Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable?

Transcription

1 Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable? Michael Scott, PE, CFSE Exec VP - Global Process Safety Technology aesolutions Carolyn Presgraves, CFSP Senior Director of Software Products aesolutions KEYWORDS Safety Instrumented System, SIS, Safety Integrity Level, SIL, Safety Lifecycle, Database, ANSI/ISA 84, IEC61511, Process Hazards Analysis (PHA), Layer of Protection Analysis (LOPA), SIS Grandfathering, Leading / Lagging Indicators ABSTRACT IEC61511: Functional Safety Safety Instrumented Systems for the Process Industry Sector mandates end users comply with a performance based approach to managing risks to personnel and / or the environment through adoption of the safety lifecycle. Simplistically, the safety lifecycle embodies a three-step methodology to overall risk management, which can be summarized as follows: 1. Execute safety lifecycle documentation 2. Monitor leading/lagging process safety indicators 3. Sustain safe unit operations through corrective actions While the concept of execute, monitor and sustain seems straightforward, for a variety of reasons, most companies who have committed to the IEC61511 journey, are solely focused on the execution of safety lifecycle documentation. This myopic approach will result in their failure to realize the full benefits to their organization of a cost effective risk management program. In addition, without development of a holistic multi-year plan for safety lifecycle compliance, end user companies can expect to incur significant regret costs and schedule delays as they attempt to change the safety culture of their organization around adoption of IEC61511.

2 This paper will draw upon insight and more importantly critical lessons learned through the actual application of the safety lifecycle and from initial grandfathering through operations and maintenance ownership associated with numerous clients since aesolutions formation in A proven roadmap for efficient and cost effective safety lifecycle compliance and risk management will be defined, which emphasizes the use of an evergreen work process to support the concepts of execute, monitor and sustain. INTRODUCTION Compliance with the safety lifecycle at an existing facility can best be described as a journey. When an entire business unit desires to achieve compliance with the safety lifecycle, that journey can seem overwhelming. However, this need not be the case. To successfully reach the finish line of this journey, one simply needs to complete five tasks as noted below: Testing Capital Projects SIS Grandfathering Documentation Organizational Readiness Evergreen Execution These five steps have not been numbered. This is because within a given company many plant sites or even unit operations at the same plant site may have already started the safety lifecycle journey. Therefore, an assessment is typically required to determine the appropriate execution order based upon state of the union at each site or even unit operation. Thus, while the starting point may vary, the ending point is identical in all cases. All five tasks must be mastered at the end of the safety lifecycle journey to ensure cost effective compliance. This should be clear to the reader by the end of this paper but, to emphasize this point, consider these questions. If the company does not track the test results of its Safety Instrumented Functions, how is it selecting failure rate data for these instruments that represent their maintenance practices and clean or dirty service? If the company is not ensuring all capital projects are following an effective SIS workflow, how is it ensuring each new project does not upset the risk management status of the facility or business unit? An ineffective approach to the SIS execution requirements for capital projects also introduces regret costs by allowing the investment in initial SIS documentation for the project to be lost when the installed system is transferred to operations. If the company is not associating corrective work orders with potential worst case consequences (i.e. let s say a potential fatality), how does one ensure the pressure transmitter taps that plug on a monthly basis are correctly prioritized with regard to all other routine maintenance activities. Without the consequence association, how can one ensure a corrective action plan is implemented in a timely fashion to address the plugging

3 issue, as opposed to simply clearing the taps month after month when the problem arises again? If the company is not associating demands on SIFs as a potential near miss with potential worst case consequences (i.e. let s say a potential fatality), how does one ensure the pressure regulator that failed 3 times in the last year (versus the once every 10 year failure assumed in the risk analysis) is correctly prioritized with regard to all other routine maintenance activities? Thus, ensuring a corrective action plan is implemented in a timely fashion to address the regulator failure root cause instead of simply implementing a replacement in kind. The true benefit of the safety lifecycle is to raise awareness of bad acting protection layers whose unavailability poses a risk to the organization. In many instances, it is difficult prior to implementation of the safety lifecycle to recognize these bad actors. By making the invisible visible, we can significantly influence the process safety performance of a corporation. In addition to clarifying the tasks required to successfully complete the safety lifecycle journey, aesolutions has developed a proven roadmap on how to: Perform a site assessment against the five required tasks Develop a multi-year cost effective compliance program Utilize safety lifecycle software tools to simplify maintenance of process safety related documentation in an evergreen fashion Realize the benefits of leading / lagging indicators early in the program to improve the process safety performance of the facility / corporation One of the key findings is that without a proper roadmap, the spend on process safety related activities is not leveraged to its best benefit. Many of these activities need to be invested in due to compliance issues. The key question is will they be invested in and delivered in a format supporting ongoing use of the investment, or will it be a cost used to check a box in an audit or compliance log, but not used to increase improve the process safety performance of the facility and / or corporation. EXECUTE, MONITOR AND SUSTAIN The safety lifecycle can be restated simply through the concept of 1. Execute safety lifecycle documentation 2. Monitor leading/lagging process safety indicators 3. Sustain safe unit operations through corrective actions To readily achieve the above objectives, one needs to begin the journey of ensuring the five tasks noted below complement one another. Testing Capital Projects

4 SIS Grandfathering Documentation Organizational Readiness Evergreen Execution Each of these tasks will be described in more detail below. TESTING The safety lifecycle mandates that all instrumentation associated with a Safety Instrumented Function (SIF) be tested. Refer to: IEC Part 1 section The calculated probability of failure of each safety instrumented function due to hardware failures shall take into account: e) the diagnostic coverage of any periodic diagnostic tests (determined according to IEC ANSI/ISA Part 2 (IEC Mod) the associated diagnostic test interval and the reliability for the diagnostic facilities; f) the intervals at which proof tests are undertaken; The premise behind this requirement being dangerous undetected failures can only be found through testing or with an actual real world demand. Thus, by testing frequently enough we hope to uncover dangerous undetected failures before a real world demand discovers the unavailable SIF. Thus, it is our desire to keep all of our protection layers properly functioning at the assumed performance level included in the risk analysis. In this manner, we are keeping our risk to acceptable levels per the corporate targets, as well as, being a good steward to the employees, environment and shareholders. The IEC61511 also mandates that one collect and calculate failure rate data that is specific to a given installation, process conditions and maintenance practices. Refer to: IEC Part 1 section Procedures shall be implemented to evaluate the performance of the safety instrumented system against its safety requirements including procedures for: assessing whether dangerous failure rates of the safety instrumented system are in accordance with those assumed during the design; NOTE 1 Dangerous failures are revealed by means of proof testing, diagnostics or failure to operate on demand. Collection of statistically valid failure rate data could take years depending on the number of instruments with like manufacturer, model #, installation specifics, process conditions, and maintenance practices. As such, testing and collection of failure rate data should be one of the tasks begun early in the journey for safety lifecycle compliance. This will allow for establishment of an approved vendors list and prior use justification for said instrumentation. Refer to:

5 IEC Part 1 section Requirements for the selection of components and subsystems based on prior use Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system The evidence of suitability shall include the following: demonstration of the performance of the components or subsystems in similar operating profiles and physical environments; the volume of the operating experience. NOTE For field devices, information relating to operating experience is mainly recorded in the user s list of equipment approved for use in their facilities, based on an extensive history of successful performance in safety and non-safety applications, and on the elimination of equipment not performing in a satisfactory manner. The list of field devices may be used to support claims of experience in operation, provided that - the list is updated and monitored regularly; - field devices are only added when sufficient operating experience has been obtained; - field devices are removed when they show a history of not performing in a satisfactory manner; - the process application is included in the list where relevant. Testing is considered part of the monitor phase of safety lifecycle compliance. CAPITAL PROJECTS At a certain point in the safety life cycle compliance journey, a company will issue an edict that all capital projects from this time forth shall be compliant with IEC The rationale behind this statement is obvious. Eventually one desires capital projects begin to close IEC61511 compliance gaps and more importantly not create any new gaps. This sounds simplistic, but it is often problematic for most companies as IEC61511 work activities are not firmly engraved in the corporation s capital project execution workflow. This typically results in a learning curve and some initial regret costs, while changes are defined and adopted by the organization. Lack of SIS competency within the Engineering Procurement & Construction (EPCs) contractors and even some Safety PLC manufacturer s increases the severity of the learning curve and regret costs. This issue is further complicated by the types of capital projects that exist within a corporation. For instance, capital projects can be generically described as follows: Small projects executed by facility engineering Medium projects executed by an EPC with a support contract that runs for X years

6 Large projects executed by an EPC selected as part of the bidding process In most instances, the management team and team members are different for each of the three project groups above. This implies different priorities and rules of engagement. Thus, when issuing the edict that all capital projects be compliant with IEC61511, one needs to recognize the strengths and weaknesses of the various capital project execution groups within an organization. Again the concept of a journey is emphasized as most companies adopt an approach where the large projects are brought into compliance first, then the medium projects, and finally small projects. Depending upon the size of the organization, this could once again be an exercise lasting several years. IEC61511 mandates two tasks that are invaluable to capital project execution. The first is creation of the Safety Lifecycle Plan, and the second is execution of Functional Safety Assessments. IEC Part 1 section For all safety life-cycle phases, safety planning shall take place to define the criteria, techniques, measures and procedures to ensure that the SIS safety requirements are achieved for all relevant modes of the process; this includes both function and safety integrity requirements; ensure proper installation and commissioning of the safety instrumented system; ensure the safety integrity of the safety instrumented functions after installation; maintain the safety integrity during operation (for example, proof testing and failure analysis); manage the process hazards during maintenance activities on the safety instrumented system. IEC Part 1 section Functional safety assessment A procedure shall be defined and executed for a functional safety assessment in such a way that a judgment can be made as to the functional safety and safety integrity achieved by the safety instrumented system. The procedure shall require that an assessment team be appointed which includes the technical, application and operations expertise needed for the particular installation. Ensuring capital projects consistently deliver safety lifecycle compliant solutions is usually seen as an easy step and most companies begin tackling at least the large projects early in the safety lifecycle journey. Getting small projects to consistently deliver safety lifecycle compliant solutions is often deemed harder and is tackled later in the journey. The Safety Lifecycle Plan should assess competency of key team members on the project. Thus, if completed early in the project, competency issues can be identified, training programs and / or mentorships established to increase the integrity of the project team. In a similar manner, the Functional Safety Assessment will also review competency of the key team members, as well as, the validity of the PHA / LOPA and associated SIS documentation. Thus, by conducting Stage

7 1, 2 and 3 FSAs individually throughout the project, one can minimize far-reaching FSA findings that could derail the project from a budget and / or schedule standpoint. Capital project execution is considered part of the execution phase of safety lifecycle compliance. However, it must also deliver data automation to support generation of leading indicators that are critical in the monitor phase of the safety lifecycle. SIS GRANDFATHERING DOCUMENTATION Most companies start with the SIS Grandfathering Documentation as their first step on the safety lifecycle compliance journey. Many of the other tasks in the compliance journey described herein seem overwhelming and as such, the company simply wants to access IEC61511 gaps and begin planning for gap closure. SIS Grandfathering Documentation as defined in this paper consists of: 1. Conducting a PHA / LOPA 2. Selecting initial SILs for identified SIFs 3. Completion of an initial Safety Requirements Specification with C&E s 4. Completion of initial SIL Verification Calculations 5. Completion of initial Functional Test Plans Thus, one has baseline documentation in hand identifying how their existing installations fare against the requirements of IEC Gaps in compliance are identified and plans for gap closure via capital projects or other means can be formulated and implemented. This effort is often quite laborious at a brownfield installation. Often, it is tied to the existing PHA / LOPA revalidation cycle. Which, if a company is following a typical five-year PHA / LOPA revalidation cycle, could take longer than five years to establish the compliance baseline and then develop the subsequent gap closure mechanisms. The difficultly in execution of this task is that one needs to be able to easily assess baseline SIS Grandfathering Documentation gaps and simultaneously keep track of capital project changes / impacts to SIFs during this grandfathering time period. Failure to easily assimilate capital project modifications into the SIS Grandfathering Documentation will result in regret costs and possibly delay funding of future gap closure activities. Consider the following scenarios: A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering Documentation was completed on both trains. One compressor fails and the corporation makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need to be tested, performance tracked, and the I/O count for a new Safety PLC for the unit can be reduced reflective of the obsolete compressor train. In addition, these SIFs need to be deleted from the applicable safety lifecycle documentation. PHA made a recommendation to install redundant relief valves instead of multiple SIFs associated with overpressure of multiple vessels tied to the flare. When process

8 engineering completed their review of the installation and preliminary PSV calculations, it was determined that the second PSV was not feasible due to flare header sizing concerns and possible back pressure issues. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the requirement for multiple new SIFs and their associated I/O count added to the potential new safety PLC project. A small capital project changes three switches to transmitters, on three different SIFs. Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the additions, deletions and modification requirements for these SIFs and the adjusted I/O count reflected in potential new safety PLC project. All of the changes (small, medium and large) that occur in a brownfield facility over the course of the initial five years baseline development have the potential to create obsolete and stagnant SIS Grandfathering Documentation. This is especially true when one recognizes that these changes are occurring in parallel with the initial SIS Grandfathering Documentation efforts themselves. A safety lifecycle software tool to manage the SIS Grandfathering Documentation via a management of change work process is critical to success of this task. SIS Grandfather Documentation execution is considered part of the execution phase of safety lifecycle compliance. ORGANIZATIONAL READINESS With regards to this paper, organizational readiness refers to people whose job description includes references to maintaining compliance with the safety lifecycle. This implies job descriptions have been modified, training programs developed, corporate SIS procedures issued, and management at the top of the corporation is supportive of safety lifecycle compliance. Again, this sounds straightforward; however, this requires changes in the organization, which may be met with resistance. To further complicate the issue of organizational readiness is the fact that multiple groups within the organization need to align for this effort to be successful. For instance, let us assume the company is structured as follows: Operations tasked with developing and implementing a day to day operations strategy for running the facility safely with overarching production goals for sellable product Maintenance tasked with developing and implementing a day to day maintenance strategy that supports operations in a safe manner Process Safety functions in a support and auditing role to ensure operations and maintenance activities are safe Facility Engineering supports day to day trouble shooting of the plant and small projects Site Projects supports medium projects to increase production or significantly debottleneck a unit

9 Capital Projects supports large projects to increase production, significantly debottleneck a unit and design a new facility For the five tasks to be successfully implemented within an organization, all of the above groups must align to deliver a sustainable process safety culture. This culture has to be driven from the top of the organization downward throughout the various groups. As one reflects on his or her own organization, it is probably obvious that this cultural alignment may be slow to gain momentum. Once again, this could be a multi-year effort and should be factored into the overall planning for safety lifecycle compliance. Without personnel in the organization that are accountable for delivering a sustainable safety lifecycle process, the full benefits will not be realized. Organizational readiness execution is considered part of the execution, monitor and sustain phases of safety lifecycle compliance. As competent personnel are required throughout the organization to support these activities. EVERGREEN EXECUTION The concept of evergreen documentation associated with the safety lifecycle is critically important, however most companies do not even realize this is an issue they should be addressing. To better understand the concept of evergreen, let us consider the example from above: A facility has dual compressor trains and is thirty years old. Initial SIS Grandfathering Documentation was completed on both trains. One compressor fails and the corporation makes an economic decision not to replace the failed train. Thus, ten SIFs no longer need to be tested, performance tracked and the I/O count for a new Safety PLC for the unit can be reduced reflective of the obsolete compressor train. In addition, these SIFs need to be deleted from the applicable safety lifecycle documentation. PHA made a recommendation to install redundant relief valves instead of multiple SIFs associated with overpressure of multiple vessels tied to the flare. When process engineering completed their review of the installation and preliminary PSV calculations, it was determined that the second PSV was not feasible due to flare header sizing concerns and possible back pressure issues. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the requirement for multiple new SIFs and their associated I/O count added to the potential new safety PLC project. Small capital project changes three switches to transmitters, on three different SIFs. Another small project adds two new SIFs and deletes four SIFs. Thus, the initial SIS Grandfathering Documentation needs to be updated to reflect the additions, deletions and modification requirements for these SIFs and the adjusted I/O count reflected in potential new safety PLC project.

10 Therefore, the facility in question completes the initial PHA / LOPA from scratch at time zero. The first project is as-built 6 months afterward, the second project as-built 9 months afterward and the final project is as-built 1 year later. What instrumentation needs to be included in the testing program 1 year after the initial base line PHA / LOPA has been executed? If one of the projects increased occupancy in the unit, what is the risk of bypassing PT-101? What SIF architectures need to be included in the SRS and associated SIL Calcs? Have we added or deleted Safety Rated Alarms? Have we changed set points with potential impacts to process safety time and overall safety operating limits for a piece of equipment? Given day-to-day changes that occur at a facility, it is imperative that an evergreen approach to the PHA / LOPA is adopted. With the PHA / LOPA maintained in an evergreen fashion, the normal typical Management of Change (MoC) process would ensure the associated changes to downstream deliverables would be maintained just like P&ID s are today. Maintaining the PHA / LOPA in an evergreen fashion can be readily achieved with new safety lifecycle software tools now available in the marketplace. Prior to the existence of these new safety lifecycle software tools, it was extremely difficult to maintain an evergreen PHA / LOPA, and as such, most companies did even attempt this approach. Another issue facing the use of the PHA / LOPA results to drive the facilities mechanical integrity program is the qualitative process used to access risk. This problem can be readily rectified and will be the subject of future papers. However, it will require the process safety organization and industry itself to recognize the need for change. Evergreen execution is considered part of the sustain phase of safety lifecycle compliance. PROCESS SAFETY ROADMAP To cost effectively tackle the five tasks noted below an overall roadmap for success needs to defined. Testing Capital Projects SIS Grandfathering Documentation Organizational Readiness Evergreen Execution This proven roadmap embodies how to: Perform a site assessment against the five required tasks Develop a multi-year cost effective compliance program

11 Utilize safety lifecycle software tools to simply maintenance of process safety related documentation in an evergreen fashion Realize the benefits of leading / lagging indicators early in the program to improve the process safety performance of the facility / corporation Each of these roadmap steps will be described in more detail below. SITE ASSESSMENT The best approach to determine where to start, or more typical what is the most efficient means to finish, the safety lifecycle compliance journey is to conduct a detailed site assessment. This assessment is comprised of documentation reviews, corporate and local site policy / procedure reviews, personnel competency interviews and walk down of SIFs at the site itself. It will document current work practices related to the safety lifecycle. It will also document a data flow diagram noting sources and quality of data required to support automation of the safety lifecycle. The assessment focuses on each of the five tasks: Testing Capital Projects SIS Grandfathering Documentation Organizational Readiness Evergreen Execution Each of these five tasks will be reviewed and assigned a grade of 0 to 100%. Short term, medium term and longer-term action plans will be created for each tasks. Thus, a site specific and / or overall business unit specific execution plan can be generated to ensure cost effective and efficient safety lifecycle compliance. Figure 1 below is an example on how one can depict the site assessment results graphically.

12 Figure 1 Typical Results of Site Assessment Site assessment execution is considered part of the execution phase of safety lifecycle compliance. PLANNING Once the site assessment has been completed, a multi-year plan can be systematically laid out that takes into account staffing, training, and workflow / work process coordination with the overarching goal of minimizing regret costs, while efficiently finishing the safety lifecycle compliance journey. Based upon site best practices, existing status of documentation and data, and current initiatives, unique plans may be required for different sites within a business unit as a whole. However, with a sound execution plan that recognizes the unique interactions between the five tasks, the initially overwhelming concept of safety lifecycle compliance can now be reduced simply to a project management issue. Assuming organizational support from the top down, safety lifecycle compliance should now be readily obtainable via a systematic approach that eats the elephant one bite at a time. Thus, through planning a very complex process can be broken down into small and readily measurable, and achievable, steps. The most important concept to recognize regardless of the site assessment results is that the scheduling of the five tasks is a finish-to-finish effort. The individual tasks may have initial staggered starts, but all tasks must finish together to minimize regret costs. Figure 2 below is a

13 sample milestone schedule that highlights the finish-to-finish requirements. Failure to recognize and address this fundamental scheduling issue in an organization could result in a never ending cycle of chasing ones tail in an effort to achieve steady state compliance with the safety lifecycle. Figure 2 High Level Milestone Schedule for Finishing the Safety Lifecycle Journey Planning execution is considered part of the execution phase of safety lifecycle compliance. LEADING / LAGGING INDICATORS Generation of meaningful leading / lagging indicators is ultimately how the compliance with the safety lifecycle increases the process safety performance of a facility and eventually the entire process industry. With measurement, one can now track performance versus requirements. It is through this cycle of monitoring and sustaining the facility via offensive instead of defensive corrective actions that truly positive changes can occur. The invisible becomes visible and more importantly actionable. The process industry has recognized the requirements for leading / lagging indicators through issuance of the Baker Report following the BP Texas City event, issuance of API 754 and ISA TR annex R. The UK s Health Safety Executive (HSE) has published guidance on benefits and requirements for leading / lagging indicators and so on and so on. So with the process industry recognizing the need for leading / lagging indicators, why is their use not common place? The answer is the data required to be measured is often scattered in multiple sources (some electronic and some in paper format only) within an organization and this data is

14 not typically readily usable as it stands today. This is further complicated, as discussed in the Organizational Readiness section, by the fact that multiple groups, working in distinct silos and often using different toolsets, are each responsible for pieces of the big picture. Thus, the greatest benefit of safety lifecycle compliance journey is typically the last step most companies undertake. With the generation of new safety lifecycle software tools and implementation of the compliance roadmap contained herein, generation of meaningful leading / lagging indicators is relatively straightforward. In fact depending on the site planning meaningful leading / lagging indicators can be generated very early in the compliance journey. Thus, one does not necessarily need to wait for years before compliance benefits can be measured. As an example, consider the following: PHA / LOPA assumes a pressure regulator fails once every ten years with a potential to rupture a vessel with a possibility for a vapor cloud explosion with potential fatalities. Actual demand tracking has indicated the pressure regulator has failed 3 times in the last 3 years. A SIF has been installed to protect the above vessel against pressure regulator failure. It consists of a pressure transmitter, safety PLC and on/off block valve. The SIL Verification calculations assumed the SIF would be tested annually. However, it has been 24 months and the SIF has not been tested. Bypass criteria has been established for the same SIF and was selected as 72 hours. By reviewing and aggregating bypass records, it is shown the over the last 3 years the SIF has been bypassed 12 times for a total of 300 hours. Generic data, which assumed a dangerous undetected failure rate of once every 50 years, was used in the initial SIL Verification calculation for the transmitter in the above SIF. Real world testing has yielded an actual failure rate of once every 5 years. Each of the four bullets above indicate potential problems with the performance of the SIF in question. By associating these issues to their PHA / LOPA scenario (i.e. potential fatality) such that the importance of this SIF being available is clearly demonstrated to operations, we can now ensure that resolution of these bad actor events is now prioritized above other day to day issues that occur. Thus, corrective work orders can be generated and aggressively worked to ensure the SIF performance is in line with the risk analysis assumptions. Using the risk based approach contained in the safety lifecycle, we have now positioned the facility to identify bad actors and correct them before a loss of containment event occurs. In many instances in the past, the above four bullets would be lost in the noise of multitudes of other bad actor events that occur on a daily basis. The multitudes of other noise contains events that impact product quality, commercial impacts to equipment, etc. plus a smaller scattering of events, which if ignored could lead to loss of containment. Thus, much the same way alarm rationalization assigns alarm priorities to communicate to operations the order of responding to alarms, process safety leading / lagging indicators allow operations and maintenance to prioritize resolution of possible loss of containment bad actors. Identification of process safety bad actors in the past might only have occurred as a result of a root cause analysis following a near miss or loss of containment event. This is where the invisible becomes visible and more importantly actionable.

15 Figure 3 Typical Leading / Lagging Indicator Dashboard Leading / Lagging Indicator execution is considered part of the monitor and sustain phases of safety lifecycle compliance. SAFETY LIFECYCLE SOFTWARE TOOLS The fundamental key to safety lifecycle compliance is it must be simple to maintain. This implies existing staff with training and awareness can readily maintain the safety lifecycle documentation in an evergreen fashion once the program is up and running. Note, it is assumed that outside assistance by a specialty process safety engineering firm is typically required to support the organization with execution of the initial site assessment, planning and starting the five tasks noted below: Testing Capital Projects SIS Grandfathering Documentation Organizational Readiness Evergreen Execution The reason being most corporations do not have the expertise and / or available labor to set up the safety lifecycle compliance program. Without safety lifecycle software tools that have been specifically designed to handle the work process contained in this paper, there will be nothing simple about the safety lifecycle compliance journey. Key functionality that is mandatory in the safety lifecycle software tools is as follows: Enterprise level tool Evergreen PHA / LOPA with ability to support multiple concurrent projects

16 PHA / LOPA results fed directly into SIS engine Evergreen SIS engine with ability to support multiple concurrent projects Evergreen SIS engine to generate all SIS documentation SIL Verification Calculations, Safety Requirements Specification, C&E s, Functional Test Plans, Protection Layer Requirements Specification, Protection Layer Test Plans Evergreen Gap Tracking module Override Risk Assessment Module tied to PHA / LOPA and SIL Verification Calculations Generation Leading / Lagging Indicators that expand / collapse as you move through the enterprise At the time of the writing of this paper, the authors are aware of at least one set of safety lifecycle software tools that meets all of the above criteria. Thus, simple safety lifecycle compliance is now readily available in the marketplace today. Here are some examples of why a comprehensive tool as described above is required: 1. While walking down P&ID s, it was discovered that an instrument tag # for a pressure transmitter was incorrect. If this change can be made in one place (i.e. the PHA) and then its use is automatically corrected in all downstream documentation (LOPA, SIL Calc, SRS, C&E, Functional Test Plan, etc. it would be simple to maintain. 2. The corporation changes the tolerable risk criteria associated with its risk matrix. If this change can be made in one place (i.e. the PHA) and then its use is automated corrected in all downstream documentation (LOPA, SIL Calc, SRS, C&E, Functional Test Plan, etc. it would be simple to maintain. 3. Failure data has been collected for a given family of pressure transmitters and a new dangerous undetected failure rate calculated that takes into account process service, installation specifics, make / model and maintenance practices. If the new failure rate data could be assigned in one place (i.e. the SIS engine) and the 500 SIL Calculations that use this type of pressure transmitter automatically updated, it would be simple to maintain. Safety Lifecycle Software tools are critical and considered part of the execution, monitor and sustain phases of safety lifecycle compliance. CONCLUSION Through living and breathing safety lifecycle compliance with numerous end user companies since aesolutions formation in 1998, we have developed a proven and simplified approach to cost effectively meeting the requirements of IEC61511: Functional Safety Safety Instrumented Systems for the Process Industry Sector. The roadmap as defined herein is as follows: 1. Conduct a site assessment focusing on the following five tasks:

17 Testing Capital Projects SIS Grandfathering Documentation Organizational Readiness Evergreen Execution 2. Complete planning of a multi-year compliance program based upon the site assessment results 3. Obtain a safety lifecycle software tool that meets the requirements contained in this paper 4. Begin a finish to finish project execution of the five tasks noted step 1 By adopting this roadmap one can cost effectively realize the benefits of the safety lifecycle, which can be summarized as follows: 1. Execute safety lifecycle documentation 2. Monitor leading process safety indicators 3. Sustain safe unit operations through corrective actions The purpose of IEC61511 is to ensure assumptions made in the risk analysis regarding availability of protection layers matches the actual real world performance as witnessed in the field. This real world data can also be leveraged increase availability of the process unit as a whole and make positive impacts on production itself. DISCLAIMER Although it is believed that the information in this paper is factual, no warranty or representation, expressed or implied, is made with respect to any or all of the content thereof, and no legal responsibility is assumed therefore. The examples shown are simply for illustration, and, as such, do not necessarily represent any company s guidelines. The reader should use data, methodology, formulas, and guidelines that are appropriate for their own particular situation. REFERENCES 1. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Safety-related Systems, Part 1-7, Geneva: International Electrotechnical Commission, IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1-3, Geneva: International Electrotechnical Commission, HSEG254, Developing Process Safety Indicators, Health Safety Executive, 2006

18 4. COMAH, Control of Major Accident Hazards, Process safety performance indicators, Health Safety Executive, API 754, Process Safety Performance Indicators for the Refining and Petrochemical Industries, American Petroleum Institute, ISA TR Part , Guidelines for the Implementation of ANSI/ISA (IEC Mod), International Society of Automation, 2011 ABBREVIATIONS AND DEFINITIONS API EPC HES IEC ISA LOPA PFDavg PHA RRF SIF SIL SIS American Petroleum Institute Engineering Procurement Construction Health Safety Executive International Electrotechnical Commission Internal Society of Automation Layer of Protection Analysis Average Probability of Failure on Demand Process Hazard Analysis Risk Reduction Factor Safety Instrumented Function Safety Integrity Level Safety Instrumented System