HFL Consulting


In the process industries, application of the functional safety standards BS EN 61508 and BS EN 61511 to the design, installation, commissioning, testing and inspection of new safety instrumented systems (SIS) on high hazard sites is, in general, well understood and accepted. This is in contrast to legacy systems (i.e. SIS aligned to earlier standards such as DIN 19250, ISA 84 or HSE’s PES 1 and 2 guidance documents), where direction on verification of system performance in particular has been confusing at best, leaving many wondering what to do and what regulators expect of them.

But recent guidance published by the Chemical and Downstream Oil Industries Forum – CDOIF Guideline Functional Safety Management of Installed Safety Instrumented Systems – goes some way to addressing this issue. It forms the basis, in part, for the HSE’s approach to legacy systems when performing specialist inspections on the topic of functional safety. So, are HSE’s expectations being met and if not, why not?

Based on feedback from sites, legacy systems generally show a lack of:

  • Overall functional safety management
  • SIS design verification
  • SIS performance monitoring

These are discussed in turn.

Functional Safety Management

Industry evidence suggests that there is an absence of overall management of functional safety at the relevant levels within many organisations. Good functional safety management starts with the creation of a functional safety management plan, a mandatory element of BS EN 61511. It is not surprising, then, that without such a plan the linkage between the SIS / SIF and its safety integrity level (SIL), established through the essential hazard identification and SIL determination studies, is found wanting in many cases. At other sites, where SIL determination studies have been performed, they do not always link through to later lifecycle activities such as the generation of safety requirement specifications (SRS).

It would be easy to resolve these issues with bespoke pieces of work; however, the underlying cause here is the failure of the management system to recognise the issues through the use of performance metrics, audits and reviews.

For legacy / installed SIS, a suitable approach might be to perform a functional safety assessment stage 4 (FSA 4), to provide a root and branch review of all stages of the safety lifecycle for the SISs in place to deliver the safety instrumented functions (SIF).

Consider asking yourself the following questions:

  • Is there a list of all of the safety instrumented functions (SIF)?
  • Have all existing SIFs been assessed for their required safety integrity level (SIL)?
  • Do existing SIFs have a BS EN 61511 compliant safety requirement specification (SRS)?
  • Is there a functional safety management system (FSMS) or a functional safety management plan (FSMP) for the site’s SIFs?
  • Do the site’s current KPIs, audit schedules and review processes cater for the specific requirements of BS EN 61511?

SIS Design Realisation and Verification

For new systems, SIS design and verification are normally performed as part of the project and, as such, this is generally well understood within industry.  But for existing systems pre-dating current standards, the concept of a SIL will not necessarily have been considered at the time of installation. In such cases, sites are faced with SIL requirements for systems with no evidence of SIL performance.  In an effort to resolve this issue, the HSE now expects that for existing systems, sites can demonstrate that SIFs meet their SIL requirements by:

  • Verifying through reliability calculations that the average probability of failure on demand (PFDavg) meets the target stated in the SRS.
  • Verifying that the hardware fault tolerance (HFT) and systematic capability (SC) requirements are met.
  • Showing that other design requirements, in accordance with relevant BS EN 61511 clauses, are met.
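The first of these checks is a calculation, and for a legacy SIF it is usually the first one a site has to produce from scratch. The following Python script is an added example, not part of the original article and not HFL Consulting's own tooling. It verifies a constructed three-subsystem SIF (transmitter, logic solver, 1oo2 valve pair) against a SIL target using the simplified low-demand approximations from IEC 61508-6, splits the dangerous undetected failure rate into the part a proof test reveals and the part that is only found at overhaul, and reports the achieved SIL band. Every failure rate, interval, common-cause factor, tag name and the SIL target is an assumption chosen for illustration, not vendor or site data.

```python
"""Simplified PFDavg verification of a low-demand SIF against its SRS target.

Added example (not from the page). It uses the simplified low-demand
approximations from IEC 61508-6 Annex B:
  1oo1:  PFDavg ~= lambda_DU * TI / 2
  1oo2:  PFDavg ~= ((1 - beta) * lambda_DU * TI)**2 / 3 + beta * lambda_DU * TI / 2
Imperfect proof testing is handled by splitting lambda_DU into the fraction the
proof test reveals (coverage PTC, interval TI) and the remainder, which is only
revealed at the overhaul / mission-time interval LT.
All numeric inputs below are constructed assumptions, not vendor data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61511-1 Table 4): SIL n means 10**-(n+1) <= PFDavg < 10**-n
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failure rate per channel (per hour)
    voting: str             # "1oo1" or "1oo2"
    ti_years: float         # proof test interval
    ptc: float = 1.0        # proof test coverage: fraction of lambda_du the test reveals
    lt_years: float = 20.0  # interval at which untested dangerous faults are finally revealed
    beta: float = 0.1       # common-cause factor for redundant channels (assumed)

    def channel_pfd(self) -> float:
        """PFDavg of a single channel, including the fraction of lambda_du the test misses."""
        ti = self.ti_years * HOURS_PER_YEAR
        lt = self.lt_years * HOURS_PER_YEAR
        tested = self.lambda_du * self.ptc * ti / 2
        untested = self.lambda_du * (1.0 - self.ptc) * lt / 2
        return tested + untested

    def pfd_avg(self) -> float:
        p = self.channel_pfd()
        if self.voting == "1oo1":
            return p
        if self.voting == "1oo2":
            # (lambda*TI)**2 / 3 == (4/3) * (lambda*TI/2)**2, so express it via the channel PFD
            independent = (4.0 / 3.0) * ((1.0 - self.beta) * p) ** 2
            common_cause = self.beta * p
            return independent + common_cause
        raise ValueError(f"unsupported voting {self.voting!r}")


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL band the PFDavg falls into; 0 if it is worse than SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def verify_sif(subsystems, target_sil: int) -> dict:
    """Sum the subsystem PFDavg values (series logic) and compare with the SRS target."""
    contributions = {s.name: s.pfd_avg() for s in subsystems}
    total = sum(contributions.values())
    achieved = sil_from_pfd(total)
    return {
        "pfd_avg": total,
        "rrf": 1.0 / total,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
        "contributions": contributions,
    }


# Constructed example SIF: pressure transmitter -> logic solver -> 1oo2 shutdown valves
EXAMPLE_SIF = [
    Subsystem("PT (1oo1)", lambda_du=2e-7, voting="1oo1", ti_years=1.0),
    Subsystem("Logic solver", lambda_du=1e-8, voting="1oo1", ti_years=1.0),
    Subsystem("XV pair (1oo2)", lambda_du=5e-7, voting="1oo2", ti_years=1.0),
]

if __name__ == "__main__":
    result = verify_sif(EXAMPLE_SIF, target_sil=2)
    for name, pfd in result["contributions"].items():
        print(f"{name:16s} PFDavg = {pfd:.2e}")
    print(f"total PFDavg = {result['pfd_avg']:.2e}, RRF = {result['rrf']:.0f}, "
          f"achieves SIL {result['achieved_sil']}, meets SIL 2: {result['meets_target']}")
```

Two things the calculation makes visible that a bare PFDavg figure does not: which subsystem dominates (here the transmitter, so redundancy on the valves alone would not buy a SIL), and how much a proof test coverage below 100 % costs, because the untested fraction of the failure rate is exposed for the whole overhaul interval rather than one test interval. The simplified formulas ignore detected failures, repair time and partial stroke testing; for a real SRS verification use the full IEC 61508-6 expressions or a tool that implements them.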

SIS performance monitoring

Throughout the application of the safety lifecycle, there are numerous assumptions made which, if incorrect, could have a significant impact upon the residual risks at a given site. Early studies, such as SIL determination, make assumptions over initiating event frequencies, consequences and the PFDs of layers of protection.  Such assumptions are then carried forward into the design stages, where further assumptions are made relating to the failure rates of components which are present within the SIFs, combined with estimations of proof test coverage and further assumptions that the SIFs will remain as designed. To combat the cumulative effect of this, BS EN 61511 (2017) requires that during the operational and maintenance phases, activities are conducted to review the on-going performance of SIFs and consider if there are any trends emerging.  The implication is that operational sites are expected to collect the relevant demand and failure data which allows for a retrospective assessment of SIF performance. So how is industry performing in general?

The evidence is that many companies have not even begun to collect the performance data on SIFs and, where data collection and recording are occurring, the retrospective assessment of data is typically not performed. Furthermore, where changes to SIFs are made, a typical management of change system would not pick up the specific functional safety requirements with respect to impact assessments and functional safety assessment stage 5 (FSA 5).  Operators should therefore ask themselves the following:

  • Is there a system for the collection of demand rate and failure rate data for the SIF?
  • Is there a process for analysing such data, and relating it to the underlying assumptions present within SIL determination and SIL assessment studies?
  • Are plans in place to conduct an FSA 4?
  • Does the current management of change procedure include the specific functional safety requirements for an impact assessment and FSA 5?
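The second question above, relating collected data back to the study assumptions, is where most sites stall, partly because it is not obvious how to compare a handful of demands or test failures with a rate assumed in a LOPA. The following Python script is an added example, not part of the original article and not HFL Consulting's own method. From constructed demand and proof-test records for one SIF it derives the observed demand rate and observed dangerous undetected failure rate over a review window, then uses a Poisson tail probability to ask whether the observed counts are credible under the assumed rates, and checks that the low-demand mode assumption still holds. The assumed rates, dates, channel count and significance threshold are all illustrative assumptions.

```python
"""Retrospective check of a SIF's recorded demands and proof-test failures
against the assumptions carried in its SIL determination and design verification.

Added example (not from the page). All records and assumed rates are constructed.
"""
from datetime import date
from math import exp

HOURS_PER_YEAR = 8760.0
SIGNIFICANCE = 0.05  # flag an assumption when P(count >= observed | assumed rate) falls below this

# Assumptions carried from the studies (constructed values)
ASSUMED_DEMAND_RATE = 0.1   # demands per year, as used in the LOPA / SIL determination
ASSUMED_LAMBDA_DU = 5e-6    # per channel per hour, as used in the PFDavg calculation
CHANNELS = 2                # e.g. a 1oo2 final element subsystem

# Constructed site records: dates of genuine trip demands on the SIF
DEMANDS = [date(2019, 3, 2), date(2021, 7, 19), date(2022, 11, 5)]
# Constructed proof-test records: (test date, dangerous failures found on test)
PROOF_TESTS = [
    (date(2018, 6, 1), 0), (date(2019, 6, 1), 1), (date(2020, 6, 1), 0),
    (date(2021, 6, 1), 0), (date(2022, 6, 1), 1), (date(2023, 6, 1), 0),
]
REVIEW_START, REVIEW_END = date(2018, 6, 1), date(2023, 6, 1)


def exposure_hours(start: date, end: date) -> float:
    return (end - start).days * 24.0


def poisson_tail(k: int, mu: float) -> float:
    """P(N >= k) for N ~ Poisson(mu): the chance of seeing at least k events."""
    if k <= 0:
        return 1.0
    term = cdf = exp(-mu)          # P(N = 0)
    for i in range(1, k):
        term *= mu / i             # P(N = i) from P(N = i - 1)
        cdf += term
    return max(0.0, 1.0 - cdf)


def assess_sif(demands, proof_tests, start, end,
               assumed_demand_rate, assumed_lambda_du, channels) -> dict:
    hours = exposure_hours(start, end)
    years = hours / HOURS_PER_YEAR
    n_demands = sum(1 for d in demands if start <= d < end)
    # A failure found at a test belongs to the interval before that test, so a test
    # on the window's start date is excluded and one on its end date is included.
    n_failures = sum(n for t, n in proof_tests if start < t <= end)

    observed_demand_rate = n_demands / years
    observed_lambda_du = n_failures / (channels * hours)
    p_demands = poisson_tail(n_demands, assumed_demand_rate * years)
    p_failures = poisson_tail(n_failures, assumed_lambda_du * channels * hours)
    return {
        "review_years": years,
        "observed_demand_rate": observed_demand_rate,
        "observed_lambda_du": observed_lambda_du,
        "p_demands": p_demands,
        "p_failures": p_failures,
        "demand_assumption_rejected": p_demands < SIGNIFICANCE,
        "failure_assumption_rejected": p_failures < SIGNIFICANCE,
        # IEC 61511 low-demand mode: no more than one demand per year on average
        "low_demand_mode_holds": observed_demand_rate <= 1.0,
    }


if __name__ == "__main__":
    r = assess_sif(DEMANDS, PROOF_TESTS, REVIEW_START, REVIEW_END,
                   ASSUMED_DEMAND_RATE, ASSUMED_LAMBDA_DU, CHANNELS)
    print(f"{r['review_years']:.2f} years reviewed")
    print(f"demand rate: assumed {ASSUMED_DEMAND_RATE}/yr, observed {r['observed_demand_rate']:.2f}/yr, "
          f"P = {r['p_demands']:.3f}, rejected = {r['demand_assumption_rejected']}")
    print(f"lambda_DU: assumed {ASSUMED_LAMBDA_DU:.1e}/h, observed {r['observed_lambda_du']:.1e}/h, "
          f"P = {r['p_failures']:.3f}, rejected = {r['failure_assumption_rejected']}")
    print(f"low demand mode still holds: {r['low_demand_mode_holds']}")
```

On the constructed data the demand rate assumption is rejected (three demands in five years is very unlikely at 0.1 per year), which sends the site back to its SIL determination rather than its design, while two failures found on test are not yet enough to reject the assumed failure rate even though the observed rate is several times higher. That second case is the normal one for a single SIF: with few channel-hours the data cannot discriminate, so the trend has to be watched across similar devices site-wide, and the result logged as an input to the FSA 4 rather than treated as a pass.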

Whether you are looking for guidance on how to manage instrumented systems to BS EN 61511, would like a review of your underlying hazard identification and risk assessment processes or to verify the design on an installed safety instrumented system, HFL Consulting can help.

Contact us today to find out more about our functional safety management services or visit our website to learn more about our training programmes.
