Grandfathering of safety instrumented systems (SISs) is no longer limited to the U.S. standard. ISA has accepted the 2nd edition of IEC 61511, “Functional Safety — Safety Instrumented Systems for the Process Industry Sector,” as the replacement for the current U.S. national standard, ANSI/ISA 84.00.01-2004. Unlike the previous edition, the latest U.S. and international versions don’t differ at all. This is good news for the process industry sector, which sources so many products and services internationally.
However, many U.S. processors may worry about what happened to the previous edition’s “grandfather clause” or ANSI/ISA 84.00.01-1 clause 1y:
“For existing SIS designed and constructed in accordance with code, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”
It now appears in clause 5, which repositions the requirement as part of the implementing and monitoring activities of functional safety management (clause 5.2.5). This new location serves as a reminder that leaving an SIS “as is” demands a formal determination that the SIS is achieving the functional and safety integrity requirements in the operating environment. This determination must come from an assessment of the design, maintenance, inspection, testing and operating records for the installed system.
Let’s take a look at some IEC 61511 requirements you must consider in determining whether the SIS can be left “as is.”
Existing System Acceptability
The existing SIS can remain “as is” when the data and information gathered about the SIS performance proves that it is achieving the safety requirements.
The implementing and monitoring clause is part of functional safety management. The clause covers the last two phases — check and act — of the plan/do/check/act quality cycle. Clause 5.2.5 requires evaluation of the demand rate, reliability parameters and known systematic issues.
You must compare the demand rate on the safety functions with the risk analysis assumptions to ensure the claimed initiating event frequency and risk reduction for other layers are valid. A higher demand rate could result in the need to enhance the control system, improve operator response to abnormal operation through simulation training, or upgrade safety interlocks to higher-integrity ones. Staying ahead of latent conditions that present potential safety challenges and weaken protection layers requires continuous improvements [1].
In addition, you must closely monitor the SIS performance to assess whether the reliability parameters agree with the assumptions in the safety requirements specification. A successful program leverages existing work processes to collect quality data that drive improvements in safety and reliability [2]. The reliability parameters of most interest are those associated with the SIS’s claimed probability of failure on demand and spurious trip rate as well as other contributors to unavailability, such as cumulative online bypass or repair time. Good, properly implemented metrics spur personnel to do the right thing [1]. Root cause investigation can help identify systematic errors that need addressing with corrective action plans to minimize the potential that a similar error recurs.
You must follow up promptly to address any recommendations generated during the SIS life (clause 5.2.5.1). These can come from process safety management tasks, such as hazards and risk analysis, functional safety assessments (FSAs), audits, management of change, and incident investigations — but also can arise from quality assurance tasks, such as verifications, validations and automation asset integrity.
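The clause 5.2.5 comparison described above, as an added worked example that is not code from the article or from SIS-TECH: it takes the assumptions recorded in the safety requirements specification (demand rate, target PFDavg, spurious trip allowance, bypass and repair allowance) and checks them against in-service records for each safety instrumented function. The SIF names, SRS values and records are constructed, and the PFDavg estimate assumes a single-channel (1oo1) function so that the usual simplified PFDavg ≈ λDU × TI / 2 relation applies.

```python
"""Compare in-service SIS records against the assumptions recorded in the safety
requirements specification (SRS).  Added illustration, not code from the article
or from SIS-TECH; every SIF name, SRS value and record below is constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class SrsAssumptions:
    """Values claimed in the SRS / risk analysis (constructed)."""
    demand_rate_per_year: float        # initiating event frequency assumed
    target_pfd_avg: float              # upper edge of the claimed SIL band
    max_spurious_trips_per_year: float
    proof_test_interval_hours: float   # TI
    max_unavailable_fraction: float    # bypass + repair allowance


@dataclass
class ServiceRecords:
    """Operations and maintenance history for one SIF (constructed)."""
    service_hours: float
    demands: int                       # real demands seen by the SIF
    spurious_trips: int
    dangerous_failures_found: int      # DU failures revealed by proof test or demand
    bypass_hours: float
    repair_hours: float


def observed_demand_rate(rec: ServiceRecords) -> float:
    """Demands per year of service."""
    return rec.demands / (rec.service_hours / HOURS_PER_YEAR)


def observed_spurious_trip_rate(rec: ServiceRecords) -> float:
    """Spurious trips per year of service."""
    return rec.spurious_trips / (rec.service_hours / HOURS_PER_YEAR)


def estimated_pfd_avg(rec: ServiceRecords, srs: SrsAssumptions) -> float:
    """Point estimate of PFDavg from field data.
    Assumption: single-channel (1oo1) function, so PFDavg ~ lambda_DU * TI / 2,
    the usual simplified formula.  lambda_DU is DU failures per service hour.
    A zero failure count gives a zero estimate, which is a lack of evidence,
    not a demonstrated low rate."""
    lam_du = rec.dangerous_failures_found / rec.service_hours
    return lam_du * srs.proof_test_interval_hours / 2.0


def unavailable_fraction(rec: ServiceRecords) -> float:
    """Share of service time the function was bypassed or under repair."""
    return (rec.bypass_hours + rec.repair_hours) / rec.service_hours


def evaluate(srs: SrsAssumptions, rec: ServiceRecords) -> dict:
    """Return {metric: (observed, limit, ok)} for each clause 5.2.5 check."""
    checks = {
        "demand_rate_per_year": (observed_demand_rate(rec), srs.demand_rate_per_year),
        "pfd_avg": (estimated_pfd_avg(rec, srs), srs.target_pfd_avg),
        "spurious_trips_per_year": (observed_spurious_trip_rate(rec),
                                    srs.max_spurious_trips_per_year),
        "unavailable_fraction": (unavailable_fraction(rec), srs.max_unavailable_fraction),
    }
    return {k: (obs, lim, obs <= lim) for k, (obs, lim) in checks.items()}


# Constructed sample: one SIL 2 SRS and two SIFs with five years of service each.
SRS_SIL2 = SrsAssumptions(demand_rate_per_year=0.1, target_pfd_avg=1e-2,
                          max_spurious_trips_per_year=0.5,
                          proof_test_interval_hours=HOURS_PER_YEAR,
                          max_unavailable_fraction=0.01)
FIVE_YEARS = 5 * HOURS_PER_YEAR
RECORDS = {
    "SIF-101 high pressure trip": ServiceRecords(FIVE_YEARS, demands=2, spurious_trips=1,
                                                 dangerous_failures_found=1,
                                                 bypass_hours=300.0, repair_hours=160.0),
    "SIF-102 low level trip": ServiceRecords(FIVE_YEARS, demands=0, spurious_trips=1,
                                             dangerous_failures_found=0,
                                             bypass_hours=40.0, repair_hours=8.0),
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(name)
        for metric, (obs, lim, ok) in evaluate(SRS_SIL2, rec).items():
            print(f"  {metric:26s} observed {obs:.3g}  limit {lim:.3g}  "
                  f"{'ok' if ok else 'EXCEEDS'}")
```

For SIF-101 the observed demand rate (0.4/yr against 0.1/yr assumed), the PFDavg estimate and the bypass-plus-repair fraction all exceed the SRS values, which is the pattern that should trigger the enhancements the paragraph above lists rather than a claim that the SIS is fine "as is". SIF-102 passes every check, but its zero-failure PFDavg estimate is only an absence of evidence; how low a rate the service hours actually support is a separate calculation.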
Prior Use
The existing SIS can remain “as is” when the historical, or prior use, data proves that the SIS equipment achieves the safety requirements.
Over the long haul, the information and data collected during the operation and maintenance phase must substantiate the installed equipment is fit for purpose, fulfilling the functional and safety integrity requirements. The 2nd edition of IEC 61511 emphasizes the importance of understanding how the equipment behaves in the operating environment, which for the process industry sector often differs markedly from the manufacturer environment. Successful demonstration of prior use helps to provide a higher degree of certainty that the planned “design, inspection, testing, maintenance and operational practices” are adequate (IEC 61511 clause 3.2.51). Always keep in mind that operational and maintenance records can offer business value when they lead to actions that address negative findings.
Gathering sufficient data to demonstrate prior use involves implementing procedures to collect quality data, monitor the results for negative trends and act to close gaps. Experience after installation can reveal unexpected early failures, such as those related to operating environment, specification, storage, handling, installation and commissioning, that can necessitate changes to site practices. The operating environment, human factors management and the operation and maintenance culture of the site can impact in-service performance significantly. Understanding these systematic mechanisms is necessary to lower the risk consistently across a site.
Spending time with the data can help identify widespread or systematic issues that can increase overall site risk substantially. The same support personnel following similar procedures often take care of many process units; so, for example, mistakes in implementing a particular technology can occur in every application. Historical data prove that site practices are achieving the desired performance from the equipment and that site personnel understand how to properly design, maintain, inspect, test and operate it. Always remember that a site can change work processes and procedures to minimize recurrence of human error and modify installations to address human factors.
Understanding maintenance history is an essential part of demonstrating the adequacy of existing equipment. The number of service hours needed to gain confidence increases in line with the complexity of an installation. A worthwhile approach for assessments is to treat equipment using similar technology as one pool of instruments because they share the same types of failure mechanisms, failure modes and systematic errors. Pooling similar technologies increases the likelihood that there’s a sufficient number of total operating hours to have confidence the assessment results are valid. Field device performance is similar in safety and non-safety applications, so control device history can also be used to accumulate the operating experience needed to gain confidence.
Historical data can contribute to a database for calculating hardware failure rates for the different technologies. However, the amount of operational experience needed to gain credible statistical reliability data typically far exceeds that necessary to get evidence of prior use. Contributing data to industry organizations, such as the Instrument Reliability Network, the Process Equipment Reliability Database and SINTEF, can yield statistically sound data by accumulating datasets for multiple installations.
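The pooling argument in the two paragraphs above, as an added worked example that is not code from the article, from SIS-TECH or from any of the named industry databases: it pools the service hours of instruments sharing one technology (safety and control service alike), then computes an upper confidence bound on the dangerous undetected failure rate rather than the point estimate, so that a run of zero failures is credited only for the hours actually accumulated. The device list, its hours and failure counts are constructed; the bound is the standard exact Poisson (chi-square) upper limit from reliability handbooks, solved here by bisection so nothing beyond the standard library is needed, and the SIL bands are the IEC 61508/61511 low-demand PFDavg bands.

```python
"""Pool service history across instruments sharing a technology and bound their
dangerous undetected (DU) failure rate.  Added illustration, not code from the
article or from any industry database; the device list below is constructed."""
import math


def poisson_cdf(r: int, m: float) -> float:
    """P(X <= r) for X ~ Poisson(m)."""
    return sum(math.exp(-m) * m ** k / math.factorial(k) for k in range(r + 1))


def rate_upper_bound(failures: int, hours: float, confidence: float = 0.95) -> float:
    """Largest failure rate (per hour) not rejected at the given confidence.

    Finds the Poisson mean m with P(X <= failures | m) = 1 - confidence by
    bisection; m / hours is the classical one-sided upper limit, identical to
    chi2(2r + 2, confidence) / (2 T) from reliability handbooks."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (failures + 1)          # hi comfortably exceeds the root
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > alpha:   # mean still too small
            lo = mid
        else:
            hi = mid
    return hi / hours


def hours_for_zero_failure_claim(rate: float, confidence: float = 0.95) -> float:
    """Failure-free service hours needed before `rate` is excluded at the confidence:
    -ln(1 - confidence) / rate, roughly 3 / rate at 95 %."""
    return -math.log(1.0 - confidence) / rate


def sil_band(pfd_avg: float) -> int:
    """IEC 61508/61511 low-demand SIL band for a PFDavg; 0 means below SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd_avg >= lower:
            return sil
    return 4


def pool_hours(devices, technology: str) -> tuple[float, int]:
    """Total service hours and DU failures for every device of one technology,
    whether it sits in a SIS or in the basic process control system."""
    sel = [d for d in devices if d[1] == technology]
    return sum(d[3] for d in sel), sum(d[4] for d in sel)


# Constructed site inventory: (tag, technology, role, service_hours, du_failures).
# Each device has five years (43 800 h) of service.
FIVE_YEARS = 5 * 8760.0
DEVICES = [
    ("PT-101", "pressure transmitter", "SIS", FIVE_YEARS, 0),
    ("PT-102", "pressure transmitter", "SIS", FIVE_YEARS, 0),
    ("PT-201", "pressure transmitter", "BPCS", FIVE_YEARS, 1),
    ("PT-202", "pressure transmitter", "BPCS", FIVE_YEARS, 0),
    ("PT-203", "pressure transmitter", "BPCS", FIVE_YEARS, 0),
    ("PT-204", "pressure transmitter", "BPCS", FIVE_YEARS, 0),
    ("PT-205", "pressure transmitter", "BPCS", FIVE_YEARS, 0),
    ("PT-206", "pressure transmitter", "BPCS", FIVE_YEARS, 0),
    ("FT-301", "coriolis flowmeter", "SIS", FIVE_YEARS, 0),
    ("FT-302", "coriolis flowmeter", "BPCS", FIVE_YEARS, 0),
]
PROOF_TEST_INTERVAL_H = 8760.0


def supported_sil(devices, technology: str) -> tuple[float, int]:
    """Upper-bound PFDavg (1oo1, PFDavg ~ lambda_DU * TI / 2) and the SIL band it
    supports for the pooled technology at 95 % confidence."""
    hours, failures = pool_hours(devices, technology)
    pfd = rate_upper_bound(failures, hours) * PROOF_TEST_INTERVAL_H / 2.0
    return pfd, sil_band(pfd)


if __name__ == "__main__":
    single = rate_upper_bound(0, FIVE_YEARS)
    print(f"one transmitter, 5 y, 0 failures: lambda_DU <= {single:.2e}/h "
          f"-> PFDavg <= {single * PROOF_TEST_INTERVAL_H / 2:.3f}")
    pfd, sil = supported_sil(DEVICES, "pressure transmitter")
    print(f"pooled transmitters: PFDavg <= {pfd:.3f}, supports SIL {sil}")
    print(f"hours of failure-free service to support 1e-6/h: "
          f"{hours_for_zero_failure_claim(1e-6):.3g}")
```

One transmitter with five failure-free years bounds λDU at about 6.8e-5/h, which with an annual proof test supports no SIL band at all; pooling eight transmitters of the same technology, one of which failed dangerously, tightens the bound to about 1.35e-5/h and supports SIL 1. The last line of the output illustrates the point made above: excluding a rate of 1e-6/h needs roughly three million failure-free device-hours, far more than any single installation accumulates, which is why industry-wide data sharing is needed for statistically sound failure rates while prior-use evidence can be gathered on site.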
Most process facilities use historical data for high-level metrics, such as bad actor analysis, mean time between work orders or mean time between failures, rather than to calculate dangerous failure rates. A focus on high-level metrics is understandable because site culture and practices must react to identified problems rather than waiting for the rate to get bad. Regardless, operations and maintenance should strive to reduce the potential for failure to a level as low as reasonably practicable.
Functional Safety Assessment
The existing SIS can remain “as is” when the Stage 4 FSA confirms that the SIS is fulfilling its safety requirements.
The SIS hardware, software and associated procedures may undergo change throughout the operation and maintenance phase. New clause 5.2.6.1.9 formally addresses what to do when making changes to an existing SIS. The FSA associated with the change must include what IEC 61511 calls an impact analysis (which probably is more commonly referred to as a risk assessment within the process safety community). The clause also requires that the FSA confirm the modification complies with IEC 61511.
FSAs ensure the SIS performance aligns with the claimed risk reduction and the work processes in place provide the needed rigor to sustain the performance. FSAs are performed at five different stages during the SIS life. Stages 1, 2 and 3 are integrated into the project execution process. New IEC 61511 clause 5.2.6.10 requires periodically conducting Stage 4 during the operations and maintenance phase. Stage 5 concerns any proposed change to the SIS or decommissioning.
The standard doesn’t prescribe how often to perform Stage 4. Common considerations in Stage 4 timing include local regulatory requirements, the frequency of organizational changes at the site, the quality of operating discipline and functional safety management systems existing prior to the installation, the number of safety control, alarm and interlock functions and their complexity, and the extent of changes to the process equipment or its control system [2].
Stage 4 evaluates the work processes and records to confirm the requirements for functional safety management and verification are being met. Stage 4 also examines the data and information about the installed SIS to determine whether the assumptions made during design can be supported. If the in-service performance is less than expected, then the likelihood of loss events can be greater than desired. Documented and audited work processes are essential to sustaining the SIS performance and preserving the intended return on investment in the SIS.
The Bottom Line
The concept of grandfathering is out of date. You must judge existing systems by the same performance measures used for new ones. The evidence supporting the claimed performance changes as an SIS goes from being a project concept to an installed system.
The project view of the SIS lifecycle starts with the hazards and risk analysis and ends with the startup of the process unit. The safety integrity level (SIL) is defined during the risk analysis, a failure model of the function is created during design, and a calculation is executed using reliability data to verify the SIL. The model assumptions and data quality limit the relevance of the calculated result to the actual installed SIS.
The SIS becomes an existing system once placed in service, and its current performance demonstrates its acceptability “as is.” The determination that the equipment is designed, maintained, inspected, tested and operating in a safe manner relies on the collection of quality information and data by operations and maintenance. This data feedback is necessary for determining the acceptability not only of the SIS under consideration but also of other SISs that use similar hardware, software, procedures and operating environments.
Does Your SIS Comply?
The grandfather clause in the 1st edition of IEC 61511 only applied to the equipment, i.e., the installed hardware and software. Grandfathering never applied to implementing the requirements for functional safety management. Compliance demands embracing the work processes and activities of IEC 61511. This includes the requirements for the hazards and risk analysis, design through implementation, operation, maintenance, management of change, and documentation.
The 2nd edition of IEC 61511 clarifies that claiming the installed SIS is good enough “as is” requires the collection and analysis of in-service data and information. Formal monitoring processes are needed to identify negative trends and to take corrective action, sustaining the functional and safety integrity requirements.
ANGELA E. SUMMERS, PhD, PE, is president of SIS-TECH Solutions, Houston. Email her at [email protected].
REFERENCES
1. Summers, Angela E. and Hearn, William H., “Quality Assurance in Safe Automation,” Proc. Safety Progr., 27 (4), p. 323 (Dec. 2008).
2. Roche, Eloise, Hochleitner, Monica and Summers, Angela, “Introduction to Functional Safety Assessments of Safety Controls, Alarms, and Interlocks. How efficient are your functional safety projects?” Proc. Safety Progr., 36 (4), p. 392 (Dec. 2017).