SAFETY INSTRUMENTED SYSTEMS
EBOOK GUIDE TO THE SAFETY LIFE-CYCLE

Document ID: eFS-ebook-SIS-r4.0

eFunctionalSafety.com

eFunctionalSafety®
Prepared exclusively for [email protected] Transaction: 0138688873
FIRSTLY

ABOUT THIS EBOOK


This eBook is our 4th edition aimed at industry professionals looking at complying with international standard IEC 61511 when designing, maintaining or modifying protection systems that involve instrumentation.

In this latest edition, we’ve included links to our new MEMBERS area on the eFunctionalSafety
website. Register for a more interactive online course experience, with video and narrated
audio lessons, quizzes and featured downloads.

All the best,

Jon
Jon Keswick, CFSE
Founder - eFunctionalSafety

Linked-In
[email protected]

This guide focuses on the IEC 61511 standard for safety instrumented
systems - SIS - specialist protection layers used to prevent hazardous
events escalating to threaten life, the environment and company assets.
The IEC 61511 standard outlines a functional safety lifecycle for the
process industry sector and is now internationally accepted by operating
companies and regulators worldwide. The safety lifecycle provides an
outline flowchart (see section 2) detailing the stages of different activities
needed to assess hazards and then develop instrumented protection layers
to prevent or mitigate risk.

As working individuals, we accept risk on a daily basis. There are numerous examples of this; from simply travelling to get to work, to working in environments that are inherently hazardous. We typically accept some level of greater risk because we receive a benefit in the form of payment or other reward.

Achieving a tolerably safe environment when working with hazardous substances can be challenging. Those who work in and around industrial processes will be required to wear appropriate personal protective equipment (PPE), but on its own PPE will not be enough if there are significant hazards that cannot be easily controlled or predicted.

In designing processes to be as safe as possible, Process Safety principles ensure correctly designed pipes, vessels and equipment with the right materials to withstand extremes of temperature, pressure and corrosiveness.

Where extremes can lead to loss of containment events, Functional Safety principles ensure that
Safety Instrumented Functions in the SIS get a Safety Integrity Level (SIL) applied.

People, Planning & Procedures


Delivering the SIS safety lifecycle requires carefully considering the people, planning and procedures that will be needed. The IEC 61511 standard identifies this as functional safety management.

A sound functional safety management system will ensure that projects get set up with people
who are competent in the part(s) of the lifecycle they are involved with. The goal is to provide
adequate policies, planning and procedures to control specialist functional safety activities. With
good management, companies should be in a position to retain safety knowledge as people
move on or retire.

In planning lifecycle steps, it is essential to consider the inputs, procedures and expected outputs for each of the specialist activities. Referring to the sample lifecycle in the IEC 61511 standard (see below) is only a start, because it is too generic. Instead, each duty holder must develop a custom lifecycle showing the steps, methods and procedures they will adopt to deliver functional safety objectives.
3 © Copyright 2006-2024, eFunctionalSafety®

[Figure: IEC 61511 safety lifecycle. Phases in sequence: Hazard and risk assessment; Allocation of Safety Function to Protection Layers; Safety Requirements Specification for the SIS & SIF; Design and Engineering of SIS; Installation, Commissioning and Validation; Operation and Maintenance; Modification; Decommissioning. Running alongside all phases: Management of functional safety & Functional Safety Assessment & Auditing (the Functional Safety Management System); Safety Lifecycle Structure and Planning; Verification of each phase and activity (the project-specific Functional Safety Verification Plan with defined roles and responsibilities); Design and Development of Other Means of Risk Reduction.]

EXAMPLE PROCEDURES

• FS MANAGEMENT
• FS POLICY
• FSA AND AUDIT
• HAZOP / CHAZOP
• LOPA
• SIL DETERMINATION
• EQUIPMENT JUSTIFICATION
• SIL VERIFICATION
• SIS SYSTEM DESIGN
• SIF DESIGN
• FAT
• SAT / VALIDATION
• OPERATION AND MAINTENANCE
• MODIFICATION

EXAMPLE TEMPLATES / CHECKLISTS

• FS PROJECT PLAN
• RACI MATRIX
• COMPETENCE ASSESSMENT
• FSA CHECKLIST
• HAZOP / LOPA TEMPLATE
• HAZOP / LOPA CHECKLIST
• SRS TEMPLATE
• SRS CHECKLIST
• EQUIPMENT CERTIFICATION CHECKLIST
• FAT TEMPLATE
• SAT TEMPLATE
• PROOF TEST TEMPLATE

GUIDE TO THE SIS SAFETY LIFE-CYCLE 4

Projects involving SIS must be conducted with sound project management principles, including a clear and concise plan, well-developed procedures and sign-off or “verification” activities.

We strongly recommend developing procedures and templates that will actually get used in
practice. This means keeping procedures as relevant as possible, preferably using flowcharts
and diagrams to simplify use and comprehension.

[Figure: from generic procedure to project activity. eFunctionalSafety P-HZP HAZOP Procedure → review and adapt to COMPANY needs → COMPANY HAZOP Procedure → PROJECT activity: HAZOP Study → output: HAZOP report.]

Project templates differ from procedures in that they provide a starting point for those encountering an SIS project. Templates and checklists can really help ensure completeness and compliance for later assessment.

Hazard and risk assessment


Any company operating systems, processes or machinery that could result in loss of life or significant environmental damage must carry out hazard identification and risk assessment. For most process facilities, this involves looking for events that could result in the “loss of containment” (LOC) of hazardous materials.

There are many ways of approaching process hazard analysis (PHA), often using methods
like HAZOP - Hazard and Operability studies. Whichever method is adopted, the key is to use a
systematic approach with a multi-discipline team.

If approached methodically, a HAZOP should provide:

• Credible information on possible causes of hazards.

• Estimated consequences of hazardous events.

• Safeguards or protection layers that can prevent event occurrence or mitigate escalation.

• Actions for safety and operational improvement.



LOPA and SIL targets
After hazard identification, there often needs to be further analysis to assess Independent
Protection Layers (IPL) for the most severe hazards. LOPA - Layers of Protection Analysis is one
such analysis method.

HAZOP systematically works through piping and instrumentation diagrams using a multi-discipline team to determine possible hazardous events, potential consequences and safeguards in the current design, with actions proposed for improvement.

There are no standardized techniques for LOPA, so each duty holder should decide the rules they
will apply to ensure consistency within their tolerable risk guidelines.

LOPA can only be attempted with clear risk criteria in place. Tolerable risk usually comes in
the form of a company-approved risk matrix, and a set of numerical targets with maximum
frequencies for the most undesired consequences.

After considering all possible IPLs, one or more Safety Instrumented Functions (SIF) will often
be needed to reduce risk to tolerable levels. With the correct procedural steps in place, the LOPA
study can also determine the Safety Integrity Level (SIL) target for each SIF.

[Figure: hazard and risk assessment workflow. Inputs: P&IDs, Facility Siting, Occupancy Levels. HAZOP Study (per the HAZOP Procedure) → HAZOP Report → LOPA Study (per the LOPA Procedure) → LOPA Report and IPL Register → decision “SIF/SIS Required?”: NO → non-SIS protection layers; YES → Safety Requirements Specification for SIS and SIF.]



Safety Requirements Specification
When previous steps have determined that an SIS is needed, a Safety Requirement Specification (SRS) needs to be developed.

Functional requirements must explain what each SIF is for, which hazard it protects against, and what actions it must take. Functionality can be readily expressed by Cause and Effect diagrams that associate the sensed condition and its required actions.

Integrity requirements set the standard for the design in terms of safety integrity and system availability. The SIL target is one integrity requirement of a SIF, but not the only one. Others include Probability of Failure on Demand (PFD) or Probability of Failure per Hour (PFH), hardware fault tolerance (HFT) and Systematic Capability (SC).

At the early stages of design or modification, the hazard owner must determine around thirty different integrity and functional requirements to fully describe each function in terms of hardware. This is the “Initial SRS” in the diagram below.

Later in the design or modification of a SIS, more requirements will need to be carefully developed to fully describe the overall system, application program (software), and its interfaces to other systems. These are the “Hardware SRS” and “Software SRS” in the diagram below.

[Figure: SIL verification loop. Initial SRS → Select Hardware Devices → Decide on required HFT for safety & availability → Determine Proof Test Method → Verify PFDavg/PFHD & HFT for each SIF (inputs: Sensor, Logic Solver and Final Element Reliability Data; PF Calculations for each SIF) → decision “SIL Achieved?”: NO → loop back; YES → Hardware SRS and Software SRS.]

In practice, the hardware and software SRS may eventually be comprised of multiple documents that explain the SIS and SIF devices and software in increasing levels of detail.



[Figure: from SRS to design review. Hardware SRS → SIF Sensors and Final Element Data Sheets, SIF Loop Drawings, Logic Solver Hardware Detail Design. Software SRS → Safety Manual & Coding Rules, Application Program Design. Both streams → Design Review.]

Hardware and Software of the SIS Logic Solver are usually integrated and tested at the Factory
Acceptance Test (FAT) stage.

SIS Design & Engineering


The specifier of an SIS can select appropriate equipment when the safety requirements are
sufficiently complete and stable. Long-lead items such as final element valves and actuators
may be among the first to be considered for selection.

IEC 61511 requires all equipment used in the SIS to be justified. Typically, this will involve ensuring only SIL-capable devices get used from reputable suppliers. Where SIL-capable devices are unavailable, the company responsible for equipment selection and engineering will need to consider justifying the use of equipment on another basis, such as “prior use”.

Logic solver application programs (software) must also be developed. When using SIL-capable Safety Programmable Logic Controllers (Safety PLCs), the software coding rules are often specified in a safety manual by the Safety PLC manufacturer. When developing the Application Program (AP), follow the manufacturer “do’s and don’ts” guidance closely.



Verification by design review and integrated hardware/software Factory Acceptance Testing
(FAT) will typically occur towards the end of this stage. FAT is not sufficient in itself, as the
field devices are typically not integrated at this stage.

Installation & Commissioning (SAT)


The end stage of the design and engineering lifecycle phase is known by various names in
industry. Some will term this whole stage as SAT - Site Acceptance Testing, which involves
various stages of mechanical completion at the installed site before any testing takes place.

Commissioning transforms the mechanically installed equipment into operational devices by checking electrical wiring, connecting power sources and calibrating devices that need calibration.

Where there is an SIS installed, SAT must involve testing, which in IEC 61511 is known as Validation.

Validation testing of the SIS in-situ on the hazard site involves an end-to-end physical test, from the installed sensor to the installed final element, for every SIF listed in the safety requirements specification (SRS).

Site Acceptance Testing is an industry term for the whole installation stage of control and
safety systems. IEC 61511 uses the term Validation to denote the specific task of testing the
SIS in-situ with all devices connected.

The SRS should be the primary reference source for creating the validation plan to specify
the validation crew’s detailed steps. These include physical inspection steps, drawing review
versus all installed equipment, positive and negative test activities and test logs.

Operation & Maintenance


Once the SIS is in operation, nobody must modify it unless they follow change management
processes.

The operation and maintenance personnel must get trained on all aspects of the SIS and SIF before startup. This training is crucial for a novel system or equipment that is new or unfamiliar.

By now, inspection and proof test procedures should have been developed for the SIS and
each safety instrumented function (SIF).

Ideally, the proof tests get scheduled to tie in with turnarounds to enable safe offline testing. Operations must keep detailed inspection and test records for future assessment, audit and further analysis of equipment failure root cause.

[Figure: operation, maintenance and modification workflow. Elements shown: Validated System; Operation & Maintenance Procedure; Operation Procedure; Maintenance Procedure; Permit to Work; Bypass/Override risk assessment & authorisation; Inspection & Proof Test Procedure; Inspection & Proof Testing; Inspection & Proof Testing Records; FSA 4 Plan / Procedure leading to FSA 4; Modification Request; Modification Procedure; Revised risk / SIL assessment; FSA 5 Plan / Procedure leading to FSA 5; Modification Approval; Repeat appropriate activities; Decommissioning.]

Special procedures for bypassing a SIF or SIS during operation may also be needed, especially for continuous process plants. Such practices will need to account for the full risks of bypassing a safety function and have appropriate technical review and authorization.

As demands occur that require the SIS to react, operations should track these over time to look for negative trends which might lead to plant or system modification.

Functional Safety Assessment (FSA) & AUDIT


Functional Safety Assessment (FSA) is a technical activity which is proposed at several stages in the SIS safety lifecycle; mandated in IEC 61511 to be carried out at least once prior to startup of an SIS, and at regular intervals during the operations stage.

The FSA activity must be led by a senior competent person, who is not involved with the step
or steps being analysed.

FSA planning should be done at the start of any project where an SIS is expected to be needed.
If the SIS already exists, then plan for an operations and maintenance FSA 4 (see above) after
some time in operation, and FSA 5 (see above) for all modifications.

The distinction between FS Assessment (FSA) and a functional safety audit is slightly nuanced, but they are separate requirements in IEC 61511. The main difference is that FSA is an activity that requires functional safety technical competence, whereas an audit can be completed by anyone with management and audit competence.

Management of Change
The objective of managing change to the SIS is to ensure that the previously validated system
is not compromised in any way. All requests for change must identify and repeat the relevant
parts of the lifecycle to ensure the impact of change is fully understood before proceeding.

Modification planning should include documenting the reason for change, conducting an impact analysis, and a functional safety assessment (FSA 5) of the impact analysis. The FSA must be conducted by a competent person who is independent of those making the changes.

It is mandatory to re-validate the system and update all relevant documentation. The only
exception to this is for fully like-for-like changes which do not involve a change in software or
embedded firmware.

Actually making changes to the SIS must only occur under pre-authorized conditions and work-permit practices. As usual, change must be made by those with the required competence, and the changes should be logged with a record of completion. All those impacted by the change must be trained.

Any SIF or SIS which is decommissioned must follow the management of change procedure, with a full justification record retained for removal of a SIF or SIS from service.

SIS Documentation
It is difficult, but nevertheless crucial, to keep safety system documentation accurate, up to
date, easy to understand and fit for purpose.

In practice, this is very challenging for many reasons. There can be changes that require updates to multiple documents produced at different stages of the lifecycle, meaning an impact on HAZOP, LOPA, SIL determination, the Safety Requirements Specification, Test Plans, and more.

SOFTWARE for the Safety Lifecycle


If you want to manage the safety lifecycle for the long term it is well worth considering using
specialist software. The main reason for this is the interconnected stages of activity that often
occur over a lengthy period of time with the involvement of different people and companies.

Imagine a project modification where the SIS was installed more than three years ago by a contractor, and the process has not yet been through any form of revalidation exercise for hazards. A modification to the SIS must revisit the SRS, but it may also impact the HAZOP, LOPA and SIL determination and many other aspects.

During the prolonged stages of a project, documentation has often been produced by third
parties, and all that now exists are “flat files” as PDF or Word documents. How do you ensure
consistency and completeness of the documentation when it comes to an update?

With these challenges in mind, we highly recommend aeShield software for multiple reasons:

• Digitize and link together the stages of HAZOP, LOPA, IPL, SRS, SIL Verification, Test Plans
and Operational KPIs.

• Control revisions with minimal human intervention.

• Share active data with remotely located teams.

• Keep IPL, SIF and SIS documentation up to date when inevitable changes happen during
projects or for modifications in operation.

CASE STUDY: aeShield®


eFunctionalSafety provided HAZOP, LOPA, SRS and SIL verification support to an Original Equipment Manufacturer developing an exciting new product for the emerging energy sector; using hydrogen to generate backup electricity for data centres, without any of the harmful environmental emissions of traditional diesel generators.

The project was fast-track and demanding, and eventually required a validation test plan to be delivered on a very tight timescale. This may sound trivial, but it’s not.

As eFunctionalSafety had delivered the SRS and SIL verification using aeShield, we were able to turn around validation test plans in record time, with the assurance of complete consistency of the SIS test plan, the SRS and system cause & effects.



eLP003
SIS & Functional Safety for IEC 61511
ONLINE LEARNING PATH

Learning Outcomes

• Outline the IEC 61511 safety lifecycle from hazard and risk assessment, through to final decommissioning;
• Provide an overview of Functional Safety Management, assessment and audit requirements of IEC 61511;
• Describe an SIS, and refer to the key standards and regulations which drive SIS requirements;
• Follow a typical workflow of hazard and risk assessment, including explaining HAZOP, LOPA and how these can be used to determine SIL;
• Describe the importance of Safety Requirements and why these are critical to SIS Validation;
• Summarise SIS equipment selection options, including hardware and software types;
• Outline the principles of SIS design, voting, hardware fault tolerance and SIL verification principles;
• Explain the main operation and maintenance requirements of IEC 61511 for sustaining SIL.

