Basics of Safety Lifecycle

This is a first in a series of six articles supported by webinars which are run in partnership with the Safety and Reliability Society on the Basics of Risk Management. I hope you enjoy the content as always. Definitions, disclaimer and references can be found at the end of the article.

Introduction

The Safety Life Cycle of a facility details the journey from concept selection to decommissioning which is taken to ensure the safe design, commissioning, operation, maintenance, modification and decommissioning given the hazards identified. It is important to note the duration of the safety life cycle and that the portion of time where there is most influence (concept selection and design) is likely only 10% of the entire lifecycle. The latter 90% of the lifecycle is also the period of time when the hazards can actually be realised.

There are a series of standards associated with the Safety Lifecycle. The main governing standard is BS EN 61508 and then there are supporting standards depending on what industry you are in:

BS EN 61511 Process Industry Sector

BS EN 61513 Nuclear Sector

BS EN 62061 Machinery Sector

BS EN 26262 Automotive Sector

For the purposes of this article I will discuss only 61511 with some reference to 61508.

As mentioned, the standards outline the processes and the goals of these processes to allow management of the risks of the project. This is a systematic approach and it would be difficult and time consuming to complete the steps out of sequence. Although each standard comes in several parts it is Part 1 which provides the general requirements and the remaining parts which provide guidance on how to. These standards are mandated in some countries however they are seen as best industrial practice.

As with previous articles this is not meant to replace the standard or provide you detailed knowledge on the subject but to provide an awareness so that you can take action to develop yourself further as required. The standards are a good place to start however I found that the training I completed online with Exida (FS001 and FS002) were very helpful at explaining the why of the standards helping to embed the learnings.

Overarching Principals

There has recently (2018) been an update to the standards which have more focus on competence including the competence of subcontractors at all stages of the lifecycle. The governing principles for the standards are:

• Competence – everyone who needs to be is competent in the way they need to be competent. That is the maintenance person does not need to know what response is to be taken on activation of the alarm he is maintaining but he does need to know how to maintain it and determine if it is working effectively.
• Risk based – This standard does not tell you the answer. It is up to the user to assess their risks and determine based on the guidance and requirements in the standards what level of safeguards are required. This risk based approach also helps structure assurance levels.
• Throughout lifecycle – This is not a once installed job done standard. It continues to support operations especially through the management of change.

What is the Lifecycle 

This section details the stages of the lifecycle and how they differ in 61511 and 61508.

For those of you that have worked in projects or on management of change proposals will recognise the lifecycles above even if you were not specifically aware that they were related to the above standards. All good project development is based on risk management. Even if a change is to increase production it should be done in a way which increases the risk as little as possible or actually reduces the risk of the facility. This can range from ensuring that the velocity of the fluids in the pipework are not overtly high which can lead to erosion in a relatively short time to ensuring that the velocity of the fluids through the separation vessels is not too fast to ensure that phase separation occurs. If one understands the risks associated with a project well the project can be developed in a way that minimises risk. If the risk evaluation is completed as a tick box this is a missed opportunity and generally results in higher risk facilities for the operating life, high level of change after start up or worst an incident which impacts people, the environment and or the asset.

Therefore, as described above the first step in the process is hazard and risk assessment. This may be completed in a two-stage process, for example it may be an early HAZID which identifies the high level hazards associated with the project which are then matured by the relevant disciplines. Then this may progress into a HAZOP where a multidisciplinary team evaluate the hazard again and look into the safeguards to determine if additional action should be taken. 

For the highest risk items further evaluation as indicated by the lifecycle is required. This will be completed in the form of a LOPA or a SIL study. It is important in these assessments not to be overly optimistic or overly pessimistic. One must consider robust independent levels of protection (which may not be instrumented) as these can reduce the safety requirements for the instrument. Having the correct level of instrumented protection is important to ensure that the plant is not overly complicated (which can lead to increased instrument or system faults) or overly simplified (which can lead to a high reliance on human controls or a complete misunderstanding of the risk in the facility).

The output of the above work will be the safety requirement specification (SRS). This is an important document as it contains the requirements for the safety instrumented function against which the hardware will be purchased, installed and operated. The standard includes requirements for the SRS (section 10) as well as a detailed list of requirements (section 10.3) for the SRS. Significant effort should be placed in ensuring the requirements for the SIS are adequately communicated as normally the team who complete the following stage (the design) are a different team to that who developed the SRS.

Once the system has been designed the instrumented functions will be installed and commissioned. This is not simply making sure that the item performs the function however it includes checking that it completes it at the right time, in the right time and that if a fault occurs it fails safely. This time in a project is often when there are significant time pressures on the team.  However, the importance of this step should not be underestimated as a mistake here can be left unrevealed for many years in the plant, sometimes until an incident occurs.

Once the plant has been commissioned it enters the longest phase of its life, operations and maintenance. The project team should hand over well-constructed operating and maintenance manuals which inform the new team how to operate and maintain the facility particularly the importance of each SIS. In many cases due to time pressures the manuals are written by the incoming operations or maintenance team. This misses a real opportunity for the design to be communicated to the operations team as well as the safety aspects of operating. In addition, as the manuals were not written by the designers who knew how the facility was to be operated, they can often actually be inadequate for operation and result in ‘work arounds’ being developed by the operations team especially during start up.

During the operations phase there are inevitably changes which will occur with the plant. These need to be adequately assessed (as required in the standard) and documents are to be updated accordingly. In so many cases (see my article on Engineering Management of Change) this process is not adequately designed, implemented or assured and incidents occur.

The final phase of the project lifecycle is decommissioning. This normally happens at the end of the facility life however sometimes especially for long life facilities it can happen in part during the operating phase. Sufficient attention should be given to this phase. It can leave dangerous situations waiting to be revealed if decommissioning is not completed effectively. For example, if all instrument connections are not terminated correctly, they can cause spurious trips. This is of particular importance offshore where these trips can lead to muster and restart which carry their own hazards. Another example is complete isolation of the instrumented functions but inadequate isolation or disconnection of the process equipment. This can leave large sections of the facility inadvertently pressurised in the event of an emergency leading to increased risk to personnel in the area due to the potential for escalation.

In summary

The application of this standard effectively can lead to a cost effective and safe design in all project phases. This standard is not easy to apply as it requires the engineering team to work together and really understand the process, the hazards and the mitigations. However, if you think about it, is that not what you want your team to be doing anyway? It requires a level of vigilance on the competence of not only your staff but that of your subcontractors and their subcontractors. It is a recipe for successful design, installation, construction, operations, maintenance and decommissioning of a high hazard facility which can deliver large rewards if attention is paid to the detail.

Keep up to date with what's coming by visiting louisewhiting.online.

Then what’s coming up:

• Warning signs (1, 2, 3 and 4)
• Examples of how things go wrong if you miss a step or don’t do it well (1, 2, 3 and 4)
• Auditing (Health Check) (1, 2, 3)
• Worked example (SARS webinar)

Warning signs examples

How things go wrong?

Audit tips

Disclaimer: My articles are based on my engineering experience in two major operators over 11 years. They do not reflect the processes of either and are not endorsed by either nor the Safety and Relaibility Society. If you find an error in the text please feel free to correct me as I too am prone to human error (although I like to think at a lower than average frequency). The intent of these articles are to educate. From beginners to experienced engineers. I hope that through the article or reference material you all get something from it. If you find the content too basic or too advanced again get in touch. Any improvement suggestions welcome.

References:

BS EN 61511-0 to 3:2017 Functional Safety – Safety Instrumented Systems for the Process Industry Sector

BS EN 61508-0 to 7:2010 Functional Safety of electrical/programmable electronic safety-related systems

Key Definitions:

HAZID – Hazard Identification Study

HAZOP – Hazard and Operability Study (see article)

LOPA – Layer of Protection Analysis

SIL – Safety Integrity Level

SRS – Safety Requirements Specification