iec 61508 - what it doesn't tell you




SPECIAL FEATURE: IEC 61508

by W. S. Black

Experience has shown that unless certain work is done in advance, problems are likely to occur when IEC 61508 is applied in a real project context. This article outlines some of the problems that can occur, and discusses what you need to do to avoid having difficulties. It outlines the essential steps needed to ensure delivery of a cost-effective implementation and a high level of risk assurance. The essential steps covered include: (a) development of risk awareness and training of management and technical staff in the fundamentals of the risk-based approach; (b) adjustment of your policy and strategy on risk so as to integrate the risk-based approach of IEC 61508 into an overall risk management framework; a critical activity here is to decide on the methods and parameter descriptions that will be used to determine the necessary risk reductions for your applications, so that they are in alignment with your corporate risk acceptance criteria; (c) training of project and operational staff on the basic requirements of IEC 61508; and (d) development of your project procedures so that they are consistent with and encapsulate the requirements of IEC 61508. Many of the essential requirements of IEC 61508 overlap with normal quality requirements and this can easily lead to needless duplication of work.

There is a general perception that IEC 61508 is sufficient definition on its own for what is needed for all aspects of protection system implementation. This perception is far from reality and arises from inadequate knowledge of the standard and of what is necessary for safety. The new IEC standard is generic and international, and because of that it cannot cover what is necessary for all sectors and all countries. Many of the problems that occur are caused by insufficient account being taken of:

- normal practice in the industry sector
- legal requirements in the country of application
- Regulator expectations
- how an organisation does business
- corporate criteria on risk.

Normal practices in the process sector

The original purpose of developing IEC 61508 was so that it could provide a generic framework on which to base sector-specific standards. Sector-specific standards are beneficial for the following reasons:

Each sector has its own experience of applying such systems and it is important to capture that experience. This is particularly the case for sensors and actuation devices. Each sector also has its own language and terms, and expressing the principles within IEC 61508 in familiar terms will aid industry acceptance and reduce the likelihood of mistakes.

Issued and emerging standards relevant to instrument protection systems in the offshore industry include the following:

- API RP 14C (sixth edition): Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems.
- ISO 10418 (1993): Offshore Production Platforms: Analysis, Design, Installation and Testing of Basic Surface Safety Systems.
- IEC Draft Standard 61511: Functional Safety: Safety Related Systems for the Process Industry.
- ISO 13702: Petroleum and Natural Gas Industries: Requirements and Guidelines for the Control and Mitigation of Fires and Explosions on Offshore Oil and Gas Installations.
- ISO Draft Standard 10418: Analysis, Design, Installation and Testing of Basic Surface Safety Systems.
- ISO Draft Standard 17776: Guidance on tools and techniques for hazard identification and risk assessment.

Before undertaking any new projects or major modification work it is important to understand the current status and significance of all the above standards to the work involved. In the USA the current approach will be to apply either ISA or API standards depending on whether the work is onshore or offshore. The majority of American operators and contractors either have little awareness of IEC 61508 or consider many of the requirements to be irrelevant or unnecessary within the process sector. This is in part due to the language used and to the concern that the Regulator may expect compliance with the standard for existing as well as new installations. This position is likely to change once work on IEC 61511 is further advanced. Currently the first issue of Part 1 and Part 3 of IEC 61511 have been circulated for comment.

In the UK offshore industry many contractors are experienced in designing facilities according to API 14C and continue to apply its principles to all new designs. In many instances contractors are not familiar with the new IEC standard and have not applied its principles until late on in the design process. This has caused problems because the design processes of the two standards are not the same. Late application of IEC 61508 can lead to extra work and in some cases to redesign of instrument protection systems for secondary protection. A particular difficulty is that IEC 61508 requires predictions of the consequences of failure to operate on demand. This requires that some predictions are made of final process conditions, whether containment is breached and what impact that will have on safety. It also requires frequency prediction, which in some instances may require fault trees to be constructed.

The scope of IEC 61508 is safety and environment, but the main emphasis is on safety. Environment gets a brief mention but asset protection for economic reasons is not considered at all. It is therefore important to determine the specific risk reductions required (i.e. safety and/or environment and/or asset protection) if risks are not to be underestimated.

Another notable problem occurs when IEC 61508 is applied to fire and gas systems. In some instances predictions have not taken into account other protection layers, and integrity level assessments have resulted in general purpose area protection being assessed as SIL 2 or 3 (safety integrity level 2 or 3). Because fire and gas systems have multiple functions and multiple components, configuring real systems to meet such high requirements is not practical.

A new revision of ISO 10418 has the objective of integrating IEC 61508 and API 14C into an overall approach for offshore. The first draft of this standard has been issued for comment. The proposed approach will require all instrument based secondary protection systems to be implemented according to IEC 61508. It is also likely that the new revision of ISO 10418 will be more restrictive in the architectures it will permit than IEC 61508. It is therefore essential for all offshore applications to take account of both standards.

Legal requirements in the country of application

The IEC 61508 standard requires hazard identification and risk analysis to be carried out to enable safety functions and safety integrity levels to be defined. In Part 5 it gives examples of a number of methods that may be used. It is important to realise that not all methods are equal and not all would necessarily meet the legal requirements within the UK. Some of the methods described, for instance, would not necessarily result in the risk being reduced so far as is reasonably practicable. In the UK it will always be necessary to demonstrate in documentation that the principles of ALARP (as low as reasonably practicable) have been applied, and this can be difficult with some techniques such as risk graphs. It is possible to incorporate ALARP concepts into risk graphs but this requires prior work to ensure that the parameter descriptions are adjusted.

Regulator expectations

In many parts of the world it is necessary to submit safety cases to Regulators for approval and agreement. Before doing so it is worthwhile finding out what expectations the Regulator has for hazard identification, risk assessment and safety system implementation. The expectations of a particular Regulator may change depending on the specific sector under consideration or the nature of the risk. As far as I am aware, in the UK offshore sector quantification of major risks is normally expected. Risk graph or risk matrix methods will therefore not be appropriate in all cases. One approach worth considering is to use risk graphs for 'screening' purposes. With such an approach, where the use of the risk graph results in SIL levels above a specified level, quantification of the risk reduction requirements would be carried out. Regulators may also have opinions on the maximum SIL that can be achieved in a specific sector. Although Regulator opinions on such issues need to be considered, they should not be left unchallenged.

COMPUTING & CONTROL ENGINEERING JOURNAL, FEBRUARY 2000


How an organisation does business

The IEC 61508 safety lifecycle is generic and does not align well with normal process industry project procedures. This can cause significant problems, since it would be unreasonable to expect general project procedures to be modified to make it easier to implement a few safety systems. A particular problem is the issue of hazard identification and risk assessment. In the process sector the formal Hazop is not carried out until P&IDs are in the final stage of definition. At this stage safety systems would already have been defined, so conflicts can arise between what has been designed and what is shown by Hazop to be necessary. To avoid these problems, hazard identification and risk assessment must be carried out early in the process design. It must, however, be recognised that this is not a process design activity alone. A team approach involving operations, mechanical containment engineers, control specialists and fire and blast specialists will need to be involved in the decision-making process.

Another important issue is how the safety management planning and verification activities required in the IEC 61508 standard can be incorporated into normal project activities. All organisations undertaking work on projects normally work to ISO 9000 quality standards. The quality procedures applied can usually be shown to meet the essential requirements, but this needs to be formally documented in the specific plans developed for the safety system implementation.

IEC 61508 requires an independent functional safety assessment to be carried out prior to start-up of the facility. It needs to be considered how such assessments fit into the normal safety review processes. It will be expensive and confusing if the functional safety assessments are not integrated with the overall safety review process.

A further requirement within IEC 61508 is important to note. The standard requires planning of validation, installation, and operation and maintenance activities. Many contractors do not see such planning as part of their work and assume that it will be carried out by others. It is essential to get clarity at an early stage as to who is responsible, and then to make sure that they are fully involved during design activities.

Risk acceptance criteria

The standard does not specify what can be tolerated in the way of residual risk and allows alternative methods of determining what risk reduction is needed. These are decisions that need to be undertaken by the organisation responsible for the overall safety of the installation. The decisions will influence the final safety achieved and need to be taken at a senior level in the responsible organisation. In taking such decisions it must be recognised that operators are exposed to multiple risks. On any installation there will be a number of instrument protection systems, each of which will contribute to an overall risk. The overall risk will include the risk of other functional failures such as relief system failure and the normal risks from fires and explosion, falls and dropped objects. In considering what risk targets can be applied to an individual instrument based system, these other risks must be considered and taken into account. There are a number of ways of undertaking this allocation process and this must be decided in advance of considering an individual application.

Where risk graphs are used to determine safety integrity levels, the residual risk will depend on how the parameter descriptions in IEC 61508 are interpreted. Before using any risk graph there will need to be some agreement on the ranges associated with each of the parameters included in the graph. As an example, the parameter W, which is defined in IEC 61508 as the probability of unwanted occurrence, needs to have value ranges assigned to W1, W2 and W3 so that decisions can be taken by the team involved in setting integrity levels. Similar judgments must be made for each of the parameters used in the risk graph. In making such decisions it needs to be recognised that selecting the ranges for each parameter is in effect deciding the risk acceptability criteria. The decisions taken on the parameters will need to reflect the operator's criteria on individual and societal risk and how overall risks are to be allocated to individual instrument systems.
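The screening approach described under 'Regulator expectations', the fire and gas point about protection layers that were never credited, and the parameter calibration just discussed can be put together in one worked example. What follows is an added illustration written for this page, not code from the article or from IEC 61508. The graph structure is modelled on the informative example risk graph in IEC 61508-5 Annex D (rows X1 to X6 and outputs -, a, 1 to 4, b); the numeric ranges for C, F, P and W (W is taken here as a demand rate in events per year), the tolerable frequencies, the other-layer PFD values, the three scenarios and the names Scenario, risk_graph, quantified_sil and assess are all assumptions made for the example.

```python
"""Risk-graph screening backed by a quantified required-risk-reduction check.
Added illustration, not code from the article or from any standard. The graph
structure follows the informative example in IEC 61508-5 Annex D (rows X1..X6,
outputs -, a, 1..4, b); every number below is an ASSUMED calibration or sample."""
import math
from dataclasses import dataclass

# Calibration (assumed). Fixing these ranges fixes the residual risk the graph
# accepts, so they are a corporate decision taken before any project starts.
W_BANDS = [(0.03, "W1"), (0.3, "W2"), (math.inf, "W3")]  # demand rate, events/yr
C_BANDS = [(0.1, "CA"), (1.0, "CB"), (10.0, "CC"), (math.inf, "CD")]  # fatalities/event
F_FREQUENT = 0.1   # occupied fraction of time at or above this -> FB, else FA
P_AVOIDABLE = 0.9  # probability of escaping harm at or above this -> PA, else PB
SCREEN_SIL = 2     # a graph result at or above this SIL (or 'b') gets quantified

# Row output for (W1, W2, W3): '-' no requirement, 'a' no special safety
# requirement, '1'..'4' SIL, 'b' a single E/E/PE system is not sufficient.
OUTPUT = {1: ("-", "-", "a"), 2: ("-", "a", "1"), 3: ("a", "1", "2"),
          4: ("1", "2", "3"), 5: ("2", "3", "4"), 6: ("3", "4", "b")}


@dataclass
class Scenario:
    name: str
    demand_rate: float     # hazardous events per year with no trip (W input)
    fatalities: float      # expected fatalities per event (C input)
    exposure: float        # fraction of time people are in the area (F input)
    p_avoid: float         # probability people can escape in time (P input)
    tolerable_rate: float  # agreed tolerable frequency of the event, per year
    other_layers_pfd: tuple = ()  # PFDs of independent non-SIF layers credited


def band(value, bands):
    """Map a number onto the first band whose upper bound it falls below."""
    for upper, label in bands:
        if value < upper:
            return label
    raise ValueError(value)


def risk_graph_row(c, f, p):
    """Row X1..X6: CA goes straight to X1; each worse F or P branch steps one row."""
    if c == "CA":
        return 1
    return {"CB": 2, "CC": 3, "CD": 4}[c] + (f == "FB") + (p == "PB")


def risk_graph(s):
    c = band(s.fatalities, C_BANDS)
    f = "FB" if s.exposure >= F_FREQUENT else "FA"
    p = "PA" if s.p_avoid >= P_AVOIDABLE else "PB"
    w = band(s.demand_rate, W_BANDS)
    row = risk_graph_row(c, f, p)
    return {"params": (c, f, p, w), "result": OUTPUT[row][int(w[1]) - 1]}


def pfd_to_sil(pfd):
    """IEC 61508-1 low-demand bands: SIL n covers 10^-(n+1) <= PFD < 10^-n.
    0 means no SIL is needed; 'b' means even SIL 4 would not be enough."""
    if pfd >= 0.1:
        return 0
    if pfd < 1e-5:
        return "b"
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil


def quantified_sil(s, credit_other_layers=True):
    """Required risk reduction = (demand rate x PFD of credited layers) / target."""
    rate = s.demand_rate
    if credit_other_layers:
        for pfd in s.other_layers_pfd:
            rate *= pfd
    rrf = rate / s.tolerable_rate
    if rrf <= 1.0:
        return {"rrf": rrf, "required_pfd": 1.0, "sil": 0}
    return {"rrf": rrf, "required_pfd": 1.0 / rrf, "sil": pfd_to_sil(1.0 / rrf)}


def assess(s):
    """Screen with the graph; quantify only where the graph result is high."""
    graph = risk_graph(s)
    r = graph["result"]
    quantify = r == "b" or (r.isdigit() and int(r) >= SCREEN_SIL)
    return {"scenario": s.name, "params": graph["params"], "graph": r,
            "quantified": quantified_sil(s) if quantify else None}


# Constructed sample scenarios; all figures are assumed for illustration.
SCENARIOS = [
    Scenario("F&G area protection, process module", 0.05, 2.0, 0.5, 0.5, 1e-5, (0.1, 0.1)),
    Scenario("Separator high-level trip", 0.1, 0.5, 0.05, 0.95, 1e-4, (0.1,)),
    Scenario("Compressor discharge overpressure", 1.0, 1.5, 0.2, 0.5, 2e-5, (0.01,)),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(assess(s))
        print("  same, ignoring other layers:", quantified_sil(s, False))
```

Running it shows the point made above about fire and gas: the area-protection scenario that the graph rates SIL 3 comes out at SIL 1 once two independent layers are credited in the quantified check, and at SIL 3 again if they are ignored. The separator trip screens out at 'a' and is never quantified. None of the numbers mean anything until the bands and the tolerable frequencies have been agreed as corporate criteria, which is exactly the prior work the text calls for.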

The scope of IEC 61508 is limited to cases where safety and environmental risk need to be reduced. Risk acceptability criteria for overall safety risks are reasonably well established. The industry is well aligned on what maximum individual risk can be tolerated and on how societal risks must be reduced to meet ALARP requirements. The criteria for acute environmental risk are not well established and each company will need to decide what frequency is justified for a wide range of environmental consequences. This is a difficult task, but decisions will not be able to be taken on environmental protection systems until risk acceptability criteria have been decided. Where the consequences of failure are economic, the level of assurance needed by business management should be equally high. The level of performance justified for a specific application will depend on the following:

- the cost of alternative levels of performance
- the economic risk arising from rebuild cost and lost production
- the rate of return expected by the business for increased investment.

It should be noted that in the process sector hazards leading to fatality will often also result in environmental damage and economic loss. The risk reduction required for reasons of economic risk may exceed what can be justified for reasons of safety.

Essential steps for all organisations

If problems are to be avoided during the project implementation of process protection systems using IEC 61508, it is essential for all organisations to make a number of important decisions in advance. The decisions are corporate decisions independent of individual projects and will need agreement at senior management level. Such decisions take time and will lead to project delays if not considered in advance of project commencement.

Experience has shown that many of the problems that occur during project implementation are due to lack of training or failure to specify policy and strategy at an early stage. A four-stage approach should be considered, as follows:

Step 1: Management needs to be made aware of the fundamentals of the risk-based approach, the new standards and the relevant regulations. Technical specialists are unlikely to have the authority on their own to make key decisions on risk, and those with the necessary authority need to have adequate awareness before decisions can be taken.

Step 2: After being made aware of the fundamentals of the risk-based approach in Step 1, management needs to make some fundamental decisions such as the following:

- The risk acceptability criteria that are to be applied to individual instrument systems so as to meet overall corporate objectives on risk reduction. The risks considered should include safety, environment and asset (economic) risk.
- The methods that should be used to determine the necessary risk reduction. In making such decisions it will be necessary to consider Regulator expectations in addition to the level of assurance necessary. Quantitative methods may give more assurance but can involve additional cost and take more time.

Step 3: Project and technical management need to be made aware of the fundamentals, the new standards and the relevant regulations. They also need an understanding of the safety lifecycle and of the technical activities that need to be carried out at each stage.

Step 4: Project and technical management need to consider the changes that should be made to project procedures so as to enable effective and efficient project execution. Issues that will need to be considered include the following:

- The departments that are responsible for determining the components of initial risk, and when such work will be carried out.
- How the required risk reduction is to be determined, who should be involved and when the decisions should be taken.
- The departments responsible for implementing protection systems, and how the needs of installation, validation, and operations and maintenance are to be incorporated in designs.
- How functional safety is to be managed and how this activity fits into the overall safety management process. In particular, who is to carry out independent functional safety assessments and when, and how all the necessary activities relate to the management of quality.
