In this paper we discuss the updated and relatively unknown BPCS independence requirements published in the 2016 version of IEC 61511. This includes some discussion on the "thorny" topic of what can be done with existing installations.
Originally issued: September 14, 2021
Shaun Williamson, P.L.(Eng.), CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
The Basic Process Control System (BPCS) is one of the most relied upon and most frequently credited safeguards in a Process Hazard Assessment (PHA) and Layer of Protection Analysis (LOPA) study. How much credit can reasonably be applied to this protection layer is a commonly debated topic. With the updates made to international standard IEC 61511 in 2016, the requirements clearly limit how much reliance can be placed on the BPCS category of safeguards, including the level of independence needed between them. Part 1 of this series discusses the BPCS independence requirements; Part 2 will review practical solutions to maximize independence and achieve IEC 61511 compliance. There will also be some discussion on how to handle reviews of existing facilities built under less stringent requirements.
History of the Dual BPCS Credits Debate
The level of independence required for dual BPCS credits has been a subject of debate in the industry for many years. The IEC 61511 international standard specifies the requirement; however, the details of how to comply have been left open to different interpretations.
IEC 61511 limits the reliance placed on the BPCS to no more than two BPCS protection layers, each credited with no more than one order of magnitude of risk reduction (two orders of magnitude in total), and only when those layers are sufficiently independent of each other and of the initiating event. Any greater risk reduction requires the function to be designed as an SIS.
Early versions of IEC 61511 were considered by some to be vague when it came to independence requirements, and industry publications were relied upon to fill in some of the gaps. The 2001 CCPS book Layer of Protection Analysis – Simplified Process Risk Assessment described a process for taking dual BPCS credits within the same logic solver (Approach B), but gave limited guidance on the circumstances under which this should be permitted.
As the IEC 61511 standard was being updated, CCPS released an updated publication in 2015 titled Guidelines for Initiating Events and Independent Protection Layers in LOPA. This update provided the additional guidance needed when taking dual BPCS credits from the same logic solver following Approach B. It highlights the engineering analysis and lifecycle management techniques (reliability calculations, proof testing, etc.) that must be performed to ensure the BPCS is properly designed and managed to support an estimated failure rate of ≤0.01/yr. These activities are not unlike those required to manage an SIS. Based on industry data that was not available when the 2001 CCPS book was released, the 2015 book points out that even when properly implemented, typical BPCS hardware (PLC, DCS) is unlikely to meet this reliability requirement. Approach B is therefore appropriate primarily for SIL-certified logic solvers and inappropriate for the vast majority of BPCS applications. The 2015 publication also cautions readers that this process may be superseded by the coming update to IEC 61511, which occurred with the 2016 release of that standard.
The path to dual BPCS credit within a common logic solver described by these two CCPS publications has since been superseded by the 2016 version of IEC 61511, which provides more clarity on the BPCS independence requirements. IEC 61511 allows up to two BPCS protection layers to be credited, either as safeguards or as part of the initiating event, only when they are fully independent (sensor, logic solver and final element). The details of these independence requirements are described below.
Follow the Industry Publication or the Industry Standard?
The 2001 CCPS publication is now over 20 years old and was a key publication providing guidance on the important concepts that led to international adoption of the LOPA process. The 2015 CCPS LOPA publication builds on the content of the 2001 publication, supporting users in becoming more proficient and improving the quality of the analysis being performed. These and other books provide guidance based on the requirements listed in industry standards at the time of their publication. Industry knowledge continues to evolve and, with it, so do the standards. This needs to be considered when relying upon publications that remain static.
It is also important to keep in mind that these industry publications are guidance documents only; their intent is to support implementation of industry standards or to provide guidance where no standards exist. IEC 61511 is an international standard adopted in many jurisdictions around the globe. It has been labelled Recognized and Generally Accepted Good Engineering Practice (RAGAGEP) within the U.S. and adopted by CSA within Canada as a National Standard of Canada. This standard will almost certainly be used as the bar for due diligence in any legal proceeding in North America and other jurisdictions in the event of an accident.
IEC 61511 Requirements for multiple BPCS credits
There are two ways to recognize two BPCS layers:
a) Two independent safeguards when the failure cause is not associated with the BPCS; or
b) One BPCS has failed as part of the initiating event and one BPCS safeguard is credited as a layer of protection.
For either case above to apply, both BPCS functions must be fully independent as per section 9.3.4 of IEC 61511-1. To make this independence requirement unambiguous, the 2016 version of IEC 61511 added two figures to Part 2, sections A.9.3.4 and A.9.3.5. These figures show a requirement for full independence of the sensing elements, logic solvers and final elements, i.e., no shared component at any of the three levels.
IEC 61511-1 Section 9.3.5 notes that “A hot backup controller is not considered to be independent of the primary controller because it is subject to common cause failures.”
IEC 61511 goes on to explain that the reason a hot backup controller is not considered independent of the primary controller is that the two contain common components that are subject to common cause failures. These components include the backplane, firmware, diagnostics, transfer mechanisms and undetected dangerous failures. The same is true of any attempt to take credit for multiple protection layers out of the same BPCS: a single cause can defeat multiple protection layers at once.
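The two credit cases (a) and (b) above, the per-layer limit and the full-independence test can be written down as a small LOPA check. The following is an added example, not code from the paper or from IEC 61511; the tag names, the 0.1/yr BPCS loop failure initiating event frequency and the PFD values of the sample scenarios are hypothetical. A hot backup controller would be modelled here as the same logic solver string as its primary, since the standard treats the pair as one controller.

```python
"""LOPA scenario check enforcing the IEC 61511 BPCS credit rules.

Added example, not code from the paper or from IEC 61511. The tag names,
PFDs and the BPCS loop initiating event frequency below are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

BPCS_MAX_FUNCTIONS = 2   # at most two BPCS functions in total: IPLs plus a failed initiating loop
BPCS_MIN_PFD = 0.1       # one order of magnitude per BPCS layer (RRF <= 10) unless designed as an SIS
BPCS_LOOP_IEF = 0.1      # assumed initiating event frequency for a BPCS loop failure, per year


@dataclass(frozen=True)
class Function:
    """One instrumented function: sensor -> logic solver -> final element."""
    tag: str
    kind: str            # "BPCS", "SIS", "RELIEF", ...
    pfd: float           # probability of failure on demand credited in LOPA
    sensor: str
    logic_solver: str
    final_element: str


@dataclass
class Scenario:
    name: str
    ief: float                            # initiating event frequency, per year
    initiating_loop: Optional[Function]   # BPCS loop whose failure is the initiating event (case b)
    ipls: list[Function]                  # credited independent protection layers


def fully_independent(a: Function, b: Function) -> bool:
    """IEC 61511-2 A.9.3.4 / A.9.3.5: no shared sensor, logic solver or final element."""
    return (a.sensor != b.sensor
            and a.logic_solver != b.logic_solver
            and a.final_element != b.final_element)


def bpcs_credit_issues(s: Scenario) -> list[str]:
    """Return the reasons the BPCS credits in a scenario are not compliant (empty if OK)."""
    issues = []
    bpcs_ipls = [f for f in s.ipls if f.kind == "BPCS"]
    for f in bpcs_ipls:
        if f.pfd < BPCS_MIN_PFD:
            issues.append(f"{f.tag}: PFD {f.pfd} claims more than one order of magnitude for a BPCS layer")
    # The failed initiating loop counts as one of the two BPCS functions (case b).
    functions = bpcs_ipls + ([s.initiating_loop] if s.initiating_loop else [])
    if len(functions) > BPCS_MAX_FUNCTIONS:
        issues.append(f"{len(functions)} BPCS functions credited; at most {BPCS_MAX_FUNCTIONS} allowed")
    for i, a in enumerate(functions):
        for b in functions[i + 1:]:
            if not fully_independent(a, b):
                issues.append(f"{a.tag} and {b.tag} share a sensor, logic solver or final element")
    return issues


def mitigated_frequency(s: Scenario) -> float:
    """Mitigated event frequency = IEF x product of the credited IPL PFDs."""
    f = s.ief
    for ipl in s.ipls:
        f *= ipl.pfd
    return f


# Case (b): BPCS pressure loop PC-101 fails (initiating event); a fully separate BPCS
# loop, a SIF and a mechanical relief valve are credited. All tags are hypothetical.
pc101 = Function("PC-101", "BPCS", 1.0, "PT-101", "DCS-A", "PV-101")   # pfd unused here
compliant = Scenario(
    "pressure reduction, separate loops", BPCS_LOOP_IEF, pc101,
    [Function("PAHH-102", "BPCS", 0.1, "PT-102", "DCS-B", "XV-102"),
     Function("SIF-201", "SIS", 0.01, "PT-201", "SIS-1", "XV-201"),
     Function("PSV-301", "RELIEF", 0.01, "PSV-301", "PSV-301", "PSV-301")])  # self-contained

# "Approach B": two BPCS credits taken from the same logic solver as the failed loop.
approach_b = Scenario(
    "pressure reduction, shared DCS", BPCS_LOOP_IEF, pc101,
    [Function("PAHH-102", "BPCS", 0.1, "PT-102", "DCS-A", "XV-102"),
     Function("PAHH-103", "BPCS", 0.01, "PT-103", "DCS-A", "XV-103")])

if __name__ == "__main__":
    for s in (compliant, approach_b):
        print(s.name, f"{mitigated_frequency(s):.1e}/yr", bpcs_credit_issues(s) or "compliant")
```

Running the block reports the first scenario as compliant with a mitigated frequency of 1e-6/yr, and lists five problems with the Approach B scenario: a BPCS layer claiming more than a factor of 10, three BPCS functions credited, and every pair of them sharing DCS-A.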
It could be said that the BPCS independence requirements in IEC 61511 have not necessarily changed. What is different is that the intent of the independence requirements was not clear in the previous versions of the standard, and third-party guidance documents described an approach that could be considered less restrictive than the current requirements. With clearer direction on the intent of the BPCS independence requirements in IEC 61511, there should be less confusion about what is, and is not, compliant.
That being said, what do we do with existing facilities built under less stringent requirements, or at a time when the requirements were less clear? Since IEC 61511 does not allow for grandfathering, in theory compliance should be pursued at the earliest opportunity. While this standard would likely be used as a test for due diligence, it seems reasonable that alternatives providing the needed risk reduction may be considered when the cost of a full upgrade is grossly disproportionate to the benefit. As with other risk mitigation efforts, the risk can be reduced significantly with little effort when compared against doing nothing. Full compliance can be planned and budgeted for in the future while the low-hanging fruit is picked in the short term.
An alternative to full compliance would require detailed engineering analysis and justification before the decision is formalized. It would likely require that owners take all reasonable measures to mitigate risk and move towards compliance when reasonably practicable. It is also reasonable to assume that full compliance should be pursued for all new installations and for modifications to existing facilities. This decision deserves careful consideration and should be documented properly as proof of due diligence. A decision not to upgrade to the latest requirements without any documented justification may leave the owner and the responsible decision makers exposed to legal liability in the event of an accident. Since the level of risk tolerance is determined by the owner, the process that will be followed is ultimately the owner's choice; the risk assessment team is tasked with participating in and supporting the path that was selected. It is recommended that this discussion take place before any PHA effort begins.
Contact an experienced and competent risk management professional with a background in automation to consult on the options regarding how best to approach these types of situations including alternative approaches that may be considered.
For more discussion on practical guidance on implementation of these BPCS independence requirements, look out for Part 2 in this BPCS Independence Requirements series (PHA-BLG-103).
IEC 61511-1:2016, Functional safety: Safety instrumented systems for the process industry sector, Part 1: Framework, definitions, system, hardware and application programming requirements
IEC 61511-2:2016, Functional safety: Safety instrumented systems for the process industry sector, Part 2: Guidelines for the application of IEC 61511-1:2016
CCPS, Layer of Protection Analysis: Simplified Process Risk Assessment, 2001
CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, 2015
Originally issued: July 29, 2021
Shaun Williamson, P.L.(Eng.), CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
The intent of this paper is to raise awareness of the importance of the manager's role in implementing functional safety, and to discuss management's roles and responsibilities according to the standards. The term "managers" is intended to cover those who direct the work of others and is not limited to a specific job title. In some companies, functional safety may not be a dedicated position; it may be shared by multiple people and may be a secondary responsibility. Those with management responsibilities, regardless of the organizational structure, are responsible for setting the direction of the company, including the safety culture that will be established. With proper buy-in from management who are genuine in their drive to achieve a good safety record, the personnel closest to the job site are empowered to weigh safety matters highly in their day-to-day decision making. When this is the case, functional safety activities are much more likely to succeed in the goal of effectively managing process risk. This paper highlights some relevant process safety standards to be aware of, including some discussion on the importance of standards compliance. It explains the Integrated Protection Philosophy for safeguarding and discusses some highlights that management should be aware of for effective functional safety management.
Operation of industrial facilities can come with many hazards that, if not managed effectively, may result in catastrophic loss. We have had many learnings from past industrial accidents in which workers did not return home, or companies were forced to cease operations or experienced a major hit to their brand reputation. Between 2007 and 2017, 128 people lost their lives in 56 process safety events according to IOGP Report 638. These unfortunate events have provided an opportunity for others to learn from mistakes commonly made by industry. For those willing to listen, there is an opportunity to advance our knowledge in pursuit of a safer means to achieve operational excellence. Global efforts have resulted in the development of instrumented safety standards to address these past failings. The goal of these standards is to reduce the risk of major industrial accidents with safe and effective safeguarding measures. It is important to note that these standards do not apply exclusively to certain industries but are intended to apply to industries and facilities of all sizes.
A common theme within these standards is a lifecycle approach to managing risk over the life of the system. The lifecycle approach theme is described in these standards by use of the Plan, Do, Check, Act model for quality management used by ISO. The idea of this model is to Plan your work, Do what you said you would (implement your plan), Check that your work was properly implemented according to your plan and then Act on any issues or failures discovered.
For functional safety to be effective, it is essential that safety regulations and the industry standards established by industry be followed by each company. Management is identified in Occupational Health & Safety regulations as responsible for managing the risk posed by their operations, which includes code and standards compliance. Industry standards are not typically subject to inspection, but they are often used in legal proceedings as a test for due diligence. Functional safety can be a complex undertaking and can only work with effective leadership and the establishment of a healthy safety culture. The manager's role in all of this cannot be overstated.
Instrumented Safety Standard Highlights
Some of the more notable instrumented safety standards in use come from the IEC 61508 functional safety family of standards, which includes IEC 61511 for the process industry. These standards provide a lifecycle approach to implementing Safety Instrumented Systems (SIS) using Safety Integrity Levels (SIL). They are referred to globally as IEC 61508/61511. The International Society of Automation (ISA) has consolidated its ISA84 standard with the IEC standards, which are commonly referred to in North America as ANSI/ISA 61508/61511. CSA has also adopted these IEC standards as National Standards of Canada, referring to them as CAN/CSA C22.2 No. 61511/61508. In short, these standards have been adopted and are widely in use across North America and most of the globe.
Standards organizations often release guidance documents to supplement standards supporting their implementation and to provide guidance on engineering best practices where not otherwise covered by standards. Guidance documents are usually easy to read with practical examples showing how to meet the intent of the standards.
ISA has developed various Technical Reports under ISA84 to support proper implementation of the requirements within IEC 61508/61511. ISA-TR84.00.07 provides guidance on fire and gas engineering for industrial facilities, and ANSI/ISA-18.2 addresses alarm management practices to enhance operator effectiveness. Adoption of these standards and technical reports together creates an effective integrated protection strategy.
Integrated Protection Philosophy
The figure below, from IEC 61511, provides a good visual of the typical safeguarding strategy in which multiple layers of protection work together to prevent or mitigate the effects of an industrial accident. What the image shows is the importance of taking an integrated approach to protective measures and avoiding over-reliance upon any single protection category, since any one of them has the potential to fail.
The process is normally controlled and monitored within the normal operating limits using operator observation, basic process controls and process alarms (1st category of this model). If control cannot be maintained and a measurement moves out of the normal operating range, preventive safeguards are relied upon (2nd category). If preventive measures fail, a loss of containment may occur, in which case mitigative safeguards such as fire and gas detection and annunciation systems are relied upon to provide protection (3rd category). Plant emergency response procedures are used following loss of containment to minimize the impact on personnel and the environment (4th category). Community emergency response is then performed to protect the public when the effects of a release have the potential to extend past the plant limits (5th category). Instrumented safety is the primary focus of the first three categories, establishing the foundation for an effective protection strategy. Not all events can be controlled using preventive safeguards. Mitigative safeguards are often overlooked during installation and may be poorly maintained, meaning they may not be effective if not properly managed. Alarms are relied upon daily to keep the process in a safe and optimized state; however, alarms are often ineffective during upset conditions if not properly set up and maintained according to the standards. All of these protection layers must work effectively over the life of the facility to avoid the need to initiate measures from the last two protection categories. Reliability of these instrumented safety protection layers is a primary focus of the industry standards described above.
Why Follow the Standards
There are many reasons why industry standards should be followed. Taking reasonable care to protect the environment, the public and workers from the risk posed by hazardous operations is both a legal and a moral responsibility. In some jurisdictions, standards may be referenced by code and regulation, giving them the force of law. Other jurisdictions may refer to the standards as "Best Practice", also known as Recognized and Generally Accepted Good Engineering Practice (RAGAGEP), which is used as a test of whether an organization has met its legal duty of care in legal proceedings following an accident. In 2010, OSHA (USA) officially recognized ANSI/ISA84.01 (now referred to as ANSI/ISA 61511) as RAGAGEP. Section 217.1 of the Criminal Code of Canada establishes legal duties for workplace health and safety, imposing serious penalties for violations resulting in injury or death. This code attributes criminal liability to organizations, including corporations, their representatives, and those who direct the work of others. The risk of not being able to establish due diligence comes with the potential for shutdown orders, heavy fines and possible imprisonment.
Effective risk management that is achieved through standards compliance can also come with financial benefit. Many of these standards result in similar safeguard implementation to a traditional approach including design, installation, maintenance and test practices. A key difference is the higher quality of components that are used and higher quality processes followed during manufacturing and over the lifecycle to maximize reliability. While this does come with an upfront cost, high quality hardware and software solutions are more reliable, less likely to cause issues and easier to troubleshoot. The improved performance of safeguards such as alarming not only increases effectiveness in responding to unsafe situations but will also support improved control of the process leading to higher quality product and increased uptime. The bottom line is that standards compliance is well worth the effort when done well.
Importance of Establishing a Good Safety Culture
A strong safety culture can only be established in an organization by the leadership team. Organizational safety performance is directly related to the policies implemented by management and to the commitment shown towards supporting, monitoring and enforcing those policies. This requires support in the form of training, development of corporate standards, and sufficient budget for quality engineering, products, processes and systems. Risk management must be embraced by the corporation, starting with management, to realize the financial, moral and reputational rewards available. The scale of these efforts must fit the size and scale of the operations. Some companies may be able to afford an army of functional safety professionals, while others are more likely to rely upon dedicated consultants. Regardless of size, the risk exposure created by a poor safety culture can be significant if not managed. Intellectual honesty should be used when considering your risk exposure. To evaluate it, consider the following: Does your operation make use of large quantities of stored energy, or process highly hazardous chemicals? Do you operate aging facilities relying upon protection from aging equipment? Do you maintain high occupancy levels in your facilities, or are you located in close proximity to the public or to sensitive water bodies? Do you comply with all regulations and industry standards and monitor for continued compliance? Following the risk-based approach described in the standards should result in reduction measures being directed towards where the risk is greatest. Higher risk facilities will require higher integrity systems to manage their risk.
Stay tuned for additional Functional Safety Highlights for Managers papers in which we plan to dive deeper into specific Functional Safety Standards requirements.
IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 – Functional safety: Safety instrumented systems for the process industry sector
IEC 61882 – Hazard and operability studies (HAZOP studies): Application guide
CAN/CSA-Z767 – Process Safety Management
29 CFR 1910 – OSHA Occupational Safety and Health Standards
CAN/CSA-B149.3 – Code for the field approval of fuel-related components on appliances and equipment
NFPA 85 – Boiler and Combustion Systems Hazards Code
NFPA 86 – Standard for Ovens and Furnaces
NFPA 87 – Standard for Fluid Heaters
Originally issued: April 13, 2021
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland)
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Process Hazard Assessments, A Cost Savings Measure
Process Hazard Assessments (PHAs) are often performed for reasons such as standards compliance or due diligence. These are all good reasons to perform a hazard assessment; however, not all companies fully buy into the need for them, and some try to minimize the time spent on the effort or avoid it altogether when possible. Have you ever considered that a well-run PHA may actually save the company money in the long run? In addition to improved safety and environmental protection, this should be the goal. But first, some context on why they are necessary. As we consider the standard requirements and potential benefits of a PHA, let us take the example of an application involving pressure reduction of a flammable gas in an area that is normally unmanned and not located in an environmentally sensitive area.
What are the requirements? Is my project exempt? Why should I bother?
The requirements may vary in each jurisdiction; however, the core principles tend to be the same. Occupational Health and Safety standards specify a requirement to protect the public and workers from hazards posed by a company's operations. The National Standard of Canada CAN/CSA Z767-17, published in 2017, lays out a very broad definition of the scope of this standard in industrial applications. It states that the standard "identifies the requirements for a Process Safety Management system for facilities and worksites handling or storing materials that are potentially hazardous, either due to an inherent chemical, biological, toxicological, or physical property of those materials, or due to the material's potential or kinetic energy." As you can see, there is virtually no industrial facility small enough to be considered out of the scope of that definition, and our pressure reduction example is no exception.
CAN/CSA Z767-17 and other National Standards may be used to assess the minimum threshold of process safety management due diligence in the event of court proceedings following an industrial accident. In 2004, Bill C-45 established a legal duty of care, including serious penalties for violations by organizations, including corporations, their representatives and those who direct the work of others. Section 217.1 of the Criminal Code, as added by Bill C-45, reads, "Every one who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task." With Bill C-45 in force, the risks of not performing due diligence to protect workers or the public are high. This risk applies not only to the corporation but also to anyone with a duty of care, including project engineers assigned responsibility for the PHA. The standards are intentionally not prescriptive in their hazard assessment requirements so that a user can apply different hazard assessment techniques to a variety of unique applications. Fortunately, there are a variety of hazard assessment methodologies to choose from that can meet your technical and financial needs under the guidance of a competent risk management professional.
Getting the most from your Risk Assessments is about technique
Hazard assessments can be performed multiple times during a project and the technique may vary depending on the scope. At a minimum, a hazard assessment should be performed on the fully formed design. The advantage of performing additional hazard assessments early in design is that the ability for improvements (i.e., hazard elimination or substitution) is greater due to the low cost of changes at this stage. When identified late in design, the potential to make changes is lower and the cost impact is much higher.
The What-If analysis technique is pretty much what it sounds like. The engineered drawings are broken into smaller systems and the facilitator asks questions framed as "What if ...?" about various components and processes to identify and analyze hazards. This and the other hazard assessment techniques compare the scenario risk against the owner's risk criteria, typically documented in a risk matrix, to determine whether existing safeguards are sufficient and, where needed, to identify opportunities for improvement. This format is less structured and less intensive, and therefore has less up-front cost, than the more common HAZOP technique described below. It has similar inputs and outputs to the other techniques and is appropriate for projects in the feasibility phase or for low-complexity systems. When used on a large project in the early stages of design involving hazardous processes, it should be followed by a more stringent hazard assessment technique closer to the conclusion of design.
A HAZard and OPerability (HAZOP) review is the most common process hazard assessment technique. It functions much like a What-If, but with more structure. The process under scrutiny is broken into manageable nodes and pre-defined guidewords are applied to identify and analyze hazards. This assessment will answer the question, "What consequence can be expected if our proposed pressure reduction control fails, and what safeguards are in place to protect the downstream equipment?" This example is referred to as single jeopardy, since only one failure needs to occur for the hazard to be realized (excluding safeguards). Using a qualitative approach for this example, it is likely that multiple safeguards would be required to bring the risk to an acceptable level due to the overpressure potential of this combustible product. In some cases, these additional protection layers may not have been considered in the original design and therefore may not have been budgeted for. Before making costly design changes, further analysis will help to remove conservatism and better quantify the level of risk reduction needed, avoiding an overly conservative approach. This is where LOPA comes in.
The previously described techniques are qualitative and therefore, in most instances, should not be used for hazardous processes without a quantitative approach such as Layer of Protection Analysis (LOPA) to complement them. CAN/CSA Z767-17 states that "The hazard assessment should be quantitative in nature for scenarios that can result in large scale health, safety, or environmental consequences." The most efficient way to conduct a hazard assessment with a LOPA is to use the qualitative processes described above as a sorting mechanism to identify high-risk scenarios. The low-risk scenarios are assessed using the HAZOP or What-If; the high-risk scenarios are sent to LOPA to be analyzed, with no further review needed in a HAZOP setting.
LOPA is a semi-quantitative hazard assessment technique with many of the same inputs and outputs as the techniques listed above. Being more quantitative in nature, LOPA is more rigorous than HAZOP or What-If, requiring more effort from stakeholders while allowing for removal of some of the conservatism built into qualitative techniques. The team can take partial credit for conditional factors (such as probability of occupancy, probability of ignition or time at risk) that would not be appropriate in a qualitative assessment. In our example, the low occupancy level in the area would certainly be factored into the health and safety consequence discussions and may reduce the risk reduction requirement for the proposed safeguard(s). Reducing the assessment effort on low-risk scenarios and redistributing it to high-risk scenarios removes conservatism and often results in fewer recommendations for costly changes, saving the project money.
LOPA also provides the ability to specify a high integrity function to provide multiple orders of magnitude of risk reduction in the form of a Safety Instrumented Function (SIF), rather than needing to design multiple protection layers to close risk gaps. In our example, the design team may exercise the option to consolidate multiple low-integrity safeguards into a single high-integrity safeguard, which could result in a cost savings.
Properly documented scenarios
Whichever hazard assessment technique is utilized, it is important that it be documented appropriately so the powerful information contained within can be put to good use. Avoid getting caught in the weeds documenting incomplete thoughts, missing important scenarios or spending exorbitant time on low-risk scenarios. Document the root concern taking into consideration the most severe credible outcomes. Assess risk without planned safeguards, so we can understand how many safeguards are necessary taking into consideration the fact that safeguards can fail. Consider “knock-on” consequences that occur when a safeguarding strategy transfers risk elsewhere (i.e. pressure relief device discharging toxic material into the atmosphere). Use the PHA to identify safety critical elements, then make sure these safeguards are properly deployed. Be specific when documenting safeguard tags, equipment tags and drawing references so they can be searched and kept up to date. Organize the report in a way that users can easily find important information and can clearly understand the hazards in the process.
Safeguard identification is one of the most common improperly documented components in a hazard assessment. For a safeguard to be effective it must be “Specific”, “Auditable”, “Independent”, and “Dependable”.
The safeguard must be “Specific” to the hazard and not rely upon an indirect measurement.
If a safeguard is not properly documented and "Auditable", it is likely that it will not be properly designed, installed and maintained to perform the intended function. A poor audit trail also makes it harder to demonstrate due diligence should an accident occur.
Safeguards that are not “Independent” cannot be relied upon to act appropriately when common elements have failed causing the initial hazard. Logic solver independence requirements can be complicated and at times contentious. BPCS and SIS independence requirements are defined in detail in IEC 61511. Specific attention should be paid to BPCS independence with a corporate policy defined prior to performing a hazard assessment.
Credited safeguards must be “Dependable” in preventing the hazard under consideration. If the safeguard will only work sometimes, then risk should be assessed assuming the safeguard may not be reliable and a better safeguard should be considered.
Can a risk assessment pay for itself, or even save money?
Hazard assessments are almost always viewed under the lens of costing extra money, when they can certainly be viewed in a more nuanced way. There are some obvious costs associated with performing the hazard assessment. They include the cost of the hazard assessment proceedings itself and the cost of implementing recommendations for improvements that arise. These costs can be controlled by the team with guidance from a facilitator experienced with multiple hazard assessment techniques, and safeguarding design strategies. Competency in multiple assessment techniques breeds agility and efficiency. Safeguarding solution design competency also aids in applying the right solution for the application. The facilitator should have proven practical experience in complex safeguard design such as Safety Instrumented Systems (SIL rated instrumented safeguards) particularly for high-risk scenarios that will be evaluated in a LOPA.
The potential cost savings associated with a hazard assessment can be substantial and deserves consideration. Hazards are inherent to industrial processes and cannot be eliminated entirely, but they can be managed. We cannot manage what we do not measure, and hazard assessments are required to measure risk.
Using the ALARP principle (As Low As Reasonably Practicable), the decision on whether to invest in additional safeguards can be evaluated using a cost-benefit calculation. ALARP is a frequently used term which is often misunderstood and/or misapplied. Your hazard assessment should attempt to identify ways to reduce the risk further whenever the residual risk is above the low threshold. From a strictly fiscal perspective, one can annualize the cost of a fatality and then quantify the year-over-year benefit of reducing the frequency of a fatality. Using simplified calculations, consider our example where a fatality could cost a corporation $2,000,000, and the corporation has the opportunity to reduce the likelihood of a fatality from 1 in 100 years to 1 in 10,000 years using an additional safeguard. Without the mitigation from an additional safeguard, the annualized cost of a single fatality would be $20,000 (2,000,000/100). With the mitigation provided by an additional safeguard, the annualized cost of a fatality would be $200 (2,000,000/10,000). Using our pressure reduction design example, if the annualized cost of the additional mitigation (including lifecycle maintenance costs) is less than $19,800 per year, the company would see a financial benefit from implementing the risk mitigation, in addition to the obvious moral reasons for doing so. Performing this calculation gives the owner a reasonable basis for these decisions and demonstrates due diligence when deciding to refrain from adding safeguarding equipment. Conversely, choosing not to install a device with an annualized cost of $15,000 would not meet the ALARP principle, and the design may be found not to be reasonably adequate upon investigation.
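The following is an added example written for this page (it is not code from the white paper or from Watchmen Instrumented Safety Experts) that turns the simplified ALARP cost-benefit calculation above into a reusable check. It generalizes the paper's single case to any consequence cost and any pair of unmitigated/mitigated return periods, and to comparing several candidate safeguards at once. The figures embedded below are the paper's own illustrative numbers ($2,000,000 per fatality, 1 in 100 years unmitigated, 1 in 10,000 years mitigated, $15,000 per year for the candidate device); the optional disproportion factor, the Scenario/Safeguard names and the function names are assumptions of this example, not terms from the paper.

```python
"""Simplified ALARP cost-benefit check for an additional safeguard.

Added example, not from the original white paper.  The model is the one
the paper uses: the annualized risk cost of a consequence is its cost
divided by its mean return period in years, and a safeguard is
financially justified when the annual risk cost it removes is at least
its annualized lifecycle cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    consequence_cost: float   # $ cost of one occurrence (e.g. a fatality)
    unmitigated_years: float  # mean years between occurrences without the safeguard
    mitigated_years: float    # mean years between occurrences with the safeguard


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float        # annualized capital + lifecycle maintenance cost, $/year


def annualized_risk_cost(consequence_cost: float, return_period_years: float) -> float:
    """Expected $ per year = cost of one event / mean years between events."""
    if return_period_years <= 0 or consequence_cost < 0:
        raise ValueError("return period must be positive and cost non-negative")
    return consequence_cost / return_period_years


def risk_reduction_factor(s: Scenario) -> float:
    """How many times less frequent the event becomes with the safeguard."""
    return s.mitigated_years / s.unmitigated_years


def annual_benefit(s: Scenario) -> float:
    """$ per year of risk cost removed by the safeguard (paper's $20,000 - $200)."""
    before = annualized_risk_cost(s.consequence_cost, s.unmitigated_years)
    after = annualized_risk_cost(s.consequence_cost, s.mitigated_years)
    return before - after


def alarp_justified(s: Scenario, annual_safeguard_cost: float,
                    disproportion_factor: float = 1.0) -> bool:
    """True when the safeguard should be installed under the paper's rule.

    disproportion_factor is an assumption beyond the paper's simplified
    calculation: ALARP practice commonly accepts a safeguard whose cost
    is up to some multiple of the benefit before calling it grossly
    disproportionate.  With the default of 1.0 this is exactly the
    paper's comparison: install when cost < benefit removed.
    """
    if disproportion_factor < 1.0:
        raise ValueError("disproportion factor must be >= 1")
    return annual_safeguard_cost <= annual_benefit(s) * disproportion_factor


def evaluate_options(s: Scenario, options: list[Safeguard]) -> dict[str, dict]:
    """Score several candidate safeguards against one scenario."""
    benefit = annual_benefit(s)
    return {
        o.name: {
            "annual_cost": o.annual_cost,
            "net_annual_saving": benefit - o.annual_cost,
            "justified": alarp_justified(s, o.annual_cost),
        }
        for o in options
    }


# The white paper's illustrative numbers (constructed here as a fixture).
PAPER_SCENARIO = Scenario(consequence_cost=2_000_000,
                          unmitigated_years=100,
                          mitigated_years=10_000)

# Candidate devices; only the $15,000 figure comes from the paper, the
# other two are constructed for comparison.
PAPER_OPTIONS = [
    Safeguard("device from paper", 15_000),
    Safeguard("cheaper device (constructed)", 5_000),
    Safeguard("over-engineered device (constructed)", 25_000),
]

if __name__ == "__main__":
    print(f"annual benefit: ${annual_benefit(PAPER_SCENARIO):,.0f}")
    print(f"risk reduction factor: {risk_reduction_factor(PAPER_SCENARIO):.0f}")
    for name, result in evaluate_options(PAPER_SCENARIO, PAPER_OPTIONS).items():
        print(f"{name}: {result}")
```

Running the block reproduces the paper's $19,800 per year benefit and flags the $15,000 device as justified; the comparison table is the part a risk owner would attach to a recommendation to show the basis for proceeding or declining.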
While process risk assessments may seem as though they are expensive and time-consuming, recognize that they are required and when they are conducted under the leadership of an experienced professional, the benefits should not be underestimated.
Revised with Updates: May 28, 2020
Originally issued: February 28, 2019
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
In Search of Clarity
Historically within Canada, there has been limited guidance in the form of regulations specifying mandatory process safety management requirements that must be followed. While on the surface this seems like it would allow more flexibility, in practice this has made it difficult for companies to understand their obligations relating to process safety management as they balance the potential costs of implementing such a program. The resulting confusion has left a wide gap between what activities are performed from one company to the next. In contrast, some countries including the United States have implemented process safety regulations that provide explicit mandatory requirements for activities that must be followed based on clearly defined criteria (OSHA 1910.119 and EPA 40 CFR Part 68).
Canadian national regulations and standards have been evolving in recent years in order to provide more clarity on mandatory requirements versus “Best Practices” for industry to follow. On February 20, 2017 CSA published the CAN/CSA Z767-17 Process Safety Management standard (referred to below as CSA Z767). The purpose of this document is to standardize the performance requirements that companies should implement as part of a process safety management system. CSA Z767 has been confirmed as a National Standard of Canada, giving the standard nation-wide recognition by industry and by the provinces and territories. Following the issue of CSA Z767, CSA also adopted the following international IEC standards:
The 2018 Canadian Electrical Code (CEC) references these new CSA process safety standards, making them mandatory and enforceable across Canada. Some provincial regulatory authorities have taken exception to including these standards under an equipment safety standard, which is what the CEC Part 2 safety standards were intended for. Alberta Municipal Affairs has since released a Standata (18-CEBC-2), dated December 2019, stating that IEC 61508-3 and IEC 61511 are not equipment standards and were listed in the Part 1 Standard in error. This means that these standards are not enforceable under the electrical code in this jurisdiction, but they may still be enforced in others. While not enforced in certain jurisdictions as part of the electrical code, the CSA 61508 and 61511 series of standards remain "National Standards of Canada".
Regulation and Standards Explained
It is important to understand and take into consideration both regulatory requirements and best practices when developing a corporate process safety management plan. However, it is not always obvious when a standard is considered a mandatory requirement or instead considered a “Best Practice”. Questions often arise whether a “Best Practice” has to be followed, and whether there is any risk in ignoring a “Best Practice” in order to reduce costs.
Canadian Provincial Occupational Health and Safety (OHS) regulations place the responsibility on employers to protect the safety of their workers and the public from hazards posed by their operations through documented risk identification, assessment and control measures. Employers failing in this duty may face fines and, in some cases, criminal charges under Section 217.1 of the Canadian Criminal Code (also known as Bill C-45).
National Standards of Canada are developed by committees comprised of manufacturers, consumers, retailers, unions, professional organizations and governmental agencies. These standards are intended to promote nation-wide standardization and often are developed to adhere with similar internationally recognized standards. Many standards are considered “Best Practices” and therefore by this definition considered voluntary, while others become mandatory when referenced in regulations or adopted by local authorities having jurisdiction (AHJ). The Canadian electrical code (CEC) is an example of a National Standard of Canada adopted by the provincial authorities giving this standard the force of law.
Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)
In the US, OSHA has implemented a process that requires documented compliance with “Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)”. RAGAGEP is based on established codes, standards, recommended practices, technical reports or similar documents. In the US, RAGAGEP is mandatory and audited for compliance. While the RAGAGEP term comes from U.S. regulations, the RAGAGEP principle applies in Canada not as a mandatory requirement but as a means to establish documented due diligence in fulfilling the duty to protect workers and the public. Under RAGAGEP, codes are used to establish minimum requirements and, in the absence of applicable codes, consensus standards should be applied. When codes and consensus standards are not available or do not adequately address specific hazards, non-consensus documents may be applied on a case-by-case basis to establish RAGAGEP. Furthermore, an employer’s internal standards may serve as RAGAGEP when no published RAGAGEP exists or when available RAGAGEP needs to be supplemented in order to better control hazards. When used, internal standards must meet or exceed the protective requirements of published RAGAGEP where it exists.
When a mandatory code is not applicable, companies have the right to follow a standard other than the applicable national standard or to implement their own standard. A common example is an international company that wishes to standardize its approach across the globe and adopts a more stringent international standard. For example, the U.S. process safety standard OSHA 1910.119 specifies, among other things, mandatory requirements for when the required activities of a process hazard analysis (PHA) must be performed, including a 5-year revalidation requirement. It is important to remember that whichever standard is adopted, the company remains obligated to perform its duties under the OH&S regulations and therefore may have to defend its reasoning and actions in the event of an accident. Implementing a process that is less stringent than the applicable national standard is not advisable. Failing to take reasonable measures to properly protect the public and workers puts both the company and responsible individuals at risk (e.g. potential fines, imprisonment, court awards). The RAGAGEP principle is the most likely test that will be used to evaluate whether measures are “reasonable” within Canada.
Adopting National Standards can have the added benefit of ensuring customer confidence and may provide efficiencies through taking a standardized approach. Complying or failing to comply with standards may also affect insurability and/or insurance premiums.
There are many regulations and standards to be aware of, which can be difficult to keep track of for those who do not deal with them on a regular basis. Feel free to reach out to the author for more information on this topic, or for process safety support services. Look for our coming White Paper “New CSA Codes for Process Safety Management” for important Instrumented Safety RAGAGEP that all Canadian operating companies with hazardous process operations should be aware of.
Revised with Updates: May 28, 2020
Original Issue: March 4, 2019
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
Recommended reading: Before reading this white paper, it is highly recommended to first read our In Search of Clarity - Standards and Regulations white paper (originally issued February 28, 2019 and revised with updates March 28, 2020) for a discussion of the applicability and enforceability of codes and standards.
CSA 61511 and 61508 Adopted as part of Canadian Electrical Code (CEC)
Many Canadian companies are quite familiar with the international standards IEC 61508 and IEC 61511, which have been in use within Canada for many years as a “Best Practice” for the implementation of Safety Instrumented Systems (SIS) within the process industry. Others may not have heard of these standards, since they have not been enforced as a mandatory requirement within Canada. Together, these standards detail a lifecycle approach to managing the SIS, along with the processes and documentation required for proper implementation.
These standards have long been a regulated requirement in other parts of the world. With recent changes to the Canadian Electrical Code, the time has come for all companies to learn the requirements of these standards and how to implement them. The 2018 Canadian Electrical Code (CEC) references the CAN/CSA C22.2 No. 61508 and CAN/CSA C22.2 No. 61511 standards in the Part 1 standard, making them a mandatory part of the CEC. The CEC is adopted by each province and occasionally includes some jurisdiction-specific variances. Alberta Municipal Affairs has taken exception to these standards being referenced as part of the equipment standards by issuing Standata 18-CEBC-2 (dated December 2019) and therefore will not be enforcing them as part of the CEC. It is unclear how other provinces will handle enforcement or whether the CEC will be modified in the next release. For jurisdictions such as Alberta that choose not to enforce these standards as part of the electrical code, it is important that companies understand that these CSA standards remain "National Standards of Canada".
Working with Performance Based Standards
CSA 61511 and CSA 61508 are performance-based standards as opposed to prescriptive standards like most of the other C22.2 standards. These standards detail a process for achieving tolerable risk through the application of electrical/electronic/programmable electronic safety-related systems, but do not cover hazards arising from the equipment itself (for example electric shock). These standards do not specify when an SIS must be used, but rather provide guidance on how to determine if it should be used and list the requirements for proper implementation. An SIS should not be the first hazard control measure considered, but in some cases may be the most cost-effective option available. Once it has been determined that an SIS will be used, these standards detail mandatory requirements for implementation. The 61511 Part 2 and 3 standards are informative sections that provide additional guidance on the use of SIS and should be consulted along with 61511 Part 1.
Enforcement of CSA 61511 and 61508
Many existing installations have been approved having met the electrical code requirements at the time of installation and inspection. While there does not seem to be a published document from provincial authorities to date on how enforcement of this new regulation will be handled, new CEC updates typically are not required to be implemented on existing installations that have been previously inspected against the "then current" version of the code unless serious safety risk is posed by not updating the installation. CEC changes that will require updates to existing installations and be enforced are specifically identified by the Provinces (not the case for these standards to date). Previously approved installations continue to be considered compliant until such time as the installation is modified. At that time, compliance with the latest codes and re-inspection is required. All new installations are required to meet the current code requirements at the time of installation.
Details have not yet been provided by the provinces on what the inspection process might look like, and to date inspections do not appear to be taking place. Assuming inspections will eventually begin, there will likely be a phase-in period during which inspectors will need to be educated on the CSA 61511 standard. Since there are no physical requirements specified by the standard, a reasonable approach to inspection would be in the form of an audit. The audit would check for evidence that the mandatory documentation and processes are in place to validate that the required lifecycle activities have been performed properly, that the need for an SIS was determined one way or the other, and that any SIS implemented meets all of the requirements of the standard (i.e. PHA, SIL assessment, SIL verification calculations, Safety Requirement Specification, Proof Test Procedures, Functional Safety Assessments, Training etc.).
Adoption of this standard is intended to fulfill a company’s obligations for protection of the public and its workers under the OH&S act and as part of Recognized and Generally Accepted Good Engineering Practice (RAGAGEP). Added benefits of compliance can include meeting requirements for insurability and potential insurance premium reductions. The performance-based nature of these standards supports prioritizing risk reduction resources towards the highest-risk areas of the facility, while reducing the resources spent in low-risk areas.
Implementation of CSA 61511
There are many activities required for full compliance with this standard. A few specific requirements to be aware of are highlighted below:
In the event a SIS is selected as part of the risk reduction strategy, the requirements of CSA 61511 shall be followed including the following highlighted activities:
CAN/CSA Z767-17 Adopted as a National Standard of Canada
CAN/CSA Z767 (also referred to within as CSA Z767) is a National Standard of Canada not yet adopted as regulation and therefore considered a “Best Practice”. As discussed in the In Search of Clarity - Standards & Regulations article, it is highly advisable to treat the elements of the CSA Z767 standard as a minimum requirement for compliance and use as RAGAGEP.
Section 4.2 describes the scope of this standard: “This standard defines the minimum requirements that shall be in place for a process safety management system (PSM) throughout the life cycle of the facility.” The standard describes accountability and responsibility for process safety management activities with Senior Management holding ultimate accountability (Section 5.1.1). Senior Management, Supervisors and Workers are all responsible for PSM with their roles further described in section 5.3.
This standard discusses requirements that many existing process facilities are deficient in. Unchecked, these have the potential to contribute to the initiation of, or failure to prevent a major accident. Issues covered include:
Maintenance of Safety Critical Documents - Many facilities do not have the up-to-date engineering documents required to support the safe operation and maintenance of the facility. CSA Z767 addresses this issue by requiring this safety critical documentation to be maintained over the life of the facility. Safety critical documentation identified in the standard includes: Plot Plan, PFDs with material balance, P&IDs, control philosophies, shutdown keys, PSV sizing sheets, Electrical Area Classification drawings, PHAs (Refer to section 6.1).
Process Hazard Assessments (PHA) – Many existing facilities have either never had a PHA, or the PHA is no longer valid due to changes in design, operation, corporate risk systems or the original assumptions used. CSA Z767 requires that a PHA (most commonly performed using HAZOP) be revalidated every 5 years. Changes to the facility must be managed by a management of change (MoC) process, with a PHA used to assess the changes. The 5-year revalidation is a good time to consolidate the smaller PHAs completed as part of the MoC process into one covering the entire facility, ensuring that effects within all nodes identified in the smaller sessions are considered (refer to section 6.3 for details).
Alarm Management - Some facilities rely heavily upon alarms with operator action and in many cases have never performed alarm management activities. Most of these facilities experience alarm flooding and other nuisance alarms causing safety critical alarms to be ignored. Rarely is there an established process to prioritize an operator response to high criticality alarms. In many cases, operations can change alarm setpoints, disable, shelve or bypass alarms without any formal risk assessment, change management or approval processes. CSA Z767 requires the responsible organization to put in place an alarm management process to cover the identification and prioritization of critical alarms and interlocks. This process must ensure a procedure is in place to control changes to alarm setpoints and interlock systems and to perform regular testing of alarms, interlocks and other critical safeguards (refer to section 18.104.22.168 – 22.214.171.124).
Fire & Gas Detection – Fire and gas detection is often relied upon as the last line of defense in a safeguarding strategy, however most facilities have never validated that detector quantities and coverage are appropriate based on application specific risk. Typically, detector locations and quantities are arbitrarily chosen with no established philosophy. Final locations are selected by the electrician with little guidance provided in engineering packages on exact placement required or how to point / orient them, sensitivity settings or even what equipment they are intended to cover. Detectors and associated annunciation equipment (i.e. horn, strobes) are rarely maintained properly resulting in poor protection and a false sense of security. The ISA TR84.00.07 standard provides guidance for engineering and design of fire and gas detection systems. This “best practice” provides a detailed process that may be applied to comply with the CSA Z767 requirements for risk identification, assessment and control of fire and gas hazards. Written inspection, testing and maintenance procedures must be in place to ensure the ongoing integrity of the installed fire and gas protection systems (Refer to CSA Z767 7.3.1).
Competency – The integrity of the processes described within the standards is only as solid as the people implementing them. This is particularly true for safety critical and highly specialized engineering activities including PHA facilitation, SIL calculations, fire and gas detector placement, and alarm rationalization / prioritization. Using an independent 3rd party can result in a less biased study and may benefit from the perspective gained from other companies and applications within the industry. CSA Z767 section 7.1 describes the requirement that all personnel be competent to perform their functions and tasks safely and effectively. A system must be maintained to ensure documented competency of personnel by way of education, training and experience appropriate for the task and the associated criticality of the task. Section 6.3.2 stresses the importance of competency regarding risk assessment and modeling activities.
Feel free to reach out to the author for more information on this topic, or process safety support services.
Watchmen Instrumented Safety Experts (WISE) is a Functional Safety Engineering company with specialized expertise in preventative and mitigative instrumented safety. Our expertise includes HAZOP & LOPA Facilitation, SIL / SIS Calculations and Consulting, Alarm Management, Fire and Gas Systems Engineering. Consult one of our experts for your instrumented safety project today.
Copyright © 2018 Watchmen Instrumented Safety Experts - All Rights Reserved.