Revised with Updates: May 28, 2020
Originally issued: February 28, 2019
Author
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
In Search of Clarity
Historically within Canada, there has been limited guidance in the form of regulations specifying mandatory process safety management requirements that must be followed. While on the surface this seems like it would allow more flexibility, in practice this has made it difficult for companies to understand their obligations relating to process safety management as they balance the potential costs of implementing such a program. The resulting confusion has left a wide gap between what activities are performed from one company to the next. In contrast, some countries including the United States have implemented process safety regulations that provide explicit mandatory requirements for activities that must be followed based on clearly defined criteria (OSHA 1910.119 and EPA 40 CFR Part 68).
Canadian national regulations and standards have been evolving in recent years in order to provide more clarity on mandatory requirements versus “Best Practices” for industry to follow. On February 20, 2017 CSA published the CAN/CSA Z767-17 Process Safety Management standard (referred to below as CSA Z767). The purpose of this document is to standardize performance requirements that companies should implement as part of a process safety management system. CSA Z767 has been confirmed as a National Standard of Canada giving the standard nation-wide recognition by industry and by the provinces and territories. CSA followed up on the issue of the CSA Z767 by adopting the following international IEC standards:
The 2018 Canadian electrical code (CEC) references these new CSA process safety standards, making them mandatory and enforceable across Canada. Some provincial regulatory authorities have taken exception to including these standards under an equipment safety standard that the CEC Part 2 safety standards were intended for. Alberta Municipal Affairs has since released a Standata (18-CEBC-2) dated December 2019 stating that IEC 61508-3 and IEC 61511 are not equipment standards and were listed in the Part 1 Standard in error. This means that these standards are not enforceable under the electrical code in this jurisdiction, but may still be enforced within others. While not enforced in certain jurisdictions as part of the electrical code, the CSA 61508 and 61511 series of standards remain "National Standards of Canada".
Regulation and Standards Explained
It is important to understand and take into consideration both regulatory requirements and best practices when developing a corporate process safety management plan. However, it is not always obvious when a standard is considered a mandatory requirement or instead considered a “Best Practice”. Questions often arise whether a “Best Practice” has to be followed, and whether there is any risk in ignoring a “Best Practice” in order to reduce costs.
Canadian Provincial Occupational Health and Safety (OHS) regulations place the responsibility on employers to protect the safety of their workers and the public from hazards posed by their operations through documented risk identification, assessment and control measures. Employers failing in this duty may face fines and, in some cases, criminal charges under Section 217.1 of the Canadian Criminal Code (also known as Bill C-45).
National Standards of Canada are developed by committees composed of manufacturers, consumers, retailers, unions, professional organizations and governmental agencies. These standards are intended to promote nation-wide standardization and are often developed to align with similar internationally recognized standards. Many standards are considered “Best Practices” and therefore by this definition considered voluntary, while others become mandatory when referenced in regulations or adopted by local authorities having jurisdiction (AHJ). The Canadian electrical code (CEC) is an example of a National Standard of Canada adopted by the provincial authorities, giving this standard the force of law.
Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)
In the US, OSHA has implemented a process that requires documented compliance to “Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)”. RAGAGEP is based on established codes, standards, recommended practices, technical reports or similar documents. In the US, RAGAGEP is mandatory and audited for compliance. While the RAGAGEP term comes from U.S. regulations, the RAGAGEP principle applies in Canada not as a mandatory requirement but instead as a means to establish documented due diligence in fulfilling the duty to protect workers and the public. Under RAGAGEP, codes are used to establish minimum requirements and, in the absence of applicable codes, consensus standards should be applied. When codes and consensus standards are not available or do not adequately address specific hazards, non-consensus documents may be applied on a case-by-case basis to establish RAGAGEP. Furthermore, an employer’s internal standards may serve as RAGAGEP when no published RAGAGEP exists or when available RAGAGEP needs to be supplemented in order to better control hazards. When used, internal standards must meet or exceed protective requirements from published RAGAGEP when they exist.
When a mandatory code is not applicable, companies have the right to choose to follow a standard other than the applicable national standard or implement their own standard. A common example of this is when an international company wishes to standardize their approach across the globe and adopts a more stringent international standard. For example, the U.S. process safety standard OSHA 1910.119 specifies among other things, mandatory requirements for when required activities of a process hazard analysis (PHA) must be performed including a 5-year revalidation requirement. It is important to remember that whichever standard is adopted, the company remains obligated to perform their duties under the OH&S regulations and therefore may be forced to defend their reasoning and actions in the event of an accident. Implementing a process that is less stringent than the applicable national standard is not advisable. Failing to take reasonable measures to properly protect the public and workers puts both the company and responsible individuals at risk (i.e. potential fines, imprisonment, court awards). The RAGAGEP principle is the most likely test that will be used to evaluate whether measures are “reasonable” within Canada.
Adopting National Standards can have the added benefit of ensuring customer confidence and may provide efficiencies through taking a standardized approach. Complying or failing to comply with standards may also affect insurability and/or insurance premiums.
There are many regulations and standards to be aware of, which can be difficult for those that do not deal with them on a regular basis. Feel free to reach out to the author for more information on this topic, or process safety support services. Look for our coming White Paper “New CSA Codes for Process Safety Management” for important Instrumented Safety RAGAGEP that all Canadian operating companies with hazardous process operations should be aware of.
Revised with Updates: May 28, 2020
Original Issue: March 4, 2019
Author
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
Recommended reading: Before reading this white paper, it is highly recommended to first read our In Search of Clarity - Standards and Regulations white paper (originally issued February 28, 2019 and revised with updates March 28, 2020) for a discussion of applicability and enforceability of codes and standards.
CSA 61511 and 61508 Adopted as part of Canadian Electrical Code (CEC)
Many Canadian companies are quite familiar with the international standards IEC 61508 and IEC 61511, which have been in use within Canada for many years as a “Best Practice” for implementation of Safety Instrumented Systems (SIS) within the process industry. Others may not have heard of these standards since they have not been enforced as a mandatory requirement within Canada. Together, these standards detail a lifecycle approach to managing an SIS, along with the processes and documentation required for proper implementation.
These standards have long been a regulated requirement in other parts of the world. With recent changes to the Canadian electrical code, the time has come for all companies to learn the requirements of these standards and how to implement them. The 2018 Canadian electrical code (CEC) has referenced CAN/CSA C22.2 No. 61508 and CAN/CSA C22.2 No. 61511 standards in the Part 1 standard, making them a mandatory part of CEC. CEC is adopted by each province and occasionally includes some jurisdiction-specific variances. Alberta Municipal Affairs has taken exception to these standards being referenced as part of equipment standards by issuing Standata 18-CEBC-2 (dated December 2019) and therefore will not be enforcing them as part of the CEC. It is unclear how other provinces will handle enforcement or whether the CEC will be modified in the next release. For jurisdictions such as Alberta that choose not to enforce these standards as part of the electrical code, it is important that companies understand that these CSA standards remain "National Standards of Canada".
Working with Performance Based Standards
CSA 61511 and CSA 61508 are performance-based standards as opposed to prescriptive standards like most of the other C22.2 standards. These standards detail a process for achieving tolerable risk through the application of electrical/electronic/programmable electronic safety-related systems, but do not cover hazards arising from the equipment itself (for example electric shock). These standards do not specify when an SIS must be used, but rather provide guidance on how to determine if it should be used and list the requirements for proper implementation. An SIS should not be the first hazard control measure considered, but in some cases may be the most cost-effective option available. Once it has been determined that an SIS will be used, these standards detail mandatory requirements for implementation. The 61511 Part 2 and 3 standards are informative sections that provide additional guidance on the use of SIS and should be consulted along with 61511 Part 1.
Enforcement of CSA 61511 and 61508
Many existing installations have been approved having met the electrical code requirements at the time of installation and inspection. While there does not seem to be a published document from provincial authorities to date on how enforcement of this new regulation will be handled, new CEC updates typically are not required to be implemented on existing installations that have been previously inspected against the "then current" version of the code unless serious safety risk is posed by not updating the installation. CEC changes that will require updates to existing installations and be enforced are specifically identified by the Provinces (not the case for these standards to date). Previously approved installations continue to be considered compliant until such time as the installation is modified. At that time, compliance with the latest codes and re-inspection is required. All new installations are required to meet the current code requirements at the time of installation.
Details have not yet been provided by provinces on what the inspection process might look like, and to date inspections do not appear to be taking place. Assuming inspections will eventually begin, there will likely be a phase-in period during which inspectors will need to be educated on the CSA 61511 standard. Since there are no physical requirements specified by the standard, a reasonable approach to how inspections would be conducted is in the form of an audit. The audit would check for evidence that mandatory documentation and processes are in place to validate that the required lifecycle activities have been performed properly, that an SIS was determined as required or not, and that, when implemented, it meets all of the requirements of the standard (i.e. PHA, SIL assessment, SIL verification calculations, Safety Requirement Specification, Proof Test Procedures, Functional Safety Assessments, Training etc.).
Adoption of this standard is intended to fulfill a company’s obligations for protection of the public and their workers under the OH&S act and as part of Recognized and Generally Accepted Good Engineering Practice (RAGAGEP). Added benefits of compliance can include meeting requirements for insurability and potential insurance premium reductions. The performance-based nature of these standards supports prioritization of invested risk reduction resources towards the highest risk areas of the facility, and also reduced resources in low risk areas.
Implementation of CSA 61511
There are many activities required for full compliance with this standard. A few specific requirements to be aware of are highlighted below:
In the event a SIS is selected as part of the risk reduction strategy, the requirements of CSA 61511 shall be followed including the following highlighted activities:
CAN/CSA Z767-17 Adopted as a National Standard of Canada
CAN/CSA Z767 (also referred to within as CSA Z767) is a National Standard of Canada not yet adopted as regulation and therefore considered a “Best Practice”. As discussed in the In Search of Clarity - Standards & Regulations article, it is highly advisable to treat the elements of the CSA Z767 standard as a minimum requirement for compliance and use as RAGAGEP.
Section 4.2 describes the scope of this standard: “This standard defines the minimum requirements that shall be in place for a process safety management system (PSM) throughout the life cycle of the facility.” The standard describes accountability and responsibility for process safety management activities with Senior Management holding ultimate accountability (Section 5.1.1). Senior Management, Supervisors and Workers are all responsible for PSM with their roles further described in section 5.3.
This standard discusses requirements that many existing process facilities are deficient in. Unchecked, these have the potential to contribute to the initiation of, or failure to prevent a major accident. Issues covered include:
Maintenance of Safety Critical Documents - Many facilities do not have up to date engineering documents required to support the safe operation and maintenance of the facility. CSA Z767 addresses this issue by requiring this safety critical documentation to be maintained over the life of the facility. Safety critical documentation identified in the standard includes: Plot Plan, PFD’s with material balance, P&ID’s, control philosophies, shutdown keys, PSV sizing sheets, Electrical Area Classification drawings, PHA’s (Refer to section 6.1).
Process Hazard Assessments (PHA) – Many existing facilities have either never had a PHA or the PHA is no longer valid due to changes in design, operation, corporate risk systems or to the original assumptions used. CSA Z767 requires that a PHA (most commonly performed using HAZOP) must be revalidated every 5 years. Changes to the facility must be managed by a management of change process (MoC) with a PHA used to assess the changes. The 5-year revalidation is a good time to consolidate smaller PHA’s completed as part of the MoC process to cover the entire facility ensuring effects within all nodes are considered from the smaller sessions (refer to section 6.3 for details).
Alarm Management - Some facilities rely heavily upon alarms with operator action and in many cases have never performed alarm management activities. Most of these facilities experience alarm flooding and other nuisance alarms causing safety critical alarms to be ignored. Rarely is there an established process to prioritize an operator response to high criticality alarms. In many cases, operations can change alarm setpoints, disable, shelve or bypass alarms without any formal risk assessment, change management or approval processes. CSA Z767 requires the responsible organization to put in place an alarm management process to cover the identification and prioritization of critical alarms and interlocks. This process must ensure a procedure is in place to control changes to alarm setpoints and interlock systems and to perform regular testing of alarms, interlocks and other critical safeguards (refer to section 7.3.5.1 – 7.3.5.2).
Fire & Gas Detection – Fire and gas detection is often relied upon as the last line of defense in a safeguarding strategy, however most facilities have never validated that detector quantities and coverage are appropriate based on application specific risk. Typically, detector locations and quantities are arbitrarily chosen with no established philosophy. Final locations are selected by the electrician with little guidance provided in engineering packages on exact placement required or how to point / orient them, sensitivity settings or even what equipment they are intended to cover. Detectors and associated annunciation equipment (i.e. horn, strobes) are rarely maintained properly resulting in poor protection and a false sense of security. The ISA TR84.00.07 standard provides guidance for engineering and design of fire and gas detection systems. This “best practice” provides a detailed process that may be applied to comply with the CSA Z767 requirements for risk identification, assessment and control of fire and gas hazards. Written inspection, testing and maintenance procedures must be in place to ensure the ongoing integrity of the installed fire and gas protection systems (Refer to CSA Z767 7.3.1).
Competency – The integrity of the processes described within the standards is only as solid as the people implementing them. This is particularly true for safety critical and highly specialized engineering activities including: PHA facilitation, SIL Calculations, Fire and Gas detector placement, alarm rationalization / prioritization. Using an independent 3rd party can result in a less biased study and may benefit from perspective taken from other companies and applications within the industry. CSA Z767 section 7.1 describes the requirement that all personnel be competent to perform their functions and tasks safely and effectively. A system must be maintained to ensure documented competency of personnel by way of education, training and experience appropriate for the task and associated criticality of the task. Section 6.3.2 stresses the importance of competency regarding risk assessments and modeling activities.
Feel free to reach out to the author for more information on this topic, or process safety support services.