A few weeks ago, I posted Safety Instrumented Function-Focused Approach. It summarized a presentation by Emerson’s Russell Cockman and Andy Crosland on the role of an SIS integrator in the implementation phase of an IEC 61511 process safety project. Russell and Andy have just completed a series of five process safety seminars across the United Kingdom. Andy noted that they were all very well attended with most close to maximum capacity. There seems to be very high interest among process manufacturers in IEC 61511 safety lifecycle best practices.
In the above-mentioned blog post, I deferred the subject of SIS validation, so I’ll address it here. In the IEC 61511 implementation phase is a step “Installation, Commissioning and Validation.” Validation should not be confused with verification. Verification asks the question, “Did we do it right?” It happens at every step through the analysis, implementation, and operation phase of the safety lifecycle.
Conversely, validation asks the question, “Did we build the right thing?” It comes at the end of the implementation phase to confirm that the installed and commissioned SIFs meet the Safety Requirements Specification (SRS). Validation is described in IEC 61511 section 15.1.1 [emphasis added]:
The objective of the requirements of this clause is to validate, through inspection and testing, that the installed and commissioned safety instrumented system and its associated safety instrumented functions achieve the requirements as stated in the safety requirement specification.
The question is whether all of the installed safety instrumented functions (SIFs), also known as safety loops, that comprise the safety instrumented system (SIS) provide the required functional safety as specified in the SRS. This means that it’s important that the SRS be properly completed earlier in the analysis phase of the safety lifecycle. A plan is required to define who needs to validate what, when this validation should occur, how it needs to be done, and which tools, techniques, and knowledge are required.
Russell and Andy shared a validation workbook that formalizes this plan. It includes all of the SIFs and the validation work pack checklist associated with each SIF. These include sign offs for who completes the validation process as well as who approves the work performed. The checklist includes visual inspection, verification of process, electrical, and pneumatic connections as required.
A validation SIF checklist may contain steps such as:
- Verify that SIS performs under normal and abnormal operating modes as defined in the SRS
- Confirm that adverse interaction between basic process control system (BPCS) and other connected systems do not affect the SIS
- Verify that the communications between BPCS and other connected systems work properly
- Confirm that the sensors, logic solvers, and final elements perform as defined in the SRS
- Verify that the SIS documentation is consistent with the installed system
- Confirm that SIFs perform as specified on invalid process variable values
- Verify that the proper shutdown sequence is activated
- Confirm that the SIS provides proper annunciation and proper operation display
- Verify that computations included in the SIS are correct
- Confirm that bypass functions operate correctly
- Confirm that start-up overrides operate correctly
- Confirm that manual shutdown systems operate correctly
- Verify that proof test intervals are documented in maintenance procedures
- Verify that diagnostic alarm functions perform as required
- Verify that the SIS performs as required on loss of utilities
- When utilities are restored, confirm that the SIS returns to the desired state
- Confirm that the electromagnetic compatibility (EMC) immunity, as defined by the SRS, has been achieved
Once this detailed process has been successfully completed, the plant moves into the operation phase of the IEC 61511 safety lifecycle. A plan is required for routine actions such as proof testing, maintenance override conditions, documentation of system demand and failure rates to verify if they are consistent with the safety integrity level (SIL) verification calculations, audit and test documentation, and diagnostic and repair procedures.
As Russell and Andy note, the operations phase may last for the next 20 years. It’s critical that good recording and documentation practices are followed for the regular proof testing of the complete safety loop (or SIF)–the sensor, logic solver, and final elements.
Update: Welcome readers of Gary Mintchell’s Feed Forward blog! I hope you’ll consider adding your thoughts to this post or subscribing while you’re here.