
IEC 61511 Implementation: The Execution Challenge

Tom Shephard and Dave Hansen, Mustang
Published in Control magazine, May 2010
ABSTRACT

The Safety Instrumented System (SIS) standard, IEC 61511, is driving the need for new engineering tools and Project Execution Plans (PEP). The standard is a lifecycle approach to defining, implementing and managing a Safety Instrumented System (SIS). Industry discussions tend to focus on the technical aspects of the standard; however, project execution is proving to have an equal or perhaps greater impact on the quality and success of an IEC 61511 project. Both challenges are driving the need for operating companies to modify and create their internal PEPs, tools, guidelines, standards and procedures. The same is true for Engineering, Procurement and Construction (EPC) and Main Automation Contractors (MAC). This article describes a few of the challenges, from the EPC and MAC perspective, and suggests approaches to enhance IEC 61511 execution and technical outcomes.

Coordinating Project Execution and Functional Safety Plans

Figure 1 is an example of the elements commonly performed and supported by EPCs and MACs. For projects, the PEP defines the scope of work, roles and responsibilities, work processes and procedures, QA/QC plans, etc. A Functional Safety Plan (FSP) is required by IEC 61511 and encompasses many of these PEP processes and procedures but continues beyond the project to include the entire safety lifecycle through commissioning and operations. It also includes additional requirements that are specific to safety systems. The project team needs to coordinate and cross-reference both documents to ensure there are no conflicts or exclusions. Some may choose to write an FSP that is specific to the project and another for operations. Both must satisfy the IEC 61511 requirements.

Process Hazard Analysis (PHA)

The quality of the IEC 61511 implementation project begins with the PHA and the PHA team's ability to accurately identify hazards and quantify risk.
PHAs have been performed for decades. The process is mature and generally understood. However, IEC 61511 processes are revealing previously undetected PHA deficiencies and irregularities. The numerical aspect of the PHA and the accuracy and consistency of the assigned Consequence and Likelihood ratings are important. PHA teams tend to calibrate their application of risk ratings differently. This becomes apparent when Safety Integrity Levels (SIL) resulting from a Layer of Protection Analysis (LOPA) are inconsistent for identical hazards. This variability may result in SIS over-design (unnecessary costs) or under-design (design integrity is inadequate for the true risk). Variability can also impact Operations and Maintenance (O&M) if like Safety Instrumented Functions (SIF) within a facility differ in design, maintenance intervals and operating procedures.

Specialists in rotating equipment, fired vessels and reactors are required to accurately identify and quantify operating risk. PHAs may miss or overestimate equipment-unique hazards if the appropriate specialists do not participate in the assessment. A missed hazard may become apparent if the PHA/LOPA does not require a SIF that is commonly employed to protect against a known operating risk.

Figure 1: Simplified SIS Lifecycle (Partial)

2010 Mustang Engineering, L.P.


Procedural and technical issues may arise during a PHA that require expert and, perhaps, corporate-level clarification. The procedures, tools and standards may fail to provide adequate guidance, causing the team to table the problem for later resolution and potentially delay PHA completion.

As indicated in Figure 1, the application of IEC 61511 increases the number of analysis and design steps that can lengthen the SIS design cycle. The project must be well planned, managed and correctly scheduled and resourced to keep the SIS design off of the project's critical path.

Layer of Protection Analysis (LOPA)

LOPA is becoming a commonly accepted method for determining layers of protection and allocating safety functions. The PHA report is the LOPA starting point. For each PHA hazard and associated risk values, the LOPA team identifies and assigns one or more Independent Protection Layers (IPL) until the risk is reduced to an acceptable level. Common instrumentation IPLs are alarms and relief valves. If a risk remains after other preferred IPLs are applied, the remaining risk is typically reduced by a SIF. Like PHAs, LOPA reports are issued with recommendations and action items that may require further analysis and assessment. The report in this form is often handed off to the EPC or MAC to implement.

Once received, the EPC or MAC generally reviews the LOPA report to understand its content and completeness. A month or more may lapse before this step is completed. On closer examination, questions may arise and irregularities may become apparent. A typical example is an alarm assigned as an IPL. The LOPA guidelines for the project may specify rules such as: 1) the Operator must be able to respond to the alarm and initiate corrective action within 10 minutes, 2) the Operator response and corrective action must occur within the process response time (typically within the process response time) and 3) the alarm must be independent from the event and equipment that may have caused the hazard, e.g. a failure in the Basic Process Control System. On review, one or more of these assumptions prove to be incorrect.
Another irregularity seen in LOPA reports is variability in SIL targets when the equipment, hazard scenario and IPLs are the same. This can be a symptom of a problematic PHA. For these reasons a process should be in place that allows the LOPA team to challenge and review the PHA and, if necessary, make changes in the PHA if an error is confirmed. (As a counterpoint, SIL variability can also result if IPLs are not applied consistently in the LOPA.)

The LOPA report does not typically provide the following information required to progress the SRS:

- SIF final elements
- Answer to the question "Does SIF activation create a new hazard?"
- Hazard process response times
- Potential sources of common cause failure
- Confirmation that the assessment addresses all modes of operation

It is not uncommon that a proposed SIF final element creates a new hazard when it moves to its safe state or position. This triggers a one-off (and unplanned) hazard assessment that may require a revisit to the PHA or LOPA. Process response time is often difficult to define and is provided by different disciplines and equipment specialists. A fast response time may trigger a new hazard that also requires further assessment. Identifying sources of common cause failure often requires input from several disciplines. The additional time needed to assess hazards when operating in different operating modes is often overlooked.
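The SIL-target variability described above (same equipment, hazard scenario and IPLs, different SIL) can be screened for mechanically before the LOPA report is handed off. The following is an added example, not part of the original article or any project tool: it assumes the usual LOPA arithmetic (initiating frequency times IPL PFDs, compared with a tolerable frequency) and the IEC 61511 low-demand SIL bands, and the tags, frequencies and field names are constructed.

```python
from collections import defaultdict
from math import prod

# Upper bound of the risk reduction factor (RRF) for each low-demand SIL band;
# SIL 0 here means "no SIL-rated function required".
SIL_BANDS = [(10, 0), (100, 1), (1_000, 2), (10_000, 3), (100_000, 4)]

def required_sil(init_freq, ipl_pfds, tolerable_freq):
    """Return (RRF, SIL) left for the SIF after the other IPLs are credited."""
    rrf = init_freq * prod(ipl_pfds) / tolerable_freq
    for upper, sil in SIL_BANDS:
        if rrf <= upper:
            return rrf, sil
    raise ValueError("required risk reduction exceeds SIL 4")

def inconsistent_targets(rows):
    """Map (equipment, scenario, IPLs) -> [(tag, SIL)] where the SILs disagree."""
    groups = defaultdict(list)
    for r in rows:
        _, sil = required_sil(r["init_freq"], r["ipls"].values(), r["tolerable"])
        key = (r["equipment"], r["scenario"], tuple(sorted(r["ipls"])))
        groups[key].append((r["tag"], sil))
    return {k: sorted(v) for k, v in groups.items()
            if len({sil for _, sil in v}) > 1}

# Constructed sample rows (hypothetical tags); frequencies are events per year.
# SIF-101 and SIF-201 differ only in the likelihood the PHA team assigned.
LOPA_ROWS = [
    {"tag": "SIF-101", "equipment": "separator", "scenario": "overpressure",
     "init_freq": 0.5, "tolerable": 1e-6,
     "ipls": {"alarm": 0.1, "relief valve": 0.01}},
    {"tag": "SIF-201", "equipment": "separator", "scenario": "overpressure",
     "init_freq": 0.05, "tolerable": 1e-6,
     "ipls": {"alarm": 0.1, "relief valve": 0.01}},
    {"tag": "SIF-301", "equipment": "reactor", "scenario": "hot spot",
     "init_freq": 0.2, "tolerable": 1e-5, "ipls": {"alarm": 0.1}},
]

if __name__ == "__main__":
    for key, found in inconsistent_targets(LOPA_ROWS).items():
        print(key, "->", found)
```

A flagged group is a prompt to take the likelihood rating back to the PHA owner, not proof that either SIL is wrong.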



Suggestions for improving PHA and LOPA outcomes and execution include:

- Provide the FSP before the project starts. It should clearly define the site or corporate approach, tools, processes and personnel for implementing IEC 61511. It should include a process to resolve problems that are not directly addressed in the PEP and FSP, and how to provide the analysis information typically missing in the LOPA report, e.g., SIF response time.
- Project teams should resist the temptation to shortcut or truncate the analysis phase to save money or reduce project schedule. This can cause a team to miss a critical hazard or define unnecessary requirements that result in higher SIS lifecycle costs.
- Provide equipment- and risk-specific PHA and LOPA examples (corporate approved) that clearly show the expected application of the corporate and project tools, risk matrices and IPL rules. This should help to achieve more accurate and consistent outcomes.
- Align the PEP with the Functional Safety Plan. Revise the plan to address challenges that are unique to an IEC 61511 implementation.
- Increase training for PHA and LOPA teams on the correct use and application of the supplied tools, standards and procedures.
- Provide checklists that define the recommended steps to assess hazards for common equipment types such as fired vessels and rotating equipment.
- Provide a documented process to track, expedite and resolve PHA and LOPA recommendations and action items.
- Provide a Quality Assurance plan to confirm the requisite procedures are followed.
- Assign a team to verify and consolidate PHA and LOPA recommendations and replace "consider" recommendations and action items with actionable decisions. The team should be empowered to correct PHA and LOPA errors and omissions identified after the report is issued.
- Have technical specialists conduct pre-assessments of specialty equipment to reduce analysis time and improve results.
- Ensure PHA and LOPA teams include the necessary technical expertise.
- Ensure Management of Change procedures encompass all steps in the IEC 61511 process.

Safety Requirements Specification (SRS)

This phase begins the shift from analysis to SIS engineering and design. When compared to traditional SIS specifications, the SRS is a major expansion in both depth and breadth. Example content is identified in Figure 2. The SRS may be one document or a compilation of documents. The SRS is the master document. Referenced documents are subordinate to the SRS. The global SIS content is more comprehensive when compared to historical SIS specifications. It should not use generalizations that were often common to these specifications. The time and effort needed to complete this section is generally understood. In contrast, the time and effort needed to fully specify individual SIFs can vary widely. On projects having a large number of SIFs (common to large floating production platforms) this new activity may noticeably increase the SIS engineering effort. In response, EPCs and MACs must modify and adapt their procedures, execution plans and cost estimating tools accordingly.


Figure 2: Safety Requirements Specification Inputs and Reports

The simple task of issuing the SRS requires discussion. The global section should be issued for approval early. Issuing the SIF section may need to occur on a SIF-by-SIF basis since completion depends on when PHA/LOPA action items are completed and when information is available. The SRS for a SIF can be several pages. If the SRS is issued as a single document, the Client is challenged with reviewing a complex document that may be 100s of pages. The traditional project review period is 5-10 days.

As suggested in Figure 2, the information required to fully define and document a SIF may entail 40 or more unique data items. The source and detail required to document each item (e.g., proposed SIF architecture) must be clearly defined. The effort to gather, track and review this data can be significant. For a large project the work includes migrating and recording large amounts of data that may be provided in different formats, at different times and by different disciplines and organizations. Companies are beginning to develop in-house SRS database tools to improve productivity, reduce errors and track SIF development and approval status. These tools may also be used to create SRS deliverables, status reports and action item lists, and provide a central repository to manage the SRS over the SIS lifecycle. Information provided by different disciplines and organizations represents an interface challenge that should be addressed in the PEP Interface Management Plan. The potential for data transfer and transcription errors should be addressed in the PEP Quality Plan.

Completing the SIF section can be challenging and typically requires a SIS engineer that has significant depth and breadth. Once completed, a "cold eyes" quality check by a senior competent person should be considered. The Quality Plan should define the approach to these checks, e.g., verify all SIFs, only complex SIFs, or a randomly selected percentage.

The SIF specification process may identify problems that can trigger a secondary work process or design change. For example, the LOPA defines a hazard in an exothermal reactor as a hot spot that can exceed metallurgy limits. The report proposes 2-out-of-3 sensor voting. Project P&IDs show three thermocouples mounted vertically. If this were a large reactor, this design may fail to detect the hot spot, and the three sensors will see very different temperatures. The design does not appear to meet the intent. The SIS engineer should contact the LOPA owner to confirm the intent, which may trigger a design change.

Figure 3 identifies a common scope question. What are the project requirements for documenting Protective Instrumented Functions (PIF) that are not required by the LOPA/PHA? PIFs may be provided for safety (not SIL rated), environmental, regulatory (proscriptive), and asset protection. Are PIFs documented in the SRS? Do the SIF analysis and verification steps apply to PIFs? Will the SRS differentiate between SIFs and PIFs? These questions need to be answered before budgets are firmed up and schedules developed.

Figure 3: Protective Instrumented Functions (PIF) in the SRS?
[Figure 3 diagram labels: PHA/LOPA SIFs (SIL = 1 to 3); PIFs from Equipment Safety Standard (e.g., NFPA-85) and PIFs from Industry Sector Safety Standard (e.g., API RP 14C) (SIL = ?); SRS: SIFs, incl. PIFs?]

The approach to verifying SIF response time is a typical scope question. For example, will it be calculated during detailed design using published performance data and valve supplier test records? Perhaps it is only verified during pre-commissioning, which can be risky if the response time target is not met.

Suggestions for improving SRS outcomes and execution include:

- Define what information is included in the SIF specification section, the level of detail required, who provides the information, and who records it in the SRS. (This can impact proposals, project scope and schedules.)
- Provide an example specification for common SIF types and indicate the level of detail required.
- Define the approach to assessing and documenting PIFs that are not SIL rated.


- Define if the SRS will differentiate instrumented functions by type, e.g., safety, environmental, regulatory or asset protection.
- The PEP Quality Plan should define the quality checks required.
- The global SRS narrative section should be completed and approved before SIF specification work begins.
- Confirm which document, e.g., the SRS or project instrument database, is the master repository for alarm and trip settings.
- Define how and when the individual SIF specifications will be issued for approval.
- Utilize electronic tools to manage the SRS SIF definition section, support electronic data transfer to and from other systems, and to manage SRS data over the SIS lifecycle.
- Develop tools for tracking SIF specification design and completion status.

SIL and Spurious Trip Rate (STR) Calculations

SIL and STR targets are verified using project-approved calculation tools and reliability data sets. The SRS typically provides the information needed to correctly model the SIF. Final SIL calculations are generally provided late in the project. To support early equipment procurement, preliminary SIL calculations are often recommended to confirm that SIL 2 and 3 SIFs and the more complex SIL 1 SIFs can meet the SIL and STR targets. Failure to meet a target typically triggers a study to identify alternate designs. Individual studies may require a few hours to a few days to complete. The elapsed time may be weeks or longer when the available design options deviate from the project or facility standards, or the project impacts are assessed. Studies to find alternatives for complex or difficult SIFs can take significantly longer.

If not defined in the FSP, the reliability data used in SIL calculations should be selected early in the project. The FSP or PEP must define how new data will be assessed and formally approved for use. Overly conservative data can drive SIF design towards unnecessarily high capital and lifecycle costs. Data provided from commercial resources can be significantly more conservative when compared to Client-collected or product-vendor-provided data. Conversely, inaccurate data can lead to a deficient design and a faulty verification step.

Suggestions for improving verification calculations and execution include:

- The FSP or PEP should identify the calculation software and the source of the reliability data used.
- Provide rules to guide how SIFs are modeled, named and documented, target PFD safety factor, applicable Common Cause factors, etc.
- Define what information and detail is recorded in free-form fields.
- Provide example calculations for common equipment and complex SIFs.
- Define the process for approving third-party reliability data used in preliminary and final calculations and its introduction to the team.
- Define what test interval is used, e.g., use the interval specified in the SRS or perform iterative calculations to determine the maximum interval possible and still meet SIL and STR targets.
- Define the process for issuing and approving calculations.
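The iterative test-interval calculation mentioned in the suggestions above, together with the PFD safety factor and common cause factor, can be sketched as follows. This is an added example, not the article's or any project-approved calculation tool: it assumes the widely used simplified PFDavg approximations (λ_DU·TI/2 for 1oo1, (λ_DU·TI)² for 2oo3, plus β·λ_DU·TI/2 for common cause), uses constructed failure rates, and covers the PFD side only, not the STR check.

```python
HOURS_PER_MONTH = 730.0  # 8760 h per year / 12

def pfd_avg(lambda_du, ti_hours, voting="1oo1", beta=0.0):
    """Simplified PFDavg of one subsystem (no diagnostics or repair-time terms)."""
    x = lambda_du * ti_hours                 # dangerous undetected rate x interval
    if voting == "1oo1":
        return x / 2
    independent = {"1oo2": x ** 2 / 3, "2oo3": x ** 2}[voting]
    return independent + beta * x / 2        # add the common cause contribution

def sif_pfd(subsystems, ti_months):
    """PFDavg of the whole SIF: sensor, logic and final element in series."""
    ti = ti_months * HOURS_PER_MONTH
    return sum(pfd_avg(s["lambda_du"], ti, s["voting"], s.get("beta", 0.0))
               for s in subsystems)

def max_test_interval(subsystems, target_pfd, safety_factor=1.0,
                      candidates=(1, 3, 6, 12, 24, 36, 48, 60)):
    """Longest candidate proof-test interval (months) that still meets the
    target PFDavg divided by the safety factor; None if no candidate passes."""
    limit = target_pfd / safety_factor
    passing = [m for m in candidates if sif_pfd(subsystems, m) <= limit]
    return max(passing) if passing else None

# Constructed SIF model; failure rates are per hour and purely illustrative.
SIF = [
    {"name": "transmitters", "voting": "2oo3", "lambda_du": 2e-6, "beta": 0.05},
    {"name": "logic solver", "voting": "1oo1", "lambda_du": 1e-7},
    {"name": "shutdown valve", "voting": "1oo1", "lambda_du": 1.5e-6},
]

if __name__ == "__main__":
    sil2_limit = 1e-2                        # upper PFDavg bound of the SIL 2 band
    print("PFDavg at 12 months:", sif_pfd(SIF, 12))
    print("max interval, no margin:", max_test_interval(SIF, sil2_limit))
    print("max interval, factor 2 :", max_test_interval(SIF, sil2_limit, 2.0))
```

With these inputs the single 1oo1 valve dominates the result, and applying a safety factor of 2 halves the allowable interval from 12 to 6 months, which is why the safety factor and the interval rule need to be fixed before calculations start.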


Miscellaneous

The following are additional topics and recommendations to consider:

- Define project requirements for factory testing, site validation testing and checklists, online and offline proof test procedures, record keeping, and the process to track, correct and verify inspection and test deficiencies.
- Provide procedure examples to confirm scope and format requirements.
- Determine how IEC 61511 processes, documents and procedures are coordinated and integrated with existing facility O&M practices and Safety Management programs. Changes in organizational boundaries, work process and technical procedures may be required. This process and implementation should be framed and budgeted as a separate, stand-alone project to better ascertain its success and timeline.

Conclusion

Implementing IEC 61511 requires changes in historical work processes, procedures, tools and execution plans. Operating companies should continue to develop corporate standards, guidelines and tools to guide project teams and improve consistency between projects. EPCs and MACs will continue to develop the execution and technical plans, procedures, tools and resources required to successfully implement this standard in today's complex project environment.

Author Bios

Tom Shephard is an automation Project Manager and Main Automation Contractor (MAC) Program Manager at Mustang Engineering. He has 28 years of control and safety system experience in the Oil & Gas, refining, marketing and chemical industries. Tom is a Certified Automation Professional (ISA) and a certified Project Management Professional (PMI). He holds a B.S. in Chemical Engineering from Notre Dame University.

Dave Hansen is the Safety System Practice Lead at Mustang Engineering. He has over 20 years of control and safety system experience in Oil & Gas, refining and chemical industries. He is a Southern Alberta Institute of Technology (SAIT) instrumentation technology graduate, a Certified Engineering Technologist (Instrumentation) and a Certified Functional Safety Expert.
