Functional Safety Management Plan - V1.0

Functional Safety explores the use of instrumented systems to implement a layer of protection within the refining process. This management plan offers the steps to achieve Safety Integrity Level (SIL) conformance, describing the functional safety lifecycle which was modelled in accordance with IEC 61511.

PETROLEUM COMPANY OF TRINIDAD AND TOBAGO LIMITED

FUNCTIONAL SAFETY MANAGEMENT PLAN

DIVISION: REFINING & MARKETING
DOCUMENT NUMBER: PCTT-RM-FSMP-R1.0
ISSUE: 1.0
ISSUE DATE: 2017.02.17
PREPARED BY: HE,I&CSE
REVIEWED BY: MES
SUPPORTED BY: SMES
APPROVED BY: VPR&M
REVISION HISTORY

Issue 0.1 (December 17, 2014), Functional Safety Management Plan Development Team: Draft

Issue 0.2 (January 13, 2015), Functional Safety Management Plan Development Team: Reviewed for submission to insurers

Issue 0.3 (April 15, 2016), Functional Safety Management Plan Development Team: Updated for the following edits:
• Update to section 6.2.2 – Scope and Timing for Phase 2: “HAZOP Studies”
• Update to section 6.3.2 – Scope and Timing for Phase 3: “SIL Studies”
• Inclusion of Appendix A: Petrotrin Risk Assessment Matrix Modified

Issue 0.4 (July 18, 2016), Functional Safety Management Plan Development Team: Revision to List of Key Stakeholders; Modification of responsibility for PSM

Issue 0.5 (November 2016), Functional Safety Management Plan Development Team: Development of RASCI Matrix designating roles and responsibilities for each step in the Safety Lifecycle

Issue 0.6 (December 2016), Functional Safety Management Plan Development Team: Edits to document:
• Name change from SIF Management Plan to Functional Safety Management Plan
• Update document to be consistent with developed RASCI Matrix
• Removal of Appendix A: Petrotrin Risk Assessment Matrix Modified, to be consistent with a LOPA driven framework
• Insertion of two new sections: References and Functional Safety Management Planning (which discusses the overall process/phase on planning)
• Revision of section on Verification and addition of this step to RASCI matrix
• Insertion of ACTIVITIES and SUCCESS FACTORS for each phase
• How To Use this plan reworded to remove plant acronyms
• IEC 61508 and Proven In Use references removed
• General formatting to numbering and paragraphing changed

Issue 1.0 (February 2017), Functional Safety Management Plan Development Team: Issued for Approval
• Insertion of Signatories
• Correction of Typographical/Formatting Errors
CONTENTS
REVISION HISTORY .......................................................................................................................................... i
ABBREVIATIONS ............................................................................................................................................. 1
1 INTRODUCTION ...................................................................................................................................... 2
About SIF, IPF and SIS ................................................................................................................................ 2
Why have a Functional Safety Management Plan ..................................................................................... 2
How to Use this Plan .................................................................................................................................. 2
2 OVERALL OBJECTIVES............................................................................................................................. 3
3 REFERENCES ........................................................................................................................................... 4
4 FUNCTIONAL SAFETY MANAGEMENT LIFECYCLE .................................................................................. 5
5 ROLES AND RESPONSIBILITIES ............................................................................................................... 6
6 FUNCTIONAL SAFETY MANAGEMENT PLANNING ...............................................................................10
7 DATA COLLECTION ...............................................................................................................................11
Objective ..................................................................................................................................................11
Scope and Timing .....................................................................................................................................11
Activities...................................................................................................................................................11
Roles, Responsibilities & Deliverables .....................................................................................................11
Success Factors ........................................................................................................................................12
8 RISK ANALYSIS & PROTECTION LAYER DESIGN ....................................................................................13
Objective ..................................................................................................................................................13
Scope and Timing .....................................................................................................................................13
Activities...................................................................................................................................................13
Roles and Responsibilities .......................................................................................................................14
Inputs .......................................................................................................................................................15
Deliverables .............................................................................................................................................15
Success Factors ........................................................................................................................................15
9 ALLOCATION OF SAFETY FUNCTIONS TO PROTECTION LAYERS ..........................................................16
Objective ..................................................................................................................................................16
Scope and Timing .....................................................................................................................................16
Activities...................................................................................................................................................16
Roles and Responsibilities .......................................................................................................................16
Inputs .......................................................................................................................................................17
Deliverables .............................................................................................................................................17
Success Factors ........................................................................................................................................17
10 SAFETY REQUIREMENTS SPECIFICATION .........................................................................................18
Objective ..................................................................................................................................................18
Scope and Timing .....................................................................................................................................18
Activities...................................................................................................................................................18
Roles and Responsibilities .......................................................................................................................19
Inputs .......................................................................................................................................................20
Deliverables .............................................................................................................................................20
Success Factors ........................................................................................................................................20
11 SIS DESIGN AND ENGINEERING .......................................................................................................21
Objective ..................................................................................................................................................21
Scope and Timing .....................................................................................................................................21
Activities...................................................................................................................................................21
Roles and Responsibilities .......................................................................................................................21
Inputs .......................................................................................................................................................23
Deliverables .............................................................................................................................................23
Success Factors ........................................................................................................................................23
12 INSTALLATION, COMMISSIONING AND VALIDATION ......................................................................24
Objectives ................................................................................................................................................24
Scope and Timing .....................................................................................................................................24
Activities...................................................................................................................................................24
Roles and Responsibilities .......................................................................................................................24
Inputs .......................................................................................................................................................25
Deliverables .............................................................................................................................................25
Success Factors ........................................................................................................................................25
13 OPERATION AND MAINTENANCE ....................................................................................................26
Objectives ................................................................................................................................................26
Scope and Timing .....................................................................................................................................26
Activities...................................................................................................................................................26
Roles and Responsibilities .......................................................................................................................27
Inputs .......................................................................................................................................................28
Deliverables .............................................................................................................................................29
Success Factors ........................................................................................................................................29
14 MODIFICATION AND DECOMMISSIONING ......................................................................................30
Objective ..................................................................................................................................................30
Scope and Timing .....................................................................................................................................30
Activities...................................................................................................................................................30
Roles and Responsibilities .......................................................................................................................30
Inputs .......................................................................................................................................................31
Deliverables .............................................................................................................................................32
15 FUNCTIONAL SAFETY ASSESSMENT .................................................................................................33
Objective ..................................................................................................................................................33
Scope and Timing .....................................................................................................................................33
Activities...................................................................................................................................................33
Roles and Responsibilities .......................................................................................................................33
Inputs .......................................................................................................................................................34
Deliverables .............................................................................................................................................34
Success Factors ........................................................................................................................................34
16 VERIFICATION ..................................................................................................................................35
Objectives ................................................................................................................................................35
Scope and Timing .....................................................................................................................................35
Activities...................................................................................................................................................35
Roles and Responsibilities .......................................................................................................................36
Inputs .......................................................................................................................................................36
Deliverables .............................................................................................................................................37
Success Factors ........................................................................................................................................37

Figure 1 – Petrotrin Functional Safety Management Plan (modelled after the IEC 61511 Safety Life Cycle) ............ 5
ABBREVIATIONS
BDP Basic Design Packages
BOD Basis of Design
BPCS Basic Process Control System
CED Cause and Effect Diagram
DCS Distributed Control System
DEP Design and Engineering Practices
EPC Engineering, Procurement and Construction
FGS Fire and Gas System
HMI Human Machine Interface
HSE Health Safety and Environment
I&CE Instrument & Controls Engineer
IEC International Electrotechnical Commission
I/O Input/Output
IPF Instrumented Protective Function
IPL Independent Protection Layer
IPS Instrumented Protective System
LOPA Layers of Protection Analysis
ME Mechanical Engineer
MES Manager Engineering Services
MESC Material Equipment Standard Code
MOC Management of Change
MTTF Mean Time to Failure
MTTR Mean Time to Repair
OSHA Occupational Safety and Health Administration
PE Process Engineer
P&IDs Process and Instrumentation Diagrams
PEFS Process Engineering Flow Scheme
PFD Probability of Failure on Demand
PFDs Process Flow Diagrams
PHA Process Hazard Analysis
PIU Proven In Use
PLC Programmable Logic Controller
PM Project Manager
PS Project Specification
PSAT Pre-Startup Acceptance Test
PSM Process Safety Management
PSFS Process Safeguarding Flow Scheme
PSSR Pre-Startup Safety Review
RE Rotating Equipment Engineer
RRF Risk Reduction Factor
RRM Risk and Reliability Management
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SRS Safety Requirements Specification

1 INTRODUCTION

This Functional Safety Management Plan details the step-by-step process for attaining functional safety
within the processes at the Petrotrin Pointe-a-Pierre Refinery through the implementation of Safety
Instrumented Functions (SIF) and Safety Instrumented Systems (SIS), where they are needed.

This plan does not replace the engineering of an inherently safe process design; rather, it provides for
determining whether the implementation of SIFs is applicable at all.

About SIF, IPF and SIS


A Safety Instrumented Function comprises one or more sensors or initiators, a logic solver and one or
more final elements, which work together to prevent or mitigate hazardous situations by performing a
specific safety-related task in the event of a specific dangerous condition. To this end, the SIF may
either assist with maintaining the safe operation of the process or force the process to shut down
safely.

The term SIF may be used interchangeably with the term IPF (Instrumented Protective Function), which
is the terminology adopted by the Shell standard (DEP 32.80.10.12) referenced by this document.

A Safety Instrumented System is made up of multiple SIFs/IPFs and may have interfaces with other
systems such as the Basic Process Control System (BPCS) and the Fire and Gas System (FGS).

Why have a Functional Safety Management Plan


The plan was created to ensure that functional process safety is attained and maintained in the running
of the various units and plants in the refinery. The plan identifies the inputs, activities and deliverables
for each phase and thus demonstrates how the objective of each phase will be met in practice.

The plan also identifies the roles and responsibilities of key participants that are needed for the
execution of the plan.

The plan is intended to lead to a high level of consistency within the various phases and stages of the
plan’s execution and amongst the different teams and plant personnel that will be involved.

How to Use this Plan


This plan is to be individually applied to all existing process units within the refinery at Pointe-a-Pierre
including those built or upgraded under the Gasoline Optimization Programme (GOP). This plan does not
include plants which are still under construction and not yet commissioned.

The plan itself makes provision for determining whether the implementation of Safety Instrumented
Functions is required based on the findings of the Process Hazard Analysis (HAZOP) report.

This plan is intended to be a living document that will be customized and updated for each plant or
process unit and will evolve throughout all the safety life cycle’s phases.

2 OVERALL OBJECTIVES

The overall objectives of the activities contained in this Functional Safety Management plan are:

• To identify which plants and process loops require additional risk reduction by way of
implementation of Safety Instrumented Functions (SIFs)

• To design and implement Safety Instrumented Functions and Systems as needed for each
process unit within the refinery that achieve the required risk reduction and integrate
seamlessly with the existing controls on the unit

• To re-design the shut-down instrumentation and systems and upgrade them to SIS so that
adherence to the relevant standards and best practices is attained

• To establish controls that ensure that the risk reduction that is achieved is also maintained
throughout the life of each SIF

3 REFERENCES

In this document the following publications are referenced and/or adhered to:

• IEC 61511 Functional safety - Safety instrumented systems for the process industry sector
• DEP 32.80.10.12 Management of Instrumented Protective Functions – Manual

Company Documents as referenced include:

• GEMS General Equipment and Material Specification


• PIP Process Industry Practices
• GFI General Field Instructions

4 FUNCTIONAL SAFETY MANAGEMENT LIFECYCLE
The Petrotrin Functional Safety Management Plan is modelled after the IEC 61511 Safety Life Cycle and
seeks to structure the approach to Functional Safety Management in Petrotrin. It is, however, a simplified
representation, and the sequence is not strictly prescriptive, since some phases may be revisited
iteratively. Each phase or step is discussed later in this document.

Figure 1 – Petrotrin Functional Safety Management Plan (modelled after the IEC 61511 Safety Life Cycle)

[Figure 1: life-cycle flow diagram. Phases shown, in sequence: 0.0 Functional Safety Management Planning; 1.0 Data Collection; 2.0 Risk Analysis & Protection Layer Design (the diagram notes that the IEC 61511 model starts here); 3.0 Allocation of Safety Functions to Protection Layers; 4.0 Safety Requirements Specification for SIS / Design & Development of Other Means of Risk Reduction; 5.0 SIS Design & Engineering; 6.0 Installation, Commissioning and Validation; 7.0 Operation and Maintenance; 8.0 Modification; 9.0 Decommissioning. 10.0 Functional Safety Assessment and 11.0 Verification run alongside the phases, with their links to individual phases marked either “Required” or “Recommended”.]
5 ROLES AND RESPONSIBILITIES
IEC 61511 makes it clear that the activities of the Functional Safety Management plan must be
performed by trained and competent individuals. Key technical staff, who have ownership of and overall
accountability for SIFs, shall undergo training in all relevant aspects of SIS design and management, as
defined in this document. Training results and training development plans shall be recorded. The
responsibilities by role are described below.

Roles (columns, left to right): Mgr., Mtce Services; VP Refining & Mktg; Mgr., Eng. Services; Mgr., Insp Services; Production Unit Mgr.; Mgr., Technical; Enterprise Risk Management; Senior Mgr. Operations; Mgr., HSE

Lifecycle Step – Planning (responsibility codes listed left to right)
• Develop Functional Safety Management philosophy: S R S A
• Ensure that requirements outlined in Functional Safety Management Plan are followed: R A
• Owner of the Plant SIS: R
• Owner of the Functional Safety Management Plan: S R
• Competency Development of Key Technical Staff: R R R R A
• Corporate Risk Tolerability Criteria: R A
• Maintaining current Process Safety Information (PSI) [e.g. P&IDs, PFDs, Data Sheets]: R A S S S

Roles (columns, left to right): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM

Lifecycle Step – Data Collection (responsibility codes listed left to right)
• Provide Piping and Instrumentation Diagrams (MECH): R A
• Provide Process Flow Diagrams (MECH): R A
• Provide Cause & Effect Diagrams (MECH): R S A
• Provide Equipment Data Sheets (MECH): R A
• Provide Plant Operating Procedures: S R A
• Provide Plant Incident Reports: S R A
• Provide Inspection Reports (INSP): R A
• Provide Relief Valves Data (INSP): R A
• Provide Process Control Narratives & Overview of Process: R A
• Provide Design Parameters: R A
• Provide MSDS for chemicals (including Products): R A
• Provide Instrument Databases with Alarm Configuration (As applicable): R A
• Provide Shutdown System Logic Narratives and descriptions (As applicable): R A
• Provide Instrument Data Sheets (As applicable): R A
• Provide Logic Solver specifications (As applicable): R A

Lifecycle Step - Risk Analysis
• Conduct PHA (HAZOP) and provide a report on SIFs identified: S A S S S R

Lifecycle Step - Allocation of Safety Functions to Protection Layers
• Perform SIL determination via LOPA and provide a report with target RRF for each SIF identified (1): S A S S S I R

(1) This step must be executed by a Certified Functional Safety Expert for the first cycle of all plants in order to
ensure the initial quality of the output of this step.

Lifecycle Step - Safety Requirements Specification for SIS (responsibility codes listed left to right)
• Equipment Selections / Manuals / Certificates: I R A C
• Prepare Safety Requirements Specification (SRS): R S A C

Lifecycle Step - SIS Design and Engineering
• Perform SIS / SIF detailed design: A R
• Perform Verification Report (Calculations): A R
• Prepare Validation Test Procedures: A C R
• Procure Equipment: R C C
• Prepare Proof Test Procedures: S A R
• Prepare Installation Contract Package: R
• Perform Factory Acceptance Testing: S A R

Lifecycle Step - Installation, Commissioning and Validation
• Perform Inspection and Retain Test Records: R S I
• Perform Calibration and Retain Reports: R S I
• Maintain Equipment Manuals: R C
• Perform Validation Testing and Retain Records: S A S R
• Update and Maintain Operating Procedures: S R A

Lifecycle Step - Operation and Maintenance
• Prepare SIF activation investigation reports: S S S R I C
• Managing SIF bypasses per MOC: S S S R
• Maintain Logic Solver and Records of same: I R
• Perform SIF Proof Testing and Retain Records: S S I S S R C
• Perform IPL Alarm Proof Tests and Retain Records: S S I S S R C
• Maintain SIF Field devices and Records of same: S S I S S R C
• Review SIF component performance against SRS: R S C

Lifecycle Step - Modification and Decommissioning (responsibility codes listed left to right)
• Adhere to Management Of Change Process: S S S R A S
• Perform SIF Modifications (As required): I I I S R A I C

Lifecycle Step - Functional Safety Assessment
• Perform Functional Safety Audits at defined stages: S A S R
• Review SIF performance against SRS: S S A S R

Lifecycle Step - Verification
• Review the execution of the entire management plan: S A S
• Conduct audits (2): S A S

Table 1 - Functional Safety Management Plan Roles and Responsibilities

Responsibility Codes:

• R – Responsible: The resource(s) who owns the task and is responsible for leading the activity and
ensuring that it gets completed.
• A – Accountable: The resource ultimately accountable for the completion of the task. This
resource must sign off (approve) the work before it can be implemented.
• S – Support: Plays a role in executing the task or provides resources to execute the task.
• C – Consult: Those whose opinions or guidance are sought. They have information or capability that
is necessary to complete the task. Two-way communication.
• I – Inform: Those that are kept up-to-date on progress and must be notified of results. One-way
communication.

Note: Discipline Engineer refers to the following engineering roles: Mechanical, Inspection, Reliability,
etc.

(2) To be executed by the Internal Audit department, as a minimum level of independence.
6 FUNCTIONAL SAFETY MANAGEMENT PLANNING
The very first step towards functional safety management was the development of this philosophy
document, which sets out the strategy for implementing functional safety within the refinery and,
consequently, for managing that implementation.

This document must now be applied to the various units within the refinery. That is to say, the plan must
be worked for each unit. Each project or unit for which functional safety is to be implemented should
follow this document which is structured around the IEC 61511 Safety Lifecycle and the Shell Design and
Engineering Practice manual for the Management of Instrumented Protective Functions.

The very first deliverable for functional safety planning within a project should be the production of a
project specific management plan which details the following:

• Overall Objectives and Scope for the Project – be it as significant as the automation of a
pneumatic plant and the concurrent implementation of functional safety or the more specific
conversion of one or a few loops to safety instrumented functions
• Roles and Responsibilities – A meeting must be convened with all custodians and contributors
who must understand their roles within the functional safety management planning
• Detailed plans for each phase where the following are further clarified:
o Objectives for the particular phase
o Scope of works to be completed within the phase
o Roles and Responsibilities within this phase
o Required Inputs
o Specific actions which should be clear and measurable and designated to a named
action party with a realistic target completion date
o Procedures and Methods to be used
o Resources required (e.g. personnel, equipment, financial, etc.)
o Expected physical deliverables

The verification phase (Section 16 VERIFICATION) is an overall process which runs in parallel with the
planning process, and as such a chairperson (either the plan’s custodian or someone appointed by
him/her) must be identified so that progress review meetings can be initiated.

The verification process is also the vehicle by which recommendations for changes to this document
may be made.

Guidelines and success factors for each phase which are structured around the life-cycle shall now be
discussed in more detail. It should be noted however that the overall success of the plan is hinged upon
practical actions assigned to persons who have a sense of ownership towards the plan and so hold
themselves accountable.

7 DATA COLLECTION
Objective
To collect all data necessary for the different phases of the Functional Safety Management plan as
identified in Figure 1 – Petrotrin Functional Safety Management Plan (modelled after the IEC 61511
Safety Life Cycle) on page 5.

Scope and Timing


The scope of this data collection covers the data and drawings for the Risk Analysis, Safety Requirements
Specification development and the Design and Engineering phases.

It is highly recommended that all relevant data be collected before entering these phases.

Activities
Collect soft and hard copies of all relevant documents that will feed into the phases as identified in the
scope above.

Roles, Responsibilities & Deliverables

The persons responsible for the phases identified in the scope above shall be responsible for ensuring
that all data is collected and towards this end shall contact the following data custodians in Petrotrin:

• The Manager, Engineering Services who manages all engineering drawings and documents
• The Manager, Inspection Services who is accountable for all inspection records and
• The Manager, Technical Services who is accountable for all process engineering data

The deliverables are the respective documents and drawings as listed below in the subsection of the
RASCI matrix.

Lifecycle Step – Data Collection (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Provide Piping and Instrumentation Diagrams (MECH): R, A
• Provide Process Flow Diagrams (MECH): R, A
• Provide Cause & Effect Diagrams (MECH): R, S, A
• Provide Equipment Data Sheets (MECH): R, A
• Provide Plant Operating Procedures: S, R, A
• Provide Plant Incident Reports: S, R, A
• Provide Inspection Reports (INSP): R, A
• Provide Relief Valves Data (INSP): R, A
• Provide Process Control Narratives & Overview of Process: R, A
• Provide Design Parameters: R, A
• Provide MSDS for chemicals (including Products): R, A
• Provide Instrument Databases with Alarm Configuration (As applicable): R, A
• Provide Shutdown System Logic Narratives and descriptions (As applicable): R, A
• Provide Instrument Data Sheets (As applicable): R, A
• Provide Logic Solver specifications (As applicable): R, A

Success Factors
In a plan such as this where there are many tasks and shared responsibilities, the ability of the
Production Unit Manager to take an over-arching ownership for the collection of all the data for his unit
will not only be an asset to the success of this phase but indeed benefit the overall objective of
functional safety.

8 RISK ANALYSIS & PROTECTION LAYER DESIGN
Objective
The overall objective is to review the process unit’s design for completeness of all risk reduction
measures required to protect against all hazards and hazardous events associated with the operations of
the unit. The hazard and risk assessment or analysis will thus verify that the various layers of protection
are performing suitably to reduce the risk inherent in the process.

Scope and Timing

The scope of this phase is limited to those analyses which determine a need for instrumented risk
reduction and are thus identified as SIFs or potential SIFs. In Petrotrin the Risk or Process Hazard
Analysis (PHA) is usually conducted by the department of Process Safety Management on a unit-based
schedule that is developed and coordinated by this department. From this full unit report, the SIFs and
potential SIFs will need to be extracted.

Petrotrin may choose to contract this scope out to an external consultant bearing in mind that if this is
done, the PHA report shall not be a full PHA of the process unit but rather one with a specific emphasis
on SIF identification.

Activities
Assemble a team to perform a risk analysis or HAZOP study to review the hazards and hazardous events
associated with the process and processing equipment and their associated risks.

According to DEP 32.80.10.12, as a minimum the review shall:

• Identify the hazards and hazardous events of the process and associated equipment
• Determine the sequence of events leading up to the hazardous events
• Identify the causes of each hazardous event (including fault conditions and any foreseeable
misuse)
• Identify the consequences of each hazardous event
• Determine the likelihood and hence risk associated with the hazardous events
• Determine the requirement for additional risk reduction
• Establish what risk reduction measures should be taken
• Record the assumptions used during the analysis, including demand rates, failure rates, human
intervention and operating conditions
• Generate the PHA report in such a way that there is traceability between the hazards identified
and the protections determined in subsequent phases

Roles and Responsibilities
The respective Asset Managers are the custodians for the risk analysis and are ultimately accountable
for the objective of this phase being fully met.

Lifecycle Step - Risk Analysis (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Conduct PHA (HAZOP) and provide a report on SIFs identified: S, A, S, S, S, R

The HAZOP team usually comprises the following persons on a full time basis:

• PSM Coordinator/Facilitator
• Plant Superintendent
• Senior Operations Personnel
• Process Engineer
• Maintenance Personnel

The following persons contribute on a demand or part time basis:

• HSE Personnel
• Inspection Personnel
• Instrument & Controls Engineer
• Electrical Engineer
• Mechanical Engineer

These roles are not all identified in the RASCI matrix but are called upon as required by the PSM
facilitator.

Inputs
The inputs of this phase are the deliverables of the Data Collection phase as identified below:

• Corporate Risk Tolerability Criteria (Petrotrin Risk Assessment Matrix)
• Piping and Instrumentation Diagrams (Updated)
• Process Flow Diagrams
• Operating Procedures
• Incident Reports
• Process Control Narratives & Overview of Process
• Design Parameters
• MSDS for chemicals (including Products)
• Equipment Data Sheets
• Inspection Reports
• Relief Valves Data
• Instrument Databases with Alarm Configuration
• Cause & Effect Diagrams
• Shutdown System Logic Narratives and descriptions

Deliverables
• HAZOP Report with Safeguarding or design recommendations
• Initial identification of SIFs and potential SIFs

Success Factors
The success of this phase is heavily dependent on accurate data and the use of experienced personnel.

9 ALLOCATION OF SAFETY FUNCTIONS TO PROTECTION LAYERS
Objective
To verify that the SIFs identified by the HAZOP team are indeed required by examining the other
protection layers and how much protection they offer. (NOTE: Any changes made or proposed in this
phase must be reviewed by the HAZOP team).

To allocate performance targets for the safety instrumented functions as agreed upon by the HAZOP
team and determine the Safety Integrity Level (SIL) of the SIF.

It should be noted that a SIF is typically never intended to be the only layer of protection and IEC 61511
encourages the use of “multiple safety layers” so as to avoid a harmful consequence due to the failure
of one layer.

Scope and Timing

The scope of this phase is limited to the determination of the required integrity level for each SIF
identified in the preceding risk analysis phase.

The LOPA shall directly follow the completion of the HAZOP exercise or be conducted within the HAZOP.

Activities
Assemble a team (which for consistency may be the same as the HAZOP team), to conduct a study that
shall:

1 Allocate safety functions to the layers of protection determined in the HAZOP, using the LOPA
methodology and the corporate HSE risk tolerability criteria, and taking into account the potential
reduction in effective protection due to common cause failure between the safety layers and the
BPCS.
2 Determine the required safety integrity level (SIL)
3 Determine the probability of failure on demand (PFD) required by the SIL
4 Determine the proof test interval required to meet the PFD target for the SIL
5 Determine the requirement for dangerous failure robustness, taking into account the level of
complexity of the SIF sub-system, the SIL and the safe failure fraction
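As an added example (not a Petrotrin tool or a DEP method), the following Python script walks steps 1 to 4 above for one constructed scenario: it computes the required risk reduction factor with the LOPA layer-credit rule, maps it to a SIL, derives the PFD target and sizes the proof test interval. The IPL names, failure rates, modifiers and tolerable frequency are assumptions; the SIL bands are the IEC 61511 low demand bands, and the proof test relation is the simplified 1oo1 formula, which a full verification calculation must replace.

```python
"""LOPA-style SIL determination for one hazardous scenario (added example).

All scenario figures are constructed; IPL names, failure rates and the
tolerable frequency are assumptions, not values from the plan.
"""
from dataclasses import dataclass, replace
from math import prod

# IEC 61511 low-demand-mode bands: (SIL, RRF lower bound, RRF upper bound),
# where the target PFDavg is 1 / RRF.
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1e3), (3, 1e3, 1e4), (4, 1e4, 1e5))


@dataclass(frozen=True)
class IPL:
    """An independent protection layer credited by the HAZOP team."""
    name: str
    pfd: float                # probability of failure on demand of the layer
    independent: bool = True  # False if it shares sensors/valves with the BPCS or SIF


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_event_freq: float  # demands per year, e.g. a BPCS loop failure
    ipls: tuple                   # non-SIF layers, e.g. relief valve, operator response
    conditional_modifiers: float  # e.g. probability of ignition x occupancy
    tolerable_freq: float         # per year, from the corporate risk matrix


def credited_pfd(ipls):
    """Combined PFD of the layers that can be credited. A layer sharing a
    component with the BPCS or the SIF fails from the same common cause, so it
    gets no credit (PFD treated as 1.0) instead of lowering the SIL."""
    return prod(ipl.pfd if ipl.independent else 1.0 for ipl in ipls)


def required_rrf(sc):
    """Step 1: risk reduction the SIF must supply so that the mitigated event
    frequency meets the tolerable frequency. 1.0 means no SIF is needed."""
    mitigated = sc.initiating_event_freq * credited_pfd(sc.ipls) * sc.conditional_modifiers
    return max(1.0, mitigated / sc.tolerable_freq)


def sil_for_rrf(rrf):
    """Step 2: map the required RRF onto a SIL; 0 means no SIL requirement."""
    if rrf < 10.0:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds SIL 4: remove the hazard by design")


def proof_test_interval_hours(pfd_target, lambda_du):
    """Step 4: longest proof test interval T meeting the PFD target under the
    simplified 1oo1 model PFDavg ~= lambda_DU * T / 2 (no diagnostics, no CCF,
    repair time neglected)."""
    if lambda_du <= 0:
        raise ValueError("lambda_DU must be positive")
    return 2.0 * pfd_target / lambda_du


def allocate(sc, lambda_du_per_hour):
    """Steps 1-4 for one scenario: RRF, SIL, PFD target and proof test interval."""
    rrf = required_rrf(sc)
    sil = sil_for_rrf(rrf)
    pfd_target = 1.0 / rrf  # step 3
    t_hours = proof_test_interval_hours(pfd_target, lambda_du_per_hour)
    return {"required_rrf": rrf, "sil": sil, "pfd_target": pfd_target,
            "proof_test_interval_hours": t_hours}


# Constructed scenario: high pressure in a vessel after a BPCS control loop failure.
# The operator alarm uses the same transmitter as the failed BPCS loop, so it is
# not independent of the initiating event.
RELIEF_VALVE = IPL("PSV-101 relief valve", pfd=0.01)
OPERATOR_ALARM = IPL("Operator response to PAH-101", pfd=0.1, independent=False)
VESSEL_OVERPRESSURE = Scenario(
    name="V-101 overpressure",
    initiating_event_freq=0.1,   # one BPCS loop failure per ten years (assumed)
    ipls=(RELIEF_VALVE, OPERATOR_ALARM),
    conditional_modifiers=0.5,   # probability the release is ignited (assumed)
    tolerable_freq=1e-6,         # assumed corporate target for this consequence
)
LAMBDA_DU = 2e-6  # assumed dangerous undetected failure rate of the SIF loop, per hour

if __name__ == "__main__":
    for key, value in allocate(VESSEL_OVERPRESSURE, LAMBDA_DU).items():
        print(f"{key:>26}: {value:g}")
    # Crediting the shared alarm anyway would wrongly lower the target by 10x.
    wrong = replace(VESSEL_OVERPRESSURE,
                    ipls=(RELIEF_VALVE, IPL(OPERATOR_ALARM.name, OPERATOR_ALARM.pfd)))
    print("SIL if the shared alarm were credited:", sil_for_rrf(required_rrf(wrong)))
```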

Roles and Responsibilities

The Production Unit Manager is ultimately accountable for this phase; however, its execution is managed
by the department of Process Safety Management. The initial execution of this task for each process
unit shall be supported by a Certified Functional Safety Expert to ensure the initial quality of the
exercise.

Lifecycle Step - Allocation of Safety Functions to Protection Layers (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Perform SIL determination via LOPA and provide a report with target RRF for each SIF identified: S, A, S, S, S, I, R

Inputs
• HAZOP study
• Updated P&IDs
• Corporate Risk Tolerability Criteria (e.g. Petrotrin Risk Assessment Matrix and HSE assumptions)
• Instrument Data Sheets
• Safe and Dangerous failure rates for initiators and final elements
• Logic Solver Specifications

Deliverables
• LOPA report with SIF Classification Study including risk reduction factors, PFD Targets, Proof
Test Intervals and recommendations
• SIF Narratives
• Marked-up Cause & Effect Diagram

Success Factors
The success of this phase is heavily dependent on the robustness of the PHA report generated in the
previous phase, the use of experienced personnel and a competent facilitator.

It is important that a consistent interpretation of the risks and responses is maintained between this
phase and the prior one.

The practice of indexing and cross referencing the hazards to the identified SIFs which allows for
traceability will assist this consistency.

The deliverables of this phase are to be handed over to the Engineering Services department from the
department of Process Safety Management. Overall success for the entire plan can be guaranteed if a
verification check is performed at this interface.

10 SAFETY REQUIREMENTS SPECIFICATION
Objective
To define how the Safety Instrumented Functions are to be designed and integrated into a Safety
Instrumented System. The SRS provides the requirements of the safety instrumented functions. This
phase is critical for satisfying a documentation requirement of IEC 61511 and ANSI/ISA S84.01.2004.

Scope and Timing

The scope of this phase is limited to the hardware and software elements of the SIS. Work within this
phase should commence as soon as the SIF Classification Report is produced.

Activities
Prepare the Safety Requirements Specification which shall include the following according to the IEC
61511 standard:

• A description of all the safety instrumented functions necessary to achieve the required
functional safety
• Requirements to identify and take account of common cause failures
• A definition of the safe state of the process for each identified safety instrumented function
• A definition of any individually safe process states which, when occurring concurrently, create a
separate hazard (for example, overload of emergency storage, multiple relief to flare system)
• The assumed sources of demand and demand rate on the safety instrumented function
• Requirement for proof-test intervals
• Response time requirements for the SIS to bring the process to a safe state
• The safety integrity level and mode of operation (demand/continuous) for each safety
instrumented function
• A description of SIS process measurements and their trip points
• A description of SIS process output actions and the criteria for successful operation, for
example, requirements for tight shut-off valves
• The functional relationship between process inputs and outputs, including logic, mathematical
functions and any required permissives
• Requirements for manual shutdown
• Requirements relating to energize or de-energize to trip
• Requirements for resetting the SIS after a shutdown
• Maximum allowable spurious trip rate
• Failure modes and desired response of the SIS (for example, alarms, automatic shut-down)
• Any specific requirements related to the procedures for starting up and restarting the SIS
• All interfaces between the SIS and any other system (including the BPCS and operators) paying
attention to BPCS-SIS independence
• A description of the modes of operation of the plant and identification of the safety
instrumented functions required to operate within each mode
• The application software safety requirements
• Requirements for overrides/inhibits/bypasses including how they will be cleared
• The specification of any action necessary to achieve or maintain a safe state in the event of
fault(s) being detected in the SIS. Any such action shall be determined taking account of all
relevant human factors

• The mean time to repair which is feasible for the SIS, taking into account the travel time,
location, spares holding, service contracts, environmental constraints
• Identification of the dangerous combinations of output states of the SIS that need to be avoided
• The extremes of all environmental conditions that are likely to be encountered by the SIS shall
be identified. This may require consideration of the following: temperature, humidity,
contaminants, grounding, electromagnetic interference/radiofrequency interference (EMI/RFI),
shock/vibration, electrostatic discharge, electrical area classification, flooding, lightning, and
other related factors
• Identification of normal and abnormal modes for both the plant as a whole (for example, plant
start-up) and individual plant operational procedures (for example, equipment maintenance,
sensor calibration and/or repair). Additional safety instrumented functions may be required to
support these modes of operation
• Definition of the requirements for any safety instrumented function necessary to survive a major
accident event, for example, time required for a valve to remain operational in the event of a
fire

Roles and Responsibilities


Lifecycle Step - Safety Requirements Specification for SIS (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Equipment Selections / Manuals / Certificates: R, A, C, I
• Prepare Safety Requirements Specification (SRS): S, A, C, R

The Manager Engineering Services (MES) is ultimately accountable for this phase. The responsibilities of
some key contributors are as follows:

Controls Engineer

• Shall source and provide the necessary data for the development of the SRS for submission to
the SIL expert

Functional Safety Expert/Specialist:

• Produce the SRS document using data provided from the I&C Engineer, the SIL Classification
Report and the HAZOP exercise

Inputs
• SIL Classification Report
• Final Cause and Effect Diagrams
• SIF Narratives
• Updated P&IDs
• HAZOP Report
• Decision on SIS technology

Deliverables
• Comprehensive SIS Safety Requirements Specification Report

Success Factors
The SRS is the key design document for the Safety Instrumented System. It also represents
information as supplied from different departments and resource personnel. The most important
success factor for this phase is effective communication between disciplines and roles to manage issues
related to interpretation of the information or any changes that must be fed back to the teams and
responsible parties of previous phases.

11 SIS DESIGN AND ENGINEERING
Objective
To design the hardware and software of the Safety Instrumented System in accordance with the Safety
Requirements Specification from the preceding phase and in accordance with the company’s accepted
policies and guidelines (e.g. GEMS, PIPs and GFIs).

Scope and Timing

The scope of this phase covers the complete detailed design, verification and validation of the Safety
Instrumented System from field device to logic solver and operator interface.

This phase closely follows the development of the SRS document.

Activities
Prepare the complete SIS Design and Engineering package which shall include:

• the design of all the SIF sub-systems hardware including transmitters, I.S. barriers, solenoid
tubing / voting configurations, field junction boxes, process connections, logic solver, valves,
interposing systems and associated HMI(s)
• the design, coding, validation and testing of the SIS application software
• overall testing of the SIS from the field to the operator display
• the development of the proof test procedures
• the verification and validation of the SIFs
• installation construction engineering
• Equipment procurement specifications

Roles and Responsibilities


Lifecycle Step - SIS Design and Engineering (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Perform SIS / SIF detailed design: A, R
• Perform Verification Report (Calculations): A, R
• Prepare Validation Test Procedures: A, C, R
• Procure Equipment: R, C, C
• Prepare Proof Test Procedures: S, A, R
• Prepare Installation Contract Package: R
• Perform Factory Acceptance Testing: S, A, R

The responsibilities of identified contributors are as follows:

Controls Engineer

• Shall provide support to the Functional Safety Expert for the development of the SIS Design and
Engineering package which will guide the Automation contractor(s)
• Collect / Provide information on Company instrument and control philosophies, preferred
manufacturers and technologies
• Shall develop a scope of works which would include the functional safety design and engineering
developed out of the SRS and shall also consider the wiring requirements inclusive of I.S. barriers
and solenoid tubing / voting configurations and field junction boxes
• Shall engage the services of an automation contractor who will provide the hardware and
software consistent with the design as offered in the SRS document
• Shall develop a scope of works and engage the services of an Instrument Contractor to handle
field related instrumentation works
• Provide coordination between the Automation and Instrument contractors (if no EPC is
involved)
• Attend Factory Acceptance Testing for SIS

Functional Safety Expert

• Develops a full design for the Safety Instrumented System from sensor to logic solver
• Provides support for installation of SIS
• Develop proof test procedures
• Perform verification calculations to ensure that the integrity as outlined by the SRS is being
maintained by the installation

Automation Contractor

• Shall design, code, validate and test the SIS application software
• Provide power and grounding drawings
• Provide equipment layout and installation drawings
• Provide cabinet integration drawings
• Provide communications wiring drawings
• Conduct Factory Acceptance Testing for SIS, covering all hardware and software validation tests

Instrument Contractor

• Shall design and/or provide instrumentation to satisfy requirements of the SIS Design and
Engineering Package in the scope of works document
• Provide wiring layouts / junction boxes, etc.
• Provide loop drawings and any information that may be needed by the Automation Contractor
• Develop maintenance procedures

Senior Operator or Operations Representative

• Shall witness Factory Acceptance Test
• Shall review graphics related to SIS design

EPC Contractor

An EPC Contractor may be engaged as is necessary to coordinate the efforts of the various different
vendors and contractors and to streamline the contributions of the different parties. Some of the
contributions attributed to the contractors above may be moved around or handled directly by the EPC.
Once an EPC is engaged, Petrotrin will not be dealing directly with the sub-contractors.

The decision to engage the services of an EPC is dependent on the quantity and complexity of the scope
of works and can be made after discussions between the Electrical, Instrument & Control Systems
Engineering department and the MES.

Inputs
• SIS Safety Requirements Specification
• Field device technology / voting
• Preferred manufacturer listing
• Additional requirements e.g. Sequence of Events Recording and HART connectivity to AMS

Deliverables
• SIS Hardware design complete with equipment layout and installation drawings
• SIF / SIL Verification Calculations
• A hard copy of the SIS logic
• Power and grounding drawings
• Cabinet integration drawings
• Communications wiring drawings
• Factory Acceptance Test signed off document
• Wiring layouts /junction boxes, etc.
• Loop drawings
• Maintenance procedures
• Proof test procedures

Success Factors
Good project management is critical to the Controls Engineer who would be the person ultimately
responsible for this phase and for coordinating the various vendors and consultants. A well-developed
SRS document is also an important success factor.

12 INSTALLATION, COMMISSIONING AND VALIDATION
Objectives
To install the safety instrumented system according to the specifications and drawings.
To commission the safety instrumented system so that it is ready for final system validation.

Scope and Timing

The scope of this phase is limited to the installation, commissioning and validation of the SIS on the
individual plants and includes works related to the initiating devices, the logic solver, final elements,
interconnections and tie-ins or modifications to existing installations.

The time of execution is to be determined by the Operations department and is dependent on plant
availability. If the works are major or significant, plant shut down may be required and in some cases the
timing may be dependent on the turn-around schedule.

Activities
Prepare and execute a plan for installing, commissioning and validating the safety instrumented system
design. This shall include but not be limited to the following activities, towards the achievement of this
phase’s objectives:
• Development of a project plan and work flow chart
• Installation
• Inspection
• Functional testing
• Commissioning
• Change control procedures

Roles and Responsibilities


Lifecycle Step - Installation, Commissioning and Validation (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Perform Inspection and Retain Test Records: R, S, I
• Perform Calibration and Retain Reports: R, S, I
• Maintain Equipment Manuals: R, C
• Perform Validation Testing and Retain Records: S, A, S, R
• Update and Maintain Operating Procedures: S, R, A

Key contributors include:

• I & C Engineer
• Automation Contractor
• Instrument Contractor
• EPC (if engaged)
• Operations department – to witness and sign-off on acceptance and validation tests

Inputs
• SIS Safety Requirements Specification
• SIS Detailed Design Documentation
• Signed off Factory Acceptance Test

Deliverables
• Installation and Commissioning plan and report
• Completed field instrumentation calibration forms
• Completed loop check test forms
• As built safety loop drawings
• As built Instrument database
• Signed and approved inspection and test records for all SIFs
• SIS Vendor Equipment Manuals handed over to I&C Engineering department from Automation
contractor
• Signed off Site Acceptance Test
• SIS application software handed over to I&C Engineering department from Automation
contractor
• Approved and validated proof test and maintenance procedures for hand over to Maintenance
department
• Approved operating procedures (falling under the responsibility of Operations Support)
• Complete hand over packages for Maintenance and Operations department

Success Factors
According to DEP 32.80.10.12, “Function testing during pre-commissioning and later commissioning
activities provides a good training ground for operational, maintenance and engineering personnel and
helps to build a sense of ownership at an early stage.”

Additionally, good communication and close adherence to the change control procedures will allow for
effective feedback of information to the earlier phases of the management plan, should they need to be
revisited.

13 OPERATION AND MAINTENANCE
Objectives
To ensure that the safety instrumented functions meet the required SIL throughout their operational
life. IEC 61511 requires that the SIS be operated and maintained in such a way that the designed safety
function is preserved.

Scope and Timing

The scope of this phase is limited to the operation and maintenance of the related SIF components
including initiating devices, logic solver and final elements and all interconnections.

The scope of the overall functional safety management planning is particularly relevant here, as the
management of the human resources who must maintain the system is a critical component of this
phase.

This phase begins upon commissioning and the official hand over of the system to the Operations
department.

Activities
The activities which will promote the effective operation and maintenance of the installed safety
instrumented system include:

• Competence Management – personnel who are formally trained or sufficiently experienced form
a key component for this phase
• Proof testing – the integrity of the various SIFs is maintained via correctly executed and
timed proof testing
• Preventative and predictive maintenance – where available, diagnostic features shall
greatly enhance the reliability of the system components to ensure that the integrity is
maintained
• Corrective maintenance – the SRS document shall guide the procedures for the repair of
faulty or defective equipment
• Trip reporting – a procedure shall be in place to report trips following safe failure of SIS
components and the data collected shall be used to review the ongoing validity of the
assumed demand rate and safe failure rate data
• Incident investigation – a procedure shall be in place to investigate reported trips to
determine immediate causes and system deficiencies and to make recommendations
for improvement
• Failure rate data collection – Safe and dangerous failure rates of components must be
collected for input into the SRS review
• Safety Requirements Specification (SRS) Review – The ongoing validity of the SRS
document is to be reviewed regularly

• Auditing – This is an essential component of the plan’s verification process that
determines how effectively the SIF management activities are conducted to support the
operation and maintenance of the SIF
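As an added example (not a Petrotrin procedure), the following Python script shows how the trip reporting, failure rate data collection and SRS review activities above can be tied together: it derives the observed demand rate and dangerous undetected failure rate from constructed trip-log and proof-test records for a hypothetical SIF-101, and flags where the LOPA assumptions or the proof test interval no longer hold. The record layout, the SRS figures and the review thresholds are assumptions.

```python
"""Operating-data review of one SIF against its SRS assumptions (added example).

Records, SRS figures and thresholds below are constructed for a hypothetical
SIF-101; nothing here comes from an actual Petrotrin SIS.
"""
import csv
import io
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Constructed trip log: every SIF activation, classed as a genuine demand or a
# spurious trip caused by a safe failure of an SIS component.
TRIP_LOG = """\
date,sif,kind,note
2016-03-04,SIF-101,demand,PT-101A reached high-high trip point
2016-07-19,SIF-101,spurious,PT-101A failed low (safe failure)
2017-01-22,SIF-101,demand,Loss of cooling water to E-101
2017-09-30,SIF-101,demand,Operator error during start-up
"""

# Constructed proof-test records; fail_dangerous means the device would not
# have performed its safety action when tested.
PROOF_TESTS = """\
date,sif,device,result
2016-01-10,SIF-101,PT-101A,pass
2016-01-10,SIF-101,XV-101,fail_dangerous
2017-01-15,SIF-101,PT-101A,pass
2017-01-15,SIF-101,XV-101,pass
"""


@dataclass(frozen=True)
class SrsAssumptions:
    sif: str
    demand_rate: float            # demands per year assumed in the LOPA
    pfd_target: float             # PFDavg target from the SIL classification report
    proof_test_interval_h: float  # interval currently stated in the SRS
    service_years: float          # period the records cover


def parse_records(text):
    return list(csv.DictReader(io.StringIO(text)))


def demand_rates(trips, srs):
    """Observed genuine-demand and spurious-trip rates, per year."""
    rows = [r for r in trips if r["sif"] == srs.sif]
    demands = sum(r["kind"] == "demand" for r in rows)
    spurious = sum(r["kind"] == "spurious" for r in rows)
    return demands / srs.service_years, spurious / srs.service_years


def observed_lambda_du(tests, srs):
    """Dangerous undetected failure rate per hour from proof-test findings:
    failures found divided by accumulated device-hours in service."""
    rows = [r for r in tests if r["sif"] == srs.sif]
    devices = {r["device"] for r in rows}
    failures = sum(r["result"] == "fail_dangerous" for r in rows)
    device_hours = len(devices) * srs.service_years * HOURS_PER_YEAR
    return (failures / device_hours if device_hours else 0.0), failures


def review(srs, trips, tests):
    """Compare observed data with the SRS and return the review findings."""
    findings = []
    demand_rate, spurious_rate = demand_rates(trips, srs)
    if demand_rate > 2 * srs.demand_rate:
        findings.append(f"demand rate {demand_rate:.2f}/yr exceeds twice the LOPA "
                        f"assumption of {srs.demand_rate:.2f}/yr: revisit the LOPA")
    if demand_rate > 1.0:
        findings.append("more than one demand per year: the SIF is no longer in low "
                        "demand mode as assumed by the SIL classification")
    lam, failures = observed_lambda_du(tests, srs)
    # Same simplified 1oo1 relation (PFDavg ~= lambda_DU * T / 2) that sized the
    # original proof test interval; a verification calculation must confirm it.
    pfd_avg = lam * srs.proof_test_interval_h / 2.0
    if pfd_avg > srs.pfd_target:
        max_interval = 2.0 * srs.pfd_target / lam
        findings.append(f"achieved PFDavg {pfd_avg:.3f} exceeds target {srs.pfd_target}: "
                        f"shorten the proof test interval to at most {max_interval:.0f} h "
                        f"(estimate rests on {failures} failure(s); confirm before "
                        f"updating the SRS)")
    return {"demand_rate": demand_rate, "spurious_rate": spurious_rate,
            "lambda_du": lam, "pfd_avg": pfd_avg, "findings": findings}


# Assumed SRS figures for the hypothetical SIF-101.
SRS_SIF_101 = SrsAssumptions("SIF-101", demand_rate=0.1, pfd_target=0.01,
                             proof_test_interval_h=8760.0, service_years=2.0)

if __name__ == "__main__":
    report = review(SRS_SIF_101, parse_records(TRIP_LOG), parse_records(PROOF_TESTS))
    for item in report["findings"]:
        print("-", item)
```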

Typical targets for certain key activities are as follows:

• Trip Investigations – within 24 hours of trips
• Accident Investigations – within 72 hours of incident
• Review of SIS Safety Requirements Specification – annually
• Performance and Development Review of SIF – annually

These typical targets may be used to inform the various procedures identified and required above.

Roles and Responsibilities

Lifecycle Step - Operation and Maintenance (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Prepare SIF activation investigation reports: S, S, S, R, I, C
• Managing SIF bypasses per MOC: S, S, S, R
• Maintain Logic Solver and Records of same: I, R
• Perform SIF Proof Testing and Retain Records: S, S, I, S, S, R, C
• Perform IPL Alarm Proof Tests and Retain Records: S, S, I, S, S, R, C
• Maintain SIF Field devices and Records of same: S, S, I, S, S, R, C
• Review SIF component performance against SRS: R, S, C

Key contributors include:

Controls Engineering department personnel – shall be responsible for:

• maintenance of SIS logic solver
• investigating plant trips to uncover root causes and make recommendations to improve
• performing logic bypasses per the Management of Change process
• working with the Maintenance department to perform proof tests when necessary
• reviewing SIS Safety Requirements Specification paying particular attention to updating failure
and demand rate data and proof test intervals
• keeping a log of SIS initiated trips

Maintenance Department personnel – shall be responsible for:

• keeping a log of the SIF Proof Testing
• preventative and corrective maintenance of field related components of the SIF
• working with the I & C Engineering department to perform proof tests when necessary
• performing bypasses in the field per the Management of Change process
• updating the Maintenance system on SAP
• reviewing SIS Safety Requirements Specification paying particular attention to updating failure
and demand rate data and proof test intervals for field instrumentation

Operations department personnel – shall be responsible for:

• the safe and proper operation of the SIFs
• reviewing SIS Safety Requirements Specification giving information on the performance of the
SIFs
• witnessing the SIF Proof Testing
• assisting the Trip Investigation team with information on operations prior to and during the trip
• generating reports to Maintenance or I&C Engineering for any malfunctioning SIF component

Inputs
• SIS Safety Requirements Specification
• Management of Change forms
• Hand Over Package complete with as-built drawings
• Approved and validated proof test procedures
• Approved and validated maintenance procedures

Deliverables
• Training program
• Maintenance records for SIF components
• Up to date Log Books for SIS to capture trips and bypasses etc.
• SIS Safety Requirements Specification: reviewed and updated on a frequency to be determined
• Proof Test reports
• Investigation reports for SIS related incidents
• Proposed audit schedule

Success Factors
Genuine commitment on the part of all the contributors is essential to the success of this phase which
for all intents and purposes represents the rest of the lifetime for the various SIFs.

Education, whether it be via awareness building on-site programs or class room type training sessions is
also another important success factor.

14 MODIFICATION AND DECOMMISSIONING
Objective
To ensure that any modification (including partial decommissioning) is properly planned, reviewed and
authorized while maintaining the required safety integrity level of the SIS.

Scope and Timing

The scope of this phase is limited to any change to the hardware or software of the SIF and its sub-
components, whether the change is temporary or permanent or considered to be an upgrade. In this
context, software shall mean either application software written by the user, or operating system
software supplied by the manufacturer in any sub-component of the SIF.

This phase is executed and completed during the operating life of the SIFs.

Activities
The approval to enter this phase must first come from a detailed risk analysis to substantiate either the
modification or the decommissioning of a SIF. If the change to be made does not include
decommissioning (i.e. a modification only with retention of the SIF) then the activities of the entire life
cycle must be revisited and all relevant documents updated.

Roles and Responsibilities

The Production Unit Manager is the custodian of the Functional Safety Management Plan subsequent to
installation and commissioning; however, once a work request is generated to Engineering Services, the
MES becomes responsible for the execution of the modification and is accountable for the objective of
the phase being fully met.

Lifecycle Step - Modification and Decommissioning (RASCI matrix)
Roles (matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Head, PSM
Activities (matrix rows) and their RASCI codes (column alignment lost in extraction):
• Adhere to Management Of Change Process: S, R, A, S, S, S
• Perform SIF Modifications (As required): I, I, I, S, R, A, I, C

Other key contributors are as follows:

The Plant Production Superintendent – shall be responsible for:

• Generating the plant change request\work order and getting it approved
• Coordinating with PSM to have the relevant risk analyses or HAZOP studies conducted for the
modification
• Requesting participants for the multi-disciplinary HAZOP exercise
• Assigning senior Operations personnel with relevant and recent experience on the plant to the
HAZOP exercise
• Ensuring that the assessment of hazards considers functional safety during the execution of the
modification and the impact on adjacent operating units and facilities

The Process Engineer – shall be responsible for:

• Developing the Process Engineering Report (PER), if the change is process driven. The PER shall
detail the required change, instrument requirements, economic ramifications, and mark-ups to
DCS\BPCS graphics and P&IDs
• Providing updated process narratives for the affected process
• Participating in the HAZOP exercise

The Controls Engineer – shall be responsible for:

• Participating in the HAZOP exercise
• Identifying which phases of the SIF safety life cycle would need to be revisited and the extent to
which they may need to be revisited
• Defining the work required to modify the SIF and any SIF sub-component
• Modifying the logic in the SIS if necessary
• Implementing changes to the DCS\BPCS graphics or control strategy as necessary
• Requesting independent re-verification if so identified in the risk analysis

Inputs
• Approved plant change request with work order
• Existing SIS Requirements Specification
• Petrotrin Functional Safety Management Plan
• Existing design drawings and documents
• Existing risk analysis & HAZOP studies

Deliverables
• Complete MOC documentation inclusive of HAZOP reports
• Updated SRS documentation
• Revised Functional Safety Management Plan (if revisions were necessary)
• Validation test reports to show modification was properly implemented and SIS performs as
expected (IEC 61511 requirement)
• Tests or reports to show change has not adversely affected parts of SIS that were not modified
(IEC 61511 requirement)
• Updated design drawings and documents
• Updated risk analysis studies

15 FUNCTIONAL SAFETY ASSESSMENT
Objective
To ensure that the level of integrity achieved by the SIS is known and maintained throughout its life
cycle.

Scope and Timing

The Functional Safety Assessment scope covers all the SIF components, including initiators, logic solver,
final elements and all associated interfaces.

It is recommended that functional safety assessments be conducted within the SIS Design and
Engineering phase and the Operation and Maintenance phase. It is also recommended that an
assessment be conducted after any modification to the SIF.

It is required that a functional safety assessment be performed on the SIF after installation and prior to
handover of the SIF, with sufficient time in the project schedule for the rectification of any deficiencies.

Activities
The activities of this phase cover:

• The development of a plan for the formal assessment of a SIF which would detail who
will be involved, the competence of the assessors and the degree of independence
required of the assessors.

The degree of independence of the assessors will depend on the highest SIL of the system under
assessment and shall be guided by the governing standards and best practices.

Roles and Responsibilities

Roles (responsibility matrix columns): Senior Mgr. Operations; Production Unit Mgr.; Training
Coordinator; Functional Safety Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services;
Mgr., Insp Services; Controls Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr.,
Technical; Inst Technician; Head, PSM

Lifecycle Step - Functional Safety Assessment (Audits)
Perform Functional Safety Audits at defined stages: S A S R
Review SIF performance against SRS: S S A S R

The Manager, Engineering Services is the custodian for the Functional Assessment phase and, as such, is
accountable for the objective of the phase being fully met.

These assessments or audits must be independent and objective and are to be carried out by corporate
personnel external to the executing or maintenance departments. A specialized consulting company
may be used.

Inputs
• SRS – Safety Requirements Specification
• Previous assessment or audit reports
• Maintenance and test records
• Management of Change records
• SIS Bypass logs
• Logs showing bypassed systems, records of the number and cause of process demands on the
SIS, nuisance trips if any, actual failure rates of SIS devices and their comparison to design
assumptions

Deliverables
• Independently prepared SIF Functional Assessment/Audit Report indicating the suitability of the SIF
or whether it has had to be rejected. This report will also detail whether corrective action is required to
bring the SIF up to the level of acceptance.

Success Factors
Proper records and documentation that are accessible to the assessors will greatly enhance the success
of this phase.

The competency and independence of the assessors are also important success factors.

16 VERIFICATION
This process is applied to determine the extent to which the Functional Safety Management plan has
been executed and how well it has been executed.

Objectives
Verification aims to:

1. Track the overall progress of the functional safety management plan as applied to a specific
project
2. Ensure the accuracy and completeness of the deliverables from one phase to another and
particularly when this interface occurs across different departments
3. Audit the life-cycle to determine how effectively the Functional Safety Management plan’s
activities are being conducted
4. Update the functional safety management plan based on recommendations and findings from
the auditing process

Scope and Timing


This verification activity is limited to a regular review of the progress against targets and deliverables as
outlined within this plan. The assessment of whether the level of integrity for a SIF has been achieved is
not a part of this scope as that is to be provided by the functional assessments.

Progress review meetings will typically be executed in all the phases leading up to Operation and
Maintenance.

A verification check is required between the phases for the Allocation of Safety Functions to Protection
Layers and the Safety Requirement Specification, which represents a handover from the Process Safety
Management department to the Engineering Services department.

Audits are conducted over the life cycle of a SIF, that is, after it has been commissioned and handed over
to the Operations department. The very first audit should occur within the first year of operation and
should be followed by biennial audits (i.e. every two years).

Activities
The activities of this step are limited to the objectives of this process:

Progress review meetings shall be conducted in the phases leading up to the commissioning of the SIF

Auditing – is to be conducted over the life-cycle of the SIF to determine:

• The level of compliance with the management plan and its various procedures (e.g.
checking that the proof testing is done according to the stipulated procedure and
schedule)
• The degree of competence of the various key contributors
• The degree of adherence to proper change control procedures (i.e. the Management
of Change process)
• The quality of documentation and reporting
• That SIF operation and maintenance support the maintenance of the SIF’s integrity level
throughout its lifecycle
• That SIFs are not operated with permanently forced inputs or outputs
• That the Safety Requirements Specification is sufficiently reviewed during the operation
phase
• General areas for improvement
• That the Functional Safety Management plan is appropriate and relevant

Functional Safety Management Plan review – depending on the findings of the audit program,
recommendations for the update of the document may be made. These recommendations must be
reviewed by a team that shall as a minimum contain the identified custodian and contributors for this
phase.

Roles and Responsibilities

Roles (responsibility matrix columns): Production Unit Mgr.; Training Coordinator; Functional Safety
Expert; VP Refining & Mktg; Discipline Engineer; Mgr., Eng. Services; Mgr., Insp Services; Controls
Engineer; Process Engineer; Senior Operator; Inst Mtce Super; Mgr., Technical; Inst Technician; Senior
Mgr. Operations; Head, PSM

Lifecycle Step - Verification
Review the execution of the entire management plan: S A S
Conduct audits: S A S

The Manager, Engineering Services is the custodian of this activity and is responsible for engaging the
Audit department at the appropriate intervals.

Inputs
• The Petrotrin Refinery Functional Safety Management Plan
• Human Resource department competency development program
• Previous assessment or audit reports
• Maintenance and test records
• Management of Change records
• SIS Bypass logs

• Logs showing bypassed systems, records of the number and cause of process demands on the
SIS, nuisance trips if any, actual failure rates of SIS devices and their comparison to design
assumptions
• SIF Audit Reports
• Safety Requirements Specification Review report
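As an added example that is not part of the Petrotrin plan, the Python check below runs two of the audit items listed in this section over constructed records: whether any SIF has a forced input or output held beyond a site limit (the "permanently forced" item), and whether the observed dangerous failure rate of each device type exceeds the design assumption recorded in the SRS (the failure-rate comparison input). The log format, tag names, the 24-hour force limit and the lambda_DU values are all assumptions.

```python
from datetime import datetime

# Constructed SIS bypass log entries: (tag, state, timestamp). The format is an assumption.
BYPASS_LOG = [
    ("SIF-101/PT-01", "FORCED", "2016-01-10 08:00"),
    ("SIF-101/PT-01", "RESTORED", "2016-01-10 16:00"),
    ("SIF-102/XV-03", "FORCED", "2016-02-01 09:00"),   # never restored: a permanent force
    ("SIF-103/TT-02", "FORCED", "2016-03-05 07:30"),
    ("SIF-103/TT-02", "RESTORED", "2016-03-05 09:00"),
]
AUDIT_DATE = datetime(2016, 4, 15)
MAX_FORCE_HOURS = 24.0  # assumed site limit; a force held longer is treated as permanent


def permanently_forced(log, audit_date, limit_hours=MAX_FORCE_HOURS):
    """Return [(tag, hours)] for forces held longer than the limit or still active at audit."""
    open_since, findings = {}, []
    for tag, state, ts in sorted(log, key=lambda r: r[2]):  # timestamps sort as strings
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if state == "FORCED":
            open_since[tag] = t
        elif state == "RESTORED" and tag in open_since:
            hours = (t - open_since.pop(tag)).total_seconds() / 3600
            if hours > limit_hours:
                findings.append((tag, hours))
    for tag, t in open_since.items():  # still forced on the audit date
        findings.append((tag, (audit_date - t).total_seconds() / 3600))
    return findings


# Constructed proof-test history per device type: (dangerous failures found, device-hours).
PROOF_TEST_HISTORY = {"PT": (0, 40 * 4 * 8760), "XV": (3, 30 * 4 * 8760)}
# Assumed design lambda_DU (per hour) as recorded in the SRS for each device type.
DESIGN_LAMBDA_DU = {"PT": 2.0e-7, "XV": 5.0e-7}


def failure_rate_check(history, design):
    """Observed lambda_DU = failures / device-hours; flag types exceeding the SRS value."""
    report = {}
    for dev, (failures, device_hours) in history.items():
        observed = failures / device_hours
        report[dev] = {"observed": observed, "design": design[dev],
                       "exceeds_design": observed > design[dev]}
    return report


if __name__ == "__main__":
    for tag, hours in permanently_forced(BYPASS_LOG, AUDIT_DATE):
        print(f"finding: {tag} forced for {hours:.0f} h")
    for dev, r in failure_rate_check(PROOF_TEST_HISTORY, DESIGN_LAMBDA_DU).items():
        print(f"{dev}: observed {r['observed']:.2e}/h vs design {r['design']:.1e}/h")
```

A device type with zero recorded failures reports an observed rate of zero, so the audit should also confirm that the proof-test coverage behind that figure is adequate.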

Deliverables
• The Petrotrin Process Unit Functional Safety Management Plan Status report - this report
reviews the status of functional safety management within a process unit
• The Petrotrin Refinery Functional Safety Management Plan Status report - this report gives an
overall review of the status of functional safety management within the refinery
• Updated or re-approved Functional Safety Management plan
• Progress Review meeting minutes

Success Factors
According to DEP 32.80.10.12, there are two main factors which will contribute towards the
successful achievement of this phase’s objectives. These are:

“Accountability – All action parties shall be responsible for the implementation of their actions and
accountable for the effectiveness of their actions”

“Follow-up – A single point coordinator for follow-up should be appointed [to] ensure that progress is
checked at the required intervals, that action parties are aware of their obligations and that progress
reports/charts are prepared and distributed.”
