Who is responsible for what in a 61511 project?
2.1 The process industry supply chain
The IEC 61511 safety life-cycle is aimed at applications where instrumented systems are used for risk reduction in the process industry sector - including chemicals, oil and gas, pulp and paper, pharmaceutical manufacturing, food and beverage, and non-nuclear power generation.
The requirements of this standard apply to the entire supply chain involved in the delivery of an SIS, not just the end user. This means equipment suppliers, software providers, engineering services companies, consultants and system integrators.
Typical responsibilities of each of these are explained in further detail below.
The process plant operator responsible for the hazard, often referred to as the Duty Holder, is ultimately responsible for implementing the safety life-cycle.
2.2 The Duty Holder
In many countries hazardous end user process plants come under the special attention of legislation and regulatory bodies due to the possibility of significant loss events. Classification of each process plant is based upon the quantity and hazardous nature of materials being stored or processed.
As part of that responsibility, the Duty Holder has to ensure that their own personnel, service providers and equipment suppliers are adequately competent or capable. However, this does not absolve service and equipment providers from their own responsibilities in the provision of equipment or services. One only needs to look at accident history and the subsequent legal proceedings to realise that there is typically a level of joint liability when things go wrong.
The Duty Holder must interpret the framework of the generic safety life-cycle and develop appropriate procedures and evidence of activity to ultimately prove conformance. In most countries in the world this is an effort to show that following "best practice" is sufficient, rather than strict legal compliance.
All Duty Holders are responsible for setting up appropriate functional safety management, planning and verification capabilities for the entire safety life-cycle. They may appoint other companies to manage projects on their behalf, but they are still ultimately responsible for any failings.
Unless the Duty Holder has an internal engineering resource, the typical end user's direct responsibility for the SIS is in three other main phases of the life-cycle.
The first main phase is the production of the safety requirements specification (SRS). Getting this right is crucial. Even if the end user does not physically write the SRS it should be supervised and scrutinised very carefully, including all the stages used to produce it such as hazard identification, risk assessment and protection layer allocation.
The second main phase is the validation of the system before it goes into service. The end user Duty Holder must take an active witnessing role in ensuring that the system as designed and built actually meets the SRS in its entirety.
The third main phase is the operation and maintenance of the system. This is the longest part of the SIS life-cycle and the part where the end user has the most influence on the long-term maintenance of safety integrity.
2.3 Equipment Suppliers
Companies who promote their equipment and/or software for use in safety applications are responsible for the accuracy of the claims they make about their products.
There is currently, as of 2019, no formal framework for ensuring that Safety Integrity Level (SIL) capability claims are valid. This means equipment choice needs to involve careful consideration of the evidence that manufacturers provide with their products.
Broadly speaking, elements used in safety applications can be separated into the following categories:
- Logic solvers, comprising hardware and, if programmable, each of the following:
  - Embedded software.
  - Utility software (for program configuration).
  - Application programs.
- Final elements.
- Interposing devices.
In each main category, a device may be either "Type A" or "Type B" according to the equipment designations in IEC 61508.
IEC 61508 edition 2 is the manufacturer's reference standard for designing hardware and software.
Type A devices are non-complex and contain no software or programmability. These devices are generally easier to qualify for use in a safety application as there is no software involved. However, they typically have less self-diagnostic capability, meaning there is usually little or no information available if they fail in service between proof tests.
Examples of Type A devices include discrete (on/off) sensors and switches, non-programmable relays and contactors, solenoid valves, actuators and final element valves.
Type B devices can contain complex components such as microprocessors and typically offer programmability, meaning embedded software is present. These devices are generally harder to qualify for use in a safety application due to the presence of complexity and software. However, they typically have better self-diagnostic capability, meaning there is often good information available to the user if they fail in service.
Examples of Type B devices include smart sensors (also known as instruments or transmitters), programmable logic solvers, programmable relays and all other devices which have embedded software.
When equipment suppliers assess their products, either by themselves or using a third-party assessor, they must designate whether the device is Type A or Type B. They must also produce information with a minimum set of detail as specified in Annex D of IEC 61508-2, known as a "Safety manual for compliant items".
2.4 Engineering Companies (EPCs)
Engineering companies (EPCs) who work on behalf of end user Duty Holders will typically be working on new SIS projects, or sometimes large refurbishments where complete systems or major sub-systems are being replaced. EPCs do not work in isolation, and will often be joined by the Duty Holder's technical representatives for key phases of hazard, risk and SIL assessment, sign-off of documentation and witnessing of testing activities before the system enters or re-enters service.
This embedded nature means the EPC takes on some joint liability for technical decisions and engineering activities relating to the SIS before the operations phase.
As a result, EPCs tend to focus on getting a project completed on time and within budget, with less emphasis on the operational aspects of the system. This limited responsibility means that the Duty Holder must take care that operational requirements are not sidelined and are given equal weighting in terms of priority for the final design.
Consultants who work on behalf of end user Duty Holders or engineering companies will typically be working on only a few specific phases of the safety life-cycle.
As each specialist consultant provides support for only a limited aspect of the overall safety life-cycle, it is important that the Duty Holder or engineering company sets very clear boundaries and expectations for deliverables.
The best way of setting boundaries and expectations is for there to be very clear Terms of Reference and detailed procedures provided by the Duty Holder and/or engineering company. Experienced consultants will require this approach and will question missing or conflicting information.
An example problem that can occur is when different consulting companies assist with the HAZOP (Hazard and Operability study) and the subsequent SIL Determination activities involving LOPA (Layer of Protection Analysis). If the quality of the HAZOP is not sufficient to support the LOPA, then significant time can be wasted. Similar problems arise at other stages of the design.