November 2008

Verifying legacy systems: A European safety perspective

By Colin Easton

In the U.K. process industries, the Health and Safety Executive (HSE) recognizes IEC 61511 as relevant good practice for functional safety of safety instrumented systems (SIS) in the process industry sector. In HSE's view, if users meet the requirements of IEC 61511, thereby demonstrating they have reduced the risks under the control of safety instrumented systems to a level as low as reasonably practicable (ALARP), they have done enough to comply with U.K. law as far as safety instrumented systems are concerned.

A project following an HSE surveillance visit to an existing process facility prompted us to describe how the site addressed HSE issues about its legacy safety instrumented systems. Using IEC 61511 can provide assurance that existing safety instrumented functions are capable of achieving the required contribution to risk reduction when applying the ALARP principle.

These concepts are applicable to the assessment of the majority of legacy SIS used within the process industries. The safety integrity level (SIL) verification of a legacy SIS is a process that reviews and assesses the SIS against the consequences of previously identified hazardous events. The legacy verification process focuses on the ability of an existing SIS to meet the recommendations of IEC 61511 and the current process plant design intent. It recognizes that the legacy system's design met the standards of the day, and it applies the techniques and measures in IEC 61511 as a performance benchmark for verifying the legacy SIS in terms of fitness for purpose, through a proven-in-use argument supported by SIL calculations.

The verification process examines the installed safety instrumented sub-system components and functions for purpose and adequacy. It determines what measures of protection and intervention they perform to minimize the risk of an incident, and it establishes what remedial work, if any, is required to the SIS.

The IEC 61511 standard is concerned with the functional safety of process plant safety instrumented systems. It requires:

  • Hazard and risk assessment to identify overall safety requirements. This usually takes the form of a HAZOP study that helps develop the site's safety management system and COMAH compliance strategy.
  • An allocation of safety requirements to the safety-instrumented system.
  • Operation within a framework applicable to all instrumented methods of achieving functional safety.
  • Detailed use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety, and which the site's safety management system addresses.

IEC 61511 is not simply concerned with the aspects of design, but addresses all the relevant safety lifecycle stages including the initial concept, design, and implementation.

Verification process

SIL verification at the chemical incineration plant helped us evaluate whether a legacy system provided a sufficient level of protection and met ALARP requirements in terms of risk contribution. The framework for the study included IEC 61508 and IEC 61511.

The verification process comprises two main stages. The first stage is an evaluation of the risk reduction contribution required from the safety instrumented systems. It considers existing passive and active protection devices in terms of prevention and mitigation of the identified plant hazards and assesses their contribution towards the overall risk reduction target. For example, it assesses whether a tank bund area is adequately sized to provide overspill mitigation in addition to the prevention provided by a high-level switch. In such an assessment you could use a combination of visual inspection and interrogation of existing hazard study reports, drawings, and documents to gain an impression of the state of the SIS and of the other protection layers contributing to the overall risk reduction requirement.

The second stage is a numerical evaluation of the legacy safety instrumented functions to verify that the required risk reduction contribution (target safety integrity level) can be achieved. For this stage, equipment manufacturers can provide information about the quality systems and controls, current status, remaining life, and serviceability of the equipment. Where possible, you should review manufacturers' data sheets for either the installed equipment or suitable replacements.

Safeguards, risk tolerability

The verification of legacy systems begins with a review of the existing hazard and operability study (HAZOP) report, plant risk assessments, and the as-built plant P&IDs to identify existing safeguards, and of the plant control of major accident hazards (COMAH) report to ascertain the site's tolerability of risk criteria.

The existing safeguards are required to achieve or maintain a safe state of the process and to contribute the necessary risk reduction to meet the tolerable risk a company determines as part of the COMAH report ALARP argument.

The ALARP argument means weighing a risk against the trouble, time, and money needed to control it. The decision-making process requires the company to exercise judgment, apply good practice, and (for high risk situations) use formal techniques including cost-benefit analysis to form a judgment. HSE recognizes IEC 61511 as relevant good practice and acceptable as a part of the ALARP argument.

You can achieve the necessary risk reduction by a SIS alone or by a combination of a SIS and other protection layers, such as mechanical protection in the form of venting or passive protection in the form of a tank bund or fire wall. As in the case of the tanker off-loading procedures, a person could be an integral part of a safety function providing a risk reduction. In this case, you should consider all human factors, and any claim is limited by the complexity of the task, training, and experience.

Verification findings

The worst-case scenario identified in the HAZOP was a loss of containment leading to a possible ignition of a vapor cloud or asphyxiation of an operator. Based on plant information, this has occurred once in 16 years of plant operation. Using the risk ranking matrix, we selected the following parameters:

  • Consequence severity S3 using the asset parameter, local damage/partial shutdown. This means plant restart is possible, but it costs up to £500,000 (U.S. $823).
  • Frequency ranking PE based on 1 loss of containment in 16 years of operation.

We considered the unprotected risk intolerable, and (based on HSE advice) we set the required protected risk at two orders of magnitude below the unprotected risk value.

The simplified risk model looked at four possible protection layers, each contributing a one-order-of-magnitude risk reduction. The safety instrumented function therefore was required to achieve a target risk reduction factor of 10 which is equivalent to a safety integrity level of 1.

We had to address the target SIL 1 with respect to both systematic and hardware integrity, to substantiate the claim that the existing tank farm equipment achieves the SIF target of RRF 10.

For the systematic element we demonstrated that the plant equipment could meet the prior-use and hardware-fault-tolerance requirements. For the hardware elements we used the simplified formulas in IEC 61511 to demonstrate that the required average probability of failure on demand (PFDavg) was achievable.
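The allocation in the simplified risk model above and the PFDavg check against the SIL 1 band can be worked through numerically. The following is an added example, not part of the article or the plant study; the failure rates, proof-test interval, and the single credited non-SIS layer are constructed values, and the 1oo1 and 1oo2 equations are the low-demand simplified forms (dangerous undetected failures only, perfect annual proof test).

```python
import math

# Low-demand-mode SIL bands from IEC 61511: (SIL, RRF lower bound, RRF upper bound).
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


def sil_for_rrf(rrf):
    """Return the SIL whose band contains this risk reduction factor, or None below SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    return None


def required_sif_rrf(total_rrf_required, other_layer_rrfs):
    """Risk reduction left for the SIF once the other protection layers are credited."""
    credited = math.prod(other_layer_rrfs)  # empty list -> 1, i.e. no other credit
    return max(1.0, total_rrf_required / credited)


def pfd_avg_1oo1(lambda_du, proof_test_h):
    """Simplified single-channel equation: PFDavg = lambda_DU * TI / 2."""
    return lambda_du * proof_test_h / 2


def pfd_avg_1oo2(lambda_du, proof_test_h, beta):
    """Simplified 1oo2 equation: independent-failure term plus common-cause (beta) term."""
    x = lambda_du * proof_test_h
    return ((1 - beta) * x) ** 2 / 3 + beta * x / 2


def verify_sif(target_sil, subsystem_pfds):
    """Sum the subsystem PFDs (sensor, logic solver, final element) and test the SIL claim."""
    pfd = sum(subsystem_pfds)
    achieved = sil_for_rrf(1 / pfd)
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "achieved_sil": achieved,
            "meets_target": achieved is not None and achieved >= target_sil}


# Constructed inputs: 100x total reduction required, one other layer (the bund) credited 10x.
TARGET_SIL = sil_for_rrf(required_sif_rrf(100, [10]))  # SIF must provide RRF 10 -> SIL 1
TI = 8760.0  # annual proof test, in hours
# Constructed dangerous undetected failure rates (per hour): level switch, relay logic, valve.
LOOP_1OO1 = [pfd_avg_1oo1(1e-6, TI), pfd_avg_1oo1(2e-7, TI), pfd_avg_1oo1(2e-6, TI)]
RESULT = verify_sif(TARGET_SIL, LOOP_1OO1)

if __name__ == "__main__":
    print(f"target SIL {TARGET_SIL}, PFDavg {RESULT['pfd_avg']:.2e}, RRF {RESULT['rrf']:.0f}, "
          f"achieved SIL {RESULT['achieved_sil']}, meets target: {RESULT['meets_target']}")
```

Swapping a single level switch for a 1oo2 pair with pfd_avg_1oo2 shows how the common-cause factor beta, not the independent term, dominates the sensor subsystem once redundancy is added.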

U.S. perspective on IEC standard

When it comes to safety standards, most of the U.S.-based ISA84 standard is identical to the international standard, IEC 61511, at least "the whole first paragraph is identical as far as the U.S. stance," said Paul Gruhn, safety product specialist at ICS Triplex in Houston.

A few years ago, OSHA wrote an interpretation letter to ISA confirming the ISA84 standard is recognized as the good engineering practice that they expect users to follow in order to be compliant with the appropriate portions of the U.S. Process Safety Management (PSM) Regulation (29 CFR 1910.119).

What's different?

The term "as low as reasonably practical" (ALARP) "is a U.K. legal concept," Gruhn said. "While I discuss it in my classes, I'm not aware of it being used in the U.S., although the general concepts certainly apply."

Control of major accident hazards (COMAH) is the U.K. equivalent of the U.S. PSM regulation. This section contains requirements for preventing or minimizing the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals, Gruhn said. "These releases may result in toxic, fire, or explosion hazards. OSHA estimates it applies to 25,000 facilities in the U.S.," he said. COMAH applies mainly to the chemical industry, but also to some storage activities, explosives and nuclear sites, and other industries where threshold quantities of dangerous substances identified in the regulations are kept or used.

Other differences lie in the U.S. grandfather clause in ISA84 standards. "The ISA84 committee wanted to address legacy systems as well," Gruhn said. "That was the whole point of including the grandfather clause in ISA84. That's the only clause that does not exist in the international version of the standard (IEC 61511)," he said.

The clause essentially came from the U.S. PSM regulation and states, "for existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard (e.g., ANSI/ISA-84.01-1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner."

"Overall, the U.S. perspective is no different," Gruhn said. "People must verify that existing systems are safe using the same methodology described by [Easton]."