International standards such as IEC 61508 and IEC 61511 define functional safety requirements for electronic systems and industrial applications to enable organizations to maintain robust protections for all their processes.

 

With our functional safety consulting services, we perform Functional Safety Assessments (FSAs) to ensure that your SIS contains the required Safety Instrumented Functions (SIFs) and that they are effective and reliable and maintain the required Safety Integrity Levels (SILs) throughout the entire process.

 

Safety Lifecycle. Our experts are knowledgeable and experienced in assessing systems based on relevant international standards and we are happy to collaborate with your team to improve the overall functional safety of your organization.

 

What is a security requirements specification (SRS)?

 

The safety requirements specification (SRS) covers all factors affecting the design and management of SIL-rated functions for the life cycle. The SRS is also a reference for the verification of a commissioned or modified SIS.

 

What is the content of the security requirements specification (SRS)?

 

• Description of all safety instrumented functions necessary to achieve the required functional safety,

• Requirements for identification and consideration of common cause failures,

• Definition of the safe state of the process for each defined safety instrumented function

• The definition of any individual safe process which, when occurring simultaneously, creates a separate hazard,

• Default demand sources and demand rate in the security instrumented function,

• Requirement for evidence testing intervals,

• Response time requirements of the SIS to bring the process to a safe state,

• Safety integrity level and operating mode (demand/continuous) for each safety instrumented function,

• Description of SIS process parameters and their set points,

• Description of SIS process output actions and criteria for successful operation (e.g. requirements for ESD valve closure action),

• The functional relationship between process inputs and outputs, including logic, mathematical functions and necessary permissions,

• Manual shutdown requirements,

• Requirements for energizing or de-energizing to switch on,

• Requirements for resetting the SIS after shutdown,

• Maximum allowable fake trip rate,

• Failure modes and desired response of the SIS (e.g. alarms, automatic shutdown),

• Any special requirements regarding the procedures for starting and restarting the SIS,

• All interfaces between the SIS and other systems (including BPCS and operators),

• Description of the operating modes of the plant and identification of the safety instrumented functions required for operation in each mode,

• Application software security requirements listed in 12.2.2,

• Override/blocking/bypass requirements, including how to clean SIS equipment,

• The specification of any action required to achieve or maintain a safe state in the event that faults are detected in the SIS. That any such action will be determined taking into account all relevant human factors.

• The average repair time that is appropriate for the SIS, taking into account spare parts availability, service contracts and environmental constraints,

• Identification of dangerous combinations of SIS output states that should be avoided,

​

What is a Functional Safety Assessment?

​

A Functional Safety Assessment (FSA) is an investigation to determine whether the safety function under investigation has achieved the required level of functional safety to support the decision to progress to the next stage of the life cycle or to remain in the same stage until all necessary measures have been taken.  Prior to the introduction of hazards/chemicals, it is a mandatory requirement to conduct a Functional Safety Assessment (FSA) in accordance with IEC61508 / IEC61511.

​

FSA-1:

​

The first Functional Safety Assessment review is performed during the Conceptual Design phase; the process design is still under review following the completion of the Initial Safety Requirements Specification (SRS).

The Stage 1 FSA (FSA 1) is performed after the Hazard and Risk Assessment has been completed and the Safety Requirements Specification has been written.

​

FSA 1 is performed before the SRS is transferred to the "SIS Design" function to ensure that the SRS is fit for purpose and (among other things) based on an appropriate level of rigor in ESD equipment selection studies. SIS Design should not start until there is confidence in the accuracy of the SRS.

At this stage, devices are selected by calculating and verifying the PFD for SIL level for SIFs under EN 61511.

 

Although IEC 61511 refers to FSA 1 as a single activity, it says to keep in mind that in large projects, the time between the initial hazard studies and the publication of the SRS can be significant, and that if FSA 1 finds a problem with the hazard study, this problem may disappear altogether.
A typical finding of FSA 1 is to verify and check the HAZOP analysis.

 

 

FSA-2:

​

This stage of the Functional Safety Assessment review should be carried out during the FEED stages of Detailed Design at a point in the design phase where the impact of changes such as additional SIS instrumentation or BPCS protective layers is minimized.

Stage 2 FSA (FSA 2) is performed after the SIS Design and (if appropriate) Factory Acceptance Test (FAT) has been completed.

​

If a 3rd party specialist is used, FSA 2 is performed before the panels are shipped to site. FSA 2 ensures that the SIS design is performed correctly and that the FAT correctly verifies that the completed design meets the SRS.

​

A typical finding of FSA 2 is that the 3rd party System specialist does not have adequate Functional Safety Management procedures to ensure compliance with IEC 61511.

In this context, LIFECycle procedures are established under EN 61511 and EN 61508.

 

FSA-3:

​

This assessment should be completed after the installation is complete, but before the application of hazardous chemicals. It is intended to verify the Safety Instrumented Functions (SIFs) as installed and to verify that the required Safety Instrument Levels (SILs) specified in the SRS document have indeed been achieved.

Phase 3 FSA (FSA 3) is performed following the Installation, Commissioning and final Verification (Field Acceptance Test) of the new SIS.

​

FSA 3 is the final confirmation that "SIL has been achieved" and that the SIS meets the requirements of IEC 61511 prior to handover to Operations. FSA 3 will also review O&M procedures and training and ensure that everything is in place. While the focus of FSA 3 is on the installation, commissioning and site acceptance and "readiness" of the SIS, it is also necessary to look at the previous FSA stages and ensure that there are no open actions. FSA 3 cannot be closed until both FSA 1 and FSA 2 are closed.

​

A typical finding of an FSA 3 is that it has been validated in the operation and maintenance and proof testing phases of the lifecycle and that the necessary procedures have been established and implemented. Adequate Change Management processes for Security Instrumented Systems must also be provided.

 

FSA-4:

​

The Approved Code of Practice states that the owner/operator of the Safety Instrumented System should periodically review all aspects of the SIS Functional Safety management system to determine if internal practices, operating procedures or regulatory expectations have changed. Typically every 3 years, these reviews should be formally documented and all actions should be finalized within a reasonable timeframe.

Stage 4 FSA (FSA 4) is performed periodically to examine the functional safety activities of the (ongoing) Operation and Maintenance (O&M) of the SIS.

​

FSA 4 will review O&M procedures and training, examine the approach to evidence testing and auditing, and evaluate the collection and analysis of SIS performance data.

A typical finding of FSA 4 is that systems and procedures are put in place by creating forms to not accurately report failures found in the evidence testing and instead simply "fix" all failures found.

FSA-5:

​

Similar to the Stage 3 Functional Safety Assessment, but on a smaller scale, this review should be carried out immediately following changes to the process plant/equipment prior to the re-introduction of hazardous chemicals into the process. It will normally be an integral part of the end user/operator's Change Management Procedures and is a legal requirement of IEC61508 / IEC61511.

​

A Stage 5 FSA (FSA 5) is required when a Change is made to a SIS.

​

A typical finding of FSA 5 is the establishment of operating procedures for a SIS Application and procedures for analyzing all normal operating processes with bypass and deactivation if ESD deactivation is required during start-up and shutdown or if ESD deactivation is required during maintenance processes.

 

For more information please contact us and please check out our BLOG and ARTICLE section

​

​