By Dr. Angela E. Summers, PhD, PE
In September 2004, the European Committee for Electrotechnical Standardization (CENELEC) and the American National Standards Institute (ANSI) accepted a new process sector standard. With its adoption, this standard becomes the primary driving force behind the work processes that should be followed to design and manage safety instrumented systems (SIS). These systems consist of the instrumentation and controls intended to achieve (or maintain) a safe state with respect to a specific process risk. This standard is IEC 61511, or EN IEC 61511, or ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod). This article concerns the United States version, which will be referred to as S84.01-2004.
S84.01-2004 is identical to IEC 61511 with one exception. The United States added a “grandfather clause” for existing SISs. The standard integrates the various process safety management approaches used successfully throughout the world. The SIS lifecycle provides a framework for the various activities that are considered essential to the assessment, design, maintenance, inspection, testing, and operation of SIS. A quality management system is also defined to minimize the systematic errors during major project phases, such as:
- Hazard assessment
- Engineering, Installation, Commissioning, and Validation
- Operating and Maintenance
- Change management
The standard uses a performance metric, the safety integrity level (SIL), to establish order of magnitude levels of analysis, design, diagnostics, testing, and management rigor. The SIL is related to the risk reduction allocated to the SIS to mitigate a specific process risk to a tolerable level.
A new technical report, ISA TR84.00.04, titled “Guideline on the Implementation of ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod),” will soon be released by the SP84 committee. The technical report is divided into two parts. Part 1 describes the differences between S84.01-1996 and S84.01-2004 and addresses a variety of topics in a series of annexes. Part 2 is an example of the implementation of the new standard on a hypothetical SIS project. Some topics of particular interest in TR84.04 are:
- Evaluation of the applicability of the grandfather clause
- Management of functional safety (e.g., identification of worker roles and responsibilities)
- Selection of SIS devices
- Basic Process Control System and its relationship to the SIS
- Operator initiated safety function – human error considerations
This article will now focus on the grandfather clause and its implications to existing instrumentation and controls. S84.01-2004 should be incorporated into the design premise of any new or expanded process unit and into the design specification for the upgrade of existing SIS.
S84.01-2004 Part 1 Clause 1y is considered the “grandfather clause” and states the following:
“For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g. ANSI/ISA 84.01-1996), the owner/operator shall determine and document that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”
This grandfather clause is similar to the one contained in S84.01-1996, which was developed by the ISA SP84 committee to document the instrumentation and controls lifecycle associated with OSHA 1910.119 Process Safety Management. OSHA specifically requested that a grandfather clause be included when they reviewed S84.01-1996. After confirming its presence, OSHA issued a letter acknowledging the standard as representing good engineering practice.
However, making a claim that an existing system meets the intent of the grandfather clause should not be taken lightly. The Clean Air Act Amendments require owners/operators “to design and maintain a safe facility.” OSHA requires that owners/operators provide a place of employment that is “free from recognized hazards.” When investigating incidents, OSHA looks to current good engineering practices to benchmark the owner/operator design and management practices.
As an example, consider an OSHA citation issued 10/22/2004 to Formosa Plastics Corporation, Illiopolis, Ill. The citation was related to an April 23, 2004 explosion in which five workers died, three workers were seriously injured, and the facility was seriously damaged. Numerous items were cited, but three items are particularly notable.
First, citation 1 item 7a specifically referenced S84.01-1996 (accepted as an ANSI standard in 1997):
“…did not document that its PVC1 and Past programmable logic controllers (PLC) and distributed control systems (DCS), installed prior to 1997, complied with recognized generally accepted good engineering practices such as ANSI/ISA 84.01, ‘Application of Safety Instrumented Systems for the Process Industries,’ the current consensus safety standard for such systems in that the devices were not being maintained, inspected, tested and operated in a safe manner as no maintenance was being done on the units, no inspections or tests were done, and the access to them was not controlled.”
When an owner/operator has an incident, its practices are compared to published good engineering practices. It is the responsibility of the owner/operator:
- To determine that existing SISs meet the intent of the grandfather clause
- To document the operating, testing, inspection and maintenance conditions under which this will remain true.
It is important to recognize that the “grandfather clause” only addresses the SIS devices that were installed and commissioned prior to the issuance of S84.01-2004. It does not cover the management system aspects of the standard. The following requirements are applicable to all SIS whether existing, modified, or new:
- Documentation (e.g., the safety requirements specification)
- Procedures (e.g., operation, maintenance, bypassing, and testing)
- Failure tracking (e.g., process demands and dangerous failures)
- Management of change
Changes that potentially impact the SIS requirements should be evaluated through a management of change process. The need to make changes in the process, its control system, its non-SIS protection layers, and its SIS often defines when the “grandfather clause” is no longer applicable.
A second notable item in the OSHA citation is Item 8d, which made specific reference to determining “the required safety integrity levels, as per ANSI/ISA 84.01) of its PLCs and DCS, critical control and safety-instrumented systems.” The new standard includes specific requirements for the assessment of the instrumented systems used to mitigate process risk. A work process provides the key steps in defining the required functionality and risk reduction for the safety functions allocated to the safety instrumented system. The risk reduction requirements are compared to order of magnitude ranges provided in tables in S84.01-2004 to assign the safety integrity level (SIL) to the safety instrumented system.
The third citation related to this paper is Item 24, which concerned the company’s management of change process. The company was cited for not implementing a process “to address the technical impact, as well as the safety and health impact of … (b) Changes made in the staffing level of the plant in 2002 and 2003 to the maintenance staff as it impacted the ability to perform necessary inspections and tests to meet the requirements of the company’s mechanical integrity program.” S84.01-2004 includes a management system that requires, among other things, the identification of the resources responsible for carrying out each lifecycle phase, such as operation, testing, and maintenance.
Draft ISA TR84.00.04
According to draft ISA TR84.04 (expected to be released formally this year), there are two essential steps to determine the applicability of the grandfather clause:
- Confirm that a hazard and risk analysis has been done to determine qualitatively or quantitatively the level of risk reduction needed for each SIF in the SIS.
- Confirm that an assessment of the existing SIF has been performed to determine that it delivers the needed level of risk reduction.
TR84.04 states that, if the above activities have not been done, they should be scheduled for review at the next appropriate opportunity. The evaluation of the SIF should take into account various factors, such as device failure rates and associated design, operation, maintenance, testing, inspection and change management practices. TR84.04 Annex A provides examples of eight grandfather clause methods submitted by SP84 committee members.
The first step in addressing the grandfather clause is the development of a method for “determining and documenting” the applicability of the grandfather status of the SIS. Local regulations, applicable codes and insurance practices sometimes require that specific industrial standards be followed. In all cases, it is the owner/operator who is ultimately responsible for establishing the policies that support safe operation, including the evaluation of existing infrastructure against good engineering practices, such as S84.01-2004.
It is important that the method integrate with the existing process safety management (PSM) program. Management of change and process hazards analysis revalidations drive the re-evaluation of process risk and could challenge the appropriateness of a grandfather claim. Various study findings will require prioritization and action plans. Work processes and procedures developed for PSM should be leveraged.
When deciding the priority of evaluations or the aggressiveness by which a facility is reviewed, it is important to consider, among other factors, the risk potential and anticipated gaps with the new standard. Those who complied with the intent of the 1996 version of the standard or with other recognized industrial standards should find very few gaps. Those who have not kept pace with their industrial peers may find significant gaps.
Once an owner/operator determines that the existing SIS does not meet the intent of the grandfather clause (i.e., “…the equipment is designed, maintained, inspected, tested, and operating in a safe manner”), there should be a defined decision-making process to address the identified deviations. The resolution of the identified deviations should be directed at maintaining process safety. When there is a negative gap between the requirements and reality, these gaps must be addressed. Gaps are often managed based on the size of the gap and the nature of the process risk (e.g., frequency and consequence) associated with the potential event. Many companies use a risk-ranking matrix to rank process hazards analysis recommendations. Similar work processes can be used to develop action plans for closing the gaps.
The challenge facing many owner/operators is that they have not previously classified their automatically initiated shutdowns, so they do not know which ones fall under the umbrella of the standard and which ones do not. At many facilities, shutdowns are grouped under categories, such as emergency shutdown systems, interlocks, critical instruments, etc. No distinction is made between safety, environmental, asset, or business interruption risks.
However, S84.01-2004 applies to the mitigation of safety risks and catastrophic environmental events. Other instrumented systems are often installed to mitigate economic or asset risks, but these systems are generally implemented using management systems that are specific to them. In general, a large percentage of the automatically initiated shutdowns are for asset or economic protection. A hazard & risk analysis can be used to identify those functions that are required for safety and to define their functionality and risk reduction requirements. Once the SIF have been defined, the performance of the installed SIF can be compared to the requirements to identify gaps.
The grandfather clause of S84.01-2004 does not provide an indefinite shield against the requirements of the standard. It provides the essential criteria that should be considered in the evaluation of SIFs that mitigate process risk enabling the process to operate in a safe manner. Good engineering practice, as outlined in ISA TR84.00.04, requires that the following activities be conducted during the evaluation of the applicability of the grandfather clause to an existing SIF:
- Determine the risk reduction required for each SIF in the SIS using hazard and risk analysis.
- Verify that the design and operating basis for the existing SIF delivers the required risk reduction.
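The two activities above can be carried through numerically for a single SIF. The following Python script is an added example; it is not code from the article, from ISA TR84.00.04, or from the SP84 committee. It encodes the low-demand-mode SIL bands of IEC 61511 / S84.01-2004 (one order of magnitude of average probability of failure on demand, PFDavg, per SIL), maps the risk reduction factor (RRF) from the hazard and risk analysis to a required SIL, and estimates what the installed SIF delivers using the simplified single-channel (1oo1) approximation PFDavg ≈ λDU · TI / 2, where λDU is the dangerous undetected failure rate and TI the proof test interval. That approximation is an assumption made for the example; a real assessment would use the architecture, diagnostics and failure data of the installed loop. All failure rates, test intervals and SIF names below are constructed sample values.

```python
"""Grandfather-clause gap check for an existing SIF (added example).

Assumptions (not from the article): low-demand SIL bands per IEC 61511-1,
and the simplified 1oo1 estimate PFDavg ~= lambda_DU * TI / 2.
"""
from dataclasses import dataclass

# Low-demand SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive).
# SIL 1 = RRF >10 to 100, SIL 2 = >100 to 1000, SIL 3 = >1000 to 10000, SIL 4 = >10000 to 100000.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_from_pfd(pfd_avg):
    """Return the SIL band a PFDavg falls into (0 = below SIL 1, 4 = at or better than SIL 4)."""
    if pfd_avg < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def sil_from_rrf(required_rrf):
    """Map the risk reduction factor from the hazard and risk analysis to the required SIL.

    RRF <= 10 means no SIL is required of the SIF; RRF > 100000 is beyond SIL 4 and is
    rejected, since a single SIF is not expected to carry that much risk reduction.
    """
    if required_rrf <= 10:
        return 0
    if required_rrf > 1e5:
        raise ValueError("required risk reduction exceeds SIL 4; re-examine the protection layers")
    return sil_from_pfd(1.0 / required_rrf)


@dataclass
class InstalledSif:
    """Constructed description of an existing safety instrumented function."""
    name: str
    lambda_du_per_hour: float   # dangerous undetected failure rate of the whole loop (1/h)
    test_interval_hours: float  # proof test interval TI actually practised at the site

    def pfd_avg(self):
        # Simplified 1oo1 low-demand approximation (assumption for this example).
        return self.lambda_du_per_hour * self.test_interval_hours / 2.0


def evaluate_sif(sif, required_rrf):
    """Compare the installed SIF with the risk reduction required of it.

    Returns the required and achieved SIL, whether the RRF target is actually met
    (same SIL band is not enough: the achieved RRF must reach the required value),
    and the longest test interval that would meet the target with the same hardware.
    """
    target_pfd = 1.0 / required_rrf
    achieved_pfd = sif.pfd_avg()
    # TI at which lambda_DU * TI / 2 == target PFD; shortening the test interval is one
    # of the operating/testing practices the grandfather clause asks to be documented.
    max_test_interval = 2.0 * target_pfd / sif.lambda_du_per_hour
    return {
        "sif": sif.name,
        "required_sil": sil_from_rrf(required_rrf),
        "achieved_sil": sil_from_pfd(achieved_pfd),
        "achieved_pfd": achieved_pfd,
        "achieved_rrf": 1.0 / achieved_pfd,
        "meets_rrf": achieved_pfd <= target_pfd,
        "max_test_interval_hours": max_test_interval,
    }


# Constructed sample SIFs paired with the RRF their (hypothetical) risk analysis requires.
SAMPLE_CASES = [
    (InstalledSif("high-pressure trip (constructed)", 5e-7, 8760.0), 500),
    (InstalledSif("low-level trip (constructed)", 2e-6, 26280.0), 50),
    (InstalledSif("high-temperature trip (constructed)", 1e-7, 8760.0), 1000),
]

if __name__ == "__main__":
    for sif, rrf in SAMPLE_CASES:
        r = evaluate_sif(sif, rrf)
        status = "meets" if r["meets_rrf"] else "GAP"
        print(f"{r['sif']}: required SIL {r['required_sil']}, achieved SIL {r['achieved_sil']}, "
              f"RRF {r['achieved_rrf']:.0f} vs {rrf} -> {status}; "
              f"max TI for target {r['max_test_interval_hours']:.0f} h")
```

The first constructed case is the one worth noticing: the loop sits in the SIL 2 band, the same band the risk analysis requires, yet its achieved RRF of about 457 falls short of the required 500, and the report shows that tightening the proof test interval from one year to about 8000 hours would close that gap without changing hardware. Matching the SIL band alone is therefore not sufficient evidence for a grandfather claim; the verification has to be made against the risk reduction actually allocated to the SIF.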
Upgrading existing facilities to meet the intent of S84.01-2004 should be accelerated when existing devices are found to no longer meet the required risk reduction. This determination may be made through hazard and risk analysis, test and inspection findings and reports, operation reports of SIS demands and failures, and audits of the performance of personnel and systems against procedures and expectations. In existing facilities, the hazard and risk analysis often serves as the trigger for the periodic reevaluation of protection layer adequacy and conformance to the latest standard.
- “Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents,” 29 CFR Part 1910, OSHA, Washington (1992).
- “Application of Safety Instrumented Systems for the Process Industries,” ANSI/ISA 84.01-1996, Instrumentation, Systems, and Automation (ISA), Research Triangle Park, NC (1996).
- “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” IEC 61511, International Electrotechnical Commission (IEC), Geneva, Switzerland (2003).
- “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod), Instrumentation, Systems, and Automation (ISA), Research Triangle Park, NC (2004).
- U.S. Department of Labor, OSHA, Formosa Plastics Corporation, Inspection Number 305893679, Inspection Dates 4/24/2004 through 10/20/2004.