
Functional Safety Management: The good, the bad and the ugly!

Lessons learned while striving for compliance with IEC 61511.


By Michael Scott, PE, CFSE

An efficient functional safety management program encompasses engineering, maintenance, and operations personnel all working together for a common goal: prevention of loss of containment. This may sound straightforward, but it requires multiple entities within an organization to align to achieve this common objective and can be difficult to implement within a complex organization. So what does a good functional safety management system look like?

Lessons Learned
First, let's discuss the evolution / awareness process an organization typically adopts on its road towards functional safety management. This evolution / awareness process is borne of the best intentions but typically leads the end user to an intermediate, undesirable position short of the ultimate end goal. This results in regret costs and schedule delays in achieving a fully compliant functional safety management system.

Step 1 - Desire for IEC 61511 (Functional Safety: Safety Instrumented Systems for the process industry sector) Corporate Alignment

In this step, the organization identifies the desire for IEC 61511 compliance and champion(s) within the organization to convince management of the benefits of managing functional safety via a performance based methodology. Given that full compliance with IEC 61511 requires multiple entities within an end user's organization to align, a commitment from management is essential. This alignment change typically requires a significant paradigm shift within the end user organization. Thus, this first step is often the hardest.

Step 2 - Modify Process Safety Risk Ranking to Support SIL Selection

In order to adopt IEC 61511, one needs to assign / calculate a required Safety Integrity Level (SIL) for a given Safety Instrumented Function (SIF). Thus, the end user organization has to modify its current risk analysis methodology (i.e. Process Hazards Analysis (PHA)) to support SIL selection (i.e. Layer of Protection Analysis (LOPA)). This task is typically owned by a corporate process safety department. Multiple methods of risk analysis and SIL selection currently exist, and the process safety department has to decide which methodology to adopt and which tool(s) to use to support its overall risk analysis process. Most organizations look to implement solutions that are aligned as closely as possible with their current work process, requiring the least amount of change in how they currently conduct their risk analysis efforts. This concept sounds reasonable and very practical but ultimately is the first misstep made by most organizations.

Step 3 - Identification of Areas of Concern

Once an organization has bought into the performance based risk concepts contained in IEC 61511, the first desire is to identify a work process to complete a risk analysis on all facilities within the organization. Many companies made the decision to focus on those unit operations that historically were deemed to have a higher risk than other units. Thus, a program would typically be developed to conduct a Risk Analysis / SIL Selection on some small sub-set rather than the entire portfolio of processes within the organization. Once again this concept sounds reasonable and very practical but ultimately this is another common misstep if an overall holistic approach is not adopted by the organization.

Step 4 - Development of Initial Safety Instrumented Systems Deliverables

Once the Risk Analysis / SIL Selection efforts for the high risk unit operations have been completed, the end user is often anxious to review how the existing instrumentation / controls fare from a performance based design review standpoint. Thus, Safety Instrumented System deliverables are immediately generated for those Safety Instrumented Functions (IPF) that were identified in the Risk Analysis / SIL Selection process. These deliverables typically consist of the following:
- IPF List
- Safety Requirements Specification
- Cause & Effects
- SIL Verification Calculations
- Functional Test Plans

Once again, this concept sounds reasonable and very practical but ultimately this is once again a misstep if an overall holistic approach is not adopted by the organization.

Step 5 - Identification of Gaps

With SIS deliverables completed, the organization wants to focus on Gaps. A Gap means the organization needs to develop a project and spend dollars to close the Gap. Gaps generally fall into three major categories from an end user standpoint:
1. Capital project required to install instrumentation / controls to achieve the required level of risk reduction for existing kit
2. Operations & Maintenance activities to begin testing SIFs and tracking of failures, demands, time in bypass, etc.
3. Incorporation of the SIS work process into the everyday Management of Change (MOC) process

Most organizations on the learning curve for IEC 61511 compliance immediately implement bullet 1 and the testing of SIFs in bullet 2. The remainder of bullet 2 (tracking of failures, demands, time in bypass, etc.) and all of bullet 3 (incorporation of the SIS work process into the everyday MOC process) are tackled sometime in the future because of the difficulties within the organization in implementing the changes needed to achieve bullets 2 and 3. Once again this concept sounds reasonable and very practical but ultimately this is also a misstep if an overall holistic approach is not adopted by the organization.

Step 6 - Realization Data is Stagnant

In most large organizations, completion of steps 1 through 5 above is a significant investment and takes multiple years to complete. However, because an overall holistic approach to IEC 61511 compliance was not developed / planned in the beginning, and instead each department within the organization focused on implementing the solution that impacted its department the least, the results of steps 1 through 5 are in most instances not maintainable within the organization. Thus, the data used to develop the deliverables has become stagnant because the IEC 61511 compliance exercise used a snapshot of data at the beginning of the project and did not plan for an overall data management scheme for the life of the installation. For instance, project A was implemented in Unit B. Assume project A added 2 defined SIFs and deleted 1 existing SIF. In most organizations, the IEC 61511 compliance efforts did not address ongoing projects and their impacts to Safety Instrumented System deliverables. Thus, either project A developed standalone Safety Instrumented System deliverables or none at all.
In both cases, a facility engineer cannot perform a simple task of generating a master SIF List of devices to be tested. The initial IEC 61511 compliance efforts may not have completed a review of all equipment (due to focusing on high risk areas) and / or the MOC process to maintain the SIS design basis in an evergreen fashion was not addressed during this interim period (several years). This realization results in regret costs as the organization begins to tackle the harder issues mandated by the overall holistic approach to IEC 61511 compliance. This implies an overall work process and associated functional safety management tool(s) to ensure the Risk Analysis / SIL Selection and associated SIS deliverables can be readily supported in an evergreen fashion by existing personnel.

Key Attributes to Successful Functional Safety Management


Having discussed the typical work process and pointed out shortcomings that may not be obvious to an end user who has not lived through the above steps or is in the middle of them, it is extremely important that the extent of these well intended missteps be fully grasped by the reader. This will be accomplished by focusing on the attributes of what a good functional safety management system looks like, as opposed to dwelling on the negatives achieved in some of the above key steps.

Step 1 - Desire for IEC 61511 (Functional Safety: Safety Instrumented Systems for the process industry sector) Corporate Alignment

Best practice for an organization would be to properly plan for functional safety management activities and their impacts to the organization prior to implementation of IEC 61511. This planning would include the following:
- Survey of each business unit / facility to identify how they currently execute each phase of the safety lifecycle.
- Realization that an evergreen overall functional safety management program is mandatory, and establishing this requirement at the beginning of the IEC 61511 compliance project.
- Beginning a functional safety management tool selection process that addresses key issues in the survey of each business unit / facility as well as the best practice attributes noted below in steps 2 through 5.

If the overall program level plan does not account for an evergreen work process, the resultant data collected will become stagnant and will provide limited benefit to end users. This in turn will result in loss of confidence in the data by the end users and undermine the value of IEC 61511 compliance to the overall organization.

Step 2 - Modify Process Safety Risk Ranking to Support SIL Selection

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:
- Risk Analysis and SIL Selection methodology that is tightly integrated such that changes in the Risk Analysis (i.e. PHA) are automatically fed into the SIL Selection (i.e. LOPA) and vice versa.
- Development of a Risk Analysis and SIL Selection methodology that supports data extraction directly into a functional safety management engine to develop the remainder of the SIS deliverables.

This will improve the overall quality of the data set by minimizing re-typing of the same information in multiple places. It also reduces the man-hour requirements to maintain a valid PHA / LOPA and the resultant transmittal of data to the tool(s) completing the remainder of the SIS deliverables.

Step 3 - Identification of Areas of Concern

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:
- Risk Analysis and SIL Selection methodology that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity.

This will allow a facility engineer to review a list of critical protection layers that need to function to prevent loss of containment. Thus, the facility engineer would be able to conduct a risk analysis if pressure transmitter PT-100 needed to be removed from service on a temporary basis. The master evergreen risk analysis includes the facility siting results from Project B that occurred last year and added a new control room in close proximity to the unit of operation in question. Thus, the facility engineer does not need to review the latest PHA Revalidation / LOPA along with all individual capital projects that have occurred since the last PHA Revalidation / LOPA to perform an accurate assessment of risk associated with PT-100 being out of service.

Step 4 - Development of Initial Safety Instrumented Systems Deliverables

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:
- SIS deliverable methodology that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity.
- SIS deliverable engine that supports use of templates and a library of deliverables
- SIS SIL Calculation engine that supports and stores what-if calculations against a given SIF
- SIS SIL Calculation engine that is capable of automatically generating the associated Cause & Effect Diagram
- Functional safety management tool that has MOC capabilities within the tool itself
- Functional safety management tool that is capable of developing and managing deliverables associated with IPLs
- Functional safety management tool that is viewable by a large audience within engineering, operations and maintenance

By maintaining the SIS deliverables in an evergreen fashion, based upon the latest project updates in concert with the latest Risk Analysis / SIL Selection updates, a facility engineer can review the proposed scope of project X to debottleneck Unit K for potential impacts to SIFs and / or critical Instrumented Protection Layers (IPLs) (i.e. alarm with operator action). This identifies, early in the project lifecycle, the need to modify a safety instrumented system and the associated tasks / deliverables that need to be generated by the project, which greatly reduces the regret costs / schedule impacts incurred when this scope is defined late in the project. Making the functional safety management tool viewable by a large audience helps facilitate the communication / awareness process for these critical SIFs and / or IPLs. The remainder of the best practice bullets noted above are focused on reduction of man-hours to generate and maintain SIS deliverables. This is critical if the end user organization desires to minimize additions and / or maintain current head count through the IEC 61511 adoption process.

Step 5 - Identification of Gaps

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:
- Gap Tracking functionality that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity to manage Gaps. These Gaps could be shortfalls in existing SIF designs that require additional field devices, installation of a new inherently safer design concept, addition of new IPLs, etc. Thus, the tool would communicate the current as-is risk profile as well as the long term view of what the risk profile could be if projects A, B and C are implemented.
- Ability to address operations and maintenance aspects of the safety lifecycle:
  o Collection and analysis of failure rate data results from functional testing in a paperless environment
  o Assignment / management of failure rate data in concert with an approved vendors list for instrumentation and controls associated with a Safety Instrumented System
  o Collection of failure rate data results from corrective work orders in a paperless environment
  o Collection and analysis of the time a SIF or IPL is in bypass, or mean time to repair
  o Collection of root cause analysis data and comparison to initiating causes / cause frequencies assumed in the Risk Analysis and SIL Selection methodology (PHA / LOPA) in a paperless environment
  o Ability to conduct an override risk assessment
  o Ability to analyze impacts of deferred functional testing
  o Key Performance Indicator feedback on the goodness of the functional safety management system components
- Ability to support the day to day MOC process at the facility. Thus, the tool has the ability to maintain the risk analysis, SIS design basis and critical IPLs used in LOPA in an evergreen fashion.
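As an added illustration (not code from the paper or from aeSolutions' tools) of two points above, the Step 6 project A scenario in which a master SIF list can only be produced if MOC changes are applied to the baseline, and this Step 5 comparison of collected demand data against the cause frequencies assumed in LOPA, the Python below applies a constructed MOC log to a constructed baseline SIF snapshot, derives the master device test list, and flags SIFs whose observed demand rate exceeds the assumed frequency. All tags, frequencies and demand records are constructed, and the observation period in years is an assumed parameter.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Sif:
    tag: str                       # SIF identifier, e.g. "SIF-101" (constructed)
    devices: list                  # field devices that must be proof tested
    assumed_demand_per_year: float  # initiating cause frequency assumed in LOPA


# Constructed baseline: the SIL selection snapshot taken for Unit B
BASELINE = [Sif("SIF-101", ["PT-100", "XV-100"], 0.1),
            Sif("SIF-102", ["TT-200", "XV-200"], 0.05)]

# Constructed MOC log: hypothetical project A added two SIFs and deleted one
MOC_LOG = [("add", Sif("SIF-103", ["LT-300", "XV-300"], 0.1)),
           ("add", Sif("SIF-104", ["PT-400", "XV-400"], 0.2)),
           ("delete", "SIF-102")]

# Constructed demand records (tag, date) collected from operations
DEMANDS = [("SIF-101", date(2023, 2, 1)), ("SIF-101", date(2023, 8, 9)),
           ("SIF-103", date(2023, 5, 5))]


def evergreen_register(baseline, moc_log):
    """Apply every MOC record, in order, to the baseline to get the as-is SIF set."""
    register = {s.tag: s for s in baseline}
    for action, item in moc_log:
        if action == "add":
            register[item.tag] = item
        elif action == "delete":
            register.pop(item, None)     # item is the tag of the deleted SIF
        else:
            raise ValueError(f"unknown MOC action {action!r}")
    return register


def master_test_list(register):
    """Master list of devices to functionally test, one entry per device."""
    return sorted({dev for sif in register.values() for dev in sif.devices})


def demand_rate_check(register, demands, years):
    """Flag SIFs whose observed demand rate exceeds the LOPA assumed frequency."""
    counts = {}
    for tag, _ in demands:
        counts[tag] = counts.get(tag, 0) + 1
    flagged = {}
    for tag, sif in register.items():
        observed = counts.get(tag, 0) / years
        if observed > sif.assumed_demand_per_year:
            flagged[tag] = (observed, sif.assumed_demand_per_year)
    return flagged
```

A flagged SIF means the LOPA initiating event frequency for that scenario needs revisiting, which is exactly the feedback loop a stagnant snapshot cannot provide.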

Conclusion
If an organization does not properly plan for functional safety management and set specific goals for the program to ensure the data can be managed efficiently and effectively in an evergreen fashion, initial IEC 61511 compliance efforts will fall short of expectations. A successful implementation must include the following:
- Commitment by management
- Recognition of the importance of an evergreen work process
- Identification of key stakeholders within engineering, operations and maintenance to support the paradigm shift required to implement an evergreen functional safety work process
- Selection of a functional safety management tool that supports the key attributes noted in this paper

One can successfully implement a fully IEC 61511 compliant functional safety lifecycle management tool that supports the attributes contained in this white paper with proper planning and due diligence.
About the Author

Michael Scott, PE, CFSE (mike.scott@aesolns.com) is VP of Process Safety with aeSolutions. He has executed multiple functional safety lifecycle management projects and developed a suite of functional safety lifecycle management tools, aeShield™ and aeFacilitator™, to support these projects.
