Functional Safety Highlights for Managers - Part 2
Shaun Williamson P.L. Eng., CFSE, PMP
Principal | Director of Engineering - Supporting our clients with HAZOP/LOPA, SIL/SIS consulting, Fire & Gas Engineering, Alarm Management, Bowtie, PSI As-Builts.
Abstract
This paper builds off discussion in an earlier Functional Safety Highlights for Managers paper (PSH-BLG-100) in which we discussed relevant industry standards and the importance of organizational safety culture supported by management.
The intent of this paper is to provide an introduction to SIL / SIS and an overview of the IEC 61511 safety lifecycle, to discuss the important activities that should be planned, and to discuss how management can support these activities. The last section includes some helpful tips to fast track successful management of functional safety and to avoid common pitfalls.
This description is intended as a high-level overview of functional safety management and will intentionally simplify many of the topics, since the intended audience is not expected to become experts in this field, but rather to understand some of the terms and requirements involved with managing people and projects with a SIL / SIS component.
SIL / SIS Basics
The goal of a functional safety program should be to design out hazards and implement an inherently safe design whenever reasonably practical. In many cases, process risk cannot be eliminated and other layers of protection are required to manage it. One form of protection is mechanical systems such as relief valves. Another common form is based on Electric/Electronic/Programmable Electronic technology and is composed of sensing elements, final elements and a logic solver. These are broken into two common types:
· Basic Process Control System (BPCS)
· Safety Instrumented System (SIS)
To understand instrumented safety, it is important to understand a few terms and abbreviations.
A BPCS is a system that performs basic process control functions and may also implement some safety interlocks and alarming functionality. Examples of BPCS include SCADA controllers, general use PLC and DCS controllers, as well as modular self-contained controllers. A BPCS is differentiated from a Safety Instrumented System (SIS) by the lower comparative integrity that it provides, which is defined as a risk reduction factor of 10 or less.
A SIS is a system that is required to provide a high level of risk reduction, with a defined Risk Reduction Factor > 10. Theoretically, the components used for such a system may even be the same as the ones that would be considered for a BPCS. However, management under IEC 61511 is required in order to achieve sufficient integrity to provide a risk reduction factor higher than 10. A SIS loop composed of sensing/final elements and a logic solver is referred to as a Safety Instrumented Function (SIF), and its risk-based integrity target is referred to as a Safety Integrity Level (SIL). The SIL represents an order of magnitude of risk reduction provided and can also be expressed as a more granular risk reduction factor (RRF) or average probability of failure on demand (PFDavg). The following table from IEC 61511 shows the relationship for SIL in a demand mode of operation.
A few things to point out relating to the table above:
· SIL 4 is extremely rare due to the extensive requirements to achieve this integrity.
· Demand mode is the most common form of SIF, in which the system moves to a safe state in the event of a demand on the SIF (the hazard is not continuously present). A continuous mode SIF is used to maintain the process in a safe state (the hazard is always present) and uses a different table to define SIL. Most SIF are demand mode and therefore in most cases are based on the table above.
· A higher SIL can also have a corresponding need for higher fault tolerance (redundancy).
Safety Lifecycle Overview
IEC 61511 requires a full lifecycle approach to managing functional safety following the diagram from IEC below:
Box 1 – Begins with a process hazard assessment (PHA) on the proposed design to identify, analyze and assess risk. This is typically done starting with qualitative techniques such as HAZOP or What-If.
Box 2 – Higher process risk scenarios identified in Phase 1 are analyzed in more detail in a SIL Assessment, in which SIF(s) may be defined and assigned a SIL target. The most common process in use for this is the Layer of Protection Analysis (LOPA).
The proposed SIF design is analyzed using SIL verification calculations to ensure the reliability targets (SIL), architectural constraints (fault tolerance), systematic capability and availability targets (for acceptable spurious trip rates) have been achieved. Reliability modeling is performed which takes into consideration the system voting architecture, component failure data, proof test coverage and frequency, life of the SIF (mission time), diagnostic coverage, common cause failures and many other factors. The system or the variables affecting reliability can be modified until the design targets have been achieved, allowing the design to move forward into the next phase. In some cases, this process may identify a need to modify hardware/software or add redundancy, so it is important that this exercise not be left until too late in the project.
Box 3 – Involves compiling the verified SIS design for all SIF(s) into a common document referred to as the Safety Requirement Specification (SRS). This document is the central repository for all information needed to design, install, test and maintain the SIF(s) so the designed integrity can be assured. This is a lifecycle document that must be kept current for the life of the SIF(s).
Box 4 – Involves using the details provided in the SRS to perform detailed design on the SIF(s), including procuring the equipment and developing loop wiring and installation drawings, commissioning and test plans, and procedures. At this stage, proof test procedures are developed for each SIF; these are used as part of commissioning and also regularly over the life of the SIF.
Box 5 – Is the part of the process in which the SIS and associated SIF are installed, commissioned and tested according to the engineering documents and plans from earlier phases.
Box 6 – This phase includes operational tasks for interfacing with SIS/SIF equipment, including monitoring, responding to diagnostic alarms, bypass and maintenance or repair, and regular proof testing.
Box 7 – Covers any modifications to the SIF or SIS. Modifications need to be covered under a Management of Change (MoC) process and require moving back to the earliest affected phase of the lifecycle to address the changes.
Box 8 – Covers decommissioning of the SIF as the final stage of the lifecycle. When a SIF is removed from service, it must be properly decommissioned to ensure it does not have the potential to create an unsafe condition, such as impairing another remaining SIF.
Box 9 – Verification is a process that continues throughout the lifecycle. The outputs from each phase must be tested and evaluated to ensure correctness and consistency relative to the inputs to that phase.
Box 10 – Functional safety management includes regular audits to ensure lifecycle requirements are being followed and to judge whether functional safety is being achieved.
Box 11 – Shows that planning is required for each stage to ensure lifecycle activities are performed properly and functional safety is achieved.
Functional Safety Assessments (FSA) are needed at multiple stages. Stage 1 occurs after the PHA has been completed, protection layers assigned and the SRS developed. Stage 2 is performed after the SIS has been designed. Stage 3 is performed following SIS installation and commissioning completion, with operating procedures in place prior to start-up; this is also considered the pre-start-up safety review. Stage 4 is completed regularly during the course of operations. This may be timed with the turnaround frequency, and good practice is for this to be done within a 5 year frequency. Stage 5 is completed following modifications or decommissioning of a SIF or the SIS. Stages 1-3 require at least one senior competent member of the FSA team to be independent, not having been involved in the project design. Stages 4 and 5 require at least one senior competent member of the FSA team to be independent, not having been involved in the operation or maintenance of the SIS.
Management Role in the Safety Life Cycle
To receive the most benefit from the functional safety activities, it is necessary to ensure all requirements are met to the greatest extent possible. If the standard is treated as a box to check without embracing the objective of these activities, many steps are likely to be left out or not properly supported. The result may be a similar implementation cost but with many gaps in the installed system that could result in degraded reliability, a greater potential for spurious trips and a system that is more difficult to maintain. Here are some tips on how management can influence the process to ensure the most value for your SIS investment.
Tip 1 – Apply good concepts consistently!
Develop corporate standards to ensure consistent application of functional safety processes across all facilities and projects regardless of the engineering team involved.
Tip 2 – Live or die by the plan!
Implement a SIS Lifecycle Management Plan. Plan activities not only for the design and construction phases but also for the operations and maintenance phases. One common issue observed is that companies go through the hard work of specifying, designing and installing SIF in compliance with IEC 61511 and then fail to put processes in place to maintain them once in operation.
Tip 3 – Competency is King!
Ensure there is sufficient functional safety competency for the entire lifecycle. This includes internal resources and partnerships with competent consultants.
One method to support proof of competency is verifying that safety certification is in place from recognized providers, such as the Exida CFSE/CFSP program, certificate programs such as the ISA84 SIS Expert and FSP programs, or the TUV Rheinland FS program.
Another key factor when assessing competency is to consider whether personnel performing specialty activities are competent in all lifecycle phases affected by their work. The HAZOP facilitator must know how to properly structure their reports to support downstream activities such as LOPA, SIL calculations, fire and gas systems assessments, and alarm management studies. A HAZOP facilitator that does not practice these services may document the report in ways that lead to missing information, rework, and failure to bring attention to safety critical elements so they can be effectively managed. It can also be advantageous to use the same team for all the lifecycle activities, maximizing efficiency and preventing errors due to misinterpretation during knowledge transfer. Consider requiring demonstrated experience with the full SIS lifecycle as part of pre-qualification for specialty activities.
Tip 4 – Audits are your friend!
Make use of regular audits to assess performance as a feedback loop for the plans you put in place. Plans are only as good as the follow through. If plans are not enforced, the message sent to the organization is that these plans are not important. SIF(s) are used to manage the highest risk process applications in the facility. These systems should be maintained with at least the same respect and rigor as the pressure safety valves in a facility.
Tip 5 – Safety critical systems are just that (Safety Critical)!
Define all SIS and fire and gas systems as safety critical. Ensure all safety critical systems are designed, installed, tested and maintained to achieve a high level of integrity. Even if some safety critical systems (such as fire and gas) are not required to be managed under IEC 61511, they should be managed using similar processes with the same rigor. Making use of SIL certified hardware and software helps ensure that the processes followed during manufacturing maximize reliability. Ensuring fit-for-purpose fire and gas detector coverage is in place following ISA TR84.00.07 is the most effective way to maximize fire and gas system reliability. HAZOP is not the best process to assess fire and gas detection risk and placement requirements.
Tip 6 (Canada only) – Become familiar with CSA Z767 for Process Safety Management
Compared with most standards, this National Standard of Canada is short and easy to digest. It provides good background on the roles and responsibilities of the organization and management, and it details the required elements of a process safety management program.
References
IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Safety instrumented systems for the process industry sector
CAN/CSA-Z767 – Process Safety Management