

Underpinning Requirements #1 - #7
The performance of Layers of Protection is underpinned by seven key foundational requirements. Conformance to these requirements is the first step to ensure the associated risk target is met.
Functional Safety Services can support your company with these activities
Underpinning Requirement #1. HAZOP and LOPA
Each asset or facility shall have an up-to-date (no older than 5 years) HAZOP and LOPA that details the hazardous events and the associated layers of protection, including the risk reduction claimed.
____________________
Layers of protection can consist of Safety Instrumented Functions (SIFs), Safety Related Alarms (SRAs), process control loops and mechanical protection (e.g. PSV, check valve).
The HAZOP is used to identify the hazardous events and the associated risk; LOPA is then used to identify the hazard mitigation and any gap between the mitigated event frequency and the target event frequency.
It is imperative that all Layers of Protection (LoP) are correctly identified and maintained in order to adequately address the hazards identified.
Underpinning Requirement #2. Basic Process Control / Interlock Layers of Protection
Any control loops that are used as Layers of Protection (LoP) shall be clearly identified and known to Operations and Maintenance. The control loop should remain in automatic mode and any time in manual should be minimised.
____________________
Any failure of a control loop LoP will place demands on other layers of protection and this should be avoided by ensuring control loops are maintained and remain in automatic mode.
Each LoP control loop shall be identified in a register and clearly identified on the HMI process graphics. Before a LoP control loop is placed in manual mode a defined procedure should be followed to ensure it is clearly recorded, risk assessed and compensating risk reduction or mitigations implemented.
Underpinning Requirement #3. Safety Related Alarm (SRA)
Any safety related alarms (SRA) are clearly identified and known to Operations and Maintenance. All SRA are identified in a register and each has a clearly prioritised corrective action.
____________________
Any failure to respond to an SRA LoP will place demands on other layers of protection and, where the next layer is a SIF, will result in a loss of production and a greater chance of an incident progressing.
An Alarm Response Manual (ARM) shall be documented covering all SRAs and their responses and shall always be available to Operations. Each SRA shall be clearly identified on the HMI process graphics and subject to an override procedure if disabled. As with all layers of protection, SRAs shall be subject to periodic proof testing.
Underpinning Requirement #4. Overrides
If a Layer of Protection (LoP) is to be overridden (for example for maintenance or testing) then a Safety Override and Risk Assessment (SORA) shall be performed and documented.
____________________
Overrides shall not be left active for long periods of time and it shall be clear to operations at any time and particularly during shift changeover which overrides are active. Suitable compensating measures shall be identified.
Underpinning Requirement #5. Lifecycle Activities.
Competency, Safety Requirements Specification, Assessments
____________________
Safety standards IEC 61508/61511 are based on a lifecycle approach from initial conception through to decommissioning. Personnel associated with SIS activities shall be assessed as competent. A Safety Requirements Specification (SRS) shall be available for all Safety Instrumented Functions and will be referenced during proof testing. Before a SIF is used on live plant it shall be subject to a Functional Safety Assessment (an independent assessment that the SIF meets its SRS and integrity requirements) and thereafter to periodic assessment based on the SIL of the SIF.
Underpinning Requirement #6. Proof Testing
All Layers of Protection (LoP) have an appropriate proof test and schedule defined and implemented.
____________________
Dangerous undetected failures, if not revealed by a proof test, will stay dormant until there is a demand on the protection layer, which may lead to a hazardous event. For low-demand systems the SIF will not be actioned often and Operations will not be aware of the undetected failure. Proof testing on a periodic basis can be used to identify and repair undetected failures. SIL verification will provide the testing frequency for a SIF; other Layers of Protection (LoP) can be periodically tested based on site component reliability data.
Appropriate proof test procedures will follow the manufacturer's safety manual recommendations and combine a visual inspection with a functional test against the Safety Requirements Specification (e.g. required valve closure time and leakage rate).
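As an added worked example (not from this page, nor from Functional Safety Services), the following Python puts numbers to two of the requirements above: the LOPA gap calculation in Requirement #1 and the proof-test interval sizing in Requirement #6. Every frequency, PFD credit, failure rate and the MTTR below is a constructed value, and the 1oo1 PFDavg formula λDU × (TI/2 + MTTR) is the simplified low-demand approximation from IEC 61508-6 with diagnostics and common cause ignored, so treat the numbers as illustration of the method rather than of any real plant.

```python
"""LOPA gap and proof-test interval sizing: added worked example with constructed data."""
from dataclasses import dataclass


def sil_for_pfd(pfd: float) -> int:
    """Map a PFDavg value to its IEC 61511 low-demand SIL band (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float
    independent: bool = True  # independent of the initiating event and of the other IPLs


@dataclass(frozen=True)
class Scenario:
    hazardous_event: str
    initiating_event: str
    initiating_frequency: float            # per year
    ipls: tuple                            # IPL objects claimed in the LOPA
    conditional_modifiers: tuple           # (name, probability) pairs, e.g. ignition
    target_frequency: float                # per year


def mitigated_frequency(s: Scenario) -> float:
    """Initiating frequency x PFD of each creditable IPL x conditional modifiers.

    Only IPLs independent of the initiating event are credited, so a control loop
    whose own failure is the initiating event earns no risk reduction.
    """
    f = s.initiating_frequency
    for ipl in s.ipls:
        if ipl.independent:
            f *= ipl.pfd
    for _, probability in s.conditional_modifiers:
        f *= probability
    return f


def lopa_gap(s: Scenario):
    """Return (required_rrf, required_pfd, sil) for the extra layer needed to close
    the gap to the target frequency, or (1.0, 1.0, 0) when the target is already met."""
    f = mitigated_frequency(s)
    if f <= s.target_frequency:
        return 1.0, 1.0, 0
    rrf = f / s.target_frequency
    pfd = 1.0 / rrf
    return rrf, pfd, sil_for_pfd(pfd)


def pfd_avg_1oo1(lambda_du_per_hour: float, test_interval_hours: float, mttr_hours: float) -> float:
    """Simplified 1oo1 PFDavg: lambda_DU * (TI/2 + MTTR). Diagnostics and common cause ignored."""
    return lambda_du_per_hour * (test_interval_hours / 2.0 + mttr_hours)


def longest_proof_test_interval(lambda_du: float, required_pfd: float,
                                candidate_months, mttr_hours: float):
    """Longest candidate interval (months) whose PFDavg meets the LOPA-required PFD.
    Returns None when no candidate meets it, i.e. the architecture itself must change."""
    for months in sorted(candidate_months, reverse=True):
        if pfd_avg_1oo1(lambda_du, months * 730.0, mttr_hours) <= required_pfd:
            return months
    return None


# Constructed scenario: the BPCS level loop is the initiator, so it is listed but not credited.
SCENARIO = Scenario(
    hazardous_event="Vessel overpressure following loss of level control",
    initiating_event="Level control loop LIC-100 (BPCS) fails",
    initiating_frequency=0.1,
    ipls=(
        IPL("LIC-100 control loop", 0.1, independent=False),
        IPL("PSV-100 relief valve", 0.01),
    ),
    conditional_modifiers=(("probability of ignition", 0.5),),
    target_frequency=1e-6,
)

# Constructed dangerous-undetected failure rates per hour: sensor + logic solver + valve.
LAMBDA_DU = 2.0e-7 + 2.0e-8 + 3.8e-7
MTTR_HOURS = 8.0
CANDIDATE_MONTHS = (3, 6, 12, 24, 36)

if __name__ == "__main__":
    rrf, pfd, sil = lopa_gap(SCENARIO)
    print(f"mitigated frequency {mitigated_frequency(SCENARIO):.2e}/yr, "
          f"required RRF {rrf:.0f}, required PFD {pfd:.1e}, SIL {sil}")
    months = longest_proof_test_interval(LAMBDA_DU, pfd, CANDIDATE_MONTHS, MTTR_HOURS)
    print(f"longest proof-test interval meeting the required PFD: {months} months")
    annual = pfd_avg_1oo1(LAMBDA_DU, 8760.0, MTTR_HOURS)
    print(f"12-month test gives PFDavg {annual:.2e} (SIL {sil_for_pfd(annual)} band) "
          f"but misses the required PFD")
```

Two points the numbers make: crediting the control loop that is itself the initiating event would understate the gap fivefold, which is why the independence flag exists; and a 12-month test interval lands inside the SIL 2 band yet still fails the LOPA-required PFD of 2e-3, so the SIL verification should be driven by the required risk reduction factor, not by the band alone.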
Underpinning Requirement #7. Layer of Protection (LoP) Management
When a fault or failure is discovered in a Layer of Protection (LoP) it is imperative that the fault is rectified within the MTTR (Mean Time to Restoration) or an equivalent compensatory measure is implemented to cover the risk gap.
____________________
Operations shall be trained on the action to take when a SIS diagnostic alarm is presented. Faulty instrumentation is in some cases bypassed, and if it forms part of a Layer of Protection a significant risk gap can exist; Operations shall therefore be trained in the management of Layers of Protection.
