Does Your Existing SIS Get the Job Done?

An installed system now requires a formal determination of adequacy

By Angela E. Summers, SIS-TECH Solutions

2 of 2 1 | 2 > View on one page

Understanding maintenance history is an essential part of demonstrating the adequacy of existing equipment. The number of service hours needed to gain confidence increases in line with the complexity of an installation. A worthwhile approach for assessments is to treat equipment using similar technology as one pool of instruments because they share the same types of failure mechanisms, failure modes and systematic errors. Pooling similar technologies increases the likelihood there’s a sufficient number of total operating hours to have confidence the assessment results are valid. Field device performance is similar in safety and non-safety applications; so, also use control device history to accumulate the operating experience needed to gain confidence.

Historical data can contribute to a database for calculating hardware failure rates for the different technologies. However, the amount of operational experience needed to gain credible statistical reliability data typically far exceeds that necessary to get evidence of prior use. Contributing data to industry organizations, such as the Instrument Reliability Network, the Process Equipment Reliability Database and SINTEF, can yield statistically sound data by accumulating datasets for multiple installations.

Most process facilities use historical data for high-level metrics, such as bad actor analysis, mean time between work orders or mean time between failures, rather than to calculate dangerous failure rates. A focus on high-level metrics is understandable because site culture and practices must react to identified problems rather than waiting for the rate to get bad. Regardless, operations and maintenance should strive to reduce the potential for failure to a level as low as reasonably practicable.

Functional Safety Assessment

The existing SIS can remain ‘as is’ when the Stage 4 FSA confirms that the SIS is fulfilling its safety requirements.

The SIS hardware, software and associated procedures may undergo change throughout the operation and maintenance phase. New clause formally addresses what to do when making changes to an existing SIS. The FSA associated with the change must include what IEC 61511 calls an impact analysis (which probably is more commonly referred to as a risk assessment within the process safety community). The clause also requires that the FSA confirms the modification complies with IEC 61511.

FSAs ensure the SIS performance aligns with the claimed risk reduction and the work processes in place provide the needed rigor to sustain the performance. FSAs are performed at five different stages during the SIS life. Stages 1, 2 and 3 are integrated into the project execution process. New IEC 61511 clause requires periodically conducting Stage 4 during the operations and maintenance phase. Stage 5 concerns any proposed change to the SIS or decommissioning.

The standard doesn’t prescribe how often to perform Stage 4. Common considerations in Stage 4 timing include local regulatory requirements, the frequency of organizational changes at the site, the quality of operating discipline and functional safety management systems existing prior to the installation, the number of safety control, alarm and interlock functions and their complexity, and the extent of changes to the process equipment or its control system [2].

Stage 4 evaluates the work processes and records to confirm the requirements for functional safety management and verification are being met. Stage 4 also examines the data and information about the installed SIS to determine whether the assumptions made during design can be supported. If the in-service performance is less than expected, then the likelihood of loss events can be greater than desired. Documented and audited work processes are essential to sustaining the SIS performance and preserving the intended return on investment in the SIS.

The Bottom Line

The concept of grandfathering is out of date. You must judge existing systems by the same performance measures used for new ones. The evidence supporting the claimed performance changes as an SIS goes from being a project concept to an installed system.

The project view of the SIS lifecycle starts with the hazards and risk analysis and ends with the startup of the process unit. The safety integrity level (SIL) is defined during the risk analysis, a failure model of the function is created during design, and a calculation is executed using reliability data to verify the SIL. The model assumptions and data quality limit the relevance of the calculated result to the actual installed SIS.

The SIS becomes existing once placed in service and current performance demonstrates its acceptability “as is.” The determination the equipment is designed, maintained, inspected, tested and operating in a safe manner relies on the collection of quality information and data by operations and maintenance. This data feedback is necessary for determining acceptability not only of the SIS under consideration but also other SISs that use similar hardware, software, procedures and operating environments.

Does Your SIS Comply?

The grandfather clause in the 1st edition of IEC 61511 only applied to the equipment, i.e., the installed hardware and software. Grandfathering never applied to implementing the requirements for functional safety management. Compliance demands embracing the work processes and activities of IEC 61511. This includes the requirements for the hazards and risk analysis, design through implementation, operation, maintenance, management of change, and documentation.

The 2nd edition of IEC 61511 clarifies that claiming the installed SIS is good enough “as is” requires the collection and analysis of in-service data and information. Formal monitoring processes are needed to identify negative trends and to take corrective action, sustaining the functional and safety integrity requirements.

ANGELA E. SUMMERS, PhD, PE, is president of SIS-TECH Solutions, Houston. Email her at

1. Summers Angela E. and Hearn, William H., “Quality Assurance in Safe Automation,” Proc. Safety Progr., 27 (4), p. 323 (Dec. 2008).
2. Roche, Eloise, Hochleitner, Monica and Summers, Angela, “Introduction to Functional Safety Assessments of Safety Controls, Alarms, and Interlocks. How efficient are your functional safety projects?” Proc. Safety Progr., 36 (4), p. 392 (Dec. 2017).

2 of 2 1 | 2 > View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


  • Thank you for the excellent clarifications on the grandfather clause. What are your recommendations on improving existing functional safety management system such as increase competency of personnel or even addition of cyber security functional safety?


RSS feed for comments on this page | RSS feed for all comments