Functional Safety Delivery - GSE Systems

Functional Safety Delivery

Five areas of focus


Introduction

Owning and operating hazardous process plants, particularly those that fall under the COMAH [1] regulations, requires compliance with a number of regulations, standards, and associated guidance documents.

Health, safety, and environmental (HS&E), operational and engineering managers are responsible for COMAH compliance and for submitting COMAH Safety Reports. COMAH reports require evidence that your systems are compliant, and that they are managed, tested, and maintained correctly. If you are unable to demonstrate compliance, the Competent Authority [2] (CA) is likely to increase monitoring and intervene more frequently at your site, increasing the time and money you spend on demonstrating robust management systems.

The new Electrical, Control and Instrumentation (EC&I) operational delivery guide produced by the CA describes the approach that it follows for inspecting EC&I systems at COMAH establishments. This guide specifies the benchmark standards used to assess the management of risks by the operators of COMAH sites.

Schedule 4 of the regulations specifically references the need to provide sufficient information to the CA to demonstrate your compliance with the regulations. This includes design, construction, operation and maintenance of equipment linked to major accident hazards. Failure to demonstrate compliance can lead to an improvement notice, a prohibition notice, or prosecution.

Three priority topics for EC&I systems are covered:

• Functional Safety

• Explosive Atmospheres (Hazardous Areas)

• Electrical Systems

In this paper, we will focus on the Functional Safety topic, with an overview of the five main elements of a robust, compliant approach:

1. The Safety Lifecycle

2. Hazard Identification and Quantification

3. Engineering and Design

4. Commissioning, Operation and Maintenance

5. Competence

For further information on the COMAH regulations more broadly, read our Guide to Achieving and Maintaining COMAH Compliance.

More details of the regulations themselves can be found on the links below:

http://www.hse.gov.uk/eci/index.htm

http://www.legislation.gov.uk/uksi/1999/743/contents/made

[1] Control of Major Accident Hazards

[2] COMAH is enforced in Great Britain by the competent authority, comprising a number of public bodies including the Environment Agency (EA), the Scottish Environmental Protection Agency (SEPA), Natural Resources Wales (NRW) and the Health & Safety Executive (HSE).

Functional Safety – Scope and Definition

Competent Authority inspections for Functional Safety are concerned with the management, design, installation, operation and maintenance of instrumented process safety systems that reduce the risk of a major accident. The benchmark standard for these activities is given in BS EN 61511 Functional safety - Safety instrumented systems for the process industry sector.

Often, companies focus on identifying the required Safety Integrity Levels (SIL) and designing systems with appropriate Safety Instrumented Functions (SIFs) to achieve the required level of risk reduction.

The SIF is only one of several layers of protection, however. Other systems also play a key role in achieving the overall risk reduction requirements. The process control system, when it is working optimally, will respond and maintain a safe and efficient operating envelope for the process plant or unit. A failure of this system will lead to a demand on the next layer – perhaps the process alarm.

The operator needs to respond to the alarm in a timely manner to mitigate the escalation of the event. Failure or inability to do this will lead to a demand on the next layer, the SIF. All of these affect the demand frequency and required risk reduction of the SIF.

Other protection layers, such as mechanical devices (e.g., relief valves) can also be included in the risk quantification. Mitigation layers, like bunds, are an important element of many plant safety strategies, but these are not normally included in the quantification of risk, as they serve only to reduce the impact of a hazard once it has occurred.


1. The Safety Lifecycle

IEC 61508 and 61511 describe the overall functional safety lifecycle from concept, through hazard analysis, requirements, realisation and operation to end of life decommissioning.

Safety Requirement Specification

A key foundation of functional safety is the Safety Requirement Specification (SRS). Although this comes after hazard analysis in the standard lifecycle model, companies should begin the development of the SRS at the concept stage, and build its detail as their scope and hazard assessments progress.

The standards give detailed requirements for the SRS, but companies have considerable freedom to determine how it will be delivered. The most appropriate form will depend on the organisation’s existing systems for documentation, but the CA will want to see that the organisation has a clear and consistently applied SRS. For this reason, it is good practice to create a single document containing all the core information with appropriate mapping to other managed documents. For example, the SRS will contain details of all current SIFs, including a demonstration of the risk reduction achieved. The SIL demonstration calculations may be kept in a separate system, provided it is easy for the CA to follow the full audit trail. It can also be useful to provide a link back to the main process hazard tables to identify the hazard basis for each SIF used in the plant.

The SRS in engineering and design

At system design stage, the SRS sets out base requirements, including acceptable spurious trip rates and operational constraints such as the frequency of shutdown testing or differences between process streams. It also details the approach required for manual shutdowns, emergency stops, overrides, operator resets and any allowable auto-resets. The SRS should also set out the requirements for system testing, including proof test intervals and the process conditions required for these.

Documenting these requirements in the SRS helps ensure that the design and delivery of the Safety Instrumented System (SIS) and its functions will be consistent and comprehensive. That design will also need to include related safety layers, such as alarms, operators and control functions. This includes careful consideration and design of ancillary services, interfaces and the architecture used for overall system communication. The final design should be coherent and offer the best possible human machine interface.

A compliant and comprehensive SRS has value that goes far beyond CA inspections. It becomes a benchmark for the organisation’s SIS that allows the performance of the system to be objectively assessed. It also helps companies take a consistent approach to changes as they upgrade and improve the plant and its safety systems.

2. Hazard Identification and Quantification

The identification of hazards considers a number of categories, including hazards to personnel leading to injury, damage to the environment, and financial and societal hazards.

There are a number of recognised approaches to hazard identification. These need to be formally and fully documented in a corporate procedure. Often such methods include review by teams, applying judgement and experience when looking at the risks. These judgements need to be fully and clearly documented, both as evidence that an appropriate process was applied and to assist future reviews.

The consequences of identified hazards should be assessed according to documented corporate standards. The ultimate aim of the process should be the identification of the required level of risk reduction that the SIF is expected to fulfil.

Risk quantification

Companies can use various approaches to determine the required level of risk reduction for a given hazard. These can broadly be divided into qualitative or quantitative categories. An example of a qualitative approach would be a risk graph or matrix, where the output is given as an order of magnitude. While relatively simple to apply, this approach is conservative and may lead to over-specification in design.

The most frequently used quantitative approach is Layers of Protection Analysis (LOPA). LOPA studies produce a target risk reduction expressed as the required probability of failure on demand (PFD) of the safety instrumented function. While the output of the LOPA approach is definitive, it is still subjective and relies on the experience and knowledge of the team applying the method.


3. Engineering and Design

The CA will look for evidence that sufficient effort has been put into the SIF engineering and design process. It is important that a company has not only completed work to the right standard, but that it can provide documentary evidence that it has done so. This documentation should record:

• How the design achieves the Safety Requirement Specification

• Which components will be used within the safety circuits

• How the circuits will be designed, built and commissioned

• The design basis and programming conventions for the software used to program the logic solver or safety PLC

• The competence of contributors to the design

This phase of the lifecycle needs to demonstrate that the design meets the SRS, including the required level of risk reduction. Calculation of the SIL required to deliver the appropriate PFD is only part of the requirements of IEC 61511, however. The design also has to demonstrate the required level of Hardware Fault Tolerance [3] (HFT) for the desired SIL.

Test frequency

The SIF test frequency can be adjusted in the calculation to ensure that the target risk reduction is met, but designers need to ensure that the proof test is achievable in both frequency and method, for example by taking into account the periods between plant shutdowns for offline testing. The test methods should also consider the requirements of the equipment safety data sheet, for example the need to power cycle instruments if required for diagnostic tests.

Proprietary tools are available to assist with SIL calculation, and such tools offer many advantages, including certified calculation engines to remove the risk of manual errors, and access to managed databases of component reliability and failure rates. Some such tools offer additional design support, for example showing the components in the design that are the biggest contributors to failures or spurious trip rates.

[3] The maximum number of hardware faults that will not lead to a dangerous failure
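As an added example (not from the paper or GSE's own material), the following Python ties the LOPA target described under Risk quantification to the test-frequency check described above: it derives the SIF's required PFD from the other protection layers and then checks whether a candidate single-channel design meets that target at an annual proof test, or what shorter interval it would need. The SIL bands and the simplified PFDavg formula are the IEC 61508/61511 low-demand relations; every frequency, PFD and failure rate used is a constructed sample value.

```python
"""Added example (not from the paper): derive the LOPA target for one SIF and
check a candidate 1oo1 design against it at a given proof-test interval.
All frequencies, PFDs and failure rates below are constructed sample values;
PFDavg = lambda_DU * TI / 2 is the IEC 61508 low-demand approximation for a
single channel with perfect proof tests (no common-cause or repair terms)."""
import math

# IEC 61511 low-demand SIL bands: SIL -> (PFDavg lower bound incl., upper excl.)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
HOURS_PER_YEAR = 8760


def sil_for_pfd(pfd):
    """SIL whose band contains pfd; 0 means less than 10x risk reduction."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    raise ValueError("PFDavg below 1e-5 is outside the SIL 1-4 bands")


def lopa_required_pfd(initiating_freq, ipl_pfds, tolerable_freq):
    """Required SIF PFDavg (per-year frequencies). ipl_pfds are the independent
    layers acting before the SIF (alarm plus operator response, relief valve);
    mitigation layers such as bunds are not credited, as the paper explains."""
    freq_without_sif = initiating_freq * math.prod(ipl_pfds)
    if freq_without_sif <= tolerable_freq:
        return 1.0  # other layers already meet the target; no SIF credit needed
    return tolerable_freq / freq_without_sif


def pfd_avg_1oo1(lambda_du_per_hour, test_interval_hours):
    """Average PFD of a single channel between proof tests."""
    return lambda_du_per_hour * test_interval_hours / 2


def max_test_interval_hours(lambda_du_per_hour, target_pfd):
    """Longest proof-test interval at which a 1oo1 channel still meets target_pfd."""
    return 2 * target_pfd / lambda_du_per_hour


def worked_case():
    """Constructed: BPCS loop failure 0.1/yr as initiator, alarm plus operator
    response (PFD 0.1) as the only other IPL, tolerable frequency 3e-5/yr."""
    target = lopa_required_pfd(0.1, [0.1], 3e-5)       # 3e-3 -> SIL 2 target
    lam_du = 3e-6                                      # dangerous undetected, per hour
    annual = pfd_avg_1oo1(lam_du, HOURS_PER_YEAR)      # 0.01314 -> only SIL 1
    ti_max = max_test_interval_hours(lam_du, target)   # 2000 h, about 12 weeks
    return {"target_pfd": target, "target_sil": sil_for_pfd(target),
            "pfd_annual_test": annual, "sil_annual_test": sil_for_pfd(annual),
            "meets_target_annual": annual <= target, "max_test_interval_h": ti_max}


if __name__ == "__main__":
    for key, value in worked_case().items():
        print(f"{key}: {value}")
```

The 2000-hour result is the kind of figure that has to be checked against what the plant can actually deliver: if the loop can only be proof tested offline at a yearly shutdown, the design needs a lower dangerous failure rate or redundancy rather than a shorter interval on paper.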


4. Commissioning, Operation and Maintenance

Commissioning

Factory acceptance testing

• Should include a definitive design freeze date

• Must be designed to include extensive negative testing (testing conditions that should not occur)

• Should be to a definitive test script against an approved cause and effect logic

Site acceptance testing

• Should include integrated function tests that include full system architecture performance testing [4]

• Should also test services, e.g., power and air supplies, failover testing and UPS autonomy

Final proof testing

• Should cover full end-to-end loop testing including settings, parameters and trip points

• Failed tests should be rectified and fully proof tested again

A company must be able to demonstrate comprehensive testing prior to introducing the hazard relating to the SIF.

Fully traceable and documented change management control needs to be in place for all of these pre-service testing phases; it should cover all faults logged and result in corrective action and suitable retesting.

In-service testing

Once the SIF is in service, the organisation needs a clear and documented regime to ensure it achieves the required integrity level over its operating life.

Test frequencies are set as part of the PFD calculation; the management of the testing must ensure tests are called and completed in time. Test methods must be clear, comprehensive and adequate for the competent technician to complete. The engineering design also needs to have considered testing as part of the PFD calculation; this should include the ability to test under the stated plant conditions (online tests using overrides, for example).

The in-service proof testing regime should also include inspection of hardware to ensure that it is in good condition and meets ATEX requirements where necessary. This requires suitable systems for Hazardous Area inspections, equipment condition inspection, and predictive and preventative maintenance procedures.

All tests need to record faults and successful results. Faults should be repaired and all failures should be logged and recorded even if the repair was simple, for example a small calibration error. Fault record systems need to contain all historical records; ideally the system should be able to look for systemic faults and repeat errors by equipment type, duty or service.

Missed tests

It may not be possible to do a test when scheduled. If this is the case, the company must be able to demonstrate that deferred testing is controlled with approved authorisations and valid reasons to defer.

Test scope

Testing regimes also need to consider equipment outside dedicated safety functions, including instruments that are part of the plant’s layers of protection but not in the SIF, such as the control loops, operator alarms and operator responses.

Management

Supporting these processes should be a clear set of management procedures including: management of change, management audit of testing, HR competency management and engineering line management.

[4] Validation of a system’s ability to allocate extra resource or to move operations to back-up systems in the event of a primary failure

5. Competence

The whole safety lifecycle relies on the application of people with the right skills to the relevant tasks. The CA will look for evidence that an organisation has appropriate competence management systems in place to ensure this is the case. The benchmark document used in the HSE Competent Authority guide is the HSE Human Factors guide Managing competence for safety-related systems [5].

This two-part guide provides a comprehensive framework consisting of four phases and 15 principles that an organisation’s internal competence management systems and processes should follow in order to gather the right evidence of staff competence.

[5] http://www.hse.gov.uk/humanfactors/topics/mancomppt1.pdf and http://www.hse.gov.uk/humanfactors/topics/mancomppt2.pdf

Engineers and senior technical staff

• Can demonstrate competence through related higher education courses such as Degrees, Professional membership, and continuing professional development

• Should have a good statutory awareness of laws and regulations including training in local procedures and company standards

• Should have a clear responsibility and level of authority to sign-off or approve key processes such as change management, deferrals, and test procedures

Technicians

• Competence can be based on experience, backed up with training evidence through apprenticeship, formal external training courses and technical qualifications such as ONC or HNC from a recognised technical college

• Local training in company procedures needs to be documented as does on-the-job training, inductions and mentoring

How GSE Can Help

COMAH requires adherence to a number of regulations, standards, and associated guidance documents. As your workforce turns over due to retirement and competition, are your systems at risk? As you continuously improve plant operations, adding automation and improved processes, are you forgetting that your functional safety requirements must be managed, tested, and maintained as well?

GSE believes that following a structured process is the key to compliance, and more importantly, to ensuring the safety of your people, plant, and environment. We would like to discuss all of your COMAH compliance needs, how our staff of experts can keep your site personnel abreast of new legislation, and how we can help you implement any changes required to maintain compliance.

We have an excellent track record providing these services in numerous high-hazard environments, including major Oil and Gas and Chemical Operators, along with smaller manufacturing facilities.

Our approach is to discuss your facilities and operations, and with a full understanding of the extent and roles that your existing systems play in reducing risk, propose a detailed solution to help you achieve and maintain compliance.

For further advice and recommendations please contact us at [email protected]


www.GSES.com | [email protected]

About GSE Systems

GSE Systems, Inc. is a world leader in real-time high-fidelity simulation, providing a wide range of simulation, training and engineering solutions to the power and process industries. Its comprehensive and modular solutions help customers achieve performance excellence in design, training and operations. GSE’s products and services are tailored to meet specific client requirements such as scope, budget and timeline. The Company has over four decades of experience, more than 1,100 installations, and hundreds of customers in over 50 countries spanning the globe.

Information about GSE Systems is available at www.gses.com.

HEADQUARTERS MARYLAND, USA

© 2016 GSE Systems, Inc.
