Hazardous process industry sites must carry out periodic functional safety assessment (FSA) of safety instrumented systems. But why?
Many hazardous process industry sites have viewed Functional Safety Assessment (FSA) as a project activity to be completed when a new safety instrumented system (SIS) gets installed, and of course, that is absolutely correct. Some have also registered that FSA is required for modifications, and a few have acknowledged that it must even be completed for minor changes to an SIS.
But what about existing, or "legacy" systems where apparently nothing is being changed and no SIS equipment is being modified? The system didn't fail last time it was needed, so surely it will be perfectly good next time?
The question is, would it even be beneficial to carry out an FSA on an SIS that has been installed for many years and possibly even pre-dates the original IEC 61511 standard, never mind the new one?
Well, the latest edition of IEC 61511 (edition 2, published in 2016) seems to make it clearer that FSA is not just a new design or modification activity, but also an ongoing operational requirement to sustain safety integrity.
So, to answer some of the above questions, let's consider what can actually go wrong over the operation lifetime of an SIS that is apparently not being modified.
The average time that people stay with a single employer is under 5 years in most developed countries. The typical design life of a modern SIS is 10 to 20 years, depending on exactly which sector you are working in. The upshot of this is that there are often very few (if any) people left with the knowledge of when a system was installed and validated, and this gets worse the older the system gets and the more prone it becomes to wear-out failure. This means regular FSA as a review and learning exercise is a corporate must.
Unlike the SIS, processes are subject to regular change to meet production demands. This can mean changes in operator manning, changes in other protection layers, or the physical plant layout. An operations FSA is designed to review plant changes for impact on the SIS.
Even the best designed safety systems may need to be bypassed in the operations stage. Often this is done for good reason, such as after a process upset to get things re-started. A bypassed SIS, or even a single bypassed SIF, means ZERO protection from that layer. An FSA in the operations stage is designed to look for this and ensure that procedures are put in place to log and review all bypasses.
It may be possible that a proof test is occurring too frequently or too infrequently if there have been operational changes to associated independent protection layers. An FSA in the operations stage will check proof test frequencies.
Failures and Demands Occur
As SIS demands or equipment failures occur, valuable data is generated that should be checked against the original assumptions made in the hazard and risk assessment (H&RA) stage. An operations FSA will cross-check actual demand and failure rates with the H&RA.
People are not perfect
Unplanned modification to the SIS can occur when, for instance, a non-like-for-like instrument replacement is made. An operations FSA will check for this. It is also possible for unplanned changes to trip points to happen when a safety system logic solver program is restored after loss of memory. There are ways to look for this and to ensure that future FSAs keep checking that the application program software is only changed under modification procedures.
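As an added illustration that is not part of the original article, the operations-stage cross-checks described above (proof test interval against the SIL target, observed demand and failure rates against the H&RA, and logged bypass time against the procedure limit) can be scripted over a SIF register. The register, the 2x review threshold and the simplified 1oo1 PFDavg = λDU·TI/2 approximation are assumptions made here for the example.

```python
# Operations FSA cross-check of SIF records against H&RA assumptions (constructed example data).
from dataclasses import dataclass

# Low-demand-mode PFDavg upper bounds per SIL band (IEC 61508 Table 2).
SIL_PFD_MAX = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}
REVIEW_FACTOR = 2.0  # assumption: raise a finding when an observed rate is 2x the assumed rate

@dataclass
class SifRecord:
    tag: str
    sil: int                          # SIL target from the H&RA
    assumed_demand_per_year: float    # demand rate assumed in the H&RA
    lambda_du_per_hour: float         # dangerous undetected failure rate used in the design
    proof_test_interval_h: float
    years_in_service: float
    demands_observed: int
    dangerous_failures_found: int     # found on demand or at proof test
    bypass_hours: float               # total logged time in bypass
    max_bypass_hours_per_year: float  # limit assumed in the bypass procedure

def pfd_avg(lambda_du_per_hour, proof_test_interval_h):
    # Simplified 1oo1 approximation PFDavg = lambda_DU * TI / 2 (assumption: no CCF, no repair term).
    return lambda_du_per_hour * proof_test_interval_h / 2

def max_proof_test_interval_h(sil, lambda_du_per_hour):
    # Longest proof test interval that keeps the simplified PFDavg inside the SIL band.
    return 2 * SIL_PFD_MAX[sil] / lambda_du_per_hour

def review_sif(r):
    # Return the findings an operations FSA would raise for one SIF record.
    findings = []
    if pfd_avg(r.lambda_du_per_hour, r.proof_test_interval_h) > SIL_PFD_MAX[r.sil]:
        findings.append("proof test interval too long for SIL target")
    if r.demands_observed / r.years_in_service > REVIEW_FACTOR * r.assumed_demand_per_year:
        findings.append("observed demand rate exceeds H&RA assumption")
    hours = r.years_in_service * 8760
    if r.dangerous_failures_found / hours > REVIEW_FACTOR * r.lambda_du_per_hour:
        findings.append("observed dangerous failure rate exceeds design assumption")
    if r.bypass_hours / r.years_in_service > r.max_bypass_hours_per_year:
        findings.append("time in bypass exceeds procedure limit")
    return findings

# Constructed register: one SIF drifting on every count, one with an over-long proof test interval, one clean.
REGISTER = [
    SifRecord("PSHH-101", 2, 0.1, 1e-6, 8760, 10, 5, 2, 300, 24),
    SifRecord("LSHH-205", 3, 0.2, 5e-7, 17520, 8, 1, 0, 10, 24),
    SifRecord("TSHH-310", 1, 0.5, 2e-6, 8760, 5, 2, 0, 0, 24),
]

def review_register(register=REGISTER):
    return {r.tag: review_sif(r) for r in register}
```

For LSHH-205 the script also tells the assessor how far the interval must come down: max_proof_test_interval_h(3, 5e-7) gives 4000 hours against the 17520 currently in use.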