Can you safely grandfather your SIS?

Making a claim that an existing safety instrumented system satisfies a new ANSI standard should not be taken lightly. Before doing so, it is essential to assess several critical factors.

By Angela E. Summers, SIS-TECH Solutions, LP

2 of 2 1 | 2 > View on one page

Third, the agency faulted the company’s MOC process. Formosa was cited for not implementing a process “to address the technical impact, as well as the safety and health impact of… changes made in the staffing level of the plant in 2002 and 2003 to the maintenance staff as it impacted the ability to perform necessary inspections and tests to meet the requirements of the company’s mechanical integrity program.”

S84.01-2004 includes a management system that requires, among other things, the identification of the resources responsible for carrying out each lifecycle phase, such as operation, testing and maintenance.

The way forward
According to draft ISA TR84.04, there are two essential steps in assessing the applicability of the grandfather clause:

1. Confirm that a hazard and risk analysis has been done to determine qualitatively or quantitatively the level of risk reduction needed for each safety instrumented function (SIF) in the SIS.
2. Verify that an assessment of the existing SIF has been performed to establish that it delivers the needed level of risk reduction.

TR84.04 states that these activities, if not already done, should be scheduled for review at the next appropriate opportunity. The evaluation of the SIF should take into account factors such as device failure rates and associated design, operation, maintenance, testing, inspection and change-management practices. TR84.04 Annex A provides examples of eight grandfather clause methods submitted by SP84 committee members.

The first step in addressing the grandfather clause is the development of a method for “determining” the applicability of the grandfather status of the SIS. Local regulations, applicable codes and insurance practices sometimes require that specific standards be followed. In all cases, the owner/operator ultimately is responsible for establishing the policies that support safe operation, including the evaluation of existing infrastructure against good engineering practices such as S84.01-2004.

It is crucial that the method integrates with the existing PSM program. Work processes and procedures developed for PSM should be leveraged. MOC and process hazards analysis drive the evaluation of process risk and could challenge the appropriateness of a grandfather claim. Various study findings will require prioritization and actions plans.

When deciding the priority of evaluations or the aggressiveness of a facility review, it is important to consider, among other factors, the risk potential and anticipated gaps with the new standard. Companies which complied with the intent of the 1996 version of the standard or with other recognized standards should find very few gaps. However, firms which have not kept pace may identify significant deviations.

If an owner/operator determines that the existing SIS does not meet the intent of the grandfather clause (i.e., “…the equipment is designed, maintained, inspected, tested and operating in a safe manner”), a defined decision-making process should address the identified gaps between the requirements and reality. This often involves a risk-ranking matrix based on the size of the deviation and the nature of process risk (e.g., frequency and consequence) associated with the potential event. Similar work processes can be used to develop actions plans for closing the gaps.

The challenge
Many owner/operators have not previously classified their automatically initiated shutdowns, so they do not know which ones fall under the umbrella of the standard and which ones do not. At many facilities, shutdowns are grouped under categories such as emergency shutdown systems, interlocks, critical instruments, etc. No distinction is made between safety, environmental, asset or business-interruption risks. In general, asset and economic protection account for a large percentage of the automatically initiated shutdowns.

However, S84.01-2004 only applies to the mitigation of safety risks and catastrophic environmental events. It does not cover instrumented systems to mitigate economic or asset risks. A hazard and risk analysis can be used to identify those functions that are required for safety and to define their functionality and risk-reduction requirements. Once the SIFs have been defined, the performance of the installed SIFs can be compared to the requirements to identify gaps.

A safe approach
The grandfather clause of S84.01-2004 does not offer an indefinite shield against the requirements of the standard. It provides the essential criteria that should be considered in the evaluation of existing SIFs. Good engineering practice, as outlined in ISA TR84.00.04, requires two key actions for each SIF to establish the applicability of the grandfather clause:

1. Determine the risk reduction required in the SIS using hazard and risk analysis.
2. Verify that the design and operating basis used delivers the required risk reduction.

Upgrading existing facilities to meet the intent of S84.01-2004 should be accelerated when existing devices are found to no longer meet the required risk reduction. This determination may be made through hazard and risk analysis, test and inspection findings and reports, operation reports of SIS demands and failures, and audits of the performance of personnel and systems against procedures and expectations. In existing facilities, the hazard and risk analysis often serves as the trigger for the periodic re-evaluation of protection layer adequacy and conformance to the latest standard.

1.  “Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents,” 29 CFR Part 1910, OSHA, Washington, D.C. (1992).
2. “Application of Safety Instrumented Systems for the Process Industries,” ANSI/ISA 84.01-1996, Instrumentation, Systems, and Automation (ISA), Research Triangle Park, N.C. (1996).

3. “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” International Electrotechnical Commission (IEC), IEC 61511 Geneva, Switz. (2003).
4. “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Mod), Instrumentation, Systems, and Automation (ISA), Research Triangle Park, N.C. (1996 and 2004).
5. U.S. Department of Labor, OSHA, Formosa Plastics Corp., Inspection No. 305893679, Inspection Dates 4/24/2004 through 10/20/2004 (2004).

Angela E. Summers, Ph.D., P.E., is president of SIS-TECH Solutions, LP Houston, Texas. She is the recipient of ISA’s 2005 Albert F. Sperry Award “for outstanding contributions and leadership in the specification, development, and implementation of safety instrumented systems for the process automation industry.”  E-mail her at

2 of 2 1 | 2 > View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments