Future applications of safety-related control systems using electronic or Programmable Electronic Systems (PES) technology to protect potentially hazardous plant will be affected by the emerging International Electrotechnical Commission (IEC) 1508 draft standard, Functional safety – safety related systems.
This standard sets out a generic approach for lifecycle activities related to safety. Key features include a systematic, auditable and coherent approach to the safety lifecycle. This includes defining four discrete Safety Integrity Levels (SIL) – one is the lowest and four the highest, with each level having target failure measures assigned.
IEC 1508 is a voluntary standard, with a risk-based approach to specifying safety protection systems. However, if an explosion occurs on a plant, the owner, and potentially the sub-suppliers, will have to show they have applied ‘due diligence’ in designing the safety system to the latest and most appropriate standards and codes of practice – which is bound to include being aware of the needs of IEC 1508. For 1508 to be successful, however, individual application guidelines for different industries will have to be developed.
Process industry guidelines
Application guidelines for IEC 1508 for the process industry were the subject of a symposium and workshop, organised by ICS in Maldon in November, where the views of end users, contractors, the Health and Safety Executive (HSE) and suppliers were considered.
Codes and guidelines already exist for designing safety systems. They include the HSE’s PES guidelines, the American Petroleum Institute’s (API) RP14C standard, the Engineering Equipment Materials Users Association (EEMUA) Publication 160, the UK Offshore Operators’ Association (UKOOA) instrument-based protective systems guidelines and ISA’s S84 safety standard for the process industry.
All are expected to be considered in preparing the emerging IEC 1511 standard for the process industries, a sub-set of 1508.
Taking the UKOOA guidelines first, Mervyn Currie, from BP in Aberdeen, said that the risk-based approach taken in 1508 is also included in UKOOA’s document, which considers protection of assets, reduction of risk to personnel, environment protection and continuity of production.
Currie said: ‘The cost of ownership of a safety-related system is directly related to the level of integrity provided’.
Assessments of levels of integrity (SIL), therefore, need to be carefully evaluated to ensure that these are not over specified.
System design also needs to take into account the application of new technology. Currie said: ‘Field devices should not be digitally integrated into logic systems yet, as there is insufficient confidence in smart systems at present’. He said that there was a higher potential for system errors in software than in non-programmable systems, and as high-integrity software was expensive they would only use it for SIL levels 0, 1 and 2.
Currie said that third-party accreditation may help improve confidence but was not an absolute requirement. ‘For example, AK levels in the German TUV 1506 standard do not mean a lot as they do not directly relate to SIL requirements’. Currie said that there is also a timescale issue where equipment with long lead times has to be ordered early, so plans for changes need to be taken into account.
Three countries which disagree with 1508 are the USA, France and Canada. Paul Gruhn, from ISA’s S84 committee, says that the Americans cannot go along with quoting acceptable death rates for different industries, part of 1508.
He also said that mandating ISO 9000 was not acceptable, as the USA did not want this to become a certifiable activity – with all the implications for suitably qualified staff. Gruhn said the preference by OSHA in the USA (similar to HSE in the UK) was for the owner to determine and document the basis for all design decisions.
Gruhn highlighted HSE’s document Out of Control as a good basis to show that errors in the specification stage were the main cause of dangerous situations.
Mike Moroney, from contractor Kvaerner, said that 1508 adds structure to the design process to determine system architecture before the Hazop. He said this should include, where possible, involving the offshore OIM and maintenance superintendent in the design team.
Another change needed was for the functional specification that users give to contractors to include a statement of objectives – such as outlined in Appendix F of the Crine specifications for design philosophies – which helps the vendor to apply the correct solution.
For example, on one project, the DCS system on a refinery became safety related when it was found that the flare stack was under-sized for handling all the relief valves opening at once on the plant.
Moroney said that tolerable risk levels have to be agreed, although this can provide a legal trail in the USA.
He said that it was particularly important to document the intent of the software design, as it was often natural to do things without full documentation. He said this was particularly important for a plant which has a 20 year lifecycle undergoing continuous modification.
Moroney said that although 1508 was not law, ‘it is written in blocks of stone which could break on the user’s head if not followed’. He said this ‘voluntary’ standard could be used against you in Court if it is not considered from the outset in the design of all aspects of the lifecycle of a safety system.
Implications of 1508 for Triple Modular Redundant (TMR) system and PLC suppliers will be increasingly important. ICS, for example, is already using TUV approvals in the development of Camelot, a major TMR system advance with a £20+ million investment. More in C&I later!