Safety Case Assessment Guide regarding Safety Instrumented Systems and IEC61511

Based on Safety Case Assessment Guide by MHD.


3. Q: The Safety Case Assessment Guide requires MHIs to demonstrate competency in SIL level
determination, SIS design and maintenance of EC&I systems. Does competency refer to specific
functional safety competencies, e.g. functional safety certifications? Or would
competence gained through on-the-job training and work experience in relevant areas such as
operation / maintenance / process safety and design be acceptable?

A: Relevant staff must have a good understanding of the EC&I systems in order to implement the
requirements and maintain the systems.
To demonstrate this, MHIs could use a Training – Core Competency Matrix, which matches
training and experience to the competencies needed for SIL implementation, SIF design, installation
and maintenance. The demonstration should include how the MHI determined the level of
understanding, training and education needed to perform those tasks.
Functional safety certification is not a requirement but would be useful for the demonstration of
EC&I competency.

4. Q: Can third parties be engaged for EC&I activities?
What proof/documentation is required in the safety case to demonstrate that the third party is
competent to do the work, especially for past projects?

A: Yes, third parties can be engaged.
The MHI will need to demonstrate the competency of third parties, e.g. relevant competencies and
experience in proof testing and SIS maintenance, and a basic understanding of and training in functional
safety, especially the requirements for record keeping and the SIS proof test procedure.

5. Q: What proof/documentation is required in the safety case to demonstrate survivability of critical
utilities and adequacy of backup, e.g. UPS?
– Are there standards/guidelines for utilities?
– Is an instrument designed to fail safe on loss of utilities good enough?
– Can MHIs adopt in-house guidelines instead of IEC61511?

A: There is a range of codes, standards, good engineering practices and guidelines for the
design/maintenance of utilities that MHIs can refer to.
Examples of critical utilities that could impact safety are compressed air, N2, steam etc. In the
safety case, MHIs should describe the utilities, their sources, how loss of utility is detected and the
actions taken upon loss detection. Information on utility specifications (e.g. compressor capacity),
availability of backup systems, utility recovery, maintenance, inspection and testing should be
provided. Documentation such as test records and diagrams would support the demonstration in the
safety case.
Designing fail-safe instruments is good engineering practice and enhances reliability. However,
the use of fail-safe design does not remove the need for utility survivability. Instead, it should be
seen as a complement to utility design. The SIS should comply with IEC61511.
MHIs that adopt in-house guidelines for non-SIL control must demonstrate that the in-house
guidelines are comparable to good industry engineering practices and guidelines.

6. Q: Does the Safety Case require the MHI to apply IEC61511 to:
– relay-based systems, PLC and DCS with loops used for safety protection
– general alarm systems and Priority 1 alarm systems used for safety protection

A: All systems deemed to be SIS and SIL-rated should adhere to IEC61511. For alarm management,
refer to EEMUA 191.
Beyond the scope covered by these standards, good engineering practices shall apply. For
example, selection and placement of detectors should be considered and could be addressed by
detector mapping.

7. Q: What proof/documentation is required in the safety case to demonstrate the adequacy of a non-SIL-rated system?

A: The safety case should include the identification of SIFs, SRSs, inspection records etc. MHIs can
refer to HSE’s Operational Guidance on “Management of instrumented systems providing safety
functions of low / undefined safety integrity”.

8. Q: Do MHIs need to adhere to all requirements in IEC 61511?

A: MHIs could determine and implement the relevant requirements. However, if the MHI claims to
comply with IEC61511, all requirements in the standard will need to be complied with.
MHIs adopting alternative standards will need to provide justifications.

9. Q: IEC 61511, Section 8.2.4 calls for “A security risk assessment shall be carried out to identify the
security vulnerabilities of the SIS”. Security risk assessment is new for the process industries in
Singapore. What is the timeline for MHIs to complete the assessment?

A: The safety case covers industrial risks that could lead to major accidents. Although security is beyond
the scope of the SCAG, MHIs should ensure that their systems are secure and safe from cyber
attacks. Currently, demonstrations of security and cyber attack prevention are not required in the
safety case.

10. Q: Fire and Gas detection has been taken out of the scope of IEC 61511. The general understanding
is that the PFD for detectors can be influenced by external environmental conditions (e.g. wind
direction), thus, SIL rating of detectors would not be sufficient. Would it be acceptable to use
detector mapping to demonstrate sufficient coverage by detectors of a SIF, as part of SIL
verification?

A: F&G systems are within the scope of IEC61511. Detector mapping is good practice to demonstrate
sufficient detection coverage.