Over the last few years, ORS has conducted multiple Functional Safety Assessments (FSAs) for major greenfield projects, brownfield modifications, and already operating assets in the North Sea. The FSAs have been performed at several stages of the project’s lifetime, from late FEED (FSA stage 1), through detailed engineering (FSA Stage 2), after installation and commissioning (FSA Stage 3), and after several years of operations (FSA Stage 4 and 5).
While there is great variation in both the assets and the stage of the project development, some common issues seem to recur across most of the FSAs. Over a series of articles, we aim to highlight a few of these and offer overall suggestions for improvement. This article deals with the functional safety framework and management. Other articles in this series will cover:
Safety requirements; Specification and transparent follow-up,
Functional safety during installation, commissioning, validation, and handover to operations.
Functional Safety during operation
According to IEC 61511-2:2016 A.220.127.116.11, The basic objective of an FSA is to demonstrate compliance with agreed standards and practices through independent assessment of the safety instrumented system's development process.
Prior to the hazards being present (i.e. prior to starting up the system), an FSA shall be undertaken to confirm that (IEC 61511-1:2016 18.104.22.168.5):
the risk assessments have been carried out
the recommendations arising from the H&RA that apply to the SIS have been implemented or resolved;
project design change procedures are in place and have been properly implemented;
the recommendations arising from any FSA have been resolved;
the SIS is designed, constructed, and installed in accordance with the SRS, any differences having been identified and resolved;
the safety, operating, maintenance, and emergency procedures pertaining to the SIS are in place;
the SIS validation planning is appropriate and the validation activities have been completed;
the employee training has been completed and appropriate information about the SIS has been provided to the maintenance and operating personnel;
plans or strategies for implementing further FSAs are in place.
The above items that the FSA shall confirm can be summarized as three basic elements that need to be in place from the beginning of project development until the asset's decommissioning:
A Functional Safety Framework;
A solid foundation for the safety requirements;
A transparent follow-through of the requirements.
The Functional Safety Framework
Effective planning and management of functional safety need to be established at the very beginning of the project development. The Functional safety plan must define who is responsible for what (Operator, design contractor, subcontractors, (package) suppliers) and clearly outline the interfaces and boundaries within functional safety. Responsibility must be clearly defined for all the project phases, from FEED through detailed design, installation, commissioning, and operation. Further, the Functional safety framework should ensure transparency and consistency throughout the project development by clearly indicating the connection between the various SIS lifecycles.
Systematic failures are one of the main causes of major accident hazards, and a proper functional safety framework and management system are key steps to prevent systematic failures.
In many ways, functional safety is a combination of risk management and quality management. Many of the requirements that shall be covered in the functional safety management planning are already (or should already) be covered in corporate standards, guidelines, project execution models, and quality plans. Due to this, there are often several overlapping plans that in one way or another related to functional safety management. The various plans are seldom cross-referenced effectively, and it is hard for the functional safety engineers to know which plans and procedures are relevant- Vice versa, the quality managers and package responsible engineers may not always have a good understanding of risk engineering and functional safety. The consequence of this is sometimes that it becomes unclear which functional requirements should be included in FATs, and the functional safety engineers are not always sufficiently involved.
While functional safety in most cases is properly managed at an overall level in the organizations both at the operator, the EPC contractor, and the sub-contractors, we often see that an integrated functional safety plan and SIS lifecycle plan for the entire asset does not exist. The EPC contractor is often given the responsibility to develop a functional safety management plan and SIS lifecycle plan, however, these plans only focus on the parts of the scope the EPC contractor is responsible for, usually up to the end of detailed engineering. This often leaves gaps with regard to the responsibility for implementing functional safety in the commissioning and testing phase prior to start-up, such as SIF validation and how to verify the SIFs end-to-end prior to start-up, responsibility for proof test procedures, etc. Other issues such as documentation requirements for operation (e.g. SRS for operation) are often raised at a late stage. Further, there are often inconsistencies in how functional safety is treated in e.g. process systems, marine systems, package suppliers, and utility systems.
The asset operators often lean on corporate guidelines for functional safety, but in many cases, these are too generic to fully cover the functional safety management and planning for a specific asset. All of this results in a “gap” / “black box” in functional safety management, going from the design phase to the operational phase. Often the operator applies “different” functional safety management frameworks during design and operation (where most or all functional safety management planning is left to the EPC contractor during the engineering phase). The EPC contractor and the design team at the operator do not always have the overview of the functional safety management systems to be applied when the asset is put into operation, often leading to re-work or additional work during handover to operations. Another consequence could be that the functional safety framework for operations is not 100% suited to incorporate all functional requirements from design. A recurring issue is SCE tagging of all components involved in the SIFs (including IO cards) and proof testing of electrical relays and circuit breakers (as final elements of SIFs, or as part of the electrical isolation function).
How to improve
A functional safety responsible role for the asset, both for the engineering phase and for the operational phase should be nominated as early as possible. This is to ensure that functional safety planning considers all the phases of the SIS lifecycle, including commissioning, testing, and operation from the beginning.
Further, a Functional safety management plan for the Asset should be developed by the operator, already in the FEED phase. This FSMP should specify how the overall requirements in the corporate guidelines apply to the project, and clearly define interfaces between EPC contractor(s), Operator, and e.g. sub-contractors responsible for company-provided items. It is essential to coordinate the individual FSMPs so that the interfaces and boundaries are understood, controlled, and managed.
The asset FSMP should also clearly outline the requirements for the SIS lifecycle steps including commissioning, testing, and operation. The Asset FSMP should clearly define the connection between the SIS lifecycle phases, considering the overall project execution plan, project-specific milestones, and interfaces between various systems and suppliers (process systems, marine systems, package deliveries (such as burner management systems), etc.)
The SIS lifecycle plan should be improved and better aligned with the project execution plans to clearly define the required input (including which revisions) are required for each of the SIS lifecycle steps, as well as ensure that sufficient revisions of relevant documents are issued to capture changes during the design phase. In the same way, each supplier or contractor has its own project execution plan (PEP), while the owner or operator must have an overall PEP that integrates the individual plans, the overall SIS lifecycle plan must be tied to this PEP.