
Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable?

Michael Scott, PE, CFSE
Exec VP - Global Process Safety Technology
aeSolutions

Carolyn Presgraves, CFSP
Senior Director of Software Products
aeSolutions

KEYWORDS

Safety Instrumented System, SIS, Safety Integrity Level, SIL, Safety Lifecycle, Database, ANSI/ISA 84, IEC61511, Process Hazards Analysis (PHA), Layer of Protection Analysis (LOPA), SIS Grandfathering, Leading / Lagging Indicators

ABSTRACT

IEC61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector mandates that end users comply with a performance based approach to managing risks to personnel and / or the environment through adoption of the safety lifecycle. Simplistically, the safety lifecycle embodies a three-step methodology to overall risk management, which can be summarized as follows:

1. Execute safety lifecycle documentation
2. Monitor leading/lagging process safety indicators
3. Sustain safe unit operations through corrective actions

While the concept of execute, monitor and sustain seems straightforward, for a variety of reasons most companies who have committed to the IEC61511 journey are solely focused on the execution of safety lifecycle documentation. This myopic approach will result in their failure to realize the full benefits to their organization of a cost effective risk management program. In addition, without development of a holistic multi-year plan for safety lifecycle compliance, end user companies can expect to incur significant regret costs and schedule delays as they attempt to change the safety culture of their organization around adoption of IEC61511.

This paper will draw upon insight and, more importantly, critical lessons learned through the actual application of the safety lifecycle, from initial grandfathering through operations and maintenance ownership, associated with numerous clients since aeSolutions’ formation in 1998. A proven roadmap for efficient and cost effective safety lifecycle compliance and risk management will be defined, which emphasizes the use of an evergreen work process to support the concepts of execute, monitor and sustain.

INTRODUCTION

Compliance with the safety lifecycle at an existing facility can best be described as a journey. When an entire business unit desires to achieve compliance with the safety lifecycle, that journey can seem overwhelming. However, this need not be the case. To successfully reach the finish line of this journey, one simply needs to complete the five tasks noted below:

• Testing
• Capital Projects
• SIS Grandfathering Documentation
• Organizational Readiness
• Evergreen Execution

These five steps have not been numbered. This is because within a given company many plant sites, or even unit operations at the same plant site, may have already started the safety lifecycle journey. Therefore, an assessment is typically required to determine the appropriate execution order based upon the “state of the union” at each site or even unit operation. Thus, while the starting point may vary, the ending point is identical in all cases. All five tasks must be mastered at the end of the safety lifecycle journey to ensure cost effective compliance. This should be clear to the reader by the end of this paper but, to emphasize this point, consider these questions.

• If the company does not track the test results of its Safety Instrumented Functions, how is it selecting failure rate data for these instruments that represents their maintenance practices and clean or dirty service?

• If the company is not ensuring all capital projects are following an effective SIS workflow, how is it ensuring each new project does not upset the risk management status of the facility or business unit? An ineffective approach to the SIS execution requirements for capital projects also introduces regret costs by allowing the investment in initial SIS documentation for the project to be lost when the installed system is transferred to operations.

• If the company is not associating corrective work orders with potential worst case consequences (i.e. let’s say a potential fatality), how does one ensure the pressure transmitter taps that plug on a monthly basis are correctly prioritized with regard to all other routine maintenance activities? Without the consequence association, how can one ensure a corrective action plan is implemented in a timely fashion to address the plugging issue, as opposed to simply clearing the taps month after month when the problem arises again?

• If the company is not associating demands on SIFs as a potential near miss with potential worst case consequences (i.e. let’s say a potential fatality), how does one ensure the pressure regulator that failed 3 times in the last year (versus the once every 10 year failure assumed in the risk analysis) is correctly prioritized with regard to all other routine maintenance activities? Only with that association can one ensure a corrective action plan is implemented in a timely fashion to address the regulator failure root cause instead of simply implementing a replacement in kind.

The true benefit of the safety lifecycle is to raise awareness of bad acting protection layers whose unavailability poses a risk to the organization. In many instances, it is difficult prior to implementation of the safety lifecycle to recognize these bad actors. By making the invisible visible, we can significantly influence the process safety performance of a corporation.

In addition to clarifying the tasks required to successfully complete the safety lifecycle journey, aeSolutions has developed a proven roadmap on how to:

• Perform a site assessment against the five required tasks
• Develop a multi-year cost effective compliance program
• Utilize safety lifecycle software tools to “simplify” maintenance of process safety related documentation in an evergreen fashion
• Realize the benefits of leading / lagging indicators early in the program to improve the process safety performance of the facility / corporation

One of the key findings is that without a proper roadmap, the spend on process safety related activities is not leveraged to its best benefit. Many of these activities need to be invested in due to compliance issues. The key question is whether they will be invested in and delivered in a format supporting ongoing use of the investment, or whether it will be a cost used to check a box in an audit or compliance log, but not used to improve the process safety performance of the facility and / or corporation.

EXECUTE, MONITOR AND SUSTAIN

The safety lifecycle can be restated simply through the concept of:

1. Execute safety lifecycle documentation
2. Monitor leading/lagging process safety indicators
3. Sustain safe unit operations through corrective actions

To readily achieve the above objectives, one needs to begin the journey of ensuring the five tasks noted below complement one another.

• Testing
• Capital Projects
• SIS Grandfathering Documentation
• Organizational Readiness
• Evergreen Execution

Each of these tasks will be described in more detail below.

TESTING

The safety lifecycle mandates that all instrumentation associated with a Safety Instrumented Function (SIF) be tested. Refer to:

IEC 61511 Part 1 section 11.9.2 The calculated probability of failure of each safety instrumented function due to hardware failures shall take into account:

e) the diagnostic coverage of any periodic diagnostic tests (determined according to IEC 61511-2 ANSI/ISA-84.00.01-2004 Part 2 (IEC 61511-2 Mod)), the associated diagnostic test interval and the reliability for the diagnostic facilities;

f) the intervals at which proof tests are undertaken;

The premise behind this requirement is that dangerous undetected failures can only be found through testing or with an actual real world demand. Thus, by testing frequently enough we hope to uncover dangerous undetected failures before a real world demand discovers the unavailable SIF. It is our desire to keep all of our protection layers properly functioning at the assumed performance level included in the risk analysis. In this manner, we are keeping our risk to acceptable levels per the corporate targets, as well as being a good steward to the employees, environment and shareholders.

IEC61511 also mandates that one collect and calculate failure rate data that is specific to a given installation, process conditions and maintenance practices. Refer to:

IEC 61511 Part 1 section 5.2.5.3 Procedures shall be implemented to evaluate the performance of the safety instrumented system against its safety requirements including procedures for:

• assessing whether dangerous failure rates of the safety instrumented system are in accordance with those assumed during the design;

NOTE 1 Dangerous failures are revealed by means of proof testing, diagnostics or failure to operate on demand.

Collection of statistically valid failure rate data could take years depending on the number of instruments with like manufacturer, model #, installation specifics, process conditions, and maintenance practices. As such, testing and collection of failure rate data should be one of the tasks begun early in the journey for safety lifecycle compliance. This will allow for establishment of an approved vendors list and prior use justification for said instrumentation. Refer to:

IEC 61511 Part 1 section 11.5.3 Requirements for the selection of components and subsystems based on prior use

11.5.3.1 Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system.

11.5.3.2 The evidence of suitability shall include the following:

• demonstration of the performance of the components or subsystems in similar operating profiles and physical environments;
• the volume of the operating experience.

NOTE For field devices, information relating to operating experience is mainly recorded in the user’s list of equipment approved for use in their facilities, based on an extensive history of successful performance in safety and non-safety applications, and on the elimination of equipment not performing in a satisfactory manner. The list of field devices may be used to support claims of experience in operation, provided that
- the list is updated and monitored regularly;
- field devices are only added when sufficient operating experience has been obtained;
- field devices are removed when they show a history of not performing in a satisfactory manner;
- the process application is included in the list where relevant.

Testing is considered part of the monitor phase of safety lifecycle compliance.
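As an added illustration of the 11.9.2 and 5.2.5.3 requirements quoted above, and of the plugging-tap and regulator questions raised in the Introduction, the script below compares the dangerous failures and demands recorded against each SIF with the rates assumed in the SIL calculation, re-checks the achieved SIL band at the current proof test interval, and orders the findings by worst-case consequence. This is example code, not from the paper or from aeSolutions’ tools; the records, tags, consequence ranking and the simplified 1oo1 PFDavg formula are assumptions.

```python
"""Leading-indicator check: observed SIF failure and demand rates against the SIL-calc assumptions.

Added example, not from the paper. The records mirror the Introduction's plugging transmitter
taps and the regulator that failed 3 times in a year against an assumed once-per-10-year rate.
"""
from dataclasses import dataclass
from typing import Dict, List

HOURS_PER_YEAR = 8760.0

# Low-demand-mode SIL bands as PFDavg intervals [lower, upper).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Worst-case consequence categories and their priority rank (assumed ordering).
CONSEQUENCE_RANK = {"potential fatality": 3, "lost-time injury": 2,
                    "environmental release": 1, "production loss": 0}


@dataclass(frozen=True)
class SifRecord:
    tag: str
    consequence: str               # worst-case consequence from the LOPA scenario
    target_sil: int
    assumed_lambda_du: float       # dangerous undetected failure rate used in the SIL calc, per hour
    assumed_demand_per_year: float
    proof_test_interval_years: float
    device_count: int              # like devices (same make, model and service) in the population
    years_in_service: float
    dangerous_failures_found: int  # DU failures revealed by proof test or by failure on demand
    demands: int                   # real-world demands on the SIF (each one a potential near miss)


def observed_lambda_du(r: SifRecord) -> float:
    """Dangerous undetected failure rate per device-hour from field records."""
    return r.dangerous_failures_found / (r.device_count * r.years_in_service * HOURS_PER_YEAR)


def observed_demand_rate(r: SifRecord) -> float:
    """Demands per year placed on the SIF."""
    return r.demands / r.years_in_service


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_years: float) -> float:
    """Simplified 1oo1 PFDavg = lambda_DU * TI / 2 (no diagnostics; an assumption for illustration)."""
    return lambda_du * proof_test_interval_years * HOURS_PER_YEAR / 2.0


def achieved_sil(pfd_avg: float) -> int:
    """SIL band the PFDavg falls into: 0 if worse than SIL 1, 4 if below the SIL 4 lower bound."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def evaluate(r: SifRecord) -> Dict[str, object]:
    """Compare field data with the design assumptions and list the flags raised."""
    flags: List[str] = []
    lam = observed_lambda_du(r)
    # A zero-failure population proves nothing yet; only a measured excess is a finding.
    if r.dangerous_failures_found > 0 and lam > r.assumed_lambda_du:
        flags.append("failure_rate_exceeds_assumed")
    # Re-check the SIL band with the worse of the observed and assumed rates at the current interval.
    sil_now = achieved_sil(pfd_avg_1oo1(max(lam, r.assumed_lambda_du), r.proof_test_interval_years))
    if sil_now < r.target_sil:
        flags.append("sil_shortfall_at_current_test_interval")
    if observed_demand_rate(r) > r.assumed_demand_per_year:
        flags.append("demand_rate_exceeds_assumed")
    return {"tag": r.tag, "consequence": r.consequence, "observed_lambda_du": lam,
            "observed_demands_per_year": observed_demand_rate(r),
            "achieved_sil": sil_now, "flags": flags}


def prioritize(records: List[SifRecord]) -> List[Dict[str, object]]:
    """Flagged SIFs ordered by worst-case consequence, then by number of flags raised."""
    findings = [f for f in (evaluate(r) for r in records) if f["flags"]]
    findings.sort(key=lambda f: (-CONSEQUENCE_RANK[f["consequence"]], -len(f["flags"]), f["tag"]))
    return findings


# Constructed records, not plant data.
SAMPLE_RECORDS = [
    # High-pressure trip whose transmitter taps plug: 2 DU failures across 3 transmitters in 2 years.
    SifRecord("SIF-101", "potential fatality", 2, 5e-7, 0.1, 1.0, 3, 2.0, 2, 0),
    # Regulator failure is the initiating event: 3 demands in 1 year vs. once per 10 years assumed.
    SifRecord("SIF-205", "potential fatality", 1, 1e-6, 0.1, 1.0, 1, 1.0, 0, 3),
    # Production-loss scenario seeing slightly more demands than the LOPA assumed.
    SifRecord("SIF-310", "production loss", 1, 1e-6, 0.2, 2.0, 2, 3.0, 0, 1),
]

if __name__ == "__main__":
    for finding in prioritize(SAMPLE_RECORDS):
        print(finding["tag"], finding["consequence"], finding["achieved_sil"], finding["flags"])
```

The same comparison, run over the plant's real test and work-order records, is the leading indicator the paper's monitor phase needs: a SIF whose observed rates exceed the LOPA assumptions is surfaced before a real demand finds it unavailable.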

CAPITAL PROJECTS

At a certain point in the safety lifecycle compliance journey, a company will issue an edict that all capital projects from this time forth shall be compliant with IEC61511. The rationale behind this statement is obvious. Eventually one desires that capital projects begin to close IEC61511 compliance gaps and, more importantly, not create any new gaps. This sounds simplistic, but it is often problematic for most companies as IEC61511 work activities are not firmly embedded in the corporation’s capital project execution workflow. This typically results in a learning curve and some initial regret costs while changes are defined and adopted by the organization. Lack of SIS competency within the Engineering, Procurement & Construction (EPC) contractors and even some Safety PLC manufacturers increases the severity of the learning curve and regret costs.

This issue is further complicated by the types of capital projects that exist within a corporation. For instance, capital projects can be generically described as follows:

• Small projects executed by facility engineering
• Medium projects executed by an EPC with a support contract that runs for ‘X’ years
• Large projects executed by an EPC selected as part of the bidding process

In most instances, the management team and team members are different for each of the three project groups above. This implies different priorities and rules of engagement. Thus, when issuing the edict that all capital projects be compliant with IEC61511, one needs to recognize the strengths and weaknesses of the various capital project execution groups within an organization. Again, the concept of a journey is emphasized as most companies adopt an approach where the large projects are brought into compliance first, then the medium projects, and finally small projects. Depending upon the size of the organization, this could once again be an exercise lasting several years.

IEC61511 mandates two tasks that are invaluable to capital project execution. The first is creation of the Safety Lifecycle Plan, and the second is execution of Functional Safety Assessments.

IEC 61511 Part 1 section 6.2.3 For all safety life-cycle phases, safety planning shall take place to define the criteria, techniques, measures and procedures to

• ensure that the SIS safety requirements are achieved for all relevant modes of the process; this includes both function and safety integrity requirements;
• ensure proper installation and commissioning of the safety instrumented system;
• ensure the safety integrity of the safety instrumented functions after installation;
• maintain the safety integrity during operation (for example, proof testing and failure analysis);
• manage the process hazards during maintenance activities on the safety instrumented system.

IEC 61511 Part 1 section 5.2.6.1 Functional safety assessment

5.2.6.1.1 A procedure shall be defined and executed for a functional safety assessment in such a way that a judgment can be made as to the functional safety and safety integrity achieved by the safety instrumented system. The procedure shall require that an assessment team be appointed which includes the technical, application and operations expertise needed for the particular installation.

Ensuring capital projects consistently deliver safety lifecycle compliant solutions is usually seen as an easy step, and most companies begin tackling at least the large projects early in the safety lifecycle journey. Getting small projects to consistently deliver safety lifecycle compliant solutions is often deemed harder and is tackled later in the journey.

The Safety Lifecycle Plan should assess competency of key team members on the project. Thus, if completed early in the project, competency issues can be identified, and training programs and / or mentorships established to increase the integrity of the project team. In a similar manner, the Functional Safety Assessment will also review competency of the key team members, as well as the validity of the PHA / LOPA and associated SIS documentation. Thus, by conducting Stage 1, 2 and 3 FSAs individually throughout the project, one can minimize far-reaching FSA findings that could derail the project from a budget and / or schedule standpoint.

Capital project execution is considered part of the execution phase of safety lifecycle compliance. However, it must also deliver data automation to support generation of leading indicators that are critical in the monitor phase of the safety lifecycle.

SIS GRANDFATHERING DOCUMENTATION

Most companies start with the SIS Grandfathering Documentation as their first step on the safety lifecycle compliance journey. Many of the other tasks in the compliance journey described herein seem overwhelming and, as such, the company simply wants to assess IEC61511 gaps and begin planning for gap closure. SIS Grandfathering Documentation as defined in this paper consists of:

1. Conducting a PHA / LOPA
2. Selecting initial SILs for identified SIFs
3. Completion of an initial Safety Requirements Specification with C&E’s
4. Completion of initial SIL Verification Calculations
5. Completion of initial Functional Test Plans

Thus, one has baseline documentation in hand identifying how their existing installations fare against the requirements of IEC61511. Gaps in compliance are identified and plans for gap closure via capital projects or other means can be formulated and implemented.

This effort is often quite laborious at a brownfield installation. Often, it is tied to the existing PHA / LOPA revalidation cycle. If a company is following a typical five-year PHA / LOPA revalidation cycle, it could take longer than five years to establish the compliance baseline and then develop the subsequent gap closure mechanisms.

The difficulty in execution of this task is that one needs to be able to easily assess baseline SIS Grandfathering Documentation gaps and simultaneously keep track of capital project changes / impacts to SIFs during this grandfathering time period. Failure to easily assimilate capital project modifications into the SIS Grandfathering Documentation will result in regret costs and possibly delay funding of future gap closure activities. Consider the following scenarios:

• A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering Documentation was completed on both trains. One compressor fails and the corporation makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need to be tested, performance tracked, and the I/O count for a new Safety PLC for the unit can be reduced reflective of the obsolete compressor train. In addition, these SIFs need to be deleted from the applicable safety lifecycle documentation.

• PHA made a recommendation to install redundant relief valves instead of multiple SIFs associated with overpressure of multiple vessels tied to the flare. When process engineering completed their review of the installation and preliminary PSV calculations, it was determined that the second PSV was not feasible due to flare header sizing concerns and possible back pressure issues. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the requirement for multiple new SIFs and their associated I/O count added to the potential new safety PLC project.

• A small capital project changes three switches to transmitters, on three different SIFs. Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the additions, deletions and modification requirements for these SIFs and the adjusted I/O count reflected in the potential new safety PLC project.

All of the changes (small, medium and large) that occur in a brownfield facility over the course of the initial five-year baseline development have the potential to create obsolete and stagnant SIS Grandfathering Documentation. This is especially true when one recognizes that these changes are occurring in parallel with the initial SIS Grandfathering Documentation efforts themselves. A safety lifecycle software tool to manage the SIS Grandfathering Documentation via a management of change work process is critical to success of this task.

SIS Grandfathering Documentation execution is considered part of the execution phase of safety lifecycle compliance.

ORGANIZATIONAL READINESS

With regard to this paper, organizational readiness refers to people whose job descriptions include references to maintaining compliance with the safety lifecycle. This implies job descriptions have been modified, training programs developed, corporate SIS procedures issued, and management at the top of the corporation is supportive of safety lifecycle compliance. Again, this sounds straightforward; however, it requires changes in the organization, which may be met with resistance. Further complicating the issue of organizational readiness is the fact that multiple groups within the organization need to align for this effort to be successful. For instance, let us assume the company is structured as follows:

• Operations – tasked with developing and implementing a day to day operations strategy for running the facility safely with overarching production goals for sellable product
• Maintenance – tasked with developing and implementing a day to day maintenance strategy that supports operations in a safe manner
• Process Safety – functions in a support and auditing role to ensure operations and maintenance activities are safe
• Facility Engineering – supports day to day troubleshooting of the plant and small projects
• Site Projects – supports medium projects to increase production or significantly debottleneck a unit
• Capital Projects – supports large projects to increase production, significantly debottleneck a unit and design a new facility

For the five tasks to be successfully implemented within an organization, all of the above groups must align to deliver a sustainable process safety culture. This culture has to be driven from the top of the organization downward throughout the various groups.

As one reflects on his or her own organization, it is probably obvious that this cultural alignment may be slow to gain momentum. Once again, this could be a multi-year effort and should be factored into the overall planning for safety lifecycle compliance. Without personnel in the organization that are accountable for delivering a sustainable safety lifecycle process, the full benefits will not be realized.

Organizational readiness execution is considered part of the execution, monitor and sustain phases of safety lifecycle compliance, as competent personnel are required throughout the organization to support these activities.

EVERGREEN EXECUTION

The concept of evergreen documentation associated with the safety lifecycle is critically important; however, most companies do not even realize this is an issue they should be addressing. To better understand the concept of “evergreen”, let us consider the example from above:

• A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering Documentation was completed on both trains. One compressor fails and the corporation makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need to be tested, performance tracked and the I/O count for a new Safety PLC for the unit can be reduced reflective of the obsolete compressor train. In addition, these SIFs need to be deleted from the applicable safety lifecycle documentation.

• PHA made a recommendation to install redundant relief valves instead of multiple SIFs associated with overpressure of multiple vessels tied to the flare. When process engineering completed their review of the installation and preliminary PSV calculations, it was determined that the second PSV was not feasible due to flare header sizing concerns and possible back pressure issues. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the requirement for multiple new SIFs and their associated I/O count added to the potential new safety PLC project.

• A small capital project changes three switches to transmitters, on three different SIFs. Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the additions, deletions and modification requirements for these SIFs and the adjusted I/O count reflected in the potential new safety PLC project.

Therefore, the facility in question completes the initial PHA / LOPA from scratch at time zero. The first project is as-built 6 months afterward, the second project as-built 9 months afterward and the final project is as-built 1 year later.

What instrumentation needs to be included in the testing program 1 year after the initial baseline PHA / LOPA has been executed? If one of the projects increased occupancy in the unit, what is the risk of bypassing PT-101? What SIF architectures need to be included in the SRS and associated SIL Calcs? Have we added or deleted Safety Rated Alarms? Have we changed set points with potential impacts to process safety time and overall safety operating limits for a piece of equipment?

Given the day-to-day changes that occur at a facility, it is imperative that an evergreen approach to the PHA / LOPA is adopted. With the PHA / LOPA maintained in an evergreen fashion, the normal Management of Change (MoC) process would ensure the associated changes to downstream deliverables are maintained just like P&IDs are today.

Maintaining the PHA / LOPA in an evergreen fashion can be readily achieved with new safety lifecycle software tools now available in the marketplace. Prior to the existence of these new safety lifecycle software tools, it was extremely difficult to maintain an evergreen PHA / LOPA, and as such, most companies did not even attempt this approach.

Another issue facing the use of the PHA / LOPA results to drive the facility’s mechanical integrity program is the qualitative process used to assess risk. This problem can be readily rectified and will be the subject of future papers. However, it will require the process safety organization and industry itself to recognize the need for change.

Evergreen execution is considered part of the sustain phase of safety lifecycle compliance.

PROCESS SAFETY ROADMAP

To cost effectively tackle the five tasks noted below, an overall roadmap for success needs to be defined.

• Testing
• Capital Projects
• SIS Grandfathering Documentation
• Organizational Readiness
• Evergreen Execution

This proven roadmap embodies how to:

• Perform a site assessment against the five required tasks
• Develop a multi-year cost effective compliance program
• Utilize safety lifecycle software tools to “simplify” maintenance of process safety related documentation in an evergreen fashion
• Realize the benefits of leading / lagging indicators early in the program to improve the process safety performance of the facility / corporation

Each of these roadmap steps will be described in more detail below.

SITE ASSESSMENT

The best approach to determine where to start, or more typically what is the most efficient means to finish, the safety lifecycle compliance journey is to conduct a detailed site assessment. This assessment is comprised of documentation reviews, corporate and local site policy / procedure reviews, personnel competency interviews and walkdown of SIFs at the site itself. It will document current work practices related to the safety lifecycle. It will also document a data flow diagram noting sources and quality of data required to support automation of the safety lifecycle. The assessment focuses on each of the five tasks:

• Testing
• Capital Projects
• SIS Grandfathering Documentation
• Organizational Readiness
• Evergreen Execution

Each of these five tasks will be reviewed and assigned a grade of 0 to 100%. Short term, medium term and longer-term action plans will be created for each task. Thus, a site specific and / or overall business unit specific execution plan can be generated to ensure cost effective and efficient safety lifecycle compliance. Figure 1 below is an example of how one can depict the site assessment results graphically.

Figure 1 – Typical Results of Site Assessment

Site assessment execution is considered part of the execution phase of safety lifecycle compliance.

PLANNING

Once the site assessment has been completed, a multi-year plan can be systematically laid out that takes into account staffing, training, and workflow / work process coordination with the overarching goal of minimizing regret costs, while efficiently finishing the safety lifecycle compliance journey. Based upon site best practices, existing status of documentation and data, and current initiatives, unique plans may be required for different sites within a business unit as a whole.

However, with a sound execution plan that recognizes the unique interactions between the five tasks, the initially overwhelming concept of safety lifecycle compliance can now be reduced simply to a project management issue. Assuming organizational support from the top down, safety lifecycle compliance should now be readily obtainable via a systematic approach that “eats the elephant” one bite at a time. Thus, through planning, a very complex process can be broken down into small, readily measurable and achievable steps.

The most important concept to recognize, regardless of the site assessment results, is that the scheduling of the five tasks is a finish-to-finish effort. The individual tasks may have staggered starts, but all tasks must finish together to minimize regret costs. Figure 2 below is a sample milestone schedule that highlights the finish-to-finish requirements. Failure to recognize and address this fundamental scheduling issue in an organization could result in a never ending “cycle of chasing one’s tail” in an effort to achieve steady state compliance with the safety lifecycle.

Figure 2 – High Level Milestone Schedule for Finishing the Safety Lifecycle Journey

Planning execution is considered part of the execution phase of safety lifecycle compliance.

LEADING / LAGGING INDICATORS

Generation of meaningful leading / lagging indicators is ultimately how compliance with the safety lifecycle increases the process safety performance of a facility and eventually the entire process industry. With measurement, one can now track performance versus requirements. It is through this cycle of monitoring and sustaining the facility via offensive instead of defensive corrective actions that truly positive changes can occur. The invisible becomes visible and, more importantly, actionable.

The process industry has recognized the requirements for leading / lagging indicators through issuance of the Baker Report following the BP Texas City event, issuance of API 754 and ISA TR84.00.04 annex R. The UK’s Health Safety Executive (HSE) has published guidance on the benefits and requirements for leading / lagging indicators, among other publications. So with the process industry recognizing the need for leading / lagging indicators, why is their use not commonplace? The answer is that the data required to be measured is often scattered in multiple sources (some electronic and some in paper format only) within an organization, and this data is not typically readily usable as it stands today. This is further complicated, as discussed in the Organizational Readiness section, by the fact that multiple groups, working in distinct silos and often using different toolsets, are each responsible for pieces of the big picture. Thus, the greatest benefit of the safety lifecycle compliance journey is typically the last step most companies undertake. With the generation of new safety lifecycle software tools and implementation of the compliance roadmap contained herein, generation of meaningful leading / lagging indicators is relatively straightforward. In fact, depending on the site planning, meaningful leading / lagging indicators can be generated very early in the compliance journey. Thus, one does not necessarily need to wait for years before compliance benefits can be measured. As an example, consider the following:

- PHA / LOPA assumes a pressure regulator fails once every ten years with a potential to rupture a vessel, with a possibility for a vapor cloud explosion with potential fatalities. Actual demand tracking has indicated the pressure regulator has failed 3 times in the last 3 years.

- A SIF has been installed to protect the above vessel against pressure regulator failure. It consists of a pressure transmitter, safety PLC and on/off block valve. The SIL Verification calculations assumed the SIF would be tested annually. However, it has been 24 months and the SIF has not been tested.

- A bypass criterion has been established for the same SIF and was selected as 72 hours. By reviewing and aggregating bypass records, it is shown that over the last 3 years the SIF has been bypassed 12 times for a total of 300 hours.

- Generic data, which assumed a dangerous undetected failure rate of once every 50 years, was used in the initial SIL Verification calculation for the transmitter in the above SIF. Real world testing has yielded an actual failure rate of once every 5 years.

Each of the four bullets above indicates potential problems with the performance of the SIF in question. By associating these issues to their PHA / LOPA scenario (i.e. potential fatality) such that the importance of this SIF being available is clearly demonstrated to operations, we can now ensure that resolution of these bad actor events is prioritized above other day to day issues that occur. Thus, corrective work orders can be generated and aggressively worked to ensure the SIF performance is in line with the risk analysis assumptions. Using the risk based approach contained in the safety lifecycle, we have now positioned the facility to identify bad actors and correct them before a loss of containment event occurs. In many instances in the past, the above four bullets would be lost in the noise of multitudes of other bad actor events that occur on a daily basis. That noise contains events that impact product quality, commercial impacts to equipment, etc., plus a smaller scattering of events which, if ignored, could lead to loss of containment. Thus, much the same way alarm rationalization assigns alarm priorities to communicate to operations the order of responding to alarms, process safety leading / lagging indicators allow operations and maintenance to prioritize resolution of possible loss of containment bad actors. Identification of process safety bad actors in the past might only have occurred as a result of a root cause analysis following a near miss or loss of containment event. This is where the invisible becomes visible and, more importantly, actionable.
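The four findings above can be produced mechanically once demand, proof test and bypass records are aggregated against the PHA / LOPA and SIL Verification assumptions. The Python below is an added example, not code from the paper or from any vendor's tools: the field records are constructed to match the scenario, the single-channel PFDavg formula is the simplified low-demand approximation λDU·TI/2, and the bypass indicator compares time spent in bypass against the PFDavg budget the SIL Verification assumed.

```python
"""Leading / lagging indicator checks for one SIF (added example, not the paper's code).
Compares PHA / LOPA and SIL Verification assumptions against constructed field records."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass(frozen=True)
class SifAssumptions:
    demand_rate_per_yr: float  # LOPA initiating event frequency (regulator failure)
    test_interval_yr: float    # proof test interval used in the SIL Verification
    bypass_limit_h: float      # bypass criterion per event
    lambda_du_per_yr: float    # generic dangerous undetected failure rate of the transmitter

@dataclass(frozen=True)
class FieldRecords:
    window_yr: float           # length of the review period
    demands: int               # regulator failures logged, i.e. demands on the SIF
    months_since_test: float   # time since the last proof test
    bypass_hours: tuple        # duration of each bypass event in the window
    lambda_du_per_yr: float    # failure rate derived from actual proof testing

def pfd_avg(lambda_du_per_yr: float, test_interval_yr: float) -> float:
    """Simplified single-channel PFDavg ~= lambda_DU * TI / 2 (low-demand approximation)."""
    return lambda_du_per_yr * test_interval_yr / 2

def indicators(a: SifAssumptions, f: FieldRecords) -> dict:
    """Map each indicator to (assumed, observed); 'flagged' lists those worse than assumed."""
    observed_ti_yr = f.months_since_test / 12
    pfd_assumed = pfd_avg(a.lambda_du_per_yr, a.test_interval_yr)
    result = {
        "demand_rate_per_yr": (a.demand_rate_per_yr, f.demands / f.window_yr),
        "test_interval_yr": (a.test_interval_yr, observed_ti_yr),
        "bypasses_over_limit": (0, sum(h > a.bypass_limit_h for h in f.bypass_hours)),
        # Fraction of the window spent in bypass, compared with the PFDavg budget the
        # SIL Verification assumed: bypass time alone can consume that budget.
        "bypass_unavailability": (pfd_assumed, sum(f.bypass_hours) / (f.window_yr * HOURS_PER_YEAR)),
        # Recompute PFDavg with the measured rate and the test interval actually achieved.
        "pfd_avg": (pfd_assumed, pfd_avg(f.lambda_du_per_yr, observed_ti_yr)),
    }
    result["flagged"] = [k for k, (assumed, observed) in result.items() if observed > assumed]
    return result

# Constructed records matching the paper's scenario: 3 demands in 3 years, 24 months since
# the last test, 12 bypasses totalling 300 h (one over 72 h), measured lambda_DU of 1 per 5 years.
ASSUMED = SifAssumptions(0.1, 1.0, 72.0, 1 / 50)
OBSERVED = FieldRecords(3.0, 3, 24.0, (80, 10, 20, 30, 25, 18, 40, 35, 12, 10, 10, 10), 1 / 5)

if __name__ == "__main__":
    for name, value in indicators(ASSUMED, OBSERVED).items():
        print(f"{name}: {value}")
```

With these inputs every indicator is flagged, and the recomputed PFDavg is twenty times the value the SIL Verification assumed.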

Figure 3 – Typical Leading / Lagging Indicator Dashboard

Leading / Lagging Indicator execution is considered part of the monitor and sustain phases of safety lifecycle compliance.

SAFETY LIFECYCLE SOFTWARE TOOLS

The fundamental key to safety lifecycle compliance is it must be “simple” to maintain. This implies existing staff with training and awareness can readily maintain the safety lifecycle documentation in an evergreen fashion once the program is up and running. Note, it is assumed that outside assistance by a specialty process safety engineering firm is typically required to support the organization with execution of the initial site assessment, planning and starting the five tasks noted below:

- Testing
- Capital Projects
- SIS Grandfathering Documentation
- Organizational Readiness
- Evergreen Execution

The reason is that most corporations do not have the expertise and / or available labor to set up the safety lifecycle compliance program. Without safety lifecycle software tools that have been specifically designed to handle the work process contained in this paper, there will be nothing “simple” about the safety lifecycle compliance journey. Key functionality that is mandatory in the safety lifecycle software tools is as follows:

- Enterprise level tool
- Evergreen PHA / LOPA with ability to support multiple concurrent projects
- PHA / LOPA results fed directly into SIS engine
- Evergreen SIS engine with ability to support multiple concurrent projects
- Evergreen SIS engine to generate all SIS documentation – SIL Verification Calculations, Safety Requirements Specification, C&E’s, Functional Test Plans, Protection Layer Requirements Specification, Protection Layer Test Plans
- Evergreen Gap Tracking module
- Override Risk Assessment Module tied to PHA / LOPA and SIL Verification Calculations
- Generation of Leading / Lagging Indicators that expand / collapse as you move through the enterprise

At the time of the writing of this paper, the authors are aware of at least one set of safety lifecycle software tools that meets all of the above criteria. Thus, “simple” safety lifecycle compliance is now readily available in the marketplace today.

Here are some examples of why a comprehensive tool as described above is required:

1. While walking down P&ID’s, it was discovered that an instrument tag # for a pressure transmitter was incorrect. If this change can be made in one place (i.e. the PHA) and then its use is automatically corrected in all downstream documentation (LOPA, SIL Calc, SRS, C&E, Functional Test Plan, etc.), it would be “simple” to maintain.

2. The corporation changes the tolerable risk criteria associated with its risk matrix. If this change can be made in one place (i.e. the PHA) and then its use is automatically corrected in all downstream documentation (LOPA, SIL Calc, SRS, C&E, Functional Test Plan, etc.), it would be “simple” to maintain.

3. Failure data has been collected for a given family of pressure transmitters and a new dangerous undetected failure rate calculated that takes into account process service, installation specifics, make / model and maintenance practices. If the new failure rate data could be assigned in one place (i.e. the SIS engine) and the 500 SIL Calculations that use this type of pressure transmitter automatically updated, it would be “simple” to maintain.

Safety Lifecycle Software tools are critical and considered part of the execution, monitor and sustain phases of safety lifecycle compliance.

CONCLUSION

Through living and breathing safety lifecycle compliance with numerous end user companies since aeSolutions’ formation in 1998, we have developed a proven and simplified approach to cost effectively meeting the requirements of IEC61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector. The roadmap as defined herein is as follows:

1. Conduct a site assessment focusing on the following five tasks:
   - Testing
   - Capital Projects
   - SIS Grandfathering Documentation
   - Organizational Readiness
   - Evergreen Execution

2. Complete planning of a multi-year compliance program based upon the site assessment results

3. Obtain a safety lifecycle software tool that meets the requirements contained in this paper

4. Begin a finish-to-finish project execution of the five tasks noted in step 1

By adopting this roadmap one can cost effectively realize the benefits of the safety lifecycle, which can be summarized as follows:

1. Execute safety lifecycle documentation

2. Monitor leading process safety indicators

3. Sustain safe unit operations through corrective actions

The purpose of IEC61511 is to ensure that assumptions made in the risk analysis regarding availability of protection layers match the actual real world performance as witnessed in the field. This real world data can also be leveraged to increase availability of the process unit as a whole and make positive impacts on production itself.

DISCLAIMER

Although it is believed that the information in this paper is factual, no warranty or representation, expressed or implied, is made with respect to any or all of the content thereof, and no legal responsibility is assumed therefore. The examples shown are simply for illustration, and, as such, do not necessarily represent any company’s guidelines. The reader should use data, methodology, formulas, and guidelines that are appropriate for their own particular situation.

REFERENCES

1. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Safety-related Systems, Parts 1-7, Geneva: International Electrotechnical Commission, 1998.

2. IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1-3, Geneva: International Electrotechnical Commission, 2003.

3. HSG254, Developing Process Safety Indicators, Health and Safety Executive, 2006.

4. COMAH, Control of Major Accident Hazards, Process Safety Performance Indicators, Health and Safety Executive, 2012.

5. API 754, Process Safety Performance Indicators for the Refining and Petrochemical Industries, American Petroleum Institute, 2010.

6. ISA TR84.00.04 Part 1 – 2011, Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), International Society of Automation, 2011.

ABBREVIATIONS AND DEFINITIONS

API – American Petroleum Institute
EPC – Engineering Procurement Construction
HSE – Health and Safety Executive
IEC – International Electrotechnical Commission
ISA – International Society of Automation
LOPA – Layer of Protection Analysis
PFDavg – Average Probability of Failure on Demand
PHA – Process Hazard Analysis
RRF – Risk Reduction Factor
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
SIS – Safety Instrumented System