www.sis-tech.com
Module 12
Operating Basis
Introduction
• There are many day-to-day operation and
maintenance activities that must take place for the SIS
to sustain its expected performance throughout its
installed life
• Operation and maintenance procedures must be
developed and verified prior to the introduction of
hazards into the process unit
• These procedures support the detection and response
to faults and process alarms, the initiation of manual
shutdown, reset after shutdown, and proof tests
Module 12 – Operating Basis © SIS-TECH
Mechanical Integrity
ISA TR84.00.03-2012
Validation
• Confirmation by examination and provision of
objective evidence that the particular requirements
for a specific intended use are fulfilled
Note 1: In the IEC 61511 series this means demonstrating
that the SIF(s) and SIS after installation meet the SRS in all
respects
- IEC 61511-1:2016 clause 3.2.86
• Plan content
– Scope
– Method
– Boundary
– Pass/Fail criteria
– Fault found, impact, resolution or action plan
Verification and Validation Opportunities
• Hardware Verification
– Factory Acceptance Test
• Software Verification
– Emulation
– Simulation
• Hardware and Software Integration Verification
– Factory Acceptance Test
• Safety Function Validation
– Site Acceptance Test
Factory Acceptance Test
• Test of equipment in controlled setting
– Manufacturer
– Engineering contractor
• Demonstrates that equipment functions as
desired
– Detects integration issues
– Does not substitute for site acceptance test
• Reduces site acceptance test issues
– Reduces on-site work
FAT Coverage
• Safety function logic
• Notifications – diagnostic, alert, alarm
• Testing logic
• Bypass logic
• Data boundary tests
• Execution times
• Sequence implementation
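As an added illustration (not code from the SIS-TECH slides), the Python harness below exercises a hypothetical 2oo3 high-pressure trip function the way a FAT would cover the first items of the list above: safety function logic, bypass logic and data boundary tests, each case carrying its own pass/fail criterion and an as-found result. The setpoint, the degraded 1oo2 voting under a single bypass, the forced trip when a second channel is bypassed, and the treatment of a bad signal as a vote to trip are assumed design rules for this example, not requirements taken from the page.

```python
from dataclasses import dataclass

# Assumed design value for a hypothetical high-pressure SIF (not from the slides).
SETPOINT_BARG = 50.0   # a reading >= setpoint is a vote to trip


@dataclass
class VoteResult:
    trip: bool
    votes: int
    active_channels: int
    mode: str


def vote_2oo3(pressures, bypassed=(), setpoint=SETPOINT_BARG):
    """2oo3 high-pressure trip with maintenance bypass.

    Assumed design rules (hypothetical, stated so the FAT can check them):
    - a channel whose signal is bad (None, e.g. outside the transmitter range)
      counts as a vote to trip (fail-safe treatment of a detected fault),
    - a bypassed channel is removed from the vote; with one bypass the voting
      degrades from 2oo3 to 1oo2,
    - a second simultaneous bypass is not permitted and forces the trip.
    """
    active = [i for i in range(3) if i not in bypassed]
    if len(active) < 2:
        return VoteResult(True, 0, len(active), "more than one channel bypassed")
    votes = sum(1 for i in active if pressures[i] is None or pressures[i] >= setpoint)
    required = 2 if len(active) == 3 else 1
    return VoteResult(votes >= required, votes, len(active), f"{required}oo{len(active)}")


def fat_cases():
    """Constructed FAT cases: (name, channel readings, bypassed channels, expected trip)."""
    s = SETPOINT_BARG
    return [
        ("normal operation", [40.0, 41.0, 39.5], (), False),
        ("single high channel does not trip", [s + 5, 40.0, 40.0], (), False),
        ("two high channels trip", [s + 5, s + 1, 40.0], (), True),
        ("boundary: just below setpoint", [s - 0.01, s - 0.01, 40.0], (), False),
        ("boundary: exactly at setpoint", [s, s, 40.0], (), True),
        ("bad signal counts as a vote", [None, s + 2, 40.0], (), True),
        ("one bypass: bypassed channel ignored", [s + 5, 40.0, 40.0], (0,), False),
        ("one bypass: 1oo2 trips on one high", [40.0, s + 5, 40.0], (0,), True),
        ("two bypasses force the trip", [40.0, 40.0, 40.0], (0, 1), True),
    ]


def run_fat(cases=None):
    """Execute each case and record expected vs as-found against the pass/fail criterion."""
    results = []
    for name, pressures, bypassed, expected in (cases if cases is not None else fat_cases()):
        as_found = vote_2oo3(pressures, bypassed).trip
        results.append({"test": name, "expected": expected, "as_found": as_found,
                        "passed": as_found == expected})
    return results


def fat_passed(results):
    """Overall FAT verdict: every case must meet its criterion."""
    return all(r["passed"] for r in results)


if __name__ == "__main__":
    res = run_fat()
    for r in res:
        print(f"{'PASS' if r['passed'] else 'FAIL'}  {r['test']}")
    print("FAT result:", "PASS" if fat_passed(res) else "FAIL")
```

The boundary cases sit on either side of the setpoint because an off-by-one in the comparison (greater-than instead of greater-than-or-equal) is exactly the kind of logic defect a FAT is meant to catch before the site test, where the inputs are real transmitters rather than simulated values.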
Validation
• For new or modified SIS, validation should be
performed to demonstrate the required SIF
functionality
– Complete input to output test
– Only way to completely verify field integration
• Power supplies, instrument air, etc. were simulated in
previous tests. Now, you have the real thing
• Typically called the Site Acceptance Test (SAT)
or Pre-startup Acceptance Test (PSAT)
Validation
• No substitutions for this test
• Demonstrates the SIS meets all aspects of the
design basis after installation and commissioning
• Detects commissioning problems
• Great opportunity to train operators and
maintenance staff
COMPLETE INPUT TO OUTPUT TEST IS REQUIRED FOR
ALL NEW INSTALLATIONS
Validation is also required after any change to the
application program, unless an exception is approved
- See IEC 61511-1:2016 clause 16.3.1.6
Pre-start-up safety review
• Stage 3 Functional Safety Assessment
– Appropriate hazard and risk analysis or management
of change reviews have been conducted and their
recommendations addressed
– New or modified equipment is installed and
demonstrated to operate per design intent
– Adequate procedures are in place
– Training of affected personnel has been completed
• Performed prior to hazards being present
- See IEC 61511-1:2016 clause 5.2.6.1.5
Procedures and Training
• Each person assigned responsibility should be
trained on the procedures and work practices
applicable to their assigned job tasks
• Refresher training should occur at a sufficient
interval to ensure that each person involved with
SIS procedures understands and adheres to the
operating basis
• A training record should be maintained which
contains the dates of training and the means
used to verify that the training was understood
Procedures
• Should be periodically reviewed to assure that
they reflect current practice
– Operator procedures must be reviewed and approved
annually (OSHA PSM)
• Should include consideration for various
management of change activities that occur
throughout the equipment life
Training Content
• Procedures
– Specific to discipline
• Permit requirements
– When it is acceptable to use bypasses
– Who approves
– How long can bypass be in place
• Management of change
– Configuration management
• Access security
• Reporting and recording demands, faults and failures
Develop Operating Procedures
• Functionality – what SIS prevents and how it
works
• Diagnostics - response to detected failures
• Alarms - response to hazards
• Bypassing – when and what authorization is
required
• Compensating measure – when and how to use
back-up equipment
• Manual shutdown – when to execute
• Emergency response – what to do when safe
state is not achieved
• Start-up – process conditions for reset
Detected Failure and Compensating Measure
• Fail reliable
– Configure to alarm on failure
rather than to take trip condition
– System loss of integrity
– Operator gets the problem
• Compensating action
– Quickly
– Reliably
• Replace lost IPL
– Redundant equipment
• Sensors & Valves to use
[Figure: dangerous detected (DD) failures revealed by diagnostics]
Dangerous Detected Failures Do Not Become Safe
Just Because They are Detected
Dangerous Detected Failures
• Provisions for safe operation must be equivalent
to the loss of safety integrity or there is a risk
gap
– When choice is to alarm, the effectiveness of the
operator’s response must be considered
– Response capability should be within process safety
time or the defined maximum allowable response time
[Figure: risk gap versus effectiveness of compensating measures for DD failures]
Mean Time to Restoration
(MTTRes)
• Peak Risk Period
– High occupancy
– Out of service equipment
– High potential for error to cause upset
• Cannot judge risk by contribution to annualized
risk
– MTTRes is always much smaller than TI.
– PFDavg equation only considers one repair period
based on the estimated dangerous failure rate λD
– MTTRes will rarely contribute much to the calculated
PFDavg for an SIF
Mean Time to Repair (MTTRes)
• Risk is not adequately represented by single
cause-consequence scenario concept
• Risk is cumulative for maintenance personnel and
field operators, who are exposed either continuously
or during periods of high demand
• The safety integrity requirements must be
achieved during the planned maintenance
period
– Compensating measures!
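To make the two preceding slides concrete, here is an added Python example (not from the SIS-TECH material) using the standard simplified single-channel PFDavg form, PFDavg ≈ λDU·TI/2 + λDD·MTTRes, to show why MTTRes contributes little to the annualized figure while the repair window itself is a period of lost protection that only a compensating measure can cover. The failure rate, diagnostic coverage, demand rate and PFD targets are constructed values, and the "credited PFD" of a compensating measure is an assumption for the example.

```python
HOURS_PER_YEAR = 8760.0


def split_dangerous_rate(lambda_d_per_h, diagnostic_coverage):
    """Split the dangerous failure rate λD into detected (λDD) and undetected (λDU) parts."""
    lambda_dd = lambda_d_per_h * diagnostic_coverage
    return lambda_dd, lambda_d_per_h - lambda_dd


def pfd_avg_1oo1(lambda_d_per_h, diagnostic_coverage, test_interval_h, mttres_h):
    """Simplified single-channel PFDavg.

    Undetected dangerous failures persist on average TI/2 until the proof test
    finds them; detected dangerous failures persist for MTTRes until repaired.
    """
    lambda_dd, lambda_du = split_dangerous_rate(lambda_d_per_h, diagnostic_coverage)
    pfd_du = lambda_du * test_interval_h / 2.0
    pfd_dd = lambda_dd * mttres_h
    total = pfd_du + pfd_dd
    return {"pfd_du": pfd_du, "pfd_dd": pfd_dd, "pfd_avg": total,
            "mttres_fraction": pfd_dd / total if total else 0.0}


def expected_demands_during_outage(demand_rate_per_year, outage_h):
    """Expected number of process demands arriving while the device is out of service.

    During that window the channel's PFD is 1.0, whatever the annualized PFDavg says."""
    return demand_rate_per_year * outage_h / HOURS_PER_YEAR


def risk_gap_during_outage(target_pfd, compensating_pfd=1.0):
    """Does the protection available during the repair meet the SIF's own PFD target?

    With no compensating measure the channel contributes nothing (PFD = 1.0), so
    the whole required risk reduction is missing for the duration of the repair."""
    return {"available_pfd": compensating_pfd, "target_pfd": target_pfd,
            "risk_gap": compensating_pfd > target_pfd}


if __name__ == "__main__":
    # Constructed values: λD = 1e-6 /h, 60 % diagnostic coverage, 1-year proof test interval
    lam, dc, ti = 1e-6, 0.6, HOURS_PER_YEAR
    for mttres in (24.0, 72.0, 720.0):
        r = pfd_avg_1oo1(lam, dc, ti, mttres)
        print(f"MTTRes={mttres:5.0f} h: PFDavg={r['pfd_avg']:.2e}, "
              f"MTTRes share={r['mttres_fraction']:.1%}, "
              f"expected demands during outage={expected_demands_during_outage(1.0, mttres):.3f}")
    # Assumed SIL 2 style target of 1e-2 for the SIF (constructed)
    print("no compensating measure:", risk_gap_during_outage(1e-2))
    print("redundant equipment credited at PFD 1e-2 (assumed):", risk_gap_during_outage(1e-2, 1e-2))
```

With a 72-hour restoration the MTTRes term is a few percent of PFDavg, which is the "rarely contributes much" point; the same run shows the share growing quickly once repairs slip to weeks, and the risk-gap check shows that the annualized number says nothing about whether the plant is protected while the device is out.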
Mean Time to Repair (MTTRes)
• Also known as Mean Time to Restoration
– the time to detect the failure
– the time spent before starting the repair
– the effective time to repair
– the time before the device is put back into operation
• Industry trend is to assume that repair can be
completed and the device returned to service
within 24 to 72 hours
• How many failures exist within the same time
period?
Do you have adequate compensating measures
for the repair time?
Minimum Repair Time
• Expected Time to:
– Schedule and Plan
– Mobilize and Equip
– Test, Repair and Test
– Verification and return to service
• Availability of resources
– Personnel location
– Scheduling or work order timing
– Spare parts availability
– Special tool availability
Mechanical Integrity
• Inspection
– Identifies incipient, degraded, and complete failures
• Preventive Maintenance
– Detects degradation and prevents failures
• Proof Tests
– Demonstrates by witnessed test that inspection and
preventive maintenance are sufficient to prevent
complete failures
Goal is to maintain the device in an
“as good as new” condition
Inspection
• Inspection
– Identifies problems before they become failures
• Incipient and degraded failures
– Generally supported by checklists
– Improves reliability
– Examples:
• water in junction boxes
• corrosion of valve linkages
• loose electrical connections
• etc.
ISA TR84.00.03 Annex E Inspection items and forms
Preventive Maintenance
• Fixed Schedule
– Prevents failures through periodic activities
– Periodic calibration
– Replacement – weekly for pH probe
• Condition-based Schedule
– Respond to detected degradation
– Slow response in diagnostic comparison
– Density reading change
• indicating Coriolis tube coating
• Never run to failure
ISA TR84.00.03 Annex F Example Calibration Forms
Preventive Maintenance
• Battery replacement
• Process connection cleaning
• Replacement of eroded components
– For example, flow tubes, thermowells, orifice plates
• Rebuilding valves
• Gasket replacement
• Instrument air filter replacement and separator cleaning
• Lubrication
• Electrical contact replacement
Incidents – Test Contribution
• Inadequate test coordination with operations
• Inadequate communication to adjacent
operations and maintenance who were unaware
of the potential impact of testing
• Improper bypassing
• Poor test facility design
• Misunderstood or incomplete test procedures
• Inadequate return to service procedures
Reducing Incidents
• Well-integrated test facility design
• Review, approval and notification of bypass
• Good plan, procedures, and communication
• Confirmation of return to service
• Trained and qualified personnel
– Even temporary contractors at turnaround!
SIS performance is limited by rigor,
timeliness, and repeatability
Proof Test
• A test, or series of tests, performed to detect
failures in a protective system and includes
inspection and preventive maintenance activities
necessary to maintain the system in its “as good
as new” condition
• This periodic activity validates the device
operation for those functions covered by the
specific proof test
Proof Test Program
• Have updated list of SIS equipment including tags,
service description, and associated SIF
• Develop a specific schedule and procedures for
inspection, test, and preventive maintenance
• Develop process for recording and reporting results
– As-found/As-left
– Mean Time Between Failures
– Mean Time Between Work Orders
– Mean Time to Repair
– Total Bypass Time
• Provide a mechanism to ensure program compliance
and improvement
Proof Test Procedures
• Hazardous event being prevented by the SIF
• Permit requirements
• Approved test equipment and tools
• Special isolation requirements
• Precautions for safe testing, including special
PPE
• Scope of test
• Pass-fail criteria
• Bypass requirements
Proof Test Procedures
• Test requirements
– Step by step procedure
• Initials/signoff of important work steps
– Reporting As Found/As Left
– Reporting and notification of failure
• Return to service “good as new”
– Adjustment or replacement
– Site verification by independent person
• Supervisor
• Field operator
Proof test - gotchas
• Beginning a test without satisfying the pre-test
conditions
• Attempting start-up when a test is still in progress
• Violations of lock-out/tag-out
• Leaving SIS equipment bypassed long-term in error
• Working on the wrong device
• Leaving a transmitter with a simulated signal or
point in manual source mode
• Leaving analyzers in zero or span
ISA TR84.00.03 Annex I Proof test examples
Test Documentation
• Date of inspection or proof test
• Name of person who performed the test or
inspection
• Serial number or other unique identifier of
equipment
• Procedure used
• Equipment used
• Result of inspection/test
– “as found”
– “as left”
• Comments on condition
• Recommendations
Actual Repair Time
• Should be consistently less than mean time to
repair
– Reduces operations cost of maintaining
compensating measures
– Reduces risk of incident during repair
– Reduces the amount of time that you are operating
without deriving benefit from your instrumentation and
controls investment
Allowable Repair Time
• Prior to exceeding the Mean Time to Repair (or
Allowable Repair Time):
– a safety review should be conducted to determine
whether the compensating measures already in place
are acceptable for extended operation under fault,
and
– additional management approval of continued
operation should be obtained
Tracking and trending
• Trips
– Process demands
– Spurious trips
• Device failures
– Detected failures (work orders)
– Proof test records
– Bypass log
– Out-of-service times (time to repair and test)
ISA TR84.00.04 Annex R and
ISA TR84.00.03 Annex C Example Failure Reports
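The metrics listed under Proof Test Program (mean time between failures, mean time between work orders, mean time to repair, total bypass time), the allowable-repair-time check from the Allowable Repair Time slide and the tracking-and-trending records above can be produced from a work-order log. The Python below is an added example, not an SIS-TECH form or tool: the work orders for tag PT-101, the two-year observation window, the 72-hour allowable repair time and the failure rate "assumed in the SIL verification" are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime

HOURS_PER_YEAR = 8760.0


@dataclass
class WorkOrder:
    """One maintenance work order on an SIS device (constructed sample data)."""
    wo_id: str
    tag: str
    detected: datetime             # fault detected by diagnostic, alarm or proof test
    returned_to_service: datetime  # device verified and returned to service
    failure_confirmed: bool        # False: work order raised but no failure found
    bypass_hours: float            # hours the SIF was bypassed under this work order


def restoration_hours(wo):
    """Time to restoration: detection through return to service, per the MTTRes definition."""
    return (wo.returned_to_service - wo.detected).total_seconds() / 3600.0


def device_metrics(records, observation_hours, allowable_repair_h=72.0):
    """Tracking-and-trending metrics for one device over an observation window."""
    failures = [wo for wo in records if wo.failure_confirmed]
    restore = [restoration_hours(wo) for wo in failures]
    return {
        "work_orders": len(records),
        "failures": len(failures),
        "mtbf_h": observation_hours / len(failures) if failures else float("inf"),
        "mtbwo_h": observation_hours / len(records) if records else float("inf"),
        "mttr_h": sum(restore) / len(restore) if restore else 0.0,
        "total_bypass_h": sum(wo.bypass_hours for wo in records),
        # repairs that ran past the allowable repair time without the review the
        # slides call for; these need management attention
        "over_allowable": [wo.wo_id for wo in records
                           if restoration_hours(wo) > allowable_repair_h],
    }


def compare_required_to_actual(metrics, assumed_lambda_d_per_h, assumed_mttres_h):
    """Quality-assurance step: compare what the SIL verification assumed with what the
    records show, returning the gaps that need root-cause analysis."""
    gaps = []
    observed_rate = 1.0 / metrics["mtbf_h"] if metrics["mtbf_h"] != float("inf") else 0.0
    if observed_rate > assumed_lambda_d_per_h:
        gaps.append("failure rate")
    if metrics["mttr_h"] > assumed_mttres_h:
        gaps.append("mean time to restoration")
    if metrics["over_allowable"]:
        gaps.append("individual repair exceeded allowable repair time")
    return gaps


SAMPLE_OBSERVATION_H = 2 * HOURS_PER_YEAR   # constructed: two years of records


def sample_records():
    """Constructed work-order history for a hypothetical transmitter PT-101."""
    return [
        WorkOrder("WO-1", "PT-101", datetime(2023, 2, 1, 8), datetime(2023, 2, 2, 14), True, 30.0),
        WorkOrder("WO-2", "PT-101", datetime(2023, 7, 10, 6), datetime(2023, 7, 15, 6), True, 120.0),
        WorkOrder("WO-3", "PT-101", datetime(2024, 3, 5, 9), datetime(2024, 3, 5, 13), False, 4.0),
        WorkOrder("WO-4", "PT-101", datetime(2024, 9, 20, 10), datetime(2024, 9, 22, 10), True, 48.0),
    ]


if __name__ == "__main__":
    m = device_metrics(sample_records(), SAMPLE_OBSERVATION_H)
    for k, v in m.items():
        print(f"{k:>16}: {v}")
    # assumed λD of 1e-6 /h and 72 h MTTRes from the (hypothetical) SIL verification
    print("gaps:", compare_required_to_actual(m, 1e-6, 72.0))
```

In the sample, the mean restoration time of 66 hours sits inside the assumed 72 hours, yet one repair ran to 120 hours and three confirmed failures in two years is far above the assumed failure rate. That is the "required versus actual" comparison the Quality Assurance slide asks for: the average looks acceptable while the individual records show both an overdue repair and a device that is not performing as the risk analysis assumed.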
Quality Assurance
Periodically Compare Required to Actual
• Identify gaps for further analysis
• Understand root causes
– Device
– Human
– System
– Procedure
– Management system
• Develop action plan for closing gap
When equipment is not working for you, it should be
removed from service and something else installed
Resolve gaps
• Action plans for improvement
– Define concrete plan to address root causes
– Establish timelines for short and long-term
improvement
• Short term – temporary or interim measures to reduce risk
exposure
• Long term – permanent measure to close gap
• Increase monitoring to verify gap closure
• When improvement is not possible
– Inform Management
– Change risk analysis assumptions to match
Formosa Plastics HAZOP
CSB Safety Videos 2005-2011, Formosa Plastics Vinyl Chloride Explosion
Things to think about…
• Multiple hazards analysis identified risk
– Human errors recognized as initiating cause
– Valve interlock listed as safeguard
• Common cause – human error
– Limited communication between operators on different
levels
– No process variable indication near valve
– Override was easy to use
• No barrier to prevent use
• Why include this bypass hose?
Wrap-Up
• Identify SIFs and required risk reduction for each
mode of process operation
• Document SIS design basis and software
specification
• Specify, verify, install, commission, and validate
SIS to meet the design basis
• Maintain SIS in the “as good as new” condition
through mechanical integrity
– Run to failure is not acceptable
MI Strategy and Performance
Wrap-Up
• Protect process when operating with a known
SIS failure
– Compensating measures defined
• Changes are evaluated by independent
competent reviewers through a management of
change process;
• Access is controlled administratively and
physically; and
• Device failures and trips tracked and periodically
assessed to ensure prompt resolution of any SIS
inadequacy
Documentation
• Hazard and risk analysis reports
• Design basis documents
• Operation, testing, and maintenance procedures
• Inspection, proof test, and maintenance records
• Failure reports (e.g., trip reports and device failure
reports)
• Near miss and incident investigation reports
• Management of change records
• Training records
• Audit reports