InstMC FS2016 (Rev 3.0), Page 5 of 10
Nicol Instrument Engineering Limited
Modifications identified during the testing are now required to be subjected to an impact analysis to
determine which SIS components are impacted and the necessary re-verification activities.
Clause 8: Process H&RA
This edition clarifies that the average frequency of dangerous failures of a BPCS as initiating source that is claimed shall not be <10^-5 per hour.
It also adds a requirement for a security risk assessment to identify the security vulnerabilities of the SIS. The assessment shall include descriptions of the devices covered by the risk assessment, the identified threats that could exploit vulnerabilities and result in security events, the potential consequences resulting from those security events and the likelihood of them occurring, and information on the measures taken to reduce or remove the threats. It shall also consider the various lifecycle phases, such as design, implementation, commissioning, operation, and maintenance.
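As an added example (not code from the InstMC paper, from Nicol Instrument Engineering, or from IEC 61511 itself), the following records a SIS security risk assessment in the shape the clause asks for, checks that each listed element is present, and rates each threat by likelihood times consequence before and after the recorded measures. The 1-5 rating scales, the device names and the threat entries are constructed for illustration.

```python
"""Added example, not from the paper or from IEC 61511: a minimal SIS security
risk assessment record, a completeness check against the elements the clause
lists, and a simple likelihood x consequence rating before and after the
recorded measures.  The 1-5 scales, devices and threats are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Lifecycle phases the assessment shall consider (as listed in the text).
LIFECYCLE_PHASES = ("design", "implementation", "commissioning",
                    "operation", "maintenance")


@dataclass
class Threat:
    """One identified threat that could exploit a vulnerability of the SIS."""
    description: str
    likelihood: int                      # constructed scale: 1 (remote) .. 5 (frequent)
    consequence: int                     # constructed scale: 1 (minor) .. 5 (catastrophic)
    measures: list = field(default_factory=list)   # measures that reduce or remove the threat
    residual_likelihood: Optional[int] = None      # likelihood after the measures

    def risk(self) -> int:
        return self.likelihood * self.consequence

    def residual_risk(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lik * self.consequence


@dataclass
class SecurityRiskAssessment:
    devices: list            # devices covered by this assessment
    threats: list            # Threat entries
    phases_considered: set   # subset of LIFECYCLE_PHASES


def validate(a: SecurityRiskAssessment) -> list:
    """Return the clause elements that are missing; an empty list means complete."""
    gaps = []
    if not a.devices:
        gaps.append("no devices covered by the assessment")
    if not a.threats:
        gaps.append("no threats identified")
    for t in a.threats:
        if not (1 <= t.likelihood <= 5 and 1 <= t.consequence <= 5):
            gaps.append(f"{t.description}: likelihood/consequence not rated on the 1-5 scale")
        if not t.measures:
            gaps.append(f"{t.description}: no measures recorded to reduce or remove the threat")
    missing = set(LIFECYCLE_PHASES) - a.phases_considered
    if missing:
        gaps.append("lifecycle phases not considered: " + ", ".join(sorted(missing)))
    return gaps


def highest_residual_risk(a: SecurityRiskAssessment) -> int:
    """Worst remaining likelihood x consequence across all threats (0 if none)."""
    return max((t.residual_risk() for t in a.threats), default=0)


# Constructed sample assessment for a small SIS.
SAMPLE = SecurityRiskAssessment(
    devices=["SIS logic solver", "engineering workstation", "smart field transmitters"],
    threats=[
        Threat("Unauthorised change to SIS application logic from the engineering workstation",
               likelihood=3, consequence=5,
               measures=["hardware key switch required for program mode",
                         "workstation access restricted to authorised engineers"],
               residual_likelihood=1),
        Threat("Malware introduced to the SIS network via maintenance equipment",
               likelihood=3, consequence=4,
               measures=["removable media and laptop controls in the maintenance procedure",
                         "network segmentation between SIS and BPCS"],
               residual_likelihood=2),
    ],
    phases_considered=set(LIFECYCLE_PHASES),
)

if __name__ == "__main__":
    print("gaps:", validate(SAMPLE) or "none")
    for t in SAMPLE.threats:
        print(f"{t.risk():>2} -> {t.residual_risk():>2}  {t.description}")
```

The validator deliberately reports every gap rather than stopping at the first, so the output can be used as a review checklist against the clause; the residual rating is only meaningful once a measure's effect on likelihood has actually been justified in the record.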
Clause 9: Allocation of safety functions to protection layers
This edition allows the required risk reduction to be expressed as either a PFD or a PFH target, with the SIL derived from these.
The standard advises reconsideration of the application (e.g., process, other protection layers) for a risk reduction >10,000 or an average frequency of dangerous failure >10^-8 per hour [this is an error in the standard and should read <10^-8 per hour; the same applies wherever >10^-8 per hour is quoted] (i.e. SIL 4 equivalent) for a single SIS, multiple SISs, or a SIS in conjunction with a BPCS protection layer. The reconsideration should determine whether any of the risk parameters can be modified so that the risk reduction requirement is avoided, and shall consider: process or vessel/pipework modifications to remove or reduce the hazards, the use of additional non-instrumented safety-related systems, and reduction of the likelihood or severity of the consequence (e.g. reducing the amount of hazardous material).
If, after consideration of alternatives, the required risk reduction remains >10,000 (<10^-8 per hour), then multiple layers (e.g., SIS or BPCS) using lower risk reductions per layer should be considered. A quantitative assessment is also required to confirm the safety integrity requirements, which shall include consideration of dependency and common cause failures between the protection layers, other SIS and other risk reduction means for reducing the likelihood of the hazardous event.
A SIF shall be recorded in terms of the functional needs of the process, such as the action to be taken, set points, reaction times, fault treatment, valve closure requirements (e.g. tight shut off), etc.
It is clarified that a BPCS used as a protection layer claiming a risk reduction >10 shall be designed and managed to the requirements of IEC 61511.
If it is not intended that the BPCS conforms to the IEC 61511 series, then no more than one BPCS protection layer can be claimed for the same sequence of events leading to the hazardous event when the BPCS is the initiating source of the demand, and no more than two BPCS protection layers can be claimed for the same sequence of events when the BPCS is not the initiating source of the demand. Each BPCS protection layer shall be independent and separate from the initiating source and from each other, such that no BPCS protection layer is compromised.
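The two Clause 9 passages above (SIL derived from PFD or PFH with the "reconsider the application" threshold, and the rules for claiming BPCS protection layers) can be turned into a small allocation check. The following is an added example, not code from the paper or from IEC 61511: the SIL band limits are the published IEC 61508/61511 bands, the thresholds are those quoted in the text, and the layer allocation and its names are constructed.

```python
"""Added example, not from the paper or from IEC 61511: derive the SIL band
from a required risk reduction factor (RRF), PFDavg or PFH, flag the
'reconsider the application' case the text describes (RRF > 10,000, i.e.
PFH < 1e-8 per hour, SIL 4 equivalent) and check BPCS protection layer
claims.  Band limits are the IEC 61508/61511 bands; the layers are constructed."""

# (lower bound, SIL): low demand, SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
# 0 means the value is above the SIL 1 band, so no SIL can be claimed.
PFD_BANDS = [(1e-1, 0), (1e-2, 1), (1e-3, 2), (1e-4, 3), (1e-5, 4)]
# High demand / continuous: SIL n covers 10^-(n+5) <= PFH < 10^-(n+4) per hour.
PFH_BANDS = [(1e-5, 0), (1e-6, 1), (1e-7, 2), (1e-8, 3), (1e-9, 4)]

# Thresholds quoted in the text for reconsidering the application (SIL 4 equivalent).
RRF_RECONSIDER = 10_000
PFH_RECONSIDER = 1e-8


def _band(value, bands):
    """Map a failure measure onto its SIL; None means below even the SIL 4 band."""
    for lower, sil in bands:
        if value >= lower:
            return sil
    return None


def sil_from_pfd(pfd):
    return _band(pfd, PFD_BANDS)


def sil_from_rrf(rrf):
    # RRF is the reciprocal of PFDavg for low-demand functions.
    return sil_from_pfd(1.0 / rrf)


def sil_from_pfh(pfh):
    return _band(pfh, PFH_BANDS)


def reconsider_application(rrf=None, pfh=None):
    """True when the text says to reconsider the process / other protection layers."""
    return (rrf is not None and rrf > RRF_RECONSIDER) or \
           (pfh is not None and pfh < PFH_RECONSIDER)


def combined_rrf(layers):
    """Product of the layer RRFs.  Valid only for independent layers: the text
    requires dependency and common cause between layers to be assessed first."""
    total = 1.0
    for layer in layers:
        total *= layer["rrf"]
    return total


def check_bpcs_claims(layers, bpcs_is_initiator):
    """Apply the BPCS layer rules from the text: RRF > 10 only if the BPCS is
    designed and managed to IEC 61511; otherwise at most one non-conforming BPCS
    layer when the BPCS is the initiating source, at most two when it is not."""
    issues = []
    non_conforming = [l for l in layers if l["type"] == "BPCS" and not l["iec61511"]]
    for l in non_conforming:
        if l["rrf"] > 10:
            issues.append(f"{l['name']}: claims RRF {l['rrf']} > 10 but is not "
                          "designed and managed to IEC 61511")
    limit = 1 if bpcs_is_initiator else 2
    if len(non_conforming) > limit:
        issues.append(f"{len(non_conforming)} non-IEC 61511 BPCS layers claimed; "
                      f"limit is {limit} when the BPCS "
                      f"{'is' if bpcs_is_initiator else 'is not'} the initiating source")
    return issues


# Constructed allocation: an RRF 10,000 requirement split across a BPCS layer and a SIS.
LAYERS = [
    {"name": "BPCS high-level alarm and operator response", "type": "BPCS",
     "rrf": 10, "iec61511": False},
    {"name": "SIS high-high level trip", "type": "SIS",
     "rrf": 1000, "iec61511": True},
]

if __name__ == "__main__":
    required_rrf = 10_000
    print("overall SIL equivalent:", sil_from_rrf(required_rrf),
          "reconsider:", reconsider_application(rrf=required_rrf))
    print("combined RRF:", combined_rrf(LAYERS),
          "issues:", check_bpcs_claims(LAYERS, bpcs_is_initiator=True) or "none")
```

Note that an RRF of exactly 10,000 sits at the top of the SIL 3 band and does not trigger the reconsideration, whereas anything above it does; and that `combined_rrf` simply multiplies the layers, so it is only a starting point for the quantitative assessment the clause requires, not a substitute for the dependency and common cause analysis.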
Clause 10: SIS safety requirements specification (SRS)
Clarification is provided, in addition to new requirements, on what an SRS shall contain. This includes: the cause and effect diagram or logic narrative; a list of the plant input and output devices related to each SIF (e.g., field tag list); a definition of the safe state, such that a stable state is achieved and the specific hazardous event has been avoided or mitigated; requirements relating to proof testing; the response time needed to bring the process to a safe state within the process safety time; and written procedures to be