
Guidance on Practice for Safety Instrumented Systems (SIS) – Implementation of the Process Requirements Specification

INEOS Manufacturing Scotland Limited


ENGINEERING TECHNICAL PRACTICES
12 November 2007
Guidance on Practice for Safety Instrumented Systems (SIS)- Implementation of the Process Requirements Specification

Foreword

This is the first issue of Engineering Technical Practice (ETP) GP 30-80. This Guidance on Practice
(GP) is based on part of the heritage documents as follows:

IMSL
RP 30-5 Instrumentation and Control – Selection and Use of Equipment for
Instrument Protection Systems.
The portions of the heritage document RP 30-5 that relate to competency, management, verification,
and functional safety assessment have been replaced by GP 30-75 (Safety Instrumented Systems –
Management of the Safety Lifecycle). The remaining material from the heritage document RP 30-5 is
in this GP.

This GP reflects experience gained in implementing safety instrumented systems (SIS) since the
publication of RP 30-5. Significant differences exist between RP 30-5 and this GP, which is based on
IEC 61511 (Safety Instrumented Systems for the Process Sector).

Copyright © 2007 INEOS Group. All rights reserved. The information contained in this
document is subject to the terms and conditions of the agreement or contract under which
the document was supplied to the recipient’s organization. None of the information
contained in this document shall be disclosed outside the recipient’s own organization
without the prior written permission of Site Engineering Authority, IMSL, INEOS
Group, unless the terms of such agreement or contract expressly allow.

Page 2 of 46
12 November 2007
Guidance on Practice for Safety Instrumented Systems (SIS)- Implementation of the Process Requirements Specification

Table of Contents
Page
Foreword............................................................................................................................................2
Introduction.........................................................................................................................................6
1. Scope........................................................................................................................................7
2. Normative references................................................................................................................7
3. Terms and definitions................................................................................................................8
4. Symbols and abbreviations.......................................................................................................8
5. General.....................................................................................................................................9
6. Safety lifecycle – Implementation of Process Requirements Specification.............................12
7. Procedures..............................................................................................................................14
8. Selection of equipment for subsystems..................................................................................14
9. Selection of SIS architecture...................................................................................................16
10. Reliability analysis of the proposed system............................................................................17
11. Development of SIS Full Requirements Specification............................................................18
12. Design of SIS subsystems......................................................................................................19
12.1. General........................................................................................................................19
12.2. Maintenance facilities...................................................................................................20
12.3. Operations facilities......................................................................................................21
12.4. Sensors........................................................................................................................22
12.5. Logic systems..............................................................................................................23
12.6. Actuation......................................................................................................................27
12.7. Power supplies and cabling between subsystems......................................................29
13. SIS Plans................................................................................................................................29
13.1. Development of the installation plan............................................................................29
13.2. Development of the validation plan..............................................................................29
13.3. Development of the commissioning plan.....................................................................30
13.4. Development of operations and maintenance plans....................................................30
14. Installation...............................................................................................................................30
15. Validation................................................................................................................................30
16. Commissioning........................................................................................................................30
17. Verification..............................................................................................................................30
18. SIS documentation..................................................................................................................31
18.1. General........................................................................................................................31
18.2. Design dossier for safety and environmental integrity.................................................31
18.3. Design dossier for commercial integrity.......................................................................31
19. Independent functional safety assessment.............................................................................32


Annex A (Informative) Choice of equipment or logic subsystems....................................................33
A.1. General...................................................................................................................................33
A.2. Types of logic subsystem........................................................................................................33
A.3. Compliance assessed equipment...........................................................................................35
Annex B (Informative) Typical subsystem architectures..................................................................38
B.1. Introduction.............................................................................................................................38
B.2. Architectures...........................................................................................................................38
B.3. IL 1 configuration.....................................................................................................................38
B.4. IL 2 configuration.....................................................................................................................39
B.5. IL 3 configuration.....................................................................................................................40
B.6. IL 4 configuration.....................................................................................................................41
Annex C (Informative) System design for robustness......................................................................42
C.1. Introduction.............................................................................................................................42
C.2. Evaluation of cost of spurious trips.........................................................................................42
C.3. Evaluation of the cost of additional equipment for robustness................................................43
C.4. Criteria for robustness.............................................................................................................43
C.5. Example..................................................................................................................................43
Annex D (Informative) Example of the development of an architecture for a SIS............................45
D.1. General...................................................................................................................................45
D.2. Process and background........................................................................................................45
D.3. Process Requirements Specification......................................................................................46
D.4. Selection of equipment for subsystems..................................................................................46
D.5. Selection of SIS architecture...................................................................................................46
D.6. Reliability analysis of the proposed architecture.....................................................................47
D.7. Architecture adopted...............................................................................................................48
Bibliography......................................................................................................................................49

List of Tables

Table 1 – SIS ETP objective, scope, input, and output....................................................................11
Table 2 – GP 30-80 Safety lifecycle objectives, scope, inputs, and outputs....................................14
Table D.1 – Robustness considerations...........................................................................................47
Table D.2 – PFD calculation.............................................................................................................48

List of Figures

Figure 1 – Relationship between SIS ETPs.....................................................................................10
Figure 2 – SIS implementation lifecycle...........................................................................................13
Figure B.1 – Architecture for IL 1 subject to conditions....................................................................39
Figure B.2 – Architecture for IL 1 (no conditions).............................................................................39

Figure B.3 – Architecture for IL 2 for specified conditions................................................................40
Figure B.4 – Architecture for IL 3 for specified conditions................................................................40
Figure B.5 – Architecture for IL 3 (no conditions).............................................................................41
Figure D.1 – Process plant and SIS.................................................................................................45
Figure D.2 – SIS system architecture...............................................................................................48


Introduction

Safety instrumented systems (SIS) have been used for many years within the process sector. The
original approach was prescriptive with standards (for example, API RP 14C in the offshore sector)
stating the specific equipment to use for a particular process application. In recent years, the increased
complexity of new applications and the complexity of new equipment becoming available for use have
made the prescriptive approach insufficient. This is particularly the case where programmable
equipment with complex failure modes is used for safety applications. Some years ago, the
international community recognised the need for new standards, and the International Electrotechnical
Commission (IEC) developed a new generic standard that adopted a risk-based approach.

The new standard IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic
Safety-related Systems) was published in seven parts between 1997 and 2000. Before IEC 61508 was
published, a need was recognised for a process sector standard and work commenced on IEC 61511
(Safety Instrumented Systems for the Process Sector). IEC 61511 applies the generic standard
IEC 61508 to process industries. It also incorporates experience from national and industry standards,
such as ISA S84.01. Since publication of IEC 61508, the process sector has had significant experience
in the application of the risk-based approach.

The risk-based approach tailors equipment to the needs of the application and has significant safety
and economic benefits. This approach does, however, demand more management, competency,
planning, and technical judgement during all stages of realisation, from initial hazard and risk analysis
through to operation, maintenance, and modification.

The objective of this GP is to provide requirements and guidance on how to specify and implement an
SIS starting from the Process Requirements Specification through installation, validation, and
commissioning of the system. This GP relates to GIS 30-801, which addresses the specification and
procurement of the SIS logic solver subsystem.

As with all updated IMSL and industry standards, new facilities and modifications to existing
facilities should use the latest standards. While the new standards are not normally applied
retrospectively, facilities may wish to undertake a gap analysis against the new standard and address
any deficiencies.


1. Scope

a. This GP provides guidance on implementation, installation, validation, and commissioning
of safety instrumented systems (SIS) used to reduce the following risks to tolerable levels:
1. Process safety risk.
2. Environmental risk.
3. Commercial risk, including rebuild cost and cost of lost production.
b. This GP addresses SISs that are based on the use of electrical and electronic
instrumentation for logic solvers.
c. The same basic principles of this GP shall apply to SIS logic solvers that are based entirely
on other technologies (pneumatic or hydraulic).
d. This GP relates to GIS 30-801 that addresses the specification and procurement of the SIS
logic solver subsystem.
e. This GP shall be used in conjunction with GP 30-75 Management of the Safety Lifecycle
that applies to all lifecycle phases.
f. This GP shall also be used in conjunction with the ETPs that apply to the other phases of
the safety lifecycle:
1. Development of the Process Requirements Specification (GP 30-76).
2. SIS Operations and Maintenance (GP 30-81).
g. Compliance with this GP requires:
1. All "shall" statements are complied with.
2. All "should" statements are considered and complied with unless alternate measures
are more appropriate in the context of the specific application.

2. Normative references

The following normative documents contain requirements that, through reference in this text,
constitute requirements of this technical practice. For dated references, subsequent amendments to, or
revisions of, any of these publications do not apply. However, parties to agreements based on this
technical practice are encouraged to investigate the possibility of applying the most recent editions of
the normative documents indicated below. For undated references, the latest edition of the normative
document referred to applies.

IMSL
GP 30-75 Guidance on Practice for Safety Instrumented Systems (SIS) –
Management of the Safety Lifecycle.
GP 30-76 Guidance on Practice for Safety Instrumented Systems (SIS) –
Development of the Process Requirements Specification.
GP 30-81 Guidance on Practice for Safety Instrumented Systems (SIS) –
Operations and Maintenance.
GIS 30-801 Guidance on Industry Standard for Safety Instrumented Systems (SIS) –
Design and Engineering of Logic Solvers.


International Standards Organization (ISO)
ISO 10418 Petroleum and natural gas industries – Offshore production installations –
Analysis, design, installation and testing of basic surface safety systems.

The Instrumentation, Systems, and Automation Society (ISA)
ISA 84.01 Application of Safety Instrumented Systems for the Process Industries.

International Electrotechnical Commission (IEC)
IEC 60085 Thermal evaluation and classification of electrical insulation.
IEC 61508-1 to -4, and -6 Functional safety of electrical/electronic/programmable electronic safety-
related systems (parts 1 through 4 and part 6).
Part 1: General Requirements.
Part 2: Requirements for Electrical/Electronic/Programmable Electronic
Safety-related Systems.
Part 3: Software Requirements.
Part 4: Definitions and Abbreviations.
Part 6: Guidelines on the Application of IEC 61508-2 and IEC 61508-3.
IEC 61511-1 Functional safety: Safety Instrumented Systems for the process industry
sector (part 1).
Part 1: Framework, definitions, system, hardware and software
requirements.

3. Terms and definitions

Terms and definitions for this GP are provided in IMSL GP 30-75 and the Normative industry
standards.

4. Symbols and abbreviations

For the purpose of this GP, the following symbols and abbreviations apply:

CAE Cost of additional equipment.

CASS Conformity Assessment of Safety-related Systems.

CIL Commercial integrity level.

CST Cost of spurious trips per year.

CVP Capital value process.

DCS Distributed control system.

EIL Environmental integrity level.

EMC Electromagnetic compatibility.

EMF Electromotive force (voltage).

ESD Emergency shutdown.


ESDV ESD valve.

F&G Fire and gas.

FAT Factory acceptance test.

FMEA Failure modes and effects analysis.

HSE Health, safety, and environment.

IL Integrity level (general).

INERIS National Institute for Industrial Environment and Risks (France).

OREDA Offshore reliability data.

OVP Operations value process.

P&ID Piping and instrumentation diagram.

PAS Process automation system.

PFD Probability of failure on demand.

PIP Process industry practices (USA).

PLC Programmable logic controller.

PT Pressure transmitter.

QA Quality assurance.

SIL Safety integrity level.

SIS Safety instrumented system.

SOV Solenoid-operated valve.

UKOOA United Kingdom Offshore Operators Association.

UPS Uninterruptible power supply.

5. General

a. The approach to developing SIS requirements shall be in two stages:
1. The first stage shall be development of the SIS Process Requirements Specification
(covered by GP 30-76).
2. The second stage shall be implementation of the SIS Process Requirements
Specification (covered by this GP), including development of the SIS Full
Requirements Specification.
b. The following shall be in accordance with GP 30-75:
1. Safety lifecycle phases defined in this GP.
2. Management of the safety lifecycle.

3. Integration of the safety lifecycle into the project lifecycle.
4. SIS tasks with a specified integrity level (IL).
c. Because compliance with the ISO 9000 family of standards may not be sufficient for SIS,
organisations that have been compliance assessed as meeting the requirements of the
ISO 9000 family of standards should have an assessment to determine if the procedures
developed to comply with the ISO 9000 family of standards give sufficient assurance that
the risk of functional failure has been reduced to appropriate levels. In making such
judgements, account should be taken of the complexity of the task and the required
integrity levels.
d. Relationships between relevant SIS ETPs in the safety lifecycle (shown in Figure 1) shall
be considered along with objectives, input, and output for each SIS ETP (shown in
Table 1).


Figure 1 – Relationship between SIS ETPs

[Figure: block diagram. It places each SIS ETP alongside the safety lifecycle phases it covers, with the parallel activities for other technology and external risk reduction shown to the right.]

SIS – Management of the safety lifecycle (GP 30-75): common requirements relating to all lifecycle
activities: functional safety management, competency, verification, and independent functional
safety assessment.
SIS – Development of the Process Requirements Specification (GP 30-76): hazard and risk analysis;
requirements allocation; SIS Process Requirements Specification.
SIS – Implementation of the Process Requirements Specification (GP 30-80): requirements
specification for the SIS; planning of SIS activities (installation, validation, pre-commissioning);
design and engineering of SIS; installation, validation, commissioning.
SIS – Design and Engineering of Logic Solvers (GIS 30-801): design and engineering of SIS logic
solvers, within the design and engineering phase.
SIS – Operation and Maintenance (GP 30-81): operation and maintenance; modification;
decommissioning.
Other technology and external risk reduction (in parallel with the SIS lifecycle): requirements
specification; realisation; operation, maintenance and modification.


Table 1 – SIS ETP objective, scope, input, and output

ETP & safety lifecycle phase: GP 30-75 Guidance on Practice for Safety Instrumented Systems (SIS) –
Management of the Safety Lifecycle.
Objective: Specify overall framework and requirements applied to all safety lifecycle phases.
Scope: Risks from functional failures leading to safety, environmental, and asset consequences.
Input: 1. Corporate risk criteria. 2. HSE policy. 3. CVP process. 4. OVP process.
Output: 1. Overall safety lifecycle and plan. 2. Functional safety management requirements for
competency, verification, and independent functional safety assessment.

ETP & safety lifecycle phase: GP 30-76 Guidance on Practice for Safety Instrumented Systems (SIS) –
Development of the Process Requirements Specification.
Objective: Specify requirements of safety layers to reduce risks to tolerable levels.
Scope: Risks from functional failures leading to safety, environmental, and asset consequences.
Input: 1. Process design. 2. Manning levels. 3. Environment factors. 4. Business impacts of loss of
production.
Output: 1. Hazard list caused by functional failures. 2. SIS Process Requirements Specification,
including function and performance characteristics of safety layers required to reduce risks to
tolerable levels.

ETP & safety lifecycle phase: GP 30-80 Guidance on Practice for Safety Instrumented Systems (SIS) –
Implementation of the Process Requirements Specification.
Objective: 1. Design, procure, install, and pre-commission SIS to achieve performance requirements.
2. Specify operations and maintenance requirements to maintain required integrity during life of
asset.
Scope: Safety instrumented systems.
Input: SIS Process Requirements Specification. This specification includes function and performance
characteristics of SIS safety layers required to reduce risks to tolerable levels.
Output: 1. SIS Full Requirements Specification. 2. SIS activities planning for installation, validation,
and precommissioning. 3. SIS is installed according to international standards, validated against
functional and performance requirement specification. 4. Operations and maintenance procedures to
maintain performance levels over life of asset. 5. Architectures supporting high availability, tolerable
risk, and low maintenance cost.

ETP & safety lifecycle phase: GP 30-81 Guidance on Practice for Safety Instrumented Systems (SIS) –
Operations and Maintenance.
Objective: Manage risk of functional failure throughout life of asset to maintain tolerable risk.
Scope: Safety instrumented systems.
Input: 1. SIS installation – SIS is installed according to international standards, validated against
functional and performance requirement specification. 2. Operations and maintenance procedures to
maintain necessary performance levels over life of asset.
Output: 1. Continuing achievement of tolerable risk level throughout the asset life. 2. Tolerable plant
availability and low maintenance cost.

ETP & safety lifecycle phase: GIS 30-801 Guidance on Industry Standard for Safety Instrumented
Systems (SIS) – Design and Engineering of Logic Solvers.
Objective: Procure SIS logic solver.
Scope: SIS logic solver.
Input: SIS Full Requirements Specification.
Output: SIS logic solver procurement specification.

e. In the U.S. and Canada, compliance with IEC 61511 may be replaced with a requirement
to comply with the equivalent clauses in OSHA, EPA, and ISA standards. (Refer to
GP 30-75, Annex B for more detail. This annex maps some major clauses of GP 30-75 to
OSHA 29 CFR 1910.119 and ISA 84.01 standards.) In such cases, the following
documents apply:
1. ISA 84.01.
2. 29 CFR 1910.119.
3. 40 CFR, Part 68.

6. Safety lifecycle – Implementation of Process Requirements Specification

a. A detailed safety lifecycle shall be defined for the activities after specification of the
process requirements up to final validation.
b. The SIS implementation lifecycle shall be as shown in Figure 2 and Table 2. A modified
lifecycle may be used if justified, but this shall be documented and mapped to the
requirements of this GP and IEC 61511-1.
c. Development of plans for installation, validation, commissioning and operations and
maintenance shall be carried out during the design phase.
d. The SIS implementation lifecycle shall be integrated into the project lifecycle as described
in GP 30-75.


Figure 2 – SIS implementation lifecycle

[Figure: flow diagram. The phases run in the following order, with the design and procurement of
SIS logic solvers (GIS 30-801) as a parallel branch of the subsystem design phase, and each plan
developed before the phase it governs.]

1. Process requirement specification from GP 30-76.
2. Selection of equipment for subsystems.
3. Selection of the SIS architecture.
4. Reliability analysis of the proposed system.
5. Development of the SIS Full Requirements Specification.
6. Design and procurement of the SIS subsystems (in parallel: design and procurement of SIS
logic solvers, GIS 30-801).
7. Development of the installation plan, then installation.
8. Development of the validation plan, then validation.
9. Development of the commissioning plan, then commissioning.
10. Development of operation and maintenance plans, then operation and maintenance (refer to
GP 30-81).


Table 2 – GP 30-80 Safety lifecycle objectives, scope, inputs, and outputs

Safety lifecycle phase: Selection of equipment for subsystems.
Objectives: To select equipment that will meet the needs of the GP.
Scope: SIS.
Inputs: Function requirements in SIS Process Requirement Specification.
Outputs: List of vendors and equipment types approved for use.

Safety lifecycle phase: Selection of SIS architecture.
Objectives: To select equipment architectures that meet the reliability and fault tolerance
requirements.
Scope: SIS.
Inputs: Integrity and robustness requirements in SIS Process Requirement Specification.
Outputs: Minimum architectures for SIS.

Safety lifecycle phase: Reliability analysis of proposed architecture.
Objectives: To ensure the equipment and architectures meet the PFD associated with the required
integrity levels.
Scope: SIS.
Inputs: Integrity and robustness requirements in SIS Process Requirement Specification.
Outputs: Confirmed architectures and required proof test intervals.

Safety lifecycle phase: Development of SIS requirements specification.
Objectives: To develop the final SIS requirements specification.
Scope: SIS.
Inputs: SIS Process Requirements Specification, confirmed architectures.
Outputs: SIS Full Requirements Specification.

Safety lifecycle phase: Design and procurement of the SIS subsystems.
Objectives: To develop the detailed design of the SIS.
Scope: SIS.
Inputs: SIS Full Requirements Specification.
Outputs: 1. Detail installation drawings. 2. SIS procurement specifications.

Safety lifecycle phase: Development of the installation plan.
Objectives: To plan the installation of the SIS.
Scope: SIS.
Inputs: SIS full specification and installation drawings.
Outputs: Installation plans and specifications.

Safety lifecycle phase: Development of the validation plan.
Objectives: To plan the validation of the SIS.
Scope: SIS.
Inputs: SIS full requirements specification.
Outputs: Validation plans and FAT specification.

Safety lifecycle phase: Development of the commissioning plan.
Objectives: To plan the commissioning of the SIS.
Scope: SIS.
Inputs: SIS full requirements specification.
Outputs: Commissioning plans.

Safety lifecycle phase: Development of the operation and maintenance plan.
Objectives: To plan the operations and maintenance.
Scope: SIS.
Inputs: SIS full requirements specification.
Outputs: Operation and maintenance plan.

Safety lifecycle phase: Installation of the SIS.
Objectives: To install the SIS.
Scope: SIS.
Inputs: SIS installation plan.
Outputs: SIS installed.

Safety lifecycle phase: Validation of the SIS.
Objectives: To validate the SIS.
Scope: SIS.
Inputs: SIS validation plan.
Outputs: SIS validated.

Safety lifecycle phase: Commissioning of the SIS.
Objectives: To commission the SIS.
Scope: SIS.
Inputs: SIS commissioning plan.
Outputs: SIS commissioned.

7. Procedures

a. The following procedures shall be applied during the safety lifecycle phases of this GP:
1. General procedures specified in GP 30-75, Clause 11.1.
2. Configuration management procedures in accordance with IEC 61511-1,
Clause 5.2.7.1.1.
b. Procedures shall be applied rigorously.
c. Independent functional safety assessment shall be performed as specified in this GP,
Clause 19.

8. Selection of equipment for subsystems

a. Equipment for implementing SIS functions with an IL requirement of 1 or higher shall
either:
1. Comply with IEC 61508-2 (and IEC 61508-3, if a programmable system is used).
2. Meet the requirements for the selection of components and subsystems based on prior
use specified in IEC 61511-1, Clause 11.5.3.


b. General purpose industrial PLCs should not be used for implementation of SIL or EIL
rated functions.
c. Guidance provided in Annex A shall be considered in the selection of appropriate
technology for logic subsystems.
d. Preference should be given to equipment that has been assessed by an independent
organisation and shown to comply with IEC 61508-2 and IEC 61508-3 for the specified IL.
Independent organisations performing assessments should be approved by a national
accreditation body.
e. Logic systems for IL 4 applications shall be nonprogrammable.
f. Logic systems for IL 3 applications should be nonprogrammable. Proposed use of
programmable logic systems for IL 3 shall be specifically justified.
g. The type of logic system selected shall reflect the needs of the application. In selecting the
type of logic system, the following factors shall be considered:
1. Skills and experience available within the project and the application site.
2. Number of inputs and outputs, with further consideration of the following:
a) Relay systems may be cost-effective for small systems with very limited
numbers of inputs and outputs, but are not suitable for large applications.
b) Relay systems are difficult to document, test, and change.
3. Guidance included in Annex A, with respect to the choice of system.
4. Complexity of the function to be implemented, with further consideration of the
following:
a) Limited variability programmable systems may be needed for complex or
sequence applications.
b) In the case of sequence applications, the system selected should have suitable
application languages.
5. IL required, with further consideration of the following:
a) Higher ILs require a high level of assurance that the system can always fulfil the
required function under all conditions of input and output, and internal states of
the system.
b) This high level of assurance is difficult to provide with programmable systems
because testing all combinations is not practicable.
h. The SIS logic solver shall be specified in accordance with GIS 30-801 and Clause 12.5 of this
GP.
i. Functions that have been designated as “No special safety requirements” may be
implemented in general purpose control equipment such as DCS or PLC providing the
following conditions apply:
1. Failure of the general purpose equipment does not lead to a demand on the function
designated as “No special safety requirement”.
2. Facilities or procedures are provided to ensure overrides are not applied other than for
short periods of time.
3. Facilities or procedures are provided to ensure that settings are not modified without
approval.
4. The general purpose equipment is sufficiently reliable to justify a claimed risk
reduction factor of 10.

9. Selection of SIS architecture

a. System designers shall review the SIS Process Requirements Specification to ensure the
following:
1. Requirements are clear and unambiguous.
2. Requirements include what the system should and should not do in specified
circumstances.
3. Information is sufficient for design, specification, and final validation.
b. Arrangements of measurements, logic, and final actuation subsystems shall achieve the
functional requirements specified in the SIS Process Requirement Specification.
c. Minimum subsystem architectures should comply with fault tolerance requirements
specified in IEC 61511-1, Clause 11.4.
d. The minimum architecture to comply with IEC 61511-1, Clause 11.4 should be the starting
point in the design of the SIS system and shall then be subject to the further requirements
below.
e. The architecture selected in accordance with item d. above should be reviewed to establish
its suitability in the event of a diagnosed failure.
f. In the event of a diagnosed dangerous failure in a subsystem, IEC 61511-1, Clause 11.3
shall apply.
g. If the mode of operation is continuous/high demand and a nonredundant architecture is
applied, the process shall be put into a safe state upon detection of a dangerous failure.
This condition may be implemented automatically or by an operator action.
h. If the mode of operation is low demand and a nonredundant architecture is applied, the
process shall be put into a safe state, or additional measures and constraints applied
equivalent to the safety provided by SIS.
i. In accordance with IEC 61511-1, Clause 11.3, in most cases of nonredundant systems, the
process shall be shut down upon a diagnosed failure. This shutdown may not be acceptable
from a production viewpoint, in which case the fault tolerance of the system should be
increased.
j. Measurement and logic subsystems shall be failure robust if the annualised cost of the
additional capital and maintenance for the extra hardware is less than the calculated annual
cost of spurious trips.
k. Architectures used for programmable logic systems and digital communications between
SIS logic solver and DCS shall be failure robust.
l. Failure robust architecture for final elements should be used only if practicable and if it can
be shown that the increase in dangerous failure rate is small.

10. Reliability analysis of the proposed system

a. Maximum interval between proof testing for SIS subsystems shall be determined,
considering the following:
1. Interval at which the process plant will shut down for inspection or maintenance.
2. Availability of spare process equipment that would allow testing of SIS subsystems
without disruption to production.
3. Degradation mechanisms that could result in failure to function (for example, wear,
cavitation, and blockage).

4. Availability of overrides (bypasses) that allow testing without disruption to production.
b. Maximum repair time after a dangerous failure is detected by diagnostics or by proof
testing shall be determined by considering:
1. Repair times.
2. Availability of maintenance resources, including:
a) Personnel with the necessary training.
b) Equipment spares.
c) Logistics.
d) Special tools.
c. Proposed architecture developed in accordance with Clause 9 of this GP shall be subjected
to reliability analysis in accordance with IEC 61511-1, Clause 11.9.
d. Reliability analysis shall not take into account alarms, shutdown functions, or systems to
reduce demands that were considered during integrity level determination.
e. If credit is taken in the reliability analysis for diagnostics, the following issues shall be
taken into account:
1. Equipment undertaking the diagnosis shall be considered as part of the SIS if the
claimed diagnostic coverage is greater than 90%.
2. Failures of diagnostic facilities may not be detected by proof testing and this shall be
accounted for by calculating test coverage. Subsystems with complex diagnostics may
need to be returned to the vendor on a periodic basis to enable full testing of the
diagnostics to be performed.
f. Reliability analysis shall take into account common cause failures of the SIS and common
cause failures between the SIS and control systems that cause a demand on the SIS
function.
g. The beta factor used should take account of the proposed equipment and how it will be
installed. The following should be considered:
1. A recommended method of determining beta factors is included in IEC 61508-6,
Annex D.
2. IEC 61508-6, Clause D.5 contains an example of reliability analysis that includes
common cause failure, and use of the beta factor.
h. Results of the reliability analysis shall be compared with the following targets:
1. If the required IL was determined using a quantitative method, use the specified value
of average probability of failure on demand (PFD).
2. If the required IL was determined by a semi-quantitative method such as those
discussed in GP 30-76, use the range of values of the average PFD targets for the
specified IL.
i. If the calculated reliability does not meet the target, the following shall be considered:
1. Provision of additional redundancy in the subsystems that contribute most to the
dangerous failure rate or probability.
2. Provision of test facilities that allow more frequent testing.
3. If partial test facilities are incorporated, allowance shall be made for failures
undetected by the partial test.
4. Provision of alternate subsystems with lower unrevealed dangerous failure rates.

j. Reliability analysis of applications with a specified IL of 3 or 4 shall be subjected to an
independent audit.
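The reliability analysis described in Clause 10 is illustrated by the following added example, which is not part of GP 30-80 or of IEC 61511. It estimates the average PFD of a 1oo1, 1oo2 and 2oo3 subsystem with the simplified IEC 61508-6 Annex B style formulas, includes a beta-factor common cause term (item g.), and compares the result either with a specified PFD value or with the PFD band of the required IL (item h.). The failure rates, proof test interval, repair time and beta factors are constructed sample values, the mean repair time is assumed equal to the MTTR, and the function and constant names are the author's own.

```python
"""Added example, not GP 30-80 or IEC 61511 text: simplified PFDavg estimate for a
SIS subsystem with a beta-factor common cause term, compared against the IL bands.
All rates, intervals and factors below are constructed sample values."""

# Average PFD bands for low demand mode, (lower, upper), as used for IL targets
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def pfd_avg(arch, lam_d, dc, t1, mttr, beta, beta_d):
    """Simplified average PFD for a 1oo1, 1oo2 or 2oo3 subsystem.

    arch   : "1oo1", "1oo2" or "2oo3"
    lam_d  : total dangerous failure rate per hour
    dc     : diagnostic coverage, fraction of dangerous failures detected online
    t1     : proof test interval in hours (Clause 10.a)
    mttr   : mean time to restoration in hours (Clause 10.b); assumed equal to MRT
    beta   : common cause factor for undetected dangerous failures (Clause 10.g)
    beta_d : common cause factor for detected dangerous failures
    """
    lam_dd = lam_d * dc          # dangerous, detected by diagnostics
    lam_du = lam_d * (1 - dc)    # dangerous, revealed only by proof test
    # channel equivalent mean down times (IEC 61508-6 B.3.2 style)
    t_ce = (lam_du / lam_d) * (t1 / 2 + mttr) + (lam_dd / lam_d) * mttr
    t_ge = (lam_du / lam_d) * (t1 / 3 + mttr) + (lam_dd / lam_d) * mttr
    if arch == "1oo1":
        return lam_du * (t1 / 2 + mttr) + lam_dd * mttr
    # independent (non common cause) part of the channel dangerous rate
    lam_ind = (1 - beta_d) * lam_dd + (1 - beta) * lam_du
    # common cause contribution: both channels fail together
    ccf = beta_d * lam_dd * mttr + beta * lam_du * (t1 / 2 + mttr)
    if arch == "1oo2":
        return 2 * lam_ind ** 2 * t_ce * t_ge + ccf
    if arch == "2oo3":
        return 6 * lam_ind ** 2 * t_ce * t_ge + ccf
    raise ValueError(f"unsupported architecture {arch}")


def achieved_il(pfd):
    """IL whose PFD band contains the value; 0 if worse than IL 1."""
    if pfd < PFD_BANDS[4][0]:
        return 4
    for il in (4, 3, 2, 1):
        lo, hi = PFD_BANDS[il]
        if lo <= pfd < hi:
            return il
    return 0


def meets_target(pfd, target):
    """Clause 10.h: a float target is a specified PFD value (quantitative
    method); an int target is a required IL whose band upper limit applies
    (semi-quantitative method)."""
    if isinstance(target, float):
        return pfd <= target
    return pfd < PFD_BANDS[target][1]


def compare_architectures():
    """Constructed sample: lambda_D = 1e-6/h, DC = 60 %, annual proof test,
    8 h repair, beta = 10 %, beta_D = 5 %. Returns PFDavg per architecture."""
    params = dict(lam_d=1e-6, dc=0.6, t1=8760.0, mttr=8.0, beta=0.1, beta_d=0.05)
    return {arch: pfd_avg(arch, **params) for arch in ("1oo1", "1oo2", "2oo3")}


if __name__ == "__main__":
    for arch, pfd in compare_architectures().items():
        print(f"{arch}: PFDavg = {pfd:.2e}, IL {achieved_il(pfd)} band, "
              f"meets IL 3 target: {meets_target(pfd, 3)}")
```

With the sample values the 1oo1 subsystem lands in the IL 2 band and the redundant arrangements in the IL 3 band, and the common cause term dominates the redundant result, which is why item g. asks for a beta factor that reflects how the equipment is actually installed rather than a generic value. Halving the proof test interval (item i.2) reduces the PFD of every architecture.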

11. Development of SIS Full Requirements Specification

a. SIS Full Requirements Specification shall be prepared in accordance with IEC 61511-1,
Clause 10.3.
b. SIS Full Requirements Specification shall be verified against the Process Requirements
Specification.
c. SIS Full Requirements Specification shall encompass or reference all parts of the system
that function to terminate the identified hazards. For example:
1. Measurement devices.
2. Logic systems.
3. Final actuation devices.
4. Power supplies, if failure would lead to failure to function.
5. Additional elements (for example, interfaces and barriers).
d. Necessary functions may be executed by a single system or may be allocated to a number
of systems, depending on:
1. Functionality needed.
2. Size of the system.
3. Required IL.
e. Subsystem specifications shall be prepared for components of the system that will be
purchased as separate parts.
f. The subsystem specification shall reference the overall SIS Full Requirements
Specification and include functional requirements and details of IL requirements.
g. Subsystem specifications shall include response requirements derived from the SIS Process
Requirements Specification.
h. Subsystems with specified ILs of 3 or higher shall be redundant.
i. For systems applied offshore, account should be taken of the minimum redundancy
requirements of ISO 10418.
j. Component parts of subsystems shall be arranged such that loss of signal or power will not
cause an unsafe failure.
k. Equipment vendors shall be required to supply information on product history of failure
and degradation.
l. Equipment vendors shall be required to agree to supply information in the future about
reported failures and degradation.

12. Design of SIS subsystems

12.1. General
a. SIS shall be designed in accordance with IEC 61511-1, Clause 11.
b. Application software shall be designed in accordance with IEC 61511-1, Clause 12.
c. To warn the operator, trip functions should be preceded by a pre-alarm from a separate
device serving the same process variable or condition.

d. During design, consideration should be given to the need for security as follows:
1. Equipment should be installed and located to maintain the required integrity by
preventing unauthorised or inadvertent modification of SIS functions.
2. To maintain SIS integrity, consideration should be given to sensor and valve security
as well as the security of the SIS logic solver, application software, and user interface.

12.2. Maintenance facilities
a. Maintenance facilities for SIS logic solvers shall comply with GIS 30-801, Clause 10.13.
b. Facilities shall be provided to enable proof testing without removal of equipment unless to
do so would be impracticable.
c. If not practicable to provide facilities for proof testing without equipment removal, the
proof test interval shall be taken as the interval at which the plant will be shut down for
inspection.
d. Independent keylock facilities for maintenance shall have unique keys.
e. To enable online testing of emergency shutdown valves (ESDVs), facilities may be
provided that:
1. Permit partial movement of the valve to be demonstrated.
2. Allow operation of the solenoid valve.
f. Such facilities shall be installed only after the following have been completed:
1. Failure modes and effects analysis (FMEA).
2. Reliability analysis.
g. The recommended FMEA and reliability analyses should preferably be performed by an
independent competent body.
h. Recommended methods of online testing include use of:
1. Original equipment manufacturer valve jammers (clamps).
2. Limited movement testing systems.
3. Bypass lines.
i. For applications with IL 3 or higher:
1. If online system testing is required, a complete system of at least the following shall
remain in commission during testing:
a) Single sensor.
b) Logic system.
c) Actuator.
d) ESDV.
2. Test facilities that prevent the system from fulfilling its intended function shall be
avoided (for example, valve jammers (clamps)).
3. The frequency and method of testing shall have been shown by reliability analysis to
give acceptable integrity.
j. For IL 2 applications, test facilities that prevent the system from fulfilling its intended
function (for example, valve jammers (clamps)) shall be acceptable if the duration of the
online test is negligible compared to the period between tests.

k. For IL 1 applications, online testing of final actuator devices may not be required. An
adequate level of integrity may be achieved by testing during plant or spared equipment
shutdown.

12.3. Operations facilities
a. Operations facilities for SIS logic solvers shall comply with GIS 30-801, Clause 10.15.
b. Initiations of SIS functions shall be alarmed to a permanently manned operator station.
c. Consideration should be given to the provision of information to the operator on integrity
levels of trip alarms.
d. The operator shall be provided sufficient information to enable confirmation that SIS
functions have been fully implemented so that the hazard is avoided.
e. Consideration should be given to the installation of facilities that enable confirmation after
an unplanned shutdown that SIS performed in accordance with the functional
requirements.
f. Design of SISs shall minimise the need for operator selection of options and the need to
bypass the system.
g. Need for startup overrides should be avoided if feasible.
h. If startup overrides are necessary, such as in the case of low-level and low-pressure trips,
then overrides should be used that are manually applied, but which automatically reinstate
themselves when the process parameter has passed the setpoint.
i. Independent keylock facilities for operation shall have a unique key.
j. Consideration should be given to the installation of facilities that enable the logging of the
time of application and the time of removal of all manual bypasses (overrides).
k. A manual shutdown facility operating independently of the SIS logic solver shall be
provided at the permanently manned control centre to put final actuated devices to the safe
condition.
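Items h. and j. above describe a startup override that is applied manually, removes itself once the process parameter has passed the setpoint, and has its application and removal times logged. The following is an added example of that behaviour, written by the editor and not taken from GP 30-80 or any INEOS logic solver configuration. The tag name, setpoint and scan sequence are constructed, and the de-energise-to-trip convention (True = output energised) is an assumption.

```python
"""Added example, not GP 30-80 text: startup override for a low trip that is
applied manually, auto-reinstates when the process variable passes the setpoint
(12.3.h) and logs application and removal times (12.3.j). Tag, setpoint and
readings are constructed; True means the trip output stays energised."""
from dataclasses import dataclass, field


@dataclass
class StartupOverride:
    tag: str
    setpoint: float             # trip setpoint in engineering units
    trip_below: bool = True     # True for low level / low pressure trips
    active: bool = False
    log: list = field(default_factory=list)

    def apply(self, now, operator):
        """Manual application only; the logic never re-applies it by itself."""
        if not self.active:
            self.active = True
            self.log.append((now, self.tag, "OVERRIDE_APPLIED", operator))

    def evaluate(self, now, pv):
        """One scan. Returns True to keep the output energised, False to trip.
        The override is removed automatically the first time pv is healthy."""
        healthy = pv > self.setpoint if self.trip_below else pv < self.setpoint
        if self.active and healthy:
            self.active = False
            self.log.append((now, self.tag, "OVERRIDE_AUTO_REMOVED", "logic solver"))
        # while the override is active the trip is inhibited; afterwards the
        # normal trip logic applies with no operator action required
        return healthy or self.active


def simulate_startup():
    """Constructed scan sequence for a low pressure trip (setpoint 2.0 barg):
    pressure rises through the setpoint during startup, then later falls."""
    ovr = StartupOverride(tag="PZLL-101", setpoint=2.0)   # constructed tag
    readings = [(0, 0.0), (10, 0.5), (20, 1.5), (30, 2.3), (40, 2.8), (50, 1.2)]
    ovr.apply(now=0, operator="panel operator")
    outputs = [(t, ovr.evaluate(t, pv)) for t, pv in readings]
    return outputs, ovr.log


if __name__ == "__main__":
    outputs, log = simulate_startup()
    for t, energised in outputs:
        print(f"t={t:3d}s  output {'RUN' if energised else 'TRIP'}")
    for entry in log:
        print(entry)
```

The output stays energised while the override is active, the override drops out on its own at the scan where the pressure first exceeds the setpoint, and the later fall below the setpoint trips normally with no operator involvement, which is the property item h. asks for. The log carries both timestamps that item j. wants available.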

12.4. Sensors
a. Sensors shall comply with IEC 61511-1, Clause 11.6.
b. Inputs to the SIS should be through continuous analogue measurement devices, rather than
switches. These inputs should not use shared media (for example, Fieldbus) at IL 1 or
higher.
c. Transmitters used for trip shall:
1. Be separate from transmitters used for measurement, control, and alarm purposes
(subject to the exception in item e. below).
2. Use separate process tappings, particularly where impulse lines could become
blocked (plugged).
d. Trip and measurement transmitter sensors shall be in the same range, so that signal
comparison can be performed in the DCS [process automation system (PAS)] with alarm
on deviation above a set margin, typically 3%–5%. In addition:
1. Implementation shall be such that the integrity of the trip transmitter loop cannot be
impaired by failures of the DCS (PAS) or the communication system.
2. Credit for improved diagnostic coverage or safe failure fraction can then be taken [up
to the maximum 90% limit, if diagnostics are installed in the DCS (PAS)].
e. Multiple transmitters for the same measurement may be used for trip (in a voting
configuration) and measurement, control, and alarm purposes if:

1. Credible faults in the measurement, control, and alarm functionality cannot cause loss
of the safety function.
2. IL is 2 or lower.
f. Measurement devices used to initiate SIS action when the parameter exceeds a specified
level shall be reverse ranged or an individual alarm shall indicate loss of signal.
g. Measurements used as inputs to the SIS should relate closely to the potential hazard.
Inferred measurements should be avoided.
h. In selecting the value at which a shutdown is initiated, account shall be taken of the
following:
1. Need for a margin above the normal operating range to ensure transients or errors in
measurement do not lead to spurious tripping.
2. Need for a margin before reaching a limit point (for example, vessel design pressure,
setpoint of a relief valve, or overflow level). High pressure trip settings should not
exceed 90% of the setpoint of the associated relief valve.
3. Process dynamics in the event of a demand.
i. Sensors shall have ranges selected for effective accuracy at the shutdown value of the
abnormal plant condition. Additional over-range protection (for example, low pressure
switches or transmitters) may be required. The switching differential should be checked to
ensure that the switch or trip amplifier resets when plant conditions return to normal.
j. If over- or under-range protection is provided, consideration should be given to the effect
on reliability.
k. In selecting sensors to use for a response specified in the SIS Process Requirements
Specification, account shall be taken of the process delay at the point of measurement.
l. The following shall not be used on protective systems:
1. Mercury bottles as switching mechanism.
2. Filled systems for temperature switching.
3. Instruments that use self-balancing potentiometers.
4. Differential pressure switches where the switching differential is less than 10% of
absolute pressure.
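Items d., f. and h. of this subclause are illustrated by the following added example, which is not part of GP 30-80. It converts the trip and control transmitter signals (same range, per item d.) to engineering units, treats a loop current below a low limit as loss of signal (item f.), alarms when the two readings deviate by more than a margin of span (3%-5% per item d., 4% assumed here), and checks a proposed high pressure trip setpoint against the normal operating range and 90% of the relief valve setpoint (item h.). The 3.6 mA low limit follows the NAMUR NE 43 convention but is an assumption for this example; the ranges and readings are constructed.

```python
"""Added example, not GP 30-80 text: trip/control transmitter comparison with
loss-of-signal detection (12.4.d, 12.4.f) and trip setpoint margin check (12.4.h).
Sample ranges, currents and setpoints are constructed."""

LIVE_ZERO_MA, FULL_SCALE_MA = 4.0, 20.0


def ma_to_eu(ma, lo, hi):
    """Convert a 4-20 mA loop current to engineering units over range lo..hi."""
    return lo + (ma - LIVE_ZERO_MA) / (FULL_SCALE_MA - LIVE_ZERO_MA) * (hi - lo)


def compare_transmitters(trip_ma, ctrl_ma, lo, hi, margin=0.04, fail_low_ma=3.6):
    """Deviation check between the trip transmitter and the control transmitter.

    Both transmitters share the range lo..hi (12.4.d). A current below
    fail_low_ma is treated as loss of signal (12.4.f); 3.6 mA is an assumed
    NE 43 style limit. margin is a fraction of span (4 % assumed, within the
    3-5 % of 12.4.d). Returns "OK", "DEVIATION", "TRIP_TX_SIGNAL_LOSS" or
    "CTRL_TX_SIGNAL_LOSS".
    """
    if trip_ma < fail_low_ma:
        return "TRIP_TX_SIGNAL_LOSS"
    if ctrl_ma < fail_low_ma:
        return "CTRL_TX_SIGNAL_LOSS"
    span = hi - lo
    deviation = abs(ma_to_eu(trip_ma, lo, hi) - ma_to_eu(ctrl_ma, lo, hi)) / span
    return "DEVIATION" if deviation > margin else "OK"


def check_high_pressure_setpoint(trip_sp, normal_max, relief_sp, limit_fraction=0.9):
    """12.4.h: the trip setpoint must sit above the normal operating range and
    must not exceed 90 % of the relief valve setpoint. Returns findings
    (empty list means the setpoint is acceptable on these two criteria)."""
    findings = []
    if trip_sp <= normal_max:
        findings.append("trip setpoint inside normal operating range: spurious trips likely")
    if trip_sp > limit_fraction * relief_sp:
        findings.append(f"trip setpoint exceeds {limit_fraction:.0%} of relief valve setpoint")
    return findings


if __name__ == "__main__":
    # constructed sample: 0..10 barg range, trip tx 5.0 barg, control tx 5.2 barg
    print(compare_transmitters(12.0, 12.32, 0.0, 10.0))   # OK (2 % deviation)
    print(compare_transmitters(12.0, 13.0, 0.0, 10.0))    # DEVIATION (6.25 %)
    print(compare_transmitters(3.2, 12.0, 0.0, 10.0))     # TRIP_TX_SIGNAL_LOSS
    print(check_high_pressure_setpoint(8.0, 7.0, 10.0))   # []
    print(check_high_pressure_setpoint(9.5, 7.0, 10.0))   # one finding
```

Item d. places the comparison in the DCS (PAS), so a function like compare_transmitters belongs on the DCS side and only raises an alarm; it must never be in the path that can block or alter the trip transmitter loop, which is the point of item d.1.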

12.5. Logic systems

12.5.1. General
Organisations responsible for design and supply of SIS logic solvers shall be supplied with the
following information in the requisition:
a. Scope of supply as detailed in 12.5.2 below.
b. Copy of GIS 30-801, without blue comments text, detailing general requirements for logic
solvers.
c. Depending on the nature of the contract between IMSL (or its engineering contractor) and
the supplier of the SIS logic solver(s), there may be an opportunity for an iterative process
to finalise the requirements specification. This allows the supplier to offer its standard
specification as far as possible while still meeting IMSL requirements, giving the most
cost-effective compliant solution.

12.5.2. Scope of supply

12.5.2.1. General
a. Scope of supply shall include equipment, services, and information required for provision,
installation, testing, and maintenance of the SIS logic solver.
b. Scope of supply may include provision of information to enable the proposed logic solver
to be compliance-assessed.

12.5.2.2. SIS logic solver equipment and software
Scope of supply as defined in the requisition may include provision of any or all of the
following:
a. Manufacture and supply of the SIS logic solver, including the SIS logic solver internal
communication network. The technology of the SIS logic solver may be indicated in the
requisition, or may be at the discretion of the SIS logic solver Vendor.
b. Supply of SIS logic solver system software, if applicable.
c. Provision of the SIS logic solver external communication networks linking to:
1. The basic process control system (IMSL CS).
2. An external sequence of events recorder (SER).
3. Maintenance and engineering facilities.
4. Alarm and status displays.
d. Supply and engineering of SIS interface hardware and software to facilitate
communications.
e. Provision of an engineering/diagnostic workstation.

12.5.2.3. Configuration
Scope of supply may include the following configuration activities:
a. Configuration of I/O in accordance with I/O listings in the requisition. This includes
diagnostic functions to support selected I/O field devices. It may also include any “second
fault timers” required to manage allowable first fault periods in voted field devices where
the allowable time to repair is exceeded.
b. Configuration of SIS logic solver communications in accordance with communication
listings in the requisition.
c. Configuration of the SIS to perform functions detailed in the documents listed in the
requisition and provided on a medium as indicated in the requisition.
d. Configuration of trip settings, timers, etc.

12.5.2.4. System testing and compliance
Scope of supply may include the following services:
a. Factory acceptance testing (FAT) of the systems.
b. Provision of information to:
1. Demonstrate supplied equipment complies with functional, integrity and spurious trip
rate requirements.
2. Enable others to demonstrate that supplied equipment, when used in conjunction with
other subsystems, complies with IEC 61511.

12.5.2.5. Shipping, installation, maintenance and training
Scope of supply may include the following services:
a. Packing, shipping, and insurance up to and including point of delivery.
b. Provision of site assistance for specified installation, site acceptance testing (SAT), and
commissioning activities.
c. Supply of spare parts for the guarantee period.
d. Supply of documentation.
e. Training.
f. Provision of maintenance support for a specified period.

12.5.3. IMSL CS communication points
If external communication linking the SIS logic solver to the basic process control system
(IMSL CS) is to be supplied, the definition of the input and output points shall be provided and
specified in a standard database format. Point definitions may include:
a. For each analogue input to the IMSL CS:
1. Analogue measurement to IMSL CS. (SIS logic solver vendor shall indicate units
and resolution.)
2. Trip setting to IMSL CS.
3. Trip alarm to IMSL CS.
4. Measurement diagnostic status to IMSL CS.
5. Maintenance override (bypass) from IMSL CS.
6. Feedback on maintenance override to IMSL CS.
7. First-up indication to IMSL CS. (If this indication is not required, it shall be
indicated in the requisition.)
8. Input manual set (force) status (set or not set) to IMSL CS.
b. For each digital trip input to the IMSL CS:
1. Trip alarm to IMSL CS.
2. Input diagnostic status for inputs with line monitoring to IMSL CS.
3. Maintenance override (bypass) from IMSL CS.
4. Feedback on maintenance override to IMSL CS.
5. First-up indication to IMSL CS.
6. Input manual set (force) status (set or not set) to IMSL CS.
c. For fire and gas inputs to the SIS logic solver, point definition details depend on the
detectors used and shall be indicated in the requisition.
d. For each acknowledge and first-up reset and lamp test input, no signal to IMSL CS is
required from the SIS logic solver.
e. Relevant SIS logic solver input and output signals from the following:
1. Each first-up reset generated by the IMSL CS to the SIS logic solver.
2. Each operational override (bypass) input to the SIS logic solver also to IMSL CS.
3. Each reset and permissive input generated by the IMSL CS to the SIS logic solver.
4. Each reset and enable input to the SIS logic solver also to IMSL CS.

f. For each SIS logic solver output:
1. The output state to IMSL CS.
2. The status of fault and/or discrepancy flags to IMSL CS.
3. The output diagnostic status for outputs with line monitoring to IMSL CS.
4. The output manual set (force) status to IMSL CS.

12.5.4. Service SER point parameters
If an SER (sequence of events recorder) is required, the first-up groups, the points to be
recorded, and the definition of the parameters for each point shall be specified. Point
definitions may include:
a. For each hardwired analogue trip input to the SIS logic solver also to the SER:
1. Trip alarm.
2. Measurement diagnostic status (for example, out of range).
3. Maintenance override (bypass).
4. Feedback on maintenance override.
5. Input manual set (force) status.
b. For each hardwired digital trip input to the SIS logic solver also to the SER:
1. Trip alarm.
2. Input status (for example, signal line break).
3. Maintenance override (bypass).
4. Feedback on maintenance override.
5. Input manual set (force) status.
c. For fire and gas inputs, details depend on the detectors used (refer to requisition).
d. Relevant SIS logic solver input and output signals from the following:
1. Each hardwired acknowledge and first-up reset and lamp test input.
2. Each first-up reset input generated by the IMSL CS.
3. Each hardwired operational override (bypass) input.
4. Each reset and permissive input generated by the IMSL CS.
5. Each hardwired reset and enable input.
e. For SIS system and utility alarms, each individual system and utility alarm.

12.5.5. Input and outputs
a. A list of inputs and outputs, including the functional relationship between them, the
required ILs for each input and output expressed in the respective SIL, EIL and CIL
ratings, and revealed failure robustness requirements shall be provided. A clear written
description supported by a single graphical presentation is the minimum requirement.
b. Any time-dependent, operational mode dependent or sequential requirements shall be
specified.
c. Any required voting degradation on diagnosed faults in voted field device sub-systems
shall be specified.
d. The functional relationship may be specified by one or more of the following methods:
1. A cause and effect chart.

2. A written description.
3. A functional logic diagram drawn in failsafe mode using Boolean logic gates “and”,
“or” etc.
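The "second fault timers" of 12.5.2.3 item a. and the voting degradation of 12.5.5 item c. are illustrated together by the following added example, which is the editor's own and not taken from GP 30-80 or from any logic solver vendor's library. A 2oo3 group of pressure transmitters degrades to 1oo2 when one channel is diagnosed faulty; a timer started at the first fault trips the group if the allowable repair period expires, and a second diagnosed fault trips it immediately. The output follows the fail-safe convention of 12.5.5 item d.3 (True = healthy/permit, False = trip). The tag, the 72 h allowable period and the scan sequence are constructed.

```python
"""Added example, not GP 30-80 text: 2oo3 voted input group with degradation to
1oo2 on one diagnosed fault (12.5.5.c) and a second fault timer that trips the
group when the allowable first-fault period is exceeded or a second fault is
diagnosed (12.5.2.3.a). True = permit, False = trip. Values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    tripped: bool    # measurement beyond the trip setpoint
    healthy: bool    # diagnostics (line monitoring, range check) report the channel good


class VotedGroup2oo3:
    def __init__(self, tag, allowable_fault_hours):
        self.tag = tag
        self.allowable_fault_hours = allowable_fault_hours
        self.fault_since = None      # start of the first-fault period, None when all healthy
        self.events = []             # (time, tag, event) for the SER / operator log

    def scan(self, now_hours, channels):
        """Evaluate one logic solver scan. Returns True to permit, False to trip."""
        if len(channels) != 3:
            raise ValueError("2oo3 group needs exactly three channels")
        good = [c for c in channels if c.healthy]
        faults = 3 - len(good)
        if faults == 0:
            self.fault_since = None                              # repair completed
            return sum(c.tripped for c in channels) < 2          # normal 2oo3
        if faults == 1:
            if self.fault_since is None:
                self.fault_since = now_hours                     # start second fault timer
                self.events.append((now_hours, self.tag, "DEGRADED_TO_1oo2"))
            if now_hours - self.fault_since > self.allowable_fault_hours:
                self.events.append((now_hours, self.tag, "FAULT_TIMER_EXPIRED"))
                return False                                     # repair time exceeded
            return sum(c.tripped for c in good) < 1              # degraded 1oo2
        self.events.append((now_hours, self.tag, "SECOND_FAULT_TRIP"))
        return False                                             # two or more faults


def simulate():
    """Constructed scan sequence; times are hours since startup."""
    grp = VotedGroup2oo3("PT-201/202/203", allowable_fault_hours=72)   # constructed tag
    ok, hi, bad = Channel(False, True), Channel(True, True), Channel(False, False)
    seq = [
        (0,  [ok, ok, ok]),    # all healthy, none tripped
        (1,  [hi, ok, ok]),    # one high: 2oo3 holds
        (2,  [hi, hi, ok]),    # two high: trip
        (3,  [ok, bad, ok]),   # first diagnosed fault: degrade to 1oo2, timer starts
        (4,  [hi, bad, ok]),   # one of the remaining two high: trip in 1oo2
        (5,  [ok, bad, ok]),   # within allowable period: permit
        (80, [ok, bad, ok]),   # 77 h since fault, more than 72 h allowed: trip
        (81, [ok, bad, bad]),  # second diagnosed fault: trip
    ]
    return [(t, grp.scan(t, ch)) for t, ch in seq], grp.events


if __name__ == "__main__":
    results, events = simulate()
    for t, permit in results:
        print(f"t={t:3d} h  {'PERMIT' if permit else 'TRIP'}")
    for e in events:
        print(e)
```

The degraded 1oo2 state keeps the function available during the allowable repair period, but at the cost of a higher spurious trip rate; the reliability analysis of Clause 10 should cover that degraded state as well as the timer expiry, which is why 12.5.5 item c. asks for the required degradation to be stated explicitly rather than left to the vendor's default.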

12.6. Actuation
a. Devices used for final actuation shall comply with IEC 61511-1, Clause 11.6.
b. Operational constraints may make proof testing of the final actuated valve unfeasible at the
frequency necessary to ensure the target reliability is achieved. In such cases, the following
alternatives should be considered:
1. Facilities to allow partial stroke testing of the valve.
2. Additional valves arranged in parallel, with separate isolation and depressuring
facilities for online testing and maintenance without interruption of the process.
c. Speed and sequencing of operation of the valves shall be such that action does not cause
pressure surges in the pipework that may lead to equipment damage.
d. Trip valves used as part of a safety function shall not be used for other functions, unless it
can be shown that valve failures will not lead to a demand on the system. In addition:
1. Such valves shall have no manual bypass.
2. Handwheels shall not be installed.
3. If dual parallel valves are installed to enable online testing, isolation valves shall be
secured in such a way as to prevent unauthorised operation.
e. Single control valves may be used as the sole method of asset protection under the
following conditions:
1. Failure to function results only in commercial consequences.
2. Integrity level requirements are limited to IL 1.
3. Dangerous failure rate of the valve can be shown to be two orders of magnitude less
than the expected demand rate.
f. Shutdown and blowdown valves shall be selected in accordance with IMSL GP 62 series
practices.
g. Relays and solenoids shall be installed with correctly rated suppression devices connected
directly to the coils.
h. Solenoid coils shall:
1. Be dc operated.
2. Have insulation rated for continuous operation at the maximum ambient temperature,
with Class A of IEC 60085 as an overall minimum requirement.
3. Be capable of dissipating additional power resulting from a higher than normal supply
voltage during online boost charging of battery systems.
i. Solenoid valves should latch in the shutdown position and have facilities for local manual
reset only, except as otherwise permitted in item j. below.
j. If agreed with local management, solenoids may be reset from a central location or in the
field on a group basis (except for applications on fuel lines).
k. Actuation of electrical equipment by protective circuits shall be through interposing relays
located in separate cabinets.
l. Use of electrically driven valves is not preferred because of the difficulty in ensuring a
backup power supply.

m. Electric motor operated valve actuators for valves on protective duty shall conform to
GP 12-70. In addition:
1. If Local/Off/Remote switches are provided, they shall be capable of being padlocked.
2. An alarm should be annunciated in the control room to indicate that the motor
operated valve is inoperative for any reason (for example, power failure, or Stop
button pressed).
3. The reversing starter, interlocking, and signalling switches shall be integral with the
actuator.
n. If two or more electrically operated valves are to be interlocked (for example, to ensure
that a bypass valve is open before the line main valve is permitted to close and vice versa),
operation shall be interlocked only in the main electrical contactor circuits. Design shall
ensure that:
1. Interlocks are effective in all remote and automatic modes of control. If interlocking
is implemented in the main contactor, it should be interlocked in both local and
remote modes.
2. There are physical means of preventing selection of the local control mode.
3. Local mode selection should be prevented by padlocking the selector switch in the
auto or remote position. The selector switch should be unlocked only under a
controlled procedure.
o. Actuators installed to emergency shutdown valves on applications with safety,
environmental, or commercial consequences and with IL 3 or greater shall:
1. Comply with GP 62 series practices.
2. Have transducers to measure online performance.
3. Have valve fault alarms for operators when the actuator does not reach the required
position within a predetermined time period after action is initiated.
4. Have fault alarm power supply that is independent of the actuator power supply.
p. If valve status indication is required, proximity switches should be used.
q. If high diagnostic coverage is required, position transmitters on valves may be preferred
over position switches because they provide an indication over the full range of valve
travel.

12.7. Power supplies and cabling between subsystems
a. SIS logic systems shall have redundant power supplies with automatic changeover
facilities.
b. One of the SIS logic system power supplies shall be a UPS system.
c. Batteries used for the UPS shall be capable of maintaining power for logic and actuating
devices for a predefined period following a primary power supply failure. This predefined
period:
1. Shall be sufficient to allow an orderly shutdown of the process.
2. Shall depend on the complexity of the process and the available manning.
3. Should be agreed upon by operations management.
d. Logic power supply components should be arranged to permit removal of any one
component for maintenance while the system stays online and under power.
e. Relay systems shall be segregated into functional loops, each supplied through a separate
switch and fuse.

f. Nonearthed/nongrounded systems shall have double-pole power switches.
g. Separate power supplies should be used for actuation circuits unless it can be shown that
switching transients are unlikely to affect input or logic circuits.
h. Wiring and cabling shall be in accordance with IEC 61511-1, Clause 11.6.
i. Wiring and cabling for SIS shall not share cables, junction boxes or marshalling with non-
SIS equipment.
j. SIS cabling should avoid high fire risk areas.
k. Redundant signals for applications that require IL 3 and IL 4 should be diversely routed.

13. SIS Plans

13.1. Development of the installation plan


a. An installation plan shall be developed in accordance with IEC 61511-1, Clause 14
detailing the following:
1. Competency requirements for the installation contractor, including training
requirements.
2. Tools and workshop provisions necessary for installation.
3. Provisions for identification, storage, and security of equipment for the SIS.
4. Means of communicating to the installation contractor the function and integrity of
the equipment to be installed.
b. Installation plan shall be agreed upon by the installation contractor.
c. Field equipment should be installed in accordance with GP 30-25.

13.2. Development of the validation plan


a. A validation plan shall be developed in accordance with IEC 61511-1, Clause 15.
b. SIS logic systems shall be subjected to a factory acceptance test (FAT) and site acceptance
test in accordance with IEC 61511-1, Clause 13.

13.3. Development of the commissioning plan


a. A commissioning plan shall be developed in accordance with IEC 61511-1, Clause 14.
b. The commissioning plan shall detail validation activities to be performed at process
commissioning.

13.4. Development of operations and maintenance plans


a. Operations and maintenance plans shall be developed in accordance with IEC 61511-1,
Clause 16.
b. Operations and maintenance procedures shall comply with IEC 61511-1, Clause 16.
c. Functions designated as “No special safety requirements”, that is, below IL 1 integrity, and
implemented in general purpose equipment shall have appropriate operations, maintenance,
and modification plans and procedures. These shall reflect the lower criticality of such
functions while recognising that they can be relied on for risk reduction up to a factor of 10.
d. Strategy for spares holding and storage shall be specified, taking into account the
following:
1. Mean time to repair requirements.


2. Need for spares to be retained in an environment that ensures maximum reliability
when installed.

14. Installation

Installation shall be performed in accordance with:


a. Drawings, schedules, and specifications developed during the design.
b. Installation plan developed under Clause 13.1 of this GP.
c. IEC 61511-1, Clause 14.

15. Validation

Validation shall be performed in accordance with:


a. Validation plan developed under Clause 13.2 of this GP.
b. IEC 61511-1, Clause 15.

16. Commissioning

Commissioning shall be performed in accordance with:


a. Commissioning plan developed under Clause 13.3 of this GP.
b. IEC 61511-1, Clause 14.

17. Verification

A verification plan shall be developed in accordance with GP 30-75, Clause 12.

18. SIS documentation

18.1. General
a. Documentation shall comply with IEC 61511-1, Clause 19.
b. Comprehensive design dossiers describing all aspects of the SIS shall be developed for
distribution to operations and maintenance management.
c. Design dossiers shall be in both paper and electronic format.

18.2. Design dossier for safety and environmental integrity


Design dossier for safety and environmental integrity shall include at least the following
information or references to where the information can be found:
a. Reference to P&IDs, including issue/revision number, relating to the SIS design.
b. Cause and effect charts showing relationships between inputs and outputs.
c. Written description of the hazards being protected against.
d. Functional description of how the SIS is intended to work.
e. Full reliability analysis that includes fault trees detailing the relationship between system
failures and process demands.
f. Details of the methods used and the source of failure rate data.


g. Details of the Quality Assurance procedures that have been applied to the system design
and during system manufacture.
h. Details of the factory acceptance tests considered necessary at the Vendor location and of
the site acceptance tests.
i. A record of the factory acceptance tests carried out at the Vendor location and of the site
acceptance tests carried out before and during commissioning.
j. Details of proof tests necessary to ensure integrity is maintained in operation, including
details of test procedure and test programme.
k. Details of operational requirements and assumptions on how the system is to be operated,
which are included in the reliability analysis.
l. A list of all safety-critical items. These should not be modified without reviewing the
safety implications.
m. Design specifications for all safety-critical items.
n. The results of independent functional safety assessments.
o. Detailed design drawings showing process, electrical, pneumatic, hydraulic, and power
supply arrangements.

18.3. Design dossier for commercial integrity


For applications involving commercial integrity:
a. A design dossier shall be maintained for each asset loss application that requires integrity
levels of IL 2 or greater. Contents of this dossier should be similar to those defined above
for safety and environmental systems.
b. For systems with integrity level requirements of IL 1 or lower, documentation conforming
to generally agreed upon project procedures is adequate.

19. Independent functional safety assessment

a. The design of the SIS shall be subject to independent functional safety assessment in
accordance with GP 30-75, Clause 11.2.
b. Independent functional safety assessment shall be performed at two stages during the
activities covered in this GP:
1. After development of the SIS specification to confirm that all actions from previous
independent functional safety assessments have been implemented and that the design
of the SIS meets requirements.
2. Before commissioning to confirm that the SIS is correctly installed and appropriate
plans prepared for commissioning and operation and maintenance are in place.


Annex A
(Informative)
Choice of equipment or logic subsystems

A.1. General

The choice of equipment for logic subsystems is complex. The decision impacts cost and
schedule during project implementation and has a significant effect during the operations and
maintenance phase discussed in GP 30-81.
This annex gives information that should be considered when selecting such equipment.

A.2. Types of logic subsystem

Equipment that can be used for logic systems is described below.

A.2.1. Relay systems (electromechanical)

A.2.1.1. General
a. Relay systems should be used if the ease of application, reliability of operation, and low
cost are important. Typical applications include:
1. Interlocking and protection of spare pumps.
2. Protection of self-contained packages that need not be integrated with the remainder
of the process protection.
b. Relay systems can be cumbersome to design as fault-tolerant systems and have very
limited diagnostics capability.

A.2.1.2. Advantages of relay systems


Advantages of relay systems include:
a. Cost savings for small, simple systems.
b. Ease of troubleshooting for small systems.
c. Predictable failure modes.
d. Low failure rates.
e. Immunity to electromagnetic interference.
f. Technology that is well understood by facility maintenance personnel.
g. Minimal common cause issues compared to other technologies.
h. Greater difficulty in making changes assists in maintaining integrity.

A.2.1.3. Disadvantages of relay systems


Disadvantages of relay systems include:
a. Not cost competitive for large systems.
b. Difficult to implement for larger, complex systems.
c. Easily defeated (bypassed).
d. May have limited self-diagnostics, necessitating design of additional diagnostic
capabilities.


e. Failure robustness and redundancy may be difficult to implement.


f. Poor communication capability.
g. Fewer available personnel skilled in relay technology.
h. Reduced sales may result in reduced support.
i. Vibration concerns (for example, relays vibrating out of socket due to external causes, and
component and wiring failures due to relay pull in/out vibration sources).
j. Relay coils must be fitted with devices to limit the back EMF generated by a deenergizing
relay from propagating back through the logic.
k. Relay status indication is by either mechanical means or integral LED.
l. Relay contact arc suppression and protection requires either diodes or resistor-capacitor
networks for contacts that power inductive loads.
m. The need for a time delay function to avoid nuisance trips.
n. Cannot easily interface with analogue input devices.

A.2.2. Solid state systems (hardwired electronic logic)


a. Solid state systems should be used if the ease of application, greater reliability, and self-
checking capability are important.
b. Solid state systems are generally suitable if the system function is fixed and unchangeable.
Majority voting systems may be applied to achieve the desired reliability and availability.
c. Solid state systems may be used to build moderately large and complex systems.
d. Diagnostic technologies may be built in to cover the unpredictable failure modes of solid
state technology.
e. Advantages and disadvantages depend on the specific design.
f. Some designs have been compliance assessed (refer to Clause A.3 of this GP) and are well
suited for high-integrity applications that require a high level of assurance.

A.2.3. Programmable systems

A.2.3.1. General
Programmable systems may be considered in the following three categories:
a. Fixed program system – the function of the system is fixed and unchangeable.
b. Limited variability system – the user can configure the particular logic requirement,
typically provided by a PLC.
c. Full variability system – the system provides:
1. Facilities similar to those offered by limited variability systems.
2. Facilities similar to those in a minicomputer based real-time system (for example,
displays, high-level languages, and data links).

A.2.3.2. Advantages of programmable systems


Advantages of programmable systems include:
a. Space saving.
b. Low power.
c. Ease of configuration.


d. Ease of reconfiguration.
e. Fault diagnosis.
f. Simple interface to computers.
g. Can be self-documenting.

A.2.3.3. Disadvantages of programmable systems


Disadvantages of programmable systems include:
a. Regulatory authorities may impose strict limitations for their application on any safety-
related duty.
b. Sector guidelines may recommend a maximum IL for which programmable systems can be
used (for example, the United Kingdom Offshore Operators Association (UKOOA) guidelines
advise that programmable systems are not cost-effective for the few higher-rated
functions and, therefore, are not preferred for integrity levels above SIL 2).
c. Hardware and software faults (revealed or unrevealed) may result in common mode failure
and seriously impair functionality. Careful selection of vendor and vendor proposal is
essential to ensure:
1. Vendor has proven experience in the supply of similarly sized systems.
2. Vendor has established an effective QA system for both hardware and software
design and implementation; including modification procedures.
3. Bought-in hardware and software complies with subpoints 1 and 2 above.
d. Additional costs may arise in complying with software QA requirements.
e. Such systems can be complex, leading to more difficult and time-consuming fault finding,
which can lead to higher cost of training.

A.2.4. Pneumatic or hydraulic logic systems


These systems are applicable only to simple applications that do not require high integrity.

A.2.5. Hybrid system comprising more than one technology


a. Diverse systems based on more than one of the technologies above may have advantages
for specific applications.
b. Hybrid systems may be needed for high integrity applications if limitations of common
cause make it difficult to achieve the required PFD.
c. The diversity introduced may make support more difficult because of the extra need for
training, spares, and maintenance procedures.

A.3. Compliance assessed equipment

a. It can be difficult to demonstrate that equipment for logic processing can achieve a
specified IL.
b. Assessment of equipment for compliance requires special skills and may take significant
time.
c. The following evidence is valuable when determining the suitability of equipment for
specified ILs:
1. Equipment has been shown by independent compliance assessment to comply with
IEC 61508.


2. Systems have been independently assessed to previous standards (for example, the
German standard DIN VDE0801) for the associated risk class.
d. Independent compliance assessments on equipment are performed by TUV Rheinland in
Germany, FM Global Research in the U.S., INERIS in France, and others.
e. SIRA Test and Certification in the U.K. performs assessments under the CASS scheme of
the capability of organisations to manage functional safety.
f. Reasons why general-purpose programmable electronic systems (for example, industrial
PLCs, which are not specifically developed and assessed for safety applications) should
not be used for logic processing include:
1. Failure and failure modes – Because a single microprocessor is often used to execute
the application logic, failure of the microprocessor or associated components usually
results in some or all of the logic being halted, so plant protection may be lost.
2. The mechanism of a hardware failure cannot reliably be predicted, and a fault may lie
unrevealed. Therefore:
a) To overcome these two difficulties, it is necessary to arrange (usually by
external equipment) to detect failure and take action (usually by forcing plant
outputs to a safe state).
b) To reveal dormant faults, regular testing of the system is necessary.
c) Considering the outcome of the failure states is of utmost importance in facility
design.
3. In addition to hardware faults, software problems may occur. Software does not wear out or
fail randomly in the way hardware does, but systematic software faults may result from either:
a) Operating system software being insufficiently tested to reveal faults.
b) Application software being unable to cope with a particular facility condition.
4. Modifications – Programmable electronic systems provide flexibility and
convenience in configuring logic to meet facility requirements. A danger exists that if
such flexibility is applied in an uncontrolled manner, plant protection may be
downgraded due to indiscriminate modification of application software. Therefore,
application software should have closely controlled access and modification
procedures.
5. Overrides and interlocks – If application software has override (bypasses) or interlock
(permissive logic) capabilities, operators and plant managers should be informed that
the plant is being operated in such a manner. If the application of overrides (bypasses)
is not closely monitored, a danger exists that plant protection may be gradually
downgraded.


Annex B
(Informative)
Typical subsystem architectures

B.1. Introduction

a. This annex includes hardware options that normally meet the PFD and fault tolerance
requirements for a specified IL for a standard proof test interval of 1 year.
b. This annex is to be used for initial SIS design. Once the basic hardware selection has been
completed and data becomes available on the equipment to be used, a formal study will be
needed to confirm that requirements of IEC 61511-1 have been satisfied.

B.2. Architectures

a. Architecture required for a specified IL depends on a number of factors, not all of which
are known at an early stage.
b. During project execution, agreement upon an initial architecture to allow design and
procurement activities to proceed is often an early requirement.
c. Factors to consider in determining an architecture are listed below, along with assumptions
made in these example configurations:
1. Failure rate of subsystem components – a transmitter has been assumed and OREDA
has been used as the data source.
2. Diagnostic coverage of subsystem components – assumed to be zero.
3. Safe failure fraction of subsystem components – assumed to be higher than 60%, based
on the assumption that, on loss of power or signal, the signal goes to the state that
initiates the trip (that is, the subsystem fails safe).
4. Number of actions that need to function to achieve success – assumed that one input
is required to initiate the logic and one output is required to isolate one stream only.
5. Redundancy arrangement of subsystems – as indicated.
6. Beta factor – assumed to be 5%.
7. Proof test interval of components – assumed to be 1 year.
8. Test coverage of proof testing – assumed to be 100%.

B.3. IL 1 configuration

a. Architecture shown in Figure B.1 should provide appropriate reliability and fault tolerance
on the following conditions:
1. Control valve failure does not cause a demand on the SIS.
2. Tight shutoff is not required.
3. Control valve is not subject to such erosion or corrosion that it would not be able to
achieve shutoff requirements.


Figure B.1 – Architecture for IL 1 subject to conditions

b. Architecture shown in Figure B.2 should provide appropriate reliability and fault tolerance
for IL 1 applications that do not meet the application conditions for Figure B.1.

Figure B.2 – Architecture for IL 1 (no conditions)

B.4. IL 2 configuration

a. Architecture shown in Figure B.3 should provide appropriate reliability and fault tolerance
on the following conditions:
1. Control valve failure does not cause a demand on the SIS.
2. Tight shutoff is not required.
3. Control valve is not subject to such erosion or corrosion that it would not be able to
achieve the shutoff requirements.
b. Where the above conditions are not satisfied, the control valve shall be replaced with a
shutoff valve.


Figure B.3 – Architecture for IL 2 for specified conditions

B.5. IL 3 configuration

a. Architecture shown in Figure B.4 should provide appropriate reliability and fault tolerance
on the following conditions:
1. Control valve failure does not cause a demand on the SIS.
2. Tight shutoff is not required.
3. Control valve is not subject to such erosion or corrosion that it would not be able to
achieve the shutoff requirements.
b. To reduce common cause, consideration should be given to multiple physical
measurements (for example, pressure and temperature). Options available include use of:
1. Single solenoid-operated valve (SOV).
2. Shorter test interval.

Figure B.4 – Architecture for IL 3 for specified conditions

c. Architecture shown in Figure B.5 should provide appropriate reliability and fault tolerance
for IL 3 applications that do not meet the application conditions for Figure B.4.
d. If the application conditions for Figure B.4 are not met, limited credit should be taken for
the control valve because, for some demands, the control valve is incapable of terminating the hazard.


e. IL 3 integrity should also be achieved with the two shutoff valves and without the control
valve.

Figure B.5 – Architecture for IL 3 (no conditions)

B.6. IL 4 configuration

a. A formal quantitative risk and reliability assessment is required in all cases for IL 4.
b. Reliability assessments should include:
1. Detailed consideration of common cause factors.
2. Human factor issues in maintenance, testing, and operation.
c. To achieve IL 4, consideration should be given to using multiple diverse physical
measurement and multiple diverse effects (for example, stop pump as well as close valves).
d. IL 4 will likely require shorter test intervals than 1 year.


Annex C
(Informative)
System design for robustness

C.1. Introduction

a. Spurious tripping of an SIS due to revealed (safe) faults may result in the following
consequences:
1. Lost production and/or lost market opportunities.
2. Lost inventory.
3. Environmental impact due to flaring or venting.
4. Additional hazards during shutdown or subsequent startup due to failures in the
process equipment or the SIS.
5. Stressing of equipment due to sudden change in system (for example, pressure,
temperature) that may, in some cases, cause the need for earlier maintenance.
6. Additional demands on other protection functions.
b. The first two consequences in the above list may be determined on a quantitative basis.
Remaining items should be considered on a qualitative basis.
c. The minimum SIS subsystem architecture required to achieve a specified IL should be
reviewed to determine whether additional equipment is justified to reduce probability of
the consequences listed above.
d. This annex describes a procedure to evaluate whether expenditure on additional equipment
is justified.

C.2. Evaluation of cost of spurious trips

a. Basic consequences of spurious tripping should have been evaluated when the SIS Process
Requirements Specification was developed as described in GP 30-76.
b. To evaluate expected annual costs of these consequences, information is required on
reliability of individual elements of the system.
c. In most cases, vendors should be able to provide data on equipment reliability. Such data
may also be available from within IMSL or from industry databases. However, care is
needed to ensure that provided data relates to spurious trip rate of the specific function
rather than overall reliability of the component.
d. In the case of an output card within an SIS logic solver, vendors may provide an overall
figure for the rate of failure to a safe condition. This figure may be relatively high because
it may include all output channels and ancillary functions (for example, communication
interfaces for status reporting). Data used should relate only to failures that cause change
of state for specific outputs used by the safety function. Care is also needed in cases where
diagnostics can be programmed to force signals to the high or low state.
e. Requirements that relate to actions on diagnosis of a fault in Clause 9.1.e through i of this
GP and IEC 61511-1, Clause 11.3 should be noted. Normally, a shutdown should be
assumed if a fault is diagnosed in a nonredundant system.
f. Evaluation of cost of spurious trips per year (CST) should be investigated under the
following three headings:


1. Costs associated with the sensor and logic function. In general, the architecture for logic
inputs, processing, and outputs follows the same architecture as the sensor
arrangement.
2. Costs associated with solenoid valve failures. In some cases, it is practicable to reduce
spurious trip rate by using robust architectures for solenoid valves.
3. Costs associated with the valve and actuator function. In general, costs of achieving
robust architectures for process valves are higher than costs associated with spurious
trips. Arranging valves on a 2oo2 basis also leads to an increase in average PFD.

C.3. Evaluation of the cost of additional equipment for robustness

a. For each function that includes a nonrobust subsystem, the costs of additional equipment
(CAE) for robustness should be evaluated.
b. Additional costs should be evaluated under the same three headings as listed in Clause C.2
above. Additional equipment required and additional costs are vendor specific. In general,
1oo2D architectures are more cost-effective than 2oo3 architectures.
c. Cost criteria for robustness depend on project requirements for rate of return. In general,
the required payback period is a maximum of 3 years, but alternate criteria may be
preferred on a specific project. In performing calculations, it is normal to assume that the
CST is reduced to negligible levels once a robust architecture is used.
d. Costs should be annualised by:
1. Taking additional capital costs associated with purchase, design, and installation.
2. Dividing by 3.
3. Adding annual maintenance costs for testing and equipment replacement.

C.4. Criteria for robustness

Robust architectures should be installed in the following cases:


a. CST exceeds the annualised CAE.
b. Environmental impact due to flaring or venting is judged to be unacceptable.
c. Spurious tripping is the dominant cause of demands on another protection system.

C.5. Example

a. A nonredundant system has been identified as the minimum architecture for an IL 1
system.
b. The following data relates to the application and the system used:
1. Consequence of spurious trip is production loss of 8 hours.
2. Marginal loss of profit for process is $10 000 per hour.
3. Transmitter safe failure rate is 5E–6 per hour.
4. Logic input, processing, and output safe failure rate is 2E–6 per hour.
5. Additional cost of equipment for failure robustness is $2 000 per year.
6. CST = $10 000 per hour x 8 hours x (5E–6 + 2E–6) per hour
= $5,6E–1 per hour (that is, $0,56 per hour)
= $0,56 per hour x 8 760 hours per year = $4 900 per year.


7. CAE = $2 000 per year.


c. Because CST ($4 900 per year) is greater than CAE ($2 000 per year), the criterion of
Clause C.4.a is met and installation of a robust sensor and logic arrangement is justified.
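The procedure of Clauses C.2 to C.5 carried through in code, as an added example that is not part of the GP. It uses the GP's own figures from Clause C.5 and from the sensor row of Table D.1 in Annex D; the 8 760 hours per year and the 3-year payback period are the assumptions stated in Clauses C.5 and C.3.c, and the function and variable names are the example's own.

```python
"""Annex C robustness economics: annual cost of spurious trips (CST) against
the annualised cost of additional equipment (CAE).

Added illustration, not part of the GP. Figures are the GP's own (Clause C.5
and the sensor row of Table D.1); 8 760 h/year and the 3-year payback period
are the GP's stated assumptions.
"""

HOURS_PER_YEAR = 8760
DEFAULT_PAYBACK_YEARS = 3  # Clause C.3.c: payback period of at most 3 years


def spurious_trips_per_year(safe_failure_rates_per_hour):
    """Expected spurious trips per year for a nonredundant (1oo1) chain.

    In a 1oo1 arrangement any safe (revealed) failure along the chain trips
    the function, so the spurious trip rate is the sum of the elements' safe
    failure rates. Clause C.2.c: the data must be the spurious trip rate of
    the specific function, not the overall failure rate of the component.
    """
    return sum(safe_failure_rates_per_hour) * HOURS_PER_YEAR


def spurious_trip_cost_per_year(cost_per_trip, safe_failure_rates_per_hour):
    """CST: cost of one trip multiplied by the expected trips per year."""
    return cost_per_trip * spurious_trips_per_year(safe_failure_rates_per_hour)


def annualised_cae(capital_cost, annual_maintenance_cost,
                   payback_years=DEFAULT_PAYBACK_YEARS):
    """Clause C.3.d: capital (purchase, design, installation) divided by the
    payback period, plus the annual cost of testing and replacement."""
    return capital_cost / payback_years + annual_maintenance_cost


def robustness_justified(cst, cae_per_year,
                         environmental_impact_unacceptable=False,
                         dominant_cause_of_demands=False):
    """Clause C.4: a robust architecture is installed when CST exceeds the
    annualised CAE, or on either of the two qualitative grounds."""
    return (cst > cae_per_year
            or environmental_impact_unacceptable
            or dominant_cause_of_demands)


def clause_c5_example():
    """Clause C.5 data: 8 h outage at $10 000/h, transmitter 5E-6/h and
    logic 2E-6/h safe failure rates, $2 000/year for failure robustness."""
    cost_per_trip = 10_000 * 8
    cst = spurious_trip_cost_per_year(cost_per_trip, [5e-6, 2e-6])  # $4 905.6/year
    cae = 2_000.0  # already given per year in Clause C.5.b.5
    return {"cst": cst, "cae": cae, "justified": robustness_justified(cst, cae)}


def table_d1_sensor_row():
    """Table D.1 sensor row: one transmitter at 1E-6/h, $10 000 per trip
    (Clause D.3.d), $3 000/year for robustness."""
    cst = spurious_trip_cost_per_year(10_000, [1e-6])  # $87.60/year
    cae = 3_000.0
    return {"cst": cst, "cae": cae, "justified": robustness_justified(cst, cae)}


if __name__ == "__main__":
    for name, result in (("Clause C.5", clause_c5_example()),
                         ("Table D.1 sensor", table_d1_sensor_row())):
        print(f"{name}: CST ${result['cst']:.2f}/yr, CAE ${result['cae']:.2f}/yr, "
              f"robustness justified: {result['justified']}")
```

The comparison direction matters: robustness is justified only when the expected annual trip cost exceeds what the extra equipment costs per year, which is the case for the Clause C.5 data ($4 905.6 against $2 000) and not for the Table D.1 sensor ($87.60 against $3 000).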


Annex D
(Informative)
Example of the development of an architecture for a SIS

D.1. General

This annex describes an example architecture that could be developed for SIS.

D.2. Process and background

a. The process considered in this example involves the reaction of two liquids within a
catalytic reactor.
b. The reactor is designed for the process pressure and temperature that exists under normal
operation, but not for the pressure if heat is not removed or the exit valves are closed.
c. The two liquids are supplied from headers at a pressure above reactor design pressure.
d. The reactor has a thermal relief valve.
e. The pressure in the headers is sufficient to cause a major failure of the reactor if the outlet
flow is stopped. The pressure will also rise above failure pressure of the reactor if
insufficient cooling is provided.
f. The reactor is provided with an SIS to prevent overpressure.
g. The arrangement of process and SIS is shown in Figure D.1.

Figure D.1 – Process plant and SIS

[Figure not reproduced in this extract. Tags recoverable from the drawing: PT feeding the SIS
Logic and PV; on each of the Chemical A and Chemical B feed lines, FT, FIC, FCV and ESDV; on
the Reactor (Vessel), TT, TIC and TCV on the cooling water, and LT, LIC and LCV.]

D.3. Process Requirements Specification

The following process requirements for this example are derived from Annex E of GP 30-76:
a. Process function – If the pressure in reaction vessel XYZ rises above 90% of the maximum
allowable working pressure, the flow of Chemical A and Chemical B shall be reduced
below 25% of the capacity of the thermal relief valve within 5 seconds.
b. Integrity level – The function has the following integrity levels – SIL 2, EIL 0, and CIL 2.
c. Mode of operation – Demand mode.
d. Spurious tripping will result in a commercial loss of $10 000.

D.4. Selection of equipment for subsystems

In this example, equipment is selected for the subsystems as follows:


a. Sensor – Smart transmitters are commercially available that are compliance assessed
against the requirements of IEC 61508 (Parts 2 & 3) by an independent agency. The
subsystem specification includes this as a requirement.
b. Logic system – Logic systems are commercially available that are compliance assessed
against the requirements of IEC 61508 (Parts 2 & 3) by an independent agency. The
subsystem specification includes this as a requirement. A programmable system is used
with a minimum safe failure fraction of 90%.
c. Valves – Ball valves are used with spring return actuators that close the valve in the event
of loss of air or actuator failure. The valve is not compliance assessed, but has been
assessed as suitable based on prior use. The assessment based on prior use will have
considered the operational profile and a document detailing the previous experience will be
compiled.

D.5. Selection of SIS architecture

a. In this example, the minimum architecture for each subsystem is determined as follows:
1. Sensor – The sensors have been compliance assessed as meeting SIL 2 requirements
for a nonredundant configuration. In addition:
a) Clause 9.1.e through i of this GP requires a review to consider suitability in the
event of a failure being diagnosed.
b) The sensors have comprehensive diagnostics.
c) The system is operating in low-demand mode.
d) In the event of a dangerous failure being detected, there is no equivalent
protection available from other safety layers.
e) The requirements of IEC 61511-1, Clause 11.3 are to shut down in the event of a
failure being diagnosed.
f) The failure rate of the sensors is low and it is considered that this is acceptable.
g) Clause 9.1.j of this GP requires consideration of failure robustness.
h) The cost of a spurious trip has been determined to be $10 000 (Clause D.3.d), giving the CST per year shown in Table D.1.
i) From Table D.1, it has been determined that failure robustness is not justified in
this case.
2. Logic system – The SIS logic solver has been compliance assessed as meeting SIL 2
requirements for a nonredundant configuration. In addition:


a) Clause 9.1.k of this GP specifies that programmable logic systems shall be
failure robust.
b) Architecture based on 1oo2D or 2oo3 will be used.
3. Valves – IEC 61511-1, Clause 11.4.3 refers to Table 5b for the fault tolerance
requirements for valves. The table gives a fault tolerance of 1 for SIL 2. Clause 11.4.4
allows the fault tolerance to be reduced by 1 on condition that all the following are
met:
a) Hardware of the device is selected on the basis of prior use (refer to
IEC 61511-1, Clause 11.5.3).
b) Device allows adjustment of process-related parameters only (for example,
measuring range, and upscale or downscale failure direction).
c) Adjustment of process-related parameters of the device is protected (for
example, jumper or password).
d) The function has an SIL requirement less than 4.
b. SIS architecture complies with conditions in IEC 61511-1, Clause 11.4.4.
c. Minimum fault tolerance for the valves is determined as 0.

Table D.1 – Robustness considerations

Subsystem       | Failure rate/hr | Number | CST per year | Annual cost of robustness | Robustness justified
Sensor          | 1E–6            | 1      | $87,60       | $3 000                    | No for sensors
Solenoid valves | 2E–6            | 2      | $340         | $8 000 (Note 1)           | No for solenoid valves
Process valves  | 2E–6            | 2      | $340         | Note 2                    | No for valves

Additional consequences (the same for each subsystem): product is not released; no environmental
impact; no demand on other protection; no additional hazards during startup or shutdown.

Notes:
1. Solenoids for robustness cannot be arranged as 2oo2 because this increases the PFD. They need to be arranged 2oo3,
which requires 6 solenoid valves.
2. Valves for robustness cannot be arranged as 2oo2 because this increases the PFD. They need to be arranged 2oo3,
which is not practicable.

D.6. Reliability analysis of the proposed architecture

a. Tables in IEC 61508-6 are used to determine the average PFD for the minimum
architectures as developed in this example.
b. Subsystem vendors have provided information on the dangerous failure rate of the
equipment they provide.
c. The SIS is operating in demand mode, so the appropriate measure is average PFD.
d. A minimum proof test interval of 6 months has been agreed upon with the facility
maintenance team.
e. The contribution of each subsystem is shown in Table D.2.
Table D.2 – PFD calculation

| Subsystem | Architecture | Failure rate/hr | Table in IEC 61508-6 | Diagnostic coverage | Beta factor | Number | PFD per element | PFD subsystem |
|---|---|---|---|---|---|---|---|---|
| Sensors | 1oo1 | 1E–6 | B.2.3 | 90% | Not used | 1 | 1,1E–4 | 1,1E–4 |
| Logic | 1oo2D | 1E–6 | B.2.3 | 90% | 10% | 1 | 1,1E–5 | 1,1E–5 |
| Solenoid valves | 1oo1 | 2E–6 | B.2.3 | 0% | Not used | 2 | 2,2E–3 | 4,4E–3 |
| Process valves | 1oo1 | 2E–6 | B.2.3 | 0% | Not used | 2 | 2,2E–3 | 4,4E–3 |
| Total | | | | | | | | 8,9E–3 |

f. Results of the reliability calculation are also shown in Table D.2. Further explanation of
the calculation method is included in IEC 61508-6.
g. The average PFD for the overall system is calculated as 8,9E–3. This is within the SIL 2
range, so the proposed architecture is acceptable from a reliability consideration.
h. Further optimisation of test intervals may be considered. Analysis of the figures suggests
that the test interval for sensors and logic may be extended without significant impact on
the overall reliability.
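The arithmetic behind Table D.2 and item h, as an added example that is not part of this GP: it applies the IEC 61508-6 simplified equation for a 1oo1 channel with the 6 month proof test interval agreed in D.6, takes the 1oo2D logic solver figure from Table D.2 as given, and assumes (an assumption made here, not stated in the GP) that half of each quoted failure rate is dangerous and that the mean time to restoration is 8 h. With those inputs it reproduces the sensor, valve and total figures of Table D.2, and lets the sensor proof test interval be varied to check the claim in item h.

```python
"""Average PFD for the Annex D example (added example; inputs from Table D.2). ASSUMPTIONS not
stated in the GP: half of each quoted failure rate is dangerous; MTTR = MRT = 8 h."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
SIX_MONTHS_H = HOURS_PER_YEAR / 2   # proof test interval agreed in D.6 item d

@dataclass(frozen=True)
class Subsystem:
    name: str
    failure_rate: float              # total failure rate per hour (Table D.2)
    diag_coverage: float             # fraction of dangerous failures revealed by diagnostics
    number: int                      # identical elements in series; each must act, so PFDs add
    dangerous_fraction: float = 0.5  # ASSUMPTION, see module docstring
    mttr_h: float = 8.0              # ASSUMPTION, see module docstring

def pfd_1oo1(s, t1_h):
    """IEC 61508-6 simplified equation for a single 1oo1 channel:
    PFD_avg = lambda_DU * (T1/2 + MRT) + lambda_DD * MTTR, with MRT = MTTR."""
    lam_d = s.failure_rate * s.dangerous_fraction
    lam_du = lam_d * (1.0 - s.diag_coverage)   # dangerous, undetected until proof test
    lam_dd = lam_d * s.diag_coverage           # dangerous, detected by diagnostics
    return lam_du * (t1_h / 2.0 + s.mttr_h) + lam_dd * s.mttr_h

def pfd_subsystem(s, t1_h):
    """Series combination of the subsystem's elements (Table D.2 'Number' column)."""
    return s.number * pfd_1oo1(s, t1_h)

def sil_for_pfd(pfd):
    """Low-demand SIL band from IEC 61511-1 Table 3; 0 means outside the SIL 1 to 4 bands."""
    for lower, sil in ((1e-5, 4), (1e-4, 3), (1e-3, 2), (1e-2, 1)):
        if lower <= pfd < lower * 10:
            return sil
    return 0

SENSORS = Subsystem("sensors", 1e-6, 0.90, 1)
SOLENOID_VALVES = Subsystem("solenoid valves", 2e-6, 0.0, 2)
PROCESS_VALVES = Subsystem("process valves", 2e-6, 0.0, 2)
LOGIC_1OO2D_PFD = 1.1e-5   # taken as given from Table D.2; the 1oo2D equation is not reproduced

def system_pfd(sensor_t1_h=SIX_MONTHS_H, valve_t1_h=SIX_MONTHS_H):
    """Total average PFD of the series SIS; separate intervals let item h be checked."""
    return (pfd_subsystem(SENSORS, sensor_t1_h) + LOGIC_1OO2D_PFD
            + pfd_subsystem(SOLENOID_VALVES, valve_t1_h)
            + pfd_subsystem(PROCESS_VALVES, valve_t1_h))

if __name__ == "__main__":
    for t1 in (SIX_MONTHS_H, HOURS_PER_YEAR):   # item h: relax the sensor proof test interval
        total = system_pfd(sensor_t1_h=t1)
        print(f"sensor T1 {t1 / HOURS_PER_YEAR:.1f} yr: PFD {total:.2e}, SIL {sil_for_pfd(total)}")
```

Doubling the sensor proof test interval to 12 months moves the total from about 8,9E–3 to about 9,0E–3, still inside the SIL 2 band, which is the effect item h describes.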

D.7. Architecture adopted

The selected architecture for the example application is shown in Figure D.2.

Figure D.2 – SIS system architecture

[Figure not reproduced. Recoverable content: PT -> 1oo2D logic system (two logic system channels) -> SOV -> ESDV.]
