This post was authored by William Johnson, Richard R. Dunn, and Victor J. Maggioli.
Functional safety within the process sector has always been a priority. As the process sector moved into the computer age, new issues arose as manufacturing plants converted to computer control to replace electrical, pneumatic, and electronic controls. The process sector developed a variety of tools to address these problems, but safety performance did not always meet expectations. The need for improved understanding and harmonization of risk reduction approaches became evident with the occurrence of such major catastrophes as Seveso (Italy), Bhopal (India), Flixborough (U.K.), and Chernobyl (Ukraine). In response, OSHA developed and published OSHA 29 CFR 1910.119 (Final Rule: 24 February 1992), Process Safety Management of Highly Hazardous Chemicals, Explosives, and Blasting Agents; and the U.S. Environmental Protection Agency published EPA 40 CFR Part 68, Accidental Release Prevention Requirements: Risk Management Programs under the Clean Air Act (U.S. only). These regulations helped define the areas that must be addressed in order to achieve a mandated level of functional safety performance in industry.
The International Society of Automation recognized the need for an improved approach in handling process sector functional safety issues. As a result, ISA established Standards Project 84 (SP84, now called ISA84) to address this issue.
ISA-84 scope
- Define terminology that is particular to Electrical/Electronic/Programmable Electronic Systems (E/E/PES) and high reliability.
- Establish criteria for, and means of assessing, reliability and availability in practical applications.
- Provide general specification guidelines that facilitate understanding.
- Provide guidelines for process safety applications requiring high reliability.
- Develop guidelines for specific hardware/software configurations that can meet varying levels of reliability/availability.
- This work does not apply to nuclear power safety-related systems.
ISA-84 purpose
To develop standards and technical reports for applying Electrical/Electronic/Programmable Electronic Systems (E/E/PES) in process safety applications. The full article outlines additional key elements of the ISA84 committee on process sector functional safety. It also provides a preview of the forthcoming 2nd edition of ANSI/ISA84.00.01 (IEC 61511 Mod).
Safety life cycle
The ISA84 committee set out to define the boundaries of its work by developing a safety instrumented system (SIS) safety life cycle (see Figure 1), which illustrated the activities involved when addressing process sector functional safety. ISA84 then selected those activities to be addressed in its proposed standard (i.e., ANSI/ISA-84.01-1996) as noted in Figure 1.
Concurrent with the work to develop ISA-84.01-1996, the committee undertook a review of global activities in the process sector functional safety arena. A 1993 AIChE Center for Chemical Process Safety (CCPS) book, "Guidelines for Safe Automation of Chemical Processes," served as a key reference for new issues (e.g., SIS, LOPA) related to the process hazards and risk analysis phase of the safety life cycle.
At about that time, the HSE of the U.K. issued a white paper on an approach utilizing programmable electronic (PE) equipment (i.e., software based) in safety applications. While this approach was already in use in parts of the U.S. process sector, having it validated by a third party such as HSE provided further confidence that consensus approaches to handling the design phases of the safety life cycle could be achieved.
ISA84 also became aware that the International Electrotechnical Commission (IEC) had initiated the development of a global functional safety standard (IEC 61508) for all industrial sectors.
ISA84 reviewed the IEC 61508 scope and purpose and recognized that it focused on equipment manufacturers' requirements for developing products that could be utilized in safety applications. IEC 61508 recognized the need for sector-specific standards while providing owner/user requirements for those sectors without a sector-specific standard. For example, IEC planned to form a committee to develop a process sector functional safety standard (i.e., IEC 61511) once IEC 61508 was issued.
ISA84 quickly recognized the value of such an IEC standard and determined that, subsequent to publishing ANSI/ISA-84.01-1996, its future efforts should be to:
- support development of IEC 61508;
- support development of IEC 61511;
- replace U.S. national standard ISA-84.01-1996 with a U.S. approved version of IEC 61511; and
- provide the technical reports which support transition to this global approach.
ISA84 began pursuing these goals after publication of U.S. national standard ANSI/ISA-84.01-1996.
ISA84 recognized that the European Workshop for Industrial Computer Safety (EWICS) white paper submittals served as effective global vehicles for introducing new safety design concepts. EWICS and CCPS were especially helpful to ISA84 since each provided a view of alternate design approaches (a tool that is now also supplemented by the development of ISA technical reports [TRs] for inclusion in today's functional safety standards). EWICS and CCPS continue to play an important part in harmonizing new and improved design methods.
The impact of IEC 61508 on the safety life cycle is reflected in Figure 2. Note that IEC functional safety standards have an expanded scope that addresses all life cycle phases (i.e., from hazard and risk assessment (H&RA) through decommissioning). The clause numbers noted in the figure are based on ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), "Functional Safety Standard for the Process Industry Sector."
Initial issues
ISA84 recognized the need to address the impact of OSHA 1910.119, "Process Safety Management of Highly Hazardous Chemicals," on U.S. process sector owner/users. Accordingly, ANSI/ISA-91.00.01, Identification of Emergency Shutdown Systems and Controls that are Critical to Maintaining Safety in Process Industries, was developed, approved, and issued via a fast-track approach while ANSI/ISA-84.01-1996 was being developed.
Terminology for this effort required a strong commitment by ISA84 to introduce technical terms that would be globally accepted. The international membership of ISA84 and the terminology being developed for IEC 61508 were essential in identifying and reaching consensus on such terms as safety instrumented systems (SIS), safety integrity level (SIL), safety instrumented function (SIF), basic process control system (BPCS), and the like.
The standards development required the integration of both quantitative and qualitative measures to ensure SIS designs had the ability to achieve their projected performance. To address this need, ISA84 developed ISA-TR84.02-2002, which illustrated approaches using various modeling techniques. This TR served two essential purposes:
- It illustrated various quantitative and qualitative tools for validating application designs.
- It demonstrated how TR development was beneficial and key in developing consensus among ISA84 members.
Subsequent to the issue of the 1st edition of IEC 61508, Parts 1 through 7 (1998-2000), the IEC 61511 committee completed and issued the 1st edition of IEC 61511, Parts 1, 2, & 3 (2003). ISA84 reviewed this standard throughout its development and accepted it as a U.S. national standard, replacing ANSI/ISA-84.01-1996. The only modification to IEC 61511 for adoption as a U.S. standard (i.e., ANSI/ISA-84.00.01-2004 [IEC 61511-1 Mod]) was reference to the U.S. handling of legacy systems (i.e., the grandfather clause).
Cost
For new projects, compliance with the IEC 61511 safety life cycle typically has minimal impact on total project costs. It requires project and operations leaders to follow the safety life cycle phases through the design, installation, and operation of the SIS.
For existing SIS, the costs to comply will consist of engineering cost and, in most cases, hardware cost. The engineering cost will vary in accordance with the quality of the existing Process Hazards Analysis (PHA). If the PHA has established a tolerable risk for the events under review and determined the target risk reduction for the SIF, little additional engineering is required beyond normal instrument and control design. The probability of failure on demand (PFD) of the SIF at the current test frequency can be calculated and compared to the required SIL.
If the existing PHA has not adequately defined the need for risk reduction (e.g., SIF design, SIL requirements), considerable engineering effort may be required to conform to the standard. The PHA must be updated to define these requirements for each identified SIF. The target SIL for the SIF is then determined from the risk reduction required to bring the event down to its tolerable risk. The PFD of the SIF can then be calculated to determine whether the tolerable risk for the event is achieved. If the SIF cannot meet the target SIL, the test interval may have to be decreased or redundant equipment added.
Design impact example
If a site chooses to increase the test frequency to meet the target SIL, online testing may be required to avoid frequent process shutdowns. In many cases, at older sites, additional design and equipment will be required to allow online testing. The design impact for existing systems can be considerable, depending on the SIL required for the SIF. The increased cost to allow online testing may be offset by the reduced need for future plant shutdowns. In addition, the ability to test the SIFs online removes the need for instrument mechanics (on overtime) during plant shutdowns, since testing can be scheduled independently of shutdowns.
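The sizing sequence described in the Cost and Design impact sections above, as an added worked example (not code from the original post, from ISA84, or from the technical reports it cites): the required risk reduction factor and target SIL are derived from a tolerable event frequency after crediting the other independent protection layers, the average PFD of a candidate design is computed from its dangerous-undetected failure rate and proof-test interval using the simplified low-demand approximations, and the design is then adjusted either by shortening the test interval or by moving to a redundant 1oo2 architecture until the target is met. The initiating event frequency, relief valve credit, tolerable frequency, failure rate and common-cause beta are all constructed for illustration and are not taken from the post.

```python
# Added example (not from the original post or ISA84): sizing check for one
# safety instrumented function (SIF) following the steps in the Cost section.
# PFD formulas are the simplified low-demand approximations (no repair time,
# 100 % proof-test coverage); all numbers in worked_case() are constructed.

# IEC 61511 low-demand SIL bands as (SIL, lower PFDavg, upper PFDavg).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd):
    """Map an average PFD to its SIL band; 0 means no SIL credit (PFD >= 0.1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def required_rrf(unmitigated_freq, tolerable_freq, other_ipl_pfds=()):
    """Risk reduction factor the SIF must supply after other IPLs are credited.

    Frequencies are per year. Each non-SIS independent protection layer
    (relief valve, dike, ...) is credited with its own PFD first.
    """
    freq = unmitigated_freq
    for pfd in other_ipl_pfds:
        freq *= pfd
    return freq / tolerable_freq


def required_sil(rrf):
    """Target SIL for a SIF that must provide risk reduction factor rrf."""
    return sil_for_pfd(1.0 / rrf)


def pfd_avg(lambda_du, ti_years, architecture="1oo1", beta=0.0):
    """Average PFD for a SIF with dangerous-undetected failure rate lambda_du
    (per year), proof-tested every ti_years. beta is the common-cause fraction
    applied to the redundant architectures."""
    x = lambda_du * ti_years
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x ** 2 / 3 + beta * x / 2
    if architecture == "2oo3":
        return x ** 2 + beta * x / 2
    raise ValueError("unsupported architecture: " + architecture)


def max_test_interval_months(lambda_du, target_pfd, architecture="1oo1",
                             beta=0.0, limit=120):
    """Longest proof-test interval (whole months, up to limit) that keeps
    PFDavg at or below target_pfd; 0 if even monthly testing is not enough."""
    best = 0
    for months in range(1, limit + 1):
        if pfd_avg(lambda_du, months / 12.0, architecture, beta) <= target_pfd:
            best = months
        else:
            break  # PFDavg only grows with the interval, so stop here
    return best


def worked_case():
    """Constructed scenario: overpressure event, one relief valve IPL, one SIF."""
    unmitigated = 0.1        # initiating event frequency, per year (constructed)
    relief_valve_pfd = 0.01  # credit for the existing relief valve (constructed)
    tolerable = 4e-6         # site tolerable event frequency, per year (constructed)
    lambda_du = 0.025        # sensor + logic + valve lambda_DU, per year (constructed)
    beta = 0.05              # common-cause fraction for the 1oo2 option (constructed)

    rrf = required_rrf(unmitigated, tolerable, (relief_valve_pfd,))
    target_pfd = 1.0 / rrf
    annual_1oo1 = pfd_avg(lambda_du, 1.0)
    annual_1oo2 = pfd_avg(lambda_du, 1.0, "1oo2", beta)
    return {
        "rrf": rrf,
        "target_sil": required_sil(rrf),
        "pfd_1oo1_annual": annual_1oo1,
        "sil_1oo1_annual": sil_for_pfd(annual_1oo1),
        "max_ti_1oo1_months": max_test_interval_months(lambda_du, target_pfd),
        "pfd_1oo2_annual": annual_1oo2,
        "sil_1oo2_annual": sil_for_pfd(annual_1oo2),
        "max_ti_1oo2_months": max_test_interval_months(lambda_du, target_pfd,
                                                       "1oo2", beta),
    }


if __name__ == "__main__":
    for key, value in worked_case().items():
        print(f"{key:>20}: {value}")
```

In the constructed case the existing 1oo1 loop tested annually sits in SIL 1 against a SIL 2 target, and bringing it into compliance without new hardware means testing every three months, which is exactly the situation in which online testing becomes necessary. The 1oo2 option meets the target with a 37-month interval, but note that its PFD is dominated by the common-cause term, so the beta assumption matters as much as the added hardware. The simplified formulas assume the product of failure rate and test interval is small; long intervals near the search cap should be rechecked with the fault-tree or Markov methods that ISA-TR84.00.02 illustrates.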
IEC 61511 1st edition
As described above, the U.S. national standard ANSI/ISA-84.00.01-2004 is the same as the international standard IEC 61511, with the addition of a grandfather clause to accommodate existing SIS installations. Several members of ISA84 are also members of the IEC 61511 committee. ISA84 has contributed a great deal of time and energy to ensure the IEC 61511 international standard meets the needs of the U.S. chemical industry. A major contribution was the introduction of LOPA to the global safety community. Since its introduction, LOPA has become a very popular tool for determining the required SIL for a SIF.
While ISA84 development of U.S. national process sector functional safety standards, and its contributions to the development of IEC 61511, have been significant achievements, an equally remarkable achievement is the development and publication of ISA84 technical reports. The technical reports provide timely (i.e., prior to maintenance of IEC 61511) guidance and examples of owner/user implementation of IEC 61511. This includes:
- tools to assist in implementing IEC 61511 requirements;
- example implementation of the full SIS safety life cycle;
- alternate methods for implementation of safety life cycle phases;
- addressing special hazardous operations (e.g., fire and gas, burner management) with regard to SIS implementation;
- addressing non-SIS protection layers; and
- addressing new technology.
The technical reports have also provided valuable technical input to the next edition of IEC 61511 due to be published in 2014. Major issues addressed by the technical reports include:
- ISA-TR84.00.02, Safety Instrumented Systems (SIS)-Safety Integrity Level (SIL) Evaluation Techniques;
- ISA-TR84.00.03, Mechanical Integrity of Safety Instrumented Systems (SIS);
- ISA-TR84.00.04 Part 1, Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod);
- ISA-TR84.00.04 Part 2, Example Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod);
- ISA-TR84.00.05, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS);
- ISA-TR84.00.06, Safety Fieldbus Design Considerations for Process Industry Sector Applications;
- ISA-TR84.00.07, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness; and
- ISA-TR91.00.02, Criticality Classification Guidelines.
The efforts outlined in this post are only as effective as the resources utilized to develop these projects. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. There is no membership fee to serve on ISA84 or any ISA standards committee, nor a requirement to be an ISA member. Your input and participation are welcomed and needed. For more information, contact Charley Robinson of ISA Standards, crobinson@isa.org.
About the Author
William Johnson is a recognized expert in all phases of the IEC 61511/ANSI safety life cycle including process hazard analysis, layer of protection analysis (LOPA), fault tree analysis, and probability of failure on demand calculations. Johnson rejoined DuPont Sustainable Solutions (DSS) following 44 years of continuous service with the DuPont Company in areas including operations technical support, process dynamic modeling, control, and safety interlock system design. He has been a leader in various aspects of Process Safety Management (PSM) at the local site, business, division, and corporate level. He is a qualified Process Hazards Analysis (PHA) leader, a qualified LOPA leader, and a qualified instructor for several PSM-related subjects. Currently chairman of ISA84, he is a U.S. expert on the international safety committees for IEC 61508 and IEC 61511. He holds a BChE from the University of Maryland and an MChE from the Stevens Institute of Technology, and is a Professional Registered Engineer in New Jersey and Delaware.
About the Author
Richard R. Dunn is a senior control systems consultant with DuPont and a member and editing chairman of the IEC 61511 Standard Committee (Functional Safety Instrumented Systems for the Process Industry Sector) maintenance team for 2nd edition development. He serves on IEC 61508 and leads ISA84 WG91 on identification of emergency shutdown systems and controls that are critical to maintaining safety in process industries. He is a CCPS book committee member on "Guidelines for Safe and Reliable Instrumented Protective Systems." He holds a BSME from Michigan Technological University, where he conducted graduate studies in control systems and manufacturing systems engineering.
About the Author
Victor J. Maggioli (1931-2016) was president of Feltronics Corp., and a retired DuPont engineer. He was an ISA Fellow and a member of ISA's Standards and Practices Board; co-Director of ISA84; a lifetime member of IEEE; member of the IEC 61508; member of the European Workshop for Industrial Computer Safety (EWICS); original committee member of IEC 61131; and convenor of IEC SC65A Maintenance Team 61511. He also served as a U.S. appointed expert to IEC SC65A on matters having to do with process sector functional safety.
A version of this article also was published at InTech magazine.