Beruflich Dokumente
Kultur Dokumente
November 2006
Guidance Note
NI 524 DT R00 E
) # )! % "# ! " ! '' " ! " ' .3 " ' '3 ' "# ! " ! ' "" " '
! " "# $ $ %&# ' ( ) ' *"# + ! " ,- "# & '" % $ $ $ " '2 ' ' $ '" " ' " % "# ' "# . 2 % ' ' "2 4 $ 0 '"
!. % ! " ' *+/ . % ! " ',- % ' # $ ) . " !" % ' " $ $ " % " " 0 0 !# ' 2 ! 0$ " %"& % ' " "# ! 0$ . ! '! $ " "# " # ' !" " '
"# ' ! .. !" ) . # ' %" % " + ' ", & # "# . '1 " # 2 ) ) "# ! "
' "2 & # "# $ " . ! " " ' '. ' & "
0 ' 2 $ ". ' . ' 2 '!. '3 3
# ) ! %" 2 .. '3 3 2 %% # ' " .. " . " ' % ' " $
' ' % ' $ $ 2 "#
3 # ! " !! $ " ' $ ' . " % "# % '% 0 " ' . " " " )! & # !# &
'! .. 4 $ 0 '"2 ' "2 !# & .. #
'3 $ '" ' $ $ .' 2 0 '3 . 3 ' 0
' "$ ) % "# $ $ "# ! " & "# " " '!
"# & ! "# ! "
# ! " 5 3 . $ - *
• $ $ ' $ . # . % !. % ! " '2 6 '! 7 " ' "# ! 0 '" *+ . ,-8 * $ * 0 $, * $
• / " % ! " 2 "" " " ' ' $ " % .. & '3 " '" ) '" ' *+/ " % ! " ,-8 -
• $ . # 3 " - , * *4 -
%5 ,6 6 6 ( , 2 - - %5 6 6 ,6 6 6 (
# ! " . $ " ! $ " ' "# $ $ . ! " ' % 7 " ' . ' '" ' " ' . 3 . " ' *
" ' 2 ' $ "! . . 3 " ' % 0 %% '" 6 ) '0 '" # !" ) " # %"
$ * * $ 0 - ,
! .. !" ) . % " +/ " % ! " ',
, ,
# ! " ! ' . $ ) )! . " " / . % ! " ' ' / " % ! " ' !# # $ ' -
! 0$ ' % " 0 ' 3 0 '" ! " % ! " '8 # $ ' $ " ! " ! " % ! " '2 " ' '3 !" ) " 8 ..
9 .. !. 0 " $ '" " "# ! " ' & " '3 & "# ' "# 0 '"# % "# " & # ' "#
!" ) " ' " '! '" . "# " !# ! 0 '" " ' ' ' $ $ " '3 0 ' 2 %"& 2
)! & $$. * % . " - "# " & # ' "# ) '" & # !# . ' %& % " 1' & ' "
' " 0 '" " '2 0 0 '" 2 " " ' " . '
"# / . '"2 ' ' !. 0 & # !# ' " $ '" # .. 0 & ) ' . " .
# '" ) '" ' 0 '" ' ' 2 ' 9 % " + )! , # $ " ' :
" $ '" " ) 4 " '3 "# )! # ' %" % " "# +/ . '", 7
7 4 " % )! " ' & " '3
! " # $ % & $'( 7 . $ - 0
) # ! " ' "# ' 0 ' " ! ' ' ' & " 2 1 ' # $; . - - $ $ $ 8 , , 4
!# " '3 2 < $ " ' ' "; ) . " '2 / ' ." '3 '3 ' 2 / '" .. 2 7 ) . !# " !"2 ' % !" 2 5
# $ . 2 $ 2/# " # $ &' &# ' " . ) % ' % "# <$ 7 # !. 3 '" " "# ! '! ' ' " ' "# $ ) . ! "%! " 0 ' ) . '" .
0$ . .3 " ' "# '" ) '" ' % "# ! " "# " % %% !" % "# ' " ! !! '3 " = # ) !" " ! 0$ . '! & "# 9
# ) ' " !. > # '
/ . % ! " ' "# $ $ 0 '" 3 ) ' "# ! " % " / . '"2 " ! " ' " 2 % .. & '3 5
) " ) . '3 "# . ' $ !% ' " !. 9 ' # %" ' "# . ) . % 5 # )! % "# ! " 2 & # "# ! 0$ . " ' "2 ') .) "# $ 0 '" % % $ ' ! $"
! 0$ . '! % '" " " . $ " % "# 0 # $$ 0 '" $ '" !. '" % "# ') ! ' "# 0 0 '" % "# < $ ' '!
' "# / " % ! " ' $ ! .. " ' ! ' "# ! " ; 3 "
5 .# - *$ *
/ "%! " ' ! " "# ! " . '3 "# 0 .' " " ' " !. 9 ' -
# %" ' & "# % '! " "# $ $ . ! . 7 " ' . ' '" ' " ' . 3 . " ' " '
5 . + $ * . $
* + $ , $
+ $ $ $
ARTICLE 9
$ - $
# / . '" " 3 ) " "# ! " .. !! ' '% 0 " ' ' ! % "# $ % 0 '! % 9 # ! 0 '" ' " $ ) " $ $ "# ! " % " ) ! 2 ' "#
"# 4 " )! '% 0 " ' ) . . " "# ! " 2 " " ! '% '" . ? & ) 5
• / . '" # ) !! " "# " "# # ) $ ) " "# ! " ' 2 '3 "# $ %
!. % ! " ' % "# ' " % "# 02 " "# ! ' " '3 % ) $ " '
. , $ / ! " % ! " & # !# # ) '$ $ " ' "0 "# ! " % "# !. %! " ' % "# ' " 8
$ * / - • ! $ % "# ! 0 '" 0 ) . . % "# !. % ! " ' % "# '" ' % ) . . )
$ $ - $ $ " ! ' # ' ) " ' "# / . %! " ' ! " 0 % "# '" ' " ' .
* / ! " ' %/ . %! " ' ! " * / - '! % "# ' "; " ' % % !. 8
/ 00 "" ! ' " '3 % $ ' ." % 0 "# ' " ! '" " " "# ) . $ 0 '" % "# • "# " . " ) " "# ) . " ' % "# 3 " 2 " "# !. $ ' ' ' " "# ) " " %
! 0 '" "# ' " $ '" / !! '3 " "# ! " ' & 1 '3 . 8
. $ $ 0 $ $ • "# ! " % ! " 2 ! 0 '" ' '% 0 " ' . " ) " "# ' " !. & "# "# ! " 0
$1 ) & '3 / " ' !. $ ' % "# ! '! ' 3 ) '0 '" . '"
. # )! % "# ! " ! " $ % ' . ) !! '3 " "# / % 3 ) '0 '" . "# " % / " # ) '3 !" '
"# ! % "# 0 % "# '" ' " ' . ! " ' %/ . %! " ' ! " * / - # ! 0 '" ' " !" " % . 0 ' 3 0 '" $ . '
. $ - 2 $ *$ $ 6
$ - 2
6 ' . # "! 0 '3 ' "# $ % 0 '! % " )! "# ! " '3 % 0 '
) '" ' " ' . % . ' "# ! '" . % "# ! " # .. 0 ' ""
!# % ! '" !"
# ! " 2 !" '3 % '! " " . 5
• ) & "# ! ' " !" ' '3 0 '" % "# '" # & ' ' "# ! 0 '" $ '" "#
'! % ) 3 '3 $ ' ' '3 ) "& ' "# / . '" ' "# ! " ; ) 2 "#
/ . '"8
! " 0 3 ' " ' "# % " ) " "# 4 " % "# / . '"
• ! ' !" ) " "# $ . ! % "# ! ' " !" '8
• !. '" ' '" "# !. ' " 3 " 8 ( 3 0 '" % " !# ' ! . ' " "& ' "# / . '" ' "# ! " ! ' 0 ""
• ) $ ! .. "# ' " ' ) ! " ' " "# " "# 4 0 '" % "# 0 '" ' '! % !. "# ! " " "# )! % " ' ) / 00 ""
0 "
$ $ $ ( $ " ) "# )! ! " . 3 " ' % 6 ) '0 '" & "# ' "#
2 $ * - % 0 & 1 % "# $ $ . ! . 3 0 '" & "# "# " " 2 '" ' " ' . / ') '" ' ' ' " ' . .
) ( $ " '3 " % "# $ 0 '" % "# ! " ; ') ! "# / . '" 0 "" " "#
) . $ * * - / " % 7 '" 2 '!
* - $ * $ .# : $
) . *$ $ ) * 2 $ * * , *$ * , -
+ * 993 $ $ .
* $ * - *$ -
, $ - - $ / - - , * -,
/ , + , $ . : * - * - -
$ , * * * $ , 2 , , ,
2 $ $, , 2 # 0 ) ' & " '3 0 " . 3 0 '"
+ , -
# ') . " % ' 0 " $ . " ' % "# $ '" 6 ' . / ' " ' ' " %% !" "#
) . $ - + , ) . " % "# 0 ' '3 $ ) '
$ - , * - 2 * $
* , $ # %'" ' # ' " 1 $ ! '! ) ' %'" ' ) '3 "# 0 $ $ & # !#
0 $$ ' "# ! 0 '" "# ! "
GUIDANCE NOTE NI 524
SECTION 1 GENERAL
November 2006
Section 1 General
1 Introduction 5
1.1 General
2 Scope of work 5
2.1 HIPS system
2.2 Related standards
3 Definitions 7
3.1 Main definitions
4 Documentation to be submitted 7
4.1 Overall HIPS system
4.2 HIPS components
SECTION 1 GENERAL
Symbols
β : Common cause factor (fraction of undetected The Sec 4 describes the tasks to perform and the docu-
failures that have a common cause) ments to produce related to Software for the verification
λ : Failure rate of the HIPS system according to the requirements of the
present Rule Note.
λD : Dangerous failure rate
• Section 5: Tests Witnessing
λDD : Detected dangerous failure rate
The Sec 5 describes the tests that the Society is to wit-
λDU : Undetected dangerous failure rate
ness to validate the HIPS system before operation and
λS : Safe failure rate during operation.
CCF : Common cause failure
Note 1: The sections 2 to 5 are based on IEC 61508 and IEC 61511
DC : Diagnostic coverage requirements.
ESD : Emergency shutdown
FAT : Factory acceptance test 2 Scope of work
FMEA : Failure modes and effects analysis
HIPS : High integrity protection system 2.1 HIPS system
HIPPS : High integrity pressure protection system
2.1.1 A HIPS system (High Integrity Protection System) may
PFD : Probability of failure on demand be used to avoid the following hazards:
PLC : Programmable logic controller • over-pressure hazards
PSD : Process shutdown
• overheating hazards
RAMS : Reliability, availability, maintainability and
• overflow hazards
safety
• corrosive fluid hazards.
SDV : Shutdown valve
SFF : Safety failure fraction 2.1.2 The HIPS system is to be a protection system made of
SIL : Safety integrity level. multiple barriers:
• process shutdown system (PSD) and emergency shut-
1 Introduction down system (ESD) barriers
• one or more independent barriers, named HIPS system.
1.1 General
2.1.3 The HIPS system is to be independent of other pro-
1.1.1 Application cess systems.
The requirements of the present Rule Note apply to offshore 2.1.4 The HIPS system is to:
units as defined in Part A, Ch 1, Sec 1 [4] of the Rules for the
Classification of Offshore Units when the additional class • isolate the concerned equipment from the source of
notation HIPS is assigned. danger before the design conditions are exceeded
• mitigate the risk of the concerned equipment exposed to
1.1.2 The present Rule Note is subdivided into five Sec- hazard before the design conditions are exceeded by
tions: means appropriate to the nature of the risk.
• Section 1: General
2.1.5 HIPS system is generally made up with the following
• Section 2: Organizational Methods and Procedures components:
The Sec 2 describes the tasks to perform and the docu-
• inputs: transmitters such as pressure transmitters, level
ments to produce for the verification of the HIPS system
transmitters and temperature transmitters
according to the requirement of the present Rule Note.
• logic solver: solid state or PLC (programmable logic
• Section 3: Hardware Analyses
controller)
The Sec 3 describes the tasks to perform and the docu-
• outputs: solenoid valves and actuators and valves.
ments to produce related to Hardware for the verifica-
tion of the HIPS system according to the requirements of Note 1: The list of components is not exhaustive.
the present Rule Note. Note 2: HIPS system (High Integrity Protection System) may be
• Section 4: Software Analyses noted HIPPS system (High Integrity Pressure Protection System).
2.2 Related standards 2.2.2 HIPS system is to be compliant with CEI 61511 Stan-
dard:
2.2.1 HIPS system is to be compliant with EN/IEC 61508
• Part 1 - 2003-01, First edition
standard:
• Part 1 - 1998-12, 1st edition • Part 2 - 2, First edition
• Part 2 - 2000-05, 1st edition • Part 3 - 3-3, First edition
• Part 3 - 1998-12, 1st edition Note 1: To build a HIPS system with sub-system(s) certified accord-
• Part 4 - 1998-12, 1st edition ing IEC 61508 only is not a sufficient condition. The whole system is
• Part 5 - 1998-12, 1st edition to be certified. Moreover, a company standard is to be defined. Espe-
cially, the use of a certified subsystem is not sufficient to reach the
• Part 6 - 2000-04, 1st edition compliance with IEC 61508 standard, as the final validation has to
• Part 7 - 2000-03, 1st edition. be done in the same environment and for the overall safety function.
Table 1 : Definitions
Architecture Specific configuration of hardware and software elements in the HIPS system
Failure, which is the result of one or more events, causing coincident failures of two or more
Common cause failure (CCF)
separate channels in a multiple channel system, leading to system failure
Dangerous failure Failure which has the potential to put the HIPS system in a hazardous or fail-to-function state
Fractional decrease in the failure rate of dangerous hardware failures resulting from the
Diagnostic coverage (DC)
operation of the automatic diagnostic tests
Interval between on-line tests to detect faults in a safety-related system that have a specified
Diagnostic test interval
diagnostic coverage
In relation to hardware, detected by the diagnostic tests, proof tests, operator intervention (for
Detected
example physical inspection and manual tests), or through normal operation
E/E/PE Electric / Electronic / Programmable Electronic system
Abnormal state that may cause a reduction in, or loss of, the capability of a functional unit to
Fault
perform a required function
Use of techniques and procedures which aim to avoid the introduction of faults during any
Fault avoidance
phase of the safety life cycle of the HIPS system
Ability of a functional unit to continue to perform a required function in the presence of faults
Fault tolerance
or errors
Failure Termination of the ability of a functional unit to perform a required function
Hazard and operability analysis. Analysis lead to study a process and to identify hazards
HAZOP
linked to this process
Activity of determining the effect that a change to a function or component in a system will
Impact analysis
have to other functions or components in that system as well as to other systems
Periodic test performed to detect failures in a HIPS system so that, if necessary, the system can
Proof test
be restored to an "as new" condition or as close as practical to this condition
Mean unavailability of safety instrumented systems. It must be understood as the Probability
PFD
of not Functioning on Demand
The average, PFDAVG, of this parameter is used to define safety integrity targets and safety
PFDAVG
integrity levels (SIL). It is often expressed as an average frequency of failure per year
Existence of means, in addition to the means which would be sufficient for a functional unit to
Redundancy
perform a required function or for data to represent information
Average probability of a SIS satisfactorily performing the required safety instrumented
Safety integrity
function under all the stated conditions within a stated period of time
Discrete level (one out of a possible four) for specifying the safety integrity requirements of the
Safety integrity level (SIL) safety functions to be allocated to the HIPS systems, where safety integrity level 4 has the
highest level of safety integrity and safety integrity level 1 has the lowest
SIF Safety Instrumented Function
Implementation of one or more safety instrumented functions. A SIS is composed of any
combination of sensor(s), logic solver(s) and final element(s) (IEC 61511).
Safety instrumented system (SIS)
Example: Emergency shut down system, process shut down system. HIPS are particular case
of SIS
Failure which does not have the potential to put the HIPS system in a hazardous or fail-to-
Safe failure
function state
In relation to hardware, undetected by the diagnostic tests, proof tests, operator intervention
Undetected
(for example physical inspection and manual tests), or through normal operation
2.1.2 Each specific process mentioned in [2.1.1] is to be 3.3.2 The minimum SIL required for a HIPS system is to be
submitted and documented. SIL 3.
• maintenance procedures.
8 Maintenance process
3.3.4 Subsequent specifications of HIPS equipment are to
be defined and provided to Vendors/Sub-contractors. Com- 8.1
pliance to these specifications is to be reviewed during
"realization process" (See [5]). 8.1.1 Maintenance process has to:
• ensure that the safety level of the HIPS system is main-
4 Design and development process tained during operation and maintenance or to take
measures to ensure the same level or to describe all the
differences
4.1
• operate and maintain the HIPS system so that the
designed functional safety is maintained.
4.1.1 Design and Development process have to ensure that
the design and implementation of the Electric/Elec- 8.1.2 Maintenance process has to comply with all these
tronic/Programmable Electronic (E/E/PE) safety related sys- maintenance requirements:
tems meet the specified safety functions and safety integrity
requirements. • an operation and maintenance planning (dedicated to
the HIPS system) are defined and carried out
4.1.2 Design and development process are described in • the operators are trained on the function and operation
Sec 3 and Sec 4. All the requirements concerning this step of the HIPS system in their area: the operators have to
of the project are given in these Sections. understand how the HIPS system works, the hazards the
HIPS system is protecting against, the operation of all
bypass switches and under what circumstances these
5 Realization process bypasses are to be used, etc…
• written proof-test procedures are developed.
5.1
8.1.3 The operation and maintenance planning have to
5.1.1 Realization process has to create a HIPS system com- contain:
pliant with the HIPS system safety requirements. • routine and abnormal operation activities
5.1.2 Realization process is described in Sec 3 and Sec 4. • proof testing, preventive and corrective maintenance
All the requirements concerning this step of the project are activities
given in these Sections. • the persons in charge of the activities.
2.2.5 The HIPS system is to be tested periodically by two 2.2.10 For the HIPS system and for each sub-system, a fail-
means: ure modes and effects analysis (FMEA) is to be documented
• Diagnostic tests performed by the logic solver at fixed (refer to IEC 61508 Part II §.7.4.7.4).
frequency. These diagnostic tests can cover a part of the As an example, a FMEA can be documented by a table
HIPS system only divided into three man parts: FMEA, self-diagnostic and
• Proof-tests performed or started manually at regular proof-test. Each main parts of this table can be respectively
interval. These proof-tests have to cover the maximum detailed as defined in [2.2.11], [2.2.12] and [2.2.13].
components and failure modes of the HIPS system.
2.2.11 FMEA part
Note 1: The proof-tests described above are to be traced and docu- FMEA part of the table describes the failure modes and
mented in the operation and maintenance documentation. effects:
• Function: Description of the function performed by the
2.2.6 All failure modes that are not detected by a diagnos- component
tic test or proof test are to be described. Protective and pre-
ventive measures to control these modes are to be taken. • Component: Type of the component
• Code/Reference: Reference number of the component
2.2.7 A protective measure is to be taken when a failure is • Failure mode: Description of failure modes and distribu-
detected through a diagnostic test. All the "failure then detec- tion key, in %
tion then protection" scenarios are to be fully documented. • Cause: Description of failure cause
2.2.8 The diagnostic tests and proof-tests are to be • Effect: Description of failure effect
described in a document giving, in particular, the detection • Total Failure Rate λT: Failure rate of the component (all
percentage of each test (diagnostic coverage or DC). This failure modes included)
diagnostic coverage is to be reported in the failure mode • Failure rate per mode λ: Failure rate per failure mode
effect analysis (FMEA).
• Remarks: Remarks
Examples of diagnostic tests and associated DC are given in • Dangerous: 1 if the failure mode is dangerous (failure
IEC 61508 Part II Annex A. which has the potential to put the HIPS system in a haz-
2.2.9 The justifications of common cause failure (CCF) are ardous or fail-to-function state) and 0 if the failure mode
is safe.
subdivided into two axes:
• Axis 1: CCF management Note 1:
2.2.14 The failure rates indicated in this table are to be - the calculated failure rate
extracted from: - the minimum and maximum failure rates using a
• A failure rate databases such as OREDA 2002 and UTE confidence level of 90% (using per example, the
C 80810. If the components are not found in these data- Khi-square Law - χ2).
bases, other databases can be used such as OREDA
1997, Mil-HDBK 217F, IEEE STD 500, etc. 2.2.15 The average probability of failure on demand (PFD)
• Field experience. In the case of use of field experience, is to be calculated for the overall HIPS system.
a complete and documented study is to be available.
This study has to describe: 2.2.16 Two different calculations are to be performed:
- the component analysed (Type, reference, environ- • The first calculation is to calculate the average PFD with
ment) the evaluated
- the amount of components studied • The second calculation is to calculate the average PFD
with β =10%, to obtain a sensitivity calculation.
- the amount of failures and the type of failures
- the observation period The PFD calculation is to be submitted.
Unavailability of
the HIPS system
G2
Logic Solver
Common Causes Sensors Failures Valves Failures
Failures
G5 G6 G7 G5
1.8e-3
1.6e-3
1.4e-3
1.2e-3
1.0e-3
SIL 3
8.0e-4
6.0e-4
4.0e-4
2.0e-4
2.2.17 Fault trees are to be used to calculate the PFD over 2.2.21 Dynamic simulations are to be performed and docu-
the lifetime period of the HIPS system. mented to determine the needed response time of the system.
An example of fault tree and of calculation over the time is This response time is to be verified during the verification
given in Fig 2. and validation stages.
If the peak value is above the accepted limit, the time dura- 3.1.2 All the proof tests taken into account in the calcula-
tion above limit, in%, is to be given. tions are to be fully documented in the operation and main-
tenance documents.
2.2.19 The safe failure fraction (SFF) is to be calculated for
individual component only. The results of the FMEA is to be 3.1.3 Each modification is to be traced and analysed (See
used to calculate the SFF. Sec 2, [9]).
The safe failure fraction is to be equal to: Table 1 : SFF objectives/SIL level
SFF= (ΣλSD + ΣλSU + ΣλDD) / (ΣλSD + ΣλSU + ΣλDD + ΣλDU)
Hardware fault tolerance
where: Safe failure fraction
1
λSD, λSU, λDD, λDU: Defined in [2.2.12] SFF < 60% SIL 1
SFF ≥ 60% SIL 2
2.2.20 The SFF objectives linked to the SIL level are given
in Tab 1(refer to IEC 61508 Part II §7.4.3 for more details). SFF ≥ 90% SIL 3
This Section doesn't apply if there is no software used in the 2.2.2 The application software has to reach the maximum
HIPS system, such as in a Solid State. SIL between the targeted SIL of HIPS system and the tar-
Note 1: This Section is based on IEC 61508 Part III. If a doubt geted SIL of logic solver (if different).
occurs, IEC 61508 Part III is to be used.
2.2.3 Application software safety requirements (linked to
2 Software development methodology the risk analysis) are to be developed.
• test environment including tools, support software and (for example, includes application driven watch-dogs
configuration description and data range validation)
• test criteria on which the completion of the test will be • monitoring of other devices within the SIS
judged
(for example, sensors and final elements)
• physical location(s) and its consequences
• enabling periodic testing of safety instrumented func-
(for example, factory or site)
tions when the process is operational
• dependence on external functionality
• references to the input documents
• appropriate personnel
(for example, specification of the SIF, configuration or
(qualification and skills)
architecture of the SIS, hardware safety integrity require-
• non-conformances. ments of the SIS).
2.2.5 The application software safety requirements specifi- • functions that allow the SIS to be safely modified
cation has to provide information allowing proper equip- • interfaces to non-safety related functions
ment selection. The following is to be considered:
• capacity and response time performance, even when
• functions that enable the process to achieve or maintain the system is in the default state
a safe state
• the safety integrity levels for each of the above functions
• functions related to the detection, annunciation and
management of faults in sub-systems of the SIS • the evidences that the system is safe to be operated
using the following methods:
• functions related to the periodic testing of safety instru-
mented functions on-line - software errors and effects analysis (SEEA)
• functions related to the periodic testing of safety instru- - critical code review (CCR)
mented functions off-line - formal proof.
Possible
iteration Step 2 : On-shore tests
Possible
iteration Step 3 : Off-shore tests
During operation
3.1.5 A detailed "FAT plan" is to be written and submitted 4 Step 2: On-shore tests witnessing
to the Society before the beginning of the FAT sessions
including:
4.1 Description of step 2
• the references of the relevant documentation
4.1.1 On-shore tests are to be performed.
• the exact references of the component tested (Hardware
version and Software Version) 4.1.2 The Society is to be informed of on-shore tests session
• the type of tests to perform: functional tests, perfor- performed.
mance tests, environmental tests, interface tests,
degraded mode tests, etc. 4.1.3 Society is to witness only the part related to the HIPS
system. Society is to decide to witness 100% of the on-
• the description of the tests environment, the tool to use shore tests related to the HIPS or only a sample of the on-
and the dependence on other systems shore tests.
• the description of the functional tests to perform The sample depends on the confidence obtained by the
• the description of the performance tests to perform Society after the different reviews performed during design
according the project specifications and documentation and development and realization process (See other sec-
tions of the Rule Note).
• the verification of diagnostic tests and proof-tests
• the description of connection and communication tests 4.1.4 A detailed "on-shore tests plan" is to be written and
to perform submitted to the Society before the beginning of the On-
Shore tests sessions including:
• the description of the test acceptance criteria on which
the completion of the test is to be judged • the references of the relevant documentation
• the exact references of the component tested (hardware
• the description of the procedures for corrective action in
version and software version)
case of failure of a test
• the type of tests to perform: functional tests, perfor-
• the description of the personnel involved in the FAT ses-
mance tests, interface tests, degraded mode tests, etc.
sion.
• the description of the tests environment, the tool to use
3.1.6 A detailed "FAT report" is to be written and submitted and the dependence on other systems
by Society after each FAT session stating: • the description of the functional tests to perform
• the safety cases • the verification of diagnostic tests and proof-tests
• the FAT results for each test • the description of the test acceptance criteria on which
the completion of the test is to be judged
• whether the objectives of the acceptance criteria are
• the description of the procedures for corrective action in
met and the final acceptance of the results.
case of failure of a test
• the description of the personnel involved in the On-
3.2 Examples of FAT Shore session.
3.2.1 FAT session for transmitters: 4.1.5 A detailed "on-shore tests report" is to be written and
Functional tests, leakage tests, response time tests, etc. submitted to the Society after the session stating:
• the safety cases
3.2.2 FAT session for valves: • the results for each test
Functional tests, torque tests, hydrostatic tests, seat leakage • whether the objectives of the acceptance criteria are
test, etc. met and the final acceptance of the results.
4.2.4 To check 100% of the combinations for the voting • the description of the test acceptance criteria on which
functions: the completion of the test is to be judged
• valves • the description of the procedures for corrective action in
• to check partial or/and full stroking case of failure of a test
• to check opening and closing times • the description of the personnel involved in the off-
shore session.
• to check solenoid valves commands.
5.1.5 A detailed "off-shore tests report" is to be written and
4.2.5 Interlocks:
submitted to the Society after the session stating:
To check the interlocks.
• the safety cases
• the results for each test
5 Step 3: Off-shore tests witnessing
• whether the objectives of the acceptance criteria are
met and the final acceptance of the results.
5.1 Description of step 3
5.1.1 Off-shore tests are to be performed. 5.2 Example of off-shore tests
5.1.2 The Society is to be informed of off-shore tests session 5.2.1 General tests:
performed. • to check HIPS system/other systems communication
• to check of power supply redundancy for each cabinet
5.1.3 The Society is to witness only the part related to the
• to check high temperature alarm for cabinets
HIPS system. The Society is to decide to witness 100% of
the off-shore tests related to the HIPS or only a sample of • to check the behavior of the logic solver in replacing
the off-shore tests. cards for example.
The sample depends on the confidence obtained by the 5.2.2 Pressure transmitters:
Society after the different reviews performed during design
• to check the detection limits
and development and realization process (See other sec-
tions of the Rule Note). • to check the capability to be protected against false
operation.
5.1.4 A detailed "off-shore tests plan" is to be written and
submitted to the Society before the beginning of the off- 5.2.3 Voting and safety bars:
shore tests sessions including: • to check the shutdown sequence
• the references of the relevant documentation • to check 100% of the combinations for the voting func-
• the exact references of the component tested (hardware tions
version and software version) 5.2.4 Valves:
• the type of tests to perform: functional tests, perfor- • to check Partial or/and Full stroking
mance tests, interface tests, degraded mode tests, etc.
• to check opening and closing times
• the description of the tests environment, the tool to use
• to check solenoid valves commands.
and the dependence on other systems
• the description of the functional tests to perform 5.2.5 Interlocks:
• the verification of diagnostic tests and proof-tests To check the interlocks.