 was
published, a need was recognised for a process sector standard and work commenced on IEC 61511
(Safety Instrumented Systems for the Process Sector). IEC 61511 applies the generic standard
IEC 61508 to process industries. It also incorporates experience from national and industry standards,
such as ISA 84.01. Since publication of IEC 61508, the process sector has had significant experience
in the application of the risk-based approach.

The risk-based approach tailors equipment to the needs of the application and has significant safety
and economic benefits. This approach does, however, demand more management, competency,
planning, and technical judgement during all stages of realisation, from initial hazard and risk
assessment through to operation, maintenance, and modification.

The objective of this GIS is to provide requirements for hardware and software for the logic solver
used as part of a safety instrumented system (SIS). Some of the requirements in this GIS may be
unnecessarily prescriptive for a specialist provider of safety systems to the process industries,
particularly if the proposed equipment has already been used in BP. In such cases a reduced form of
this GIS may be used, but the deleted clauses should be documented with reasons why they are not
required.

1. Scope

a. This GIS provides guidance on industry standard for the design, engineering, and
implementation of SIS logic solvers in safety instrumented systems (SIS) used to reduce
the following risks to tolerable levels:
1. Process safety risk.
2. Environmental risk.
3. Commercial risk, including rebuild cost and cost of lost production.
b. The SIS logic solver includes all equipment from input terminations to output terminations
necessary for implementation of the safety function. Implementation includes
configuration, provision of outputs for alarm, sequence of events and status, as well as
provision of outputs to field equipment that terminates hazards.
c. This GIS:
1. Addresses SIS that are based on the use of electrical and electronic instrumentation
for logic solvers.
2. Is concerned with asset and environmental protection, as well as safety; and where the
term “functional safety” is used, it applies equally to systems provided for asset and
environmental protection.
3. Shall be used together with information relating to the inputs, outputs, and functional
and integrity requirements that are specific to the project or application.
d. The same basic principles of this GIS shall apply to SIS logic solvers that are based
entirely on other technologies (pneumatic or hydraulic).
This GIS relates directly to GP 30-80 that addresses the implementation of the
Process Requirements Specification.

2. Normative references

The following normative documents contain requirements that, through reference in this text,
constitute requirements of this GIS. For dated references, subsequent amendments to, or revisions of,
any of these publications do not apply. However, parties to agreements based on this technical practice
are encouraged to investigate the possibility of applying the most recent editions of the normative
documents indicated below. For undated references, the latest edition of the normative document
referred to applies.

European Standards (EN)

EN 50159–1 Safety related communications in closed transmission systems.

EN 61000-6-2 Electromagnetic Compatibility (EMC). Generic standards. Immunity for
industrial environments.

Institute of Electrical and Electronics Engineers (IEEE)

IEEE C63.14 Electromagnetic Compatibility Limits – Recommended Practice.

Instrumentation, Systems and Automation Society, The (ISA)

ANSI/ISA S84.01 Application of Safety Instrumented Systems for the Process Industries.

International Electrotechnical Commission (IEC)

IEC 60085 Thermal evaluation and classification of electrical insulation.

IEC 61131–3 Programmable controllers – Part 3, Programming languages.


IEC 61508–1 to 4&6 Functional safety of electrical/electronic/programmable electronic safety-
related systems (parts 1 to 4 and 6).
Part 1: General requirements.
Part 2: Requirements for electrical/electronic/programmable electronic
safety–related systems.
Part 3: Software requirements.
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3.
IEC 61511–1 Functional safety: Safety instrumented systems for the process industry
sector.
Part 1: Framework, definitions, system, hardware, and software
requirements.

3. Terms and definitions

For the purposes of this GIS, the terms and definitions provided in IEC 61511–1 and the following
apply:

2oo3
Safety instrumented system, or part thereof, made up of 3 independent channels which are so
connected that 2 channels are sufficient to perform the safety instrumented function.

Functional safety
Ability of SIS (or other means of risk reduction) to perform actions necessary to achieve or maintain
tolerable risk for the process and its associated equipment. Functional safety applies to all systems that
reduce asset risks, including safety, environment, and commercial.

Revealed failure robust
Subsystem architecture arrangement that does not cause the safety function to be executed in the event
of a safe failure.

For example, a subsystem arranged as two out of three is revealed failure robust
because a single failure does not cause the output to change state. However, a one
out of two configuration is not revealed failure robust if a spurious trip of a single
channel causes the output to change state.
Systems are available that degrade in a planned manner when diagnostics detect a
failure. For example a 1oo2D system degrades to 1oo1 on detection of a failure in
one channel. A 2oo3D system may degrade to either 1oo2D or 2oo2.
All systems have some single point failures and no system can be completely robust.
If revealed failure robust is specified, an indication should be given of the single
point failure causes and the likely single point failure rate.

Practicable
Feasible without entailing excessive time, effort or cost.
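The voting architectures named in the definition above (1oo2, 2oo3, and the diagnostic 1oo2D and 2oo3D variants that degrade when a channel failure is detected), as an added Python model that is not part of the GIS: it injects one safe (spurious) channel failure at a time to test the revealed-failure-robust criterion, and one dangerous failure at a time to list the single point failures the GIS says every system retains. The channel states, the degradation rule that takes 2oo3D to 2oo2 (the GIS also allows 1oo2D), and the forced trip when every channel is diagnosed failed are assumptions of the model.

```python
"""Model of the MooN voting architectures in the 'revealed failure robust' definition.

Constructed example. Each channel is HEALTHY, SAFE_FAIL (spuriously demands a trip: a
revealed failure) or DANGEROUS_FAIL (can never demand a trip). In the 'D' architectures
diagnostics remove a channel they have detected as failed from the vote, and the
remaining channels decide the output.
"""
from enum import Enum


class Ch(Enum):
    HEALTHY = "healthy"           # votes the true process state
    SAFE_FAIL = "safe_fail"       # revealed failure: votes for a trip regardless of demand
    DANGEROUS_FAIL = "dangerous"  # covert failure: never votes for a trip


def parse_arch(arch):
    """'2oo3D' -> (m=2, n=3, diagnostics=True); '1oo2' -> (1, 2, False)."""
    diag = arch.endswith("D")
    m, n = arch.rstrip("D").split("oo")
    return int(m), int(n), diag


def degraded_arch(arch, diagnosed):
    """Architecture left after diagnostics remove the channels in `diagnosed`.

    Assumed degradation rule (the GIS allows 2oo3D to become either 1oo2D or 2oo2;
    this model keeps M and shrinks N): 1oo2D -> 1oo1, 2oo3D -> 2oo2.
    """
    m, n, diag = parse_arch(arch)
    if not diag or not diagnosed:
        return arch
    n_eff = n - len(diagnosed)
    if n_eff <= 0:
        return "0oo0"  # nothing left to vote; vote() then forces the safe state
    return f"{min(m, n_eff)}oo{n_eff}"


def channel_votes_trip(state, demand):
    """What one channel contributes to the vote given the real process demand."""
    if state is Ch.HEALTHY:
        return demand
    return state is Ch.SAFE_FAIL


def vote(arch, states, demand, diagnosed=frozenset()):
    """True if the logic solver output trips (de-energises).

    states: one Ch per channel. diagnosed: indices diagnostics have removed from the
    vote (ignored for non-D architectures, which have no such mechanism).
    """
    m, n, diag = parse_arch(arch)
    if len(states) != n:
        raise ValueError(f"{arch} needs {n} channel states, got {len(states)}")
    active = [s for i, s in enumerate(states) if not (diag and i in diagnosed)]
    if not active:
        return True  # assumption: every channel diagnosed failed -> forced safe state
    trip_votes = sum(channel_votes_trip(s, demand) for s in active)
    return trip_votes >= min(m, len(active))


def revealed_failure_robust(arch, diagnostics_detect=True):
    """GIS definition: a single safe failure must not execute the safety function.

    Injects one SAFE_FAIL channel at a time with no process demand; robust only if the
    output never trips. diagnostics_detect=False models a D system whose diagnostics
    missed the failure, which is why the GIS asks for the single point failure causes.
    """
    m, n, diag = parse_arch(arch)
    for i in range(n):
        states = tuple(Ch.SAFE_FAIL if j == i else Ch.HEALTHY for j in range(n))
        diagnosed = frozenset({i}) if (diag and diagnostics_detect) else frozenset()
        if vote(arch, states, demand=False, diagnosed=diagnosed):
            return False
    return True


def single_point_dangerous_failures(arch, diagnosed=frozenset()):
    """Channels whose lone undetected dangerous failure defeats a genuine demand."""
    m, n, _ = parse_arch(arch)
    result = []
    for i in range(n):
        if i in diagnosed:
            continue  # already out of the vote
        states = tuple(Ch.DANGEROUS_FAIL if j == i else Ch.HEALTHY for j in range(n))
        if not vote(arch, states, demand=True, diagnosed=diagnosed):
            result.append(i)
    return result


if __name__ == "__main__":
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3", "1oo2D", "2oo3D"):
        print(f"{arch:6} robust={revealed_failure_robust(arch)!s:5} "
              f"robust_if_undetected={revealed_failure_robust(arch, False)!s:5} "
              f"single_point_dangerous={single_point_dangerous_failures(arch)}")
    # Once a 1oo2D has degraded to 1oo1 the surviving channel is a single point
    # failure: the GIS's point that no system can be completely robust.
    print("1oo2D after channel 0 diagnosed failed ->", degraded_arch("1oo2D", {0}),
          "single points:", single_point_dangerous_failures("1oo2D", frozenset({0})))
```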

4. Symbols and abbreviations

1oo1 One out of one.

1oo2D One out of two diagnostic.

2oo3 Two out of three.

BPCS Basic process control system (distributed control system or process automation system).

CASS Conformity assessment of safety-related systems.

CIL Commercial integrity level.

CPU Central processing unit.

EIL Environmental integrity level.

EPROM Electrically programmable read–only memory.

ESD Emergency shutdown.

ESDV Emergency shutdown valve.

FAT Factory acceptance test.

FMEA Failure mode and effect analysis.

I/O Input/output.

IL Integrity level.

IS Intrinsically safe.

PES Programmable electronic system.

PVC Polyvinyl chloride.

RAM Random access memory.

RTD Resistance temperature detector.

SAT Site acceptance test.

SER Sequence of events recorder.

SIF Safety instrumented function.

SIL Safety integrity level.

SIS Safety instrumented system.

5. Management of functional safety

5.1. General
a. In the U.S. and Canada, compliance with a clause in this GIS that references IEC 61511
may be replaced with a requirement to comply with the equivalent clauses in
ANSI/ISA S84.01. In such cases the justification of the equivalent clauses between
IEC 61511 and ANSI/ISA S84.01 shall be documented. If there is no equivalent clause in
ANSI/ISA S84.01 the IEC 61511 requirement shall apply.

b. SIS logic solver Vendor shall have a functional safety management system that complies
with IEC 61511-1, Clause 5 or IEC 61508-1, Clause 6 for activities within the scope of
supply.
1. The principal requirements for functional safety management are:
a) The policy and strategy for achieving safety shall be identified together with the
means for evaluating its achievement.
b) A safety management system shall be in place to ensure that, where SIS are
used, they have the ability to place and/or maintain the process in a safe state.
c) Persons, departments, organisations, or other units that are responsible for
performing and reviewing each of the safety lifecycle phases shall be identified,
be informed of their assigned responsibilities, and be competent to perform the
activities for which they are accountable.
d) A safety plan shall be developed to define required activities that are to be
performed. Plans shall be updated as necessary.
e) Procedures shall be implemented to ensure prompt follow-up and satisfactory
resolution of recommendations pertaining to the SIS.
f) Procedures shall be in place to establish the adequacy of the quality management
system and evaluate performance of the SIS against its safety requirements.
g) Procedures shall be defined and executed for auditing compliance with
requirements and for independent functional safety assessment.
h) Management of modification procedures shall be in place to initiate, document,
review, implement, and approve changes to the SIS other than replacement in
kind.
2. Organisations may be able to demonstrate that the requirements of Clauses 5, 6, and 7
of this GIS are met by provision of a compliance assessment certificate from an
independent organisation. Availability of such a compliance certificate significantly
reduces the effort required to confirm that appropriate provision has been made for
safety management and increases confidence that provided equipment is suitable for
safety.
3. A compliance assessment certificate may be regarded as adequate if all the following
conditions are met:
a) Certificate conditions are valid (for example, the equipment to be used is
covered by the certification schedule).
b) The certification scheme has been approved by a national accreditation
organisation. (An example of such a scheme is the CASS scheme (conformity
assessment of safety-related systems) for Functional Safety Capability
Assessment developed in the U.K.).
c) The independent organisation has been approved by a national accreditation
organisation.
4. The requirement for management of functional safety applies to all organisations (for
example, designers, subvendors, installation contractors, etc.) responsible for
performing tasks on an SIS with a specified integrity level (IL).
c. An organisation’s compliance assessment that meets the requirements of the ISO 9000
family of standards is unlikely to be sufficient. An assessment shall be made to establish if
the procedures in place provide sufficient assurance that the risk of functional failure has
been reduced to appropriate levels. In making such judgements, account shall be taken of
the complexity of the task and the required ILs.

5.2. Competency
a. Persons, departments, or organisations responsible for the specification, design, and
implementation of SIS shall be competent to perform the activities for which they are
accountable.
b. Competency shall be documented in a suitable scheme that details tasks for which
individuals have been assessed as competent to perform.
c. IEC 61511-1, Clause 5.2.2.2 lists what should be considered during a competency
assessment. The principal requirements applying to persons, departments, organisations, or
other units involved in safety lifecycle activities are:
1. Engineering knowledge, training, and experience appropriate to the process
application and the applicable technology for the SIS.
2. Knowledge of safety engineering and the legal and safety regulatory requirements.
3. Adequate management and leadership skills appropriate to their role in safety
lifecycle activities.
4. Understanding of potential consequence of an event and the SIL, EIL and CIL of the
safety instrumented functions (SIFs).
5. Novelty and complexity of the application and the technology.
An IEE Guideline, published in 1999, provides details of a suitable competency
scheme specifically developed for safety related systems. This scheme is
comprehensive and can be difficult to fully implement but it provides a useful
framework.
d. Organisations shall identify:
1. Requirements for competency functions.
2. Tasks associated with the work required.
3. Personnel available to perform the work.
The risk-based approach is still relatively new to some organisations working in the
process sector. In many cases, providing formal training of the team before project
implementation is beneficial. Training should cover all safety lifecycle phases to
achieve increased awareness of the application of SIS.

5.3. SIS safety lifecycle concepts


a. A safety lifecycle plan shall be developed to include all safety lifecycle activities within
the scope of supply.
b. The safety lifecycle used shall be developed to a level of detail that allows allocation of
tasks to a specified department.

c. Safety lifecycle phases shall be repeated, as necessary, as the design proceeds and greater
detail becomes available.
An example of a safety lifecycle phase that is often repeated is the phase in which
reliability calculations are made after SIS hardware has been modified.

5.4. Accountability for safety lifecycle activities


a. A plan shall be developed to define for each safety lifecycle activity the responsible
personnel, department, or organisation.
In defining accountability for SIS, it is important to consider all items necessary for
functionality. In some cases, responsibilities are split between different subsystems
(for example, one group responsible for SIS logic systems hardware and one group
responsible for software).
b. Personnel, departments, and organisations shall be informed of their assigned
responsibilities.
This requirement is particularly important for organisations that perform work,
such as installation, where identical equipment may be used for safety and non-
safety applications.
c. Identification of safety applications shall enable appropriate procedures for implementation
and verification to be applied.

5.5. Tools and techniques


a. The safety lifecycle plan shall describe the tools that are to be used during each safety
lifecycle phase.
Tools required may include reliability analysis software and software configuration
tools.
b. Tools and techniques used shall be considered safety-related, unless it can be shown that
failures of the tool or errors resulting from the use of the tool will not cause a dangerous
failure.
For example, a software configuration tool is regarded as safety-related, unless
audit procedures would detect an error. In such a case, the audit procedure would
then become safety-related.

5.6. Procedures
a. An appropriate set of procedures shall be developed and adhered to in accordance with
IEC 61511-1, Clause 5. The following procedures shall be implemented:
1. Procedures for prompt follow-up and resolution of recommendations (in accordance
with IEC 61511-1, Clause 5.2.5.1).
Such procedures normally include maintaining a register of safety concerns and a
procedure that tracks recommendations to resolution.
2. Procedures to establish the adequacy of vendor quality management system (in
accordance with IEC 61511-1, Clause 5.2.5.2).
Even if a vendor has been compliance assessed as meeting the requirements of the
ISO 9000 family of standards, adequacy of the procedures shall still be reviewed for
safety purposes.
3. Procedures for auditing compliance with requirements (in accordance with
IEC 61511-1, Clause 5.2.6.2.1).

A high level of assurance is needed that procedures developed for safety and
environmental purposes are being applied rigorously. Audit methods, frequency,
and reporting arrangements need to take into account the required IL.
4. Procedures for management of change (in accordance with IEC 61511-1,
Clause 5.2.6.2.2).
5. Procedures for configuration management of the SIS during the SIS and software
safety lifecycle phases shall be available. In particular, the following shall be
specified:
a) Phase during which formal configuration control is to be implemented.
b) Procedures to be used for uniquely identifying constituent parts of each
hardware and software item.
c) Procedures for preventing unauthorized items from entering service.


b. A mapping procedure shall be used to reference procedures to be applied to specific
clauses in IEC 61511.
Mapping establishes missing procedures and provides evidence of compliance that
may be needed for inclusion in any document required to demonstrate that risks
have been properly managed (for example, the safety case in the U.K.).
c. Additional procedures specific to scope of supply shall be applied, as detailed in
IEC 61511-1.

6. Verification

a. A verification plan shall be developed in accordance with IEC 61511-1, Clause 7 and
Clause 12.7. (The latter clause applies if application software is required).
b. The need for verification influences documentation, design methods, tools, and techniques
applied at each safety lifecycle phase. Verification at each phase includes consideration of
the data used. Principal requirements include the development and implementation of a
verification plan that consists of the following:
1. Verification activities and when they will occur.
2. Procedures, measures, and techniques to be used for verification (for example,
implementation and resolution of resulting recommendations).
3. Persons, departments, and organisations responsible for these activities, including
levels of independence.
4. Identification of items to be verified and the information against which the
verification is performed.
5. Tools and supporting analysis and how to handle non-conformances.
c. Results of the verification shall be recorded.
d. Recommendations made as a result of verification activities shall be included in the
Register of Safety Concerns to ensure tracking to resolution (refer to Clause 5.6.a of this
GIS).

7. Quality management systems

a. Plans and procedures developed to comply with a quality management system (for
example, the ISO 9000 family of standards) shall be reviewed to establish their suitability
for safety applications. In particular, the following elements shall be considered:
1. Competency scheme.

2. Verification.
3. Audit.
4. Management of change.
Compliance with the ISO 9000 family of standards is not a requirement of
IEC 61511-1 or of this GIS, but it does provide some evidence that procedures are
in place and are being followed. Assurance needed for safety is normally greater
than the assurance needed for general product or system quality. For example, a
verification plan developed under ISO 9001 may permit sampling, but this is not
normally sufficient for safety applications.

b. Required additions to plans and procedures developed for compliance with the quality
management system shall be documented.
c. Requirements for any external compliance assessment are stated in Clauses 5.1.b.2 and 3
of this GIS.

8. Independent functional safety assessment

a. SIS logic solver Vendor shall participate in independent functional safety assessments as
specified in the requisition. Activities required may include attendance at one or more
assessment reviews and provision of specialist advice to the assessment team. The
assessment shall include any development and production tools used and the Vendor shall
provide details as required.
b. If specified in the requisition the Vendor shall organise a detailed independent functional
safety assessment to review hardware and software supplied. In such cases the Vendor
shall develop an assessment plan as described in Clause 5.2.6.1 of IEC 61511-1. The plan
shall detail the timing of the assessments, the scope of the assessment and who should be
involved. The plan shall be submitted for review and approval.
The objective of an independent functional safety assessment is to arrive at a
judgement that the required functional safety has been or will be achieved. It is
normally carried out in stages. In many cases BP or the engineering contractor
organises the assessment but the assistance of the logic solver vendor is required.

9. Specification of the SIS logic solver

The process of developing the SIS Full Requirements Specification, including the
specification for the logic solver, depends on the project procurement strategy. It
may be developed in vendor-specific terms if there is a nominated Main Instrument
Vendor or it may be vendor-independent if a competitive tendering approach is
used. In either case detailed discussion between BP (or the BP engineering
contractor) and the system vendor is required to achieve a common understanding
of the requirements and to minimise the need for special development work.
a. The requisition details the scope of supply and functional and integrity requirements of the
SIS logic solver.
b. Requirements in the following areas as a minimum are detailed in the requisition, as
appropriate:
1. List of systems and software to be supplied.
2. List of inputs and outputs with functional relationship between them, the integrity
levels required for safety, environment, and commercial risks, and requirements for
revealed failure robustness.
3. BPCS communications and point details.
4. SER point details.
5. System testing and compliance.
6. Shipping.
7. Site installation, testing and assistance with commissioning.
8. Documentation.
9. Spares.
10. Maintenance and training.

10. System requirements

10.1. General
a. Arrangements of the SIS logic solver subsystems shall be designed to achieve the
functional requirements in the requisition.
b. If practicable, safety instrumented functions should be implemented in separate SIS logic
solver subsystems from non-safety instrumented functions.
c. If the SIS logic solver is to implement both safety and non-safety instrumented function(s),
the shared or common hardware and software shall conform to the highest integrity level
(IL) of any safety instrumented function (SIF) in the SIS logic solver, unless it can be
shown that there is adequate independence between safety instrumented functions and non-
safety instrumented functions and that the failure of any non-SIF cannot cause a dangerous
failure of the SIF.
d. To establish that the SIS with a specified level of integrity is separate and independent
from non-safety instrumented functions, it should be shown that equipment failures or
maintenance errors on the equipment with no specified IL do not cause loss of safety
function.
e. Requirements for operability, maintainability, and testability shall be addressed during the
design of the SIS logic solver to facilitate implementation of human factor requirements in
the design (for example, bypass facilities to allow online testing and alarm when in bypass
mode).
f. If practicable, maintenance and test facilities shall be designed to minimise the likelihood
of dangerous failures arising from their use.
g. Design of the logic system shall:
1. Take into account human capabilities and limitations.
2. Be suitable for the task assigned to operators and maintenance staff.
h. Design of human-machine interfaces (HMIs) shall:
1. Follow good human factors practice.
2. Accommodate the likely level of training or awareness that operators should receive.
i. The SIS logic solver shall be designed such that, once it has placed the process in a safe
state, the process shall remain in the safe state until a reset is initiated, unless otherwise
directed in the requisition.
j. Manual means (for example, emergency stop pushbutton), independent of the SIS logic
solver, shall be provided to actuate the SIS logic solver outputs, unless otherwise directed
in the requisition.

Such manual control may not be practicable in all cases and the benefits should be
weighed against the difficulties. If complex switching is necessary, the additional
equipment required may introduce a new source of safe and unsafe failures.
k. Component parts of the SIS logic solver should be arranged such that loss of signal or
power causes a safe failure.
Fire and gas systems are frequently arranged to energise to trip. Such cases will be
specified in the requisition.
l. For SIS logic solver subsystems that, upon loss of power, do not fail to the safe state, the
following requirements shall be met:
1. Loss of circuit integrity shall be detected (for example, end-of-line monitoring).

2. Power supply integrity shall be ensured, using supplemental power supply (for
example, battery backup, uninterruptible power supplies (UPS)).
3. Loss of primary, secondary or subsystem power shall be detected and alarmed.
m. Minimum architecture of the SIS logic solver subsystems shall:
1. Comply with IEC 61511-1, Clause 11.4 for fault tolerance.
2. Comply with specified requirements in the requisition for revealed failure robustness.
3. If specified, allow continued operation in the event of a fault being diagnosed.
4. Be redundant for functions requiring IL 3 or greater.
n. The following shall be failure robust:
1. Architectures used for programmable SIS logic solvers.
2. Digital communications between SIS logic solver and BPCS.
o. Logic systems for IL 4 applications shall be non-programmable.
p. Logic systems for IL 3 applications shall be non-programmable, unless agreed otherwise
with BP and the following conditions are met:
1. The SIS logic solver has been independently assessed as meeting the requirements of
IEC 61508-2 and IEC 61508-3.
2. The organisation undertaking the application software development has been
independently assessed as meeting the requirements of Clause 6 of IEC 61508-1.
q. If the SIS logic solver Vendor is asked to select the type of SIS logic solver that will be
used, the recommendation shall reflect the needs of the application. In selecting the type of
system to use, the following factors shall be considered:
1. Skills and experience available within the SIS logic solver Vendor organisation.
2. Number of inputs and outputs.
3. Complexity of the function to be implemented.
4. IL required.
5. Knowledge and experience of the user organisation.
r. Requisitions shall indicate a suggested number of independent SIS logic solvers. This
number shall be based on the relationship between, and operation and maintenance of, the
various process units.
s. The SIS logic solver Vendor shall verify the resulting SIS logic solver loading and cycle
time, and propose a different arrangement, if required, in order to comply with loading
criteria.

t. Major items of process equipment (for example, boilers, turbines, and compressors) that
are in redundant configuration such that they can be operated independently shall have
their SIS implemented in separate SIS logic solvers, unless stated otherwise in the
requisition.
u. Process units that are independent from each other (can be operated while other process
units are shut down) shall have their SIS implemented in separate SIS logic solvers, unless
stated otherwise in the requisition.
v. Each SIS logic solver shall operate independently of other logic systems, except for
communication links.
w. If programmable SIS logic solvers are used, facilities shall be provided to compare installed
software with an external master copy.

x. For redundant sub-systems, facilities shall be provided to enable repair and reinstatement of
logic architectures that isolate faulty parts upon diagnosis of dangerous failure without
system shutdown.
A redundant architecture such as 1oo2D, upon diagnosis of a dangerous failure on
one channel, isolates the faulty part and continues to operate in a 1oo1 mode. After
repair of the faulty part, it should be possible to reinstate the system to 1oo2D
without removing power.
y. The SIS logic solver shall continue to perform correctly in the event of a large number of
digital or analogue signal changes, such as would arise if either a major plant fault
occurred or a power supply unit failed. In the event of such a failure, the information shall
be retained correctly within the system, even if peripheral devices are unable to process the
data output.

10.2. Certification
a. Equipment required for implementing SIS functions with an integrity level requirement of
1 or greater shall comply with either or both of the following as applicable:
1. IEC 61508-2 (and IEC 61508-3, if a programmable SIS logic solver is used).
2. IEC 61511-1, Clause 11.5.3 for the selection of components and subsystems based on
prior use.
b. If practicable, equipment should be used that has been:
1. Assessed by an independent organisation, and
2. Shown to comply with IEC 61508-2 and 3 for the specified IL.
If assessed and compliant equipment is available and it is not used, the reasons shall be
stated and justified.
c. Preference shall be given to equipment assessed by an independent organisation that has
been approved by a national accreditation body.

10.3. Response times

a. The time from input change to output response shall be less than 1 second with all spare
SIS logic solver capacity occupied. Based on the application, this response time
requirement may be more or less stringent and shall be stated in the requisition.
b. The SIS logic solver Vendor shall indicate in the quotation the system base load (overhead)
and the I/O load in terms of response time.

10.4. Revealed failure robustness

a. The following shall be revealed failure robust:

1. CPUs used in the SIS logic solver.
2. Internal communication busses in the SIS logic solver.
3. SIS logic solver communication to operator displays, SER, and maintenance and
engineering networks.
b. If a revealed failure robust component fails:
1. The other component(s) shall continue to operate in “crippled mode”.
2. A time limit of up to 72 hours (actual time limit depends on the application and shall
be stated in the requisition) shall be defined to allow for sufficient repair time of the
faulty component.

3. Without corrective action and after the defined time period, the outputs in “crippled
mode” shall be configurable to de-energise or remain in the current state. The default
configuration shall be to de-energise unless stated otherwise in the requisition.
4. The time outstanding before de-energising shall be transmitted to the BPCS for
information to the operator.
5. When in the “crippled mode” an alarm shall be initiated periodically to inform the
operator. The time period should be every 24 hours unless otherwise stated in the
requisition.
c. In the event of a failure of a revealed failure robust component, power supply, or other
function, the system shall:
1. Change over to crippled mode operation without causing spurious trips.
2. Provide an indication of fault type and location.
d. The SIS logic solver Vendor shall specify if there are cases where replacement of a
component can lead to a complete logic system stop, de-energising of outputs, or any loss
of functionality (for example, detection of trip conditions).
e. If revealed failure robust is specified in the requisition, the SIS logic solver Vendor shall
advise the single point failure causes and the likely single point failure rates.
All systems have some single point failures and no system can be completely
revealed failure robust.
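The crippled-mode timing of 10.4 b and c, together with the 1oo2D-to-1oo1 degradation and reinstatement described under 10.1 x, as an added Python model that is not part of the GIS or of any vendor's logic solver software: channel names, alarm texts and the immediate safe-state action when the second channel is also lost are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

HOUR = 3600.0


class Mode(Enum):
    NORMAL = "1oo2D"         # both channels healthy
    CRIPPLED = "1oo1"        # one channel isolated, repair timer running
    EXPIRED = "expired"      # repair limit passed without corrective action
    SHUTDOWN = "shutdown"    # no diagnosed-healthy channel left (assumed safe-state action)


@dataclass
class CrippledModeSupervisor:
    """Supervises a 1oo2D logic solver pair through crippled mode (an assumed design)."""
    repair_limit_s: float = 72 * HOUR       # 10.4 b.2: up to 72 h; the requisition may shorten it
    reminder_period_s: float = 24 * HOUR    # 10.4 b.5: periodic alarm while crippled
    hold_outputs_on_expiry: bool = False    # 10.4 b.3: default is to de-energise on expiry
    mode: Mode = Mode.NORMAL
    channel_ok: Dict[str, bool] = field(default_factory=lambda: {"A": True, "B": True})
    fault_time: Optional[float] = None
    next_reminder: Optional[float] = None
    bpcs_time_remaining_s: Optional[float] = None   # 10.4 b.4: sent to the BPCS for the operator
    alarms: List[Tuple[float, str]] = field(default_factory=list)

    def channel_fault(self, ch: str, now: float) -> None:
        """A diagnostic has revealed a dangerous failure on channel `ch`."""
        if not self.channel_ok[ch]:
            return                                  # already isolated, nothing new to do
        self.channel_ok[ch] = False
        if self.mode == Mode.NORMAL:
            # Isolate the faulty part and carry on 1oo1 without a spurious trip (10.4 c.1).
            self.mode = Mode.CRIPPLED
            self.fault_time = now
            self.next_reminder = now + self.reminder_period_s
            self.alarms.append((now, f"channel {ch}: dangerous failure, running 1oo1 crippled mode"))
        elif not any(self.channel_ok.values()):
            # Assumed: with no healthy channel left the outputs go to the safe state at once.
            self.mode = Mode.SHUTDOWN
            self.alarms.append((now, f"channel {ch}: second channel failed, de-energising outputs"))

    def channel_repaired(self, ch: str, now: float) -> None:
        """Reinstate 1oo2D after repair without removing power (10.1 x). Once the timer has
        expired the system stays in its safe state until reset (10.1 i), so only CRIPPLED recovers."""
        self.channel_ok[ch] = True
        if self.mode == Mode.CRIPPLED and all(self.channel_ok.values()):
            self.mode = Mode.NORMAL
            self.fault_time = self.next_reminder = self.bpcs_time_remaining_s = None
            self.alarms.append((now, f"channel {ch}: repaired, 1oo2D reinstated"))

    def tick(self, now: float) -> bool:
        """Periodic scan: update the repair timer, raise reminders, act on expiry.
        Returns True while the outputs are energised."""
        if self.mode == Mode.CRIPPLED:
            remaining = self.repair_limit_s - (now - self.fault_time)
            self.bpcs_time_remaining_s = max(remaining, 0.0)
            while self.next_reminder <= now:                     # 10.4 b.5: every 24 h
                self.alarms.append((self.next_reminder, "still in crippled mode, repair outstanding"))
                self.next_reminder += self.reminder_period_s
            if remaining <= 0.0:                                  # 10.4 b.3
                self.mode = Mode.EXPIRED
                action = "holding outputs" if self.hold_outputs_on_expiry else "de-energising outputs"
                self.alarms.append((now, f"repair time limit expired, {action}"))
        return self.outputs_energised()

    def outputs_energised(self) -> bool:
        if self.mode in (Mode.NORMAL, Mode.CRIPPLED):
            return True
        if self.mode == Mode.EXPIRED:
            return self.hold_outputs_on_expiry
        return False


if __name__ == "__main__":
    # Constructed scenario: channel A fails at t=0 and is never repaired.
    sup = CrippledModeSupervisor()
    sup.channel_fault("A", 0.0)
    for hours in (1, 25, 49, 73):
        energised = sup.tick(hours * HOUR)
        print(f"t={hours:3d} h mode={sup.mode.value:8s} energised={energised} "
              f"remaining={sup.bpcs_time_remaining_s / HOUR:.0f} h")
    for t, msg in sup.alarms:
        print(f"{t / HOUR:6.1f} h  {msg}")
```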

10.5. Spare capacity

a. Minimum hardware spare capacity per process unit, in terms of unused I/O channels and
power supply, shall be as follows:
1. Indicated in the requisition.
2. Not less than 20% at completion of site commissioning.
3. Fully wired to SIS logic solver I/O terminations.
b. Application software spare capacity for the following shall be at least 15% at plant start-
up:
1. SIS logic solver (if applicable).
2. SER PC.
3. Communication links.
c. Cycle time calculations shall be based on the assumption that all spare capacity is used.
d. The SIS logic solver Vendor shall propose the minimum required number of different card
types.

e. If cost can be reduced significantly by introducing more card types, the SIS logic solver
Vendor shall provide options to achieve a balance between minimum number of card types
and system cost.

10.6. System hardware

10.6.1. General
a. Input and output cards shall have electrical isolation between field equipment and the SIS
logic solver.
b. Revealed failure robust inputs shall be wired to separate revealed failure robust sets of
input cards.

c. Because replacing cards without switching off the power or disturbing the process is
desirable, the SIS logic solver Vendor shall explain their system’s capability to offer this
feature.
d. Short-circuiting of individual inputs and outputs shall not affect other inputs and outputs,
respectively, unless otherwise specified to prevent an undesirable combination of output
states associated with the same protective function.
e. Current limiting devices should be used in preference to fuses for the protection of
individual inputs and outputs.
f. The SIS logic solver Vendor shall indicate whether antistatic precautions are necessary
when handling cards. If such precautions are required, earthing (grounding) wrist straps
shall be supplied as permanently installed items.
g. Equipment shall have adequate immunity to electromagnetic disturbance at frequencies
and field strengths as specified in the requisition. Also, the equipment shall not be the
source of electromagnetic disturbance at levels that may disrupt the operation of other
equipment.
h. SIS logic solver equipment shall comply with either of the following standards:
1. IEEE C63.14, Electromagnetic Compatibility Limits – Recommended Practice.
2. EN 61000-6-2, Electromagnetic Compatibility (EMC). Generic standards. Immunity
for industrial environments.
i. SIS logic modules shall include a labelling facility or location index for ease of
identification of individual I/O channel addresses.
j. Connection to equipment external to the SIS logic solver shall be designed to avoid the
need to disturb wiring during module replacement.

10.6.2. Analogue inputs

a. SIS logic solvers shall be able to receive the following types of input signals:
1. 4–20 mA, non-earthed (ungrounded), unpowered, 24 Vdc, 2-wire.
2. 4–20 mA, non-earthed (ungrounded), powered, 24 Vdc, 2-wire.
3. 3 or 4 wire platinum resistance temperature detector (RTD).
4. Pulse/frequency.
5. Type K, J, or B thermocouples.
b. Analogue signals shall be as follows:
1. Provide an accuracy of +/– 0,2% of requested input range.
2. At least 12-bit resolution.

3. Accuracy, obtained within the extremes of applicable environmental conditions, shall
include any errors due to signal conditioning.
4. Have facilities for square root extraction.
c. Analogue inputs shall have open and short circuit and out-of-range detection as follows:
Analogue inputs shall have open and short circuit and out-of-range detection as follows:
1. Out-of-range detection shall be configurable per input channel.
2. Detected results shall be available for use in the application logic.
d. Power for field-mounted unpowered 4–20 mA transmitters connected to the SIS logic
solver shall be supplied by the SIS logic solver.

e. For series mode rejection, a 30 dB 50/60 Hz interference signal applied at the signal
conditioning shall have no effect on the analogue signal.

10.6.3. Digital inputs/outputs

a. LEDs shall be used for local status indication of each input and output channel to the
module.
b. Isolation between plant signals and SIS logic signals shall be provided to a minimum of
240 Vac.
c. Digital inputs shall be fitted with filtering or very short time delays to mask contact
bounce.
d. If isolated externally-powered circuits are required by the specification, a common mode
rejection of 250 V rms 50/60 Hz and phase 0–360 degrees applied to each terminal shall
have no effect.

10.6.4. Digital inputs

a. The SIS logic solver shall provide 24 Vdc (10 mA) wetting voltage for digital inputs
connected to switches that have voltage free contacts (for example, reset and emergency
shutdown (ESD) switches).
b. For solid state sensors (for example, proximity sensors), voltage carrying inputs shall be
provided.
c. Normally Open digital inputs shall be provided with the following facilities:
1. Line monitoring per input channel.
2. Detection results available for use in the application logic.
3. No open and short circuit detection required for inputs from field mounted reset
switches, maintenance override enable switches, lamp test, acknowledge or reset
switches in local panels.

10.6.5. Digital outputs

a. The SIS logic solver shall provide power for output circuit loads.
b. The following output types shall be supported by the SIS logic solver:
1. Solenoid valves with coil voltage of 24 Vdc. Power consumption shall be indicated in
the requisition.
2. Interfacing relays (to motor control units) with coil voltage of 24 Vdc and power
consumption of 0,5 W.
3. Control room and/or local panel alarm lights with lamp rating of 24 Vdc and power
consumption of 0,5 W.

c. Normally de-energised outputs, except for outputs to lamps, shall be provided with line
monitoring per output channel. Detection shall be as follows:
1. Independent of cable length between output card and final element.
2. Results available for use in the application logic.
d. SIS logic solver outputs to low voltage devices (e.g. 24 Vdc) shall be switched through
solid-state switching and not through relay contacts.
e. Relays shall be as follows:
1. Fitted with correctly rated suppression devices connected directly to the coils.

2. Insulation rated for continuous operation at the maximum ambient temperature, with
Class A of IEC 60085 as an overall minimum requirement.
3. Provided with coils capable of dissipating additional power resulting from a higher
than normal supply voltage during online boost charging.
4. Plug-in type, if practicable.
f. Protective circuits that actuate electrical equipment shall do so through interposing relays
located in separate cabinets.

10.7. System and application software

a. Application programming software shall comply with IEC 61131-3.
b. Software configurations for microprocessor-based SIS logic solvers shall set:
1. Trip alarm levels for analogue inputs.
2. Timers and selection of normally open or normally closed configuration for digital
I/O.
c. For other types of SIS logic solvers, the configuration method shall be explained by the
SIS logic solver Vendor in the quotation.
d. The SIS logic solver Vendor shall indicate if floating point capabilities are not available for
performing calculations (for example, compressor surge trip parameters, furnace air-fuel
ratio, etc).
e. A combination of inputs into a calculation shall not cause a calculation error to occur (for
example, division by zero) that would cause a fault or failure such as program halt or plant
shutdown.
f. BPCS information points in the SIS logic solver shall be configurable. Neither mnemonic
nor high-level language type programming shall be used.
g. The application programs (software), if applicable, may be stored as follows:
1. Initially, in random access memory (RAM) for system testing, commissioning, and
plant start-up.
2. Thereafter, as indicated in the requisition, which may be either:
a) Non-volatile, electrically programmable read-only memory (EPROM).
b) Non-volatile RAM or flash EPROM.
c) Other means of preventing unwanted changes.
h. For microprocessor-based SIS logic solvers, a software package shall be supplied with
capabilities to compare two application software versions and indicate where the variations
have taken place.

i. Two sets of operating system storage media shall be supplied. If there are limitations with
regard to the number of installations, uninstall utilities shall be provided.
j. The SIS logic solver Vendor shall include manufacturer product support policy in the
quotation (for example, the policy upon detection of a software “bug” or deficiency by
Vendor or end user).
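Per-channel signal validation from 10.6.2 b and c, with a downstream calculation written so that bad inputs can never raise an arithmetic fault (10.7 e) and with the reverse ranging option of 10.10 d, as an added Python example that is not part of the GIS: the open and short circuit thresholds follow the NAMUR NE 43 convention rather than anything in this document, the tag numbers are constructed and the trip-on-bad-quality policy is an assumption.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed detection thresholds in mA (NAMUR NE 43 convention, not from the GIS): below
# 3.6 mA the loop is treated as open circuit, above 21.0 mA as short circuit.
OPEN_CIRCUIT_MA = 3.6
SHORT_CIRCUIT_MA = 21.0


class Quality(Enum):
    GOOD = "good"
    UNDER_RANGE = "under range"
    OVER_RANGE = "over range"
    OPEN_CIRCUIT = "open circuit"
    SHORT_CIRCUIT = "short circuit"


@dataclass
class AnalogueChannel:
    """One 4-20 mA SIS input with its per-channel configuration (10.6.2 c.1)."""
    tag: str
    eu_low: float                 # engineering value at 4 mA (at 20 mA if reverse ranged)
    eu_high: float                # engineering value at 20 mA (at 4 mA if reverse ranged)
    square_root: bool = False     # DP flow transmitter: square root extraction (10.6.2 b.4)
    reverse_ranged: bool = False  # 10.10 d: a high trip reads high on loss of signal
    under_range_ma: float = 3.8   # constructed defaults, configurable per channel
    over_range_ma: float = 20.5

    def read(self, milliamps: float) -> Tuple[Optional[float], Quality]:
        """Convert a loop current to engineering units plus a quality flag for the logic (10.6.2 c.2)."""
        if milliamps < OPEN_CIRCUIT_MA:
            return None, Quality.OPEN_CIRCUIT
        if milliamps > SHORT_CIRCUIT_MA:
            return None, Quality.SHORT_CIRCUIT
        fraction = (milliamps - 4.0) / 16.0
        if self.reverse_ranged:
            fraction = 1.0 - fraction
        if self.square_root:
            fraction = math.sqrt(max(fraction, 0.0))   # never take the root of a negative below 4 mA
        value = self.eu_low + fraction * (self.eu_high - self.eu_low)
        if milliamps < self.under_range_ma:
            return value, Quality.UNDER_RANGE
        if milliamps > self.over_range_ma:
            return value, Quality.OVER_RANGE
        return value, Quality.GOOD


def air_fuel_ratio_trip(air: Tuple[Optional[float], Quality],
                        fuel: Tuple[Optional[float], Quality],
                        min_ratio: float) -> Tuple[bool, str]:
    """Low air/fuel ratio trip that cannot raise (10.7 e): bad-quality inputs demand a trip
    (assumed fail-safe policy) and zero fuel flow is dealt with before any division."""
    air_value, air_q = air
    fuel_value, fuel_q = fuel
    if air_q is not Quality.GOOD or fuel_q is not Quality.GOOD:
        return True, f"input quality air={air_q.value}, fuel={fuel_q.value}"
    if fuel_value <= 0.0:
        # Assumed: burner off is a valid state, the ratio is simply not evaluated.
        return False, "no fuel flow, ratio not evaluated"
    return air_value / fuel_value < min_ratio, "ratio evaluated"


if __name__ == "__main__":
    # Constructed channels: combustion air 0-1000 kg/h and fuel gas 0-100 kg/h, minimum ratio 15.
    air = AnalogueChannel("FT-101", 0.0, 1000.0)
    fuel = AnalogueChannel("FT-102", 0.0, 100.0)
    for fuel_ma in (8.0, 4.0, 3.0, 21.5):
        trip, why = air_fuel_ratio_trip(air.read(12.0), fuel.read(fuel_ma), 15.0)
        print(f"fuel loop {fuel_ma:5.1f} mA -> trip={trip} ({why})")
```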

10.8. Application software

a. Application software shall be designed in accordance with IEC 61511-1, Clause 12.
b. Limited variability language in conjunction with a coding standard shall be used for
application software. Neither mnemonic nor high-level language type programming (for
example, PASCAL or BASIC) shall be used.

c. Application programs, if applicable, shall be split into well-defined functional modules.
d. Application software shall be readily understandable as follows:
1. Each software component shall be annotated to describe its function, inputs, and
outputs.
2. Program statements and data structure definitions shall be clearly distinguished.
3. Application software shall be presented such that the structure is understandable (e.g.
indented).
4. Application software shall be clearly and informatively commented.
5. Variable names shall be as follows:
a) Meaningful within the application domain.
b) Explained by means of comments accompanying variable declarations.
c) Naming conventions shall be adopted that distinguish local and global variables.
d) Symbolic names shall be used for constants (for example, π for 3.14159).
6. Meaningful names shall be used for procedures and functions.
7. Modules shall be restricted to approximately 50 lines of instructions.
e. PLC software shall be documented, using the PLC annotation software as follows:
1. The format of annotation shall be agreed upon between the SIS logic solver Vendor
and the Customer at the design stage.
2. The SIS logic solver Vendor shall ensure that the annotation software is developed
simultaneously with development of the application software.
3. PLC annotation shall comprise, as a minimum, the following:
a) Descriptors for each relay contact and coil, including descriptive text and tag
number.
b) Descriptors for each timer, calculation, communication, or file handling
function.
c) Description of the function of each software module or sub-module.
d) Cross-reference facilities for all plant I/O and pseudo I/O.
e) Individual line or rung comments.
f) A report listing the program files or networks used, and their associated
reference number and title.
g) Code associated with each program or subprogram file or network, including an
English description of the function and method of implementation of the code.
h) An index page that states salient features of the SIS logic solver hardware and
software, including description and location of I/O modules, memory
usage/spare, register/data table usage/spare, and system I/O count.
i) A cross-reference report for inputs, outputs, registers, data table elements,
calculations, and function blocks identifying their locations within the annotated
listing.
j) A listing of descriptors, comments, and titles used in the annotation.
k) A separate document from the annotated listing that contains all cross-references
and a written description of the software (for example, networks 1–50 perform
start-up checks).

f. Software replication and backup shall be as follows:
1. The SIS logic solver Vendor shall arrange for replication of the software provided, in
accordance with the contract.
2. Number of copies to be provided and type of media for each software item shall be
agreed upon and defined in the contract.
3. Backup copies of software shall be retained by SIS logic solver Vendor.
g. Software documentation shall be supplied as follows:
1. Relevant software documentation (for example, manuals and user guides) as defined
in the contract.
2. A single copy of proprietary third-party manuals.
3. As many copies of project-specific documents as are defined in the contract.
h. Licenses arranged by the SIS logic solver Vendor for the contract shall be transferred on
delivery of the associated software and SIS logic solver equipment to site.

10.9. Communication
a. Communication within the SIS logic solver that implements safety functions shall be as
follows:
1. Closed communications (as defined in EN 50159-1) shall be used. This means that all
the following shall apply:
a) The maximum number of participants that are linked by a transmission system is
fixed.
b) Participants have well known and fixed properties.
c) The risk of unauthorized access is considered negligible.
2. Communication protocols shall be predictable.
b. Secondary traffic may be superimposed on the communication system for the purposes of
maintenance (for example, remote diagnostics), if it can be shown that the secondary
traffic will not affect safety-related communications.
c. Each SIS logic solver shall communicate with external systems through individual, isolated
serial links. SIS logic solver communication links with the BPCS shall be through Modbus
remote transmission unit (RTU) protocol or Ethernet, as appropriate. Proprietary
communication links may also be used if indicated in the requisition.
d. Changing the memory allocation to suit the particular application shall be user-friendly.
e. SIS logic solver external communication interface design shall:
1. Prevent changes to SIS logic solver application software. If safety information is to be
transmitted from the BPCS to the SIS logic solver:
a) Communication systems shall be used that can selectively allow writing from the
BPCS to specific SIS logic solver input variables.
b) Equipment or procedures shall be applied to confirm the proper variable
selection has been transmitted by the BPCS and received by the SIS logic solver
and the selection does not compromise the safety functionality.
2. Ensure that any failure of the communication interface shall not adversely affect the
ability of SIS to bring the process to a safe state.
f. The SIS logic solver shall be able to communicate with the BPCS and peripherals with no
impact on the SIF.

g. The SIS logic solver communication interface shall be sufficiently revealed failure robust
to withstand electromagnetic interference, including power surges, without causing a
dangerous failure of the SIF.
h. The SIS logic solver communication interface shall be suitable for communication between
devices referenced to different electrical earth (ground) potentials.
i. Information relating to all SIS logic solver I/O list specified parameters shall be available
for communications to the BPCS.
j. SIS logic solver and BPCS vendors shall work out message contents and other details (for
example, hardware and software requirements) as follows:
1. The BPCS system shall be communication master.
2. The BPCS Vendor has the final responsibility.
k. The SIS logic solver Vendor shall indicate in the quotation whether full floating point
communication between the SIS logic solver and BPCS is possible.
l. If generated in the SIS logic solver, signals shall be available for transmission to the BPCS
within one second.
m. The SIS logic solver Vendor shall indicate the refresh rate of the analogue signals available
for transmission to the BPCS.
n. The supply and testing of interconnecting cabling shall be the responsibility of the SIS
logic solver Vendor or the BPCS Vendor, as indicated in the requisition.
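An added Python sketch, not the GIS's nor any vendor's code, of the selective write path in 10.9 e.1: the BPCS can write only to declared SIS input variables within declared limits, every other address (application software included) is rejected and logged, and the BPCS confirms each write by reading it back. Register numbers, variable names and limits are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WritableInput:
    """One SIS input variable the BPCS is permitted to write (10.9 e.1.a)."""
    name: str
    low: int
    high: int


class BpcsWriteGateway:
    """Filters BPCS writes so that only declared SIS input variables, within their declared
    ranges, can change; application software and every other address are unreachable."""

    def __init__(self, writable: Dict[int, WritableInput]) -> None:
        self.writable = dict(writable)
        self.inputs: Dict[int, int] = {addr: 0 for addr in writable}   # constructed initial values
        self.audit: List[Tuple[str, int, int, str]] = []               # (result, address, value, why)

    def write(self, address: int, value: int) -> bool:
        rule = self.writable.get(address)
        if rule is None:
            self.audit.append(("rejected", address, value, "address is not a writable SIS input"))
            return False
        if not rule.low <= value <= rule.high:
            self.audit.append(("rejected", address, value,
                               f"{rule.name} outside {rule.low}..{rule.high}"))
            return False
        self.inputs[address] = value
        self.audit.append(("accepted", address, value, rule.name))
        return True

    def read(self, address: int) -> Optional[int]:
        """Read-back used by the BPCS to confirm what the logic solver actually holds."""
        return self.inputs.get(address)


def confirmed_write(gateway: BpcsWriteGateway, address: int, value: int) -> bool:
    """BPCS-side procedure for 10.9 e.1.b: write, then read back and compare before
    treating the variable selection as delivered."""
    if not gateway.write(address, value):
        return False
    return gateway.read(address) == value


if __name__ == "__main__":
    # Constructed map: a maintenance override enable and an operator-settable trip point.
    gateway = BpcsWriteGateway({
        40001: WritableInput("MOS_ENABLE_PT101", 0, 1),
        40002: WritableInput("TRIP_SP_TT201", 0, 500),
    })
    for address, value in ((40001, 1), (40002, 600), (40010, 7)):
        print(f"write {address}={value}: confirmed={confirmed_write(gateway, address, value)}")
    for entry in gateway.audit:
        print(entry)
```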

10.10. Diagnostics
a. Programmable SIS logic solvers shall demonstrate a minimum safe failure fraction of 60%,
or the faults listed in IEC 61508-2 Annex A, Table A1 to achieve 60% safe failure fraction
shall be diagnosed.
Achieving this 60% SFF may require additional functionality to be included as a
diagnostic function in the Logic Solver (e.g. out of range detection,
discrepancy/comparison of analogue values).
b. Programmable SIS logic solvers shall include a hardware diagnostic facility. This facility
shall detect and reveal:
1. Failure of programmable electronic system (PES) hardware (for example, CPU,
memory, power supply, communications).
2. Parity check errors in memory and communications.
3. Failure of diagnostic facility circuitry or auxiliary power supplies.
4. Unrecoverable failure of the programmable electronic system (PES) software due to
either failure of the application software or of the operating system.

5. Unsatisfactory incoming power supply condition.
c. The method of resetting the system in the event of an SIS logic solver failure shall be
agreed upon. The design of the resetting method shall ensure that minimal operator
interaction is necessary.
d. Measurement devices used to initiate an SIS action when the parameter exceeds a specified
level shall be reverse ranged, or an individual alarm shall indicate loss of signal.
The minimum architectures specified in IEC 61511-1 assume a safe failure fraction
of greater than 60%.
e. Programmable SIS logic solvers shall be capable of interrogation from a system terminal.
The data to be interrogated shall comprise, as a minimum, the following:

1. Status of variables, including inputs and outputs.
2. Executable program status.
3. Memory utilisation values.
f. Programmable SIS logic solvers shall include built-in facilities for maintenance personnel
to identify and debug system-related faults. Such facilities shall include a log of system
messages.
g. The following facilities shall be provided to maximise the revealed failure robustness of
the SIS logic solver:
1. Selectable consecutive scanning of inputs before validation, and/or digital filtering of
analogue inputs.
2. Error checking routines on operator actions and monitoring of peripheral device
states.
3. Monitoring of I/O interface equipment to check for continued operation.
h. All diagnostics shall be scheduled frequently. In the case of continuous mode applications
(including high demand mode) the time for scan and action shall be less than the process
safety time as specified in the requisition.
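The 60% safe failure fraction of 10.10 a, worked as an added Python example that is not part of the GIS: it applies the IEC 61508-2 definition SFF = (λS + λDD) / (λS + λDD + λDU) and solves for the diagnostic coverage a logic solver would need to reach the minimum, which is the point of the note under 10.10 a. The failure rates are constructed.

```python
from typing import Optional, Tuple

GIS_MIN_SFF = 0.60   # 10.10 a


def safe_failure_fraction(lam_s: float, lam_dd: float, lam_du: float) -> float:
    """SFF as defined in IEC 61508-2: (λS + λDD) / (λS + λDD + λDU), rates in a common unit."""
    total = lam_s + lam_dd + lam_du
    if total <= 0.0:
        raise ValueError("failure rates must sum to a positive value")
    return (lam_s + lam_dd) / total


def split_dangerous(lam_d: float, coverage: float) -> Tuple[float, float]:
    """Split a dangerous failure rate by diagnostic coverage DC into (detected, undetected)."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("diagnostic coverage must lie between 0 and 1")
    return lam_d * coverage, lam_d * (1.0 - coverage)


def meets_minimum(sff: float, threshold: float = GIS_MIN_SFF) -> bool:
    return sff >= threshold


def coverage_needed(lam_s: float, lam_d: float, target: float = GIS_MIN_SFF) -> Optional[float]:
    """Smallest DC that lifts SFF to `target`, solving (λS + DC·λD) / (λS + λD) >= target.
    Returns 0.0 when the safe failures alone already satisfy it, None when unattainable."""
    total = lam_s + lam_d
    if total <= 0.0:
        raise ValueError("failure rates must sum to a positive value")
    if lam_d <= 0.0:
        return 0.0                       # no dangerous failures: SFF is already 1
    needed = (target * total - lam_s) / lam_d
    if needed <= 0.0:
        return 0.0
    return needed if needed <= 1.0 else None


if __name__ == "__main__":
    # Constructed logic solver channel: 200 FIT safe, 300 FIT dangerous before diagnostics.
    lam_s, lam_d = 200.0, 300.0
    for dc in (0.0, 0.3, 0.5, 0.9):
        dd, du = split_dangerous(lam_d, dc)
        sff = safe_failure_fraction(lam_s, dd, du)
        print(f"DC={dc:.1f}  SFF={sff:.2f}  meets 60%: {meets_minimum(sff)}")
    print(f"coverage needed for 60%: {coverage_needed(lam_s, lam_d):.3f}")
```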

10.11. Alarm handling

a. SIS logic solvers shall have facilities to generate output signals for alarm purposes (serial
and hardwired).
b. SIS common utility and common system alarms shall be provided as volt free contacts for
the following conditions:
1. Power supply failures, partial and complete.
2. Abnormal temperature conditions within cabinets.
3. CPU failure.
4. Module failures.
5. For each SIS cabinet, at least one common utility alarm and one common system
alarm.

10.12. Sequence of events recorder (SER)

a. If specified in the SIS logic solver requisition, a sequence of events recording facility shall
be supplied.
b. SER systems supplied with the SIS logic solver shall primarily function as backup for
BPCS logging equipment and provide a high-resolution audit trail for facility incident
investigation.
c. For post mortem analysis, the SER shall be capable of storing 100 000 time-stamped
events in a circular file. This time stamp shall equal the SIS clock time at the time the trip
alarm is generated, with a resolution equal to, or better than, the smallest scan time of any
of the SIS.
d. SER-related information should be transmitted with a timestamp to the BPCS through a
standard protocol.
Preferably, the BPCS should be able to combine SER information from various
subsystems with the BPCS alarm list such that a complete sequence of events can be
presented to the operator. In cases where the BPCS does not have this capability,
the SER should send information on first-ups for specified groups.

e. To allow for SER or communications failure, at least the last 100 events shall be stored in a
buffer in the SIS.
f. Signals or changes of state in the SIS logic solver to be logged by the SER shall be
specified with the default of points transmitted to the BPCS, as discussed in Clause 9 of
this GIS.
g. Time synchronisation of SIS, SERs, and BPCS shall be effected from an external clock.
The SIS logic solver Vendor shall state how this will be achieved.
h. For each SER input, a unique tag number and service description shall be assigned such
that:
1. The tag number consists of at least 12 alphanumeric characters, starting with either an
alpha or a numeric character.
2. The minimum number of characters for the service description is 30.
i. The SIS logic solver Vendor shall confirm the maximum system capacity for accepting tag
numbers and shall identify any constraints.
j. SER files shall be able to be copied onto a backup medium.
k. The location of the SER shall be indicated in the requisition.
l. The SER Vendor shall provide all software for the SER and its configuration.
m. Recording of inputs shall be capable of being enabled or disabled with the correct
authorisation by a password or key. Such control shall be available for recording inputs on
an individual, selected group, and process unit basis.
n. The following SER reporting functions shall be provided (and their display activated on
request only):
1. Daily reports (24 hours).
2. Shift reports (8/12 hours).
3. Maintenance and operational overrides (bypasses) usage.
4. Process alarms per process unit.
5. System/utility alarms.
6. Manually set (forced) I/O.
o. The SIS logic solver Vendor shall state the following capabilities in the quotation:
1. Event playback and printout for selected time frames, process units, and tag numbers.
2. Common database facilities (for example, sorting or querying), as well as the
possibility to export the SER file to Microsoft Windows-based applications.

p. Historical data shall be retained on loss of power supply to the system.

10.13. Maintenance facilities


a. Design of maintenance facilities shall allow for testing of the SIS logic solver either end-
to-end or in parts.
b. Test facilities shall be an integral part of the SIS logic solver design to test for undetected
failures.
c. Test and/or bypass facilities that are included in the SIS logic solver shall conform with the
following:
1. The logic system shall be designed in accordance with the maintenance and testing
requirements defined in the requisition.

2. The operator shall be alerted to the bypass of any portion of the logic system through
an alarm and/or operating procedure.
3. Forcing (manually setting) of inputs and outputs in the logic system shall not be used
as a part of:
a) Application software.
b) Operating procedure(s).
c) Maintenance, except as noted below.
d. Forcing (manual setting) of inputs and outputs without taking the SIS logic solver out of
service shall not be allowed, unless supplemented by procedures and access security. Any
such forcing shall be annunciated or alarmed, as appropriate.
e. Facilities shall be provided to enable proof testing of sensors, SIS logic solver and outputs
without removal of equipment, unless this can be shown to be impracticable. Such
facilities may include equipment necessary to test for stroke times of valves on critical
applications if specified in the requisition.
f. Maintenance facilities shall be in accordance with Table 1.
g. Maintenance overrides (bypasses) that prevent outputs going to a safe state shall not be
fitted to SIS logic solver outputs.
h. Facilities shall be provided to force outputs to a safe state from the panel or VDU screen as
a means of testing outputs.
i. Hard-wired keylock facilities for maintenance shall have unique keys. Overrides applied
through the BPCS shall comply with clause 10.15.g of this GIS.
Unique keys are required for effective permit procedures and to ensure key controls
have adequate authority levels.
j. To enable online testing of emergency shutdown valves (ESDVs), facilities may be
required that allow:
1. Partial movement of the valve to be demonstrated.
2. Operation of the ESD solenoid valve.
Such facilities may, however, increase the probability of spurious trips or failures to
act on demand.
k. Facilities that enable online testing of ESDVs shall be fitted only after a failure mode and
effect analysis (FMEA) and reliability analysis have been completed.
l. The recommended FMEA and reliability analysis should be performed by an independent
competent body.
m. Applications with IL 3 or greater shall require online SIS logic solver system testing. A
complete SIS logic solver system of at least one input card, logic system, and output card
shall remain in operation during testing so that protection is maintained.

10.14. Engineering interface
a. Design of the SIS logic solver maintenance/engineering interface shall ensure that any
failure of this interface does not adversely affect the ability of the SIS to bring the process
to a safe state. This capability may require disconnecting of maintenance/engineering
interfaces (for example, programming panels) during normal SIS operation.
b. The maintenance/engineering interface shall provide the following functions with access
security protection to each:

1. SIS logic solver operating mode, program, data, means of disabling alarm
communication, test, bypass, and maintenance.
2. SIS logic solver diagnostic, voting, and fault handling services.
3. Add, delete, or modify application software.
4. Data necessary to troubleshoot the SIS logic solver.
c. The maintenance/engineering interface should not be used as the operator interface.
d. SIS logic solver read-write access shall be enabled and disabled only by a configuration or
programming process, using the maintenance/engineering interface with appropriate
documentation and security measures.
e. Engineering interface shall be such that the status of group modules can be displayed
easily.
f. The following data shall be viewable:
1. Status of input and output signals.
2. Raw value of input signal.
3. Actual values of inputs (in engineering units).
4. Status of intermediate points in the logic.
g. Access to the maintenance/engineering interface of the SIS logic solver shall be password
protected or under keylock.
h. Engineering/maintenance interface shall be able to use SIS logic solver software with at
least the following facilities:
1. Utility program to allow reconfiguration of displays and control functions.
2. Communications between the SIS logic solver and operators in English words and
statements and industry-standard screen icons.
3. Programs that allow new or modified executable programs and data tables to be
created. This should be provided as an online facility, with SIS logic solver Vendor
assurance that there is no degradation in performance of the real-time processing.
4. Provision for editing data files and source programs. In addition:
a) The data files and source code shall include a facility to allow version history to
be appended.
b) A facility to display differences between versions of the source code shall be
provided.
5. Provision for creation, deletion, and printing of files.

6. Utility program to allow for transfer of files from various storage media used on the
system.
i. Incorporation of new programs shall be achieved initially on a test basis, with the facility
to restore original programs at any stage. The process of incorporation of new programs
shall not cause disturbance to the real time operation of the system.

10.15. Operations facilities


a. Start-up overrides (bypasses), where necessary, on the SIS logic solver shall be:
1. Manually initiated.

2. Automatically reset when the process parameter has passed the setpoint, or after a
preset timeout. A differential between reset and trip values or a short time delay shall
be included to ensure a trip is not activated by normal variations in parameter values.
3. Prevented when the signal is in the normal operating region.
b. Consideration should be given to maintenance bypasses being enabled by a combination of
a group enable from the BPCS under operations control and a key-lock under maintenance
control.
c. Operations overrides (bypasses) shall not be installed on SIS logic solver outputs.
d. Each independent keylock facility for operation shall have a unique key.
e. A manual shutdown facility, independent of the SIS logic solver, shall be provided at the
permanently manned interface to put all final actuation devices to a safe state.
f. Operations facilities shall be in accordance with Table 1.
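Items a.1 to a.3 above, modelled in Python as an added example that is not Vendor or BP code: a low-trip parameter whose start-up override is manually requested, refused while the parameter is in the normal operating region, and automatically reset either when the parameter passes a reset value above the trip setpoint (the differential) or after a preset timeout. The short-time-delay alternative is not modelled, and the setpoint and timeout values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StartupOverride:
    """Start-up override on one low-trip process parameter.

    trip_sp   : value below which the SIF demands a trip (constructed: e.g. low flow)
    reset_sp  : value the parameter must exceed to auto-reset the override; reset_sp minus
                trip_sp is the differential that stops normal variation re-tripping (10.15.a.2)
    timeout_s : preset time after which the override clears regardless of the value (10.15.a.2)
    """
    trip_sp: float
    reset_sp: float
    timeout_s: float
    active_since: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        if self.reset_sp <= self.trip_sp:
            raise ValueError("reset value must lie above the trip value (differential)")

    def request(self, now, value):
        """Manual initiation (10.15.a.1), refused while the parameter is already in the
        normal operating region (10.15.a.3): there is nothing to start up through, and an
        override applied now would only mask a genuine later demand."""
        if value >= self.trip_sp:
            self.log.append(f"t={now:.0f}s override refused, value {value} in normal region")
            return False
        if self.active_since is None:
            # A repeated request does not restart the timeout of an override already held.
            self.active_since = now
            self.log.append(f"t={now:.0f}s start-up override applied")
        return True

    def evaluate(self, now, value):
        """One logic-solver scan: clear the override if a reset condition has been met, then
        return True when a trip is demanded (parameter in trip region and no override)."""
        if self.active_since is not None:
            if value > self.reset_sp:
                self._clear(now, "parameter passed reset value")
            elif now - self.active_since >= self.timeout_s:
                self._clear(now, "preset timeout expired")
        in_trip_region = value < self.trip_sp
        return in_trip_region and self.active_since is None

    @property
    def active(self):
        return self.active_since is not None

    def _clear(self, now, why):
        self.active_since = None
        self.log.append(f"t={now:.0f}s start-up override reset: {why}")
```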

Table 1 – Maintenance and operation facilities

Maintenance & operation facilities | CIL1 & CIL2; SIL1, SIL2, EIL1 & EIL2 subject to clause 10.15.g | SIL1, SIL2, EIL1 & EIL2 not subject to clause 10.15.g; CIL3 & CIL4 | SIL3 & SIL4; EIL3 & EIL4
Maintenance overrides (bypasses) | Through BPCS displays via interface. | Independent via keylock. | Independent via keylock.
Operations overrides (bypasses) | Through BPCS displays via interface. | Independent via keylock. | Independent via keylock.
Alarm on initiation | Through BPCS displays via interface. | Through BPCS displays via interface. | Independent annunciator.
Confirmation of action | Through BPCS displays via interface. | Through BPCS display via interface. | Independent status display. BPCS display of independent measurement.
Manual shutdown | Through BPCS displays via interface. | Through BPCS displays via interface. | Independent of BPCS and SIS logic solver.

    Password control is not an acceptable alternative to the use of key-applied overrides
    because password controls do not have the same visibility, possibility to link
    physically to operation of work permits, and do not offer the degree of independence
    required.
g. Maintenance and operations overrides may be applied through BPCS displays for SIL1,
SIL2, EIL1 and EIL2 subject to all the following conditions being met:
1. The logic solver has been compliance assessed as meeting the requirements of
IEC 61508-2 and 3.

2. A hard-wired enable is provided at master and unit level.
3. Removal of the enable clears all overrides.
4. The enable is automatically removed after a fixed time.
5. Status of enable on a unit basis is indicated by a hard-wired lamp.
6. Input status upstream of the override is indicated and alarmed in the BPCS.
7. Communication between the SIS logic solver and the BPCS is monitored, alarmed
and the enable is cleared after a time delay if the communication fails.
8. An operational procedure will be followed to address the risk of multiple overrides
being applied concurrently on the same process unit.
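Conditions 2 to 7 of item g, as an added example in Python that is illustrative only and not Vendor or BP code: a scan-cycle model of the logic-solver side of BPCS-applied overrides, with a master and unit-level enable, clearing of all overrides when the enable is lost, a fixed enable time limit that must be re-keyed, a BPCS communication watchdog, a unit lamp, and alarming of any upstream trip demand hidden by an override. The timing constants, unit and tag names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed timing values: the GIS asks for "a fixed time" and "a time delay"
# without giving numbers, so these are illustrative only.
ENABLE_TIME_LIMIT_S = 3600.0   # condition 4: enable self-clears after this long
COMMS_FAIL_DELAY_S = 10.0      # condition 7: BPCS silence tolerated before enable is cleared


@dataclass
class Unit:
    """Per-process-unit state: hard-wired enable, active overrides, status lamp."""
    name: str
    enable_since: Optional[float] = None   # scan time the enable became active
    timed_out: bool = False                # latched until the unit key is cycled off
    overrides: Set[str] = field(default_factory=set)   # input tags currently overridden
    lamp: bool = False                     # condition 5: hard-wired enable lamp


@dataclass
class OverrideLogic:
    """Scan-cycle model of the logic-solver side of BPCS-applied overrides."""
    units: Dict[str, Unit]
    last_bpcs_msg: float = 0.0
    comms_failed: bool = False
    alarms: List[str] = field(default_factory=list)

    def scan(self, now, master_enable, unit_keys, bpcs_ok, requests, inputs):
        """Run one scan and return the effective trip status of every input tag.

        master_enable : bool, hard-wired master enable (condition 2)
        unit_keys     : {unit: bool}, hard-wired unit-level enables (condition 2)
        bpcs_ok       : bool, a valid BPCS message was received this scan
        requests      : {unit: {tag: bool}}, BPCS requests to apply (True) or remove overrides
        inputs        : {tag: bool}, raw input status upstream of the override (True = trip)
        """
        if bpcs_ok:
            self.last_bpcs_msg = now
        failed = (now - self.last_bpcs_msg) > COMMS_FAIL_DELAY_S
        if failed and not self.comms_failed:
            self._alarm(now, "BPCS communication failed, override enables cleared")
        self.comms_failed = failed

        for name, unit in self.units.items():
            keyed = master_enable and unit_keys.get(name, False)
            if not keyed:
                unit.timed_out = False   # cycling the key off releases the time-limit latch
            elif unit.enable_since is not None and now - unit.enable_since > ENABLE_TIME_LIMIT_S:
                if not unit.timed_out:
                    self._alarm(now, f"{name}: enable time limit reached")
                unit.timed_out = True
            enabled = keyed and not unit.timed_out and not self.comms_failed

            if enabled:
                if unit.enable_since is None:
                    unit.enable_since = now
                # Only while the enable is present may BPCS requests change overrides.
                for tag, apply in requests.get(name, {}).items():
                    if apply:
                        unit.overrides.add(tag)
                    else:
                        unit.overrides.discard(tag)
            else:
                # Conditions 3 and 7: losing the enable clears every override on the unit.
                if unit.overrides:
                    self._alarm(now, f"{name}: enable removed, cleared {sorted(unit.overrides)}")
                unit.overrides.clear()
                unit.enable_since = None
            unit.lamp = unit.enable_since is not None

        # Condition 6: the upstream input status is still reported, and an overridden input
        # that is in its trip state is alarmed so the operator sees the masked demand.
        effective = {}
        for tag, tripped in inputs.items():
            overridden = any(tag in u.overrides for u in self.units.values())
            if tripped and overridden:
                self._alarm(now, f"{tag}: trip demand present while overridden")
            effective[tag] = tripped and not overridden
        return effective

    def _alarm(self, now, text):
        self.alarms.append(f"t={now:.0f}s {text}")


def new_logic(unit_names):
    """Build an OverrideLogic for the named process units."""
    return OverrideLogic(units={n: Unit(n) for n in unit_names})
```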

11. Hardware construction requirements

11.1. Cabinets
a. SIS logic solver cabinets shall be:
1. SIS logic solver Vendor standard, unless Rittal (or another type) is specified in the
requisition.
2. Free-standing type with two doors or four doors, as indicated in the requisition,
providing front and rear access.
b. Cabinets shall be:
1. Painted and finished to SIS logic solver Vendor standards.
2. Suitable for indoor general purpose use.
3. Identical, with the same physical dimensions.
c. If Rittal or other alternative cabinets are specified in the requisition in lieu of vendor-
standard, physical dimensions of cabinets shall be as specified in the requisition.
d. If cabinet design is dictated by environmental conditions, as specified in the requisition:
1. Cabinets shall be provided with:
a) A heat extraction fan.
b) Louvers.
c) Dust filters.
2. Each cabinet shall have a temperature switch to generate an alarm in the event of high
inside temperature. This alarm shall be included in the cabinet common utility alarm.
e. Failure of a single heat extraction fan shall not lead to such a high temperature that the
power has to be cut off. To prevent such cases, the SIS logic solver Vendor shall supply
revealed failure robust fans, and fan failure shall be included in the cabinet common utility
alarm.
f. Cabinets shall be designed so that they can be connected together. SIS logic solver Vendor
shall provide details of requirements for ventilation, heat dissipation, and interconnection
of cabinets. Side plates shall be used between adjacent panels to limit the transmission of
fire and overheating.
g. Cabinet layouts shall be of a standard design for the type of cabinet.
h. Doors shall be hinged opening, preferably π radians (180 degrees), and detachable. If the
requisition indicates that cabinets are to be lockable, the keys shall be identical for all
cabinets under the SIS logic solver Vendor’s scope of supply.

i. If cabinets are permanently bolted together to form sections, the length of these sections
shall not exceed 1 800 mm (72 in), unless agreed otherwise.
j. Eyebolts shall be fitted on top of the cabinets for lifting purposes.
k. Anchor boltholes shall be provided.
l. Provision shall be made for cabinet lighting. Fluorescent strip lighting shall be provided
with a switch, wired to separate terminals for incoming lighting supply. The voltage shall
be specified on the requisition.
m. Unused card locations shall be fitted with cover plates.

11.2. Cabling
a. Allocation of I/O cards to connectors or terminations shall be as follows:

1. Cards shall always be fully wired to connectors or terminations.
2. Cards shall not be shared by more than one connector.
3. A connector or termination block shall not contain I/O of more than one process unit.
b. Universal wiring shall allow use of all available terminals of I/O components (for example,
spare I/O channels shall be completely wired out). In the case of digital outputs providing a
changeover contact, only one-half (open if de-energised) of the contacts shall be wired to
the connectors.
c. Location of cable or conduit entry (top or bottom) shall be indicated in the requisition.
Bottom or top plates shall have removable sealing clamp plates for cable entries. Sufficient
free space shall be provided for proper accommodation and termination of the cables.
d. Cable clamps and supports shall be provided for incoming cables. Adequate cable
connection stress relief shall be provided.
e. Wiring shall have PVC or Teflon insulation that is suitable for applicable loads. If stranded
copper wire is used, wire ends at terminal points shall be provided with suitable wire crimp
pins/lugs and markers. If Termipoint® or Wire-wrap® is used, suitable terminating pins at
the connector boards or terminations shall be provided. SIS logic solver Vendor quotation
shall specify how wiring is to be terminated in the proposed design.
f. Wiring that is subject to flexing such as to swing frames or doors shall be of stranded
construction.
g. Internal wiring shall be laid in PVC close-slotted ducting with a covering lid. Ducting
(raceways) shall have at least 40% spare capacity.
h. If susceptible to electrical interference, wiring carrying signals shall be adequately
shielded.
i. Intersection wiring shall pass through normal cabinet entries.
j. Colour code and marking of wires shall be in accordance with standards indicated in the
requisition. Power wiring shall be clearly marked with reference codes and/or tag numbers.
k. Terminals shall be Weidmuller, or SIS logic solver Vendor recommended equivalent. If
fused terminals are required, they shall be equipped with “blown” indicators.
l. Terminal arrangements shall be such that all single conductors, including spares, of multi-
conductor cables can be connected in the same sequential order as the pattern and layout of
the conductors in the cable.

11.3. Earthing (grounding)


a. Two earth (ground) systems shall be provided as follows:
1. Instrument screen (shield).
2. Plant safety earth (ground).
3. Earth (ground) bar for intrinsically safe barriers, if used.
b. Metallic equipment of and within the cabinets shall be connected to a single “common
cabinet” plant safety earth (ground) point. Each cabinet shall be provided with an M10
(3/8 in) earth (ground) bolt for connection to the plant safety earthing (grounding) system.
c. Screens (shields) for cables interconnecting cabinets shall be earthed (grounded) at one end
only to the instrument screen (shield) earth (ground). For this purpose, the SIS logic solver
Vendor shall provide an insulated instrument screen (shield) earth (ground) bar.
d. Screen (shield) earth (ground) for incoming and outgoing cables shall not be connected at
the SIS logic solver end. The screen (shield) earth (ground) terminal on the sockets shall
remain unconnected.

e. Screen (shield) earth (ground) for serial communication lines between the SIS logic solver
and the BPCS shall be connected at the BPCS end only.
f. SIS logic solver Vendor shall state the earthing (grounding) requirements for the system in
the quotation.
g. One earth (ground) leakage monitor per cabinet shall be provided on systems with non-
earthed (grounded) power supplies. The leakage monitor alarm shall be incorporated in the
common cabinet utility alarm.

11.4. Labelling
a. Terminals that carry voltages higher than 48 V shall be:
1. Protected against accidental contact by having removable cover plates.
2. Labelled to indicate high voltage.
b. Sockets, terminals, and wiring shall be clearly identified in accordance with system
documentation. Earthing (grounding) for instrument screens (shields), ac systems, and dc
systems shall be segregated and identified.
c. Each cabinet and system components, card files, and individual card locations shall be
clearly labelled and identified with a tag number. Nameplates shall be in the English
language, or other language specified in the requisition. In addition:
1. Equipment shall be durably identified with the SIS logic solver Vendor type and
serial number, and with the order number to facilitate future reference.
2. Cabinets shall be identified with tag numbers.
3. Labels or documents shall be provided to indicate the SIL, EIL and CIL associated
with each tag number.
d. Intrinsically safe (IS) signals shall be identified as follows:
1. Separate cabinets, or segregated sections within a cabinet, that are provided for IS
signals shall be labelled as such.
2. Cables and ducting (raceways) for IS signals shall have a blue colour.
e. Cabinets shall have labels to indicate that equipment within is safety-related with a
specified integrity and that maintenance and modifications should not be carried out
without authorisation.

12. Power supplies

12.1. Power supply facilities


a. Each SIS logic solver shall receive ac power from two different sources.

b. Power supply shall be to the following specifications, unless stated otherwise in the
requisition:
1. Voltage as indicated in the requisition (110 or 220 or 230 or 240) Vac ± 10%.
2. Frequency as indicated in the requisition (50 or 60) Hz ± 2%.
3. Total harmonic distortion of:
a) 5% max, linear load.
b) 15% max, nonlinear load.
c. SIS logic solver Vendor shall supply mains-to-24 Vdc power supply units that are fully
revealed failure robust. Internal power supplies for CPU and I/O shall be separated and

galvanically isolated, unless it can be shown that the CPU is immune from power supply
variations arising through I/O connections.
d. Separate power supplies shall be used for output actuation circuits, unless it can be shown
that switching transients are unlikely to affect input or logic circuits.
e. Each power supply in a revealed failure robust set of power supplies shall be rated such
that all loads, including spares, can be simultaneously powered.
f. Diagnostics, signalling, and isolation facilities shall be provided to service or replace a
faulty power supply unit.
g. Faulty power supplies shall be able to be isolated, disconnected, removed, and replaced
without loss of operation of the SIS logic solver.

12.2. Power consumption and tolerances


a. SIS logic solver Vendor shall provide a listing and detailed schematics of the number of
electrical feeders, their termination points, and respective loads.
b. SIS logic solver Vendor shall include in the quotation a calculation of estimated power
consumption of the system (volts, amps, watts, and heat dissipation). This data shall be
resubmitted two weeks after the hardware freeze date.
c. Mains power interruptions of up to 100 ms shall not affect operation.
d. SIS logic solver Vendor shall advise the maximum mains power surge that may occur
when the system is switched on.
e. SIS logic solver Vendor shall advise the maximum allowable mains voltage spikes
(amplitude and duration) that the system can withstand without affecting operation.
f. SIS logic solver Vendor shall advise the procedures to be followed and features of the
system that allow system recovery after power failure.

12.3. Power distribution


a. SIS logic solver Vendor shall specify the necessary power data (voltages, frequency, etc.)
that individual components and modules require.
b. Power distribution to modules shall be revealed failure robust.
c. Separate isolation of power for each process unit shall be provided in SIS cabinets by
means of miniature circuit breakers (including fuse functionality), or switch and fuse.
Exceptions to this, if any, shall be given in the requisition.
d. Circuit breakers shall use auxiliary contacts and fuses shall have monitoring facilities for
failure.
e. Fuses shall be able to be replaced easily. SIS logic solver Vendor shall provide proposed
fusing method sketches.
f. On non-earthed (ungrounded) systems, double-pole power switches shall be used.
g. Fault discrimination shall be designed such that common cause faults do not cause the
redundancy concepts to be invalidated.

12.4. Batteries
a. SIS logic solver Vendor shall provide a detailed list of the batteries within the SIS logic
solver system. This list shall contain information on battery type, rating, shelf life, location,
duty, and renewal frequencies.

b. Charge state of batteries shall be displayed locally near the batteries or on the SIS
engineering/maintenance interface. SIS logic solver Vendor shall advise how battery
charge state is determined and the procedure to be used for replacement.

13. Environmental conditions

a. Equipment shall be suitable to operate in a room with the following ambient conditions, or
as specified in the requisition:
1. Temperature of 18–27°C (65–80°F) normal (5–40°C (40–105°F) abnormal,
maximum duration of one abnormal period 72 hours).
2. Relative humidity of 35–75% normal (20–95% abnormal, maximum duration of one
abnormal period 72 hours).
3. Temperature variation of less than 1°C (1.8°F) per minute.
4. Dust consistent with normal dust filters being used for heating, ventilation, and air-
conditioning (HVAC) equipment.
5. Corrosive or salty atmosphere as specified.
b. SIS logic solver Vendor shall specify required storage conditions for equipment and
spares.

14. Testing

14.1. Test plan


a. Test plans shall:
1. Reflect verification and validation activities proposed for the project.
2. Be sufficient in scope to test all system functions.
b. For programmable SIS logic solvers, the test plan shall, in addition, include the following:
1. Test records to be maintained, including fault reports and software error analysis.
2. Scope (or extent) of testing. SIS logic solver Vendor shall ensure that the anticipated
extent of testing is documented within the test plan (for example, the extent to which
the various software paths in logic are to be tested).
3. Dependence between modules that must be accounted for during integration of
hardware and software.

14.2. Hardware and software testing

14.2.1. Hardware testing
Hardware testing shall verify that the equipment satisfies the mechanical and electrical
requirements of this GIS and the requisition.

14.2.2. Software Testing


a. Software testing shall be performed on individual software modules that are defined in the
functional design specification. (The contents of the functional design specification are
stated in Clause 16.3 of this GIS.)
b. Each module or unit of software shall be tested as a self-contained entity independent of
other modules.
c. Unit testing shall evaluate the module in terms of:

1. Output values being correct for values of input according to the unit specification.
2. Logic function, including abnormal paths.
d. Testing shall be achieved by simulation of the modules’ interface characteristics.
e. Elements of common software should only need to be tested once. However, the SIS logic
solver Vendor shall ensure a method of verification exists to ensure that the previously
tested common software is present within a given logic system.
f. Individual modules shall be coded and unit tested before software module integration and
testing.
g. If test harnesses are to be used, the SIS logic solver Vendor shall ensure that the harness
reasonably reproduces the conditions under which the software is to operate.

14.3. Integrated testing


Integrated testing is the testing of integrated SIS logic solver hardware and software
to fully test their interface interaction.
a. SIS logic solver Vendor shall ensure that all equipment undergoes full functional
integrated testing before a customer acceptance test is scheduled.
b. During integrated testing:
1. The software shall be integrated with the programmable system hardware.
2. The fully integrated SIS logic solver shall be tested as a whole, and then additionally
demonstrated at the factory acceptance test (FAT).
c. Integrated testing shall be performed in three phases:
1. Software integration.
2. Software and hardware integration.
3. Validation. The validation referred to here is partial validation against the SIS logic
solver specification. The remaining validation will be carried out on the end-to-end
system after installation at site.
d. Tests shall be performed in accordance with agreed test procedures.
e. Software integration testing shall test that the modules perform the required functions
when they are integrated as a whole.
f. The tested integrated software shall be installed in the target programmable SIS logic
solver equipment, and the hardware and software system shall be tested as a whole.

14.4. Factory acceptance test (FAT)


The FAT is performed to demonstrate that the SIS logic solver functions as per
requirements. It should not be used as a substitute for the SIS logic solver Vendor’s
own tests that should be completed successfully before FAT.

14.4.1. General
a. The planning and test procedures for a factory acceptance test (FAT) shall specify the
following:
1. Types of tests to be performed, including:
a) System functionality tests.
b) Testing of all performance to achieve the required function including timing,
accuracy and constraints.

c) Environmental tests (including EMC, and life and stress testing). The need for
such testing depends on the confidence already gained from track record of the
logic solver and the results of the independent functional safety assessment.
d) Interface testing.
e) Testing in degraded and/or fault modes.
f) Exception testing.
g) Application of logic system maintenance and operating overrides (bypasses).
2. Test cases, test description, and test data.
3. Dependence on other systems/interfaces.
4. Test environment and tools.
5. SIS logic solver configuration.
6. Test criteria on which the completion of the test shall be judged.
7. Procedures for corrective action on failure of test.
8. Test personnel competencies.
9. Physical location.
b. Equipment shall be subjected to interference tests at the radio frequencies to be used
onsite. During these tests, cabinet doors should be open and extender cards fitted if
appropriate.
c. FATs shall:
1. Be performed on a defined version of the SIS logic solver in accordance with the test
plan.
2. Show that the logic performs correctly.
d. For each test performed, the following shall be considered:
1. Version of test plan being used.
2. Safety instrumented function and performance characteristic being tested.
3. Detailed test procedures and test descriptions.
4. Chronological record of test activities.
5. Tools, equipment, and interfaces used.
e. Results of the FAT shall be documented, stating:
1. Test cases.

2. Test results.
3. Whether test objectives and criteria have been met.
f. If a failure occurs during testing:
1. Reasons for failure shall be documented and analysed.
2. Appropriate corrective action shall be implemented and successful retesting
documented.
g. During the FAT, modifications or changes shall be subject to a safety assessment to
determine:
1. Extent of impact on each SIF.
2. Extent of retest, which should be defined, implemented, and documented.

h. Unless defined otherwise in the requisition, the FAT shall be divided into two phases:
1. Phase 1 – tests shall be performed at the SIS logic solver Vendor works.
2. Phase 2 – tests should be performed at the BPCS Vendor works (assuming the SIS
operator interface is to be provided through the BPCS).
i. Before Phase 1 of the FAT, the SIS logic solver shall be continuously energised for a
period of at least 7 days.
j. During the manufacturing period, the SIS logic solver Vendor shall perform hardware
checks to detect component failures. If any failures are discovered and replacements made,
these shall be noted and logged.
k. SIS logic solver Vendor shall provide adequate personnel, test facilities, and test
equipment for the FAT.
l. SIS logic solver Vendor shall provide FAT procedures, which shall include:
1. Timing of activities;
2. Supplier’s personnel attending the FAT (with responsibilities);
3. Methods by which deficiencies shall be identified, recorded, rectified, and retested.
m. Test procedures shall be provided to BP 6 weeks before the FAT.
n. SIS logic solver Vendor shall provide notification 4 weeks in advance of when the system
will be ready for FAT.

14.4.2. FAT phase 1


a. FAT Phase 1 shall consist of a full functional test performed at the SIS logic solver Vendor
works.
b. This phase shall also include:
1. Visual checks of workmanship.
2. Insulation tests.
3. Functional tests, including full simulation of inputs, outputs, and logic. Inputs and
outputs shall be simulated from the cabinet Elco, or equivalent, boards.
c. SIS logic solver Vendor shall provide to BP relevant hardware and system software
certificates before this phase of testing.
d. Latest revision documentation shall be available during this phase.
e. The SIS logic system and all applied features shall be checked against:
1. Compliance assessment certificate.
2. Requirements in the requisition and the approved functional design specification.

14.4.3. FAT phase 2


a. The second FAT phase (if applicable) shall take place at the BPCS Vendor works, the
location of which shall be determined and specified upon selection of the BPCS Vendor.
b. SIS logic solver Vendor shall have the following responsibilities with respect to FAT
phase 2:
1. Load the equipment at the SIS logic solver Vendor works.
2. Transport the equipment to and unload/load it at the BPCS Vendor works.
3. Provide insurance for equipment from the time the system is installed at the BPCS
Vendor works.
4. Assist the BPCS Vendor as required for connection of the SIS logic solver to the
BPCS and testing of communications between the two systems.
c. FAT phase 2 includes:
1. Connection of the SIS logic solver to the BPCS system.
2. Testing of serial communication with the BPCS, which involves:
a) 100% test of maintenance override (bypass) switch functionality.
b) Random test of 25% of analogue signals transmitted to the BPCS from the SIS
logic solver. If no failures are found, the test shall be considered acceptable. If
failures are found, a further 25% of analogue signals transmitted to the BPCS
from the SIS logic solver shall be tested, and so on until no failures are found or
all analogue signals are tested.
c) Random test of 25% of digital signals transmitted to BPCS from the SIS logic
solver. If no failures are found, the test shall be considered acceptable. If failures
are found, an additional 25% of digital signals transmitted to BPCS from the SIS
logic solver shall be tested, and so on until no failures are found or all digital
signals are tested.
d) First-up alarms, testing at least two points per group of all first-up groups.
d. Punchlist items (minor failures) from FAT phase 1 shall be tested during FAT phase 2.
e. Accepted application software shall be archived and back-up copies taken.
f. After a successful FAT of the SIS logic solver system connected to the BPCS, the SIS
logic solver shall be released for shipment.
g. The testing specified under FAT phase 2 may be carried out as part of the site acceptance
test if agreed or specified in the requisition.
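The incremental 25% sample test of 14.4.3.c.2 b) and c), written out as an added example (not part of GIS 30-801 or of any vendor's FAT tooling) so that the acceptance rule and its stop condition are unambiguous; the tag names and the check function are constructed, and each further round is taken as 25% of the full signal population, which the clause leaves open.

```python
"""Incremental 25% sample test of SIS-to-BPCS signals (FAT phase 2, 14.4.3.c.2).

Added example, not part of GIS 30-801. A random 25% of the signals is tested;
a round with no failures is acceptable, otherwise a further 25% is tested,
and so on until a clean round or until every signal has been tested. Each
round is taken as 25% of the full population (an assumption; the clause does
not say whether the further 25% is of the whole or of the remainder).
"""
import math
import random
from dataclasses import dataclass, field


@dataclass
class SampleTestRecord:
    """Chronological record of rounds, as 14.4.1.d.4 asks for: (sample, failed) pairs."""
    rounds: list = field(default_factory=list)
    accepted: bool = False

    @property
    def tested(self):
        return sum(len(sample) for sample, _ in self.rounds)

    @property
    def failed(self):
        return sum(len(failed) for _, failed in self.rounds)


def incremental_sample_test(signals, check, fraction=0.25, rng=None):
    """signals: tags sent from the SIS logic solver to the BPCS.
    check(tag) -> True when the value shown at the BPCS matches the SIS value.
    rng: random.Random; pass a seeded one to make the FAT record reproducible."""
    rng = rng or random.Random()
    untested = list(signals)
    round_size = math.ceil(fraction * len(signals))
    record = SampleTestRecord()
    while untested:
        sample = rng.sample(untested, min(round_size, len(untested)))
        for tag in sample:
            untested.remove(tag)
        failed = [tag for tag in sample if not check(tag)]
        record.rounds.append((sample, failed))
        if not failed:              # a clean round ends the test as acceptable
            record.accepted = True
            return record
    # All signals tested and the last round still failed: the failures go to
    # the punchlist for rectification and retest (14.4.1.f), no acceptance yet.
    return record


# Constructed population: 40 analogue tags, two of them miswired on the way to the BPCS.
ANALOGUE_TAGS = [f"AI-{i:03d}" for i in range(1, 41)]
MISWIRED = {"AI-007", "AI-019"}


def bpcs_value_matches(tag):
    """Constructed stand-in for reading back the BPCS value and comparing it."""
    return tag not in MISWIRED


if __name__ == "__main__":
    rec = incremental_sample_test(ANALOGUE_TAGS, bpcs_value_matches, rng=random.Random(1))
    print(f"rounds={len(rec.rounds)} tested={rec.tested} failed={rec.failed} "
          f"accepted={rec.accepted}")
```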

15. Packing and transport

15.1. Packing
a. After the successful FAT, SIS logic solver equipment shall be:
1. Securely packed, under responsibility of the SIS logic solver Vendor for type of
freight indicated in the requisition.
2. Properly marked and tagged.
b. The SIS logic solver shall be dismantled into individual shipping sections. Items that are
separated shall have interconnecting parts clearly tagged to facilitate reassembly at site.
c. If indicated in the requisition, cabinets and/or panels shall be wrapped in plastic sheeting
and hermetically sealed.
d. Packing requirements depend on location of Vendor’s premises and plans for storage after
delivery. Unless specified otherwise, packing shall be as follows:
1. Moisture-absorbing desiccant crystals shall be placed in the cabinets.
2. A completely itemised packing list shall be enclosed in stout envelopes securely fixed
both inside and outside each shipping container.
3. The SIS logic solver system shall be packed in individual shipping section containers.
e. SIS logic solver Vendor shall state in the quotation special requirements for storage at the
destination.

15.2. Transport
a. The SIS logic solver shall be delivered in accordance with order instructions to the location
indicated in the requisition.
b. SIS logic solver Vendor shall be fully responsible for supplying necessary documentation
to enable customs clearance of the equipment.

16. Drawings and documentation

16.1. General
a. Documentation shall comply with IEC 61511-1, Clause 19.
b. Documentation shall be in the English language, unless specified otherwise.
c. Only the following standard paper (or North American equivalent) sizes, listed in order of
preference, may be used:
1. A4 210 × 297 mm (US Letter 8-1/2 × 11 in)
2. A3 297 × 420 mm (11 × 17 in)
3. A2 420 × 594 mm (17 × 22 in)
4. A1 594 × 841 mm (22 × 34 in)
d. Prints shall be folded to A4 (or US Letter) size with title block visible at the front.
e. Documentation, including drawings, shall be in electronic and hardcopy format as detailed
in the requisition.
While the default drawing format is AutoCAD, another format may be specified in
the requisition.
f. If provided, self-documenting features of the SIS logic solver shall be used.

16.2. Information with quotation

16.2.1. General information


a. SIS logic solver Vendor shall review the SIS logic solver specification, request for
quotation, and all information supplied by BP.
b. SIS logic solver Vendor shall provide the following details in the quotation:
1. Which requirements are unclear or ambiguous.
2. What information is lacking for design, specification, and final validation.
3. Proposals for a more efficient way to achieve the objectives.
c. SIS logic solver Vendor shall provide reliability calculations to demonstrate that the required
integrity level has been met, or otherwise provide the following reliability information on
all SIS logic solver subsystem elements (for example, input, output, and logic channels)
that are required to terminate the hazard:
1. Safe failure fraction.
2. Dangerous diagnosed failure rate.
3. Dangerous undiagnosed failure rate.
4. Safe failure rate.
5. Common cause factor to be used for calculation of redundant configurations. This
factor should be calculated in accordance with the method detailed in IEC 61508-6. If
another method is used, it shall be detailed and justified.
6. Life of the subsystems for which the reliability information is valid.
d. If the Vendor provides reliability calculations to demonstrate that the required integrity levels
have been met, the following shall be provided:
1. Details of the reliability models used.
2. The reliability package used for the calculation.
3. Sources for all data.
e. Failure rate figures of all boards, power supply units, and other functional subassemblies in
the system shall be calculated in accordance with recognised methods (for example,
MIL-HDBK-217). Such calculations shall be based on the worst case and the normal
environmental conditions specified. The methods and data used shall be stated.
f. Additional cost of equipment to ensure each safety function is revealed-failure robust shall
be provided.
g. SIS logic solver Vendor shall provide information on the safety lifecycle to be used and the
provisions made for functional safety management of the activities to be performed.
h. A weekly project planning schedule shall be provided with the quotation. This schedule
shall include at least the following activities:
1. Functional design specification, showing details of how the specification will be
executed in the SIS logic solver hardware and software.
2. Layout, cabling, and wiring for system/cabinets/panels.
3. Configuration (programming).
4. Hardware/software freeze dates.
5. Fabrication, testing, packing, and shipment schedule.
6. FATs.
7. Site installation (if applicable).
8. Documentation deliveries.
9. Spare parts deliveries.
10. Design check stages to be performed by the organisation that ordered the equipment.
i. Planning schedule shall show all critical path items.
j. The following standard documentation shall be provided:
1. Full technical specifications of SIS logic solver Vendor hardware and software
quoted.
2. Full details of guarantee offered both on the overall system and on (commissioning)
spares.
3. Project specific documentation.
4. System block diagrams (for example, a detailed system overview).
5. Functional system descriptions.
6. Tabular information, comparing the proposed system capability and the requirements
specification. System spare capacity shall be clearly indicated in terms of:
a) I/O.
b) Logic.
c) Memory.
d) Communication interface capabilities.
e) Electrical loads.
f) Other expansion capabilities associated with the system.
7. Power requirements.
8. Cabinet details (physical layout).
9. Heat dissipation data.
10. Earthing (grounding) requirements.
11. Completed “Table of compliance”.

16.2.2. Training
a. SIS logic solver Vendor shall supply detailed information on the various training facilities
that can be provided both at their works and onsite for instrument maintenance/design
engineers, maintenance technicians, and operators.
b. For each training programme, the following shall be provided:
1. Types of courses.
2. Duration and periods of courses.
3. Costs per course (at the SIS logic solver Vendor works or onsite).
4. Training documentation provided.
5. Prerequisite knowledge of participants.

16.2.3. After sales service


SIS logic solver Vendor shall indicate the types of services that can be provided onsite.
Information shall be provided on the following:
a. Detailed information on the various forms of maintenance and support service agreements
that can be offered.
b. Possibilities regarding remote maintenance and cost of such maintenance.
c. Details on SIS logic solver Vendor spare parts holding (for example, which spares are
available and at what notice).

16.2.4. Site support


a. SIS logic solver Vendor shall quote for the following activities:
1. Support to supervise system installation to ensure conformity to the SIS logic solver
Vendor specification.
2. Assistance to power-up the system and run diagnostic programs to ensure hardware
integrity.
3. Support to install system configuration.
4. SAT/startup/commissioning assistance.
5. Check operation of I/O in the field with the commissioning team.
6. Check communications with other integrated systems wherever possible.
7. Assist commissioning team with performance acceptance test.
8. Provide technical advice onsite to commissioning team and assist with SAT.
9. Provide experienced engineers or technicians to assist with onsite modifications
arising from design or commissioning requirements.
b. SIS logic solver Vendor shall ensure that only appropriate personnel, fully conversant with
the equipment and its intended operation, are utilised for the provision of various services.
c. Contract documents shall define training and access requirements for individuals attending
installation and commissioning activities.

16.2.5. Spare parts


a. SIS logic solver Vendor shall ensure that either repair capabilities or equivalent
replacements will be available for its standard parts for at least 10 years after production
line manufacturing of the system or 10 years after items have been discontinued,
whichever is the longer.
b. SIS logic solver Vendor shall include spares for commissioning in the quotation.
Quantities recommended shall take into consideration the SIS logic solver Vendor’s
experience regarding the failure rate of components.
c. Spares used during the guarantee period shall be replenished at the SIS logic solver
Vendor’s expense. The time and procedure for repair and/or replacement shall be clearly
stated in the quotation.
d. SIS logic solver Vendor shall quote maintenance spares required for 2 years of continuous
operation.
e. Equipment vendors shall be required to supply information on product history of failure
and degradation. This history shall be an important consideration in the choice of
equipment to be used.
f. SIS logic solver Vendor shall also agree to supply information in the future about reported
failures and degradation.
g. SIS logic solver Vendor shall advise on the strategy for spares holding and storage, taking
into account:
1. Mean time to repair requirements.
2. Need for spares to be retained in an environment that ensures maximum reliability
when installed.

16.3. Drawing and information after order placement


a. A full functional system description, showing details of how the specification will be
executed in the SIS logic solver Vendor hardware and software, shall be provided and
updated as necessary during the project execution.
b. The full functional system description shall be revised in accordance with comments
provided by the purchaser or the independent functional safety assessment team.
c. The following reliability information shall be provided on the equipment selected:
1. Probability of failure on demand for each specified safety function, taking into
consideration:
a) Provisions made for redundancy.
b) Common cause factor.
c) Specified proof test interval.
d) Mean time to repair (MTTR).
2. Safe failure rate for each specified safety function that results in one or more
outputs changing to a safe state.
d. In calculating the probability of failure on demand, account shall be taken of the number of
inputs and outputs necessary to terminate the hazard. The reliability information provided
shall encompass all equipment from input termination to output termination and include all
barriers and input converters. As an alternative the vendor may provide calculations to
show that the required integrity level has been achieved.
e. A dossier shall be provided with the following information:
1. Compliance assessment reports for the equipment that has been assessed by an
independent organisation and shown to comply with IEC 61508-2 and 3 for the
specified integrity level.
2. Documentary evidence of the suitability of equipment selected based on prior use and
safety manuals, as described in IEC 61511-1.
3. Fault tolerance report, showing compliance with IEC 61511-1, Clause 11.4.
f. Design drawings, information, and manuals necessary for overall system design shall be
submitted within 4 weeks after the supply of “released for construction” information to the
SIS logic solver Vendor.
g. Other drawings and information (for example, wiring diagrams) shall be submitted in
accordance with the planning schedule.
h. Two copies shall be supplied of intermediate and final issues of documents and drawings.
i. In addition to the above requirement, final issues of documents and drawings shall be
supplied on CD.
j. Two copies of the following shall be supplied:
1. Summary of SIS logic solver Vendor documents.
2. System block diagrams (for example, a detailed system overview).
3. Functional descriptions.
4. Power requirements.
5. Cabinet details with physical layouts and card arrangements.
6. System cable connection details.
7. Heat dissipation data.
8. Earthing (grounding) requirements.
9. System cable drawings, showing connections between SIS logic solver Vendor-
supplied equipment.
10. Dimensional drawings for each piece of equipment.
11. Cabinet cable drawings, showing internal cabling between items in the cabinets.
12. Termination allocation diagrams.
13. Power supply distribution diagrams.
14. Single-line diagram of electrical supply for devices in the system.
15. Block diagrams, showing function blocks and modules, and the linkages between
them.
16. Software configuration listing.
17. Program listings for project specific programs.
18. SER listing.
19. FAT test procedure.
20. SAT test procedure.
21. List of batteries and fuses within the SIS.
22. Hardware maintenance manuals.
23. Software reference manuals.
24. Hardware reference manuals.
25. System operating and maintenance manuals.
26. Engineering manuals.
27. System installation and commissioning manuals.
28. Test reports signed by parties involved.
29. Records of authorised deviations.
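The reliability figures requested in 16.2.1.c and 16.3.c/d (safe failure fraction, dangerous diagnosed and undiagnosed rates, common cause factor, proof test interval, MTTR), worked through as an added example that is not from GIS 30-801 or any vendor reliability package, using the simplified low-demand 1oo1 and 1oo2 PFDavg equations of IEC 61508-6 Annex B; the channel failure rates, common cause factors, proof test interval and repair times are constructed values, not vendor data.

```python
"""Reliability figures requested in 16.2.1.c and 16.3.c/d: SFF and PFDavg.

Added example, not from GIS 30-801 or any vendor package. It uses the
simplified low-demand PFDavg equations of IEC 61508-6 Annex B for 1oo1 and
1oo2 voting. Symbols (rates per hour, times in hours):
  lambda_du / lambda_dd / lambda_s  dangerous undiagnosed / dangerous diagnosed / safe rates
  beta, beta_d  common cause factors for undiagnosed and diagnosed failures
  t1 proof test interval, mrt mean repair time after a proof test,
  mttr mean time to restoration for diagnosed failures
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lambda_du: float
    lambda_dd: float
    lambda_s: float

    @property
    def lambda_d(self):
        return self.lambda_du + self.lambda_dd

    def safe_failure_fraction(self):
        """SFF = (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)."""
        return (self.lambda_s + self.lambda_dd) / (self.lambda_s + self.lambda_d)


def t_ce(ch, t1, mrt, mttr):
    """Channel equivalent mean downtime: undiagnosed faults wait for the proof test."""
    return (ch.lambda_du / ch.lambda_d) * (t1 / 2 + mrt) + (ch.lambda_dd / ch.lambda_d) * mttr


def t_ge(ch, t1, mrt, mttr):
    """Voted-group equivalent mean downtime used by the 1oo2 equation."""
    return (ch.lambda_du / ch.lambda_d) * (t1 / 3 + mrt) + (ch.lambda_dd / ch.lambda_d) * mttr


def pfd_1oo1(ch, t1, mrt, mttr):
    return ch.lambda_d * t_ce(ch, t1, mrt, mttr)


def pfd_1oo2(ch, t1, mrt, mttr, beta, beta_d):
    """Independent double-failure term plus the common cause terms."""
    independent = (2 * ((1 - beta_d) * ch.lambda_dd + (1 - beta) * ch.lambda_du) ** 2
                   * t_ce(ch, t1, mrt, mttr) * t_ge(ch, t1, mrt, mttr))
    common_cause = beta_d * ch.lambda_dd * mttr + beta * ch.lambda_du * (t1 / 2 + mrt)
    return independent + common_cause


def sil_band(pfd_avg):
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 means below SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, floor in ((1, 1e-2), (2, 1e-3), (3, 1e-4)):
        if pfd_avg >= floor:
            return sil
    return 4  # 1e-5 <= PFDavg < 1e-4 (or below the table's lowest band)


# Constructed per-channel figures and repair/test times, not vendor data.
LOGIC_CHANNEL = Channel(lambda_du=1e-7, lambda_dd=9e-7, lambda_s=1e-6)
T1, MRT, MTTR = 8760.0, 8.0, 8.0      # yearly proof test, 8 h repairs
BETA, BETA_D = 0.10, 0.05             # assumed common cause factors

if __name__ == "__main__":
    print(f"SFF         = {LOGIC_CHANNEL.safe_failure_fraction():.3f}")
    for name, pfd in (("1oo1", pfd_1oo1(LOGIC_CHANNEL, T1, MRT, MTTR)),
                      ("1oo2", pfd_1oo2(LOGIC_CHANNEL, T1, MRT, MTTR, BETA, BETA_D))):
        print(f"PFDavg {name} = {pfd:.3e}  (SIL {sil_band(pfd)} band)")
```

With these constructed inputs the common cause term dominates the 1oo2 result, which is why the GIS asks for the beta factor and its derivation alongside the raw failure rates.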

16.4. Approval of drawings


a. Drawings and engineering documents shall be subject to comments and approval.
b. Approval is for the purpose of ascertaining conformance to the specifications and
standards. It does not relieve the SIS logic solver Vendor of the responsibility to provide a
fully operational system.
c. A period of 2 weeks shall be allowed for the provision of comments. The SIS logic solver
Vendor shall not commence fabrication before approval of the relevant drawings has been
received.

16.5. As-built drawings


a. Within 4 weeks of the acceptance of the system, SIS logic solver Vendor documents shall
be updated by the SIS logic solver Vendor and issued “as-built”.
b. Two hard copies and two CDs of documents and drawings shall be provided unless
specified otherwise in the requisition.

Bibliography

[1] ISO 9000 Family, ISO 9000 Compendium: International Standards for Quality Management.

[2] IEE, Safety, Competency, and Commitment: Competency Guidelines for Safety-Related System
Practitioners. ISBN 0 85296 787 X.

[3] IEC 61508-4, 5 & 7, Functional safety of electrical/electronic/programmable electronic safety-related
systems.

[4] MIL-HDBK-217, Military Handbook: Reliability Prediction of Electronic Equipment, 2 December 1991,
Department of Defence, United States of America, Washington DC 20301.
