As part of our participation and leadership on a number of committees, aeSolutions’ principals and employees are committed to sharing our knowledge and experience with our customers and colleagues through technical papers.
The Case for Penetration Testing in ICS Environments
Rising awareness of securing industrial control systems (ICS) and focus of organizations to roll out ICS cybersecurity programs have prompted a fresh look at the applicability and benefits of penetration (pen) testing. A well designed pen testing project in a controlled environment provides insights and in‐depth findings that cannot be otherwise obtained from traditional risk assessments alone. It complements risk based assessment by taking a deeper look at critical zones and conduits that were identified during the assessment. The results and recommendations help generate cybersecurity requirements specifications and drive standardization of security measures across multiple plants within an organization. This paper highlights the benefits of pen testing in an ICS environment and offers guidelines to design and conduct a pen testing project.
Improving Human Factors Review in PHA and LOPA
By Dave Grattan
Human Reliability practitioners utilize a variety of tools in their work that could improve the facilitation of PHA‐LOPA related to identifying and evaluating scenarios with a significant human factors component. These tools are derived from human factors engineering and cognitive psychology and include, (1) task analysis, (2) procedures and checklists, (3) human error rates, (4) systematic bias, and (5) Barrier effectiveness using Bow‐tie. Human error is not random, although the absent minded slips we all experience seem to come out of nowhere. Instead, human error is often predictable based on situations created external or internal to the mind. Human error is part of the human condition (part of being a human) and as such cannot be eliminated completely. A large portion of this paper describe with practical examples the five tools previously mentioned.
Burner Management System Challenges and Opportunities in Brownfield Installations
A two‐prong templatized approach to multiple brownfield burner management system upgrades can result in significant cost savings. The first step requires coming up with an equivalent design for the safety instrumented burner management system following the ISA 84 safety lifecycle, as allowed in current NFPA standards. The second step utilizes a templatization approach for multiple units with common functionality that will allow an organization to further maximize savings. Actual experience doing this on repeat BMS projects indicate the level of overall savings can be as high as 75% on the safety lifecycle, 70% on the control system design and integration, and 35% on the operation and maintenance activities. The combined overall savings are roughly 60%.
Lessons Learned on SIL Verification and SIS Conceptual Design
There are many critical activities and decisions that take place prior to and during the Safety Integrity Level (SIL) Verification and other Conceptual Design phases of projects conforming to ISA84/IEC61511. These activities and decisions introduce either opportunities to optimize, or obstacles that impede project flow, depending when and how these decisions are managed. Implementing Safety Instrumented System (SIS) projects that support the long‐term viability of the Process Safety Lifecycle requires that SIS Engineering is in itself an engineering discipline that receives from, and feeds to, other engineering disciplines.
This paper will examine lessons learned within the SIS Engineering discipline and between engineering disciplines that help or hinder SIS project execution in achieving the long‐term viability of the Safety Lifecycle. Avoiding these pitfalls can allow your projects to achieve the intended risk reduction and conformance to the IEC 61511 Safety Lifecycle, while avoiding the costs and delays of late‐stage design changes. Alternate execution strategies will be explored, as well as the risks of moving forward when limited information is available.
Benefits of Simple Consequence Modeling for Burner Management Systems
The current approach used to analyze fired heaters during a Process Hazard Analysis (PHA) is inefficient and outdated. Fired heaters can be one of the more complex systems evaluated in a PHA, however they certainly aren’t anything new. In fact, they are one of the most common pieces of process equipment throughout industry, and have been for quite some time. Why then is such a large amount of PHA team time still needed to analyze them? Why, when using the same Process Safety Information (PSI), methodology, and risk criteria, can the results still be inconsistent? The obvious answer is the PHA team; different teams yield different results. Since the results of a PHA can impact several facets of a facility and its operation, including driving the Safety Integrity Level (SIL) for the heater’s Burner Management System (BMS), inconsistencies between analyses can have significant safety and financial impacts. If the consequence estimation is over conservative the selected SIL may be too high, which will result in an over designed and a very costly Safety Instrumented System (SIS). Conversely, if the consequence estimation is too low, the facility’s risks may not be adequately reduced by the selected SIS. Therefore a means to efficiently and consistently determine the consequence is critical. This paper will describe how simple consequence modeling can solve this problem, its inherent benefits, and the cost savings it provides.
Justifying IEC 61511 Spend
Many companies subscribe to the thought process that simply completing compliance documentation identified by IEC 61511 is the end goal. Anything more than that is deemed too tedious and represents a substantial cost center. Unfortunately, documentation is just one aspect of the lifecycle, and one that isn’t substantially making your assets safer from one day to the next. We believe the essence of the standard is to not only generate documentation, but to monitor the performance of protections layers vs. assumptions made in the front of the lifecycle. As poor assumptions are identified, companies can sustain their business by eliminating the root cause, therefore removing the previously invisible risk.
In this paper, we advocate that one should generate compliance documentation as efficiently as possible, but really focus on the impact of bad assumptions and putting a financial basis behind its meaning. This information can then be benchmarked on a monthly basis to set company targets, monitor improvement, and understand the impacts financially.
Implementing Safety Instrumented Burner Management Systems: Challenges and Opportunities
Implementing a Safety Instrumented Burner Management (SI‐BMS) can be challenging, costly, and time consuming. Simply identifying design shortfalls/gaps can be costly, and this does not include costs associated with the capital project to target the gap closure effort itself. Additionally, when one multiplies the costs by the total number of heaters at different sites, these total costs can escalate quickly. However, a “template” approach to implementing SI‐BMS in a brownfield environment can offer a very cost effective solution for end users. Creating standard “templates” for all deliverables associated with a SI‐BMS will allow each subsequent SI‐BMS to be implemented at a fraction of the cost of the first. This is because a template approach minimizes rework associated with creating a new SI-BMS package. The ultimate goal is to standardize implementation of SI‐BMS in order to reduce engineering effort, create standard products, and ultimately reduce cost of ownership.
Core Principles of an ICS Cybersecurity Program
The design and implementation of Industrial Control Systems (ICS) cybersecurity program poses significant challenges due to the stringent requirements of a manufacturing plant and how control systems and their networks are engineered, operated and maintained. While industry has made significant strides in gaining awareness and applying resources to address these requirements, many organizations have also come to realize that implementing cybersecurity measures in the ICS environment – also referred to as Operations Technology or OT, is challenging and quite different from implementing cybersecurity in the enterprise IT environment. Many of the concepts proven and accepted in enterprise IT are either too difficult and/or complex to execute or simply not relevant to the operating environment. Guidance provided by the NIST framework and other publications are helpful to getting started, and experience also dictates that there are a core set of cybersecurity elements for the ICS environment that must be done right. This paper highlights the uniqueness of the ICS environment and offers core principles for a successful development and launch of an ICS cybersecurity program.
Risk Criteria Selection and the Impacts on LOPA Results: To Sum or Not to Sum, That is the Question
In the CCPS book Layer of Protection Analysis – Simplified Process Risk Assessment, Layers of Protection Analysis (LOPA) is initially described as the analysis of a single cause-consequence pairing. However, later in the book, there is the discussion of summing risk for multiple scenarios. In practice, several companies prefer to sum the frequencies of multiple causes leading to a single consequence when conducting LOPA. Summing the causes can be a useful tool in that it will ensure proper integrity of a safety function to address all of the causes for a single consequence and assist in the reduction of the numbers of Independent Protection Layers (IPLs) necessary at a facility. However, caution must be taken in using this method, as there may be unrealized effects on LOPA results, and therefore unintended impacts to the entire safety lifecycle. In contrast, evaluating only a single cause-consequence pair also poses different concerns when relating the results to selected risk criteria.
This paper seeks to provide insight into the effects of each choice, including the pros and cons of each method. Deeper examinations into the definitions of risk criteria and consequence are explored.
Conducting a Human Reliability Assessment to support PHA and LOPA
By Dave Grattan
A better methodology is needed to handle human factors and administrative controls when quantifying initiating cause frequencies and Independent Protection Layer (IPL) credits in PHA and LOPA, and is the topic of this paper. The methodology is aligned with the work of Swain and Guttmann (1983) Handbook of Human Reliability Analysis (NUREG/CR-1278). This paper will describe how the method can be applied to the semi-quantitative needs of PHA and LOPA. The results may also be used as an input to further QRA (Quantitative Risk Assessment).
This paper will present an overview of the Human Reliability Analysis (HRA) methodology, worksheets used to develop and document the HRA, examples of HR Event Trees, a method to incorporate the results back into PHA and LOPA, and lessons learned from conducting HRAs.
Beyond Compliance Auditing: Drill ‘til you find the pain points and release the pressure!
The authors of this paper look beyond traditional OSHA PSM and USEPA RMP regulatory compliance auditing to explore the value of drilling down around the process safety lifecycle; locating the pain points; and releasing the pressure on the system. Compliance auditing has historically provided a “check-the-box” approach to meet regulatory requirements imposed by OSHA and USEPA. Regulatory compliance, however, is no guarantee of the prevention of major accidents. There is still a need to identify hazards, understand and manage risks. Today’s auditors need to determine how to systematically identify the root cause of the “pain points” that will foster conversations around releasing the “pressure” on existing practices to achieve a vibrant integrated process safety management system.
Integrating ICS Cybersecurity and Process Safety Management (PSM)
The majority of process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks. Standards have been developed on how to assess and mitigate cyber risks to these systems. This paper provides an introductory summary of these topics.
Understanding Safety Instrumented Systems (SIS) Field Device Fault Tolerance Requirements
By Paul Gruhn
The IEC 61511 standard includes a table listing the fault tolerance requirements for field devices for different safety integrity levels. There are clauses stating how the fault tolerance requirements may need to be increased in some cases, may be decreased in some cases, and alternative fault tolerance tables from IEC 61508 may be used in some cases. This paper will summarize all these requirements, as well as changes in the table that will appear in the second edition of IEC 61511 that is expected to be released in the summer of 2016.
Codes and Standards Update: Safety Instrumented Burner Management Systems (SI-BMS)
Invoking the concept of a Safety Instrumented – Burner Management System in all three of the NFPA 85, 86 and 87 series of codes / standards is a significant milestone for industry. This paper will explain changes as they apply to the concepts of Safety Instrumented Systems and include a discussion on equivalency clauses and / or linking paragraphs to ISA S84.00.01 – 2004 (IEC 61511 Mod) possibly allowing deviation from prescriptive requirements. Modification of logic solver requirements with inclusion of a direct reference mandating the use of Safety PLCs with minimum SIL capabilities in certain instances and changes related to sensors and valve requirements will be shared. This paper will also highlight areas where the concepts of Safety Instrumented Systems in the author’s opinion have been potentially misapplied within the NPFA series.
Understanding Overpressure Scenarios and RAGAGEP
During the PHA the team identifies consequences of concern arising from potential process deviations, identifies existing safeguards, or if LOPA (Layer of Protection Analysis) is required, the Independent Protection Layers (IPLs) available to reduce the likelihood of the consequence to a tolerable risk level. If the team identifies a gap, the team will propose recommendations to close the gap. An overpressure scenario can be a significant contributor to the risk of a facility. Overpressure of pressure vessels, piping, and other equipment can result in loss of containment of flammable or toxic materials. This paper will develop guidance including related RAGAGEP (Recognized and Generally Accepted Good Engineering Practice) to help engineers and designers participate in the safety lifecycle for managing the risk of overpressure.
Upcoming Changes in IEC 61511 2nd Edition
By Paul Gruhn
It has been over 10 years since the first release of IEC 61511. That committee has worked diligently to create a 2nd edition. A CD (Committee Draft) went out for review and comment by the national committees in 2012. The FDIS (Final Draft International Standard) went out to the committee in November 2015. The standard should be released in 2016. Note that there may still be editorial changes to the standard, but no further technical changes will be accepted for this edition. This paper summarizes the differences between the first and second editions of IEC 61511.
Impacts of Process Safety Time on Layer of Protection Analysis (LOPA)
The ability of an Independent Protection Layer (IPL) to achieve a given level of risk reduction is dependent upon its fulfillment of several core attributes. A key provision for any IPL to be considered effective and functionally adequate is its capability to respond to a process demand quickly enough to stop the propagation of the hazard scenario it was designed to prevent. While this seems obvious and reasonable, the estimation of Process Safety Time and the specification of IPL Response Times is more complex, and often deferred or overlooked altogether. What is Process Safety Time? How is it determined? When? And by whom? This paper examines the relationship between Process Safety Time and IPL Response Times, essential variables for the justification of IPL effectiveness, and their impacts on the success of Layer of Protection Analysis (LOPA).
Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable?
While the concept of execute, monitor and sustain seems straightforward, for a variety of reasons, most companies who have committed to the IEC61511 journey, are solely focused on the execution of safety lifecycle documentation. This myopic approach will result in their failure to realize the full benefits to their organization of a cost effective risk management program. In addition, without development of a holistic multi-year plan for safety lifecycle compliance, end user companies can expect to incur significant regret costs and schedule delays as they attempt to change the safety culture of their organization around adoption of IEC61511. In this paper, a proven roadmap for efficient and cost effective safety lifecycle compliance and risk management will be defined, which emphasizes the use of an evergreen work process to support the concepts of execute, monitor and sustain.
Validating Process Safety Assumptions Using Operations Data
As facilities are assessing risk, making recommendations for gap closure, and designing safety instrumented functions (SIFs), assumptions are made to facilitate calculations in the design phase of protection layers used to reduce the likelihood of hazards occurring. The purpose of this white paper is to identify key assumptions and replace the assumptions with real-world operations data to prove that the risk may be greater than perceptions based on design.
Stopping the Swirl: Facilitation Tools that Improve PHA Results and Efficiency
Effective Process Hazard Analysis (PHA) facilitators combine soft skills with technical knowledge to guide PHA teams through a thorough identification and analysis of process hazards. Facilitators should consider the following examples of tools successfully used to stop the swirl by providing the PHA team with the right information at the right time.
Who and What Equals How I’m Closing My Gaps
Following a layer of protection analysis (LOPA), numerous recommendations and proposals are identified to close gaps associated with process safety performance. This paper explores a methodology created to allocate the targeted risk reduction factor (RRF) between different types of work and stakeholders.
Options for Developing a Compliant PLC-based Burner Management System (BMS)
A consideration of the three approaches to developing a compliant PLC-based Burner Management System including the design and implementation complexities, advantages, and disadvantages of each approach.
A Leader’s Tactical Approach to Influence Changes in Process Safety Culture
By Laura Ankrom
Once an organization recognizes that a process safety culture change is needed, the question then becomes, how do we engage top level leadership so that they influence culture? And, what tactical activities and behaviors can leaders promote and participate in that will have a notable outcome? Key topics covered by the author include visible leadership, effective communications, risk based decision making, self-assessments, lesson learning, key performance indicators, and active monitoring and feedback.
IPL/CMS – Integrity Management of Non-SIS Independent Protection Layers After the LOPA
By Ron Nichols
A discussion of the identification, selection, implementation and management of Non-SIF IPLs through the process lifecycle.
Impacts of Demand Rates on SIF/SIS Design and Mechanical Integrity
An examination of the differences between Low Demand, High Demand, and Continuous Mode SIFs, and provides examples and practical guidance for SIL Determination, conceptual design, SIL Verification, and long-term Mechanical Integrity considerations for each.
aeSolutions’ Safety System Lifecycle Management Solution
ARC Advisory Group provides their view on aeShield Safety Lifecycle Management Solution and how it addresses today’s key industry challenges.
Functional Safety Organization for Predictably Executing the ANSI/ISA 84 Safety Lifecycle
By Kathy Shell
Many companies are in the process of validating or updating their asset integrity management program for safety instrumented systems with the intent of achieving the performance standards in ISA 84.00.01, Functional Safety: Safety Instrumented Systems for the Process Industry. It is a challenge to determine the best organizational structure, the relevant roles and responsibilities, and the training or skills of individuals in key positions to execute the Safety Lifecycle workflow.
Some companies are setting up groups within their engineering organizations; others are expanding their reliability or maintenance departments. Still others are assigning the leadership roles in the process safety departments. In truth, execution of the Safety Lifecycle, as with the Process Safety Standard 29 CFR 1910.119, requires an integrated work flow across multiple disciplines and areas of practice.
The author will outline the organizational characteristics of a strong Functional Safety Program and the roles to be filled to predictably execute the full Safety Lifecycle and achieve the related risk management objectives. These roles will be outlined in terms of responsibilities, technical and business acumen and training, and interpersonal skills relevant to success.
Identifying Facility Siting Raw Risk and the Risk Reduction Decision Process
By Craig Shell
One of the outcomes of a facility siting study is the presentation of information to the facility site leadership team so they can recognize all of the hazards that can impact buildings intended for occupancy. It is this hazard recognition and risk reduction process that will be discussed in this paper. The authors will present a methodology for completing a facility siting assessment that starts with identifying a MCE, followed by breaking the MCE into additional credible events, and identifying likelihood and additional safeguards needed to manage the risk.
Roll Out and Maintenance Integration of SIS Proof Test and Inspection
By John Kelley
A review of the technical and management challenges associated with implementing a standard SIS proof testing philosophy and documentation strategy across a multi-facility upstream oil and gas business unit.
Effective Management of PSM Data in Implementing the ANSI/ISA-84.00.01 Safety Lifecycle
An examination of the efficiencies that can be gained by effective PSI and MI data management and coordination.
A Database Approach to the Safety Lifecycle
Using a systematic database approach to design, develop, and test a Safety Instrumented System (SIS) using methodologies in compliance with ANSI/ISA S84.01 requirements can result in improved quality of design deliverables and system configuration while reducing implementation effort.
Industry Update: Safety Instrumented Fire & Gas Systems (SI-FGS)
By Mike Scott
An exploration of marketplace and industry trends surrounding Fire & Gas Detection Systems and their relationship to Safety Instrumented Systems. Includes results of an informal survey of OEMs, engineering firms, and end users to ascertain driving factors in the acceptance and use of of SI-FGS systems.
Industry Update: Safety Instrumented Burner Management Systems (SI-BMS)
By Mike Scott
An exploration of marketplace and industry trends surrounding Burner Management Systems and their relationship to Safety Instrumented Systems. Includes results of an informal survey of OEMs, engineering firms, and end users to ascertain driving factors in the acceptance and use of SI-BMS systems.
Case Study: Safety Instrumented Burner Management System (SI-BMS)
By Mike Scott
A discussion of the application of the Safety Lifecycle as defined by ANSI / ISA 84.00.01-2004 (IEC 61511 mod) to single-burner multiple fuel boilers. Topics include challenges encountered and project cost savings realized.
What is the Safety Integrity Level of My Existing Burner Management System?
By Mike Scott
A discussion of the issues, decisions, and challenges encountered when applying the concepts of the Safety Lifecycle per ANSI/ISA 84.01, IEC 61508 and / or IEC 61511 to the design of an existing BMS for a single-burner natural-gas-fired installation. Also discusses identification of typical BMS SIFs and subsequent SIL determination.
Burner Management System Safety Integrity Level Selection
By Mike Scott
A discussion of utilizing quantitative methods to select the appropriate Safety Integrity Level associated with Burner Management Systems. Focuses on identifying the required amount of risk reduction and how that can impact efficiency and costs.
Identifying Required Safety Instrumented Functions for Life Safety
Systems in the High-Tech and Semiconductor Manufacturing Industries A discussion of issues and challenges encountered when attempting to apply Safety Lifecycle concepts per ANSI / ISA S84.01 to the design of a Life Safety System at a state-of-the-art fiberoptic manufacturing facility. Focus on industry-specific issues associated with the use of mitigation versus prevention techniques (typically encountered in the process industry).
Safety Instrumented Burner Management Systems – Requirements for the Paper Industry
By Mike Scott
A discussion of how to ensure equipment such as dryers, kilns, thermal oxidizers, power boilers and black liquor recovery boilers conform to ANSI/ISA 84, IEC 61508, IEC 61511, NFPA 85, NFPA 86 and BLRBAC guidelines.