Functional Safety: Struggling with Legacy Systems?
In the process industries, application of the functional safety standards BS EN 61508 and BS EN 61511 covering the design, installation, commissioning, testing and inspection of new safety instrumented systems (SIS) on high hazard sites is, in general, well understood and accepted. This is in contrast to guidance for legacy systems (i.e. SIS aligned to earlier standards such as DIN 19250, ISA 84 or HSE’s PES 1 and 2 guidance documents) where clear direction on verification of system performance in particular has been confusing at best, leaving many wondering what to do and what is expected of them by regulators.
But recent guidance published by the Chemical and Downstream Oil Industries Forum – CDOIF Guideline Functional Safety Management of Installed Safety Instrumented Systems – goes some way to addressing this issue. It forms the basis, in part, for the HSE’s approach to legacy systems when performing specialist inspections on the topic of functional safety. So, are HSE’s expectations being met and if not, why not?
Based on feedback from sites, legacy systems generally show a lack of:
These are discussed in turn.
Functional Safety Management
Industry evidence suggests that there is an absence of overall management of functional safety at the relevant levels within many organisations. Good functional safety management starts with the creation of a functional safety management plan, a mandatory element of BS EN 61511. It is not surprising, then, that without such a plan the linkage between the SIS / SIF and the safety integrity level (SIL), established through essential hazard identification and SIL determination studies, is found wanting in many cases. For other sites, where SIL determination studies have been performed, they do not always link through to later lifecycle activities such as the generation of safety requirement specifications (SRS).
It would be easy to resolve these issues with bespoke pieces of work; however, the underlying cause here is the failure of the management system to recognise the issues through the use of performance metrics, audits and reviews.
For legacy / installed SIS, a suitable approach might be to perform a functional safety assessment stage 4 (FSA 4), to provide a root and branch review of all stages of the safety lifecycle for the SISs in place to deliver the safety instrumented functions (SIF).
Consider asking yourself the following questions:
SIS Design Realisation and Verification
For new systems, SIS design and verification are normally performed as part of the project and, as such, this is generally well understood within industry. But for existing systems pre-dating current standards, the concept of a SIL will not necessarily have been considered at the time of installation. In such cases, sites are faced with SIL requirements for systems with no evidence of SIL performance. In an effort to resolve this issue, the HSE now expects that for existing systems, sites can demonstrate that SIFs meet their SIL requirements by:
SIS Performance Monitoring
Throughout the application of the safety lifecycle, numerous assumptions are made which, if incorrect, could have a significant impact upon the residual risks at a given site. Early studies, such as SIL determination, make assumptions about initiating event frequencies, consequences and the probabilities of failure on demand (PFD) of the layers of protection. Such assumptions are then carried forward into the design stages, where further assumptions are made about the failure rates of the components within the SIFs, combined with estimates of proof test coverage and the further assumption that the SIFs will remain as designed. To combat the cumulative effect of this, BS EN 61511 (2017) requires that during the operational and maintenance phases, activities are conducted to review the ongoing performance of SIFs and consider whether any trends are emerging. The implication is that operational sites are expected to collect the relevant demand and failure data which allows for a retrospective assessment of SIF performance. So how is industry performing in general?
The evidence is that many companies have not even begun to collect the performance data on SIFs and, where data collection and recording are occurring, the retrospective assessment of data is typically not performed. Furthermore, where changes to SIFs are made, a typical management of change system would not pick up the specific functional safety requirements with respect to impact assessments and functional safety assessment stage 5 (FSA 5). Operators should therefore ask themselves the following:
Whether you are looking for guidance on how to manage instrumented systems to BS EN 61511, would like a review of your underlying hazard identification and risk assessment processes, or need to verify the design of an installed safety instrumented system, HFL Consulting can help.