IMPORTANCE OF SIS LIFECYCLE MANAGEMENT PLANNING

Most facilities in the process industry adhere to IEC 61511:2016, which outlines the requirements for lifecycle management of Safety Instrumented Systems (SIS). Experience shows that insufficient SIS lifecycle management planning leads to pitfalls such as increased documentation and costs and suboptimal timing of SIS lifecycle activities.

Most facilities in the process industry adhere to IEC 61511:2016, which outlines the requirements for lifecycle management of Safety Instrumented Systems (SIS). The standard addresses how to define, specify and follow up performance requirements for Safety Instrumented Functions (SIFs) acting as barriers against incidents with impact on safety, the environment or assets. Successful implementation of the IEC 61511 standard requires early planning for all phases of the project. Experience shows that insufficient SIS lifecycle management planning leads to pitfalls such as:

  • Increased documentation and costs. The activities and documents that form part of the SIS lifecycle are linked. For instance, the hazard assessment, e.g. a Hazard and Operability Study (HAZOP), is the foundation for the SIL allocation. For SIL allocation using methods such as Layers of Protection Analysis (LOPA), it is critical that the HAZOP methodology takes into account that the results will be used for SIL allocation, e.g. by ensuring that all safeguards are thoroughly listed and consequences described in detail. With insufficient HAZOP documentation, follow-up studies such as the LOPA become more time-consuming.
  • Suboptimal timing of SIS lifecycle activities. SIS lifecycle activities performed too late may cause significant cost impact if re-design is needed after procurement of SIS subcomponents. Conversely, activities performed too early may require significant updates of project documentation when the design changes.
  • Operations not covered in SIS lifecycle management. The operational phase typically receives limited attention compared to the design phase. However, thorough follow-up of the SIS in operation, e.g. through demand rate monitoring and SIF component failure monitoring, is required to ensure that the SIS delivers its intended risk reduction, and the collected data can be used to, for example, optimize test intervals, potentially reducing OPEX and/or increasing safety.

Planning of SIS Activities
Good planning requires the SIS owner to, as early as possible, outline the holistic approach to how functional safety shall be implemented in the project, through the following main aspects as specified by IEC 61511-1:2016 Section 5:

  • Describe the project organization responsible for functional safety and demonstrate its competency
  • Describe how quality management is followed up, both for the SIS owner and for suppliers
  • Prepare a SIS lifecycle plan describing the activities to be performed at each stage, the input/output required, the accountable party and the verification activity needed.

Normally, the planning of the SIS lifecycle management is documented in a Functional Safety Management Plan (FSMP), which is to be kept updated through all phases of the SIS lifecycle. The intention with the FSMP is to detail how SIS lifecycle management will be handled through all phases of the project, from design to decommissioning.

To give sufficient guidance for the entire SIS lifecycle, it is recommended that the FSMP is as specific and to-the-point as possible, as the FSMP shall be used actively as the project's functional safety road map. ORS recommends keeping the FSMP short by focusing on the actual implementation of functional safety in the given project and avoiding repetition of requirements from the IEC 61511 standard and other applicable standards, governing documents and guidelines. Specific references to other company documents are useful where information is not unique to the specific project.

The list below gives a recommended FSMP structure, including guidance on some of the main sections of the FSMP.

Definitions
Abbreviations
1 – Introduction
1.1 – Objective
1.2 – Project background
1.3 – Standards and references
Define the standards that set the requirements for functional safety and safety instrumented systems in the project (e.g. IEC 61508:2010 and IEC 61511:2016), guidelines (e.g. NoG GL 070) and company standards, but limit the list to those related to functional safety.

1.4 – Update of FSMP
Define who is responsible for keeping the FSMP up to date during all project phases. This should be a defined role/person. Clearly define milestones where an update of the FSMP is required.

2 – Competence and organization
2.1 – Organization
(IEC 61511-1:2016, 5.2.2.1). Define the organization responsible for implementing functional safety in the project. It is recommended to include this as a functional safety organization chart, including specification of accountabilities. The organization should also reflect the various phases of the SIS lifecycle, as responsibility is often shifted from an EPC contractor to the operator at a certain stage in the Lifecycle. It is recommended that the organization chart should reflect a single overall entity responsible for the implementation of functional safety across the project, in order to manage potential issues with several interfaces and subcontractors, and ensure that the application of functional safety in the project is kept consistent.

2.2 – Competence
(IEC 61511-1:2016, 5.2.2.2). The FSMP should specify minimum competency requirements for each of the roles specified in Section 2.1 (Organization). Examples of such competency requirements could be a minimum number of years of experience with functional safety related work. This could be included in the organization chart in Section 2.1. Any internal procedures for competency management should also be referenced, as specified in IEC 61511-1:2016 5.2.2.3.

3 – Quality Management System
(IEC 61511-1:2016, 5.2.5.2). Describe the internal Quality Management System (QMS). Rather than repeating the content of the QMS, add a specific reference. Further, describe how the quality management systems of suppliers are followed up. Often, suppliers are validated through a general vendor approval process. If this is the case, and the process covers a check of the supplier's quality management system, this should be described and referenced in the FSMP. The focus should be on functional safety related aspects of quality management rather than generic quality management.

4 – Safety Planning
(IEC 61511-1:2016, 5.2.4 and Clause 6). The intention of this chapter is to describe all SIS lifecycle activities to be performed, including timeline, accountabilities, input/output required and deliverables. This is to be specified per phase in the following sub-sections. The first sub-section should give a timeline with an overview of each of the lifecycle phases and related activities. Further, this section should give a clear overall plan for how functional safety is to be implemented, including how the various lifecycle phases are documented and connected and how information flows between them, to ensure a consistent functional safety approach. It should answer the following questions:

  • What is the overall purpose of functional safety in the project?
  • Which aspects, packages, subcontractors and systems in the project must adhere to the FSMP and to IEC 61511 / IEC 61508?
  • How shall these activities be documented?
  • Which systems are in place to ensure that information related to functional safety is kept up to date?
  • Are special MOC procedures required for functional safety?
  • What are the requirements for updating a SIS lifecycle document/phase, and which events and design changes should trigger an update of a SIS lifecycle phase?

4.2 – Phase 1 – Hazard and risk assessment
For each phase, the safety planning could be described in table format with each row describing a deliverable or activity. The following columns could be used:

  • Reference to IEC 61511-1:2016 requirement
  • Description of activity/deliverable
  • Responsible
  • Document number and revision number (to be kept updated)
  • Input required (such as P&IDs in revision XX, C&E charts and design basis)
  • Output, including its application to subsequent lifecycle phases

4.3 – Phase 2 – Allocation of safety functions to protection layers
4.4 – Phase 3 – Safety Requirement Specification (SRS) for the SIS
4.5 – Phase 4 – Design and Engineering of Safety Instrumented System
4.6 – Phase 5 – Installation, commissioning and validation

4.7 – Phase 6 – Operation and Maintenance
For operations, typical activities necessary for SIS performance monitoring are periodic proof testing, reporting/handling of failures and demand rate monitoring. The FSMP should give an overview of the main activities that should be performed and how and where they will be documented (such as operating procedures, test procedures, procedures for failure and demand reporting etc.).
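As an added example (not code from the article or from ORS), the follow-up loop that the operations pitfall above and this Phase 6 section describe: failure reports and demand records for a SIF are compared against the SRS assumptions and the SIL target, yielding a proof-test interval recommendation and a mode-of-operation check. It uses the simplified single-channel PFDavg = λDU·τ/2 (IEC 61508-6 approximation) and the IEC 61508 low-demand SIL bands; the record layout, field names and sample figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Low-demand SIL bands (IEC 61508-1): PFDavg must be below the bound for the target SIL.
SIL_PFD_BOUND = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

@dataclass
class SifRecord:                   # field names are assumptions for this example
    tag: str
    sil_target: int
    lambda_du_srs: float           # dangerous undetected failure rate assumed in the SRS [1/h]
    proof_test_interval_h: float   # current proof-test interval tau [h]
    service_years: float           # calendar years the SIF has been in operation
    component_hours: float         # accumulated service hours of the monitored components
    du_failures: int               # DU failures found by proof test or failure reports
    demands: int                   # demands on the SIF logged during service_years

def effective_lambda_du(rec: SifRecord) -> float:
    """Observed DU rate = failures / component hours. Assumption: experience better than
    the SRS figure is not credited (no confidence bound taken); worse experience replaces it."""
    return max(rec.du_failures / rec.component_hours, rec.lambda_du_srs)

def pfd_avg(lambda_du: float, tau_h: float) -> float:
    return lambda_du * tau_h / 2.0            # simplified single-channel PFDavg

def max_test_interval_h(lambda_du: float, sil: int) -> float:
    """Longest proof-test interval that keeps PFDavg inside the SIL band."""
    return 2.0 * SIL_PFD_BOUND[sil] / lambda_du

def assess(rec: SifRecord) -> dict:
    lam = effective_lambda_du(rec)
    pfd = pfd_avg(lam, rec.proof_test_interval_h)
    demand_rate = rec.demands / rec.service_years
    return {
        "tag": rec.tag,
        "lambda_du_used": lam,
        "pfd_avg": pfd,
        "sil_met": pfd < SIL_PFD_BOUND[rec.sil_target],
        "max_interval_h": max_test_interval_h(lam, rec.sil_target),
        "demand_rate_per_year": demand_rate,
        # IEC 61511 low-demand mode: at most one demand per year; above that the
        # PFDavg basis no longer applies and the mode of operation must be revisited.
        "low_demand_mode": demand_rate <= 1.0,
    }

# Constructed sample records (not real plant data): one SIF with a DU failure found
# in service, one with zero failures but a demand rate above once per year.
DEGRADED = SifRecord("PSHH-1001", 2, 5e-7, 8760.0, 5.0, 175200.0, 1, 2)
FREQUENT = SifRecord("LSHH-2001", 2, 5e-7, 8760.0, 5.0, 175200.0, 0, 7)
```

For DEGRADED the observed λDU is about ten times the SRS value, the SIL 2 bound is breached at the yearly test interval and the interval must shrink to roughly 3500 h; for FREQUENT the PFDavg is fine but the demand rate of 1.4 per year means the SIF can no longer be treated as low-demand.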

4.8 – Phase 7 – Modification
4.9 – Phase 8 – Decommissioning
4.10 – Functional Safety Assessment, Auditing and verification
(IEC 61511-1:2016, 5.2.6). Describe the third party verification and auditing activities that are to be performed (and when), such as functional safety assessment and functional safety audit.

4.11 – Action tracking system
(IEC 61511-1:2016, 5.2.5.1). Specify how actions/recommendations arising from a SIS lifecycle activity (e.g. HAZOP actions related to functional safety) will be followed up. It should also be specified how to handle any non-conformances arising from a SIS lifecycle activity.