InstMC FS2016 (Rev 3.0), Page 7 of 10, Nicol Instrument Engineering Limited
Table 6: Minimum HFT requirements according to SIL [SIL 2 and 3 rows corrected]
Suitable devices for the operating environment shall be determined through consideration of the manufacturer's documentation, the constraints within the SRS and the reliability parameters assumed.
When prior use is the basis for selecting devices, the prior use evaluation should gather the evidence that dangerous systematic faults have been reduced to a sufficiently low level compared to the required safety integrity. This involves gathering documented information concerning the device performance in a similar operating environment (e.g. including the process interfaces, communications, etc.). A management of change procedure is required to control selection when using prior use, with continued validity justified when changes are made.
Management controls, as well as means to prevent unauthorized use, are required for bypass switches or other means of inhibiting a SIS or SIF; these should include setting the maximum time the SIS is allowed to be in bypass (for repair or testing) while safe operation of the process continues.
There are new requirements that the random failure reliability data used must be credible, traceable,
documented, justified and based on field feedback from similar devices used in a similar operating
environment.
There is guidance on actions when the target failure measure for a SIF is not achieved, such as identifying the devices or parameters contributing most, checking the effects of possible improvement measures that can be made to these devices or parameters (e.g., a more reliable device, increased diagnostics, etc.), comparing the new results, and repeating until the target failure measure is achieved.
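The iterative procedure described above, as an added worked example (it is not from the InstMC FS2016 text or from Nicol Instrument Engineering). The simplified single-channel approximation PFDavg ≈ λD·(1 − DC)·TI/2, the summing of device PFDs to get the SIF PFDavg, the low-demand SIL bands and the device failure rates and test intervals in `sample_sif()` are all assumptions made here for illustration; a real assessment uses the standard's full formulas, voting architectures and common-cause factors.

```python
# Worked example, added by the editor (not from the InstMC FS2016 text or from
# Nicol Instrument Engineering): the "target failure measure not achieved" loop
# described above, run on a constructed three-device SIF.
#
# Assumptions (not stated on the page):
#  - each device is a single channel (1oo1) and its average probability of
#    failure on demand is approximated as PFDavg ~= lambda_D * (1 - DC) * TI / 2,
#    with lambda_D in failures/hour, DC the diagnostic coverage and TI the
#    proof-test interval in hours; the SIF PFDavg is the sum over its devices;
#  - low-demand SIL bands use the usual 1e-1 / 1e-2 / 1e-3 / 1e-4 upper limits;
#  - the failure rates and test intervals in sample_sif() are constructed values.
from dataclasses import dataclass, replace
from typing import List, Tuple

HOURS_PER_YEAR = 8760.0
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass(frozen=True)
class Device:
    name: str
    lambda_d: float        # dangerous failure rate, per hour (constructed values below)
    ti_hours: float        # proof-test interval, hours
    dc: float = 0.0        # diagnostic coverage, 0..1

    def pfd_avg(self) -> float:
        # Only dangerous failures that diagnostics do not reveal accumulate between
        # proof tests; the factor 1/2 is the time-average over one test interval.
        return self.lambda_d * (1.0 - self.dc) * self.ti_hours / 2.0


def sif_pfd(devices: List[Device]) -> float:
    return sum(d.pfd_avg() for d in devices)


def contributions(devices: List[Device]) -> List[Tuple[str, float, float]]:
    """(name, PFDavg, share of SIF PFDavg) per device, largest contributor first."""
    total = sif_pfd(devices)
    rows = [(d.name, d.pfd_avg(), d.pfd_avg() / total) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def improve_until_met(devices: List[Device], target_pfd: float,
                      max_rounds: int = 10) -> Tuple[List[Device], List[float]]:
    """Identify the dominant contributor, apply one improvement measure to it,
    recompute, and repeat until the target is met or no modelled lever remains.
    Levers, tried in order: shorten its proof-test interval (down to quarterly),
    then raise its diagnostic coverage (up to 90 %)."""
    devices = list(devices)
    history = [sif_pfd(devices)]          # SIF PFDavg after each round
    for _ in range(max_rounds):
        if history[-1] <= target_pfd:
            break
        worst = contributions(devices)[0][0]
        i = next(k for k, d in enumerate(devices) if d.name == worst)
        d = devices[i]
        if d.ti_hours > HOURS_PER_YEAR / 4:
            devices[i] = replace(d, ti_hours=d.ti_hours / 2)
        elif d.dc < 0.9:
            devices[i] = replace(d, dc=min(0.9, d.dc + 0.3))
        else:
            break                          # no further improvement modelled for this device
        history.append(sif_pfd(devices))
    return devices, history


def sample_sif() -> List[Device]:
    # Constructed sample SIF: transmitter, logic solver with diagnostics, shutdown valve,
    # all proof-tested annually to begin with.
    return [
        Device("PT-101 transmitter", lambda_d=1.0e-6, ti_hours=HOURS_PER_YEAR),
        Device("Logic solver",       lambda_d=1.0e-7, ti_hours=HOURS_PER_YEAR, dc=0.9),
        Device("XV-101 valve",       lambda_d=5.0e-6, ti_hours=HOURS_PER_YEAR),
    ]


if __name__ == "__main__":
    target = SIL_PFD_UPPER[2]
    for name, pfd, share in contributions(sample_sif()):
        print(f"{name:22s} PFDavg={pfd:.2e} ({share:5.1%})")
    final, hist = improve_until_met(sample_sif(), target)
    print("PFDavg per round:", ", ".join(f"{h:.2e}" for h in hist))
    print("target met:", hist[-1] <= target, "| valve TI now", final[2].ti_hours, "h")
```

On the constructed data the valve dominates the SIF PFDavg (about 83 % of it), so the loop shortens its proof-test interval twice, from annual to half-yearly to quarterly, before the SIL 2 target of 1e-2 is met; the transmitter and logic solver are never touched. The `contributions()` ranking is the part worth keeping: it is what tells you which device or parameter to improve first.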
Clause 12: SIS application program development
This Clause has been substantially rewritten to focus on and clarify Application Program (AP) development, with sub-clauses for Application program design, Application program implementation, Requirements for application program verification (review and testing), and Requirements for application program methodology and tools.
The AP of the SIS shall be in accordance with the APRS (Clause 10 (SRS)) and all the requirements of this clause for all SILs up to and including SIL 3, with the programmer ensuring that the requirements are comprehensive, unambiguous, understandable and consistent. This includes reviewing the information in the SRS and the APRS.
As for hardware, when the AP implements both safety and non-safety functions, all of the AP must comply with this standard.
The AP shall be designed so that once the SIS has placed the process in a safe state, the process remains in that safe state (including on loss of power and subsequent power restoration) until a reset has been initiated. It shall also address all SIS logic, including all process operating modes for each SIF.
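A small model of the AP behaviour that the safe-state requirement above and the earlier bypass paragraph ask for, as an added example (not code from the InstMC FS2016 text, from Nicol Instrument Engineering or from any logic-solver vendor). The class names, the retained-memory stand-in, the 24 h bypass limit, the `authorised_by` field and the log wording are all assumptions made here; a real SIS application program is written in the logic solver's own language against the APRS, and this model only shows the latch, reset, power-restoration and bypass-timeout logic in isolation.

```python
# Worked example, added by the editor (not from the InstMC FS2016 text, from Nicol
# Instrument Engineering or from any logic-solver vendor): a minimal model of two
# application-program requirements described on this page.
#
#  1. Once the SIF has tripped, the process stays in the safe state, through loss
#     of power and power restoration, until an explicit reset is initiated and the
#     demand has cleared.
#  2. A bypass needs authorisation, is time-limited (the AP removes it itself when
#     the maximum time is exceeded) and every action is logged for the
#     management-of-change record.
#
# Everything here (names, the 24 h limit, the retained-memory stand-in, log text)
# is a constructed assumption for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NonVolatileStore:
    """Stand-in for the logic solver's retained memory, which survives power loss.
    The power-up default is the SAFE (tripped) state, so a freshly powered or
    uncommissioned logic solver never energises the final element on its own."""
    tripped: bool = True


@dataclass
class Sif:
    trip_setpoint: float
    max_bypass_hours: float = 24.0          # assumed maximum bypass time from the SRS
    store: NonVolatileStore = field(default_factory=NonVolatileStore)
    bypassed: bool = False                  # volatile: not retained across power loss
    bypass_start: Optional[float] = None
    bypass_by: Optional[str] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def output_energised(self) -> bool:
        """De-energise-to-trip: the final element is energised only while not tripped."""
        return not self.store.tripped

    def scan(self, pv: float, now_h: float) -> bool:
        """One logic-solver scan. Returns True if the final element is energised."""
        # A bypass that has run past its maximum time is cancelled by the AP itself,
        # in the same scan, so the demand below is no longer masked.
        if self.bypassed and now_h - self.bypass_start >= self.max_bypass_hours:
            self._log(now_h, f"bypass expired after {self.max_bypass_hours} h; removed automatically")
            self.bypassed = False
        demand = pv >= self.trip_setpoint
        if demand and not self.bypassed and not self.store.tripped:
            self.store.tripped = True       # latched in retained memory
            self._log(now_h, f"trip: pv={pv} >= setpoint {self.trip_setpoint}")
        return self.output_energised()

    def reset(self, pv: float, now_h: float, operator: str) -> bool:
        """Reset clears the latch only when the SIF is tripped and the demand has gone."""
        if self.store.tripped and pv < self.trip_setpoint:
            self.store.tripped = False
            self._log(now_h, f"reset by {operator}")
            return True
        self._log(now_h, f"reset refused for {operator}: not tripped or demand still present")
        return False

    def request_bypass(self, now_h: float, authorised_by: Optional[str]) -> bool:
        """Bypass is applied only with a named authorisation; the start time is kept
        so the maximum bypass time can be enforced."""
        if not authorised_by:
            self._log(now_h, "bypass refused: no authorisation")
            return False
        self.bypassed, self.bypass_start, self.bypass_by = True, now_h, authorised_by
        self._log(now_h, f"bypass applied by {authorised_by}")
        return True

    def remove_bypass(self, now_h: float, operator: str) -> None:
        if self.bypassed:
            self.bypassed, self.bypass_start, self.bypass_by = False, None, None
            self._log(now_h, f"bypass removed by {operator}")

    def power_cycle(self, now_h: float) -> None:
        """Loss of power drops the energised output. On restoration the latch is read
        back from retained memory, so a tripped SIF stays tripped; the bypass is
        volatile and is deliberately NOT restored (an assumed, conservative choice)."""
        self.store = NonVolatileStore(tripped=self.store.tripped)
        self.bypassed, self.bypass_start, self.bypass_by = False, None, None
        self._log(now_h, "power restored; latch read from retained memory")

    def _log(self, now_h: float, msg: str) -> None:
        self.events.append((now_h, msg))


if __name__ == "__main__":
    sif = Sif(trip_setpoint=10.0)
    sif.scan(5.0, 0.0)                       # powered up tripped, output de-energised
    sif.reset(5.0, 0.0, "operator A")        # commissioning reset with healthy PV
    sif.scan(12.0, 1.0)                      # demand: trips and latches
    sif.power_cycle(2.0)
    sif.scan(5.0, 2.0)                       # still tripped after power restoration
    sif.reset(5.0, 2.5, "operator A")
    sif.request_bypass(3.0, "supervisor B")
    sif.scan(12.0, 4.0)                      # demand masked while bypassed
    sif.scan(12.0, 28.0)                     # bypass expired at 27 h, trip now taken
    for t, msg in sif.events:
        print(f"t={t:5.1f} h  {msg}")
```

The two properties to check when reviewing an AP of this kind are visible in the scan: the trip is written to retained memory before anything else happens, and an expired bypass is removed before the demand is evaluated, so a forgotten bypass cannot mask a demand indefinitely.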
The AP data shall be subject to modification, revision control, version management, back-up and restoration procedures.