Table of Contents
1. Purpose
This procedure defines the work sequence and responsibilities for the engineering/design and implementation of Safety Instrumented Systems to achieve an intended safety function up to field installation and commissioning.
This procedure shall be applicable for the Company.
The instrumented system shall be referred to in this document as Safety Instrumented Systems (SIS).
2.General
For the engineering/design and implementation of SIS, the standards and working procedures of IEC-61508 are adopted.
The implementation of SIS shall be considered separately for each system regardless what level of integrity is expected.
The IEC-61508 defines the lifecycle of SIS (see figure 3.1). Each step in the lifecycle involves a number of actions to be taken by a designated responsible department, discipline and/or group.
The responsibilities for the individual steps are defined in chapter 4.
2.1 Abbreviations
|
EFD |
Engineering Flow Diagram |
|
E/E/PES |
Electrical/Electronic/ Programmable Electronic System |
|
HAZOP |
HAZard and OPerability review |
|
IEC |
International Electrical Committee |
|
ITB |
Invitation To Bid (project definition) |
|
PPEM |
Project Procedure Execution Manual |
|
SIL |
Safety Integrity Level |
|
SIS |
Safety Instrumented System |
|
Sintef |
Norwegian verification authority |
|
TÜV |
German verification authority (Technische ?berwachungs Verein) |
2.2 Definitions
Electrical/Electronic/Programmable Electronic System
System for control, protection or monitoring based on one or more electrical/electronic/programmable electronic devices, including all elements of the system such as power supplies, sensors, other devices, data highways, communication path’s, actuators and other output devices.
Safety Integrity Level
Discrete level (one out of possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PES safety instrumented systems, where safety integrity level 4 is the highest level and safety integrity level 1 is the lowest level.
3. Procedure
The procedure for the implementation of SIS is divided in sequential steps as defined in the IEC-61508.
3.1 Concept (step 1)
3.1.1 Process Design
During the process design the likely potential sources of hazard for people, equipment and/or environment, when normal control functions fail, shall be determined.
3.1.2 Non Instrument Risk Reduction
Alteration of the process design and/or addition of non-instrument related safety functions might reduce the potential risk to a tolerable level. If this is not the case then it could be investigated if the application of a SIS would reduce the risk sufficiently.
3.2 Overall SIS Scope Definition (step 2)
During this step the scope for the hazard and risk analysis is defined.
3.3 Hazard and Risk Analysis (step 3)
The hazards and hazardous events of the equipment under control shall be determined under all reasonable foreseeable circumstances (including fault conditions, reasonable foreseeable misuse and relevant human factors) taking the overall scope definition of step 2 into account. The necessary risk reduction shall be determined for each hazardous event. The required Safety Integrity Level (herein after referred to as SIL) is determined.
Particular attention shall be given to abnormal or infrequent modes of operation.
3.4 Overall Safety Requirements (step 4)
Overall Safety Requirements
- Preparation of safeguarding narratives and Cause & Effect diagrams for the SIS.
- HAZOP Review Meeting
During the HAZOP reviews, all potential hazards and operability conditions are reviewed. The remedial actions to prevent a hazardous situation from occurring are then assessed.
Included in the HAZOP review is the requirements for in line/off line testing of safety functions and the operability of the equipment under control during testing.
3.5 Safety Requirement Allocation (step 5)
Determine the architecture and the required instrumentation (including on/off-line-testing facilities) for the realization of the SIS functions as defined in previous steps. The safety requirement allocation takes into account: the required SIL, the required separation from other systems and the required degree of diagnostic coverage.
3.6 SIS Operation and Maintenance Plan (step 6)
The operation and maintenance plan for the SIS is the Client’s responsibility. However it may be decided that RE&C has to prepare this as a special project requirement.
The operation and maintenance plan involves at least the following topics:
- maintenance procedures for E/E/PES (including software if applicable);
- testing and verification procedures (on and off line) of all involved equipment.
3.7 Safety Validation Plan (step 7)
The safety validation plan is Client’s responsibility. However it may be decided that RE&C has to prepare this as a special project requirement.
The safety validation plan defines the steps to be taken for safety validation as defined in step 13 (paragraph 3.13).
3.8 Installation and Commissioning Plan (step 8)
The installation and commissioning plan defines the step to be taken for installation, testing and verification of the SIS.
3.9 SIS Detailed Design (step 9)
3.9.1 Realization of the Safety Instrumented Systems
The realization of the SIS by equipment specifications and detailed installation design.
The equipment specification shall covers at least:
- requirements for all initiating equipment, including reliability and material certificates;
- requirements for all actuating devices, including reliability and material certificates;
- requirements for the E/E/PES, including reliability, hardware and software, communication with other systems and input/output channels.
The detailed installation design involves at least the preparation of:
- logic diagrams (alternative ladder diagrams) indicating the required function(s);
- instrument process hook-ups;
- instrument air supply hook-ups;
- instrument mounting hook-ups;
- cabling and wiring details.
3.9.2 Functional Safety Assessment
Investigation based on evidence, to judge the functional safety achieved by one or more E/E/PES safety related systems. A functional safety assessment is performed, for all SIL’s, (e.g. by applying the fault tree method) after completion of the design of each safety-instrumented function to confirm the requirements of the safety requirement specification. The detailed design of the SIS shall be according the requirements of IEC-61508-part 2 and part 3.
The required test interval time is determined/confirmed during the functional safety assessment.
The Functional Safety Assessment Report shall contain evidence that the equipment complies with the required SIL, assumptions for failure rates. Common causes and diagnostic features shall be qualified.
3.10 Other Technologies (step 10)
This is not part of this procedure.
3.11 External Risk Reduction (step 11)
This is not part of this procedure.
3.12 Overall Installation and Commissioning (step 12)
Installation, testing and commissioning shall be executed according the detailed design package as prepared under step 9.
3.13 Overall Safety Validation (step 13)
Validate that the SIS meets the overall safety requirements and safety integrity level. Verify that all required documentation is complete, this is a part of the functional safety assessment, which is carried out by an independent (external/internal) organization as intended in chapter 8 of IEC-61508.
In most countries, the Client is responsible for the correct implementation of SIS however certification of the complete SIS installation may be required from an authorized organization such as Sintef, TÜV etc. In Germany for example this is mandatory!
In order to follow the procedures correctly the selected organization should be involved as early as practical in the development of the SIS.
3.14 SIS Operation, Maintenance and Testing (step 14)
Operation, maintenance and testing are Client’s responsibilities, however testing and a regular testing interval are necessary for obtaining and maintaining the required SIL. The test methodology and test intervals are very important since they influence the SIL.
3.14.1 Operation
The operation of the SIS by the Client should be such that the safety availability remains at the same level as it was originally designed for. This is clearly the Client’s responsibility, however the SIS should be designed such that this is easily possible as a normal operation routine.
3.14.2 Maintenance
The Instrumentation needs to be maintained regularly (e.g. transmitter re-calibration, valve overhaul and stroking), this is the Client’s responsibility. The Client should follow the instructions from the manufacturers in detail (according to an approved quality procedure) to make certain that the once applied figures for functional safety assessment remains the same.
3.14.3 Testing
The regular testing of all the components in a SIS is a requirement for achieving the desired SIL. Without regular testing with pre-determined test intervals it is not possible to come to a reliable functional safety assessment.
There are three ways to determine the test interval time:
- Client Dictates the Test Interval per SIS
This has the possibility that the test interval is too long (Client’s regularly do not want to test very often because of the cost and the possible impact on production). In this case it affects the choice of the equipment. The equipment must be more reliable hence the equipment will be more expensive. - The Test Interval Depends on the Results of the Functional Safety Assessment.
If the equipment has been selected, then after the functional safety assessment has been made, the Client can be advised as to what the test interval should be and when it should start after process start up. Normally the equipment is sufficiently reliable, therefore a reasonable test interval will be found. - Combination of 1 and 2
The Client dictates the test interval for all SIS, which should operate in SIL 1 (the majority of all SIS). Depending on a realistic interval time this is acceptable for most systems.
For the SIL 2 and SIL 3 the test interval is determined during the functional safety assessment. The Client should accept a higher test frequency as a result of the functional safety assessment for the given SIL.
3.15 Overall Modification and Retrofit (step 15)
If modification and retrofit of an existing SIS is required then a complete function and functional safety assessment shall to be done. The report of this assessment shall be the input to step 3 in the lifecycle for the definition of new requirements of the SIS, which may involve new or additional safety functions with the same SIL or increased/decreased SIL.
3.16 De-Commissioning or Disposal (step 16)
This is the Client’s responsibility and is not part of this procedure.
Figure 3.1 Life Cycle of Safety Instrumented Systems
4. Responsibilities
In order to comply with the requirements of IEC-61508 a responsibility plan should be followed, in which is defined who is responsible and what the deliverable(s) is for each step in the SIS lifecycle. The responsibilities for the implementation of SIS are indicated in relation to the SIS lifecycle in figure 4.1.
The following departments, discipline and group are responsible for the implementation of SIS:
- Process department;
- Process Control group;
- Instrumentation & Control Systems discipline;
- Quality Assurance department.
4.1 Process Design Concept (step 1)
|
Responsibility |
: |
The Process department is responsible for the identification of potential hazards. |
|
Strategy & Implementation |
: |
The process design concept is based on the project definition (PPEM, ITB etc.) and Clients requirements. |
|
Deliverables |
: |
Process Flow Diagrams and Engineering Flow Diagrams. |
|
Communication |
: |
The output is relevant for step 2 (overall scope definition). |
4.2 Overall SIS Scope Definition (step 2)
|
Responsibility |
: |
The Process department and Process Control group are responsible for the SIS overall scope definition. |
|
Strategy & Implementation |
: |
The SIS scope is determined based on the different operation and fail scenarios. The Process department assesses the effect of each scenario. |
|
Deliverables |
: |
|
|
Communication |
: |
Communication between all parties involved is essential. The output is relevant for step 3 (hazard & risk analysis). |
|
Remarks |
: |
Part of the SIS scope definition is the HAZOP review. All parties should be involved when SIS is being reviewed. |
4.3 Hazard and Risk Analysis (step 3)
|
Responsibility |
: |
The Process department and Process Control group are responsible for the hazard and risk analysis. |
|
Strategy & Implementation |
: |
Applying the risk graph method for each identified system in the scope definition. |
|
Deliverables |
: |
Hazard and Risk Report for each system with justification for each parameter identifying the SIL for each SIS. |
|
Communication |
: |
The output is relevant for step 4 (overall safety requirements). |
|
Remarks |
: |
The independent party, responsible for the validation and the functional safety assessment shall be involved in this phase in order to avoid unnecessary rework, and related equipment cost, later. |
4.4 Overall Safety Requirements (step 4)
|
Responsibility |
: |
The Process Control group is responsible for the overall safety requirements. |
|
Strategy & Implementation |
: |
Define measures to avoid hazard separately for each safety function. |
|
Deliverables |
: |
Safeguarding narratives and Cause & Effect diagrams. |
|
Communication |
: |
The output is relevant for step 5 (safety requirement allocation). |
|
Remarks |
: |
Close cooperation between the Process Control group and Instrumentation & Control Systems discipline is vital for this step. |
4.5 Safety Requirement Allocation (step 5)
|
Responsibility |
: |
The Instrument & Control Systems discipline is responsible for the allocation of safety requirements. |
|
Strategy & Implementation |
: |
The instrument equipment and architecture is determined for the functions as described in the functional safety specification. |
|
Deliverables |
: |
EFD’s and philosophy diagrams. |
|
Communication |
: |
The output is relevant for step 9 (SIS detailed design). |
|
Remarks |
: |
Close cooperation is required between the Process Control department and the Instrumentation & Control Systems discipline. |
4.6 SIS Operation and Maintenance Plan (step 6)
|
Responsibility |
: |
The Client is responsible for the SIS operation and maintenance plan, however if RE&C has to prepare this than it is the responsibility of ICS discipline. |
|
Strategy & Implementation |
: |
Maintenance, testing, verification procedures according recommendations of the manufacturers of the instrument components. |
|
Deliverables |
: |
Operation and maintenance manuals. |
4.7 Safety Validation Plan (step7)
|
Responsibility |
|
The Client is responsible for the safety validation plan, however if RE&C has to prepare a safety validation plan than is it the responsibility of the QA department. |
|
Strategy & Implementation |
|
Define steps in the lifecycle for validation |
|
Deliverables |
: |
Validation plan |
4.8 Installation and Commissioning Plan (step 8)
|
Responsibility |
: |
The Instrument & Control Systems discipline is responsible for the installation and commissioning plan. |
|
Strategy & Implementation |
: |
Testing & commissioning procedure. |
|
Deliverables |
: |
Testing & commissioning manuals. |
|
Remarks |
: |
Cooperation with RE&C construction and commissioning teams is required. |
4.9 SIS Detailed Design (step 9)
|
Responsibility |
: |
The Instrument & Control Systems discipline is responsible for the SIS detailed design in accordance with the requirements of steps 4 and 5. |
|
Strategy & Implementation |
: |
Preparation of instrument specifications detailed installation, design documentation Perform a reliability analysis (e.g. fault tree method), based on selected equipment, to confirm compliance with SIL requirements. |
|
Deliverables |
: |
Specifications, logic diagrams, wiring diagrams, installation details, loop-diagrams, functional safety assessment report |
|
Remarks |
: |
The functional translation of Cause & Effect diagrams and safeguarding narrative shall be confirmed with the Process Control group. |
4.10 Other Technologies (step 10)
Not part of this procedure.
4.11 External Risk Reduction (step 11)
Not part of this procedure.
4.12 Overall Installation and Commissioning (step 12)
|
Responsibility |
: |
Instrumentation & control systems discipline is responsible for the installation and commissioning. |
|
Strategy & Implementation |
: |
Installation performed by Sub-Contractor and functional testing witnessed by Clients representatives. |
|
Deliverables |
: |
Installation completion and test certificates. |
4.13 Overall Safety Validation (step 13)
|
Responsibility |
: |
Independent external/internal party. (managed by Client) |
|
Strategy & Implementation |
: |
Verify completion and compliance with the followed integration steps and documentation. |
|
Deliverables |
: |
Statement of compliance. |
4.14 SIS Operation, Maintenance and Testing (step 14)
Client’s responsibility.
4.15 Overall Modification and Retrofit (step 15)
|
Responsibility |
: |
Instrument & Control Systems discipline. |
|
Strategy & Implementation |
: |
Safety and functional assessment of existing system. |
|
Deliverable |
: |
Assessment report. |
|
Communication |
: |
Assessment report is input for lifecycle step 3 activities. |
4.16 Decommissioning or Disposal (step 16)
Client’s responsibility.
Figure 4.1 Responsibility Plan
5. Flowchart
None.
6. Reference
|
|
Document Number |
Title |
Level |
| 6.1 | BN-EG-UE308 | Engineering Guide for Safety Instrumented Systems and Reliability Analysis | 5 |
| 6.2 | IEC-61508 (part1-7) | Functional Safety – Safety Related Systems |