by Emily Henry, PE, CFSE
As best stated in the IEC 61511-2 standard, “the purpose of adopting a systematic safety lifecycle approach towards a safety instrumented system (SIS) is to ensure that all the activities necessary to achieve functional safety are carried out and that it can be demonstrated to others that they have been carried out in an appropriate order.” Conforming to the ISA84/IEC 61511 design and management requirements for a SIS throughout a process safety project requires attention to detail at every step of the lifecycle, and a well-established site or corporate SIS guideline can help set a company up for success. This blog describes key considerations in developing SIS guidelines, with the SIS lifecycle generalized into three main sections: Concept Through Startup, Operations and Maintenance, and Management of Functional Safety and Lifecycle Planning.
Concept Through Startup
Concept Through Startup encompasses Phases 1 through 4 of the IEC 61511 standard, which include hazard and risk assessment, allocation of safety functions to protection layers, the Safety Requirements Specification (SRS), and design of a SIS.
A hazard and risk assessment is the starting point since it sets the foundation of the overall hazard level at a site. The team should identify any significant hazards or concerns and establish the need for a SIS based on the plant design and operating system. The company’s risk tolerance is also a key consideration, since a low hazard site with a very tight risk tolerance may drive more need for a safety system than a high hazard site with a low risk tolerance.
It is also important to understand what categories of risk drive the need for the safety system. There are two risk drivers sites must consider at a minimum – the Occupational Safety and Health Administration (OSHA) requiring both onsite and offsite personnel safety and the Environmental Protection Agency (EPA) requiring environmental protections. Other risk drivers a facility may be concerned about are financial and reputational drivers.
Once hazards have been identified, the next step is to establish the safety system requirements. A conceptual specification can help provide an overall picture of the whole system before diving into the details of the individual protection layers involved. For example, a big picture concept is to differentiate between the basic control system and the safety system. Basic control systems are the first response to maintain continuous operation with the end goal of a profitable product; safety systems focus on operating the plant safely and are initiated if the control system does not return the process to a normal state, ideally without significantly impeding the operability or profitability of the site.
The Safety Requirements Specification (SRS) dives into the detailed requirements; a well-honed SRS includes the requirements for all the SIS lifecycle stages described in IEC 61511. Further details may be incorporated on how the basic process control system (BPCS) and SIS communicate (e.g., gateway, hardwired connections, etc.) as well as how the SIS interfaces with other systems. SIS design can encompass fine-tuned details that are not readily meaningful to an audience at large and may only be truly meaningful to those performing safety verification calculations. For this reason, a corporate SIS program ideally provides well-grounded templates, document samples, and guidance for creation of new documents. It also clearly defines what should be covered in the site or corporate SRS. The details should be understandable and not buried in other documents to maximize consistency and minimize human factors error.
Operations and Maintenance
Operations and Maintenance encompasses Phases 5 through 8 of the IEC 61511 standard, which includes safety system installation, commissioning and validation, operation and maintenance, modification, and decommissioning.
Once a process has been installed and commissioned, it needs to be actively operated and maintained. Several years of operating experience with a safety system are typically needed before a Functional Safety Assessment (FSA) can truly reveal trends in how the SIS responds to process deviations.
If a SIS needs to be modified or decommissioned, a Management of Change (MOC) is essential to flag whether the modification is Process Safety Management (PSM) oriented and whether a Process Hazard Analysis (PHA) for the change is required. MOCs are a key consideration in reducing human factors errors during SIS modification since they help control system access and provide a vendor management list and/or an approved critical devices list. This allows anyone replacing SIS devices or doing maintenance work to recognize which devices are approved for use in critical safety service. Critical device lists are most effective when they are orderly, easy to interpret, and easy to access. Properly managing all the pieces and parts during decommissioning must be addressed as well. Sometimes only a portion of a SIS – such as a single loop – may be decommissioned, while other times the entire SIS may be decommissioned to upgrade to a newer system.
Management of Functional Safety and Lifecycle Planning
Management of Functional Safety and Lifecycle Planning encompasses Phases 9 through 11 of the IEC 61511 standard. These phases cover safety system verification, management of functional safety, FSAs and audits, and safety lifecycle structure and planning.
Clause 5.2.2 of Phase 10 describes the organizational structure necessary to ensure that roles dedicated throughout the SIS lifecycle are clearly defined and personnel have the skills for their respective responsibilities. It is key to know who will be involved in the safety system lifecycle including corporate leaders, site personnel, contractors, vendors, in addition to how they will be managed (e.g., training, extent of accountability, etc.). The SIS lifecycle management program should be defined in such a way that every person involved is aware of the importance of any decisions made around the SIS as well as their part within the process of making or implementing those decisions. Participants in safety lifecycle management must also understand what constitutes proper execution of duties to fulfill their lifecycle responsibility functions in a timely manner. The corporate or site SIS lifecycle management program should also minimize the possibility of a project team preference driving crucial safety decisions as opposed to IEC 61511 requirements.
A later clause of Phase 10 describes the SIS auditing process. Audits are required to assess the SIS over time to ensure it continues to meet the requirements of the IEC 61511 standard. As a SIS continues through each phase of the lifecycle, independent audits check for any potential safety risks or human error and ensure the people involved are properly trained and capable of competently fulfilling their duties.
Safety lifecycle structure and planning is covered in Phase 11. Key planning considerations when preparing a corporate or site SIS standard are to define in advance an agreed upon safety lifecycle for the SIS that will be implemented; to map out each phase and stage shown in Figure 8 of IEC 61511, taking into account assumptions or information that may not be available until later phases; and to identify the techniques needed to carry out each phase. After laying out a lifecycle roadmap, the agreed upon details – such as design parameter assumptions for SIL verification, failure rate data, and the effectiveness and approved type of proof test to be carried out – should be incorporated into the corporate or site SIS guidelines.
When planning how to implement the SIS application program, consideration should be given to device degradation. For example, will devices have internal diagnostics available? Will they output a fault signal under specific conditions? Will any kind of deviation alarming be implemented between devices? Should a device fault trip the process, on the assumption that there could be a hazardous state that the process is not protected against? Or will the operator be allowed time to identify the fault, correct it, and continue to run the process safely? When these decisions are made, other safeguards should be acknowledged as well. For instance, sites may desire to allow the SIS to “ride through” a received fault signal if there are redundant field devices installed (unless it is the last protected device), or sites may desire not to allow the system to “ride through” a received fault signal if there are no redundant safeguards available.
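The fault-handling decisions above can be written down as an explicit policy so that the guideline, the application program, and the proof-test records all agree on what a fault signal does. The following added example (not from the original post or any vendor's logic solver) models a single MooN voting group with a constructed ride-through policy; the degraded-voting rule (drop faulted devices from the vote, so 2oo3 becomes 1oo2), the `min_available` threshold standing in for the post's "last protected device", and the repair-time limit are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class DeviceState(Enum):
    HEALTHY = "healthy"   # device reports normal, no trip demand
    TRIPPED = "tripped"   # device demands a trip
    FAULTED = "faulted"   # internal diagnostics reported a fault


@dataclass(frozen=True)
class FaultPolicy:
    ride_through: bool      # keep running on a device fault while redundancy remains
    max_fault_hours: float  # time the operator is allowed to repair before a forced trip
    min_available: int = 1  # devices that must stay usable; below this a fault trips (assumed)


def evaluate(states, m, policy, fault_hours=0.0):
    """Decide the action for an MooN voting group from per-device states.

    Returns (action, reason) where action is "run", "alarm" (running degraded)
    or "trip". Degraded voting is modelled by removing faulted devices from the
    vote, so a 2oo3 group with one faulted device votes 1oo2 (an assumption).
    """
    n = len(states)
    faulted = sum(s is DeviceState.FAULTED for s in states)
    tripped = sum(s is DeviceState.TRIPPED for s in states)
    available = n - faulted

    if faulted == 0:
        if tripped >= m:
            return "trip", f"{m}oo{n} trip demand reached"
        return "run", "all devices healthy"
    if not policy.ride_through:
        return "trip", "device fault received and ride-through not permitted"
    if available < policy.min_available:
        return "trip", "fault on the last available device"
    if fault_hours > policy.max_fault_hours:
        return "trip", "fault not repaired within the allowed time"
    m_eff = max(1, m - faulted)  # degraded voting after dropping faulted devices
    if tripped >= m_eff:
        return "trip", f"degraded {m_eff}oo{available} trip demand reached"
    remaining = policy.max_fault_hours - fault_hours
    return "alarm", f"running degraded as {m_eff}oo{available}, repair due in {remaining:g} h"
```

Running the same device states through a policy with `ride_through=False` shows how the two site preferences described above differ only in this one decision, which is why the guideline should record it explicitly.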
Proper documentation control is absolutely critical to managing site or corporate SIS standards as well. The site or corporate SIS standards and any associated documents need to not only be easy to understand but also readily available and accessible to anyone who may need to reference them. Files should be saved in an intuitive and logical folder location and should not be stored exclusively on any vendor system.
Finally, timeliness is a key consideration to establishing corporate or site SIS standards. Critical decisions made after the PHA and before detailed SIS design have significant impacts later in the lifecycle – such as financial risk due to late discoveries on capital projects. Simply put, the sooner a standard is agreed upon and implemented, the better. If you want a consistent and meaningful approach, consider developing your site or corporate SIS standard before design has been completed. One caveat is the corporate or site SIS standard should be established with a full understanding of the SIS in advance. If you are new to PSM or SIS, consider selecting a process safety consultancy with deep experience and expertise to assist you in navigating the IEC 61511 safety lifecycle from hazard and risk assessment through design, commissioning, and operations. SIS lifecycle decisions can be extremely costly and unnecessary if reviewed through too conservative a lens, while other lifecycle decisions can be dangerous if not reviewed through enough of a conservative lens. The key is to find the right balance and level of detail appropriate to your facility to avoid unnecessary costs or unmitigated safety risk.
Keywords: ISA-61511 IEC 61511 SIS Corporate Standards Program Development Functional Safety Planning