
7/27/2019 Functional Safety Management

http://slidepdf.com/reader/full/functional-safety-management 1/8


Functional Safety Management – The good, the bad and the ugly! Lessons learned while striving for compliance with IEC 61511.

By Michael Scott, PE, CFSE

An efficient functional safety management program encompasses engineering, maintenance, and operations personnel all working together for a common goal – prevention of loss of containment. This may sound straightforward, but it requires multiple entities within an organization to align to achieve this common objective, and it can be difficult to implement within a complex organization. So what does a “good” functional safety management system look like?

Lessons Learned

First, let’s discuss the evolution / awareness process an organization typically adopts on their road towards functional safety management. This evolution / awareness process is born of the best intentions but typically leads the end user to an intermediate, undesirable position short of their ultimate end goal. This results in regret costs and schedule delays in achieving a fully compliant functional safety management system.

Step 1 – Desire for IEC 61511 “Functional Safety – Safety Instrumented Systems for the process industry sector” Corporate Alignment

In this step, the organization identifies the desire for IEC 61511 compliance and champion(s) within the organization to convince management of the benefits of managing functional safety via a performance based methodology. Given that full compliance with IEC 61511 requires multiple entities within an end user’s organization to align, a commitment from management is essential. This alignment change typically requires a significant paradigm shift within the end user organization. Thus, this first step is often the hardest.

Step 2  –  Modify Process Safety Risk Ranking to Support SIL Selection

In order to adopt IEC 61511, one needs to assign / calculate a required Safety Integrity Level for a given Safety Instrumented Function. Thus, the end user organization has to modify their current risk analysis methodology (i.e. Process Hazards Analysis (PHA)) to support Safety Integrity Level (SIL) selection (i.e. Layer of Protection Analysis (LOPA)). This task is typically owned by a corporate process safety department. Multiple methods of Risk Analysis and SIL Selection currently exist, and the process safety department has to decide which methodology to adopt and which tool(s) they are going to use to support their overall risk analysis process. Most organizations are looking to implement solutions that are aligned as closely as possible with their current work process, thus requiring the least amount of change in how they currently conduct their risk analysis efforts. This concept sounds reasonable and very practical but ultimately is the first misstep made by most organizations.

Step 3  –  Identification of Areas of Concern

Once an organization has bought into the performance based risk concepts contained in IEC 61511, the first desire is to identify a work process to complete a risk analysis on all facilities within the organization. Many companies made the decision to focus on those unit operations that historically were deemed to have a higher risk than other units. Thus, a program would typically be developed to conduct a Risk Analysis / SIL Selection on some small sub-set rather than the entire portfolio of processes within the organization. Once again this concept sounds reasonable and very practical but, ultimately, this is another common misstep if an overall holistic approach is not adopted by the organization.

Step 4  –  Development of Initial Safety Instrumented Systems Deliverables

Once the Risk Analysis / SIL Selection efforts for the high risk unit operations have been completed, the end user is often anxious to review how the existing instrumentation / controls fare from a performance based design review standpoint. Thus, Safety Instrumented System deliverables are immediately generated for those Safety Instrumented Functions (IPF) that were identified in the Risk Analysis / SIL Selection process. These deliverables typically consist of the following:

• IPF List
• Safety Requirements Specification
• Cause & Effects
• SIL Verification Calculations
• Functional Test Plans

Once again, this concept sounds reasonable and very practical but, ultimately, this is a misstep if an overall holistic approach is not adopted by the organization.

Step 5  –  Identification of Gaps

With SIS deliverables completed, the organization wants to focus on Gaps. A Gap means the organization needs to develop a project to spend dollars to close the Gap. Gaps generally fall into three major categories from an end user standpoint:

1. Capital Project required to install instrumentation / controls to achieve the required level of risk reduction for existing kit
2. Operations & Maintenance activities to begin testing SIFs and tracking of failures, demands, time in bypass, etc.
3. Incorporation of SIS work process into the everyday Management of Change (MOC) process

Most organizations on the learning curve for IEC 61511 compliance immediately implement bullet 1 and the testing of SIFs in bullet 2. The remainder of bullet 2 (tracking of failures, demands, time in bypass, etc.) and all of bullet 3 (incorporation of the SIS work process in the everyday MOC process) are tackled sometime in the future because of the difficulties within the organization in implementing the changes needed to achieve bullets 2 and 3. Once again this concept sounds reasonable and very practical but, ultimately, this is also a misstep if an overall holistic approach is not adopted by the organization.

Step 6  –  Realization Data is Stagnant

In most large organizations, completion of steps 1 through 5 above is a significant investment and takes multiple years to complete. However, because an overall holistic approach to IEC 61511 compliance was not developed / planned in the beginning, and instead each department within the organization focused on implementation of a solution that impacted their department the least, the maintainability of the results of steps 1 through 5 is in most instances not sustainable within the organization. Thus, the data used to develop the deliverables has become stagnant because the IEC 61511 compliance exercise used a snapshot of data at the beginning of the project and did not plan for an overall data management scheme for the life of the installation. For instance, project A was implemented in Unit B. Assume project A added 2 defined SIFs and deleted 1 existing SIF. In most organizations, the IEC 61511 compliance efforts did not address ongoing projects and their impacts to Safety Instrumented System deliverables. Thus, either project A developed standalone Safety Instrumented System deliverables or none at all. In both cases, a facility engineer cannot perform the simple task of generating a master SIF List of devices to be tested. The initial IEC 61511 compliance efforts may not have completed a review of all equipment (due to focusing on high risk areas) and / or the MOC process to maintain the SIS design basis in an evergreen fashion was not addressed during this interim period (several years).

This realization results in regret costs as the organization begins to tackle the harder issues mandated by the overall holistic approach to IEC 61511 compliance. This implies an overall work process and associated functional safety management tool(s) to ensure the Risk Analysis / SIL Selection and associated SIS deliverables can be readily supported in an evergreen fashion by existing personnel.


Key Attributes of Successful Functional Safety Management

Having discussed the typical work process and pointed out shortcomings that may not be obvious to an end user who has not lived through the above steps or is in the middle of these steps, it is extremely important that the extent of these well-intended missteps be fully grasped by the reader. This will be accomplished by focusing on the attributes of what a “good” functional safety management system looks like, as opposed to dwelling on the negatives encountered in some of the above key steps.

Step 1 – Desire for IEC 61511 “Functional Safety – Safety Instrumented Systems for the process industry sector” Corporate Alignment

Best practice for an organization would be to properly plan for functional safety management activities and their impacts to the organization prior to implementation of IEC 61511. This planning would include the following:

• Survey of each business unit / facility to identify how they currently execute each phase of the safety lifecycle.
• Realization that an evergreen overall functional safety management program is mandatory and establish this requirement at the beginning of the IEC 61511 compliance project.
• Begin a functional safety management tool selection process that addresses key issues in the survey of each business unit / facility as well as the best practice attributes noted below in steps 2 through 5.

If the overall program level plan does not account for an evergreen work process, the resultant data collected will become stagnant and will provide limited benefit to end users. This in turn will result in loss of confidence in the data by the end users and undermine the value of IEC 61511 compliance to the overall organization.


Step 2  –  Modify Process Safety Risk Ranking to Support SIL Selection

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:

• Risk Analysis and SIL Selection methodology that is tightly integrated such that changes in the Risk Analysis (i.e. PHA) are automatically fed into the SIL Selection (i.e. LOPA) and vice versa.
• Development of a Risk Analysis and SIL Selection methodology that supports data extraction directly into a functional safety management engine to develop the remainder of the SIS deliverables.

This will improve the overall quality of the data set by minimizing re-typing of the same information in multiple places. It also reduces the man-hour requirements to maintain a valid PHA / LOPA and the resultant transmittal of data to the tool(s) completing the remainder of the SIS deliverables.

Step 3  –  Identification of Areas of Concern

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:

• Risk Analysis and SIL Selection methodology that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity.

This will allow a facility engineer to review a list of critical protection layers that need to function to prevent loss of containment. Thus, the facility engineer would be able to conduct a risk analysis if pressure transmitter PT-100 needed to be removed from service on a temporary basis. The master evergreen risk analysis includes the facility siting results from Project B that occurred last year and added a new control room in close proximity to the unit of operation in question. Thus, the facility engineer does not need to review the latest PHA Revalidation / LOPA along with all individual capital projects that have occurred since the last PHA Revalidation / LOPA to perform an accurate assessment of the risk associated with PT-100 being out of service.


Step 4  –  Development of Initial Safety Instrumented Systems Deliverables

Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:

• SIS deliverable methodology that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity.
• SIS deliverable engine supports use of templates and a library of deliverables
• SIS SIL Calculation engine that supports and stores “what if” calculations against a given SIF
• SIS SIL Calculation engine is capable of automatically generating the associated Cause & Effect Diagram
• Functional safety management tool has MOC capabilities within the tool itself
• Functional safety management tool should be capable of developing and managing deliverables associated with IPLs
• Functional safety management tool should be viewable by a large audience within engineering, operations and maintenance

By maintaining the SIS deliverables in an evergreen fashion based upon the latest project updates, in concert with the latest Risk Analysis / SIL Selection updates, a facility engineer can review the proposed scope of project X to de-bottleneck Unit K for potential impacts to SIFs and / or critical Instrumented Protection Layers (IPLs) (i.e. alarm with operator action), thus identifying early in the project lifecycle the need to modify a safety instrumented system and the associated tasks / deliverables that need to be generated by the project. This will greatly reduce the regret costs / schedule impacts incurred if this scope is defined late in the project. Making the functional safety management tool viewable by a large audience helps facilitate the communication / awareness process for these critical SIFs and / or IPLs. The remainder of the “best practices” bullets noted above are focused on reduction of man-hours to generate and maintain SIS deliverables. This is critical if the end user organization desires to minimize additions and / or maintain current head count through the IEC 61511 adoption process.

Step 5  –  Identification of Gaps


Best practice for an organization would be to utilize a functional safety management tool that supports the following key criteria:

• Gap Tracking functionality that supports an evergreen work process. Thus, results from initial IEC 61511 compliance efforts, future project PHAs, and / or future Revalidation PHAs can be managed together as a single entity to manage Gaps. These Gaps could be shortfalls in existing SIF designs that require additional field devices, installation of a new inherently safer design concept, addition of new IPLs, etc. Thus, the tool would communicate the current as-is Risk Profile as well as the long term view of what the risk profile could be if projects A, B and C are implemented.

• Ability to address operations and maintenance aspects of the safety lifecycle:
  o Collection and analysis of failure rate data results from functional testing in a paperless environment
  o Assignment / management of failure rate data in concert with an approved vendors list for instrumentation and controls associated with a Safety Instrumented System
  o Collection of failure rate data results from corrective work orders in a paperless environment
  o Collection and analysis of time a SIF or IPL is in bypass or mean time to repair
  o Collection of root cause analysis data and comparison to initiating causes / cause frequencies assumed in the Risk Analysis and SIL Selection methodology (PHA / LOPA) in a paperless environment
  o Ability to conduct an override risk assessment
  o Ability to analyze impacts for deferred functional testing
  o Key Performance Indicator feedback on the goodness of the functional safety management system components

• Ability to support the day to day MOC process at the facility. Thus, the tool has the ability to maintain risk analysis, SIS design basis and critical IPLs used in LOPA in an evergreen fashion.
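The Step 3 and Step 5 best practices above (a master evergreen risk analysis that lets a facility engineer assess PT-100 being out of service, and Gap Tracking that shows the as-is risk profile beside the long-term profile once projects are implemented) can be illustrated with a small LOPA calculation. This is example code written for this page, not a tool from the paper or from aeSolutions; the scenario, tags, frequencies and PFDs are constructed assumptions, and the SIL bands follow the IEC 61511 low-demand table.

```python
from dataclasses import dataclass
from math import ceil, log10

@dataclass(frozen=True)
class IPL:
    tag: str                # independent protection layer name
    pfd: float              # probability of failure on demand (low-demand mode)
    depends_on: tuple = ()  # field devices the layer needs in order to function
    planned_by: str = ""    # project that will add this layer; "" = already installed

@dataclass(frozen=True)
class Scenario:
    initiating_frequency: float  # initiating cause frequency per year, from the PHA
    target_frequency: float      # tolerable mitigated event frequency per year
    ipls: tuple                  # installed and project-planned IPLs kept together

def mitigated_frequency(scn, include_planned=False, out_of_service=()):
    """LOPA: initiating frequency times the PFD of every IPL that can be credited."""
    f = scn.initiating_frequency
    for ipl in scn.ipls:
        if ipl.planned_by and not include_planned:
            continue  # not installed yet: counts only in the long-term risk profile
        if any(dev in out_of_service for dev in ipl.depends_on):
            continue  # a layer whose device is bypassed gets no credit
        f *= ipl.pfd
    return f

def required_rrf(scn, include_planned=False):
    """Additional risk reduction factor still needed to reach the target (1.0 = no gap)."""
    return max(1.0, mitigated_frequency(scn, include_planned) / scn.target_frequency)

def sil_for_rrf(rrf):
    """IEC 61511 low-demand bands: RRF >10..100 -> SIL 1, >100..1000 -> SIL 2, ...; <=10 -> none."""
    return 0 if rrf <= 10 else min(4, ceil(log10(rrf)) - 1)

def override_assessment(scn, devices, include_planned=False):
    """Override risk assessment: (frequency while bypassed, multiplier vs. base, IPLs losing credit)."""
    base = mitigated_frequency(scn, include_planned)
    during = mitigated_frequency(scn, include_planned, out_of_service=devices)
    lost = [ipl.tag for ipl in scn.ipls
            if (include_planned or not ipl.planned_by)
            and any(dev in devices for dev in ipl.depends_on)]
    return during, during / base, lost

# Constructed scenario (not from the paper): high pressure in a Unit K separator; all values illustrative.
HIGH_PRESSURE = Scenario(
    initiating_frequency=0.2,  # BPCS control loop failure, events per year
    target_frequency=1e-5,
    ipls=(
        IPL("PAH-100 alarm with operator action", 0.1, depends_on=("PT-100",)),
        IPL("PSV-100 relief valve", 0.01),
        IPL("SIF-100 high pressure trip", 0.01, depends_on=("PT-100",), planned_by="Project A"),
    ),
)

if __name__ == "__main__":
    rrf = required_rrf(HIGH_PRESSURE)
    print(f"As-is gap: RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}; with Project A: RRF {required_rrf(HIGH_PRESSURE, True):.0f}")
    print("PT-100 out of service (after Project A):", override_assessment(HIGH_PRESSURE, ("PT-100",), True))
```

Because installed and planned layers live in one record, the same scenario answers the gap question (a SIL 1 SIF is needed today, none once Project A is in) and the override question (bypassing PT-100 removes credit for every layer that depends on it, not just the alarm).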

Conclusion

If an organization does not properly plan for functional safety management and set specific goals for the program to ensure the data can be managed efficiently and effectively in an evergreen fashion, initial IEC 61511 compliance efforts will fall short of expectations. A successful implementation must include the following:

• Commitment by management
• Recognition of the importance of an evergreen work process
• Identification of key stakeholders within engineering, operations and maintenance to support the paradigm shift of change required to implement an evergreen functional safety work process
• Selection of a functional safety management tool that supports the key attributes noted in this paper

One can successfully implement a fully IEC 61511 compliant functional safety lifecycle management tool that supports the attributes contained in this white paper with proper planning and due diligence.

About the Author

Michael Scott, PE, CFSE ([email protected]) is VP of Process Safety with aeSolutions. He has executed multiple functional safety lifecycle management projects and developed a suite of functional safety lifecycle management tools, aeShield™ and aeFacilitator™, to support these projects.