Grandfathering of safety instrumented systems (SISs) is no longer limited to the U.S. standard. ISA has accepted the 2nd edition of IEC 61511, “Functional Safety — Safety Instrumented Systems for the Process Industry Sector,” as the replacement for the current U.S. national standard, ANSI/ISA 84.00.01-2004. Unlike the previous edition, the latest U.S. and international versions don’t differ at all. This is good news for the process industry sector, which sources so many products and services internationally.
However, many U.S. processors may worry about what happened to the previous edition’s “grandfather clause” or ANSI/ISA 84.00.01-1 clause 1y:
“For existing SIS designed and constructed in accordance with code, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”
It now appears in clause 5, which repositions the requirement as part of the implementing and monitoring activities of functional safety management (clause 5.2.5). This new location serves as a reminder that leaving an SIS “as is” demands a formal determination that the SIS is achieving the functional and safety integrity requirements in the operating environment. This determination must come from an assessment of the design, maintenance, inspection, testing and operating records for the installed system.
Let’s take a look at some IEC 61511 requirements you must consider in determining whether the SIS can be left “as is.”
Existing System Acceptability
The existing SIS can remain “as is” when the data and information gathered about the SIS performance proves that it is achieving the safety requirements.
The implementing and monitoring clause is part of functional safety management. The clause covers the last two phases — check and act — of the plan/do/check/act quality cycle. Clause 5.2.5 requires evaluation of the demand rate, reliability parameters and known systematic issues.
You must compare the demand rate on the safety functions with the risk analysis assumptions to ensure the claimed initiating event frequency and risk reduction for other layers are valid. A higher demand rate could result in the need to enhance the control system, improve operator response to abnormal operation through simulation training, or upgrade safety interlocks to higher-integrity ones. Staying ahead of latent conditions that present potential safety challenges and weaken protection layers requires continuous improvements.
In addition, you must closely monitor the SIS performance to assess whether the reliability parameters agree with the assumptions in the safety requirements specification. A successful program leverages existing work processes to collect quality data that drive improvements in safety and reliability. The reliability parameters of most interest are those associated with the SIS’s claimed probability of failure on demand and spurious trip rate as well as other contributors to unavailability, such as cumulative online bypass or repair time. Good, properly implemented metrics spur personnel to do the right thing. Root cause investigation can help identify systematic errors that need addressing with corrective action plans to minimize the potential that a similar error recurs.
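The comparison described in the two paragraphs above can be run directly against totals from operating and maintenance records. The following is an added example, not taken from the article or from IEC 61511: it assumes a single-channel (1oo1) function, the common simplified equation PFDavg ≈ λDU × TI / 2, pooled data from identical functions, and constructed sample numbers.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass
class SrsAssumptions:            # assumed values from the SRS and risk analysis
    demand_rate_per_yr: float    # claimed demand frequency on the function
    pfd_avg_claimed: float       # claimed average probability of failure on demand
    spurious_trips_per_yr: float
    proof_test_interval_yr: float

@dataclass
class OperatingRecord:           # totals pulled from O&M records
    device_years: float          # pooled in-service time of identical functions
    demands: int
    dangerous_failures: int      # dangerous failures revealed by proof test or demand
    spurious_trips: int
    bypass_repair_hours: float   # cumulative online bypass plus repair time

def evaluate(srs: SrsAssumptions, rec: OperatingRecord) -> dict:
    """Compare observed performance with the assumptions; return rates and gaps."""
    demand_rate = rec.demands / rec.device_years
    lambda_du = rec.dangerous_failures / rec.device_years   # point estimate, per year
    # Simplified 1oo1 equation (assumption): PFDavg ~ lambda_DU * TI / 2
    pfd_proof_test = lambda_du * srs.proof_test_interval_yr / 2.0
    # Time in bypass or repair is time the function cannot act on a demand.
    unavailability = rec.bypass_repair_hours / (rec.device_years * HOURS_PER_YEAR)
    pfd_avg = pfd_proof_test + unavailability
    spurious_rate = rec.spurious_trips / rec.device_years
    checks = [
        ("demand_rate", demand_rate, srs.demand_rate_per_yr),
        ("pfd_avg", pfd_avg, srs.pfd_avg_claimed),
        ("spurious_trip_rate", spurious_rate, srs.spurious_trips_per_yr),
    ]
    gaps = [name for name, observed, assumed in checks if observed > assumed]
    return {"demand_rate": demand_rate, "pfd_avg": pfd_avg,
            "spurious_trip_rate": spurious_rate, "gaps": gaps}

# Constructed sample: 16 identical functions observed for 5 years each.
SRS = SrsAssumptions(0.1, 0.01, 0.1, 1.0)
RECORD = OperatingRecord(device_years=80, demands=20, dangerous_failures=1,
                         spurious_trips=4, bypass_repair_hours=700)

if __name__ == "__main__":
    result = evaluate(SRS, RECORD)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With few or zero recorded failures the point estimate of the failure rate is optimistic, so a real assessment would apply a confidence bound before claiming the SIS meets its target.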
You must follow up promptly to address any recommendations generated during the SIS life (clause 184.108.40.206). These can come from process safety management tasks, such as hazards and risk analysis, functional safety assessments (FSAs), audits, management of change, and incident investigations — but also can arise from quality assurance tasks, such as verifications, validations and automation asset integrity.
The existing SIS can remain “as is” when the historical, or prior use, data proves that the SIS equipment achieves the safety requirements.
Over the long haul, the information and data collected during the operation and maintenance phase must substantiate that the installed equipment is fit for purpose, fulfilling the functional and safety integrity requirements. The 2nd edition of IEC 61511 emphasizes the importance of understanding how the equipment behaves in the operating environment, which for the process industry sector often differs markedly from the manufacturer environment. Successful demonstration of prior use helps to provide a higher degree of certainty that the planned “design, inspection, testing, maintenance and operational practices” are adequate (IEC 61511 clause 3.2.51). Always keep in mind that operational and maintenance records can offer business value when they lead to actions that address negative findings.
Gathering sufficient data to demonstrate prior use involves implementing procedures to collect quality data, monitor the results for negative trends and act to close gaps. Experience after installation can reveal unexpected early failures, such as those related to operating environment, specification, storage, handling, installation and commissioning, that can necessitate changes to site practices. The operating environment, human factors management and the operation and maintenance culture of the site can impact in-service performance significantly. Understanding these systematic mechanisms is necessary to lower the risk consistently across a site.
Spending time with the data can help identify widespread or systematic issues that can increase overall site risk substantially. The same support personnel following similar procedures often take care of many process units; so, for example, mistakes in implementing a particular technology can occur in every application. Historical data prove that site practices are achieving the desired performance from the equipment and that site personnel understand how to properly design, maintain, inspect, test and operate it. Always remember that a site can change work processes and procedures to minimize recurrence of human error and modify installations to address human factors.