Safety instrumented systems (SISs), the instrumentation and controls intended to handle process risks, play a vital role in ensuring plant safety. In September 2004, the European Committee for Electrotechnical Standardization and the American National Standards Institute (ANSI) adopted a new standard related to such systems. This standard, called IEC 61511, EN IEC 61511 or ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod), is now the primary driving force behind the work processes that should be followed to design and manage SISs. It applies to any new or expanded process unit and to the upgrade of an existing SIS.
The U.S. version, which will be referred to as S84.01-2004, is identical to IEC 61511 with one exception. The United States added a “grandfather clause” for existing SISs.
The standard integrates the various process safety management (PSM) approaches used successfully throughout the world. The SIS lifecycle provides a framework for the various activities that are considered essential to the assessment, design, maintenance, inspection, testing and operation of SISs. A quality management system also is defined to minimize the systematic errors during major project phases, such as:
• hazard assessment;
• engineering, installation, commissioning and validation; and
• operations and maintenance.
The standard uses a performance metric, the safety integrity level (SIL), to indicate the risk reduction necessary to keep a specific process risk at a tolerable level. The SIL establishes order-of-magnitude bases for analysis, design, diagnostics, testing and management rigor.
The SP84 committee of Instrumentation, Systems and Automation (ISA), Research Triangle Park, N. C., will soon release a two-part technical report, ISA TR84.00.04, “Guideline on the Implementation of ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod).” Part 1 details the differences between the 1996 version of the standard, S84.01-1996, and S84.01-2004 and addresses a variety of topics in a series of annexes. Part 2 provides an example of the implementation of the new standard on a hypothetical SIS project.
Some topics of particular interest in TR84.00.04 are:
• evaluation of the applicability of the grandfather clause;
• management of functional safety (e.g., identification of worker roles and responsibilities);
• selection of SIS devices;
• relationship of the basic process control system to the SIS; and
• human error considerations.
This article focuses on the grandfather clause and its implications for existing instrumentation and controls.
The grandfather clause
S84.01-2004 Part 1 Clause 1y states:
“For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g., ANSI/ISA 84.01-1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”
This grandfather clause is similar to the one contained in S84.01-1996, which was developed by the ISA SP84 committee to document the instrumentation-and-controls lifecycle associated with the U.S. Occupational Safety and Health Administration’s 1910.119 Process Safety Management regulation. OSHA specifically requested a grandfather clause be included in S84.01-1996.
However, making a claim that an existing system meets the intent of the grandfather clause should not be taken lightly. When investigating incidents, OSHA looks to current good engineering practices to benchmark the owner/operator’s design and management practices.
As an example, consider an OSHA citation issued on Oct. 22, 2004, to Formosa Plastics Corporation, Illiopolis, Ill. It relates to an April 23, 2004, explosion in which five workers were killed, three workers were seriously injured and the facility was heavily damaged. Numerous items were cited but three are particularly notable.
First, OSHA specifically cited the company for failing to document compliance to the S84.01-1996 standard, which the agency said represented “recognized generally accepted good engineering practices.”
When an owner/operator has an incident, its practices are compared to published good engineering practices. The owner/operator is responsible for determining that existing SISs meet the intent of the grandfather clause and documenting the operating, testing, inspection and maintenance conditions under which this will remain true.
It is important to recognize that the grandfather clause only addresses the SIS devices that were installed and commissioned prior to the issuance of S84.01-2004. It does not cover the management system aspects of the standard.
All SISs, whether existing, modified or new, require the following:
• documentation (e.g., the safety requirements specification);
• procedures (e.g., operation, maintenance, bypassing and testing);
• failure tracking (e.g., process demands and dangerous failures);
• management of change (MOC); and
Changes that potentially impact the SIS requirements should be evaluated through a MOC process. The need to make changes in the process, its control system, its non-SIS protection layers and its SIS often defines when the grandfather clause is no longer applicable.
Second, OSHA cited Formosa for failing to determine “the required safety integrity levels, as per ANSI/ISA 84.01, of its PLCs [programmable logic controllers] and DCS [distributed control systems], critical control and safety-instrumented systems.”
The new standard includes specific requirements for assessing the instrumented systems used to mitigate process risk. A work process provides the key steps for defining the required functionality and risk reduction of each safety instrumented function (SIF) allocated to the SIS. The required risk reduction is compared with the order-of-magnitude ranges tabulated in S84.01-2004 to assign a SIL to each SIF.
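As an added illustration of how the order-of-magnitude SIL ranges drive both target selection and the testing rigor the standard expects (this is example code, not from the article, the standard or the technical report): the Python below derives a SIL target from an unmitigated and a tolerable event frequency, then checks a hypothetical single-channel trip loop against that target at two proof-test intervals using the simplified 1oo1 approximation PFDavg ≈ λDU·TI/2. The SIL bands are the low-demand PFDavg ranges tabulated in the standard; the loop failure rates, the event frequencies and the function names are constructed for illustration and are not data for any real installation.

```python
"""Added worked example (not from the article): SIL target selection and a
simplified SIL verification for one safety instrumented function (SIF).

Assumptions:
  - Low-demand SIL bands (PFDavg ranges) as tabulated in IEC 61511 /
    ANSI/ISA 84.00.01-2004 Part 1: SIL 1 = [1e-2, 1e-1), SIL 2 = [1e-3, 1e-2),
    SIL 3 = [1e-4, 1e-3), SIL 4 = [1e-5, 1e-4).
  - The simplified single-channel (1oo1) approximation PFDavg ~= lambda_DU * TI / 2,
    elements summed in series, with no common-cause or diagnostic-coverage terms.
  - All failure rates and event frequencies below are constructed for illustration.
"""

# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFD_UPPER_BOUND = {sil: hi for sil, _lo, hi in SIL_BANDS}


def sil_for_pfd(pfd_avg):
    """Return the SIL whose PFDavg band contains pfd_avg.

    0 means the value is too large to earn any SIL credit (PFDavg >= 0.1);
    None means it is below the SIL 4 band, outside the standard's tables.
    """
    if pfd_avg >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return None


def required_rrf(unmitigated_per_yr, tolerable_per_yr):
    """Risk reduction factor the SIF must provide: F_unmitigated / F_tolerable."""
    if unmitigated_per_yr <= 0 or tolerable_per_yr <= 0:
        raise ValueError("event frequencies must be positive")
    return unmitigated_per_yr / tolerable_per_yr


def required_sil(unmitigated_per_yr, tolerable_per_yr):
    """SIL target: the band that holds the required PFDavg (1 / RRF)."""
    return sil_for_pfd(1.0 / required_rrf(unmitigated_per_yr, tolerable_per_yr))


def pfd_avg_1oo1(lambda_du_per_hr, proof_test_interval_hr):
    """Simplified low-demand PFDavg for one 1oo1 element: lambda_DU * TI / 2."""
    return lambda_du_per_hr * proof_test_interval_hr / 2.0


def loop_pfd_avg(elements, proof_test_interval_hr):
    """Series sum of element PFDavg values (sensor + logic solver + final element)."""
    return sum(pfd_avg_1oo1(lam, proof_test_interval_hr) for lam in elements.values())


def verify_sif(elements, proof_test_interval_hr, target_sil):
    """Compare the SIL achieved at the given proof-test interval against the target."""
    pfd = loop_pfd_avg(elements, proof_test_interval_hr)
    achieved = sil_for_pfd(pfd)
    meets = achieved is None or achieved >= target_sil
    return {"pfd_avg": pfd, "achieved_sil": achieved, "meets_target": meets}


def max_proof_test_interval_hr(elements, target_sil):
    """Longest TI (hours) at which the series PFDavg stays within the target SIL band.

    The band's upper bound is exclusive, so a loop tested at exactly this interval
    sits on the edge; in practice the interval is rounded down to a shorter cycle.
    """
    total_lambda = sum(elements.values())
    return 2.0 * PFD_UPPER_BOUND[target_sil] / total_lambda


# Constructed example loop: high-pressure trip; values are dangerous undetected
# failure rates per hour and are hypothetical.
SAMPLE_LOOP = {
    "pressure_transmitter": 5.0e-7,
    "logic_solver": 1.0e-8,
    "shutdown_valve": 1.5e-6,
}

if __name__ == "__main__":
    # Constructed target: unmitigated 0.05/yr, tolerable 1e-4/yr -> RRF 500 -> SIL 2
    target = required_sil(5e-2, 1e-4)
    for ti in (8760, 17520):  # annual versus two-yearly proof test
        print(ti, target, verify_sif(SAMPLE_LOOP, ti, target))
    print("max TI for SIL %d: %.0f h" % (target, max_proof_test_interval_hr(SAMPLE_LOOP, target)))
```

In the sample loop, doubling the proof-test interval from one year to two drops the achieved SIL from 2 to 1, which is exactly the kind of testing condition an owner/operator must document for a grandfathered system to stay within its claimed integrity level.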