Mitigating safety risk and maintaining operational reliability




Date: 03/29/2010

Assessment and cost-effective reduction of process risks are critical to protecting the safety of employees and the public, minimizing environmental damage, reducing potential capital losses, shortening business interruptions, and limiting legal and regulatory exposure. Premier Consulting Services (PCS) provides national and international standards compliance verification, risk analysis, assessment, and reduction methodologies through the application of Safety Instrumented Systems (SIS) for all major industries, including refining, petrochemical, pulp and paper, utility, nuclear and manufacturing. PCS applies specific, high-expertise skills to achieve an objective solution that increases safety and reliability performance for its clients. Creating solutions that yield the greatest cost-to-benefit ratio and increase competitive performance is the focus of Premier Consulting Services (PCS).

This document concisely describes the typical SIS project flow with emphasis on compliance with national and international safety standards, specifically the IEC 61511 safety lifecycle. Although some stages or functions may be performed by the end user, engineering contractor and/or SIS vendor, the outline for each project stage describes all the objectives and deliverables in general terms, irrespective of the provider. Services that are within the PCS scope are highlighted separately.

Page 1 of 1

A. Site Assessment

The critical system site assessment is conducted to determine the risk associated with the operation of process units, and to evaluate the design, operation and maintenance of existing safety instrumented systems (SIS). The assessment involves the following:

- On-site surveys of operating units
- Reviews of available documentation (operating and maintenance procedures, P&IDs, process safety management documentation, etc.)
- Examination of process hazards analysis results
- Discussions with plant personnel concerning operating history

Current national and international standards are used to benchmark the facility's risk exposure. Conformance to IEC 61511 and/or ANSI/ISA S84.01-2004 is reviewed. For systems designed and constructed prior to the issuance of the new standards, an evaluation of the design, maintenance and testing records for safe operation provides a basis for decision-making regarding the adequacy of the existing SIS (i.e. the grandfather clause in the U.S.). Recognizing the importance of process uptime and the detrimental impact of spurious trips on operating costs as well as on safety, recommendations are made to improve reliability.

The PCS report lists site findings with recommendations for compliance with the company's objectives concerning safety and reliability, including conformance to applicable national and international standards in the areas of:

1. Design and architecture
2. Safety availability issues
3. Reliability (spurious trip) issues
4. Support systems
5. Installation
6. Validation
7. Testing and maintenance
8. Auditing
9. Hardware issues
10. Software issues
11. Security
12. Human-Machine Interface
13. Management of Change issues
14. Competence requirements

The site assessment provides management with a basis for prioritized capital spending by providing specific recommendations for risk reduction and reliability improvement. It demonstrates to insurers, regulatory agencies, company personnel and the public that a serious plan has been established to address safety and reliability issues.

Site Assessment

Inputs:
- On-site survey of operating units
- Process design drawings
- P&ID / electrical drawings
- Process HAZOP/PHA
- Operating history
- Maintenance and test procedures
- Maintenance and test records

Deliverables:
- Standards compliance
- Safety availability issues
- Reliability issues
- Testing and maintenance issues
- Procedures issues
- Competence requirements
- Risk exposure
- Improvement recommendations

B. Competency Assessment

International standards and regulatory agencies require that the organizations and the personnel involved in the safe operation of the plant demonstrate and document their competence for the activities for which they are accountable. IEC 61511-1 clause 5.2.2 makes the following statement:

As a minimum, the following items should be addressed when considering the competence of persons, departments, organizations or other units involved in safety life-cycle activities:

a. Engineering knowledge, training and experience appropriate to the process application.
b. Engineering knowledge, training and experience appropriate to the applicable technology used (for example, electrical, electronic or programmable electronic).
c. Engineering knowledge, training and experience appropriate to the sensors and final elements.
d. Safety engineering knowledge (for example, process safety analysis).
e. Knowledge of the legal and safety regulatory requirements.
f. Adequate management and leadership skills appropriate to their role in safety life-cycle activities.
g. Understanding of the potential consequence of an event.
h. The safety integrity level of the safety instrumented functions.
i. The novelty and complexity of the application and the technology.

PCS has developed the PFSE (Premier Functional Safety Engineering) training program as a service to plant operators, engineering contractors and integrators, with the objective of addressing the requirements of the standards in the area of competency in safety engineering knowledge and safety regulatory requirements.

PFSE Premier Functional Safety Engineering Program
- One-week mastering training program
- Instructor-led, classroom setting
- Working examples and discussions
- Written tests and exams
- Compliance to:
  - IEC 61508-1 paragraph 6.2.1 (h)
  - IEC 61511-1 paragraph 5.2.2

Invensys-Premier Consulting Services offers the PFSE training course addressing functional safety in the field of Safety Instrumented Systems. Contents, material and final exams for this course have been reviewed and assessed positively by TÜV Industrie Service GmbH, Automation, Software and Information Technology (ASI). PCS is a TÜV Industrie Service GmbH, ASI accepted course provider for the TÜV Functional Safety Program. Participants of the Premier Consulting Services PFSE training course will receive, upon successful completion, a TÜV certificate including a TÜV Functional Safety Engineer logo and ID number.

See details of the TÜV Functional Safety Program at: www.tuvasi.com

PCS course instructors are certified TÜV Functional Safety Experts (SIS) according to the TÜV Functional Safety Program.

C. PHA / SIF Review and SIL Assignment

IEC 61511 and ANSI/ISA S84.01-2004, as well as regulatory agencies, require that a process hazard analysis (PHA) be performed to identify potential hazards in the operation of a process unit. The PHA is a methodical examination of the process design that involves the participation of a multidisciplinary team to identify potential hazards and operability problems that could result in undesired consequences with adverse impact on personnel, equipment or the environment. The initial process PHA is normally performed by the plant operator in conjunction with the process licensor or basic design team. The process design drawings and narratives, together with the P&IDs and the PHA documents, form the basis for the identification of the safety instrumented functions (SIF) required to mitigate the potential hazards.

Premier Consulting Services provides industry experts for the review of the PHA results and the allocation of Safety Instrumented Functions (SIF), leading to the assignment of a target Safety Integrity Level (SIL) for each SIF. Safety integrity is a measure of the likelihood that the SIF will achieve the specified safety function. A PCS senior consultant performs the role of facilitator and provides guidance to a multidisciplinary team consisting of plant experts in the areas of process, operations, safety, maintenance, instrumentation and electrical. The standards do not mandate any specific method for assigning the target SIL rating, but do provide examples of industry-recognized techniques. The PCS facilitator reviews the different methodologies (risk matrix, risk graph, LOPA, semi-quantitative, etc.) and their applicability to each situation, leading to a consensus on the techniques to be utilized.

PCS provides further guidance on aligning the selected SIL assignment method with the corporate risk tolerance criteria. Where necessary, the ALARP risk tolerance principle is discussed and taken into account. The multidisciplinary team reviews every SIF and, with PCS guidance, a SIL rating is assigned to each safety instrumented function. The SIS View software tool-set is made available for the target SIL determination process. The final report reflects the assumptions made with regard to potential hazard likelihood, consequence and risk tolerance criteria in conjunction with the target SIL assigned to each independent SIF. Premier Consulting Services (PCS) reports are recognized worldwide for their integrity and professionalism by plant operators, regulators and risk insurers.

PHA / SIF Review and SIL Assignment

Inputs:
- Process narratives
- Process design drawings
- P&ID / electrical drawings
- Process HAZOP/PHA
- SIF allocations
- Multidisciplinary team
- Corporate guidelines

Deliverables:
- PHA review
- Corporate risk tolerance review
- SIL assignment methodology review
- Hazards assumptions review
- SIL target assignment to each SIF
- PCS written report

Tools: SIS View

D. SRS Safety Requirements Specification

The safety requirements specification (SRS) is a documentation requirement of IEC 61511 and ANSI/ISA S84.01-2004 (IEC 61511 Mod) and is an integral part of the Safety Lifecycle model. The SRS is a summary of key decisions that must be made prior to the conceptual design. The purpose of the SRS is to define the envelope of the Safety Instrumented System (SIS) design. This document, or collection of documents, should be viewed as a basis of design. It is a crucial review step that will minimize downstream detail design changes that could impact cost and/or schedule. The SRS consists of both safety functional requirements and safety integrity requirements. The software safety requirements specification shall be derived from the safety requirements specification and the chosen architecture of the SIS.

The SRS should include the following requirements:

- Description of all the SIF necessary to achieve the required functional safety;
- Requirements to identify and take account of common cause failures;
- Definition of the safe state of the process for each identified SIF;
- Definition of any individually safe process states which, when occurring concurrently, create a separate hazard (for example, overload of emergency storage, multiple relief to flare system);
- The assumed sources of demand and demand rate on the SIF;
- Requirement for proof-test intervals;
- Response time requirements for the SIS to bring the process to a safe state;
- The SIL target and mode of operation (demand/continuous) for each SIF;
- Description of SIS process measurements and their trip points;
- Description of SIS process output actions and the criteria for successful operation, for example, requirements for tight shut-off valves;
- The functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives;
- Requirements for manual shutdown;
- Requirements relating to energize or de-energize to trip;
- Requirements for resetting the SIS after a shutdown;
- Maximum allowable spurious trip rate;
- Failure modes and desired response of the SIS;
- Any specific procedure requirements for starting up and restarting the SIS;
- All interfaces between the SIS and any other system (including the BPCS and operators);
- Description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode;
- The application software safety requirements;
- Requirements for overrides/inhibits/bypasses, including how they will be cleared;
- The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS;
- The mean time to repair which is feasible for the SIS;
- Identification of the dangerous combinations of output states of the SIS that need to be avoided;
- The extremes of all environmental conditions that are likely to be encountered by the SIS shall be identified;
- Identification of normal and abnormal modes for both the plant as a whole (for example, plant start-up) and individual plant operational procedures (for example, equipment maintenance, sensor calibration and/or repair). Additional safety instrumented functions may be required to support these modes of operation;
- Definition of the requirements for any safety instrumented function necessary to survive a major accident event, for example, time required for a valve to remain operational in the event of a fire.

Note: Non-safety instrumented functions may be carried out by the SIS to ensure orderly shutdown or faster start-up. These should be separated from the safety instrumented functions.

SRS - Safety Requirements Specification Development

Inputs:
- PHA / process design data
- Process dynamics for each SIF
- Process common cause considerations
- List of SIF with individual SIL targets
- Process design drawings / narratives
- SIF cause & effect matrices
- P&ID / electrical drawings
- Data gathered during SRS development

Deliverables:
- Functional safety requirements
- Integrity safety requirements
- Software safety requirements
- Comprehensive SRS report

E. SIS Device Selection: PIU and MHFT

IEC 61511 and ANSI/ISA S84.01-2004 require that components and subsystems (sensors, logic solvers and final elements) for use as part of a SIS for SIL 1 to SIL 3 applications be designed in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else comply with the Proven-In-Use (PIU) requirements of IEC 61511. Additionally, the standards require that sensors, logic solvers and final elements selected for use as part of a SIS for SIL 1 to SIL 3 applications conform to Minimum Hardware Fault Tolerance (MHFT) criteria. The MHFT has been defined to alleviate potential shortcomings in SIF design that may result from the number of assumptions made in the design of the SIF, along with uncertainty in the failure rate of components or subsystems used in various process applications.

IEC 61511 and ANSI/ISA S84.01-2004 have further design requirements regarding the independence of the SIS and the BPCS (sensors, logic solver and final elements). IEC 61511-2 clause 11.2.4 deals with the special concerns of SIS-BPCS separation, independence, diversity, hardware common cause, systematic (software) common cause and human errors.

Premier Consulting Services provides expert consulting in the selection of components and subsystems (sensors, logic solvers and final elements), addressing the requirements of proven-in-use and minimum hardware fault tolerance in IEC 61511 and ANSI/ISA S84.01-2004. Specific emphasis is placed on determining the adequacy of field devices with prior-use records, including the number of these devices with sufficient operating experience in a similar operating profile and process application environment. PCS provides further guidance and analysis of test results (i.e. FMEDAs) or third-party certifications (i.e. TÜV, FM, etc.) for field devices with certain SIL claim limits and their adequacy for the SIS application, including any application guidelines and/or restrictions.

Bearing in mind that the logic solver is normally shared by a number of safety functions, selection of the safety PLC technology is crucial to a safe and reliable SIS.

Premier Consulting Services expertise can prove invaluable in the analysis of logic solver manufacturers' claims for safety availability, reliability, fault tolerance and safe failure fraction as they relate to demand mode or continuous mode of operation. Furthermore, an analysis of any third-party (i.e. TÜV, FM, etc.) certification guidelines and restrictions, as well as an analysis of the manufacturer's safety manual, becomes an essential review process in the selection of the logic solver technology. Premier Consulting Services recognizes that third-party certifications (i.e. TÜV, FM, etc.) to IEC 61508 and other applicable standards are focused exclusively on the fail-safe mode of operation of the device. Premier Consulting Services also recognizes the importance of process up-time and therefore provides the expertise for the selection of SIS devices that offer not only safety, but a high degree of reliability and a low spurious trip rate. There are some devices and PLCs on the market that have low fault tolerance and low redundancy but a high safe failure fraction, and thus get certified to even a SIL 2 or SIL 3 rating. PCS expert analysis and recommendations are aimed at avoiding the trap of designing a safe but unreliable SIS.

SIS Device Selection: PIU and MHFT

Inputs:
- Field equipment performance data
- Site environmental data
- Process up-time requirements
- List of SIF with individual SIL targets
- Project data gathered during study

Deliverables:
- Proven-in-use device analysis
- Fault tolerance device analysis
- Third-party certification analysis
- Application restrictions analysis
- Device safety & reliability analysis
- BPCS-SIS independence analysis

F. Conceptual Design

The SIS design and engineering phase of the Safety Lifecycle requires a solid conceptual design which develops and verifies that all the items defined in the SRS (Safety Requirements Specification) are fulfilled. The following considerations shall be accounted for:

- Field instrumentation redundancy requirements and voting scheme.
- Field instrumentation process connection requirements, considering possible tap plugging, freezing, etc.
- Logic solver technology per the SRS.
- Cabinet integration requirements; material / temperature / humidity limits.
- BPCS technology and communication requirements.
- Field and communication wiring / routing requirements.
- Power source requirements, such as redundancy and/or UPS.
- Environmental requirements: lightning, flooding, extreme temperatures.
- Requirements for intrinsic safety / explosion proof.
- SIS equipment and junction box identification / tags / color painting, etc.
- Possible sources of common cause failures of the SIS.
- Non-safety instrumented functions in the SIS that may negatively affect a SIF shall be treated as part of the SIS, complying with the highest SIL requirements.
- Common hardware and software SIS that share SIF of different SIL will be designed to meet the highest SIL.
- BPCS-SIS separation, independence and diversity shall be assessed.
- Requirements for operability, maintainability and testability shall be assessed (i.e. bypass facilities for on-line testing, including alarms when in bypass).
- Design of the HMI shall account for human capabilities and limitations and accommodate the level of operator training.
- Manual E-Stop should be implemented per the SRS.
- Subsystems that do not fail to the safe state on loss of power require line monitoring and special power loss detection measures.
- Action required upon detection of a fault, either by diagnostics or proof testing.
- Operator response time to critical alarms shall be accounted for.
- Bypass protection by key locks or passwords shall be implemented.
- SIS status, such as active, bypassed or tripped, shall be a function of the HMI.
- SIS operator interface shall be protected against unauthorized changes.
- Any failure of the SIS maintenance/engineering interface should not prevent the SIS from bringing the process to its safe state.
- The maintenance/engineering interface should not be used as operator interface.
- SIS communication failures should not prevent the SIS from bringing the process to its safe state.
- Electromagnetic interference and power surges in the SIS communication should not cause dangerous failures.
- Where required by the SRS, the design should allow for on-line proof testing of the SIS, either end to end or in parts.
- The operator should be alerted to the bypass of any part of the SIS by an alarm or procedure.
- Forcing of I/O in the PES should not be allowed, unless supplemented by procedures and access security.

Conceptual Design

Inputs:
- SRS - Safety Requirements Specification
- Field technology / voting
- PES technology
- Power sources data
- Environmental data
- Project data gathered during study

Deliverables:
- Power & grounding conceptual drawings
- Field installation typical drawings
- Bypass typical drawings
- E-Stop typical drawings
- HMI requirements
- Communication requirements
- SIS P&IDs (as applicable)
- SIS cause & effect matrix (as applicable)

G. SIL Verification

IEC 61511 and ANSI/ISA S84.01-2004 require a quantitative verification of the SIL of each SIF to meet the target SIL determined in the SRS. Modeling methods are referred to in IEC 61511-2 Annex A and described in IEC 61508-6 and ISA TR84.0.02:

a. Reliability block diagram technique
b. Simplified equations technique
c. Fault tree analysis technique
d. Markov modeling technique

The modeling technique is selected as appropriate for each application. Fault Tree Analysis (FTA) was developed in the 1960s by Bell Laboratories in the United States. During the Polaris Missile Project, FTA was utilized to evaluate the probability of an inadvertent launching of a Minuteman missile. FTA has been used extensively by the military, the space program, and the nuclear industry. It is a highly adaptable logic diagram based technique that can be readily applied to the processes of the refining, petrochemical, chemical, oil and gas production, pipeline, pulp and paper, utility, nuclear, manufacturing and pharmaceutical industries. Premier Consulting Services recommends this FTA technique for complete SIF SIL quantified verification. The principal benefits include: A clear graphical representation of the system. Mathematical models for numerous modes of operation (i.e., repairable, non-repairable, and stand-by). Results directly indicate key contributors to system unavailability. Consideration of sensitivity cases for modifications to system components, architecture, and component testing intervals. Easy conversion of system model for evaluation of nuisance trip rates Fault tree analysis is a top down deductive method for identifying the numerous ways in which equipment failures, software failures, human error, environmental factors, and external events can lead to accidents or other undesirable conditions. A fault tree model consists of a top event and a connecting logic structure of events that must take place in order for the undesired top event to result. In the evaluation of Safety Instrumented Systems, there are two scenario top events that are typically of interest: SIS Failure on Demand and SIS Spurious Trip. A model of the SIS failure on demand investigates the potential for the SIS failing to perform its designed safety function. 
In the event of a failure on demand, the process plant is experiencing an undesired condition that the SIS has been designed to detect and, upon detection, automatically take the process to a safe state but because of a latent failure, the SIS fails to function, allowing the undesired condition and the subsequent consequences to continue. Simply stated, the SIS fails to perform its designed function when needed. The second scenario top event that is considered in the evaluation of SIS is a spurious trip. In the event of a spurious trip, the SIS has taken action when no process condition warranting such action is present. Both the failure on demand and the spurious trip are critical performance characteristics of an SIS. Page 14 of 14

The fault tree model consists of a single top event, a number of simple faults called basic events and logical operators that dictate how the basic events must combine to result in failure described by the fault tree top event. Basic events, which represent a simple failure or fault, are the building blocks of the model. It may be a hardware failure, a human error, or an adverse condition. Basic events are always assumed to be independent of each other. A common cause event must be modeled as its own basic event, and be assigned its own failure probability or failure rate. This event is then regarded as statistically independent of all other basic events. Logical gates are used to connect the basic events and the resulting secondary conditions, in order to represent the ways to achieve the top event. The basic events are assigned a corresponding failure rate, proof test interval and mission time data for computation in the Fault Tree. The resulting PFD avg calculation for each SIF is referenced to the SIL number and compared with the target SIL determined in the SRS. This constitutes the quantified SIL verification process for the fail to function or Safety Availability. A second Fault Tree is constructed to verify the MTTF spurious. The computed result is compared with the maximum spurious trip rate established in the SRS. This constitutes the quantified verification of the spurious trip rate. Special Tools Fault Tree Analysis requires the use of Boolean algebra for the mathematical quantification in order to achieve correct and repeatable results. Therefore, a computer model is recommended for quantification of the fault trees. The US Department of Energy supports a fault tree analysis program with the appropriate mathematics capability and minimum cut sets assessments, which was initially developed for the Nuclear Industry. 
That software package, SAPHIRE (Systems Analysis Programs for Hands-on Integrated Reliability Evaluations), is used by Premier Consulting Services. PCS may also use SILwatch, a fault tree based computer modeling tool, for the simpler safety instrumented functions. Both tools have been verified to yield equivalent and repeatable results.
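As an added illustration of the fault tree quantification described above (example code written for this page, not the SAPHIRE or SILwatch tooling PCS uses), the following Python builds the two fault trees for one constructed SIF: it reduces the fail-to-function tree to its minimal cut sets, computes PFDavg from the simplified per-event formula λDU·TI/2 and the rare-event approximation (sum over cut sets of the product of member PFDs), reports each device's percentage contribution, maps the result to a SIL band and checks it against the SRS target, then computes the spurious trip rate and MTTFspurious from the second tree. All tag names, failure rates, proof test intervals and SRS limits are assumed values; mission time is not modeled.

```python
"""Worked SIL verification of one SIF with a small fault tree (added example, not the
SAPHIRE or SILwatch tooling the page describes). Approximations used: per basic event
PFDavg = lambda_DU * TI / 2 (valid when lambda_DU * TI << 1) and P(top) ~ sum over
minimal cut sets of the product of member PFDs. All numbers below are constructed."""
from itertools import product

# A tree node is either a basic-event name (str) or a (gate, [children]) tuple.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}  # PFDavg [lo, hi)
HOURS_PER_YEAR = 8760.0


def minimal_cut_sets(node):
    """Boolean reduction of the tree: the sets of basic events that together produce the
    top event, with supersets of other cut sets removed."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":        # any one child path suffices
        combined = set().union(*child_sets)
    elif gate == "AND":     # one path from every child is needed at the same time
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return {cs for cs in combined if not any(other < cs for other in combined)}


def event_pfd_avg(lambda_du, proof_test_hours):
    """Average unavailability of a basic event whose dangerous undetected failure is only
    revealed by proof testing."""
    return lambda_du * proof_test_hours / 2.0


def top_pfd_avg(cut_sets, event_pfd):
    """Rare-event approximation: sum over cut sets of the product of member PFDs."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for e in cs:
            p *= event_pfd[e]
        total += p
    return total


def achieved_sil(pfd_avg):
    """Map PFDavg to the IEC 61511 demand-mode SIL band (0 = below SIL 1)."""
    if pfd_avg >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfd_avg >= SIL_BANDS[sil][0]:
            return sil
    return 4  # below 1e-5: no higher SIL is defined for the process sector


def verify_sif(tree, lambda_du, proof_test_hours, target_sil):
    """The SIL-verification deliverables for one SIF: minimal cut sets, PFDavg, RRF,
    achieved SIL, each device's % contribution to PFDavg, and pass/fail vs the SRS target."""
    event_pfd = {e: event_pfd_avg(lambda_du[e], proof_test_hours[e]) for e in lambda_du}
    cut_sets = minimal_cut_sets(tree)
    pfd = top_pfd_avg(cut_sets, event_pfd)
    contrib = {e: (100.0 * top_pfd_avg({cs for cs in cut_sets if e in cs}, event_pfd) / pfd
                   if pfd else 0.0) for e in lambda_du}
    sil = achieved_sil(pfd)
    return {"cut_sets": cut_sets, "pfd_avg": pfd, "rrf": 1.0 / pfd if pfd else float("inf"),
            "sil": sil, "contribution_pct": contrib, "meets_target": sil >= target_sil}


def spurious_trip_rate(tree, lambda_safe):
    """Second fault tree, top event = spurious trip. With series elements every safe failure
    trips the loop, so the rates add. An AND gate (redundant trip paths) would need repair
    time data, so only OR gates are accepted here."""
    if isinstance(tree, str):
        return lambda_safe[tree]
    gate, children = tree
    if gate != "OR":
        raise ValueError("spurious-trip tree in this example must use OR gates only")
    return sum(spurious_trip_rate(c, lambda_safe) for c in children)


# Constructed SIF: 1oo2 pressure transmitters, one logic solver, one solenoid, one valve.
# The transmitters' common cause failure is its own independent basic event (PT_CCF).
FAIL_TREE = ("OR", [("AND", ["PT_A", "PT_B"]), "PT_CCF", "LS", "SOV", "XV"])
LAMBDA_DU = {"PT_A": 1e-6, "PT_B": 1e-6, "PT_CCF": 5e-8, "LS": 2e-7, "SOV": 1.5e-6, "XV": 2e-6}
ANNUAL_TEST = {e: HOURS_PER_YEAR for e in LAMBDA_DU}

TRIP_TREE = ("OR", ["PT_A", "PT_B", "LS", "SOV", "XV"])   # any element tripping trips the SIF
LAMBDA_S = {"PT_A": 3e-6, "PT_B": 3e-6, "LS": 5e-7, "SOV": 4e-6, "XV": 1e-6}   # safe failures /h
SRS_MAX_TRIP_RATE = 1.0 / (5 * HOURS_PER_YEAR)   # constructed SRS limit: one trip per 5 years


def semiannual_valve_test():
    """Proof-test recommendation check: SOV and XV every 6 months, everything else annually."""
    ti = dict(ANNUAL_TEST)
    ti["SOV"] = ti["XV"] = HOURS_PER_YEAR / 2
    return verify_sif(FAIL_TREE, LAMBDA_DU, ti, target_sil=2)


if __name__ == "__main__":
    annual = verify_sif(FAIL_TREE, LAMBDA_DU, ANNUAL_TEST, target_sil=2)
    print(f"annual test: PFDavg={annual['pfd_avg']:.2e} RRF={annual['rrf']:.0f} "
          f"SIL {annual['sil']}, meets SIL 2 target: {annual['meets_target']}")
    for e, pct in sorted(annual["contribution_pct"].items(), key=lambda kv: -kv[1]):
        print(f"  {e:7s} {pct:5.1f}% of PFDavg")
    better = semiannual_valve_test()
    print(f"6-month valve test: PFDavg={better['pfd_avg']:.2e} SIL {better['sil']}")
    rate = spurious_trip_rate(TRIP_TREE, LAMBDA_S)
    print(f"spurious trip rate {rate:.2e}/h, MTTFspurious {1 / rate / HOURS_PER_YEAR:.1f} years, "
          f"within SRS limit: {rate <= SRS_MAX_TRIP_RATE}")
```

With the annual proof test the two final elements carry over 90% of PFDavg and the SIF lands in SIL 1 against a SIL 2 target; halving the valve proof test interval brings it inside the SIL 2 band, which is the kind of proof test interval recommendation listed among the deliverables. The rare-event approximation always overstates the top-event probability (it is the first Bonferroni bound), so it is conservative; for a result that lands near a band boundary, the exact inclusion-exclusion value or a tool such as SAPHIRE should settle it.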

SIL Verification

Inputs:
SRS (Safety Requirements Specification)
P&IDs and/or Cause and Effect Matrix
Instrumentation description
Interlock description
Expected proof testing frequency
Process Safety Hazard Analysis

Deliverables:
Safety Availability (PFDavg)
Minimal cut sets
Devices' % contributions to PFDavg
SIL verification against SRS targets
MTTFspurious (spurious trip rate)
Devices' % contributions to MTTFspurious
Recommendations for proof test intervals
Recommendations for SIS improvements

Tools: SAPHIRE and SILwatch

H Detailed Design

The detailed design phase of a typical SIS project implements the Conceptual Design through good engineering practices and verifies all the requirements in the SRS (Safety Requirements Specification). The detailed design is usually performed by the SIS vendor and/or the engineering contractor. The following considerations are accounted for:
Verification of site applicable standards (API, NFPA, MMS, Authority Having Jurisdiction, etc.)
Power and grounding drawings
Field equipment installation drawings
Field wiring layouts / junction boxes, etc.
Intrinsic safety and explosion proof considerations
Environmental considerations
Logic solver equipment layout drawings
Cabinet integration drawings
Communications wiring drawings
HMI workstation layout
Application program development
Verification of use of Fixed or Limited Variability Languages

Use of V-Model or other verification process
Peer review and testing of application software
Application software behavior in the presence of hardware failures
Security implementation (access restrictions)
HMI screens development
Critical alarms implementation
Implementation of bypass keys / permissives / inhibits
Maintenance procedures development
Proof testing procedures development
FAT - Factory Acceptance Test

I Installation & Commissioning

Installation and commissioning involve strict planning and implementation in compliance with the detailed design and the SRS. This phase of the SIS project is usually implemented by a combination of the engineering contractor, the SIS vendor and the user. The following considerations are accounted for:
Installation and commissioning plan
Procedures, measures and techniques to be used
Persons, departments and organizations responsible
Safety loop drawings / instrument lists
Field instrumentation calibration
Power and grounding verified
Equipment functional tests
Loop checks
Interface communications tests
Application software version control
As-built drawings verified against the SRS
PSAT - Pre-Startup Acceptance Test

J Functional Safety Assessment

IEC 61511 requires that a functional safety assessment (FSA) be performed prior to the introduction of process materials into the equipment under control (EUC). This requirement is similar to the pre-startup safety review (PSSR) called for by OSHA and other regulatory bodies around the world. IEC 61511 requires that at least one senior, competent person who is independent of the project team take part in the FSA. This independent individual must have the authority to prevent the process unit startup if necessary. The FSA is documented in an SIS validation plan and is usually performed by the user/operator in conjunction with the engineering contractor and/or the SIS vendor. The FSA should at minimum verify the following:
The SIS has been constructed, installed and tested in accordance with the SRS.
All procedures for safety, operation, maintenance and management of change (MOC) are complete and in place.
Any pending PHA and/or SRS issues are resolved and implemented.
Operations and maintenance personnel are trained and their competence is documented.
Application software is validated in accordance with the validation plan.
All safety instrumented functions perform according to the SRS.
Bypasses, overrides and reset functions perform in accordance with the SRS.
The SIS is not affected by adverse interactions with the BPCS or any shared instrumentation.
Loss of utilities does not impede proper SIS action.
EMC immunity is verified.
BRPB or other manual, independent e-stops operate correctly.
Critical safety alarms function as per the SRS.
HMI graphics function correctly.
SIS safety validation (SAT) is completed prior to startup.
PSSR is completed.
All bypasses are returned to normal, isolation valves are set to the startup position, test materials are removed and all forces (forced I/O points in the logic solver) are removed.

K Operation & Maintenance

IEC 61511 requires that the SIS be operated and maintained so that the designed safety function is preserved. The SIL of each SIF must be maintained throughout the lifecycle of the plant. This function is usually performed by the user/operator and/or a maintenance contractor; the responsibility, however, resides with the owner. The operation and maintenance plan should address, at minimum, the following:
Proof testing, preventive and breakdown maintenance activities
Verification of adherence to operation and maintenance procedures
Designation and competence of the persons, departments and organizations responsible
Schedule adherence for all activities
Additional mitigation actions necessary during bypass and/or testing
Recording of the actual process demand rate on the SIS
Identification of the cause of process demands
Recording of the actual failure rates of SIS devices, including field equipment
Identification of the cause of false trips
Correct operation of each field sensor and final element
Correct logic action of the SIS
Correct alarms and indicators
Verification and validation of the actual SIL of each SIF, confirmation of the equipment failure rate assumptions made during the design phase, and confirmation that the proof test interval remains adequate to maintain the designed safety function

Note: COSIL, a safety system management tool-set for on-line, real-time continuous SIL monitoring of all the safety instrumented functions (SIFs) in a process plant's SIS, is an excellent tool that provides the mechanism for SIS operation and maintenance validation. COSIL additionally performs continuous on-line calculation of each SIF's instantaneous probability of failure on demand (PFD). This measurement gives plant engineers real-time data for evaluating the actual instantaneous risk reduction factor (RRF), supporting better decisions on improvements in plant safety. Knowledge of the instantaneous PFD provides information over and above the PFDavg-based SIL.

COSIL is applicable to both the demand mode and the continuous mode of operation as defined in IEC 61511-1 paragraph 3.2.43.2.

L Safety Audits

SIS safety audits are required to validate that the designed safety function is being maintained. IEC 61511, true to its character as a performance-based standard, has no specific requirements regarding audit frequency or procedures; however, the safety audits must be independent and objective. Process industry experience indicates that:
An audit frequency of 3 years is a starting point; based on the number of negative findings, the frequency may be adjusted accordingly.
Individuals conducting the audit should be independent of the plant personnel.
The standards and/or corporate documents against which the audit is to be conducted should be agreed upon in advance.
The procedures review should establish whether procedures are in place, understood and followed.
Interviews should start with managers, followed by engineering and finally operations and maintenance personnel.
All maintenance and testing records should be reviewed in detail. The review of management of change records is especially critical.
Visual inspection of field equipment condition and tagging is a key indicator of general health.
Checking for unauthorized systems in bypass is critical.
Records of the SIL for each SIF should be clearly documented.
Records of the validation of the SIL and RRF for each SIF should be documented.
Records of the number and cause of process demands should be clearly documented.
Records of the number and cause of nuisance trips should be clearly documented.
Records of the actual failure rates of the SIS devices, as they compare to the design assumptions, should be clearly documented.
Documentation should reflect the currently installed hardware and software.
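The operation and maintenance records called for in section K (actual demand rate, actual device failure rates, causes of demands and false trips, confirmation of the design-phase failure rate assumptions) and the matching audit records in section L above are easiest to judge with a small quantitative check. The following Python is an added example written for this page, not COSIL, SCAMP or any other PCS tool; the proof test records, demand log, trip log, design failure rates and SRS limit in it are constructed. It estimates the observed λDU per device group from dangerous failures found at proof test, asks how likely at least that many failures would be if the design λDU were right (an exact Poisson tail), and checks the observed demand rate against the low-demand criterion and the spurious trip rate against the SRS limit.

```python
"""Operating-phase records check (added example, not COSIL, SCAMP or any PCS tool).
Compares recorded dangerous-undetected failures, process demands and spurious trips with
the design assumptions and SRS limits. All records and rates below are constructed."""
import math

HOURS_PER_YEAR = 8760.0
YEARS_IN_SERVICE = 5
PROOF_TESTS_PER_YEAR = 1.0          # annual proof test assumed in the design

# Per device group: unit-hours summed over all installed units, dangerous undetected
# failures found by proof testing, and the lambda_DU (per hour) assumed at design time.
RECORDS = {
    "PT":  {"unit_hours": 6 * YEARS_IN_SERVICE * HOURS_PER_YEAR, "du_found": 1, "design_lambda_du": 1e-6},
    "SOV": {"unit_hours": 3 * YEARS_IN_SERVICE * HOURS_PER_YEAR, "du_found": 0, "design_lambda_du": 1.5e-6},
    "XV":  {"unit_hours": 3 * YEARS_IN_SERVICE * HOURS_PER_YEAR, "du_found": 2, "design_lambda_du": 2e-6},
}
# (year, cause) entries from the constructed demand and trip logs.
DEMANDS = [(2019, "BPCS controller output stuck"), (2021, "operator error"),
           (2023, "BPCS controller output stuck")]
SPURIOUS_TRIPS = [(2020, "transmitter impulse line plugged"),
                  (2020, "transmitter impulse line plugged"), (2022, "solenoid coil failure")]
SRS_MAX_TRIPS_PER_YEAR = 0.2        # constructed SRS limit: one spurious trip per 5 years


def poisson_p_at_least(k, mu):
    """P(X >= k) for a Poisson count with mean mu, evaluated exactly (k = 0 gives 1.0)."""
    return 1.0 - sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k))


def check_failure_rates(records, alpha=0.05):
    """For each device group: observed lambda_DU, failures expected under the design
    assumption, and the chance of seeing at least the observed count if the assumption
    held. Below alpha the design figure is flagged as not confirmed by field data."""
    out = {}
    for dev, r in records.items():
        mu = r["design_lambda_du"] * r["unit_hours"]
        p = poisson_p_at_least(r["du_found"], mu)
        out[dev] = {"observed_lambda_du": r["du_found"] / r["unit_hours"],
                    "expected_failures": mu, "p_value": p, "assumption_confirmed": p >= alpha}
    return out


def check_demand_mode(demands, years, proof_tests_per_year):
    """Observed demand rate against the low-demand criterion behind a PFDavg-based SIL:
    no more than one demand per year and no more than twice the proof-test frequency."""
    rate = len(demands) / years
    return {"demands_per_year": rate,
            "low_demand": rate <= 1.0 and rate <= 2.0 * proof_tests_per_year}


def check_spurious_trips(trips, years, srs_max_per_year):
    """Observed nuisance trip rate against the maximum the SRS allows."""
    rate = len(trips) / years
    return {"trips_per_year": rate, "within_srs": rate <= srs_max_per_year}


def tally_causes(events):
    """Cause counts, most frequent first, for the 'identification of cause' records."""
    counts = {}
    for _, cause in events:
        counts[cause] = counts.get(cause, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for dev, r in check_failure_rates(RECORDS).items():
        print(f"{dev}: observed lambda_DU {r['observed_lambda_du']:.2e}/h, expected "
              f"{r['expected_failures']:.2f} failures, p={r['p_value']:.3f}, "
              f"design assumption confirmed: {r['assumption_confirmed']}")
    print("demands:", check_demand_mode(DEMANDS, YEARS_IN_SERVICE, PROOF_TESTS_PER_YEAR),
          tally_causes(DEMANDS))
    print("spurious trips:", check_spurious_trips(SPURIOUS_TRIPS, YEARS_IN_SERVICE,
                                                  SRS_MAX_TRIPS_PER_YEAR), tally_causes(SPURIOUS_TRIPS))
```

In the constructed data the valve group shows more dangerous failures than its design rate predicts (p ≈ 0.03), which is the audit finding that should send the affected SIFs back to SIL verification using the observed rate and a reconsidered proof test interval; the spurious trip rate also exceeds the SRS limit, with a plugged impulse line the leading cause. The demand rate of 0.6 per year stays within the low-demand criterion, so the PFDavg-based SIL claim remains the right measure for this loop.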

The safety audits are normally conducted by corporate personnel independent of the plant and/or by specialized consulting companies such as Premier Consulting Services. SCAMP (Safety Compliance Auditing and Maintenance Program) is an excellent service for this phase of the safety lifecycle and for compliance with IEC 61511 clause 16.1.1, which states: to ensure that the required SIL of each safety instrumented function is maintained during operation and maintenance; and to operate and maintain the SIS so that the designed functional safety is maintained.

M Modifications / MOC

IEC 61511 requires that modifications to any safety instrumented system (SIS) be properly planned, reviewed and approved prior to making the change, and that the required safety integrity of the SIS be maintained despite any changes performed. Management of Change (MOC) procedures should be in place and all requirements of the SRS should be assessed:
Prior to making any modification to the SIS, procedures for authorizing and controlling changes should be effective and understood.
MOC authorizations should identify the hazards that may be affected.
Modifications require a functional safety impact analysis prior to authorization.
Any impact on safety requires returning to the first affected step in the safety lifecycle.
Modifications that imply a change of hardware or software likewise call for returning to the first affected step in the safety lifecycle (considerations such as replacement in kind, proven-in-use status, minimum hardware fault tolerance and maximum SIL claim limit).
Tests should verify that the changes were properly implemented.
Tests should ensure that functional safety is not negatively affected.
Modifications should be performed by qualified and competent personnel.
All affected and appropriate personnel should be notified and trained regarding the change and its implications.
Documentation should be updated to reflect the modifications, including the reason for the change, the hazards affected and the tests performed to verify that the safety integrity is maintained.

Modifications are normally performed by the user/operator and/or a maintenance contractor, under the supervision of competent engineering and safety personnel.

For more information about how Premier Consulting Services can help you solve your critical control system problems, contact: