THE CURRENT implementation status of S84 is mixed. Some companies have embraced the new standard, while others have adopted varying degrees of it.
It appears for new projects, particularly those done by E&C contractors and outside consultants, that most companies are implementing at least parts of S84. The main parts being addressed appear to be safety integrity level (SIL) determination, SIL verification, safety requirements specification (SRS) development, and test plans. The record is spottier for other aspects, such as the safety instrumented system (SIS) safety-lifecycle management requirements, implementation of the safety lifecycle, equipment selection requirements, competence requirements, training and procedural requirements, downstream verification, and compliance auditing.
It seems many companies are managing SIS on a per-project basis. And some may not grasp the overall management and requirements required to consistently, successfully implement and sustain SISs and related systems.
For existing installations, progress appears somewhat less. While there is some increase in addressing existing systems, it appears to lag application of S84 to new projects. Some companies appear to be relying on the grandfather clause to help existing installations comply (see “The Grandfather Clause Is Not a Jolly Fat Man in a Red Suit,” by Angela E. Summers, PhD, PE, CONTROL, Aug. ’05, p. 68). Other firms are waiting until their systems are upgraded (with or without a plan), while some seem to be ignoring the issue out of ignorance or due to managerial decisions.
In the case of grandfathering, the problem is that some of these companies aren’t truly complying with the grandfather clause, either in S84 or PSM, which essentially have the same requirements, but differ somewhat in terminology and extent. For safety systems designed and constructed in accordance with codes, standards or practices before the standard or regulation was issued, both grandfather clauses require the owner/operator to determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.
It should be noted that this is not a passive statement. For example, grandfathering based solely on prior existence and operation of a safety system does not satisfy the grandfather clauses. Grandfathering requires that the safety systems be evaluated and documented, and that all requirements of the grandfathering (design, maintenance, inspection, testing, and safe operation) have been met. In addition, S84’s grandfather clause applies to only SISs, while PSM’s grandfather clause applies to SIS, identified non-SIS instrumented safety systems, mechanical safety layers of protection, and other process safety-related systems. If you don’t satisfy the grandfather clauses, then the safety systems have to meet PSM and current relevant standards.
Layer of Protection Analysis
The current S84 standard provides guidelines regarding risk assessment, including details of various methodologies contained in its Part 3. The most common form of risk assessment in the U.S. is some variation of layer of protection analysis (LOPA). In Europe, the risk graph has a larger following, though some people do use the LOPA technique. We’re going to assume that some form of LOPA has been used. If not, the concepts should apply to other risk assessment techniques. We’re using LOPA as a generic term to refer to its various varieties.
In the LOPA method, you evaluate the unmitigated risk (frequency and consequence), and determine the risk reduction required to decrease the risk to a tolerable level. This is commonly done with a risk matrix, which plots consequence against frequency to give the desired risk reduction. The required risk reduction is then balanced against the existing (or designed) identified independent layers of protection (IPL). The properties of an IPL are well defined. Traditionally they are independence, specificity, reliability and auditability, but management of change and security should be added as well.
Once this has been done, any residual risk must be handled by adding additional IPLs to further reduce the risk to the tolerable level.
When the IPL involved is a safety instrumented system (SIS), S84 has requirements designed to meet governmental regulations and industry practice. When the IPL involved is not a SIS, the water is somewhat murkier.
It’s clear that safety IPLs are covered by PSM and environmental IPLs by RMP regulations, which provide requirements, but how exactly this is to be done is well not detailed. On one hand, SIS requirements are well detailed, but other IPLs, which are byproducts of the SIS safety lifecycle, are not well defined. LOPA’s connection to non-SIS IPLs to the mechanical integrity or other management programs isn’t covered by any standard. For example, the assurance that changes to a non-SIS IPL that affect its integrity, availability, or any properties of an IPL is based on an evaluation of the effect on the IPLs identified for a particular hazard and in light of the originating LOPA.
This clearly indicates that a site must have a system to manage IPLs to assure their integrity, availability and their inherent properties. A common method for doing this in instrumented systems is the critical alarm list or the critical instrument list. However, “critical” often isn’t well defined, and you get a large list that includes safety, environmental, asset protection, operational or other “critical” defined criteria. There is an ISA technical report, TR-91.00.02, “Criticality Classification Guideline,” which provides some guidance in classifying loops. The difficulty is that there’s typically no direct connection between LOPA and the critical instrument list. Just because it’s on the critical instrument list doesn’t make it an IPL and vice versa. Also, it’s seldom identified in the list as an IPL, and may only be listed as critical and possibly what its criticality is. Simply being on a critical instrument list is not sufficient, without procedures and practices, to insure that all the requirements of an IPL are met and maintained throughout its life.
Hopefully, the way non-SIS mechanical IPLs are commonly handled is by placing them in the site’s mechanical integrity program. This is better than nothing, though integrity programs aren’t generally set up to handle IPLs and their requirements. Administrative IPLs usually are left up to plant personnel, and again have limited connection back to originating IPL requirements and the associated LOPA. More than likely, a lot of IPLs get lost in the shuffle.
It should be noted that ANSI/ISA 84.00.01 and the risk analysis techniques represent minimum standards practices and not maximum ones. The same applies to OSHA’s PSM, EPA’s RMP regulations, and to other industry standards. So, merely meeting the standards and regulations may not necessarily make a plant or facility safe.
What S84 Does and Doesn’t Cover
S84 covers safety instrumented systems (SISs). Indirectly, it can put requirements on identified layers of protection. However, it doesn’t have specific requirements of some other types of safety systems discussed below. It should be clear, however, that OSHA’s PSM and EPA’s RMP covers all associated safety and environmental systems.
Other Safety-Related Systems?
While ANSI/ISA 84.00.01-2004 provides comprehensive coverage for safety instrumented systems (SIS) and some minor coverage for independent layers of protection as part of its risk analysis, what about other safety-related systems that are covered by OSHA and EPA regulations? Some examples are facility/plant/unit/section manual emergency shutdown systems (ESDs), manually activated safety systems, and orphaned safety systems or layers of protection.
Facility/plant/unit/section manual ESDs are general-purpose, operator-initiated shutdown systems, commonly known as the “Big Red Button.” While these may be activated by detection of a known hazard, they’re typically a more general-purpose action of last resort (AOLR) against unidentified hazards, failure of all layers of protection for a hazard, an unexpected propagation path of a known hazard that bypasses existing layers of protection, or a catastrophic event. There are no industry standards that directly cover this type of system, though some people incorrectly assume that S84 applies to them (see ANSI/ISA 84.00.01-2004 Section 1(x)). This isn’t to say that some S84 principles and practices could or shouldn’t be applied to this type of system, but rather that the standard isn’t directly applicable.
What about other manually actuated safety systems, such as fire and gas and toxic detection systems? Some of these are automatically actuated, but many are manually actuated. Some may not even have a direct manual actuation of a safety system, and so the operator is expected to diagnose and solve the problem. These typically are actuated once the cat is out of the bag, and will hopefully to minimize the result of the hazard. If these are considered safety or environmental protection systems, then they’re covered as manual and operator-action systems under PSM and RMP.
What about orphaned safety systems or layers of protection? An orphaned safety system is an identified safety system or “layer of protection” that is shown not to be “required” by the risk analysis. It either currently exists or, for new systems, is a traditional safety system for that type of process. It also can be a safety system identified by the process designers or operators as desirable, or it even may be required by process design or company standards. These systems aren’t covered by S84, unless they’re identified as an SIS and they’re not IPLs because the risk analysis indicated they weren’t required.
These safety systems and similar ones are certainly covered by PSM and RMP in the facility’s mechanical integrity system. If you’ve got them, then they’re covered. This isn’t to encourage people to take out these systems, but to identify that they need to be managed.
One should remember that existing safety systems have evolved for many reasons based on accumulated operating experience (sort of a plant memory), and a spiffy engineering risk analysis doesn’t necessarily negate the need for such systems. Existing systems are based on experience (what has happened over time and what plant people worry about), while a risk analysis is based on personnel experience, engineering expertise and analysis (what has happened in the experience of the analysts present at the risk analysis, and what may happen by analysis and speculation based on engineering principles). Some companies designate these as SIL “A” or SIL “0,” and have specific requirements for these systems that use parts of S84 to meet PSM and RMP regulations.
All of these systems can be classified as functional safety systems (FSSs) that must be managed to insure that their integrity is maintained, and that they meet appropriate functional safety requirements, regulations and industry practices.
Functional Safety Management
Management of the SIS, identified layers of protection, and other identified safety systems that are engineered or are administrative protections come under the guise of the management of functional safety, and so are covered by requirements of OSHA’s PSM and EPA’s RMP as part of the management of process safety and the environment. ANSI/ISA 84.00.01 provides detailed guidance for SISs, but there is little the detailed guidance for managing other FSSs. Figure 1 below provides an overview of the management of functional safety.
Functional Safety in a Plant
Managing anything in a plant is sometimes difficult due to vested interest and politics, and management of functional safety is no different. This task is often given to a poor plant engineer with no stroke to get it accomplished with few resources. To successfully manage the functional safety process, the person responsible should report directly to the facility manager. There also needs to be an outside independent auditing authority. Each plant in a facility should have someone responsible for its functional safety systems, and that person should have a dotted-line connection to the facility-responsible authority.
Management and application of functional safety should be consistent within the facility, in the company and in the larger industry. Consistency comes from standardization and uniform application of the standards and techniques used, and from knowledge of industry practices. Engineers must know standards, but they also must know how similar units and facilities operate. Benchmarking of common process risk isn’t generally available. This can be developed internally, and should be to some extent. The common sources of industry practice are third-party consultants with plant-level and industry experience.
Functional safety-system competency is another area that should be addressed. S84 standard covers it in Section 184.108.40.206. It’s clear that management, implementation, and long-term support of functional safety requires competent personnel, and not just the next available engineer or employee.
SISs and other IPLs are mostly downstream protections. In short, the cat is almost out of the bag, and we’re trying to keep it from getting loose. Preventing the cat from even trying to get out of the bag by reducing the demand rate on the IPLs is an alternate but complementary approach. It certainly seems reasonable that initiating causes and process design for high-risk hazards should receive additional consideration in design, operation, and maintenance to minimize safety demands. This is analogous to a quality system where the IPLs are similar to the downstream measurement of quality, but the real success of a quality system is preventing the quality defect to begin with.
Intrinsic safe design of the process is a recognized approach to this need. It’s applicable to new units and projects, but is somewhat more limited for existing units. Reducing frequency of initiating causes of hazards (failures), consideration of human factors and systemic propagation of accidents, alarm rationalization, simplification (effective minimization of complexity), and a deeper consideration of abnormal conditions in process control design are also ways to reducing risk.
Some areas that need further work are standards or guidance covering the aspects of all functional safety systems, upfront reduction in risk, and a good look at process accident propagation. Accidents can consists of initiators, downstream events, human factors and systemic effects, including manpower reduction, reduction in experience levels, older plants, cultural effects and management policies. Work is also needed on risk benchmarking, overall evaluation of risk, and downstream analysis of the effectiveness of the S84 standard, its implementation, and related methodologies in reducing accidents or near misses.
There also must be an overall functional safety management plan to manage all aspects of functional safety in a facility or company. In addition, implementing such a plan requires the managing authority to have the stroke and resources to enforce its management plan. It’s not sufficient to let every plant in a facility manage its own functional safety, to make it a project-team responsibility, to assign it to a low-level engineer, or let it be subject to corporate guidelines with lax enforcement and implementation. The first case is the fox guarding the hen house; the second is a guard dog that’s only interested as long as it’s being fed; the third is equivalent to giving the task to a guard dog that is half the size of the fox; and the fourth is no guard dog at all.
All management of functional safety procedures and their implementation and operation should be audited for compliance by a third party. This should be either an independent, competent authority external to the facility but within the same company, or an outside consultant with the appropriate, plant-level experience and competence in the areas of managing functional safety. This level of auditing will help assure that apathy, political, and/or incestuous relationships in a facility don’t defeat the purpose of managing functional safety.
Though it’s a good start, it’s clear that ANSI/ISA 84.00.01 is just the tip of the iceberg toward management of functional safety. There still is much more to be done.
The Geneology of Safety
IN 1996, a major milestone in process safety was achieved when the requirements for safety instrumented systems (SISs), such as emergency shutdown systems, ESD, safety interlocks and safety systems, were codified in ANSI/ISA S84.01-1996, “Application of Safety Instrumented Systems for the Process Industry.”
In March 2000, OSHA officially recognized S84 as “recognized and generally accepted good engineering practice” for meeting the Process Safety Management (PSM) regulation CFR 1910.119 for safety instrumented systems.
During 1999-2002, the International Electrotechnical Commission (IEC) issued its standard 61508, “Functional safety of electrical/electronic/programmable electronic safety-related systems,” which provided an umbrella standard for safety systems for all types of industries.
In 2003-04, IEC 61511, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” was adopted as the international standard for safety instrumented systems in the process industries.
In 2004, ISA and subsequently ANSI adopted the IEC 61511 standard with the addition of a grandfather clause and some conversion of text to ANSI/ISA 84.00.01 from 61511 as the new version of ANSI/ISA 84.00.01-2004.
For brevity’s sake, the term S84 will be used in further text, unless it’s more appropriate to use the full name. The new S84 standard brought with it a much more comprehensive standard that covered many of the PSM requirements, as well as substantially more management and documentation requirements. It also mentions covering environmental requirements in Section 1 (j).
|About the Author|
William L. (Bill) Mostia Jr., PE, principal of WLM Engineering Co., has more than 25 years experience applying safety, instrumentation and control systems in process facilities. He can be reached at firstname.lastname@example.org.