Safety Instrumented Systems (SIS)

& Layers of Protection

Section 13

Verification & Validation

Section 13 Haward Technology Middle East 1


TABLE of CONTENTS
▪ Introduction
▪ Verification
▪ Validation
▪ A Structured Approach
▪ System Decomposition
▪ Test Planning

Introduction

INTRODUCTION
▪ We all know that the best design is only as good as its
implementation. That's why designing a safety
instrumented system (SIS) to meet safety requirements
isn't enough. It is necessary to prove that
• Each step of the design effort meets the appropriate
requirements as defined in the safety requirements
specification (SRS)
• The installed SIS will carry out its safety function.

INTRODUCTION
▪ These two activities are called verification and
validation.
• Verification takes place at each step in the safety
lifecycle.
• Validation occurs after the system is installed and
before it's put into service.
▪ Both activities help remove as many systematic failures
from the SIS as possible. Systematic failures are those
"built into" the system as a result of human error, as
opposed to random failures that happen when
equipment breaks down.

INTRODUCTION
▪ This section shows how verification and validation
provide a high level of assurance that the SIS will
operate in accordance with its safety requirements
specification (SRS).
▪ This section also shows a way to structure verification
and validation efforts so that they are more manageable,
and how good documentation practices help produce (and
maintain) the proof that the SIS is properly designed
and implemented.

Verification

VERIFICATION
▪ Verification occurs at the end of every step of the
safety lifecycle. It demonstrates that the work has met
all the objectives and requirements for that specific
activity.
▪ Verification (and documentation of the results) takes
place at each stage of the safety lifecycle.

VERIFICATION
▪ Verification may be carried out through analysis, testing,
or a mixture of the two. Activities might include
• Reviews of documents from all phases of the safety
lifecycle to ensure compliance with the objectives
and requirements
• Design reviews
• Tests of the designed products to ensure that they
perform according to their specification. This is
especially valuable for modular components — such as
the code for a voter algorithm — that will be reused
many times.
• Integration tests performed when different parts of
the system are put together.
• Verification activities and their results are
thoroughly documented, to show not only that the
design met its requirements, but also that the checks
confirming it were actually carried out and that any
necessary fixes were made.

Validation

VALIDATION
▪ Validation builds on the verification activities by adding
thorough testing of the completed SIS to prove that
everything works as it should. It demonstrates that
every safety function in the SIS, as well as the SIS
itself, meets every requirement in the safety
requirements specification (SRS).
▪ While verification is performed throughout the project
and can be carried out wherever the work is being
done, validation happens only on site, after the system
has been installed and commissioned.

VALIDATION
▪ Among other things, validation tests may include
confirming that:
• The system functions properly in all relevant modes
of operation (start-up, shutdown, automatic, semi-
automatic, etc.)
• The SIS satisfactorily performs under normal and
abnormal operating modes as defined in the SRS
• Interaction of the BPCS and other connected
systems doesn't affect or restrict the SIS's ability to
respond

• Sensors, logic solvers, and final control elements
(including redundant channels) perform as required
• The SIS performs appropriately on invalid process
values, such as "out of range" sensor values
• The SIS performs as designed on loss and restoration
of utilities, such as electrical power, instrument air,
or hydraulics.

VALIDATION
▪ Validation requires precise planning to identify and
document the procedures, measures, and tests that will
be used, as well as the order and schedule of the tests
and the competencies required of the staff who will
perform them.
▪ It can be a major job that requires a lot of
resources. But when it is remembered that the SIS
exists to protect a community, neighbors, family, co-
workers, and the environment, doing anything less isn't
an option.
• And fortunately, there are ways to make the task
more manageable.

A STRUCTURED APPROACH

A STRUCTURED APPROACH
▪ This well-understood, well-documented model breaks
the work into three phases:
• Installation qualification (IQ)
• Operational qualification (OQ)
• Performance qualification (PQ)

A STRUCTURED APPROACH
▪ As previous sections noted, IEC 61511 defines what
must be done and why, leaving the final determination
of how to do it to the individual company.
▪ The project team can organize and conduct the
verification and validation processes in whatever way
makes sense for the particular situation, as long as the
team produces documented evidence that the SIS
complies with the SRS.

A STRUCTURED APPROACH
▪ But rather than going through all the effort to create a
unique validation approach, consider adopting one that
is already commonly used in industry. Although not
defined in IEC 61511, one widely used example is the
structured approach prescribed by the U.S. Food &
Drug Administration (FDA) to validate basic process
control systems.

A STRUCTURED APPROACH
▪ Installation Qualification tests and documents that the
individual physical aspects of the SIS solution, its devices
and subsystems, are installed correctly. It occurs before
power is introduced.
▪ For the ammonia tank example we introduced in an
earlier section, IQ could include confirming that the
pressure sensors installed on the tank are the correct
model, have the required safety-related documentation,
have been installed according to the design and
manufacturer specifications, are wired correctly, and
have all switches and jumpers set properly.

A STRUCTURED APPROACH
▪ Operational Qualification tests and documents that the
individual physical and software aspects of the SIS
solution work the way they should. Like IQ, OQ tests
devices and subsystems.
▪ For example, it may be necessary to check that each
sensor has the correct voltages, that the partial-stroke
testing is correctly configured in the valve controllers,
and that the logic solvers have their configuration
downloaded and are reporting no errors.

A STRUCTURED APPROACH
▪ Performance Qualification tests and documents that the
SIS as a whole is capable of performing the defined
safety functions according to the SRS.
▪ PQ is an integrated test of procedures, personnel,
processes, and the complete SIS. It occurs after all IQ
and OQ activities for both physical (hardware) and
functional (software) aspects of the SIS have been
completed. Any problems found during PQ must be
investigated, fixed, and documented.

A STRUCTURED APPROACH
▪ Because IEC 61511 represents a framework for applying
good practices to achieve a robust SIS solution,
adopting existing good practices like the IQ-OQ-PQ
approach makes more sense than creating them from
scratch.
▪ This effort can be further simplified by conducting
testing on a safety function-by-safety function basis.
▪ This is referred to as "decomposition".

System Decomposition

SYSTEM DECOMPOSITION
▪ Verifying and validating a complete SIS can be a very
daunting task unless it is broken down into manageable
chunks.
▪ One way to do this is by decomposing the SIS solution
into its safety instrumented functions (SIFs) and
identifying the devices and subsystems that carry out
each SIF. Looking at each component separately makes
it easier to identify and document the required skills,
test equipment, testing structure, and sign-off sheets
for specific parts and subsystems.

SYSTEM DECOMPOSITION
▪ For example, it may be that some parts and
subsystems, such as sensors and final control elements,
are specific to a safety function. Others, such as AC
and DC power, grounding systems, and communications,
are more "generic."
▪ It is therefore possible to structure the efforts to first
confirm that the generic elements are providing the
necessary services or capabilities to support all safety
functions.

SYSTEM DECOMPOSITION
▪ Once it has been established that this is the case, it
can then be verified that elements unique to each
safety function are also working properly. This
approach avoids re-testing the same generic elements
for each safety function.
▪ For the system shown in the next slide, for example,
decomposition enables validation of the power supply
only once, without having to test it again for each of
the safety functions it supports.

SYSTEM DECOMPOSITION
▪ The same principle applies to the logic solver on the
left in the diagram. Once it has been established that
its generic capabilities are operating correctly (for
example, that there are no diagnostic errors, the power
supplies are okay, and the network is working), there is
no need to retest these same functions for every SIF
the logic solver supports. However, it is still necessary
to validate that every SIF works correctly in accordance
with the safety requirements specification.
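An added example (not from the course material) of the decomposition described above, written as a test-plan generator: services shared by every SIF are qualified once, SIF-specific elements once per SIF, and PQ runs per SIF; the SIF list, tag names and element names are constructed.

```python
# Constructed decomposition for the example: each SIF lists the devices and
# subsystems it relies on. "LS-A" is the shared logic solver; "24VDC", "GND" and
# "NET" are the power, grounding and communications services every SIF uses.
SIFS = {
    "SIF-01 tank high pressure": ["PT-101", "PT-102", "PT-103", "LS-A", "XV-101", "24VDC", "GND", "NET"],
    "SIF-02 tank high level":    ["LT-201", "LS-A", "XV-201", "24VDC", "GND", "NET"],
    "SIF-03 compressor trip":    ["TT-301", "LS-A", "XV-301", "24VDC", "GND", "NET"],
}

def classify_elements(sifs):
    """Split elements into generic (relied on by every SIF) and SIF-specific."""
    usage = {}
    for sif, elements in sifs.items():
        for element in elements:
            usage.setdefault(element, set()).add(sif)
    generic = sorted(e for e, users in usage.items() if len(users) == len(sifs))
    specific = {sif: [e for e in els if e not in generic] for sif, els in sifs.items()}
    return generic, specific

def build_test_plan(sifs):
    """Ordered (phase, target, element) steps; no element is qualified twice."""
    generic, specific = classify_elements(sifs)
    plan = []
    # IQ then OQ on the generic services first: the SIFs that depend on them
    # cannot be meaningfully tested until these are proven.
    for phase in ("IQ", "OQ"):
        plan += [(phase, "generic", e) for e in generic]
    # Then IQ and OQ on the elements unique to each SIF...
    for sif, elements in specific.items():
        for phase in ("IQ", "OQ"):
            plan += [(phase, sif, e) for e in elements]
    # ...and finally PQ: each complete function, end to end, against the SRS.
    plan += [("PQ", sif, "end-to-end against SRS") for sif in sifs]
    return plan

def qualification_steps(plan):
    """Number of IQ/OQ steps in a decomposed plan."""
    return sum(1 for phase, _, _ in plan if phase != "PQ")

def naive_qualification_steps(sifs):
    """IQ+OQ on every element under every SIF, i.e. without decomposition."""
    return 2 * sum(len(elements) for elements in sifs.values())
```

For the constructed system the decomposed plan needs 24 IQ/OQ steps against 40 for testing every element under every SIF, while still running a PQ for each of the three safety functions.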

SYSTEM DECOMPOSITION
▪ Decomposing the system into its parts and subsystems
also makes it easier and more efficient to use material
from product manufacturers, third-party consultants,
and public sources to create the required test plans.
▪ For example, the IQ test plan for a safety-certified
pressure transmitter can be developed by referring to
the relevant sections of the manufacturer's installation
documentation, augmented with an appropriate IQ
verification sign-off sheet.
▪ The pressure transmitter's OQ test plan can be similarly
developed based on the manufacturer's safety manual
and calibration requirements.

Test Planning

TEST PLANNING
▪ Each phase in verification and validation testing must
confirm that the corresponding development phase has
fully met each of its objectives. Reaching that goal
demands thorough and rigorous planning.

TEST PLANNING
For example, it is necessary to consider and document
▪ Testing strategy — including test scenarios, expected
results, and how to deal with any discrepancy
corrections
▪ Testing process — including criteria for declaring a test
complete
▪ People requirements — how many, for how long, and
with what skills
▪ Technology requirements — tools, analyzers, and
supporting software needed.

TEST PLANNING
▪ Although SIS equipment suppliers are generally
responsible for testing embedded and utility software
before the customer receives the products, the project
plan should cover how installed SIS devices will be re-
tested following changes (including upgrades) to such
things as the operating system, utilities, firmware, and
communications protocols.
▪ It is also a good idea to have testing conducted by
people other than those who designed and implemented
the system. An independent tester is more likely to
exercise the equipment and software in ways the
designer and implementer did not anticipate, such as
entering both legal and illegal data values.

TEST PLANNING
▪ Keep in mind that IEC 61511 does not define how to do
all this, so it is likely that there will be a need to
consult other sources or enlist outside assistance in
developing a comprehensive software test plan.
▪ There's no reason to be embarrassed to ask for help.
Knowledgeable suppliers and consultants can provide
tools and expertise that can help make achieving IEC
61511 compliance easier. Additionally, new technologies
and product designs can simplify or even automate
much of the testing and documentation effort.
