Originally issued: July 29, 2021
Author
Shaun Williamson, P.L.(Eng.), CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
Abstract
The intent of this paper is to raise awareness of the importance of the Manager's role in implementing functional safety, and to discuss management's roles and responsibilities according to the standards. The term "Managers" is intended to cover those who direct the work of others and is not limited to a specific job title. In some companies, functional safety may not be a dedicated position; it may instead be shared by multiple people and may be a secondary responsibility. Those with management responsibilities, regardless of the organizational structure, are responsible for setting the direction of the company, including the safety culture that will be established. With proper buy-in from management who are genuine in their drive to accomplish a good safety record, the personnel closest to the job site are empowered to weigh safety matters highly in their day-to-day decision making. When this is the case, functional safety activities are much more likely to succeed in the goal of effectively managing process risk. This paper will highlight some relevant process safety standards to be aware of, including some discussion of the importance of standards compliance. There will be an explanation of the Integrated Protection Philosophy for safeguarding and discussion of some highlights that management should be aware of for effective functional safety management.
Background
Operation of industrial facilities can come with many hazards that, if not managed effectively, may result in catastrophic loss. We have learned many lessons from past industrial accidents in which workers did not return home, or in which companies were forced to cease operations or experienced a major hit to their brand reputation. Between 2007 and 2017, 128 people lost their lives in 56 process safety events according to IOGP Report 638. These unfortunate events have provided an opportunity for others to learn from mistakes commonly made by industry. For those willing to listen, there is an opportunity to advance our knowledge in pursuit of a safer means to achieve operational excellence. Global efforts have resulted in the development of instrumented safety standards to address these past failings. The goal of these standards is to reduce the risk of major industrial accidents with safe and effective safeguarding measures. It is important to note that these standards do not apply exclusively to certain industries but are intended to apply to industries and facilities of all sizes.
A common theme within these standards is a lifecycle approach to managing risk over the life of the system. The lifecycle approach theme is described in these standards by use of the Plan, Do, Check, Act model for quality management used by ISO. The idea of this model is to Plan your work, Do what you said you would (implement your plan), Check that your work was properly implemented according to your plan and then Act on any issues or failures discovered.
For functional safety to be effective, it is essential that safety regulations and the standards established by industry be followed by each company. Management is identified in Occupational Health & Safety regulations as responsible for managing the risk posed by their operations, which includes code and standards compliance. Industry standards are not typically subject to inspections, but they are often used in legal proceedings as a test for due diligence. Functional Safety can be a complex undertaking and can only work with effective leadership and the establishment of a healthy safety culture. The Manager's role in all of this cannot be overstated.
Instrumented Safety Standard Highlights
Some of the more notable instrumented safety standards in use come from the 61508 Safety Instrumented Systems (SIS) family of standards, which includes 61511 for the Process Industry. These standards provide guidance for a lifecycle approach to implementing SIS using Safety Integrity Levels (SIL). These standards are referred to globally as IEC 61508/61511. The International Society of Automation (ISA) has consolidated its ISA84 standard with the IEC standards, and they are commonly referred to in North America as the ANSI/ISA 61508/61511 standards. CSA has also adopted these IEC standards as National Standards of Canada, referring to them as CAN/CSA C22.2 No. 61511/61508. In short, these standards have been adopted and are widely in use across North America and most of the globe.
Standards organizations often release guidance documents to supplement standards supporting their implementation and to provide guidance on engineering best practices where not otherwise covered by standards. Guidance documents are usually easy to read with practical examples showing how to meet the intent of the standards.
ISA has developed various Technical Reports under ISA84 to support proper implementation of the requirements within IEC 61508/61511. Technical Report 7 under ISA84 provides guidance on Fire and Gas Engineering for industrial facilities. ISA 18.2 provides guidance on Alarm Management practices to enhance operator effectiveness. Adoption of these various standards and technical guidance reports together creates an effective integrated protection strategy.
Integrated Protection Philosophy
The figure below from 61511 provides a good visual of the typical safeguarding strategy, in which multiple layers of protection work together to prevent or mitigate the effects of an industrial accident. What this image shows is the importance of taking an integrated philosophy to protective measures and avoiding over-reliance upon any single protection category, each of which has the potential to fail.
The process is normally controlled and monitored within the normal operating limits using operator observation, basic process controls and process alarms (1st category of this model). If control cannot be maintained and a measurement moves out of the normal operating range, preventative safeguards are relied upon (2nd category). If preventative measures fail, a loss of containment may occur, in which case mitigative safeguards such as fire and gas detection and annunciation systems are relied upon to provide protection (3rd category). Plant Emergency Response procedures are used following loss of containment to minimize the impact to personnel or the environment (4th category). Community Emergency Response is then performed to protect the public when the effects of a release have the potential to extend past the plant limits (5th category). Instrumented safety is the primary focus of the first 3 categories, establishing the foundations for an effective protection strategy. Not all events can be controlled using preventative safeguards. Mitigative safeguards are often overlooked during installation and may be poorly maintained, meaning they may not be effective if not properly managed. Alarms are relied upon daily to keep the process in a safe and optimized state. However, alarms are often ineffective during upset conditions if not properly set up and maintained according to the standards. All these protection layers must work effectively over the life of the facility to avoid the need to initiate measures from the last two protection categories. Reliability of these instrumented safety protection layers is a primary focus of the industry standards described above.
Why Follow the Standards
There are many reasons why industry standards should be followed. Taking reasonable care to protect the environment, the public and workers from the risk posed by hazardous operations is both a legal and a moral responsibility. In some jurisdictions, standards may be referenced by code and regulation, giving them the force of law. Other jurisdictions may refer to the standards as "Best Practice", also known as "RAGAGEP", which is used as a test for whether an organization has met its "Legal Duty of Care" in legal proceedings following an accident. In 2010, OSHA (USA) officially recognized ANSI/ISA84.01 (now referred to as ANSI/ISA 61511) as RAGAGEP. Section 217.1 of the Criminal Code of Canada establishes legal duties for workplace health and safety, imposing serious penalties for violations resulting in injuries or death. This code attributes criminal liability to organizations, including corporations, their representatives, and those who direct the work of others. The risk of not being able to establish due diligence comes with the potential for shutdown orders, heavy fines and possible imprisonment.
Effective risk management that is achieved through standards compliance can also come with financial benefit. Many of these standards result in similar safeguard implementation to a traditional approach including design, installation, maintenance and test practices. A key difference is the higher quality of components that are used and higher quality processes followed during manufacturing and over the lifecycle to maximize reliability. While this does come with an upfront cost, high quality hardware and software solutions are more reliable, less likely to cause issues and easier to troubleshoot. The improved performance of safeguards such as alarming not only increases effectiveness in responding to unsafe situations but will also support improved control of the process leading to higher quality product and increased uptime. The bottom line is that standards compliance is well worth the effort when done well.
Importance of Establishing a Good Safety Culture
A strong safety culture can only be established in an organization by the leadership team. Organizational safety performance is directly related to the policies implemented by management and to the commitment shown towards supporting, monitoring and enforcing these policies. This requires support in the form of training, development of corporate standards, and sufficient budget for quality engineering, products, processes and systems. Risk management must be embraced by the corporation, starting with management, to realize the financial, moral and reputational rewards available. The scale of these efforts must fit the size and scale of the operations. Some companies may be able to afford an army of functional safety professionals, while others are more likely to rely upon dedicated consultants. Regardless of size, the risk exposure from a poor safety culture can be significant if not managed. Intellectual honesty should be used when considering your risk exposure. To evaluate it, ask: Does your operation make use of large quantities of stored energy, or process highly hazardous chemicals? Do you operate aging facilities relying upon protection from aging equipment? Do you maintain high occupancy levels in your facilities, or are you located in close proximity to the public or to sensitive water bodies? Do you comply with all regulations and industry standards and monitor for continued compliance? Following the risk-based approach described in the standards should result in reduction measures being directed towards where risk is greatest. Higher risk facilities will require high integrity systems to manage their risk.
Stay tuned for additional Functional Safety Highlights for Managers papers in which we plan to dive deeper into specific Functional Safety Standards requirements.
References
IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Safety instrumented systems for the process industry sector
IEC 61882 – Hazard and operability studies – Application guide
CAN/CSA-Z767 – Process Safety Management
29 CFR 1910 – OSHA Occupational Health & Safety Standard
CAN/CSA-B149.3 – Code for the Field Approval of Fuel Related Components on Appliances and Equipment
NFPA 85 – Boiler and Combustion Systems Hazards Code
NFPA 87 – Standard for Ovens and Furnaces
NFPA 86 – Standard for Fluid Heaters
Originally issued: January 5, 2022
Author
Shaun Williamson, P.L.(Eng.), CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
Abstract
This paper builds off discussion in an earlier Functional Safety Highlights for Managers paper (PSH-BLG-100) in which we discussed relevant industry standards and the importance of organizational safety culture supported by management.
The intent of this paper is to provide an introduction to SIL / SIS, an overview of the IEC 61511 safety lifecycle, discuss important activities that should be planned and discuss how management can support these activities. The last section includes some helpful tips to help fast track successful management of functional safety and how to avoid common pitfalls.
The description provided is intended to provide a high-level overview of functional safety management and will intentionally simplify many of the topics since the intended audience is not expected to become experts in this field, but rather to understand some of the terms and requirements involved with managing people and projects with a SIL / SIS component.
SIL / SIS Basics
The goal of a functional safety program should be to design out hazards and implement an inherently safe design whenever reasonably practical. In many cases, process risk cannot be eliminated and other layers of protection are required to manage it. One form of protection is mechanical systems such as relief valves. Another common form is based on Electric/Electronic/Programmable Electronic technology and is composed of sensing elements, final elements and a logic solver. These are broken into two common types:
· Basic Process Control System (BPCS)
· Safety Instrumented System (SIS)
To understand instrumented safety, it is important to understand a few terms and abbreviations.
BPCS is a system that performs basic process control functions and may also implement some safety interlocks and alarming functionality. Examples of BPCS include SCADA controllers, general use PLC and DCS controllers as well as modular self-contained controllers. A BPCS is differentiated from a Safety Instrumented System (SIS) by the lower comparative integrity that it provides which is defined as a risk reduction factor of 10 or less.
A SIS is a system that is required to provide a high level of risk reduction, with a defined Risk Reduction Factor > 10. Theoretically, the components used for such a system may even be the same as the ones that would be considered for a BPCS. However, management under IEC 61511 is required in order to achieve sufficient integrity to provide a risk reduction factor higher than 10. An SIS loop composed of sensing/final elements and a logic solver is referred to as a Safety Instrumented Function (SIF), and its risk-based integrity target is referred to as its Safety Integrity Level (SIL). The SIL represents an order of magnitude of risk reduction provided and can also be expressed as a more granular risk reduction factor (RRF) or average probability of failure on demand (PFDavg). The following table from IEC 61511 shows the relationship for SIL in a demand mode of operation.
A few things to point out relating to the table above:
· SIL 4 is extremely rare due to the extensive requirements to achieve this integrity.
· Demand mode is the most common form of SIF in which the system moves to a safe state in the event of a demand on the SIF (hazard is not continuously present). A Continuous Mode SIF is used to maintain the process in a safe state (hazard is always present) which uses a different table to define SIL. Most SIF are demand mode and therefore in most cases are based on the table above.
· Higher SIL can also have a corresponding need for higher fault tolerance (redundancy).
Safety Lifecycle Overview
IEC 61511 requires a full lifecycle approach to managing functional safety following the diagram from IEC below:
Box 1 – Begins with a process hazard assessment (PHA) on the proposed design to identify, analyze and assess risk. This is typically done starting with qualitative techniques such as HAZOP or What-If.
Box 2 - Higher process risk scenarios identified in Phase 1 are analyzed in more detail in a SIL Assessment in which SIF(s) may be defined and assigned a SIL target. The most common process for this in use is the Layer of Protection Analysis (LOPA).
The proposed SIF design is analyzed using SIL verification calculations to ensure the reliability targets (SIL), architectural constraints (fault tolerance), systematic capability and availability targets (for acceptable spurious trip rates) have been achieved. Reliability modeling is performed which takes into consideration the system voting architecture, component failure data, proof test coverage and frequency, life of the SIF (mission time), diagnostic coverage, common cause failures and many other factors. The system, or the variables affecting its reliability, can be modified until the design targets have been achieved, allowing the design to move forward into the next phase. In some cases, this process may identify a need to modify hardware/software or add redundancy, so it is important that this exercise not be left until too late in the project.
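As an added example (not code from the paper or from Watchmen), the SIL verification step described above carried out in Python using the simplified IEC 61508-6 PFDavg formulas for 1oo1, 1oo2, 2oo2 and 2oo3 voting with a beta-factor common cause term; the failure rates, beta factor, proof-test intervals and SIL 2 target are constructed values, and dangerous detected failures and repair time are ignored to keep the equations short.

```python
"""SIL verification of a demand-mode SIF with simplified IEC 61508-6 PFDavg
formulas. Added example, not from the original paper; every failure rate,
beta factor, proof-test interval and SIL target below is a constructed value
for illustration, not data from a real device or project."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61511 demand-mode bands as (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Subsystem:
    """One SIF subsystem (sensor group, logic solver or final element group)."""
    name: str
    voting: str        # "1oo1", "1oo2", "2oo2" or "2oo3"
    lambda_du: float   # dangerous undetected failure rate per channel, per hour
    beta: float = 0.0  # common-cause fraction shared by redundant channels

    def pfd_avg(self, ti_hours: float) -> float:
        """Average PFD over one proof-test interval TI. Simplified forms of the
        IEC 61508-6 equations: dangerous detected failures and repair time are
        ignored, so the independent terms reduce to powers of lambda_DU * TI."""
        x = self.lambda_du * ti_hours          # lambda_DU * TI
        ind = (1.0 - self.beta) * x            # independent share per channel
        cc = self.beta * x / 2.0               # common-cause term behaves like 1oo1
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "2oo2":
            return x                           # a dangerous failure of either channel blocks the trip
        if self.voting == "1oo2":
            return ind ** 2 / 3.0 + cc
        if self.voting == "2oo3":
            return ind ** 2 + cc
        raise ValueError(f"unsupported voting architecture {self.voting!r}")


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its IEC 61511 demand-mode SIL band; 0 if below SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def verify_sif(subsystems, ti_hours: float, sil_target: int) -> dict:
    """Sum the subsystem PFDs to the SIF PFDavg and compare with the SIL target."""
    breakdown = {s.name: s.pfd_avg(ti_hours) for s in subsystems}
    pfd = sum(breakdown.values())
    sil = sil_from_pfd(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": 1.0 / pfd,
        "sil_achieved": sil,
        "meets_target": sil >= sil_target,
        "breakdown": breakdown,
    }


# Constructed SIF: 1oo2 pressure transmitters, a 1oo1 safety PLC and a single
# shutdown valve, verified against an assumed SIL 2 target.
EXAMPLE_SIF = [
    Subsystem("transmitters", "1oo2", lambda_du=5e-7, beta=0.05),
    Subsystem("logic_solver", "1oo1", lambda_du=1e-8),
    Subsystem("shutdown_valve", "1oo1", lambda_du=1e-6),
]

if __name__ == "__main__":
    # The same hardware verified at a 1-year and a 3-year proof-test interval:
    # the valve term dominates, and stretching TI drops the design out of SIL 2.
    for years in (1, 3):
        r = verify_sif(EXAMPLE_SIF, years * HOURS_PER_YEAR, sil_target=2)
        print(f"TI={years}y PFDavg={r['pfd_avg']:.2e} RRF={r['rrf']:.0f} "
              f"SIL {r['sil_achieved']} meets target: {r['meets_target']}")
```

The breakdown shows which subsystem dominates the PFDavg, which is where adding redundancy or shortening the proof-test interval pays off first.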
Box 3 – Involves compiling the verified SIS design for all SIF(s) into a common document referred to as the Safety Requirement Specification (SRS). This document is the central repository for all information needed to design, install, test and maintain the SIF(s) so the designed integrity can be assured. This is a lifecycle document that must be kept current for the life of the SIF(s).
Box 4 – Involves using the details provided in the SRS to perform detailed design on the SIF(s) including procuring the equipment and developing loop wiring and installation drawings, commissioning & test plans and procedures. At this stage, proof test procedures are developed for each SIF which are used as part of commissioning and also regularly over the life of the SIF.
Box 5 – Is the part of the process in which the SIS and associated SIF are installed, commissioned and tested according to the engineering documents and plans from earlier phases.
Box 6 - This phase includes operational tasks for interfacing with SIS/SIF equipment including monitoring, responding to diagnostics alarms, bypass and maintenance or repair, and regular proof testing.
Box 7 – Covers any modifications to the SIF or SIS. Modifications need to be covered under a Management of Change (MoC) process and require moving back to the earliest affected phase of the lifecycle to address the changes.
Box 8 – Covers decommissioning of the SIF as the final stage of the lifecycle. When a SIF is removed from service, it must be properly decommissioned to ensure it does not have the potential to create an unsafe condition such as impairing another remaining SIF.
Box 9 – Verification is a process that continues throughout the lifecycle. The outputs from each phase must be tested and evaluated to ensure correctness and consistency with the inputs to that phase.
Box 10 – Functional safety management includes regular audits to ensure lifecycle requirements are being followed and to judge whether functional safety is being achieved.
Box 11 – Shows that planning is required for each stage to ensure lifecycle activities are performed properly to ensure functional safety is achieved.
Functional Safety Assessments (FSA) are needed at multiple stages. Stage 1 occurs after the PHA has been completed, protection layers assigned and the SRS developed. Stage 2 is performed after the SIS has been designed. Stage 3 is performed following SIS installation and commissioning completion, with operating procedures in place prior to start-up; this is also considered the pre-start-up safety review. Stage 4 is completed regularly during the course of operations. This may be timed with the turnaround frequency, and good practice is for this to be done at least every 5 years. Stage 5 is completed following modifications or decommissioning of a SIF or the SIS. Stages 1-3 require at least one senior competent member of the FSA team to be independent, not having been involved in the project design. Stages 4 and 5 require at least one senior competent member of the FSA team to be independent, not having been involved in the operation or maintenance of the SIS.
Management Role in the Safety Life Cycle
To receive the most benefit from the functional safety activities, it is necessary to ensure all requirements are met to the greatest extent possible. If the standard is treated as a box to check without embracing the objective of these activities, many steps are likely to be left out or not properly supported. The result may be a similar implementation cost but with many gaps in the installed system that could result in degraded reliability, a greater potential for spurious trips and a system that is more difficult to maintain. Here are some tips on how Management can influence the process to ensure the most value for your SIS investment.
Tip 1 – Apply good concepts consistently!
Develop corporate standards to ensure consistent application of functional safety processes across all facilities and projects regardless of the engineering team involved.
Tip 2 – Live or die by the plan!
Implement an SIS Lifecycle Management Plan. Plan activities not only for the design and construction phases but also for the operations and maintenance phases. One common issue observed is that companies go through the hard work of specifying, designing and installing SIF in compliance with IEC 61511 and then fail to put processes in place to maintain them once in operation.
Tip 3 – Competency is King!
Ensure there is sufficient functional safety competency for the entire lifecycle. This includes internal resources and partnerships with competent consultants.
One way to support proof of competency is to verify that safety certification is in place from recognized providers, such as the Exida CFSE/CFSP program, certificate programs such as the ISA84 SIS Expert and FSP programs, or the TÜV Rheinland FS program.
Another key factor when assessing competency is to consider whether personnel performing specialty activities are competent in all lifecycle phases affected by their work. The HAZOP facilitator must know how to properly structure their reports to support downstream activities such as LOPA, SIL Calculations, fire & gas systems assessments, and alarm management studies. A HAZOP facilitator that does not practice these services may document the report in ways that lead to missing information, rework, and failure to bring attention to safety critical elements so they can be effectively managed. It can also be advantageous to use the same team for all the lifecycle activities, maximizing efficiency and preventing errors due to misinterpretation caused by knowledge transfer. Consider requiring demonstrated experience with the full SIS lifecycle as part of pre-qualification for specialty activities.
Tip 4 – Audits are your friend!
Make use of regular audits to assess performance as a feedback loop for the plans you put in place. Plans are only as good as the follow-through. If plans are not enforced, the message sent to the organization is that these plans are not important. SIF(s) are used to manage the highest risk process applications in the facility. These systems should be maintained with at least the same respect and rigor as the pressure safety valves in a facility.
Tip 5 – Safety critical systems are just that (Safety Critical)!
Define all SIS and fire and gas systems as safety critical. Ensure all safety critical systems are designed, installed, tested and maintained to achieve a high level of integrity. Even if some safety critical systems (such as fire & gas) are not required to be managed under IEC 61511, they should be managed using similar processes with the same rigor. Making use of SIL certified hardware and software will ensure that the manufacturer's processes maximize reliability. Ensuring fit-for-purpose fire and gas detector coverage is in place following ISA TR84.00.07 is the most effective way to maximize fire and gas system reliability. HAZOP is not the best process to assess fire and gas detection risk and placement requirements.
Tip 6 (Canada only) – Become familiar with CSA Z767 for Process Safety Management
Compared to most standards, this National Standard of Canada is short and easy to digest. It provides good background on the roles and responsibilities of the organization and management, and it details the required elements of a process safety management program.
References
IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Safety instrumented systems for the process industry sector
CAN/CSA-Z767 – Process Safety Management
Originally issued: April 6, 2022
Author: Carsten Acker, P.L.(Eng.), CFSE
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Abstract
The intent of this paper is to build on our previous two articles providing functional safety highlights for managers to consider. This article will attempt to break the narrative that increased safety produces a net negative cash flow. Safety enhancements are rarely recognized as providing monetary benefits, and it is important to understand how to make risk work to your benefit. In this article, we will discuss some tools for managers who champion safety programs so that they are able to recognize and track their successes. Hopefully these successes are well articulated up the decision tree and more money flows back down to keep up the momentum for improvement.
Annualizing Incident Avoidance
In an ideal world, we would be able to eliminate hazards to personnel in the workplace. Statistically, however, this is an impossible feat. One simply needs to find insurance actuarial studies covering such things as asteroid strikes and other "acts of God" to recognize that ordinary daily life carries with it a certain amount of risk. Attempting to painstakingly eliminate every single potential hazard from a workplace would financially bankrupt any company. Throwing caution to the wind is no solution either. There is an engineering risk management term, "As Low As Reasonably Practicable" (ALARP), which outlines that middle ground. A risk may be considered ALARP when the cost of implementing additional risk control measures is greatly disproportionate to the gain achieved by those measures. This can be a contentious topic for obvious moral reasons. When deciding whether to implement additional safeguarding solutions, one can conduct an ALARP justification study. These are not complex in nature and should be integrated into the management approval process within an operating company environment. Strictly from a monetary vantage point, the full lifecycle costs of implementing a proposed safety enhancement are weighed against the benefits the organization will realize from the same safety enhancement. If the equation shows the company would benefit from the safety enhancement, or if the equation approaches neutrality, the organization should proceed with the proposed safety enhancement. For the purposes of keeping this discussion simple, we will discuss cost benefit without factoring in interest. The cost benefit equation is completed by annualizing the costs and benefits. Annualizing an incident is a way to recognize a year over year benefit. With similar but inverted logic, an accountant could "write down" the value of an asset if they knew it would be worth $0 in the future.
If an accountant had a $100,000,000 asset which would explode 100 years in the future, he could reasonably take a $1,000,000 write down each year for tax purposes. Conversely, if a safety enhancement decreases the chance of having a $1,000,000 incident which could reasonably occur 10 years in the future by a factor of 100, then the simplified benefit to an organization could be considered $1,000 year over year (($1,000,000 / 10) / 100). If a manager can annualize the benefits that flow out of a risk identification and risk management exercise, chances are that they will see that it had tangible cost benefit. A good understanding of risk and how to make educated decisions will allow your team to make risk work to your benefit. Accidents that occur in the absence of good risk management practices are no accident!
Increased Uptime
Spurious trips are very costly, annoying, and deflating events for any operations team. Unfortunately, it is this history of spurious trips that can be a contributing factor in deciding not to proceed with safety enhancements. It is important for managers to recognize plant availability in their decisions on safety. When done right, this is another benefit of safety enhancements that should be recognized. With Safety Instrumented System (SIS) design, device failure data is quantified. While much of the focus is on the quantity of dangerous undetected failures, data is also available which quantifies the frequency of dangerous detected failures as well as safe failures, which would lead to a spurious trip. Designing an SIS gives a user this crucial data to determine whether a device is a good fit for implementation. This should be factored into any ALARP justification. Device voting is a common strategy to enhance the SIS diagnostic capability while reducing the quantity of spurious trips. Voting of the sensing elements is a common approach to managing availability. Sensors can be arranged such that if one device has a spurious trip, the logic solver (PLC, DCS) will ignore this command if the other sensor(s) are satisfied, thus reducing the frequency with which spurious trips materialize into process disruptions.
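An added example, not code from the article or from Watchmen, that puts the annualized cost-benefit rule from the previous section and the spurious trip behaviour of the sensor voting arrangements just described into one ALARP comparison; the per-channel safe failure rate, repair time, cost per trip, capital and operating costs, and the 10 % neutrality band are all assumed values, while the $1,000,000 / 10-year / factor-of-100 incident is the article's own figure.

```python
"""Annualized cost-benefit of a safety enhancement, including the spurious
trip cost of the sensor voting arrangement it uses. Added example, not from
the original article; the failure rate, repair time, trip cost, capital and
opex figures and the neutrality band are constructed values for illustration."""

HOURS_PER_YEAR = 8760.0


def spurious_trip_rate(voting: str, lambda_s: float, mttr_hours: float) -> float:
    """Approximate spurious (safe-failure) trip rate per hour of a sensor group.
    1oo1 and 1oo2 trip on any single safe failure; 2oo2 and 2oo3 need two
    channels to fail safe within one repair time, so the rate falls sharply.
    Common-cause safe failures are ignored in this simplified form."""
    if voting == "1oo1":
        return lambda_s
    if voting == "1oo2":
        return 2.0 * lambda_s
    if voting == "2oo2":
        return 2.0 * lambda_s ** 2 * mttr_hours
    if voting == "2oo3":
        return 6.0 * lambda_s ** 2 * mttr_hours
    raise ValueError(f"unsupported voting architecture {voting!r}")


def annual_trip_cost(voting: str, lambda_s: float, mttr_hours: float,
                     cost_per_trip: float) -> float:
    """Expected spurious trip cost per year for the chosen voting."""
    return spurious_trip_rate(voting, lambda_s, mttr_hours) * HOURS_PER_YEAR * cost_per_trip


def annualized_benefit(incident_cost: float, years_to_incident: float,
                       risk_reduction_factor: float) -> float:
    """The article's simplified rule: (incident cost / years to incident) / RRF,
    interest ignored."""
    return incident_cost / years_to_incident / risk_reduction_factor


def annualized_cost(capital_cost: float, service_life_years: float,
                    annual_opex: float) -> float:
    """Straight-line lifecycle cost per year: capital spread over the service
    life plus recurring proof testing and maintenance (interest ignored)."""
    return capital_cost / service_life_years + annual_opex


def alarp_justification(benefit: float, cost: float, neutrality_band: float = 0.10) -> dict:
    """Proceed if the enhancement pays for itself or approaches neutrality.
    The 10 % band is an assumed threshold, not a figure from the article."""
    net = benefit - cost
    proceed = net >= 0 or abs(net) <= neutrality_band * cost
    return {"benefit": benefit, "cost": cost, "net": net, "proceed": proceed}


# Constructed inputs: per-transmitter safe failure rate, 24 h repair, $50k per
# trip, and a proposal to replace a 1oo1 transmitter with a 2oo3 group.
LAMBDA_S = 2e-6
MTTR = 24.0
TRIP_COST = 50_000.0

if __name__ == "__main__":
    for voting in ("1oo1", "1oo2", "2oo3"):
        print(f"{voting}: ${annual_trip_cost(voting, LAMBDA_S, MTTR, TRIP_COST):,.2f}/yr in trips")
    incident_benefit = annualized_benefit(1_000_000, 10, 100)   # $1,000/yr, from the article
    cost = annualized_cost(capital_cost=12_000, service_life_years=15, annual_opex=500)
    avoided_trips = (annual_trip_cost("1oo1", LAMBDA_S, MTTR, TRIP_COST)
                     - annual_trip_cost("2oo3", LAMBDA_S, MTTR, TRIP_COST))
    # Same proposal judged without and with the uptime benefit counted.
    print("risk reduction only:", alarp_justification(incident_benefit, cost))
    print("with avoided trips: ", alarp_justification(incident_benefit + avoided_trips, cost))
```

Run as written, the proposal fails the justification on incident avoidance alone and passes once the avoided spurious trip cost is counted, which is the point the section makes about factoring availability into the ALARP decision.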
No Cost Safety Gains
Training has taken a hit along with the economy in recent years. With our transition to working remotely, it is our mentees who have suffered the most in our organizations. Safety concepts need to be communicated to all team members so that the lessons learned are not repeated. Risk assessments are great for highlighting the highest risk within a process and can be great study material for mentees. Integral to risk assessments is the analysis of failure and safeguarding. This data can be used to identify which safeguards should be treated as safety critical, and preventative maintenance of those safety critical elements should be given correspondingly higher priority. Independence between safeguards can also be assessed: safeguards that protect against the same event can be wired to different I/O, logic solvers, etc. At the end of a project, it is easy to skip the lessons learned review. The same can be said for the risk assessment. Past process risk assessments and lessons learned should be referenced in future designs so that issues can be prevented up front, which will help to avoid repeating past mistakes.
Copyright © 2018 Watchmen Instrumented Safety Experts - All Rights Reserved.