If you’re like me then you’ve been waiting for the new draft of IEC 61511 to be officially issued since its release has been delayed for some time.  However, a draft has been released and can help in preparing end users for what’s to come.  The question is “are you ready for what’s coming?”

There are several new requirements but one of the key changes from the 2003 standard is the mandatory compliance with the five (5) Functional Safety Assessments (FSAs).  Currently, all five are recommended, but only FSA 3 is required and this is commonly referred to as the “Pre-Startup Safety Check.”  The FSAs are defined as follows:

FSA 1 – conducted after the analysis phase has been completed and the SRS has been developed

FSA 2 – conducted after the SIS detailed design has been completed

FSA 3 – after the SIS has been installed and commissioned and prior to startup

FSA 4 – after gaining experience with operation and maintenance

FSA 5 – after any changes are made to the SIS and prior to decommissioning

The purpose of an FSA is to ensure that all the necessary steps within that stage of the Safety Lifecycle (SLC) have been carried out as defined; it helps reduce the likelihood of systematic failures.  The current standard specifies that at least one FSA should be conducted, and this is FSA 3.  However, if you wait until FSA 3 to carry out your first FSA, you run the risk of delaying the startup of your system if discrepancies and/or non-compliances are discovered.

In our experience, most companies do not perform all 5 FSAs, which is a shame because, if done properly, mistakes, omissions and other systematic problems can be detected early in the SLC rather than at startup, where delays can be extremely costly.  We here at exida often discover problems with the HAZOPs, LOPAs and SIL determination when performing SIL verification.  Mostly this is because the HAZOP wasn’t facilitated by a “competent” person and/or hazard scenarios were missed; the team assigned wasn’t the plant’s most experienced people; or the LOPA wasn’t performed correctly, with credit taken twice for the Operator and BPCS protection layers or with protection layers that do not meet the “Independence” requirement.

Performing an FSA after the SRS has been developed, again by a competent, independent third party, would potentially find such problems and issues.  The FSA would look specifically at whether the hazard and risk analysis has been carried out and whether any recommendations made have been addressed and/or resolved.  This would then ensure that any Safety Instrumented Functions (SIFs) required for the SIS were properly defined in terms of their functionality and their target integrity (SIL), as well as all other operating considerations needed to achieve the safe state.  If FSA 1 is not conducted but FSA 2 is, the risk is that the identified SIFs may achieve too little risk reduction or too much (i.e. their target SILs may be too low or too high), which can lead to a potentially dangerous under-design or an expensive over-design.  Also, once the SIS and its SIFs have been designed, going back to re-design them is potentially more time consuming and expensive.
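The LOPA pitfalls named above (credit taken twice for the operator and BPCS layers, layers that are not independent of the initiating event) and the under- or over-design that follows from a wrong target SIL can be caught mechanically. The following is an added example, not code from this post or from exida; the scenario, tag names, frequencies and the system labels used to test independence are all constructed, and the SIL-to-RRF bands are the usual low-demand-mode table.

```python
# SIL bands as the risk reduction factor (RRF = mitigated / target frequency)
# that a new SIF must deliver, low-demand mode.
SIL_BANDS = {1: (10, 100), 2: (100, 1000), 3: (1000, 10000), 4: (10000, 100000)}


def sil_for_rrf(rrf):
    """Smallest SIL whose band contains the RRF (0 = no SIL-rated SIF needed).
    An RRF above 100000 is reported as 4 even though it exceeds SIL 4."""
    for sil, (lo, _hi) in sorted(SIL_BANDS.items(), reverse=True):
        if rrf >= lo:
            return sil
    return 0


def lopa_gap(initiating_freq, initiator_system, ipls, target_freq):
    """Credit IPLs once each, reject non-independent ones, size the SIF gap.
    ipls: list of (name, system, pfd). A layer that runs on the same system as
    the initiating event breaks the LOPA independence rule and is not credited."""
    problems, credited, seen = [], {}, set()
    for name, system, pfd in ipls:
        if name in seen:
            problems.append(f"{name}: credited twice")
            continue
        seen.add(name)
        if system == initiator_system:
            problems.append(f"{name}: shares {system} with the initiating event")
            continue
        credited[name] = pfd
    freq = initiating_freq
    for pfd in credited.values():
        freq *= pfd
    rrf = freq / target_freq
    return {"mitigated_freq": freq, "sif_rrf": rrf, "sil": sil_for_rrf(rrf), "problems": problems}


# Constructed scenario: the BPCS level controller fails and overfills a vessel (0.1/yr).
# The submitted LOPA credits a relief valve and, twice, an operator response to a
# high-level alarm that is generated by the same BPCS.
SCENARIO = dict(initiating_freq=0.1, initiator_system="BPCS", target_freq=2e-5)
AS_SUBMITTED = [
    ("PSV-101", "mechanical", 0.01),
    ("Operator response to LAH-101", "BPCS", 0.1),
    ("Operator response to LAH-101", "BPCS", 0.1),
]

if __name__ == "__main__":
    r = lopa_gap(ipls=AS_SUBMITTED, **SCENARIO)
    print(f"as submitted: {0.1 * 0.01 * 0.1 * 0.1:.0e}/yr (appears to need no SIF)")
    print(f"corrected: {r['mitigated_freq']:.0e}/yr, SIF RRF {r['sif_rrf']:.0f} -> SIL {r['sil']}")
    print("problems:", *r["problems"], sep="\n  ")
```

With the two invalid credits removed the scenario still needs a SIL 1 SIF, whereas the sheet as submitted implied no SIF at all.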

There’s an old adage known as the 20, 20, 20 rule for system design: it takes 20 weeks to design, 20 months to implement, and then the system spends 20 years in operation.  If we look at the SLC, the Operations and Maintenance phase is shown as one box (Clause 16), but this is where the SIS will spend over 90% of its time.

The IEC 61511 standard is different from previous standards since it is non-prescriptive and is based upon performance around a safety lifecycle (i.e. it tells you what you need to do but not how to do it).  In this respect, the standard specifies that the end user should periodically assess the performance of its SIS, which means that keeping good maintenance records, undertaking proof tests at the correct interval according to the SRS, recording real and unintended (spurious) trips, failures, repair times, etc. is very important.  The intent of FSA 4 is to ensure that the safety, operating, maintenance and emergency procedures pertaining to the SIS are in place and being followed; personnel are competent, adequate records are being kept and field failure data is available and used to verify the relevant SIFs still achieve their target integrity level (i.e. their PFDavg or PFH has not changed).
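As an added example (not the post's or exida's code) of the FSA 4 check just described: it re-estimates lambda_DU from constructed maintenance records, recomputes PFDavg with the simplified 1oo1 approximation, compares the result with the SRS design assumption and target SIL, and works out the proof-test interval that would be needed to stay in the target band. The device count, years in service, proof-test interval and design failure rate are assumed values.

```python
HOURS_PER_YEAR = 8760
# PFDavg bands for low-demand mode: SIL -> (lower, upper) limit
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Constructed maintenance records for one SIF's pressure transmitters:
# (tag, date, event). Only dangerous undetected failures found at proof test
# feed the PFDavg estimate; spurious trips are counted separately.
RECORDS = [
    ("PT-201", "2021-03-02", "spurious_trip"),
    ("PT-202", "2021-09-14", "dangerous_undetected"),
    ("PT-203", "2022-03-01", "proof_test_pass"),
    ("PT-201", "2022-09-20", "dangerous_undetected"),
    ("PT-204", "2023-01-11", "dangerous_undetected"),
]

def lambda_du_from_field(records, n_devices, years_in_service):
    """Point estimate of lambda_DU per hour: DU failures / accumulated device-hours."""
    failures = sum(1 for _, _, ev in records if ev == "dangerous_undetected")
    return failures / (n_devices * years_in_service * HOURS_PER_YEAR)

def pfd_avg_1oo1(lambda_du, ti_years):
    """Simplified 1oo1 approximation PFDavg ~ lambda_DU * TI / 2 (no common cause, no repair terms)."""
    return lambda_du * ti_years * HOURS_PER_YEAR / 2

def sil_achieved(pfd_avg):
    """Highest SIL band whose upper limit the PFDavg stays below (0 = none)."""
    for sil, (_lo, hi) in sorted(PFD_BANDS.items(), reverse=True):
        if pfd_avg < hi:
            return sil
    return 0

def max_proof_test_interval(lambda_du, target_sil):
    """Interval (years) at which this 1oo1 PFDavg reaches the target band's upper limit;
    the interval written into the SRS must be shorter than this."""
    return 2 * PFD_BANDS[target_sil][1] / lambda_du / HOURS_PER_YEAR

def fsa4_check(records, n_devices, years, ti_years, design_lambda_du, target_sil):
    """Compare the field-derived PFDavg with the SRS design assumption and target SIL."""
    lam = lambda_du_from_field(records, n_devices, years)
    pfd = pfd_avg_1oo1(lam, ti_years)
    return {
        "lambda_du": lam, "pfd_avg": pfd, "sil": sil_achieved(pfd),
        "meets_target": sil_achieved(pfd) >= target_sil,
        "worse_than_design": lam > design_lambda_du,
        "spurious_trips": sum(1 for _, _, ev in records if ev == "spurious_trip"),
    }

if __name__ == "__main__":  # assumed: 20 devices, 4 years, yearly proof test, design lambda_DU 1.5e-6/h
    print(fsa4_check(RECORDS, 20, 4, 1, 1.5e-6, 2))
```

For the assumed fleet the field rate is almost three times the design figure, the SIF has slipped from SIL 2 to SIL 1 at the yearly proof-test interval, and the interval would have to drop below about six months to get back into the SIL 2 band.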

FSA 5 is intended to ensure that any proposed changes to the SIS and its SIFs are properly evaluated by a competent person to determine whether there will be any impact on safety and, if so, to return to the appropriate stage in the SLC.  This may mean returning to the Hazard Analysis phase.

Therefore, the question “are you ready for what’s coming?” is relevant since this is what will be expected.

Tagged as: Steve Gandy, Safety Lifecycle, PFDavg, LOPA, IEC 61511, HAZOP
