Important functional safety standard for automation in the computer age
By William Johnson, Richard R. Dunn, and Victor J. Maggioli
This overview outlines key elements of the ISA84 committee on process sector functional safety, including scope, purpose, history, and technical issues. It also provides a preview of the forthcoming 2nd edition of ANSI/ISA-84.00.01 (IEC 61511 Mod).
Functional safety within the process sector has always been a priority. As the process sector moved into the computer age, new issues arose as manufacturing plants converted to computer control to replace electrical, pneumatic, and electronic controls. The process sector developed a variety of tools to address these problems, but safety performance did not always meet expectations. The need for improved understanding and harmonization of risk reduction approaches became evident with the occurrence of such major catastrophes as Seveso (Italy), Bhopal (India), Flixborough (U.K.), and Chernobyl (Ukraine). In response, OSHA developed and published OSHA 29 CFR, 1910.119-1992 (Final Rule: 24 February 1992), Process Safety Management of Highly Hazardous Chemicals, Explosives, and Blasting Agents; and the U.S. Environmental Protection Agency published EPA 40 CFR Part 68, Accidental Release Prevention Requirements: Risk Management Programs under the Clean Air Act (U.S. only). These regulations helped define areas that must be addressed in order to achieve a mandated level of functional safety performance in industry.
The International Society of Automation (ISA, formerly Instrument Society of America) recognized the need for an improved approach in handling process sector functional safety issues. As a result, ISA established Standards Project 84 (SP84, now called ISA84) to address this issue.
During the late 1980s, more than sixty experts from diverse backgrounds (including end users in the chemical and petroleum industries, integrators, equipment manufacturers, consultants, and safety regulators) joined ISA84 to bring together their expertise in addressing process sector functional safety. ISA84 membership included members from many national and international technical organizations, such as the American Petroleum Institute (API), National Fire Protection Association (NFPA), American Society of Mechanical Engineers (ASME), Institute of Electrical and Electronics Engineers (IEEE), the Health and Safety Executive (HSE) of the U.K., and American Institute of Chemical Engineers (AIChE). Contributions from each of these organizations and others played significant roles in this effort. In addition, to ensure greater global awareness, ISA84 established and continues to maintain an active dialog with international technical user organizations such as The International Users Association-WIB, and NAMUR (Normenarbeitsgemeinschaft für Mess-Und Regeltechnik in der Chemischen Industrie).
This team developed and obtained approval from ISA’s Standards & Practices Board for the ISA84 scope and purpose:
Scope:
- Define terminology that is particular to Electrical/Electronic/Programmable Electronic Systems (E/E/PES) and high reliability.
- Establish criteria for, and means of assessing, reliability and availability in practical applications.
- Provide general specification guidelines that facilitate understanding.
- Provide guidelines for process safety applications requiring high reliability.
- Develop guidelines for specific hardware/software configurations that can meet varying levels of reliability/availability.
- This work does not apply to nuclear power safety-related systems.
Purpose: To develop standards and technical reports for applying Electrical/Electronic/Programmable Electronic Systems (E/E/PES) in process safety applications.
Safety life cycle
The ISA84 committee set out to define the boundaries of its work by developing a safety instrumented system (SIS) safety life cycle (see Figure 1), which illustrated the activities involved when addressing process sector functional safety. ISA84 then selected those activities to be addressed in its proposed standard (i.e., ANSI/ISA-84.01-1996) as noted in Figure 1.
Concurrent with the work to develop ISA-84.01-1996, the committee undertook a review of global activities in the process sector functional safety arena. A 1993 AIChE Center for Chemical Process Safety (CCPS) book, “Guidelines for Safe Automation of Chemical Processes,” served as a key reference for new issues (e.g., SIS, LOPA) related to the process hazards and risk analysis phase of the safety life cycle.
At about that time, the HSE of the U.K. issued a white paper on an approach utilizing programmable electronic (PE) equipment (i.e., software based) in safety applications. While this approach was already in use in parts of the U.S. process sector, having it validated by a third party such as HSE provided further confidence that consensus approaches to handling the design phases of the safety life cycle could be achieved.
ISA84 also became aware that the International Electrotechnical Commission (IEC) had initiated the development of a global functional safety standard (IEC 61508) for all industrial sectors.
ISA84 reviewed the IEC 61508 scope and purpose and recognized that it focused on equipment manufacturers’ requirements for developing products that could be utilized in safety applications. IEC 61508 recognized the need for sector-specific standards while providing owner/user requirements for those sectors without a sector-specific standard. For example, IEC planned to establish a standards committee to address process sector functional safety (i.e., IEC 61511) once IEC 61508 was issued.
ISA84 quickly recognized the value of such an IEC standard and determined that, subsequent to publishing ANSI/ISA-84.01-1996, their future efforts should be to:
- support development of IEC 61508;
- support development of IEC 61511;
- replace U.S. national standard ISA-84.01-1996 with a U.S. approved version of IEC 61511; and
- provide the technical reports which support transition to this global approach.
ISA84 began pursuing these goals after publication of U.S. national standard ANSI/ISA-84.01-1996.
ISA84 recognized that the European Workshop for Industrial Computer Safety (EWICS) white paper submittals served as effective global vehicles for introducing new safety design concepts. EWICS and CCPS were especially helpful to ISA84 since each provided a view of alternate design approaches (a tool that is now also supplemented by the development of ISA technical reports [TRs] for inclusion in today’s functional safety standards). EWICS and CCPS continue to play an important part in harmonizing new and improved design methods.
The impact of IEC 61508 on the safety life cycle is reflected in Figure 2. Note that IEC functional safety standards have an expanded scope that addresses all life cycle phases (i.e., from hazard and risk assessment (H&RA) through decommissioning). The clause numbers noted in the figure are based on ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), “Functional Safety Standard for the Process Industry Sector.”
ISA84 recognized the need to address the impact of OSHA 1910.119, “Process Safety Management of Highly Hazardous Chemicals,” on U.S. process sector owner/users. Accordingly, ANSI/ISA-91.00.01, Identification of Emergency Shutdown Systems and Controls that are Critical to Maintaining Safety in Process Industries, was developed, approved, and issued via a fast-track approach while ANSI/ISA-84.01-1996 was being developed.
Terminology for this effort required a strong commitment by ISA84 to introduce technical terms that would be globally accepted. The international membership of ISA84 and the terminology being developed for IEC 61508 were essential in identifying and reaching consensus on such terms as safety instrumented systems (SIS), safety integrity level (SIL), safety instrumented function (SIF), basic process control system (BPCS), and the like.
The standards development required the integration of both quantitative and qualitative measures to ensure SIS designs had the ability to achieve their projected performance. To address this need, ISA84 developed ISA-TR84.02-2002, which illustrated approaches using various modeling techniques. This TR served two essential purposes:
- It illustrated various quantitative and qualitative tools for validating application designs.
- It demonstrated how TR development was beneficial and key in developing consensus among ISA84 members.
Subsequent to the issue of the 1st edition of IEC 61508, Parts 1 through 7 (1998-2000), the IEC 61511 committee completed and issued the 1st edition of IEC 61511, Parts 1, 2, & 3 (2003). ISA84 reviewed this standard throughout its development and accepted it as a U.S. national standard, replacing ANSI/ISA-84.01–1996. The only modification to IEC 61511 for adoption as a U.S. standard (i.e., ANSI/ISA–84.00.01–2004 [IEC 61511-1 Mod]) was reference to the U.S. handling of legacy systems (i.e., the grandfather clause).
For new projects, compliance with the IEC 61511 safety life cycle typically has minimal impact on total project costs. It requires project and operations leaders to follow the safety life cycle phases through the design, installation, and operation of the SIS.
For existing SIS, the costs to comply will consist of engineering cost and, in most cases, hardware cost. The engineering cost will vary in accordance with the quality of the existing Process Hazards Analysis (PHA). If the PHA has established a tolerable risk for the events under review and determined the target risk reduction for the SIF, little additional engineering is required beyond normal instrument and control design. The probability of failure on demand (PFD) of the SIF at the current test frequency can be calculated and compared to the required SIL. If the existing PHA has not adequately defined the need for risk reduction (e.g., SIF design, SIL requirements), considerable engineering effort may be required to conform to the standard. The PHA must be updated to define these requirements for each identified SIF. The target SIL for the SIF is then determined from the risk reduction required to reach the tolerable risk for the event. The PFD of the SIF can then be calculated to determine whether the tolerable risk for the event is achieved. If the SIF cannot meet the target SIL, the test interval may have to be decreased or redundant equipment added.
Design impact example:
If a site chooses to increase the test frequency to meet the target SIL, online testing may be required to avoid frequent process shutdowns. In many cases, at older sites, additional design and equipment will be required to allow online testing. The design impact for existing systems can be considerable depending on the SIL required for the SIF. The increased cost to allow online testing may be offset with the reduced need for future plant shutdowns. In addition, the ability to test the SIFs online removes the need for instrument mechanics (on overtime) during the plant shutdowns, since testing can be scheduled independent from shutdowns.
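A worked version of the existing-SIS check described above (calculate the PFD of the SIF at the current test frequency, compare it to the required SIL, then either shorten the test interval or add redundancy). This is an added example, not code from the article or from ISA84; it assumes the widely used simplified low-demand PFDavg equations (1oo1: λDU·TI/2; 1oo2: (λDU·TI)²/3 plus a beta-factor common-cause term, as in ISA-TR84.00.02), the IEC 61511 low-demand SIL bands, and a constructed dangerous undetected failure rate.

```python
"""Existing-SIS assessment: compute the PFDavg of a SIF at its current proof-test
interval, map it to an achieved SIL, and find the longest interval (or the
redundancy) that still meets the target SIL."""

# Low-demand SIL bands from IEC 61511-1: SIL -> (PFDavg lower bound incl., upper bound excl.)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HOURS_PER_MONTH = 8760.0 / 12.0


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Simplified PFDavg of a single channel: lambda_DU * TI / 2
    (lambda_DU = dangerous undetected failure rate per hour, TI = proof-test interval)."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du, ti_hours, beta=0.0):
    """Simplified PFDavg of two redundant channels voted 1oo2: the independent term
    (lambda_DU*TI)^2/3 plus a beta-factor common-cause term beta*lambda_DU*TI/2."""
    independent = (lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def achieved_sil(pfd):
    """SIL whose band contains pfd; 4 if below the SIL 4 band, 0 if PFDavg >= 0.1."""
    if pfd < SIL_BANDS[4][0]:
        return 4
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def longest_test_interval_months(pfd_fn, target_sil, max_months=120):
    """Longest whole-month proof-test interval at which pfd_fn(TI_hours) still meets
    target_sil; None if even monthly testing falls short. PFDavg grows with TI in
    both models above, so the search stops at the first failing month."""
    best = None
    for months in range(1, max_months + 1):
        if achieved_sil(pfd_fn(months * HOURS_PER_MONTH)) >= target_sil:
            best = months
        else:
            break
    return best


if __name__ == "__main__":
    # Constructed loop data: lambda_DU = 2e-6 /h (about one dangerous undetected
    # failure per 57 years), currently proof-tested once a year, target SIL 3.
    LAMBDA_DU, ANNUAL, TARGET = 2e-6, 12 * HOURS_PER_MONTH, 3
    pfd1 = pfd_avg_1oo1(LAMBDA_DU, ANNUAL)
    print(f"1oo1, annual test: PFDavg={pfd1:.2e} -> SIL {achieved_sil(pfd1)}")
    # Option A: shorten the test interval (may force online testing, as the text notes)
    months = longest_test_interval_months(lambda ti: pfd_avg_1oo1(LAMBDA_DU, ti), TARGET)
    print(f"1oo1 longest interval for SIL {TARGET}: {months} month(s)")
    # Option B: add a redundant channel (1oo2, 5% common-cause beta) and keep annual testing
    pfd2 = pfd_avg_1oo2(LAMBDA_DU, ANNUAL, beta=0.05)
    print(f"1oo2, annual test: PFDavg={pfd2:.2e} -> SIL {achieved_sil(pfd2)}")
```

With the constructed data, the single channel tested annually only reaches SIL 2 and must be tested monthly to reach SIL 3, whereas the 1oo2 arrangement reaches SIL 3 while keeping the annual test.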
IEC 61511 1st edition:
As described above, the U.S. national standard ANSI/ISA-84.00.01-2004 is the same as the international standard IEC 61511, with the addition of a grandfather clause to accommodate existing SIS installations. Several members of ISA84 are also members of the IEC 61511 committee. ISA84 has contributed a great deal of time and energy to ensure the IEC 61511 international standard meets the needs of the U.S. chemical industry. A major contribution was the introduction of LOPA to the global safety community. Since its introduction, LOPA has become a very popular tool for determining the required SIL for a SIF.
While ISA84 development of U.S. national process sector functional safety standards—and contributions to the development of IEC 61511—have been significant achievements, an equally remarkable achievement is the development and publication of ISA84 technical reports. The technical reports provide timely (i.e., prior to maintenance of IEC 61511) guidance and examples of owner/user implementation of IEC 61511. This includes:
- tools to assist in implementing IEC 61511 requirements;
- example implementation of the full SIS safety life cycle;
- alternate methods for implementation of safety life cycle phases;
- addressing special hazardous operations (e.g., fire and gas, burner management) with regard to SIS implementation;
- addressing non-SIS protection layers; and
- addressing new technology.
The technical reports have also provided valuable technical input to the next edition of IEC 61511 due to be published in 2014. Major issues addressed by the technical reports include:
- ISA-TR84.00.02, Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques;
- ISA-TR84.00.03, Mechanical Integrity of Safety Instrumented Systems (SIS);
- ISA-TR84.00.04 - Part 1, Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod);
- ISA-TR84.00.04 - Part 2, Example Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod);
- ISA-TR84.00.05, Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS);
- ISA-TR84.00.06, Safety Fieldbus Design Considerations for Process Industry Sector Applications;
- ISA-TR84.00.07, Guidance on the Evaluation of Fire, Combustible Gas, and Toxic Gas System Effectiveness; and
- ISA-TR91.00.02, Criticality Classification Guidelines.
IEC 61511 2nd edition and future:
All three parts of the second edition of IEC 61511 committee draft (CD) have been completed and submitted to IEC. IEC has issued the three parts for commenting, along with a supportive cross-reference addendum. Transmission for commenting via ISA occurred on 2 April. The following schedule is planned:
- 3rd quarter 2012: national committee (NC) comments submitted to IEC 61511 for review;
- 4th quarter 2012: IEC 61511 committee meets to address NC comments;
- 2013: IEC 61511 meets as necessary to address all NC comments and develop the IEC 61511 committee draft for voting (CDV);
- 1st quarter 2013: IEC 61511 committee issues final version of IEC 61511 CDV (all three parts) to IEC; and
- IEC issues IEC 61511 final draft international standard (FDIS) (i.e., IEC 61511 FDIS for Parts 1, 2, and 3) in 2014.
In 2014, ISA84 will review the 2nd edition of IEC 61511 and prepare any necessary modifications for adoption as the next edition of ISA-84.00.01. Submission to ANSI for their approval will follow.
Currently, ISA84 is reviewing and commenting on the IEC 61511 CD (committee draft). The comments will focus on proposed modifications to IEC 61511 such as:
- change of focus to application programming instead of software;
- relocation of application programming requirements throughout the text instead of leaving it solely in clause 12;
- addition of new hardware fault tolerance approach;
- expanded requirements and guidance for use of the BPCS for risk reduction;
- additional requirements and guidance for implementation of SIL 4 SIF;
- increased emphasis on holistic considerations in dealing with safety instrumented system qualitative and quantitative factors;
- expanded guidance throughout Part 2, including new annexes providing application examples;
- increased emphasis on security; and
- additional methods for determination of the required safety integrity levels.
The process sector is faced with many plant floor factors that require additional risk reduction analyses, such as security, wireless instrumentation, alarms, human factors, BPCS, and many other protection layer issues. These are all impacted by IEC 61511 and by IEC/ISA/CCPS global requirements in those specific arenas (e.g., ISA18 on management of alarms, ISA99 on control systems cyber security, ISA100 on wireless, and CCPS—Layer of Protection Analysis [LOPA]).
ISA84 is addressing these issues through the development and maintenance of technical reports and initiation of new ISA84 TR development teams such as:
- working group 8 (WG8) addressing wireless technology for safety applications, which includes a partnership with ISA100 to address joint issues between wireless and functional safety;
- working group 9 (WG9) addressing security issues in SIS applications; and
- ISA99 WG7, a joint effort with ISA99 to address overlapping security and functional safety related issues.
The efforts outlined in this article are only as effective as the resources utilized to develop these projects. It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. There is no membership fee to serve on ISA84 or any ISA standards committee, nor a requirement to be an ISA member. Your input and participation are welcomed and needed. For more information, contact Charley Robinson of ISA Standards, email@example.com.
ABOUT THE AUTHORS
William Johnson is a recognized expert in all phases of the IEC 61511/ANSI safety life cycle including Process Hazard Analysis, Layer of Protection Analysis (LOPA), Fault Tree Analysis, and Probability of Failure on Demand calculations. Johnson rejoined DuPont Sustainable Solutions (DSS) following 44 years of continuous service with the DuPont Company in areas including operations technical support, process dynamic modeling, control, and safety interlock system design. He has been a leader in various aspects of Process Safety Management (PSM) at the local site, business, division, and corporate level. He is a qualified Process Hazards Analysis (PHA) leader, a qualified LOPA leader, and a qualified instructor for several PSM-related subjects. Currently chairman of ISA84, he is a U.S. expert on international safety committees IEC 61508 and IEC 61511. He holds a BChE from the University of Maryland, and an MChE from the Stevens Institute of Technology, and is a Professional Registered Engineer in New Jersey and Delaware.
Richard R. Dunn (firstname.lastname@example.org) is Senior Control Systems Consultant with DuPont and a member and editing chairman of the IEC 61511 Standard Committee (Functional Safety Instrumented Systems for the Process Industry Sector) maintenance team 2nd edition development. He serves on IEC 61508 and leads ISA84 WG91 on Identification of Emergency Shutdown Systems and Controls that are Critical to Maintaining Safety in Process Industries. He is a CCPS book committee member on “Guidelines for Safe and Reliable Instrumented Protective Systems.” He holds a BSME from Michigan Technological University, where he conducted graduate studies in control systems and manufacturing systems engineering.
Victor J. Maggioli is President, Feltronics Corp., and a retired DuPont Engineer. He is an ISA Fellow and a member of ISA’s Standards and Practices Board; co-Director of ISA84; a lifetime member of IEEE; a member of IEC 61508; a member of the European Workshop for Industrial Computer Safety (EWICS); an original committee member of IEC 61131; and convenor of IEC SC65A Maintenance Team 61511. He also serves as a U.S. appointed expert to IEC SC65A on matters having to do with process sector functional safety.