This paper discusses the adoption of the CAN/CSA C22.2 No. 61508 and 61511 standards into the CEC, provincial enforcement and variances, and the adoption of CAN/CSA Z767.
Originally issued: April 13, 2021
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland)
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Process Hazard Assessments, A Cost Savings Measure
Process Hazard Assessments (PHAs) are often performed for reasons such as standards compliance or due diligence. These are all good reasons to perform a hazard assessment; however, not all companies fully buy into the need for them and often try to minimize the time spent on this effort or avoid it altogether when possible. Have you ever considered that a well-run PHA may actually save the company money in the long run? In addition to improved safety and environmental protection, this should be the goal. But first some context on why they are necessary. As we consider the standard requirements and potential benefits of a PHA, let us use an example application involving pressure reduction of a flammable gas in an area that is normally unmanned and not located in an environmentally sensitive area.
What are the requirements? Is my project exempt? Why should I bother?
The requirements may vary in each jurisdiction; however, the core principles tend to be the same. Occupational Health and Safety standards specify a requirement to protect the public and workers from hazards posed by a company’s operations. In 2017, the National Standard of Canada CAN/CSA Z767-17 laid out a very broad definition of where this standard applies in industrial applications. It states that the standard “identifies the requirements for a Process Safety Management system for facilities and worksites handling or storing materials that are potentially hazardous, either due to an inherent chemical, biological, toxicological, or physical property of those materials, or due to the material’s potential or kinetic energy.” As you can see, virtually no industrial facility is too small to fall outside the scope of that definition, and our pressure reduction example is no exception.
CAN/CSA Z767-17 and other National Standards may be used to assess the minimum threshold of process safety management due diligence in the event of court proceedings following an industrial accident. In 2004, Bill C-45 established a legal duty of care, including serious penalties for violations by organizations, including corporations, their representatives and those who direct the work of others. Bill C-45 section 217.1 reads, “Everyone who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task.” With the addition of Bill C-45, the risks of not performing due diligence to protect workers or the public are high. This risk applies not only to the corporation but also to anyone with a duty of care, including project engineers assigned responsibility for the PHA. The standards are intentionally not prescriptive in their hazard assessment requirements so that a user can apply different hazard assessment techniques to a variety of unique applications. Fortunately, there are a variety of hazard assessment methodologies to choose from which, under the guidance of a competent risk management professional, can meet your technical and financial needs.
Getting the most from your Risk Assessments is about technique
Hazard assessments can be performed multiple times during a project and the technique may vary depending on the scope. At a minimum, a hazard assessment should be performed on the fully formed design. The advantage of performing additional hazard assessments early in design is that the ability for improvements (i.e., hazard elimination or substitution) is greater due to the low cost of changes at this stage. When identified late in design, the potential to make changes is lower and the cost impact is much higher.
The What-If analysis technique is pretty much how it sounds. The engineered drawings are broken into smaller systems and the facilitator asks questions framed by “What-If” about various components and processes to identify and analyze hazards. This and the other hazard assessments compare the scenario risk against the owner’s risk systems typically documented in a risk matrix to determine if existing safeguards are sufficient and when needed, identify opportunities for improvement. This format is less structured, less intensive, and therefore has less up-front cost than the more common HAZOP technique described below. It has similar inputs and outputs as the other techniques and is appropriate for projects in the feasibility phase or on low complexity systems. When used on a large project in the early stages of design involving hazardous processes, it should be followed by a more stringent hazard assessment technique closer to design conclusion.
A HAZard and OPerability (HAZOP) review is the most common process hazard assessment technique. It functions much like a What-If but with more structure. The process under scrutiny is broken into manageable nodes and pre-defined guidewords are applied to identify and analyze hazards. This assessment will answer the question, “What consequence can be expected if our proposed pressure reduction control fails, and what safeguards are in place to protect the downstream equipment?” This example is referred to as single jeopardy since only one failure needs to occur for the hazard to be realized (excluding safeguards). Using a qualitative approach for this example, it is likely that multiple safeguards would be required to drive the risk to an acceptable level due to the overpressure potential of this combustible product. In some cases, these additional protection layers may not have been considered in the original design and therefore may not have been budgeted for. Before making costly design changes, further analysis will help to remove conservatism and better quantify the level of risk reduction needed, avoiding an overly conservative approach. This is where LOPA comes in.
The previously described techniques are qualitative and therefore in most instances should not be used for hazardous processes without a quantitative approach such as Layer of Protection Analysis (LOPA) to complement them. CAN/CSA Z767-17 states that, “The hazard assessment should be quantitative in nature for scenarios that can result in large scale health, safety, or environmental consequences.” The most efficient way to conduct a hazard assessment with a LOPA is to use the qualitative processes described above as a sorting mechanism to identify high-risk scenarios. The low-risk scenarios are assessed using the HAZOP/What-If. The high-risk scenarios are sent to LOPA to be analyzed with no further review needed in a HAZOP setting.
LOPA is a semi-quantitative hazard assessment technique with inputs and outputs similar to those of the techniques listed above. Being more quantitative in nature, LOPA is more rigorous than HAZOP/What-If, requiring more effort from stakeholders while allowing for removal of some of the conservatism built into qualitative techniques. The team can take partial credit for conditional factors (such as probability of occupancy, probability of ignition or time-at-risk) that would not be appropriate in a qualitative assessment. In our example, taking credit for a low occupancy level in the area would certainly be factored into the health and safety consequence discussions and may reduce the risk reduction requirements for the proposed safeguard(s). Reducing the assessment effort on low-risk scenarios and redistributing the effort to high-risk scenarios removes conservatism and often results in fewer recommendations for costly changes, saving the project money.
LOPA also provides the ability to specify a high integrity function to provide multiple orders of magnitude of risk reduction in the form of a Safety Instrumented Function (SIF), rather than needing to design multiple protection layers to close risk gaps. In our example, the design team may exercise the option to consolidate multiple low-integrity safeguards into a single high-integrity safeguard, which could result in a cost savings.
Properly documented scenarios
Whichever hazard assessment technique is utilized, it is important that it be documented appropriately so the powerful information contained within can be put to good use. Avoid getting caught in the weeds documenting incomplete thoughts, missing important scenarios or spending exorbitant time on low-risk scenarios. Document the root concern, taking into consideration the most severe credible outcomes. Assess risk without planned safeguards so that we can understand how many safeguards are necessary, taking into consideration the fact that safeguards can fail. Consider “knock-on” consequences that occur when a safeguarding strategy transfers risk elsewhere (e.g. a pressure relief device discharging toxic material into the atmosphere). Use the PHA to identify safety critical elements, then make sure these safeguards are properly deployed. Be specific when documenting safeguard tags, equipment tags and drawing references so they can be searched and kept up to date. Organize the report in a way that users can easily find important information and can clearly understand the hazards in the process.
Safeguard identification is one of the most common improperly documented components in a hazard assessment. For a safeguard to be effective it must be “Specific”, “Auditable”, “Independent”, and “Dependable”.
The safeguard must be “Specific” to the hazard and not rely upon an indirect measurement.
If a safeguard is not properly documented and “Auditable”, it is likely that it will not be properly designed, installed, and maintained to perform the intended function. A poor audit trail also makes it harder to support due diligence should an accident occur.
Safeguards that are not “Independent” cannot be relied upon to act appropriately when common elements have failed causing the initial hazard. Logic solver independence requirements can be complicated and at times contentious. BPCS and SIS independence requirements are defined in detail in IEC 61511. Specific attention should be paid to BPCS independence with a corporate policy defined prior to performing a hazard assessment.
Credited safeguards must be “Dependable” in preventing the hazard under consideration. If the safeguard will only work sometimes, then risk should be assessed assuming the safeguard may not be reliable and a better safeguard should be considered.
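The four criteria above can be partly screened from the PHA worksheet itself. The following is an added example, not code from the white paper or from Watchmen: a small Python checker that flags credited safeguards which are undocumented (no tag or drawing reference), which sense the hazard only indirectly, which share components with the initiating cause (the independence problem noted above for BPCS-based safeguards), or which have no documented basis for their claimed reliability. The scenario, tags (PIC-101, PSV-101, PAH-101, SIF-101), drawing references and component names are constructed for illustration.

```python
"""
Added example (not from the white paper): screen the safeguards credited in a
PHA scenario against the "Specific", "Auditable", "Independent" and
"Dependable" criteria as far as the worksheet itself allows. All tags,
drawing references and component names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Safeguard:
    tag: str                        # instrument/equipment tag; blank means nothing to audit
    description: str
    drawing_ref: str                # P&ID or drawing the safeguard can be traced to
    components: Set[str]            # elements the safeguard needs in order to act
    detects_hazard_directly: bool   # True if it senses the hazardous condition itself
    reliability_basis: str          # documented basis for the credited PFD; blank if none


@dataclass
class Scenario:
    initiating_cause: str
    cause_components: Set[str]      # elements whose failure is the initiating cause
    safeguards: List[Safeguard] = field(default_factory=list)


def check_safeguard(sg: Safeguard, cause_components: Set[str]) -> List[str]:
    """Return the criteria the safeguard fails; an empty list means it may be credited."""
    findings = []
    if not sg.detects_hazard_directly:
        findings.append("not Specific: relies on an indirect measurement of the hazard")
    if not sg.tag.strip() or not sg.drawing_ref.strip():
        findings.append("not Auditable: missing tag or drawing reference")
    shared = sg.components & cause_components
    if shared:
        findings.append("not Independent: shares %s with the initiating cause" % sorted(shared))
    if not sg.reliability_basis.strip():
        findings.append("not Dependable: no documented basis for the credited reliability")
    return findings


def review_scenario(scenario: Scenario) -> Dict[str, List[str]]:
    """Map each safeguard (by tag, or by description if untagged) to its findings."""
    return {
        sg.tag or sg.description: check_safeguard(sg, scenario.cause_components)
        for sg in scenario.safeguards
    }


def creditable_safeguards(scenario: Scenario) -> List[str]:
    """Tags of safeguards that pass every check and may be carried into LOPA."""
    return [tag for tag, findings in review_scenario(scenario).items() if not findings]


def sample_scenario() -> Scenario:
    """Constructed pressure-reduction scenario: the BPCS pressure control loop fails."""
    return Scenario(
        initiating_cause="PIC-101 pressure control loop fails, overpressuring downstream piping",
        cause_components={"PT-101", "BPCS logic solver", "PCV-101"},
        safeguards=[
            Safeguard("PSV-101", "relief valve on downstream separator", "P&ID-001",
                      {"PSV-101"}, True, "vendor data, sized per relief sizing sheet RS-001"),
            # Alarm driven by the same transmitter and logic solver as the failed loop.
            Safeguard("PAH-101", "high pressure alarm with operator response", "P&ID-001",
                      {"PT-101", "BPCS logic solver"}, True, "operator response procedure OP-12"),
            # Undocumented, indirect safeguard that should not be credited as written.
            Safeguard("", "operator notices the leak on rounds", "",
                      {"operator"}, False, ""),
            Safeguard("SIF-101", "SIS high pressure trip closing XV-101", "P&ID-002",
                      {"PT-102", "SIS logic solver", "XV-101"}, True, "SIL verification calc SV-101"),
        ],
    )


if __name__ == "__main__":
    for tag, findings in review_scenario(sample_scenario()).items():
        print(tag, "->", findings or ["creditable"])
```

Running the sample flags PAH-101 as not independent because it shares PT-101 and the BPCS logic solver with the initiating cause, and rejects the untagged "operator notices the leak" entry on three counts; only PSV-101 and SIF-101 pass. The component-overlap test is a simple set intersection; a real review would also apply the BPCS independence policy the text recommends defining before the assessment.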
Can a risk assessment pay for itself, or even save money?
Hazard assessments are almost always viewed under the lens of costing extra money, when they can certainly be viewed in a more nuanced way. There are some obvious costs associated with performing the hazard assessment. They include the cost of the hazard assessment proceedings themselves and the cost of implementing the recommendations for improvement that arise. These costs can be controlled by the team with guidance from a facilitator experienced with multiple hazard assessment techniques and safeguarding design strategies. Competency in multiple assessment techniques breeds agility and efficiency. Safeguarding solution design competency also aids in applying the right solution for the application. The facilitator should have proven practical experience in complex safeguard design such as Safety Instrumented Systems (SIL-rated instrumented safeguards), particularly for high-risk scenarios that will be evaluated in a LOPA.
The potential cost savings associated with a hazard assessment can be substantial and deserves consideration. Hazards are inherent to industrial processes and cannot be eliminated entirely, but they can be managed. We cannot manage what we do not measure, and hazard assessments are required to measure risk.
Using the ALARP principle (As Low As Reasonably Practicable), the decision on whether to invest in additional safeguards can be evaluated using a cost-benefit calculation. ALARP is a frequently used term which is often misunderstood and/or misapplied. Your hazard assessment should attempt to identify ways to reduce the risk further when the residual risk is above the lower threshold. From a strictly fiscal perspective, one can annualize the cost of a fatality and then quantify the year-over-year benefit of reducing the frequency of a fatality. Using simplified calculations, consider our example where a fatality could cost a corporation $2,000,000, and the corporation had the opportunity to reduce the likelihood of a fatality from 1 in 100 years to 1 in 10,000 years using an additional safeguard. Without the benefit of mitigation from an additional safeguard, the annualized cost of a single fatality would be $20,000 (2,000,000/100). With mitigation provided by an additional safeguard, the annualized cost of a fatality would be $200 (2,000,000/10,000). Using our pressure reduction design example, if the annualized cost of the additional mitigation (including lifecycle maintenance costs) is less than $19,800 per year, the company would see a financial benefit from proceeding with the implementation of the risk mitigation, in addition to the obvious moral reasons for doing so. Performing this calculation provides the owner with a reasonable approach to these decisions, and shows due diligence when deciding to refrain from adding further safeguarding equipment. Choosing not to install a device with an annualized cost of $15,000 would not meet the ALARP principle, and the design may be found not to be reasonably adequate upon an investigation.
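The LOPA credit described earlier (conditional modifiers such as occupancy and ignition, credited independent protection layers, and a single SIF sized to close the remaining gap) and this ALARP cost-benefit calculation can be carried through in a few lines. The following is an added example, not code from the white paper or from Watchmen. The initiating event frequency, modifier probabilities, PSV credit, target frequency and the SIL credit scale (one order of magnitude of risk reduction per SIL level) are assumptions, chosen so that the conservative case reproduces the 1-in-100-year figure above.

```python
"""
Added example, not code from the white paper or from Watchmen: a small
LOPA-style calculator that credits conditional modifiers and existing
independent protection layers (IPLs), sizes the risk gap a new Safety
Instrumented Function (SIF) would have to close, and runs the ALARP
cost-benefit comparison described in the text. Frequencies are events per
year and probabilities are dimensionless. Every sample value (initiating
event frequency, ignition and occupancy probabilities, PSV credit, target
frequency) is constructed for illustration.
"""
from dataclasses import dataclass, field
from math import ceil, log10
from typing import Dict, Optional

# Relative tolerance so that products such as 0.1 * 0.1 / 1e-4, which come out as
# 100.00000000000003 in floating point, are treated as a risk reduction factor of 100.
TOL = 1e-9


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float                                          # demands per year
    conditional_modifiers: Dict[str, float] = field(default_factory=dict)  # e.g. ignition, occupancy
    existing_ipl_pfd: Dict[str, float] = field(default_factory=dict)       # credited IPLs and their PFDavg

    def unmitigated_frequency(self) -> float:
        """Consequence frequency with conditional modifiers applied but no IPL credit."""
        f = self.initiating_event_freq
        for p in self.conditional_modifiers.values():
            f *= p
        return f

    def mitigated_frequency(self) -> float:
        """Consequence frequency after crediting the PFDavg of every existing IPL."""
        f = self.unmitigated_frequency()
        for pfd in self.existing_ipl_pfd.values():
            f *= pfd
        return f


def required_rrf(scenario: Scenario, target_freq: float) -> float:
    """Risk reduction factor still needed to reach the target frequency (1.0 means no gap)."""
    rrf = scenario.mitigated_frequency() / target_freq
    return rrf if rrf > 1.0 + TOL else 1.0


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Lowest SIL whose typical LOPA credit (RRF 10, 100, 1000, 10000 for SIL 1 to 4,
    assumed here) covers the required RRF; None when there is no gap to close."""
    if rrf <= 1.0 + TOL:
        return None
    sil = ceil(log10(rrf) - TOL)  # RRF 10 -> SIL 1, 100 -> SIL 2, 101 -> SIL 3
    if sil > 4:
        raise ValueError("gap exceeds SIL 4: revisit the process design or add non-SIS layers")
    return max(sil, 1)


def annualized_risk_cost(cost_per_event: float, event_freq: float) -> float:
    """Expected yearly cost of an event: cost of one event times events per year."""
    return cost_per_event * event_freq


def alarp_cost_benefit(cost_per_event: float, freq_before: float, freq_after: float,
                       annual_safeguard_cost: float) -> dict:
    """Compare the yearly risk cost a safeguard removes with what it costs to own per year."""
    benefit = (annualized_risk_cost(cost_per_event, freq_before)
               - annualized_risk_cost(cost_per_event, freq_after))
    return {
        "annual_benefit": benefit,
        "annual_safeguard_cost": annual_safeguard_cost,
        # Declining a safeguard that costs less than the risk it removes is not ALARP.
        "install_to_meet_alarp": annual_safeguard_cost <= benefit,
    }


def worked_example() -> dict:
    """The pressure-reduction scenario from the text, with constructed numbers."""
    target = 1e-4  # assumed corporate target: one fatality in 10,000 years
    name = "flammable gas overpressure, normally unmanned area"
    # Qualitative-style treatment: no occupancy credit taken (occupancy = 1.0).
    conservative = Scenario(name, 0.1, {"ignition": 0.1, "occupancy": 1.0})
    # LOPA treatment: partial credit for the area being normally unmanned.
    with_credit = Scenario(name, 0.1, {"ignition": 0.1, "occupancy": 0.1})
    # Same scenario with an existing relief valve credited as an IPL.
    with_psv = Scenario(name, 0.1, {"ignition": 0.1, "occupancy": 0.5},
                        {"PSV-001 (assumed credit)": 0.01})
    return {
        "conservative_sil": sil_for_rrf(required_rrf(conservative, target)),
        "with_credit_sil": sil_for_rrf(required_rrf(with_credit, target)),
        "with_psv_sil": sil_for_rrf(required_rrf(with_psv, target)),
        # $2,000,000 per fatality, 1 in 100 years before and 1 in 10,000 after,
        # against a safeguard that costs $15,000 per year to own.
        "cost_benefit": alarp_cost_benefit(2_000_000, 1 / 100, 1 / 10_000, 15_000),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(key, value)
```

With these assumed numbers the conservative case (no occupancy credit) lands at 1 in 100 years and needs a SIL 2 SIF to reach the target; taking credit for low occupancy drops the requirement to SIL 1, and crediting an existing PSV closes the gap without any SIF. The cost-benefit call returns the $19,800 annual benefit from the text and confirms that declining a $15,000-per-year safeguard would not meet ALARP.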
While process risk assessments may seem as though they are expensive and time-consuming, recognize that they are required and when they are conducted under the leadership of an experienced professional, the benefits should not be underestimated.
Revised with Updates: May 28, 2020
Originally issued: February 28, 2019
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
In Search of Clarity
Historically within Canada, there has been limited guidance in the form of regulations specifying mandatory process safety management requirements that must be followed. While on the surface this seems like it would allow more flexibility, in practice this has made it difficult for companies to understand their obligations relating to process safety management as they balance the potential costs of implementing such a program. The resulting confusion has left a wide gap between what activities are performed from one company to the next. In contrast, some countries including the United States have implemented process safety regulations that provide explicit mandatory requirements for activities that must be followed based on clearly defined criteria (OSHA 1910.119 and EPA 40 CFR Part 68).
Canadian national regulations and standards have been evolving in recent years in order to provide more clarity on mandatory requirements versus “Best Practices” for industry to follow. On February 20, 2017 CSA published the CAN/CSA Z767-17 Process Safety Management standard (referred to below as CSA Z767). The purpose of this standard is to standardize the performance requirements that companies should implement as part of a process safety management system. CSA Z767 has been confirmed as a National Standard of Canada, giving the standard nation-wide recognition by industry and by the provinces and territories. CSA followed up the publication of CSA Z767 by adopting the following international IEC standards:
The 2018 Canadian Electrical Code (CEC) references these new CSA process safety standards, making them mandatory and enforceable across Canada. Some provincial regulatory authorities have taken exception to including these standards under an equipment safety standard, which is what the CEC Part 2 safety standards were intended for. Alberta Municipal Affairs has since released a Standata (18-CEBC-2), dated December 2019, stating that IEC 61508-3 and IEC 61511 are not equipment standards and were listed in the Part 1 Standard in error. This means that these standards are not enforceable under the electrical code in this jurisdiction, but may still be enforced in others. While not enforced in certain jurisdictions as part of the electrical code, the CSA 61508 and 61511 series of standards remain "National Standards of Canada".
Regulation and Standards Explained
It is important to understand and take into consideration both regulatory requirements and best practices when developing a corporate process safety management plan. However, it is not always obvious when a standard is considered a mandatory requirement or instead considered a “Best Practice”. Questions often arise whether a “Best Practice” has to be followed, and whether there is any risk in ignoring a “Best Practice” in order to reduce costs.
Canadian Provincial Occupational Health and Safety (OHS) regulations place the responsibility on employers to protect the safety of their workers and the public from hazards posed by their operations through documented risk identification, assessment and control measures. Employers failing in this duty may face fines and, in some cases, criminal charges under Section 217.1 of the Canadian Criminal Code (also known as Bill C-45).
National Standards of Canada are developed by committees comprised of manufacturers, consumers, retailers, unions, professional organizations and governmental agencies. These standards are intended to promote nation-wide standardization and often are developed to adhere with similar internationally recognized standards. Many standards are considered “Best Practices” and therefore by this definition considered voluntary, while others become mandatory when referenced in regulations or adopted by local authorities having jurisdiction (AHJ). The Canadian electrical code (CEC) is an example of a National Standard of Canada adopted by the provincial authorities giving this standard the force of law.
Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)
In the US, OSHA has implemented a process that requires documented compliance with “Recognized and Generally Accepted Good Engineering Practices (RAGAGEP)”. RAGAGEP is based on established codes, standards, recommended practices, technical reports or similar documents. In the US, RAGAGEP is mandatory and audited for compliance. While the RAGAGEP term comes from U.S. regulations, the RAGAGEP principle applies in Canada not as a mandatory requirement but instead as a means to establish documented due diligence in fulfilling the duty to protect workers and the public. Under RAGAGEP, codes are used to establish minimum requirements and, in the absence of applicable codes, consensus standards should be applied. When codes and consensus standards are not available or do not adequately address specific hazards, non-consensus documents may be applied on a case-by-case basis to establish RAGAGEP. Furthermore, an employer’s internal standards may serve as RAGAGEP when no published RAGAGEP exists or when available RAGAGEP needs to be supplemented in order to better control hazards. When used, internal standards must meet or exceed the protective requirements of published RAGAGEP where it exists.
When a mandatory code is not applicable, companies have the right to choose to follow a standard other than the applicable national standard or to implement their own standard. A common example of this is when an international company wishes to standardize its approach across the globe and adopts a more stringent international standard. For example, the U.S. process safety standard OSHA 1910.119 specifies, among other things, mandatory requirements for when the required activities of a process hazard analysis (PHA) must be performed, including a 5-year revalidation requirement. It is important to remember that whichever standard is adopted, the company remains obligated to perform its duties under the OH&S regulations and therefore may be forced to defend its reasoning and actions in the event of an accident. Implementing a process that is less stringent than the applicable national standard is not advisable. Failing to take reasonable measures to properly protect the public and workers puts both the company and responsible individuals at risk (i.e. potential fines, imprisonment, court awards). The RAGAGEP principle is the most likely test that will be used to evaluate whether measures are “reasonable” within Canada.
Adopting National Standards can have the added benefit of ensuring customer confidence and may provide efficiencies through taking a standardized approach. Complying or failing to comply with standards may also affect insurability and/or insurance premiums.
There are many regulations and standards to be aware of which can be difficult for those that do not deal with them on a regular basis. Feel free to reach out to the author for more information on this topic, or process safety support services. Look for our coming White Paper “New CSA Codes for Process Safety Management” for important Instrumented Safety RAGAGEP all Canadian operating companies with hazardous process operations should be aware of.
Revised with Updates: May 28, 2020
Original Issue: March 4, 2019
Shaun Williamson, P.L. Eng., CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
Recommended reading: Before reading this white paper, it is highly recommended to first read our In Search of Clarity - Standards and Regulations white paper (originally issued February 28, 2019 and revised with updates March 28, 2020) for a discussion of the applicability and enforceability of codes and standards.
CSA 61511 and 61508 Adopted as part of Canadian Electrical Code (CEC)
Many Canadian companies are quite familiar with the international standards IEC 61508 and IEC 61511, which have been in use within Canada for many years as a “Best Practice” for the implementation of Safety Instrumented Systems (SIS) within the process industry. Others may not have heard of these standards since they have not been enforced as a mandatory requirement within Canada. Together, these standards detail a lifecycle approach to managing an SIS, including the required processes and documentation for proper implementation.
These standards have long been a regulated requirement in other parts of the world. With recent changes to the Canadian Electrical Code, the time has come for all companies to learn the requirements of these standards and how to implement them. The 2018 Canadian Electrical Code (CEC) references the CAN/CSA C22.2 No. 61508 and CAN/CSA C22.2 No. 61511 standards in the Part 1 standard, making them a mandatory part of the CEC. The CEC is adopted by each province and occasionally includes some jurisdiction-specific variances. Alberta Municipal Affairs has taken exception to these standards being referenced as part of equipment standards by issuing Standata 18-CEBC-2 (dated December 2019) and therefore will not be enforcing them as part of the CEC. It is unclear how other provinces will handle enforcement or whether the CEC will be modified in the next release. For jurisdictions such as Alberta that choose not to enforce these standards as part of the electrical code, it is important that companies understand that these CSA standards remain "National Standards of Canada".
Working with Performance Based Standards
CSA 61511 and CSA 61508 are performance-based standards as opposed to prescriptive standards like most of the other C22.2 standards. These standards detail a process for achieving tolerable risk through the application of electrical/electronic/programmable electronic safety-related systems, but do not cover hazards arising from the equipment itself (for example electric shock). These standards do not specify when an SIS must be used, but rather provide guidance on how to determine if it should be used and list the requirements for proper implementation. An SIS should not be the first hazard control measure considered, but in some cases may be the most cost-effective option available. Once it has been determined that an SIS will be used, these standards detail mandatory requirements for implementation. The 61511 Part 2 and 3 standards are informative sections that provide additional guidance on the use of SIS and should be consulted along with 61511 Part 1.
Enforcement of CSA 61511 and 61508
Many existing installations have been approved having met the electrical code requirements at the time of installation and inspection. While there does not seem to be a published document from provincial authorities to date on how enforcement of this new regulation will be handled, new CEC updates typically are not required to be implemented on existing installations that have been previously inspected against the "then current" version of the code unless serious safety risk is posed by not updating the installation. CEC changes that will require updates to existing installations and be enforced are specifically identified by the Provinces (not the case for these standards to date). Previously approved installations continue to be considered compliant until such time as the installation is modified. At that time, compliance with the latest codes and re-inspection is required. All new installations are required to meet the current code requirements at the time of installation.
Details have not yet been provided by the provinces on what the inspection process might look like, and to date inspections do not appear to be taking place. Assuming inspections will eventually begin, there will likely be a phase-in period during which inspectors will need to be educated on the CSA 61511 standard. Since there are no physical requirements specified by the standard, a reasonable approach to how inspections would be conducted is in the form of an audit. The audit would check for evidence that mandatory documentation and processes are in place to validate that the required lifecycle activities have been performed properly, that the need for an SIS was determined one way or the other, and that an SIS, when implemented, meets all of the requirements of the standard (i.e. PHA, SIL assessment, SIL verification calculations, Safety Requirement Specification, Proof Test Procedures, Functional Safety Assessments, Training, etc.).
Adoption of this standard is intended to fulfill a company’s obligations for protection of the public and its workers under the OH&S act and as part of Recognized and Generally Accepted Good Engineering Practice (RAGAGEP). Added benefits of compliance can include meeting requirements for insurability and potential insurance premium reductions. The performance-based nature of these standards supports prioritizing invested risk reduction resources towards the highest-risk areas of the facility while reducing the resources spent in low-risk areas.
Implementation of CSA 61511
There are many activities required for full compliance with this standard. A few specific requirements to be aware of are highlighted below:
In the event a SIS is selected as part of the risk reduction strategy, the requirements of CSA 61511 shall be followed including the following highlighted activities:
CAN/CSA Z767-17 Adopted as a National Standard of Canada
CAN/CSA Z767 (also referred to within as CSA Z767) is a National Standard of Canada not yet adopted as regulation and therefore considered a “Best Practice”. As discussed in the In Search of Clarity - Standards & Regulations article, it is highly advisable to treat the elements of the CSA Z767 standard as a minimum requirement for compliance and use as RAGAGEP.
Section 4.2 describes the scope of this standard: “This standard defines the minimum requirements that shall be in place for a process safety management system (PSM) throughout the life cycle of the facility.” The standard describes accountability and responsibility for process safety management activities with Senior Management holding ultimate accountability (Section 5.1.1). Senior Management, Supervisors and Workers are all responsible for PSM with their roles further described in section 5.3.
This standard discusses requirements that many existing process facilities are deficient in. Unchecked, these have the potential to contribute to the initiation of, or failure to prevent a major accident. Issues covered include:
Maintenance of Safety Critical Documents - Many facilities do not have the up-to-date engineering documents required to support the safe operation and maintenance of the facility. CSA Z767 addresses this issue by requiring this safety critical documentation to be maintained over the life of the facility. Safety critical documentation identified in the standard includes: Plot Plan, PFDs with material balance, P&IDs, control philosophies, shutdown keys, PSV sizing sheets, Electrical Area Classification drawings, PHAs (refer to section 6.1).
Process Hazard Assessments (PHA) – Many existing facilities have either never had a PHA or the PHA is no longer valid due to changes in design, operation, corporate risk systems or the original assumptions used. CSA Z767 requires that a PHA (most commonly performed using HAZOP) be revalidated every 5 years. Changes to the facility must be managed by a management of change (MoC) process, with a PHA used to assess the changes. The 5-year revalidation is a good time to consolidate the smaller PHAs completed as part of the MoC process to cover the entire facility, ensuring that effects within all nodes are considered, not only those from the smaller sessions (refer to section 6.3 for details).
Alarm Management - Some facilities rely heavily upon alarms with operator action and in many cases have never performed alarm management activities. Most of these facilities experience alarm flooding and other nuisance alarms, causing safety critical alarms to be ignored. Rarely is there an established process to prioritize an operator response to high-criticality alarms. In many cases, operations can change alarm setpoints or disable, shelve or bypass alarms without any formal risk assessment, change management or approval process. CSA Z767 requires the responsible organization to put in place an alarm management process to cover the identification and prioritization of critical alarms and interlocks. This process must ensure a procedure is in place to control changes to alarm setpoints and interlock systems and to perform regular testing of alarms, interlocks and other critical safeguards (refer to the corresponding sections of CSA Z767).
Fire & Gas Detection – Fire and gas detection is often relied upon as the last line of defense in a safeguarding strategy; however, most facilities have never validated that detector quantities and coverage are appropriate based on application-specific risk. Typically, detector locations and quantities are arbitrarily chosen with no established philosophy. Final locations are selected by the electrician, with little guidance provided in engineering packages on the exact placement required, how to point or orient the detectors, sensitivity settings, or even what equipment they are intended to cover. Detectors and associated annunciation equipment (i.e. horns, strobes) are rarely maintained properly, resulting in poor protection and a false sense of security. The ISA TR84.00.07 technical report provides guidance for the engineering and design of fire and gas detection systems. This “best practice” provides a detailed process that may be applied to comply with the CSA Z767 requirements for risk identification, assessment and control of fire and gas hazards. Written inspection, testing and maintenance procedures must be in place to ensure the ongoing integrity of the installed fire and gas protection systems (refer to CSA Z767 7.3.1).
Competency – The integrity of the processes described within the standards is only as solid as the people implementing them. This is particularly true for safety critical and highly specialized engineering activities, including PHA facilitation, SIL calculations, fire and gas detector placement, and alarm rationalization / prioritization. Using an independent third party can result in a less biased study and may benefit from the perspective gained from other companies and applications within the industry. CSA Z767 section 7.1 describes the requirement that all personnel be competent to perform their functions and tasks safely and effectively. A system must be maintained to ensure documented competency of personnel by way of education, training and experience appropriate for the task and the associated criticality of the task. Section 6.3.2 stresses the importance of competency regarding risk assessments and modeling activities.
Feel free to reach out to the author for more information on this topic, or process safety support services.
Watchmen Instrumented Safety Experts (WISE) is a Functional Safety Engineering company with specialized expertise in preventative and mitigative instrumented safety. Our expertise includes HAZOP & LOPA Facilitation, SIL / SIS Calculations and Consulting, Alarm Management, Fire and Gas Systems Engineering. Consult one of our experts for your instrumented safety project today.
Copyright © 2018 Watchmen Instrumented Safety Experts - All Rights Reserved.