Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable?
Michael Scott, PE, CFSE
Exec VP - Global Process Safety Technology
aeSolutions
Carolyn Presgraves, CFSP
Senior Director of Software Products
aeSolutions
KEYWORDS
Safety Instrumented System, SIS, Safety Integrity Level, SIL, Safety Lifecycle, Database,
ANSI/ISA 84, IEC61511, Process Hazards Analysis (PHA), Layer of Protection Analysis
(LOPA), SIS Grandfathering, Leading / Lagging Indicators
ABSTRACT
IEC61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector
mandates that end users comply with a performance-based approach to managing risks to personnel
and / or the environment through adoption of the safety lifecycle. Simplistically, the safety
lifecycle embodies a three-step methodology for overall risk management, which can be
summarized as follows:
1. Execute safety lifecycle documentation
2. Monitor leading/lagging process safety indicators
3. Sustain safe unit operations through corrective actions
While the concept of execute, monitor and sustain seems straightforward, for a variety of
reasons most companies who have committed to the IEC61511 journey are solely focused on
the execution of safety lifecycle documentation. This myopic approach will result in their failure
to realize the full benefits to their organization of a cost effective risk management program. In
addition, without development of a holistic multi-year plan for safety lifecycle compliance, end
user companies can expect to incur significant regret costs and schedule delays as they attempt to
change the safety culture of their organization around adoption of IEC61511.
This paper draws upon insight and, more importantly, critical lessons learned through the
actual application of the safety lifecycle, from initial grandfathering through operations and
maintenance ownership, with numerous clients since aeSolutions’ formation in 1998.
A proven roadmap for efficient and cost effective safety lifecycle compliance and risk
management is defined, which emphasizes the use of an evergreen work process to support
the concepts of execute, monitor and sustain.
INTRODUCTION
Compliance with the safety lifecycle at an existing facility can best be described as a journey.
When an entire business unit desires to achieve compliance with the safety lifecycle, that journey
can seem overwhelming. However, this need not be the case. To successfully reach the finish
line of this journey, one simply needs to complete five tasks as noted below:
Testing
Capital Projects
SIS Grandfathering Documentation
Organizational Readiness
Evergreen Execution
These five steps have not been numbered. This is because within a given company many plant
sites or even unit operations at the same plant site may have already started the safety lifecycle
journey. Therefore, an assessment is typically required to determine the appropriate execution
order based upon “state of the union” at each site or even unit operation. Thus, while the starting
point may vary, the ending point is identical in all cases. All five tasks must be mastered at the
end of the safety lifecycle journey to ensure cost effective compliance. This should be clear to
the reader by the end of this paper but, to emphasize this point, consider these questions.
If the company does not track the test results of its Safety Instrumented Functions, how is
it selecting failure rate data for these instruments that represent their maintenance
practices and clean or dirty service?
If the company is not ensuring all capital projects are following an effective SIS
workflow, how is it ensuring each new project does not upset the risk management status
of the facility or business unit? An ineffective approach to the SIS execution
requirements for capital projects also introduces regret costs by allowing the investment
in initial SIS documentation for the project to be lost when the installed system is
transferred to operations.
If the company is not associating corrective work orders with potential worst case
consequences (i.e. let’s say a potential fatality), how does one ensure the pressure
transmitter taps that plug on a monthly basis are correctly prioritized with regard to all
other routine maintenance activities? Without the consequence association, how can one
ensure a corrective action plan is implemented in a timely fashion to address the plugging
issue, as opposed to simply clearing the taps month after month when the problem arises
again?
If the company is not associating demands on SIFs, as potential near misses, with potential
worst case consequences (i.e. let’s say a potential fatality), how does one ensure the
pressure regulator that failed 3 times in the last year (versus the once every 10 year
failure assumed in the risk analysis) is correctly prioritized with regard to all other routine
maintenance activities? Without that association, how can one ensure a corrective action plan
is implemented in a timely fashion to address the root cause of the regulator failure instead of
simply implementing a replacement in kind?
The true benefit of the safety lifecycle is to raise awareness of bad acting protection layers whose
unavailability poses a risk to the organization. In many instances, it is difficult prior to
implementation of the safety lifecycle to recognize these bad actors. By making the invisible
visible, we can significantly influence the process safety performance of a corporation.
In addition to clarifying the tasks required to successfully complete the safety lifecycle journey,
aeSolutions has developed a proven roadmap on how to:
Perform a site assessment against the five required tasks
Develop a multi-year cost effective compliance program
Utilize safety lifecycle software tools to “simplify” maintenance of process safety related
documentation in an evergreen fashion
Realize the benefits of leading / lagging indicators early in the program to improve the
process safety performance of the facility / corporation
One of the key findings is that without a proper roadmap, the spend on process safety related
activities is not leveraged to its best benefit. Many of these activities must be invested in due
to compliance issues. The key question is whether they will be invested in and delivered in a format
supporting ongoing use of the investment, or whether they will be a cost used to check a box in an audit or
compliance log but not used to improve the process safety performance of the facility
and / or corporation.
EXECUTE, MONITOR AND SUSTAIN
The safety lifecycle can be restated simply through the concept of
1. Execute safety lifecycle documentation
2. Monitor leading/lagging process safety indicators
3. Sustain safe unit operations through corrective actions
To readily achieve the above objectives, one needs to begin the journey of ensuring the five tasks
noted below complement one another.
Testing
Capital Projects
SIS Grandfathering Documentation
Organizational Readiness
Evergreen Execution
Each of these tasks will be described in more detail below.
TESTING
The safety lifecycle mandates that all instrumentation associated with a Safety Instrumented
Function (SIF) be tested. Refer to:
IEC 61511 Part 1 section 11.9.2 The calculated probability of failure of each safety
instrumented function due to hardware failures shall take into account:
e) the diagnostic coverage of any periodic diagnostic tests (determined according to IEC
61511-2 ANSI/ISA-84.00.01-2004 Part 2 (IEC 61511-2 Mod) the associated diagnostic
test interval and the reliability for the diagnostic facilities;
f) the intervals at which proof tests are undertaken;
The premise behind this requirement is that dangerous undetected failures can only be found
through testing or by an actual real world demand. Thus, by testing frequently enough we
hope to uncover dangerous undetected failures before a real world demand discovers the
unavailable SIF. Our desire is to keep all of our protection layers properly functioning at
the assumed performance level included in the risk analysis. In this manner, we are keeping our
risk at acceptable levels per the corporate targets, as well as being a good steward to the
employees, environment and shareholders.
IEC61511 also mandates that one collect and calculate failure rate data that is specific to a
given installation, its process conditions and its maintenance practices. Refer to:
IEC 61511 Part 1 section 5.2.5.3 Procedures shall be implemented to evaluate the performance
of the safety instrumented system against its safety requirements including procedures for:
• assessing whether dangerous failure rates of the safety instrumented system are in
accordance with those assumed during the design;
NOTE 1 Dangerous failures are revealed by means of proof testing, diagnostics or
failure to operate on demand.
Collection of statistically valid failure rate data could take years depending on the number of
instruments with like manufacturer, model #, installation specifics, process conditions, and
maintenance practices. As such, testing and collection of failure rate data should be one of the
tasks begun early in the journey for safety lifecycle compliance. This will allow for
establishment of an approved vendors list and prior use justification for said instrumentation.
Refer to:
IEC 61511 Part 1 section 11.5.3 Requirements for the selection of components and
subsystems based on prior use
11.5.3.1 Appropriate evidence shall be available that the components and subsystems are
suitable for use in the safety instrumented system.
11.5.3.2 The evidence of suitability shall include the following:
• demonstration of the performance of the components or subsystems in similar operating
profiles and physical environments;
• the volume of the operating experience.
NOTE For field devices, information relating to operating experience is mainly recorded
in the user’s list of equipment approved for use in their facilities, based on an extensive
history of successful performance in safety and non-safety applications, and on the
elimination of equipment not performing in a satisfactory manner. The list of field devices
may be used to support claims of experience in operation, provided that
- the list is updated and monitored regularly;
- field devices are only added when sufficient operating experience has been obtained;
- field devices are removed when they show a history of not performing in a satisfactory
manner;
- the process application is included in the list where relevant.
Testing is considered part of the monitor phase of safety lifecycle compliance.
CAPITAL PROJECTS
At a certain point in the safety life cycle compliance journey, a company will issue an edict that
all capital projects from this time forth shall be compliant with IEC61511. The rationale behind
this statement is obvious. Eventually one desires capital projects begin to close IEC61511
compliance gaps and more importantly not create any new gaps. This sounds simplistic, but it is
often problematic for most companies as IEC61511 work activities are not firmly engraved in the
corporation’s capital project execution workflow. This typically results in a learning curve and
some initial regret costs while changes are defined and adopted by the organization. Lack of
SIS competency within Engineering, Procurement and Construction (EPC) contractors and
even some Safety PLC manufacturers increases the severity of the learning curve and regret
costs.
This issue is further complicated by the types of capital projects that exist within a corporation.
For instance, capital projects can be generically described as follows:
Small projects executed by facility engineering
Medium projects executed by an EPC with a support contract that runs for ‘X’ years
Large projects executed by an EPC selected as part of the bidding process
In most instances, the management team and team members are different for each of the three
project groups above. This implies different priorities and rules of engagement. Thus, when
issuing the edict that all capital projects be compliant with IEC61511, one needs to recognize the
strengths and weaknesses of the various capital project execution groups within an
organization. Again the concept of a journey is emphasized as most companies adopt an
approach where the large projects are brought into compliance first, then the medium projects,
and finally small projects. Depending upon the size of the organization, this could once again be
an exercise lasting several years.
IEC61511 mandates two tasks that are invaluable to capital project execution. The first is
creation of the Safety Lifecycle Plan, and the second is execution of Functional Safety
Assessments.
IEC 61511 Part 1 section 6.2.3 For all safety life-cycle phases, safety planning shall take place
to define the criteria, techniques, measures and procedures to
• ensure that the SIS safety requirements are achieved for all relevant modes of the
process; this includes both function and safety integrity requirements;
• ensure proper installation and commissioning of the safety instrumented system;
• ensure the safety integrity of the safety instrumented functions after installation;
• maintain the safety integrity during operation (for example, proof testing and failure
analysis);
• manage the process hazards during maintenance activities on the safety instrumented
system.
IEC 61511 Part 1 section 5.2.6.1 Functional safety assessment
5.2.6.1.1 A procedure shall be defined and executed for a functional safety assessment in such a
way that a judgment can be made as to the functional safety and safety integrity achieved by the
safety instrumented system. The procedure shall require that an assessment team be appointed
which includes the technical, application and operations expertise needed for the particular
installation.
Ensuring capital projects consistently deliver safety lifecycle compliant solutions is usually seen
as an easy step and most companies begin tackling at least the large projects early in the safety
lifecycle journey. Getting small projects to consistently deliver safety lifecycle compliant
solutions is often deemed harder and is tackled later in the journey.
The Safety Lifecycle Plan should assess competency of key team members on the project. Thus,
if completed early in the project, competency issues can be identified, training programs and / or
mentorships established to increase the integrity of the project team. In a similar manner, the
Functional Safety Assessment will also review competency of the key team members, as well as
the validity of the PHA / LOPA and associated SIS documentation. Thus, by conducting Stage
1, 2 and 3 FSAs individually throughout the project, one can minimize far-reaching FSA findings
that could derail the project from a budget and / or schedule standpoint.
Capital project execution is considered part of the execution phase of safety lifecycle
compliance. However, it must also deliver data automation to support generation of leading
indicators that are critical in the monitor phase of the safety lifecycle.
SIS GRANDFATHERING DOCUMENTATION
Most companies start with the SIS Grandfathering Documentation as their first step on the safety
lifecycle compliance journey. Many of the other tasks in the compliance journey described
herein seem overwhelming and, as such, the company simply wants to assess IEC61511 gaps and
begin planning for gap closure. SIS Grandfathering Documentation as defined in this paper
consists of:
1. Conducting a PHA / LOPA
2. Selecting initial SILs for identified SIFs
3. Completion of an initial Safety Requirements Specification with C&E’s
4. Completion of initial SIL Verification Calculations
5. Completion of initial Functional Test Plans
Thus, one has baseline documentation in hand identifying how their existing installations fare
against the requirements of IEC61511. Gaps in compliance are identified and plans for gap
closure via capital projects or other means can be formulated and implemented.
This effort is often quite laborious at a brownfield installation. Often, it is tied to the existing
PHA / LOPA revalidation cycle, which, if a company is following a typical five-year PHA /
LOPA revalidation cycle, means it could take longer than five years to establish the compliance baseline
and then develop the subsequent gap closure mechanisms.
The difficulty in execution of this task is that one needs to be able to easily assess baseline SIS
Grandfathering Documentation gaps and simultaneously keep track of capital project changes /
impacts to SIFs during this grandfathering time period. Failure to easily assimilate capital
project modifications into the SIS Grandfathering Documentation will result in regret costs and
possibly delay funding of future gap closure activities. Consider the following scenarios:
A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering
Documentation was completed on both trains. One compressor fails and the corporation
makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need
to be tested, performance tracked, and the I/O count for a new Safety PLC for the unit
can be reduced reflective of the obsolete compressor train. In addition, these SIFs need
to be deleted from the applicable safety lifecycle documentation.
PHA made a recommendation to install redundant relief valves instead of multiple SIFs
associated with overpressure of multiple vessels tied to the flare. When process
engineering completed their review of the installation and preliminary PSV calculations,
it was determined that the second PSV was not feasible due to flare header sizing
concerns and possible back pressure issues. Thus, the initial SIS Grandfathering
Documentation needs to be updated to reflect the requirement for multiple new SIFs and
their associated I/O count added to the potential new safety PLC project.
A small capital project changes three switches to transmitters, on three different SIFs.
Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS
Grandfathering Documentation needs to be updated to reflect the additions, deletions and
modification requirements for these SIFs and the adjusted I/O count reflected in potential
new safety PLC project.
All of the changes (small, medium and large) that occur in a brownfield facility over the course
of the initial five years baseline development have the potential to create obsolete and stagnant
SIS Grandfathering Documentation. This is especially true when one recognizes that these
changes are occurring in parallel with the initial SIS Grandfathering Documentation efforts
themselves. A safety lifecycle software tool to manage the SIS Grandfathering Documentation
via a management of change work process is critical to success of this task.
SIS Grandfather Documentation execution is considered part of the execution phase of safety
lifecycle compliance.
ORGANIZATIONAL READINESS
With regards to this paper, organizational readiness refers to people whose job description
includes references to maintaining compliance with the safety lifecycle. This implies job
descriptions have been modified, training programs developed, corporate SIS procedures issued,
and management at the top of the corporation is supportive of safety lifecycle compliance.
Again, this sounds straightforward; however, this requires changes in the organization, which
may be met with resistance. To further complicate the issue of organizational readiness is the
fact that multiple groups within the organization need to align for this effort to be successful.
For instance, let us assume the company is structured as follows:
Operations – tasked with developing and implementing a day to day operations strategy
for running the facility safely with overarching production goals for sellable product
Maintenance – tasked with developing and implementing a day to day maintenance
strategy that supports operations in a safe manner
Process Safety – functions in a support and auditing role to ensure operations and
maintenance activities are safe
Facility Engineering – supports day to day trouble shooting of the plant and small
projects
Site Projects – supports medium projects to increase production or significantly de-
bottleneck a unit
Capital Projects – supports large projects to increase production, significantly de-
bottleneck a unit and design a new facility
For the five tasks to be successfully implemented within an organization, all of the above groups
must align to deliver a sustainable process safety culture. This culture has to be driven from the
top of the organization downward throughout the various groups.
As one reflects on his or her own organization, it is probably obvious that this cultural alignment
may be slow to gain momentum. Once again, this could be a multi-year effort and should be
factored into the overall planning for safety lifecycle compliance. Without personnel in the
organization that are accountable for delivering a sustainable safety lifecycle process, the full
benefits will not be realized.
Organizational readiness execution is considered part of the execution, monitor and sustain
phases of safety lifecycle compliance, as competent personnel are required throughout the
organization to support these activities.
EVERGREEN EXECUTION
The concept of evergreen documentation associated with the safety lifecycle is critically
important; however, most companies do not even realize this is an issue they should be
addressing. To better understand the concept of “evergreen”, let us consider the example from
above:
A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering
Documentation was completed on both trains. One compressor fails and the corporation
makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need
to be tested, performance tracked and the I/O count for a new Safety PLC for the unit can
be reduced reflective of the obsolete compressor train. In addition, these SIFs need to be
deleted from the applicable safety lifecycle documentation.
PHA made a recommendation to install redundant relief valves instead of multiple SIFs
associated with overpressure of multiple vessels tied to the flare. When process
engineering completed their review of the installation and preliminary PSV calculations,
it was determined that the second PSV was not feasible due to flare header sizing
concerns and possible back pressure issues. Thus, the initial SIS Grandfathering
Documentation needs to be updated to reflect the requirement for multiple new SIFs and
their associated I/O count added to the potential new safety PLC project.
Small capital project changes three switches to transmitters, on three different SIFs.
Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS
Grandfathering Documentation needs to be updated to reflect the additions, deletions and
modification requirements for these SIFs and the adjusted I/O count reflected in potential
new safety PLC project.
Therefore, the facility in question completes the initial PHA / LOPA from scratch at time zero.
The first project is as-built 6 months afterward, the second project as-built 9 months afterward
and the final project is as-built 1 year later.
What instrumentation needs to be included in the testing program 1 year after the initial base line
PHA / LOPA has been executed? If one of the projects increased occupancy in the unit, what is
the risk of bypassing PT-101? What SIF architectures need to be included in the SRS and
associated SIL Calcs? Have we added or deleted Safety Rated Alarms? Have we changed set
points with potential impacts to process safety time and overall safety operating limits for a piece
of equipment?
Given day-to-day changes that occur at a facility, it is imperative that an evergreen approach to
the PHA / LOPA is adopted. With the PHA / LOPA maintained in an evergreen fashion, the
normal typical Management of Change (MoC) process would ensure the associated changes to
downstream deliverables would be maintained just like P&ID’s are today.
Maintaining the PHA / LOPA in an evergreen fashion can be readily achieved with new safety
lifecycle software tools now available in the marketplace. Prior to the existence of these new
safety lifecycle software tools, it was extremely difficult to maintain an evergreen PHA / LOPA,
and as such, most companies did not even attempt this approach.
Another issue facing the use of the PHA / LOPA results to drive the facility’s mechanical
integrity program is the qualitative process used to assess risk. This problem can be readily
rectified and will be the subject of future papers. However, it will require the process safety
organization and the industry itself to recognize the need for change.
Evergreen execution is considered part of the sustain phase of safety lifecycle compliance.
PROCESS SAFETY ROADMAP
To cost effectively tackle the five tasks noted below, an overall roadmap for success needs to be
defined.
Testing
Capital Projects
SIS Grandfathering Documentation
Organizational Readiness
Evergreen Execution
This proven roadmap embodies how to:
Perform a site assessment against the five required tasks
Develop a multi-year cost effective compliance program
Utilize safety lifecycle software tools to “simplify” maintenance of process safety related
documentation in an evergreen fashion
Realize the benefits of leading / lagging indicators early in the program to improve the
process safety performance of the facility / corporation
Each of these roadmap steps will be described in more detail below.
SITE ASSESSMENT
The best approach to determine where to start, or more typically the most efficient means
to finish, the safety lifecycle compliance journey is to conduct a detailed site assessment. This
assessment is comprised of documentation reviews, corporate and local site policy / procedure
reviews, personnel competency interviews and walk down of SIFs at the site itself. It will
document current work practices related to the safety lifecycle. It will also document a data flow
diagram noting sources and quality of data required to support automation of the safety lifecycle.
The assessment focuses on each of the five tasks:
Testing
Capital Projects
SIS Grandfathering Documentation
Organizational Readiness
Evergreen Execution
Each of these five tasks will be reviewed and assigned a grade of 0 to 100%. Short term,
medium term and longer-term action plans will be created for each task. Thus, a site specific
and / or overall business unit specific execution plan can be generated to ensure cost effective
and efficient safety lifecycle compliance. Figure 1 below is an example on how one can depict
the site assessment results graphically.
Figure 1 – Typical Results of Site Assessment
Site assessment execution is considered part of the execution phase of safety lifecycle
compliance.
PLANNING
Once the site assessment has been completed, a multi-year plan can be systematically laid out
that takes into account staffing, training, and workflow / work process coordination with the
overarching goal of minimizing regret costs, while efficiently finishing the safety lifecycle
compliance journey. Based upon site best practices, existing status of documentation and data,
and current initiatives, unique plans may be required for different sites within a business unit as a
whole.
However, with a sound execution plan that recognizes the unique interactions between the five
tasks, the initially overwhelming concept of safety lifecycle compliance can now be reduced
simply to a project management issue. Assuming organizational support from the top down,
safety lifecycle compliance should now be readily obtainable via a systematic approach that
“eats the elephant” one bite at a time. Thus, through planning a very complex process can be
broken down into small and readily measurable, and achievable, steps.
The most important concept to recognize regardless of the site assessment results is that the
scheduling of the five tasks is a finish-to-finish effort. The individual tasks may have initial
staggered starts, but all tasks must finish together to minimize regret costs. Figure 2 below is a
sample milestone schedule that highlights the finish-to-finish requirements. Failure to recognize
and address this fundamental scheduling issue in an organization could result in a never ending
“cycle of chasing one’s tail” in an effort to achieve steady state compliance with the safety
lifecycle.
Figure 2 – High Level Milestone Schedule for Finishing the Safety Lifecycle Journey
Planning execution is considered part of the execution phase of safety lifecycle compliance.
LEADING / LAGGING INDICATORS
Generation of meaningful leading / lagging indicators is ultimately how the compliance with the
safety lifecycle increases the process safety performance of a facility and eventually the entire
process industry. With measurement, one can now track performance versus requirements. It is
through this cycle of monitoring and sustaining the facility via offensive instead of defensive
corrective actions that truly positive changes can occur. The invisible becomes visible and more
importantly actionable.
The process industry has recognized the requirements for leading / lagging indicators through
issuance of the Baker Report following the BP Texas City event, issuance of API 754 and ISA
TR84.00.04 annex R. The UK’s Health and Safety Executive (HSE) has published guidance on
benefits and requirements for leading / lagging indicators, and so on. So, with the
process industry recognizing the need for leading / lagging indicators, why is their use not
commonplace? The answer is that the data required to be measured is often scattered in multiple
sources (some electronic and some in paper format only) within an organization and this data is
not typically readily usable as it stands today. This is further complicated, as discussed in the
Organizational Readiness section, by the fact that multiple groups, working in distinct silos and
often using different toolsets, are each responsible for pieces of the big picture. Thus, the greatest
benefit of safety lifecycle compliance journey is typically the last step most companies
undertake. With the generation of new safety lifecycle software tools and implementation of the
compliance roadmap contained herein, generation of meaningful leading / lagging indicators is
relatively straightforward. In fact, depending on the site planning, meaningful leading / lagging
indicators can be generated very early in the compliance journey. Thus, one does not necessarily
need to wait for years before compliance benefits can be measured. As an example, consider the
following:
PHA / LOPA assumes a pressure regulator fails once every ten years with a potential
to rupture a vessel with a possibility for a vapor cloud explosion with potential
fatalities. Actual demand tracking has indicated the pressure regulator has failed 3
times in the last 3 years.
A SIF has been installed to protect the above vessel against pressure regulator failure.
It consists of a pressure transmitter, safety PLC and on/off block valve. The SIL
Verification calculations assumed the SIF would be tested annually. However, it has
been 24 months and the SIF has not been tested.
Bypass criteria have been established for the same SIF and were selected as 72 hours.
By reviewing and aggregating bypass records, it is shown that over the last 3 years the
SIF has been bypassed 12 times for a total of 300 hours.
Generic data, which assumed a dangerous undetected failure rate of once every 50
years, was used in the initial SIL Verification calculation for the transmitter in the
above SIF. Real world testing has yielded an actual failure rate of once every 5 years.
Each of the four bullets above indicates a potential problem with the performance of the SIF in
question. By associating these issues with their PHA / LOPA scenario (i.e. potential fatality), so
that the importance of this SIF being available is clearly demonstrated to operations, we can
ensure that resolution of these bad actor events is prioritized above the other day to day issues
that occur. Thus, corrective work orders can be generated and aggressively worked to ensure the
SIF performance is in line with the risk analysis assumptions. Using the risk based approach
contained in the safety lifecycle, we have now positioned the facility to identify bad actors and
correct them before a loss of containment event occurs. In many instances in the past, the above
four bullets would be lost in the noise of the multitude of other bad actor events that occur on a
daily basis. That noise contains events that impact product quality, commercial impacts to
equipment, etc., plus a smaller scattering of events which, if ignored, could lead to loss of
containment. Thus, much the same way alarm rationalization assigns alarm priorities to
communicate to operations the order in which to respond to alarms, process safety leading /
lagging indicators allow operations and maintenance to prioritize resolution of possible loss of
containment bad actors. In the past, identification of process safety bad actors might only have
occurred as a result of a root cause analysis following a near miss or loss of containment event.
This is where the invisible becomes visible and, more importantly, actionable.
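As an added example (not part of the original paper or any aeSolutions product), the following Python evaluates the four indicators above for the pressure-regulator SIF and compares each observation against the assumption it breaches. All record values are constructed to mirror the bullets; the required RRF, the individual bypass durations and the simplified 1oo1 PFDavg formula (lambda_DU × TI / 2) are assumptions, not figures from the paper.

```python
from dataclasses import dataclass

@dataclass
class SifRecord:
    """Data an evergreen SIS engine would hold for one SIF; all values here are constructed."""
    assumed_demand_per_yr: float   # initiating event frequency credited in the PHA / LOPA
    demands: int                   # demands actually recorded in the window
    demand_window_yrs: float
    test_interval_yrs: float       # proof test interval assumed in the SIL Verification
    months_since_test: float
    bypass_limit_hrs: float        # bypass criterion per event
    bypass_hours: list             # duration of each bypass in the window
    assumed_lambda_du: float       # generic dangerous undetected failure rate (per year)
    observed_lambda_du: float      # rate derived from field testing (per year)
    required_rrf: float            # risk reduction factor the LOPA requires of this SIF (assumed)

def pfd_avg_1oo1(lambda_du, test_interval_yrs):
    """Simplified single-channel PFDavg = lambda_DU * TI / 2 (assumption: 1oo1, no CCF or repair terms)."""
    return lambda_du * test_interval_yrs / 2.0

def evaluate_sif(r):
    """Return {indicator: (observed, assumed, flagged)} so each bad actor is traceable to its assumption."""
    elapsed_yrs = r.months_since_test / 12.0
    effective_ti = max(elapsed_yrs, r.test_interval_yrs)   # an overdue test stretches the real interval
    demand_rate = r.demands / r.demand_window_yrs
    over_limit = [h for h in r.bypass_hours if h > r.bypass_limit_hrs]
    bypass_unavail = sum(r.bypass_hours) / (r.demand_window_yrs * 8760.0)   # fraction of window bypassed
    assumed_pfd = pfd_avg_1oo1(r.assumed_lambda_du, r.test_interval_yrs)
    actual_rrf = 1.0 / pfd_avg_1oo1(r.observed_lambda_du, effective_ti)
    return {
        "demand_rate_per_yr": (demand_rate, r.assumed_demand_per_yr, demand_rate > r.assumed_demand_per_yr),
        "test_overdue": (elapsed_yrs, r.test_interval_yrs, elapsed_yrs > r.test_interval_yrs),
        "bypass_events_over_limit": (len(over_limit), 0, bool(over_limit)),
        # time spent bypassed is unavailability the SIL Verification never credited
        "bypass_unavailability": (bypass_unavail, assumed_pfd, bypass_unavail > assumed_pfd),
        "rrf": (actual_rrf, 1.0 / assumed_pfd, actual_rrf < r.required_rrf),
    }

def bad_actor_indicators(r):
    """Names of the indicators that breached their PHA / LOPA or SIL Verification assumption."""
    return sorted(name for name, (_, _, flagged) in evaluate_sif(r).items() if flagged)

# Constructed record mirroring the four bullets in the text (bypass durations and RRF are hypothetical).
EXAMPLE_SIF = SifRecord(
    assumed_demand_per_yr=0.1, demands=3, demand_window_yrs=3.0,
    test_interval_yrs=1.0, months_since_test=24.0, bypass_limit_hrs=72.0,
    bypass_hours=[10, 15, 20, 25, 80, 10, 20, 30, 15, 25, 20, 30],   # 12 events, 300 h total
    assumed_lambda_du=1 / 50, observed_lambda_du=1 / 5, required_rrf=100.0,
)
```

With these inputs the credited RRF of 100 collapses to 5 once the observed failure rate and the stretched test interval are used, and the bypass time alone exceeds the PFDavg the calculation assumed.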
Figure 3 – Typical Leading / Lagging Indicator Dashboard
Leading / Lagging Indicator execution is considered part of the monitor and sustain phases of
safety lifecycle compliance.
SAFETY LIFECYCLE SOFTWARE TOOLS
The fundamental key to safety lifecycle compliance is that it must be “simple” to maintain. This
implies existing staff with training and awareness can readily maintain the safety lifecycle
documentation in an evergreen fashion once the program is up and running. Note, it is assumed
that outside assistance by a specialty process safety engineering firm is typically required to
support the organization with execution of the initial site assessment, planning and starting the
five tasks noted below:
- Testing
- Capital Projects
- SIS Grandfathering Documentation
- Organizational Readiness
- Evergreen Execution
The reason is that most corporations do not have the expertise and / or available labor to set up
the safety lifecycle compliance program. Without safety lifecycle software tools that have been
specifically designed to handle the work process contained in this paper, there will be nothing
“simple” about the safety lifecycle compliance journey. Key functionality that is mandatory in
the safety lifecycle software tools is as follows:
- Enterprise level tool
- Evergreen PHA / LOPA with ability to support multiple concurrent projects
- PHA / LOPA results fed directly into SIS engine
- Evergreen SIS engine with ability to support multiple concurrent projects
- Evergreen SIS engine to generate all SIS documentation – SIL Verification Calculations,
  Safety Requirements Specification, C&E’s, Functional Test Plans, Protection Layer
  Requirements Specification, Protection Layer Test Plans
- Evergreen Gap Tracking module
- Override Risk Assessment Module tied to PHA / LOPA and SIL Verification
  Calculations
- Generation of Leading / Lagging Indicators that expand / collapse as you move through the
  enterprise
At the time of the writing of this paper, the authors are aware of at least one set of safety
lifecycle software tools that meets all of the above criteria. Thus, “simple” safety lifecycle
compliance is now readily available in the marketplace today.
Here are some examples of why a comprehensive tool as described above is required:
1. While walking down P&ID’s, it was discovered that an instrument tag # for a pressure
   transmitter was incorrect. If this change can be made in one place (i.e. the PHA) and then
   its use is automatically corrected in all downstream documentation (LOPA, SIL Calc,
   SRS, C&E, Functional Test Plan, etc.), it would be “simple” to maintain.
2. The corporation changes the tolerable risk criteria associated with its risk matrix. If this
   change can be made in one place (i.e. the PHA) and then its use is automatically corrected in
   all downstream documentation (LOPA, SIL Calc, SRS, C&E, Functional Test Plan, etc.), it
   would be “simple” to maintain.
3. Failure data has been collected for a given family of pressure transmitters and a new
   dangerous undetected failure rate calculated that takes into account process service,
   installation specifics, make / model and maintenance practices. If the new failure rate
   data could be assigned in one place (i.e. the SIS engine) and the 500 SIL Calculations that
   use this type of pressure transmitter automatically updated, it would be “simple” to
   maintain.
Safety Lifecycle Software tools are critical and considered part of the execution, monitor and
sustain phases of safety lifecycle compliance.
CONCLUSION
Through living and breathing safety lifecycle compliance with numerous end user companies
since aeSolutions’ formation in 1998, we have developed a proven and simplified approach to
cost effectively meeting the requirements of IEC61511: Functional Safety – Safety Instrumented
Systems for the Process Industry Sector. The roadmap as defined herein is as follows:
1. Conduct a site assessment focusing on the following five tasks:
   - Testing
   - Capital Projects
   - SIS Grandfathering Documentation
   - Organizational Readiness
   - Evergreen Execution
2. Complete planning of a multi-year compliance program based upon the site assessment
   results
3. Obtain a safety lifecycle software tool that meets the requirements contained in this paper
4. Begin a finish to finish project execution of the five tasks noted in step 1
By adopting this roadmap one can cost effectively realize the benefits of the safety lifecycle,
which can be summarized as follows:
1. Execute safety lifecycle documentation
2. Monitor leading process safety indicators
3. Sustain safe unit operations through corrective actions
The purpose of IEC61511 is to ensure that the assumptions made in the risk analysis regarding
availability of protection layers match the actual real world performance as witnessed in the
field. This real world data can also be leveraged to increase availability of the process unit as a
whole and make positive impacts on production itself.
DISCLAIMER
Although it is believed that the information in this paper is factual, no warranty or representation,
expressed or implied, is made with respect to any or all of the content thereof, and no legal
responsibility is assumed therefore. The examples shown are simply for illustration, and, as
such, do not necessarily represent any company’s guidelines. The reader should use data,
methodology, formulas, and guidelines that are appropriate for their own particular situation.
REFERENCES
1. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Safety-related Systems,
   Parts 1-7, Geneva: International Electrotechnical Commission, 1998.
2. IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector,
   Parts 1-3, Geneva: International Electrotechnical Commission, 2003.
3. HSEG254, Developing Process Safety Indicators, Health and Safety Executive, 2006.
4. COMAH, Control of Major Accident Hazards, Process Safety Performance Indicators,
   Health and Safety Executive, 2012.
5. API 754, Process Safety Performance Indicators for the Refining and Petrochemical
   Industries, American Petroleum Institute, 2010.
6. ISA TR84.00.04 Part 1 – 2011, Guidelines for the Implementation of ANSI/ISA-84.00.01-
   2004 (IEC 61511 Mod), International Society of Automation, 2011.
ABBREVIATIONS AND DEFINITIONS
API – American Petroleum Institute
EPC – Engineering Procurement Construction
HSE – Health and Safety Executive
IEC – International Electrotechnical Commission
ISA – International Society of Automation
LOPA – Layer of Protection Analysis
PFDavg – Average Probability of Failure on Demand
PHA – Process Hazard Analysis
RRF – Risk Reduction Factor
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
SIS – Safety Instrumented System