by Greg Hardin, CFSE | Sr Principal Specialist, Practice Lead, SIS Engineering
In 2016, the International Electrotechnical Commission (IEC) published Edition 2 of the IEC 61511 standard, “Functional Safety – Safety Instrumented Systems for the Process Industry Sector,” which the International Society of Automation (ISA) 84 committee also adopted in 2018 as a U.S. national standard (ANSI/ISA-61511-1-2018). This standard covers the design and management requirements for a Safety Instrumented System (SIS) throughout its lifecycle. The 2nd edition of IEC 61511 now requires – by use of the word “shall” – that a Stage 4 Functional Safety Assessment (FSA) be conducted during normal operation of a facility to ensure the SIS is providing protection and risk reduction against the hazards as designed and intended.
Initial Stages of the SIS Lifecycle
An FSA is carried out in five (5) stages throughout the SIS lifecycle. Prior to designing a SIS, a hazard and risk assessment is conducted to determine required Independent Protection Layers (IPLs) for risk reduction. After Safety Instrumented Functions (SIFs) have been allocated to protection layers, the Safety Requirements Specification (SRS) documents the functional and integrity requirements for each SIF. Following the SRS, the Stage 1 FSA precedes the design and engineering of the SIS, Stage 2 FSA precedes the installation, commissioning, and validation, and Stage 3 FSA precedes the SIS operation and maintenance.
Stages 1-3 of the FSA cover the SIS from original concept as defined by the hazard and risk assessments, through design, construction, and commissioning. In practice, this is commonly where SIS assessment ends, yet Stage 4 is essential and now required for the operation and maintenance phase to ensure the SIS meets its safety performance targets.
Stage 4
A Stage 4 FSA is absolutely critical for monitoring SIS performance, understanding operating behavior of the installed devices, and verifying reliability assumptions made during design. It takes a number of years of experience with the operation for an FSA to truly reveal trends of how the SIS responds to process deviations. A Stage 4 FSA can determine whether:
Are the SIFs being called upon with the expected frequency?
Are the SIFs functioning correctly when called upon?
Do SIF trips result from the causes identified in the hazard and risk assessments?
Are proof tests procedures being executed at the required frequency and documented appropriately?
If bypassing elements of a SIF is allowed, is the correct procedure followed when this occurs?
Is a SIF in improper bypass mode?
Other aspects of operation and maintenance identified in Clause 16 of IEC 61511
Although IEC 61511 does not prescribe when or how often to perform Stage 4, Stage 4 FSAs should be conducted periodically over the lifecycle of the installed SIS as new hazards are identified, after plant modifications, and at periodic intervals during operation to confirm that the SIS continues to operate and protect against hazards as designed. Historical data collected over the lifecycle of the SIS can also help mitigate failures and provide a basis for statistical reliability.
The Bottom Line
The 2nd edition of IEC 61511 emphasizes understanding the behavior of a SIS in its operating environment. The most important conclusion, however, is whether the SIS is providing the necessary protection, regardless of how carefully it was designed in compliance with standards. Investing in periodic Stage 4 FSAs to fulfill SIS requirements per IEC 61511, as well as addressing SISss during normal operation as part of good practice, can result in safer operations and confidence that the SIS is achieving its designed risk reduction.
Related: