Knowledge evolves over time. Real-world failures identify weaknesses in actual system performance. Hazard evaluation procedures [5] used periodically throughout the equipment life pinpoint and evaluate significant events involving abnormal process operation. Analyze the event risk qualitatively or quantitatively to determine the causes and potential frequency of occurrence. Then implement independent protection layers to ensure that failures or errors don’t compromise safe operation. When the residual risk exceeds the owner/operator criteria, establish additional administrative and engineered safeguards to reduce the risk below the criteria.
Train personnel in the process safety information associated with their work activities. Personnel must have the necessary skills and knowledge to follow procedures and properly execute their tasks, so specify minimum levels for the job. When on-the-job training is required, the program should address how the skills and knowledge are developed in a timely and safe manner and how progress is measured [2].
Finally, planning must consider security and management of change (MOC). Restrict physical and cyber access to the ISS using administrative procedures and physical means [2]. Independence assessments should consider data communication and human interface failures. Written procedures should address how to initiate, document, review and approve changes to the ISS other than replacement in kind. Evaluate any change to the process and its equipment through a MOC process to identify and resolve any impact on the ISS requirements.
This phase implements the systems defined in the Plan phase. From a project perspective, detailed engineering is completed, yielding an ISS installation that conforms to the design basis. Detailed engineering includes sufficient information to ensure the ISS is properly specified, constructed, installed, commissioned, operated and maintained. Equipment installed in an ISS should be proven to provide the required performance in similar operating environments.
Equipment classification also must consider the core attributes of protection layers, namely independence, functionality, integrity, reliability, auditability, MOC and access security. To counteract the unknown, owners/operators should rely on a defense-in-depth strategy of multiple independent protection layers to lower operational risk. An independent and separate safety instrumented system (SIS) is essential to ensuring safe and reliable operation. Defense-in-depth also seeks to minimize common cause, common mode and systematic errors that cause multiple layers to fail [7,8]. Detailed design should provide an ISS equipment list identifying the equipment by a unique designation (e.g., the tag number) and the required inspection and proof test interval.
Validation activities should include an input-to-output test of each new or modified ISS to demonstrate and document that the equipment is installed according to specification and operates as intended for each operating mode. It’s crucial to satisfactorily complete validation prior to the initiation of any operating mode where a hazardous event could occur.
Periodically conduct proof tests using a written procedure to demonstrate the successful operation of the ISS and to identify and correct deviations from the design basis and equipment specification. Train maintenance personnel on the procedures and make sure they understand equipment pass/fail criteria. Choose the proof test interval based on the relevant regulatory or insurance requirements, equipment history in a similar operating environment, manufacturer’s recommendations and risk reduction requirements.
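The residual-risk check described in the Plan phase and the risk-reduction input to the proof test interval above can be worked through numerically. The following is an added example, not part of the original article; the scenario frequencies, IPL credits, tolerable frequency and dangerous undetected failure rate are constructed assumptions, and the proof test relation is the simplified single-channel PFDavg ≈ λ_DU × TI / 2 from IEC 61508, which assumes a perfect proof test.

```python
"""Worked LOPA-style residual risk check and proof test interval sizing.

All figures below are constructed for illustration, not taken from a real plant.
"""
from math import prod

# Constructed scenario: one hazardous event with two credited protection layers.
INITIATING_EVENT_FREQ = 0.1                # demands per year (assumed)
TOLERABLE_FREQ = 3e-6                      # owner/operator criterion, events/year (assumed)
EXISTING_IPLS = {                          # probability of failure on demand per IPL
    "bpcs_alarm_with_operator_response": 0.1,
    "relief_valve": 0.01,
}
LAMBDA_DU = 0.02                           # dangerous undetected failures/year of the SIS loop (assumed)


def mitigated_frequency(ie_freq: float, ipl_pfds: dict[str, float]) -> float:
    """Residual event frequency once each independent layer is credited with its PFD."""
    return ie_freq * prod(ipl_pfds.values())


def required_sis_pfd(ie_freq: float, ipl_pfds: dict[str, float], tolerable: float) -> float:
    """PFD an additional safeguard must achieve to bring residual risk below the criterion.

    Returns 1.0 when the existing layers already satisfy the criterion (no extra layer needed).
    """
    residual = mitigated_frequency(ie_freq, ipl_pfds)
    return 1.0 if residual <= tolerable else tolerable / residual


def sil_band(pfd: float) -> int:
    """Map a required PFDavg onto the IEC 61508/61511 SIL bands for low-demand mode."""
    if pfd >= 1e-1:
        return 0   # no SIL-rated function required
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def max_proof_test_interval_years(target_pfd: float, lambda_du: float) -> float:
    """Longest proof test interval that keeps PFDavg at or below the target.

    Simplified 1oo1 relation PFDavg = lambda_du * TI / 2, rearranged for TI.
    """
    return 2.0 * target_pfd / lambda_du
```

Running the constructed case gives a residual frequency of 1e-4 events/year against a criterion of 3e-6, so an added SIS with PFD 0.03 (SIL 1) is needed, and at λ_DU = 0.02/year it must be proof tested at least every 3 years.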
Operating plans should consider the inspection and preventive maintenance requirements necessary to keep the equipment in “as good as new” condition. ISS proof tests should demonstrate that the mechanical integrity program maintains the required equipment performance. (Feed records forward into the Check phase for trending and metrics.) Operating procedures should cover the safe and approved methods for interacting with the safety equipment, such as bypassing, manual initiation and reset. Train and test operations personnel on the procedures as needed to ensure correct actions are taken. Record and periodically assess operator actions in response to abnormal operation.