InstMC FS2016 (Rev 3.0), Page 5 of 10, Nicol Instrument Engineering Limited

Modifications identified during the testing are now required to be subjected to an impact analysis to determine which SIS components are impacted and the necessary re-verification activities.

Clause 8: Process H&RA

This edition clarifies that the average frequency of dangerous failures of a BPCS as initiating source that is claimed shall not be <10^-5 per hour.

It also adds requirements for a security risk assessment to identify the security vulnerabilities of the SIS, including descriptions of: the devices covered by this risk assessment; the identified threats that could exploit vulnerabilities and result in security events; the potential consequences resulting from the security events and the likelihood of these events occurring; and information on the measures taken to reduce or remove the threats. It shall also consider the various phases, such as design, implementation, commissioning, operation, and maintenance.

Clause 9: Allocation of safety functions to protection layers

This edition enables the associated risk reduction to be expressed as PFD or PFH, with the SIL derived from these.

The standard advises reconsideration of the application (e.g., process, other protection layers) for risk reduction >10,000 or average frequency of dangerous failure >10^-8 per hour [this is an error and should be <10^-8 per hour, and applies everywhere >10^-8 per hour is quoted] (i.e. SIL 4 equivalent) for a single SIS, multiple SISs, or an SIS in conjunction with a BPCS protection layer. The reconsideration should determine whether any of the risk parameters can be modified so that the risk reduction requirement is avoided, and shall consider: process or vessel/pipework modifications to remove or reduce the hazards; use of additional non-instrumented safety-related systems; and reduction of the likelihood or severity of the consequence (e.g. reducing the amount of hazardous).

If after consideration of alternatives the risk reduction remains at >10,000 (<10^-8 per hour), then multiple layers (e.g., SIS or BPCS) using lower risk reductions per layer should be considered. A quantitative assessment is also required to confirm the safety integrity requirements, which shall include considering dependency and common cause failures between other protective layers, other SIS and other risk reduction means for reducing the likelihood of the hazardous event.
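The Clause 9 allocation described above, worked through in code as an added example (not part of the InstMC/Nicol Instrument Engineering text): a required risk reduction given either as a risk reduction factor (demand mode, PFDavg = 1/RRF) or as a PFH (continuous mode) is mapped to a SIL band, and the SIL 4 equivalent case (risk reduction >10,000, or PFH <10^-8 per hour) is flagged for reconsideration. The band boundaries are assumed to follow the IEC 61511 target failure measure tables; the function and class names are this example's own.

```python
"""Added example, not part of the InstMC/Nicol Instrument Engineering text.

Derives a SIL band from a required risk reduction expressed either as a risk
reduction factor (demand mode, PFDavg = 1/RRF) or as a PFH (continuous mode),
and flags the Clause 9 case that asks for reconsideration: risk reduction
>10,000 or PFH <10^-8 per hour (SIL 4 equivalent).  The band boundaries are
assumed to follow the IEC 61511 target-failure-measure tables.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed band tables: (SIL, lower bound inclusive, upper bound exclusive)
PFD_BANDS: List[Tuple[int, float, float]] = [
    (1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]
PFH_BANDS: List[Tuple[int, float, float]] = [
    (1, 1e-6, 1e-5), (2, 1e-7, 1e-6), (3, 1e-8, 1e-7), (4, 1e-9, 1e-8)]


@dataclass(frozen=True)
class Allocation:
    mode: str              # "demand" (PFDavg) or "continuous" (PFH per hour)
    target: float          # the PFDavg or PFH the SIF must meet
    sil: Optional[int]     # None when the target falls outside SIL 1..4
    reconsider: bool       # Clause 9: SIL 4 equivalent, reconsider the application


def _band(table: List[Tuple[int, float, float]], value: float) -> Optional[int]:
    """Return the SIL whose [lo, hi) band contains value, else None."""
    for sil, lo, hi in table:
        if lo <= value < hi:
            return sil
    return None


def allocate_from_rrf(rrf: float) -> Allocation:
    """Demand mode: RRF -> PFDavg target -> SIL; reconsider when RRF > 10,000."""
    if rrf <= 0:
        raise ValueError("risk reduction factor must be positive")
    pfd = 1.0 / rrf
    return Allocation("demand", pfd, _band(PFD_BANDS, pfd), reconsider=rrf > 10_000)


def allocate_from_pfh(pfh: float) -> Allocation:
    """Continuous mode: PFH (per hour) -> SIL; reconsider when PFH < 10^-8."""
    if pfh <= 0:
        raise ValueError("PFH must be positive")
    return Allocation("continuous", pfh, _band(PFH_BANDS, pfh), reconsider=pfh < 1e-8)


def per_layer_rrf(total_rrf: float, n_layers: int) -> float:
    """Equal RRF each of n_layers independent layers would need to reach total_rrf.

    Assumes full independence (risk reductions multiply).  Clause 9 requires the
    dependency and common-cause assessment before any such split is credited,
    so this only gives the starting point for that quantitative assessment.
    """
    if n_layers < 1:
        raise ValueError("need at least one layer")
    return total_rrf ** (1.0 / n_layers)


if __name__ == "__main__":
    # Constructed sample targets, not values from the standard
    for rrf in (500, 10_000, 20_000):
        a = allocate_from_rrf(rrf)
        print(f"RRF {rrf:>6}: PFDavg {a.target:.1e} -> SIL {a.sil}, reconsider={a.reconsider}")
    split = per_layer_rrf(20_000, 2)
    print(f"20,000 over 2 independent layers: ~{split:.0f} each -> SIL {allocate_from_rrf(split).sil}")
```

Note that an RRF of exactly 10,000 (PFDavg 10^-4) still sits in the SIL 3 band and is not flagged; only claims beyond it trigger the reconsideration, matching the ">10,000" wording above.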

A SIF shall be recorded in terms of functional needs for the process, such as: the action to be taken, set points, reaction times, fault treatment, valve closure requirements (e.g. tight shut-off), etc.

Clarification on a BPCS as a protection layer claiming a risk reduction >10 is that the BPCS shall be designed and managed to the requirements of IEC 61511.

If it is not intended that the BPCS conforms to the IEC 61511 series, then no more than one BPCS protection layer can be claimed for the same sequence of events leading to the hazardous event when the BPCS is the initiating source of the demand, and no more than two BPCS protection layers can be claimed for the same sequence of events leading to the hazardous event when the BPCS is not the initiating source of the demand. Each BPCS protection layer shall be independent and separate from the initiating source and from each other, such that no BPCS protection layer is compromised.
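The BPCS rules from Clause 8 and Clause 9 above, collected into one checker as an added example (not part of the InstMC/Nicol Instrument Engineering text): the claimed dangerous-failure frequency of a BPCS initiating source is tested against the 10^-5 per hour floor, a BPCS layer claiming RRF >10 is flagged unless the BPCS is designed and managed to IEC 61511, the one-layer/two-layer limit for a non-conforming BPCS is applied depending on whether the BPCS is the initiating source, and each layer's independence from the initiator and the other layers is checked. The finding codes, class names and the sample scenario are this example's own constructions.

```python
"""Added example, not part of the InstMC/Nicol Instrument Engineering text.

Checks a BPCS-related protection-layer claim against the Clause 8 and Clause 9
points: initiating-frequency floor of 1e-5/h, RRF >10 only for a BPCS managed
to IEC 61511, layer-count limit for a non-conforming BPCS, and independence of
each BPCS layer.  Finding codes and the sample scenario are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BPCS_INITIATING_FREQ_FLOOR = 1e-5   # per hour (Clause 8)
MAX_RRF_WITHOUT_61511 = 10          # (Clause 9)


@dataclass(frozen=True)
class BpcsLayer:
    name: str
    rrf: float                        # risk reduction claimed for this layer
    independent_of_initiator: bool
    independent_of_other_layers: bool


@dataclass
class Scenario:
    bpcs_is_initiating_source: bool
    bpcs_conforms_to_iec61511: bool
    claimed_initiating_frequency: Optional[float] = None  # per hour, when BPCS initiates
    layers: List[BpcsLayer] = field(default_factory=list)


Finding = Tuple[str, str]   # (code, human-readable message)


def check_scenario(s: Scenario) -> List[Finding]:
    """Return the list of Clause 8/9 findings for a scenario; empty means no issue found."""
    findings: List[Finding] = []

    # Clause 8: a BPCS initiating-source dangerous failure frequency shall not be <1e-5/h
    if (s.bpcs_is_initiating_source and s.claimed_initiating_frequency is not None
            and s.claimed_initiating_frequency < BPCS_INITIATING_FREQ_FLOOR):
        findings.append(("C8-INIT-FREQ",
                         f"claimed BPCS initiating frequency {s.claimed_initiating_frequency:g}/h "
                         f"is below the {BPCS_INITIATING_FREQ_FLOOR:g}/h floor"))

    if not s.bpcs_conforms_to_iec61511:
        # Clause 9: RRF >10 requires the BPCS to be designed/managed to IEC 61511
        for layer in s.layers:
            if layer.rrf > MAX_RRF_WITHOUT_61511:
                findings.append(("C9-RRF-GT-10",
                                 f"{layer.name} claims RRF {layer.rrf:g} but the BPCS is not "
                                 f"designed and managed to IEC 61511"))
        # Clause 9: at most one layer when the BPCS initiates, at most two otherwise
        limit = 1 if s.bpcs_is_initiating_source else 2
        if len(s.layers) > limit:
            role = "is" if s.bpcs_is_initiating_source else "is not"
            findings.append(("C9-LAYER-COUNT",
                             f"{len(s.layers)} BPCS layers claimed; at most {limit} allowed "
                             f"when the BPCS {role} the initiating source"))

    # Clause 9: each BPCS layer independent of the initiating source and of each other
    for layer in s.layers:
        if not (layer.independent_of_initiator and layer.independent_of_other_layers):
            findings.append(("C9-INDEPENDENCE",
                             f"{layer.name} is not independent of the initiating source "
                             f"and the other BPCS layers"))
    return findings


if __name__ == "__main__":
    # Constructed scenario: a non-conforming BPCS that both initiates the demand
    # and is credited with two layers, one of them claiming RRF 50.
    sample = Scenario(
        bpcs_is_initiating_source=True,
        bpcs_conforms_to_iec61511=False,
        claimed_initiating_frequency=1e-6,
        layers=[BpcsLayer("BPCS high alarm", 10, True, True),
                BpcsLayer("BPCS trip", 50, True, False)],
    )
    for code, msg in check_scenario(sample):
        print(f"{code}: {msg}")
```

A conforming BPCS is exempt from the RRF and layer-count limits but not from the independence requirement, which the checker applies in every case.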

Clause 10: SIS safety requirements specification (SRS)

Clarification is provided, together with new requirements, on what is in an SRS. This includes: the cause and effect diagram or logic narrative; a listing of the plant input and output devices related to each SIF (e.g., field tag list); a definition of the safe state that achieves a stable state in which the specific hazardous event has been avoided or mitigated; requirements relating to proof testing; the response time to bring the process to a safe state within the process safety time; having written procedures to be