
Things IEC61508/61511 Doesn't Tell You About Safety Systems - Why You Should Care!

Implementing IEC61511 on real Process Plants
Presenter

• Simon Lucchini is the Chief Controls Specialist for Fluor Canada at the Calgary, Alberta Office (an engineering, fabrication & construction company) and is also the Fluor Global Fellow for Safety Systems design. He has worked at Fluor for 15 years
• He was previously with ICI Australia/Orica for 23 years where he worked in operations, maintenance and engineering at hazardous explosives, chemical and petro-chemical facilities applying SIS. His last position was as Company Instrument and Controls Engineer.
• He is currently the Chair of the SIS committee under the ISA Safety & Cybersecurity Division.

2
Agenda Overview

• Far too many slides for 60 minutes
– Questions are more important than answers
• What is a Safety Function?
• ISA84.01, IEC 61508 & IEC 61511 Background
• Key IEC 61511 Clause
• Basic reliability & risk reduction factor
• Various Discussion Points
• ISA Safety & Cyber Security web page (10 minutes)
• Questions (15 minutes)

3
Various Discussion Points

• Hazard Identification and PHA/HAZOP
• Certifications and Approvals
• Understand the Process & effect of spurious trips
• Over reliance on multiple instrument layers
– Basic Control; Alarm/Interlock; Safety Function; High Integrity Pressure Protection System; Fire & Gas System?
• Over analyzing designs based on inadequate field data
• Use of diagnostics & Partial Stroke Testing
– Low demand & sticking behaviours
• Proof Testing & Operations

4
Items for Further Thought (not really covered today)

• Proper scheduling of PHA/HAZOP and HAZID
• Details of SIL allocation (e.g. LOPA)
• How are functional and integrity requirements identified for safety functions?
• How to properly document functional requirements?
• Where do reliability equations come from, and are there conditions under which they are not valid?
• Common cause, common mode failures

5
Items for Further Thought (not really covered today)

• What does operations and maintenance need to do?
• Providing operations with a workable design that can be maintained
• How do we cater for the complexity of software interactions in today’s programmable systems; failure as an emergent property?
• Systematic Capability & Hardware Fault Tolerance
• Over-emphasis on complex reliability equations

6
What is a Safety Function?
A Primer

• Logic Solver (PLC, DCS, SIS, Hardwired)
• Instrument Rack Room & HVAC
• Power Supply/Air Supply
• Wiring & Cabling System
• Field Instrument Installation
• Process & Process Hazard Identification
• HSSE Standards
• Operation and Maintenance
• Engineering & Design
• Management & Regulatory Framework
• Approved Vendors & Commercial

7
What is a Safety Function?
A Primer

[Figure: P&ID of a generic chemical reactor: FEED 1 and FEED 2 with flow transmitters FT 1 and FT 2, solenoid (S) trip valves on instrument air (IAS), an FFIC ratio controller, pressure transmitters PT A and PT B, a temperature transmitter TT, a PI with H/HH alarms, and a flare/vent line]

IEC 61511 Allocation of safety functions to protection layers

9
Protection Layers Graphic

[Figure: process value versus time rising through successive protection layers: Low Level and High Level handled by the Process PLC/DCS, the High Alarm Level where Process Operators take action, the Trip Level where the Emergency Shutdown (ESD) safety system takes its shutdown action, then the F&G Safety System and the SIS-controlled mechanical action, and finally "Boom!" if every layer fails]
What is a Safety Function?
Systems Engineering

[Figure: organisational chart around the Safety Instrumented Function: corporate management and corporate HSSE standards, national and local regulators, project business management (project director, project contract, project plant representatives, project HSSE standards, project engineering design) and plant business management (plant manager, plant operation management, maintenance manager, HSSE/process safety, plant HSSE standards, control room operators, plant operators), down to the physical plant and physical environment in which the SIF sits]
11
What is a Safety Function?
Simon’s Complexity Function

Complexity = 2^N
where N = number of interfaces

12
SIS International Standards
History

• IEC61508 Generic standard applicable to any industrial electrical/electronic/programmable safety-related systems (first published in 1998)
– drew from organizations such as ICI and HSE in the UK, DIN in Germany and ISA in the USA (ANSI/ISA S84.01 1996)
– basis for assessing the suitability of individual items of equipment for application in a safety-related system
– development of embedded software
– development of full variability programs (e.g. C++, Visual Basic)
– generic for any industry
– more for manufacturers
– performance based rather than prescriptive
SIS International Standards

• IEC61511/ANSI/ISA 84.00.01 Functional safety of SIS for the process industry sector (first published in 2003)
– group of international experts
– substantial contributions from chemical/petrochemical process plant operating companies such as BP, Shell, DuPont, BASF and British Nuclear Fuels Limited.
– sets criteria for the selection of equipment to be used in the system.
– development of limited variability application software
– specific to the process industry
– more for systems integrators & end-users
• Part 2 Guidelines for Part 1
• Part 3 SIL Allocation Guidelines (including LOPA)
• ISA TR84.00.XX SIS Implementation Guidelines
14
IEC 61511 Safety Life Cycle

15
IEC 61511 Key Clause

Clause 10.2 provides an excellent description of the general requirements for producing a SRS (safety requirements specification).
“The safety requirements shall be derived from the allocation of SIF and from those requirements identified during H&RA. The SIS requirements shall be expressed and structured in such a way that they are
• clear, precise, verifiable, maintainable and feasible;
• written to aid comprehension and interpretation by those who will utilise the information at any phase of the safety life-cycle.”

Important for verification and validation of safety functions

16
Hazard Identification & PHA
no story is complete without a comment

• PHA Identifies Hazards and their mitigation/control
• Most critical part of the Safety Life Cycle
• PHA
– theoretical “paper” exercise
– relatively easy to apply
– relatively easy to get wrong
– no immediate impact to the SIF design
– HSE department does not have to implement the design
– Process & HSE are the main drivers (SIS only one part)
– Getting earlier in project life cycle
– SIF designers may not be present
– SIL verification engineers may not be appointed yet
– SIL verification procedure most likely not started
17
Hazard Identification & PHA
the result

• Over emphasis on instrumentation for safety
– Basic Process Control
– Alarms & Interlocks
– SIF
– HIPPS
– Fire & Gas System?
• Field instrumentation is the “same” for all Protection Layers!
• Industry anecdotal information
– 50% SIF over designed; spurious trips?
– 5% SIF under designed; safety performance plateau?
• Please, no SIL 3

18
Hazard Identification & PHA
try something different

• Basic training in QRA & PHA for all participants before the PHA
• Prepare SIL verification procedure before the PHA/LOPA; alignment with Business, Operations and Maintenance
– plant turnaround schedule
– plant availability targets (spurious trips)
– proof test intervals & PST philosophy
– testing by Operations
– preventative maintenance schedule
– repair philosophy
– approved equipment list; reliability data
• Prepare SIL 1, 2 & 3 typicals/templates for PHA/LOPA
– reality check done at the source of the problem
– do not succumb to the snowball effect

19
PHA Action Item Example
proper definition

• Consider flow transmitter failure
• Consider whether the failure rate of the flow transmitter places an unacceptable demand on safeguards. If unacceptable, evaluate alternate technologies and present a cost benefit study to be evaluated at an ALARP review with operations
Get the best from PHA/HAZOP/HAZID

1. Application of HAZOP and What-If Safety Reviews to the Petroleum, Petrochemical and Chemical Industries, Dennis P. Nolan (ISBN 0-8155-1353-4)
2. Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety (third edition, ISBN 978-0-471-97815-2)
3. Loss Prevention in the Process Industries, Prof Frank P. Lees (second edition, ISBN 0-7506-1547-8)
4. Layer of Protection Analysis: simplified process risk assessment, Center for Chemical Process Safety (ISBN 978-0-8169-0811-0)
5. Various books by Trevor Kletz

21
Hazard Mitigation & Reliability Equations

• Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) / RRF
• Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) * PFDavg
• RRF (target) = Hazard Frequency (unmitigated) / Hazard Frequency (tolerable)
• Hazard Frequency = Hazard Rate

22
Basic IEC 61511 Safety Function
Integrity Requirements

• Safety Integrity Level (SIL) components
i. Reliability or likelihood that it can fail (term = PFDavg)
ii. Hardware fault tolerance; redundancy
iii. Systematic Capability (QA/QC).
• The higher the risk, the higher the required SIL (1, 2, 3)
– Higher reliability
– Increased redundancy
– Improved “quality assurance against systematic failures”
• Systematic Capability definition
– “….which applies to an element with respect to its confidence that the systematic safety integrity meets the requirements of the specified safety integrity level”

23
Hazard Mitigation & Reliability
Example

• PFDavg (availability)
– Proportional to failure rate × proof test interval

Unprotected Hazard Rate (1/yrs) | Target Hazard Rate (1/yrs) | RRF | SIL
1 in 10                         | 1 in 100                   | 10  | 1
1 in 10                         | 1 in 1000                  | 100 | 2

24
Control System Reliability

• Hazard Rate = Control System Failure Rate * Safety Function PFDavg
• Control System (DCS, PLC) equally important as SIS to plant safety
• Safety relies on having both, not just one or the other; backup
• Systematic failures are more important but more difficult to analyze
– 3rd Party Qualification to IEC 61508
– Prior use (i.e. experience in similar applications)

25
Graphical Derivation of Reliability (PFDavg)
Reliability Equation (simplified & no redundancy)

• Based on low demand (i.e. does not have to act very frequently)
• Tested more frequently than the demand rate
• Constant failure rate systems
• PFDavg = ½ * λ * T
– T = proof test interval & λ = failure rate of the device
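The slide 22, 24 and 27 arithmetic carried through in code, as an added Python example (mine, not the presenter's): it assumes per-year rates, a single non-redundant device in low-demand mode and the simplified PFDavg = ½λT; the SIL bands are the IEC 61511 low-demand table, and the device failure rate of 0.004 per year is a constructed placeholder.

```python
# Added example, not from the slides: target RRF, achieved PFDavg/RRF and SIL band
# for one device. Assumptions (mine, not the presenter's): rates are per year; one
# non-redundant device in low-demand mode with a constant failure rate and proof
# tests more frequent than demands, so PFDavg = 1/2 * lambda_d * T applies.
# SIL bands are the IEC 61511 low-demand table (SIL 1: RRF 10 to 100, SIL 2: 100 to
# 1000, SIL 3: 1000 to 10000, SIL 4: 10000 to 100000); as in the slide 24 table, an
# RRF sitting exactly on the lower boundary counts as meeting that band.


def target_rrf(unmitigated_per_yr, tolerable_per_yr):
    """RRF (target) = Hazard Frequency (unmitigated) / Hazard Frequency (tolerable)."""
    return unmitigated_per_yr / tolerable_per_yr


def mitigated_hazard_rate(unmitigated_per_yr, pfdavg):
    """Hazard Frequency (mitigated) = Hazard Frequency (unmitigated) * PFDavg."""
    return unmitigated_per_yr * pfdavg


def pfdavg_simple(lambda_d_per_yr, proof_test_interval_yr):
    """Simplified single-device approximation: PFDavg = 1/2 * lambda_d * T."""
    return 0.5 * lambda_d_per_yr * proof_test_interval_yr


def rrf_from_pfdavg(pfdavg):
    """RRF is the inverse of PFDavg."""
    return 1.0 / pfdavg


def sil_from_rrf(rrf):
    """Low-demand SIL band for an RRF: 0 = below SIL 1, otherwise 1..4.
    Raises for RRF >= 100000, which lies beyond the SIL 4 band."""
    # tiny relative tolerance so float noise from e.g. 0.1 / 0.001 does not push a
    # boundary value such as 100 into the lower band
    r = rrf * (1 + 1e-9)
    if r >= 100000:
        raise ValueError("RRF beyond the SIL 4 band; not a valid single-SIF claim")
    sil = 0
    for lower in (10, 100, 1000, 10000):
        if r >= lower:
            sil += 1
    return sil


def sil_check(unmitigated_per_yr, tolerable_per_yr, lambda_d_per_yr, proof_test_interval_yr):
    """Compare the SIL the hazard target needs with what the single device achieves."""
    needed_rrf = target_rrf(unmitigated_per_yr, tolerable_per_yr)
    pfd = pfdavg_simple(lambda_d_per_yr, proof_test_interval_yr)
    achieved_rrf = rrf_from_pfdavg(pfd)
    return {
        "target_rrf": needed_rrf,
        "required_sil": sil_from_rrf(needed_rrf),
        "pfdavg": pfd,
        "achieved_rrf": achieved_rrf,
        "achieved_sil": sil_from_rrf(achieved_rrf),
        "mitigated_hazard_per_yr": mitigated_hazard_rate(unmitigated_per_yr, pfd),
        "meets_target": achieved_rrf >= needed_rrf,
    }


if __name__ == "__main__":
    # constructed figures: hazard 1 in 10 years, tolerable 1 in 1000 years, and a
    # device with a dangerous failure rate of 0.004 per year; stretching the proof
    # test interval with the turnaround period walks the SIF out of its SIL band
    for T in (1, 2, 4, 6):
        r = sil_check(1 / 10, 1 / 1000, 0.004, T)
        print(f"T={T} yr: PFDavg={r['pfdavg']:.4f} RRF={r['achieved_rrf']:.0f} "
              f"SIL {r['achieved_sil']} (need SIL {r['required_sil']}) "
              f"meets={r['meets_target']}")
```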

27
Certifications & Approvals

• SIS Logic Solver Certification TUV/DIN standards
– significant history prior to IEC 61508 and ANSI/ISA 84
– well established s/w & h/w testing & validation processes to DIN V 19250 & DIN V 801 (now withdrawn)
– very defined/controlled boundary of installation & operation
– less complex & more defined functions than for process control
– controlled testing
– widely accepted industry certification
• IEC 61508 gives the requirements but not details:
– manufacturing quality system
– safety life cycle
– h/w design & tests
– s/w design & tests
– competency of personnel
28
Certification of field SIF components

• Not a long history of certification prior to IEC/ISA standards
• Not a well defined boundary for installation & operation
– temperature extremes
– vibration
– process fluids; corrosion, fouling
– access for maintenance
– documentation
• Reliability Data Relevance
– accelerated wear out testing; low demand versus high demand
– proven-in-use data for different plants; different environments
– vendor return data; incomplete
– FMEDA; calibrated against different applications
29
Certification of field SIF components

• SIL Certificate does not appear in IEC 61508 nor IEC 61511
• Safety Manual (i.e. product safety manual) is mentioned 49 times in IEC 61508 & >100 times in IEC 61511
• Details performance requirements for equipment used in safety functions
• Does not give details on how to validate reliability data for equipment used in safety functions

30
SIS International Standards

• Widely accepted and utilized international standards
– Mandatory in UK, Europe
– Not mandatory in North America unless there is an incident
– OSHA “Reasonable Care Standard”
• Guidance on the Safety Life Cycle
– establishing Safety Plan
– acceptable designs
– maintenance requirements
– and much more
• Comprehensive SIS literature & training
• There should be no issues with designing & maintaining Safety Instrumented Systems?
• However…….
31
Bridging the Gap between Design & Operations

• Operations do not want that SIS design
– Partial Stroke Testing
– Tripping on diagnostics
• Maintenance does not want that SIS design
– Proof Test Methods
– Repair Methods
– Non standard instrumentation
– Documentation of Basis of Design
– SIL 3 Safety Functions
• Business Managers do not want that SIS design
– Spurious Trips
– Speak a strange language (pedantic even for instrumentation folk)
– Is it a SIS or a SIF?
32
Improving Performance

• Confirm with Process & Operations that the design correctly addresses the hazard
• Review diagnostics and proof testing methodology with maintenance and operations before finalizing the SIL verification calculation
• Use proven in use equipment wherever possible
• Validate how maintenance is actually done
• Validate how the plant is actually operated
• Consider plant operating modes and operating procedures that have a bearing on proof testing
• Make reliability visible to operations (e.g. valve performance)
33
Improving Performance

• Question unrealistic risk mitigation for SIF
– Avoid SIL 3 at all costs (are they realistic?)
• Consider what facilities are required for proof testing
• Determine how the instrumentation will be repaired
– trip valve replacement
• Consider designing proof tests for Operations rather than Maintenance groups
• Give adequate consideration to the design of Operational and Maintenance Overrides
• Consider the effect of spurious trips on the reliability and safety of the Plant.

34
Plant Transitions
Startup & Shutdown

• IEC61511 requires the “identification of the dangerous combinations of output states of the SIS that need to be avoided”
• IEC 61511 requires that “Where reasonably practicable, processes should be designed to be inherently safe.”
• PHA/HAZOP is a blunt instrument that looks at deviations for one variable at a time
– does not easily identify transition states
– not very good at hazards caused by combinations of states
– Markov?
• Reducing spurious trips is crucial for a safe design; increased risks during plant transitions

35
Terminology

• FMEDA = Failure Modes & Effects Diagnostic Analysis
• HAZOP = HAZard and OPerability analysis, a type of PHA
• HAZID = Hazard Identification
• Lambda (λ) = Failure Rate per unit of time
• LOPA = Layers of Protection Analysis
• MTBF = Mean Time between Failures
• MTTF = Mean Time to Failure (MTBF=MTTF + MTTR)
• MTTR = Mean Time to Repair
• PFDavg = Probability of Failure Dangerous (on average)
• PHA = Process Hazard Analysis
• QRA = Quantitative Risk Analysis
• PST = Partial Stroke Test(ing)
• RRF = Risk Reduction Factor (inverse of PFDavg)
• SIF = Safety Instrumented Function
• SIL = Safety Integrity Level
• SIS = Safety Instrumented System
• SRS = Safety Requirements Specification
• Startup = Potential Hazard & Hopefully Making Money
• T = Proof Testing Interval
• Trip/Shutdown = Potential Hazard & Loss of Money
• Turnaround = When Plant is shutdown for extensive/statutory maintenance
Refinery Plant Transitions
Startup & Shutdown Considerations

• Size of the Facility
– Parallel Units
– Utilities (Steam, Power, Air, Flares & Vents)
• Complexity & Integration of the Facility
– Multi Step Separation and Reforming
– Reprocessing to obtain quality specification
– Multi Stream Production
– Environmental Controls
• Extensive Energy Recovery Systems
• Tight Energy Conservation pushes processing limits
• Recycle Flows
• Startup & Shutdown
• Long time to stabilize controls
• Many “timely” operator actions
37
Complex Processes
Refinery

38
Nice Day for a Proof Test

39
Identification of Unsafe combinations
how many are there?!

• How many trip valves in a typical refinery sub-unit S/D?
– 5, 10, 20?
• Combinations = 2^N
– 32; 1,024; 1,048,576
• Are these the only combinations that need to be considered?
– DCS outputs (increase demand on Safety Functions)
– manually operated valves
– other operator actions?
• Other considerations
– hot versus cold restarts
– inventory and surge capacities
– manual line ups
• More emphasis on spurious trip rates
40
Chemical Processes

• Size of the Facility
– Can still be large scale
• Complexity & Integration of the Facility
– Usually less complex process
– Little or no Reprocessing
– One or small number of Streams
– Environmental Controls
• Extensive Energy Recovery Systems
• Energy conservation is more straightforward
• Startup & Shutdown
• Stabilizing Reaction is faster/easier
• Hot startup versus cold startup less complex
• PST perhaps easier to sell

41
Chemical Processes
Explosives Ammonium Nitrate

42
Chemical Process
Ethylene Di-Chloride intermediate for vinyl chloride

43
Plant Transitions
Basic Message

• Avoid Spurious Trips
– Understand complexity of the Process:
– Startup interactions
– Dangerous trip interactions and states
– Hot startup versus cold startup
– Purge cycles
– Dumping to effluent streams
– Product re-processing
• SIF designers work with Operations
• Consider PHA Effectiveness (from before)

44
Partial Stroke Testing
scared of big valves?

45
Partial Stroke Testing
scared of big valves?

46
Partial Stroke Testing
he is not scared of big valves!

47
Partial Stroke Testing
he knows it’s the smaller guys you worry about!

48
Partial Stroke Testing Example:

• The good:
– Devised SIS programming for carrying out PST
– Arrange for checking stroke times of trip valves for FAT
– PST point of 80% open or measured time delay
– Devise test procedure and sign-off at acceptance test with client
– Repeated checks & acceptance tests at Site
• The bad:
– Valves smaller than 4 inch were too fast even with a relatively fast SIS
• The ugly
– Operators did not allow PST to be commissioned
– What was assumed for PFDavg calculation?

49
Partial Stroke Testing Example:
Background

• Difficult to undertake complete proof testing on trip valves outside Plant Turnarounds
– Tests need to be done online
– Easier for measurements; duplicate measurements
– Hard for final elements
• PST is one way to achieve PFDavg target
• Plug/Seat Considerations
– 30% to 70% test coverage?
– Leakage requirements (e.g. heat off, backflow)
– Clean, fouling, erosive or corrosive service
– High pressure drop, severe service, vibration
– Speed of response requirements

50
Partial Stroke Testing:
qualitative review PST effect on PFDavg

• Potential faults that can be found by a full test
– Tested less frequently
• Potential faults that can be found by a partial test
– Tested more frequently
• Overall improvement in reliability or PFDavg by PST when plant turnaround periods increase
• However, must ensure that Operations accept the methodology

51
Partial Stroke Testing:
review simplified equations for PST effect on PFDavg

• PFDavg = Cm*λd*t/2 + (1-Cm)*λd*T/2
– = (Cm/n + (1-Cm))*λd*T/2, since t = T/n
– Cm test coverage factor (e.g. 70%)
– T proof test interval
– t the PST test interval
– n the ratio of proof test to PST interval
– assume 100% coverage at proof test interval
– assume RRF 100 with no PST
• Improvement in RRF = 1/(Cm/n + (1-Cm))
• Cm = 30% to 70% and n = 5 to 10
– RRF improvement 130 to 270
• Benefits?
• Risks?
52
Partial Stroke Testing
traditional straightforward design

53
Partial Stroke Testing

• Traditional: momentarily de-energize the solenoid
• Today there are more options
– special SIS I/O cards are available with some systems
– latest digital positioners provide more options with controlled operation
– continuous positioning versus on/off control
• Solenoids and/or positioner for control of on/off valves
• Get involved with
– ISA TR84 SIS Guidelines
– ISA TR96.05.01 PST Guidelines

54
SIL Verification:

• What is the purpose of the SIL verification calculation?
– Manipulate the variables/options to get the required answer
– Calculate what the SIF actually is and do not “tweak” the factors to get the result that LOPA prescribed
– There are traps for the unwary when using sophisticated SIL verification software
• Where does the reliability data come from?
– Does the instrument need to work, or is the SIL certificate the ultimate selection criterion?
– some oil & gas majors use only standard instrumentation for their Proven-In-Use database and not “special” SIS instruments
– others use only “special” SIS instruments
• There is more than one answer!

55
SIL Verification:
the assumptions for the SRS

• Basis for maintenance; document how verification was done
– Instrumentation Model Listing
– Reliability Data
– Process Connection Details
– Use of PST
– Proof test coverage
– Common Mode failure
– Tripping on diagnostics & Coverage factor
– Plant Turnaround periods
– Proof Test Methods

56
SIL Verification:
Example: Process Fluid and Connections
[Table: process connection by process fluid. Columns: Clean; Impulse Plugging Low / Med / High; Remote Seal. Rows: Steam (outside); Steam (inside); BFW Condensate (outside); BFW Condensate (inside); Instrument Air, Utility Air, N2, O2, PSA Hydrogen; Naphtha, Diluent, C5+ Product, Butane; Lub Oil (outside); Lub Oil (inside); Gas Oil, LVGO, HVGO, Crude Unit, Depropanizer; Atmospheric Bottoms, Vacuum Bottoms, DAO; Soot Slurry; Asphaltene; Fuel Gas, Tail Gas, Syngas, Process Gas. Each row carries a single X; the column it falls in did not survive extraction]
57
Reliability/Failure Rate Data
another topic

• SIL certificates versus Product Safety Manual
• SIL certified versus SIL capable
• Performance standards versus detailed requirements
• Sources of reliability data for SIL verification
– Proven in use
– Stress testing
– FMEDA (failure modes & effects diagnostics analysis)
Proven In Use Data

• Where can it be obtained?
• Vendor returns and service history
– does it meet IEC 61511 criteria?
– how does the vendor know?
– there are SIL certificates issued this way by well known certifying bodies!
• Industry sector data
– OREDA (Offshore REliability DAta); how applicable to onshore?
– generic databases; very conservative
• End user records & analysis
– difficult to set up
Reliability/Failure Rate Data

• System for collecting Proven-in-Use reliability data
– Failure data categorized by process application (e.g. DP level on gasoline) from DCS & SIS
– Make & Model not as relevant
– Difficult for smaller companies to get statistically valid data
• Why use instrumentation already in place at the facility
– Documentation
– Vendor backup
– Training
– Track record; known to work
– Larger statistical base
• When is reliability data valid (useful life)

60
Equipment Useful Life
When is reliability data valid (useful life)

[Figure: the classical bathtub curve, failure rate versus operating life (t): a burn-in phase with decreasing failure rate (infant mortality), a useful-life phase with a low “constant” failure rate (normal life), and a wear-out phase with increasing failure rate, e.g. after 10,000 cycles]
Failure Rates, Plant Turnaround, Proof Test Interval & Useful Life

• PFDavg = λd*T/2
• λd valid only for the useful life period (life time)
• Plant turnaround periods increasing
• Low Demand Mode
• Final elements “seizing/sticking”
• PFDavg = Cm*λd*T/2 + (1-Cm)*λd*LT/2
– Cm is proof test coverage factor (e.g. 70%)
– LT is device life time
– Are devices being replaced after LT?
– How are devices being maintained?
– Proof test does not equal maintenance
Stress Testing
Does it work?

• A batch of solenoids is operated for many thousands of cycles over a period of several weeks under varying environmental conditions. The failure rate data is then normalised to the anticipated usage of the device
• Reliability data derived by this methodology rarely applies to the process industry
• Review in context of reliability bath-tub curve
Equipment Useful Life:
Low Demand Applications

[Figure: the same bathtub curve drawn for low-demand applications, with “apparent end of life” failures appearing inside the nominal useful-life phase, so that the apparent useful life is shorter than the classical curve suggests]
FMEA, FMEDA & FMECA

• Important analysis tool for determining failure rate data
• Systematic process for identifying faults and errors in a device
• Detailed list of all components
• Component failure modes, effect on other components and the severity of the failure
• Diagnostic coverage factor, criticality and failure type (e.g. dangerous, spurious).
• Team reviews the modes of operation & identifies failure mechanisms
Design out the Problem;
SIL Verification is not Enough

• FMEDA process distilled into one variable
– Each failure mode has differing mechanisms
– Each failure mode has differing “durations”
• Calibration of critical “sticking” failure data?
• Detailed failure modes confidential
• Verification versus design by different parties
• Identify the failure modes and remove the problem
• Partial stroke testing can be an important tool
– Acceptance by operations?
– Validating coverage factors?
Diagnostics:
review simplified equations effect on PFDavg

• λd = λdu + λdd
• λdd depends on diagnostic coverage (DC)
• PFDavg = λdu*T/2 = (1-DC)*λd*T/2
– DC factor (e.g. 70%)
– T proof test interval
– assume 100% coverage at proof test interval
• Improvement in RRF = 1/(1-DC)
• DC = 20% to 75%
– RRF improvement 25% to 300%
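The three formulas on slides 52 (PST), 63 (useful life) and 67 (diagnostics) as one added Python example (not the presenter's code): each is the simplified PFDavg with a fraction of the dangerous faults cleared at one interval and the remainder at another. Function names and the constructed 4-year proof test / 20-year device life figures are my assumptions, and detected faults are taken, as on slide 67, to be cleared immediately.

```python
# Added example, not from the slides: slides 52, 63 and 67 are instances of one
# expression, PFDavg = lambda_d/2 * (fraction * interval_a + (1 - fraction) * interval_b),
# on the presenter's simplified single-device, low-demand PFDavg = lambda_d * T / 2 basis.
# Names and the constructed numbers below are mine.


def pfdavg_split(lambda_d, fraction, interval_a, interval_b):
    """PFDavg when `fraction` of dangerous faults is cleared every `interval_a`
    and the remaining faults every `interval_b` (same time unit as lambda_d)."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    return lambda_d * (fraction * interval_a + (1.0 - fraction) * interval_b) / 2.0


def pfdavg_pst(lambda_d, T, Cm, n):
    """Slide 52: PST with coverage Cm every T/n, full proof test every T."""
    return pfdavg_split(lambda_d, Cm, T / n, T)


def pfdavg_useful_life(lambda_d, T, Cm, LT):
    """Slide 63: proof test coverage Cm every T; the remaining faults persist for
    the device life time LT unless the device is replaced."""
    return pfdavg_split(lambda_d, Cm, T, LT)


def pfdavg_diagnostics(lambda_d, T, DC):
    """Slide 67: dangerous-detected fraction DC cleared at once (interval 0),
    dangerous-undetected fraction found at the proof test every T."""
    return pfdavg_split(lambda_d, DC, 0.0, T)


def rrf_ratio(lambda_d, T, pfd_with):
    """RRF with the measure divided by RRF of plain proof testing every T."""
    return (lambda_d * T / 2.0) / pfd_with


def rrf_improvement_pst(Cm, n):
    """Slide 52: 1 / (Cm/n + (1 - Cm)); independent of lambda_d and T."""
    return rrf_ratio(1.0, 1.0, pfdavg_pst(1.0, 1.0, Cm, n))


def rrf_improvement_diagnostics(DC):
    """Slide 67: 1 / (1 - DC)."""
    return rrf_ratio(1.0, 1.0, pfdavg_diagnostics(1.0, 1.0, DC))


def rrf_change_useful_life(Cm, T, LT):
    """Slide 63: a factor below 1 when untested faults outlive the proof test."""
    return rrf_ratio(1.0, T, pfdavg_useful_life(1.0, T, Cm, LT))


if __name__ == "__main__":
    # slide 52 range: Cm 30 to 70 %, n 5 to 10, starting from RRF 100 without PST
    for Cm, n in ((0.3, 5), (0.7, 10)):
        print(f"PST Cm={Cm:.0%} n={n}: RRF 100 -> {100 * rrf_improvement_pst(Cm, n):.0f}")
    # slide 67 range: DC 20 to 75 %
    for DC in (0.2, 0.75):
        gain = rrf_improvement_diagnostics(DC) - 1
        print(f"diagnostics DC={DC:.0%}: RRF +{100 * gain:.0f}%")
    # slide 63, constructed: 70 % coverage, 4-year proof test, 20-year device life
    print(f"useful life: RRF factor {rrf_change_useful_life(0.7, 4, 20):.2f}")
```

The PST and diagnostics ratios reproduce the slides' 130 to 270 and 25% to 300% ranges; the useful-life case shows the opposite effect, the RRF claimed from λd*T/2 shrinking to under half once the 30% of faults the proof test misses are carried for the device's whole life.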

67
Diagnostics:
who wants them?

• Improvement in PFDavg
– Dangerous Detected versus Undetected
– Comparison transmitters from DCS
– Signal Fault diagnostics
• Automatic trip upon diagnostic detection
• Manual intervention upon diagnostic detection
– Assumed repair times
• Dangerous Times
– Shutdown
– Startup
– Upset conditions

68
Proof Test Intervals
discuss with Operations, Maintenance & Business

• What is the plant turnaround schedule?
• Who will devise the proof test methods?
• Can some proof tests be automated (e.g. recording valve opening/closing performance)?
• Who does the proof testing?
• Is partial stroke testing acceptable?
• How will faulty final devices be replaced (s/d the plant?)
• Is the design testable?
• Do the actual proof test methods ensure the assumed coverage factors in the SIL verification calculation are valid?

69
Proof Testing

• Checks by Operations
– 24/7
– Logs, inspections and walk downs
– Automatic valve closure & opening times
– Revision control of SIS s/w
– Example of pumping methanol in column sumps
– Comparison checks & logs of measurements
– Testing of duplicate offline trip valves
• Maintenance are typically fire fighters
– Regular checks are lower priority to keeping plant online
– Typical design of SIF does not take into account proof testing
– Asset Management System; who has completely implemented?

70
Do we have all the answers?
probably not, but!

• SRS is a very important document (IEC 61511 Sec 10.3)
• Standards have good performance requirements
– read/understand them
• Standards do not have all the design details
– learn about process and instrumentation
• Do not hide behind complex reliability equations
• Let’s do more to get realistic reliability data
• Get the right people in at HazID & PHA
– Realistic expectation for what can be done with instrumentation layers
– It is too easy to pass on the problem to the instrumented protection layers
• Please, no SIL 3
71
References

• Safety Instrumented Systems: Design, Analysis & Justification, Paul Gruhn & Harry Cheddie (ISBN 1-55617-956-1), ISA Publication
• Control Systems Safety Evaluation & Reliability, William M. Goble (ISBN 1-55617-966-0), ISA Publication
• Evaluating Control Systems Reliability, William M. Goble (ISBN 1-55617-128-5), ISA Publication (Markov)
• OREDA Offshore & Onshore Reliability Data 6th Edition, Vol 1 Topside Equipment (ISBN 978-82-14-05948-9)

72
The SIS Engineers are back;
are they going to disrupt my operations again?

Comments?

73
ISA Safety & Cyber Security
Webpage

• Visit, contact and raise questions
• Submit ideas for articles
• Contribute articles

74
