To safety standards and beyond!
ControlGlobal.com
In 2004, ISA adopted the most recent safety standard, ANSI/ISA 84.00.01. And though it’s a good start, it’s clear that S84 is just the tip of the iceberg toward management of functional safety.
By William L. Mostia, Jr., PE, principal, WLM Engineering Co.
The current implementation status of S84 is mixed. Some companies have embraced the new standard, while others have adopted varying degrees of it.
For new projects, particularly those done by E&C contractors and outside consultants, most companies appear to be implementing at least parts of S84. The parts most often addressed are safety integrity level (SIL) determination, SIL verification, safety requirements specification (SRS) development, and test plans. The record is spottier for other aspects, such as the safety instrumented system (SIS) safety-lifecycle management requirements, implementation of the safety lifecycle, equipment selection requirements, competence requirements, training and procedural requirements, downstream verification, and compliance auditing.
It seems many companies are managing SIS on a per-project basis, and some may not grasp the overall management framework and requirements needed to consistently and successfully implement and sustain SISs and related systems.
For existing installations, progress appears slower. While there is some increase in attention to existing systems, it appears to lag the application of S84 to new projects. Some companies appear to be relying on the grandfather clause to bring existing installations into compliance (see “The Grandfather Clause Is Not a Jolly Fat Man in a Red Suit,” by Angela E. Summers, PhD, PE, CONTROL, Aug. ’05, p. 68). Other firms are waiting until their systems are upgraded (with or without a plan), while some seem to be ignoring the issue out of ignorance or because of managerial decisions.
In the case of grandfathering, the problem is that some of these companies aren’t truly complying with the grandfather clause, either in S84 or PSM, which essentially have the same requirements, but differ somewhat in terminology and extent. For safety systems designed and constructed in accordance with codes, standards or practices before the standard or regulation was issued, both grandfather clauses require the owner/operator to determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.
It should be noted that this is not a passive statement. For example, grandfathering based solely on the prior existence and operation of a safety system does not satisfy the grandfather clauses. Grandfathering requires that the safety systems be evaluated and documented, and that all requirements of the grandfathering (design, maintenance, inspection, testing, and safe operation) have been met. In addition, S84’s grandfather clause applies only to SISs, while PSM’s grandfather clause applies to SIS, identified non-SIS instrumented safety systems, mechanical safety layers of protection, and other process safety-related systems. If you don’t satisfy the grandfather clauses, then the safety systems have to meet PSM and the current relevant standards.
Layer of Protection Analysis
The current S84 standard provides guidelines regarding risk assessment, including details of various methodologies in its Part 3. The most common form of risk assessment in the U.S. is some variation of layer of protection analysis (LOPA). In Europe, the risk graph has a larger following, though some people do use the LOPA technique. We’re going to assume that some form of LOPA has been used; if not, the concepts should still apply to other risk assessment techniques. We’re using LOPA as a generic term to refer to its various variants.
In the LOPA method, you evaluate the unmitigated risk (frequency and consequence), and determine the risk reduction required to decrease the risk to a tolerable level. This is commonly done with a risk matrix, which plots consequence against frequency to give the desired risk reduction. The required risk reduction is then balanced against the existing (or designed) identified independent layers of protection (IPL). The properties of an IPL are well defined. Traditionally they are independence, specificity, reliability and auditability, but management of change and security should be added as well.
Once this has been done, any residual risk must be handled by adding additional IPLs to further reduce the risk to the tolerable level.
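A worked LOPA calculation in Python, added here as an illustration and not part of the article: it credits only those IPLs that demonstrate all six properties named above, computes the residual risk reduction factor (RRF) against the tolerable frequency, and maps that gap to the SIL an added SIS would need. The scenario figures, IPL names and property flags are constructed; the SIL bands follow the PFDavg ranges of IEC 61511 / ANSI/ISA-84.00.01.

```python
from typing import Dict, List, Optional

# Properties an IPL must demonstrate before it earns credit in the LOPA:
# the four traditional ones plus management of change and security.
IPL_PROPERTIES = ("independent", "specific", "reliable", "auditable",
                  "under_moc", "secured")

# SIL bands as (SIL, RRF lower bound exclusive, RRF upper bound inclusive),
# i.e. SIL 1 covers PFDavg 1e-2..1e-1, SIL 2 covers 1e-3..1e-2, and so on.
SIL_BANDS = ((1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000))


def creditable_pfds(ipls: List[Dict]) -> List[float]:
    """PFDs of only those IPLs whose every required property is demonstrated."""
    return [ipl["pfd"] for ipl in ipls
            if all(ipl.get(prop, False) for prop in IPL_PROPERTIES)]


def residual_rrf(initiating_freq: float, tolerable_freq: float,
                 ipls: List[Dict]) -> float:
    """Risk reduction still required after crediting qualifying IPLs (1.0 = none)."""
    mitigated = initiating_freq
    for pfd in creditable_pfds(ipls):
        mitigated *= pfd          # each IPL fails independently of the others
    return max(1.0, mitigated / tolerable_freq)


def sil_for_rrf(rrf: float) -> Optional[int]:
    """SIL an added SIS must meet to close the gap: 0 when the gap is below the
    SIL 1 band (cover it with a non-SIS IPL), None when it exceeds SIL 4 and the
    process design itself must be revisited."""
    if rrf <= 10:
        return 0
    for sil, low, high in SIL_BANDS:
        if low < rrf <= high:
            return sil
    return None


# Constructed sample scenario (hypothetical): vessel overpressure from a BPCS loop failure.
SCENARIO = {
    "initiating_freq": 0.5,   # events per year
    "tolerable_freq": 2e-5,   # site tolerable frequency, per year
    "ipls": [
        {"name": "PSV-101", "pfd": 0.01, "independent": True, "specific": True,
         "reliable": True, "auditable": True, "under_moc": True, "secured": True},
        # Operator response to PAH-101: no test records exist, so it is not auditable
        # and earns no credit until that is fixed.
        {"name": "PAH-101 operator response", "pfd": 0.1, "independent": True,
         "specific": True, "reliable": True, "auditable": False, "under_moc": True,
         "secured": True},
    ],
}

if __name__ == "__main__":
    gap = residual_rrf(SCENARIO["initiating_freq"], SCENARIO["tolerable_freq"], SCENARIO["ipls"])
    print(f"residual RRF {gap:.0f} -> SIL {sil_for_rrf(gap)}")
```

With the alarm response excluded for lack of audit records the residual RRF is 250 (SIL 2); once it is made auditable the gap drops to 25 (SIL 1), which is the practical cost of an IPL that cannot be audited.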
When the IPL involved is a safety instrumented system (SIS), S84 has requirements designed to meet governmental regulations and industry practice. When the IPL involved is not a SIS, the water is somewhat murkier.
It’s clear that safety IPLs are covered by PSM and environmental IPLs by RMP regulations, which set requirements, but exactly how this is to be done is not well detailed. On one hand, SIS requirements are well detailed; on the other, the requirements for non-SIS IPLs, which are byproducts of the SIS safety lifecycle, are not well defined. The connection from LOPA through non-SIS IPLs to the mechanical integrity or other management programs isn’t covered by any standard. For example, assuring that changes to a non-SIS IPL that affect its integrity, availability or any other IPL property are acceptable depends on an evaluation of their effect on the IPLs identified for the particular hazard, in light of the originating LOPA.
This clearly indicates that a site must have a system to manage IPLs to assure their integrity, availability and inherent properties. A common method for doing this in instrumented systems is the critical alarm list or the critical instrument list. However, “critical” often isn’t well defined, and the result is a large list that mixes safety, environmental, asset protection, operational or other “critical” criteria. An ISA technical report, TR-91.00.02, “Criticality Classification Guideline,” provides some guidance in classifying loops. The difficulty is that there’s typically no direct connection between LOPA and the critical instrument list. Just because an instrument is on the critical instrument list doesn’t make it an IPL, and vice versa. Also, an instrument is seldom identified in the list as an IPL; it may only be listed as critical, possibly with the reason for its criticality. Simply being on a critical instrument list is not sufficient, without procedures and practices, to ensure that all the requirements of an IPL are met and maintained throughout its life.