4.3 Assessment and Audit
Functional Safety Assessment is an activity which is proposed at several stages in the SIS safety lifecycle, and mandated in IEC 61511 to be carried out at least once prior to startup of an SIS and at intervals during the operations stage. The activity must be led by a senior competent person, who is not involved with the step or steps being analyzed.
Note that FSA planning should be included at the start of any project where an SIS is expected to be needed. If the SIS already exists, then plan for an operations and maintenance FSA (stage 4).
There are five stages at which functional safety assessment is recommended, as shown in the following diagram.
Producing huge amounts of paper should not be a goal of any SIS project or operation. However, there must be sufficient evidence upon which an independent assessor can make a judgement for FSA conformance purposes. The goal should be to produce a trail of evidence at each stage to allow an effective independent assessment to take place.
From experience, it is highly recommended to start FSA review activities as early as possible after the hazard and risk assessment and SIL determination stage. Don't wait for the safety requirements specification to be complete.
4.4 Assessment table
The following table is a summary created by eFunctionalSafety for this Ultimate Guide To The Process Safety Life-cycle which summarizes the approximate level of effort required for each stage of conformance, separated by the relevant IEC 61511 clause numbers.
The intent is to provide an overview of the level of effort required for those planning to undertake a Functional Safety Assessment.
The table columns are as follows:
- Life-cycle stage and clause number.
- Number of sub-clauses and sub bullet-points or sections.
- Number of FSA questions (according to the eFunctionalSafety FSA protocol).
The table lists the life-cycle stages below, with the clause number, number of sub-clauses and number of FSA questions for each (the numeric columns did not survive extraction; only the stage names and one clause reference are recoverable):

- Functional safety management / life-cycle planning and verification (Clauses 5, 6 and 7)
- Process hazard and risk assessment
- Allocation of safety functions to protection layers
- SIS Safety requirements specification
- SIS design and engineering
- SIS application program development
- Factory Acceptance Test (FAT)
- SIS installation and commissioning
- SIS safety validation
- SIS operation and maintenance
- Information and documentation
The stages of FSA suggested in the standard do not necessarily line up in a linear way with how projects work in practice. This is perhaps best explained with FSA Stage 1 which is intended to analyze all stages up to and including clause 10 (the SRS). However, it is fairly commonplace for requirements to be split into multiple documents which gather in detail as a project progresses. A specific case is the Application Program (software) requirements. These will not be available in any depth until logic solver equipment selection has taken place, which often happens much later in a project than would be advisable for the FSA 1 activity to take place.
In some cases the number of clauses and associated conformance questions may be limited by the type of project, or by decisions made during a project.
For example, if a programmable logic solver system is not part of the SIS scope, then Clause 12 of the standard will not be applicable, and the SRS elements that relate to software will not be needed. Likewise, if equipment is not selected based upon prior use claims, then this will reduce Clause 11 requirements from 110 to around 80. This limitation of the relevant clauses for conformance should be something that is clearly outlined in FSA planning at each stage by the lead independent assessor.
Some companies have the impression that a simple system with very few SIF will somehow limit the conformance assessment activity significantly. However, this is a bit of a misunderstanding. For example, assessing the SRS for a single SIS and SIF will still require asking and answering at least 50 questions related to that part of the life-cycle. There is certainly additional effort if there are a large number of uniquely designed SIF, but this effort does not reduce to zero even if there is only one SIF in the system.
4.6 Assessment by FSA stage
For the 5 stages recommended by IEC 61511 for FSA, the following summary table provides a breakdown of the level of effort required:
| FSA stage | When it is carried out | # Key Documents |
| --- | --- | --- |
| FSA 1 | after PHRA and the SRS have been produced | 10 + # Drawings |
| FSA 2 | after the SIS has been designed | FSA 1 + 15 + # SIS & SIF FAT RECORDS |
| FSA 3 | after I&C, validation & O&M manuals have been developed | FSA 1 + FSA 2 + 10 + # SIS & SIF VALIDATIONS * |
| FSA 4 | after gaining experience in operation and maintenance | 15 to 20 + # SIS & SIF PROOF TEST RECORDS ** |
| FSA 5 | after modification and prior to decommissioning | *** |

* The level of effort will depend on the previous FSA stages completed and the number of SIS and SIF being validated.
** The level of effort may be affected by the age of the installation and the available documentation.
*** The effort and required documents can only be estimated once the full size and scope of the modification is known.
4.7 Conformance results
From experience of conducting many different FSAs, including all the stages listed above, the results depend heavily on the functional safety maturity of the Duty Holder's personnel and of the personnel leading the project activities from supporting companies.
Typical results for conformance to IEC 61511 show that around 60% to 75% of clauses can be shown to be adequately met when concluding an FSA activity on a new-build project (i.e. not including operations, maintenance and decommissioning).
The above statistic suggests that 100% conformance to IEC 61511 is not only difficult but also unlikely on a new-build project of any complexity. This is for a few reasons:
- There are a large number of elements to check, but evidence is not always easy to find within a restricted time and budget.
- Full conformance is often a judgement call by the assessor. In some cases a project or duty holder may meet a requirement such as "employee training has been completed", but in the view of the assessor the training is not sufficient.
Companies with existing systems who are conducting FSA at Stage 4 of the SIS safety life-cycle should be aiming at 100% compliance. However, this may not be immediately achievable.