
Disclaimer:

The content in this paper is loosely based on experiences, and has been embellished to bring out the salient points against the objectives of this paper.

• All field devices are operational;

• Logic solver and input/outputs are operational;

• The interfaces to other systems and peripherals are operational.

The summary of this case study is that Greenfield / Brownfield:

1. Design must include Functional safety assessment of designs to review all interfaces with Brownfield systems.

2. Installation, commissioning, and validation testing must include testing all interfaces with the Brownfield systems, with activation of relevant shutdown levels.

Project 2: Modifications / Decommissioning

During a routine process shutdown test, only a small proportion of the process had shut down. The process had to be manually shut down. The process was shut down for circa 3 days before the cause was identified and rectified, which had a direct cost in excess of £3M.

One year earlier the shutdown system had operated as required.

The initial site investigation identified that modifications had been carried out on the system. All of these had been installed, had their functionality tested, been brought into service, and functionally operated as per design.

Thus it appeared that the cause of failure in the shutdown system was not a modification, and further investigation into components started.

The further investigation added the technical authority and the system vendor to the team. The team revisited each of the modification packs, including the as-built drawings.

One of the designed modifications had to be changed during implementation, as the input module assigned in the design had been used by another change. The installation used another input module that had been previously decommissioned. This change to the design had been tested, and the designed function for this change had functioned as per design with the correct effects. No issues were found or evident; however, as was seen later, this modification had a massive effect on the capabilities of the shutdown system.

IEC 61511 Part 1 clauses 17 (Modifications) and 18 (Decommissioning) are very short in relation to the rest of the standard, but have clear messages about approvals and about ensuring that the safety integrity of the SIS is maintained despite any changes made to the SIS.

The investigation identified that the decommissioned module had not been fully decommissioned, as wires had been left on the backplane. The modification for the new design that now used this module added a 24V feed to one of the backplane pins, which in turn tied the shutdown rail to a permanent