By Tom Shephard and Dave Hansen
The Safety Instrumented System (SIS) standard, IEC 61511, is driving the need for new engineering tools and Project Execution Plans (PEPs). The standard is a lifecycle approach to defining, implementing and managing a safety instrumented system (SIS). Industry discussions tend to focus on the technical aspects of the standard, but project execution is proving to have an equal or perhaps greater impact on the quality and success of an IEC 61511 project. This article describes a few of the challenges from the EPC and MAC perspective, and suggests approaches to enhance IEC 61511 execution and technical outcomes.
Coordinating Project Execution and Functional Safety Plans
Figure 1 shows the elements commonly performed and supported by EPCs and MACs. The PEP defines the scope of work, roles and responsibilities, work processes and procedures, QA/QC plans, etc. A functional safety plan (FSP) is required by IEC 61511 and encompasses many of these PEP processes and procedures, but continues beyond the project to include the entire safety lifecycle through commissioning and operations. It also includes additional requirements that are specific to safety systems. The project team needs to coordinate and cross-reference both documents to ensure there are no conflicts or exclusions.
As indicated in Figure 1, the application of IEC 61511 increases the number of analysis and design steps that can lengthen SIS design cycle. The project must be well- planned, managed and correctly scheduled and resourced to keep the SIS design off of the project's critical path.
Layer of Projection Analysis (LOPA)
LOPA is a commonly accepted method for determining layers of protection and allocating safety functions. The PHA report is the LOPA starting point. For each PHA hazard and associated risk values, the LOPA team identifies and assigns one or more independent protection layers (IPL) until the risk is reduced to an acceptable level. If a risk remains after other preferred IPLs are applied, the remaining risk is typically reduced by a SIF. Like PHAs, LOPA reports are issued with recommendations and action items that may require further analysis and assessment. The report in this form is often handed off to the EPC or MAC to implement.
Once received, the EPC or MAC reviews the LOPA report to understand its content. A month or more may lapse before this step is completed. On closer examination, questions may arise and irregularities may become apparent. A process should be in place that allows the LOPA team to review the PHA and if necessary, make changes in the PHA if an error is confirmed.
The LOPA report does not typically provide the following information required to progress the SRS:
- SIF final elements.
- An answer to the question, "Does SIF activation create a new hazard?"
- Hazard process response times.
- Potential sources of common cause failure.
- Confirmation that the assessment addresses all modes of operation.
Often a proposed SIF final element creates a new hazard when it moves to its safe state or position. This triggers a one-off, unplanned hazard assessment that may require a revisit to the PHA or LOPA. Process response time is often difficult to define and provided by different disciplines and equipment specialists. A fast response time may trigger a new hazard that also requires further assessment. Identifying sources of common-cause failure often requires input from several disciplines. The additional time needed to assess hazards when operating in different operating modes is often overlooked.
Suggestions for improving PHA and LOPA outcomes:
- Provide the FSP before the project starts. It should clearly define the site or corporate approach, tools, processes and personnel required; and include a process to resolve problems that are not directly addressed in the PEP and FSP, as well as instructions on how to provide the analysis information missing in the LOPA report.
- Resist the temptation to shortcut or truncate the analysis phase to save money or reduce project schedule.
- Provide equipment- and risk-specific PHA and LOPA examples that show the expected application of the corporate and project tools, risk matrices and IPL rules.
- Align the PEP with the FSP. Revise the plan to address challenges unique to an IEC 61511 implementation.
- Increase training for PHA and LOPA teams on the correct use and application of the supplied tools, standards and procedures.
- Provide checklists that define the recommended steps to assess hazards for common equipment types.
- Provide a documented process to track, expedite and resolve PHA and LOPA recommendations and action items.
- Provide a quality assurance plan to confirm the requisite procedures are followed.
- Assign a team to verify and consolidate PHA and LOPA recommendations and replace "consider" recommendations and action items with actionable decisions.
- Have technical specialists conduct pre-assessments of specialty equipments.
- Insure teams include the necessary technical expertise.
Ensure that management-of-change procedures encompass all steps in the IEC 61511 process.
Safety Requirements Specification (SRS)
This phase begins the shift from analysis to SIS engineering and design. When compared to traditional SIS specifications, the SRS is a major expansion in both depth and breadth (Figure 2). It may contain one or more documents. The SRS is the master document, and referenced documents are subordinate to the SRS. How much time and effort are needed to fully specify individual SIFs can vary widely. On projects with a large number of SIFs, this may noticeably increase the SIS engineering effort, and EPCs and MACs must modify and adapt to this reality.