Kimberly A. Ford and Angela E. Summers, Ph.D., P.E.
Premier Consulting + Engineering
Published in part: Chemical Engineering Progress, May 1999
Abstract
The ANSI/ISA S84.01-1996 standard on the Application of Safety Instrumented Systems for the Process Industries has introduced many new requirements for the assessment, evaluation, design, installation, operation, and maintenance of safety instrumented systems (SIS). As with any new standard, one of the most difficult compliance aspects to address is the consideration for existing systems. The standard includes a clause for existing equipment, in which the owner/operator must only demonstrate that the SIS is "designed, maintained, inspected, tested, and operating in a safe manner."
The process industries are under continuous pressure to improve the operation of their facilities. This optimization results in an environment of constant change, in terms of upgrades and expansions. The "grandfather" clause is for existing SIS only. At some point, the modifications of the process unit and the SIS will be significant enough to trigger the full requirements of ANSI/ISA S84.01-1996. This paper will address the various criteria that are being used throughout the process industries to define the boundaries and limitations of this clause. It will also provide recommendations on how to make sure that a process facility is protected in regard to the "grandfather" clause.
Introduction
The ISA (International Society for Measurement and Control) developed a standard entitled the Application of Safety Instrumented Systems for the Process Industries. In 1996, this standard was formally released and in 1997 it was adopted by ANSI (American National Standards Institute). Since its promulgation, this standard has become the accepted industry practice for all new Safety Instrumented Systems (SIS) designed and installed for use in the process industries. However, the application of the standard to existing safety systems is not as straightforward.
The ANSI/ISA S84.01-1996 includes a clause for addressing existing SIS which states that the owner/operator of SIS designed and constructed prior to the issue of this standard must demonstrate that the system is "designed, maintained, inspected, tested and operating in a safe manner." This "grandfather" clause, ANSI/ISA S84.01-1996, 2.2.1, releases the owner/operator of such systems from the new requirements of the standard, if they can meet the criteria of the clause. This leads to questions regarding how to demonstrate compliance with the clause and at what point modifications to the process or the SIS become significant enough to trigger the full requirements of the standard ANSI/ISA S84.01-1996.
Determining Applicability of the "Grandfather" Clause
In order to utilize the exception for existing systems provided by the "grandfather" clause, an owner/operator must prove its applicability. There are two methods which are being employed within the process industry to demonstrate that the Safety Instrumented System is "designed, maintained, inspected, tested, and operating in a safe manner." The first is to utilize the cyclic Process Hazards Analysis (PHA) process as a vehicle for investigating the safety system. The second is to review the existing SIS in comparison to the key design requirements of the S84 standard and, by identifying deviations, determine whether further efforts are warranted to analyze the SIS.
One of the principal opportunities to review the safety system associated with a process is during the cyclic process hazards analysis. Under the requirements of the OSHA Process Safety Management ruling (29 CFR 1910.119) and the EPA Risk Management Plan (40 CFR 68), every covered process must undergo a PHA on a five-year cycle. Within the PHA, the teams are required to identify potential causes of process hazards and identify the associated engineering and administrative controls. One of the most important types of engineering controls is the safety instrumented system which has been provided to prevent or mitigate a potential process event. Following the discussion of each potentially hazardous scenario in accordance with the PHA methodology being employed, the team can discuss the existing SIS and subjectively evaluate it with regard to the "grandfather" clause. The team will need to consider all of the elements of the clause, namely SIS design, maintenance, inspection, testing, and operation, in order to formulate a judgment regarding the SIS adequacy. In order to evaluate the adequacy of the design, the PHA team will need to affirm that the SIS functionality is appropriate to fulfill the intended safety function and that the SIS architecture is consistent with the required risk reduction. This judgment should also consider the frequency of process demands on the SIS and the history of incidents and near misses associated with the SIS. The team will also need to review the maintenance, testing, and inspection records in order to evaluate the sufficiency of their frequency and content. If the team is unable to agree that the SIS meets all of the requirements of the "grandfather" clause, they can develop an action item for the particular SIS to receive full consideration under the S84 standard, hence excluding it from coverage under the "grandfather" clause.
Another approach to SIS evaluation is the development of a checklist based upon requirements within the ANSI/ISA S84.01-1996 standard. This checklist would address the major philosophical and technology issues defined in the standard. Any significant deviations from the design characteristics defined in the standard would identify the SIS under consideration for exclusion from the "grandfather" clause. A few examples of the types of issues that could be addressed in the checklist are provided in Table 1.
Table 1

| Example Criteria for Identifying Existing SIS to be Excluded from the "Grandfather" Clause |
| --- |
| Does the SIS function take the process to a safe state without human intervention? |
| Are the designed "fail safe" modes of the SIS elements consistent with a safe state? |
| Is the SIS logic solver separate from the Basic Process Control System (BPCS)? |
| Are sensors for the SIS separate from the sensors for the BPCS? |
| Is the technology employed in the SIS appropriate for the expected performance? |
| For SIS associated with high risk events, are two valves provided for process isolation? |
| Does each SIS I/O device have independent wiring? |
| Is periodic functional testing performed for all of the SIS elements, including field sensors, logic solver, and final elements? |
| Is all equipment provided to perform testing at the desired test interval? |
| Is sufficiently redundant and available power provided to the SIS? |
| Historically, has the performance of the SIS met the operating demands? |
| Is sufficient documentation available to describe the desired SIS function and the expected design, operation, maintenance, testing, and inspection? |
| Note: An answer of "No" to any question indicates potential exclusion from the "grandfather" clause. |
Even if the existing SIS design is accepted under the "grandfather" clause, it is important to note that the documentation, training, and other such requirements of the standards are not waived. Therefore, effort must be directed at developing documents such as the Safety Requirements Specification (SRS), procedures for SIS operation, testing, and maintenance, and records of periodic functional testing, inspection, and maintenance. This information should already exist as a part of the Process Safety Information required for compliance with OSHA 1910.119.
Other important factors that should be considered when determining the applicability of the "grandfather" clause are the implications associated with the general duty provisions of both the EPA and OSHA. The Clean Air Act Amendments of 1990 obligate the caretakers of facilities "to design and maintain a safe facility". OSHA requires owners to provide a place of employment that is "free from recognized hazards". In the performance of the general duty, industry standards that have been developed to provide industry with tools to prevent accidents should be employed. By using the shelter of the "grandfather" clause to avoid bringing existing systems into full compliance with the S84.01 standard, companies may be at risk of penalty for failing to fulfill the responsibilities of the general duty clause.
The Relationship Between Management of Change and the "Grandfather" Clause
Even if an existing safety instrumented system has been found to meet the stipulations of the "grandfather" clause, changes to the SIS, or the process to which it is providing protection, may revoke this protected status. Therefore, the Management of Change (MOC) procedures must be revised to address the issue of the SIS status with regard to ANSI/ISA S84.01-1996. At some point, the modifications of the process unit or the SIS will be significant enough to trigger the full requirements of ANSI/ISA S84.01-1996.
The objective of the MOC clause in the S84.01 standard is to ensure that the MOC requirements of the OSHA PSM rule are addressed following any change to an SIS. OSHA rule 29 CFR 1910.119 Paragraph (l) addresses the MOC requirements. It states that written procedures must be developed and implemented for any change in process chemicals, technology, equipment and procedures, except for "replacement in kind". Two important elements, related to SISs, are that the MOC procedure must address the "impact of [the] change on safety and health" and the requirement that any affected process safety information be updated to reflect the change.
Within the S84.01 standard, the concept of Management of Change is introduced at the end of the Safety Lifecycle Model, presented in Figure 1. The initiation of a change to the SIS or the process should return the SIS to the appropriate phase of the lifecycle, i.e., the first phase affected by the modification. The elements of all subsequent Safety Lifecycle phases will also need to be addressed. The review of the change is also required to ensure that the Safety Integrity Level (a measure of SIS availability) has been maintained.

The standard indicates that a formal MOC procedure may be required as a result of the following types of changes:
OSHA also includes the following changes as initiators for the MOC process:
A review of each of the lifecycle steps and the types of changes that will impact the SIS definition associated with this step can clarify the interpretation of the extent of the "grandfather" clause.
Conceptual Process Design
Any change to the conceptual design of the process, which would likely be reflected by changes in the Process Flow Diagrams (PFDs) or by considerable revision to the Piping and Instrumentation Diagrams (P&IDs), can be expected to have a significant impact on the definition of the safety functions that are to be performed by the associated SISs. The addition of new process equipment will require the addition of new SISs, which will be covered by the ISA standard. Existing SIS that are involved in modifications of this degree may also require significant redesign because of changes in the potential process hazard, the definition of the safe state of the process, or the performance requirements of the SIS. SIS changes of this type will require modification of the SRS, which should signify a major change, and the full application of the requirements of ANSI/ISA S84.01-1996 is recommended.
Safety Requirements Specification (SRS)
The SRS serves as the design basis document for the SIS, providing both the safety functional requirements and the safety integrity requirements.
The types of changes that would require a modification to the SRS include:
Any changes to an existing SIS that impact the major elements of the SRS can be termed significant and the full application of the S84.01 standard should be seriously considered.
SIS Conceptual Design
Changes in the SIS Conceptual Design may negatively impact the performance of the SIS. Any change that has the potential to change the availability of the SIS should cause the continued application of the "grandfather" clause to be strongly questioned.
Examples of SIS conceptual design changes that would meet this criterion include:
SIS Detailed Design
Changes that only impact the SIS at the detailed design level are unlikely to have a measurable impact on the performance of the system. Therefore, changes of this type are less likely to warrant revoking the protection provided by the "grandfather" clause. Examples include:
SIS Operation, Maintenance, Testing, and Inspection
When evaluating changes of operating and maintenance procedures with regard to the question of continued applicability of the ANSI/ISA S84.01-1996 "grandfather" clause, it is important to keep in mind that only those changes that can have a consequential impact on the SIS functionality or performance need be considered.
One possible change that may significantly impact the requirements or performance of the SIS is a large reduction in operations or maintenance manpower. As owner/operators endeavor to reduce the workforce, it may become difficult for the operators to fulfill their requirements in response to SIS trips or alarms. SIS performance problems may also result from reduced or inexperienced maintenance support. These problems include:
These inadequacies could lead to an increase in SIS random and common cause failures due to inadequate testing or errors in calibration and repair activities. Therefore, significant changes in the operations or maintenance philosophy should be considered as criteria for revoking the "grandfathered" status of all of the affected SIS.
Conclusions
When considering the use of the "grandfather" clause provided within ANSI/ISA S84.01-1996, it is important to approach each existing system with a formal, systematic and documented method. It is the responsibility of the owner/operator of the SIS to determine that existing SIS meet all of the requirements of the clause and to document the operating, testing, inspection and maintenance conditions under which this will remain true.
The "grandfather" clause only addresses the SIS design and construction. Therefore, when an existing SIS has been determined to be covered by the "grandfather" clause, the other requirements of the standard must not be ignored. The clauses related to documentation, training, procedures, and testing are applicable to all SIS, existing and new. Owner/operators of "grandfathered" SIS must also acknowledge that this status does not provide an indefinite shield against the full requirements of the standard. The process industries are under continuous pressure to improve the operation of their facilities. This optimization results in an environment of constant change, in terms of upgrades and expansions. At some point, the modifications of the process unit and the SIS will be significant enough to trigger the full requirements of ANSI/ISA S84.01-1996.