Inspired by “Conducting an Effective Functional Safety Assessment,” presented at ISA PIC 2019—Process Industry Conference.
by Greg Hardin
The ISA/IEC 61511 standard defines a functional safety assessment as [an] “investigation, based on evidence, to judge the functional safety achieved by one or more safety instrumented systems and/or other protection layers.” The standard describes five stages where functional safety assessments may be performed:
1. After the hazard and risk assessment has been carried out, the required protection layers have been identified, and the safety requirements specification has been developed.
2. After the safety instrumented system has been designed.
3. After the installation, pre-commissioning, and final validation of the safety instrumented system have been completed and operation and maintenance procedures have been developed.
4. After gaining experience in operation and maintenance.
5. After modification and prior to decommissioning of a safety instrumented system.
The earlier the assessments are done, the sooner potential problems may be identified, and the quicker, easier, and cheaper it will be to implement any changes. After all, it’s easier and cheaper to fix things on paper than after the system is built. The first edition of the standard mandated an assessment only at stage 3. That’s simply too late to achieve any real benefit. The second edition also mandated stage 4, which was added to ensure that assumptions made in the design phase were not unrealistic (as experience has shown they often have been). But mandating only stages 3 and 4 still misses the potential benefits of performing stage 1 and/or stage 2 assessments.
But what about a stage 0 assessment? While not covered in the standard, a stage 0 assessment could be used to identify problems even earlier. Stage 0 would follow clause 9, “allocation of safety functions to protection layers”: after safety functions have been identified and SIL targets have been set, yet before detailed specification and design begin. A stage 0 assessment could identify where frequency and/or severity assignments may have been too conservative, resulting in the over-specification of safety instrumented functions. One example would be the specification of an unusually high safety integrity level (e.g., SIL 3) for burner management system purge functions. Similarly, if too much credit were taken for non-instrumented protection layers, the performance required of the associated instrumented functions may be understated. A stage 0 assessment could keep people from even entering the proverbial rabbit-hole (i.e., starting from an incorrect design) altogether!