The new release of IEC61511:2016 has caused some confusion when it comes to the Functional Safety Assessments (FSAs). Which ones are mandatory?

The confusion comes from the wording in the standard and the clarifications in the notes. The relevant clause in the standard 5.2.6.1.4 states:

A FSA team shall review the work carried out on all phases of the safety lifecycle prior to the stage covered by the assessment that have not been already covered by previous FSAs. If previous FSAs have been carried out then the FSA team shall consider the conclusions and recommendations of the previous assessments.

This implies that if you decide to perform the first FSA at Stage 3, then you must make sure all the requirements of Stage 1 & 2 have been covered.

The stages in the SIS safety lifecycle in which the FSA activities are to be carried out “shall be identified during the safety planning.” 

The FSAs are defined as follows:

FSA 1 – Conducted after the analysis phase has been completed and the SRS has been developed

FSA 2 – Conducted after the SIS detailed design has been completed

FSA 3 – After the SIS has been installed and commissioned and prior to startup (mandatory)

FSA 4 – After gaining experience with operation and maintenance (mandatory)

FSA 5 - After any changes are made to the SIS and prior to decommissioning

The purpose of FSAs

The purpose of the FSA is to ensure that all the necessary steps within that stage of the Safety Lifecycle (SLC) have been carried out as defined. It is to help with reducing the likelihood of systematic failures. The current standard specifies that at least one FSA should be conducted—FSA 3, prior to startup, then periodically per clause 5.2.6.1.10 (FSA 4).

However, if you wait until FSA 3 to carry out your first FSA, you run the risk of delaying the startup of your system if discrepancies and/or non-compliances are discovered. The FSA 3 would still need to address the requirements of FSA 1 & FSA 2.

In our experience, we’ve found most companies do not perform all five FSAs, which is a shame. If done properly, mistakes/omissions and problems (systematic issues) can be detected early in the SLC, rather than waiting until startup to find out—delays can be extremely costly.

We often discover problems with the HAZOPs, LOPAs and SIL determination when performing SIL verification. Mostly this is because the HAZOP wasn’t facilitated by a “competent” person and/or hazard scenarios were missed; the team assigned wasn’t experienced enough to perform the LOPA correctly, and either credit has been taken twice for Operator and BPCS protection layers or the protection layers do not meet the “Independence” requirement.  

Performing a FSA after the SRS has been developed by a competent independent third party would likely expose problems and issues. The FSA would look specifically at whether the hazard and risk analysis has been carried out and whether any recommendations made have been addressed and/or resolved. This would then ensure that any Safety Instrumented Functions (SIFs) required for the SIS were properly defined, in terms of their functionality and their target integrity (SIL), as well as all other operating considerations to achieve the safe state.

If FSA 1 is not conducted but FSA 2 is, you risk the identified SIFs not achieving enough risk reduction, or achieving too much (i.e. their target SILs may be too low or too high), which can lead to a potentially dangerous under-design or an expensive over-design. Also, once the SIS and its SIFs have been designed, it is potentially more time-consuming and expensive to go back and re-design.

The 20, 20, 20 Rule

There’s an old adage known as the 20, 20, 20 rule for system design, whereby it takes 20 weeks to design, 20 months to implement and 20 years in operation. If we look at the SLC, the Operations and Maintenance phase is shown as one box (Clause 16)—but this is where the SIS will spend over 90% of its time.  

The IEC61511 standard is different from previous standards since it is non-prescriptive and is based upon performance around a safety lifecycle (i.e. it tells you what you need to do, but not how to do it).  In this respect, the standard specifies that the end user should periodically assess the performance of its SIS, which means that keeping good maintenance records, undertaking proof tests at the correct interval according to the SRS, and recording real and unintended (spurious) trips, failures, repair times, etc. is very important. 

The Intent of FSA 4 and FSA 5

The intent of FSA 4 is to ensure that the safety, operating, maintenance and emergency procedures pertaining to the SIS are in place and being followed, as well as confirming personnel are competent, adequate records are being kept, and field failure data is available and used to verify the relevant SIFs still achieves their target integrity level (i.e. their PFDavgor PFH has not changed).

Then, the intent of FSA 5 is to ensure that any proposed changes to the SIS and its SIFs are properly evaluated by a competent person to determine if there will be any impact on safety and, if so, to then return to the appropriate stage in the SLC. This may mean returning to the Hazard Analysis phase.

Therefore, the answer to the question “Which FSAs do I need to perform?” is simple. It’s all of them!