All over the world, the deeply troubling pattern of increasingly brazen cyber incidents highlights the disruptive damage and incredible costs of cyber-attacks. As cyber threats increase, so does the risk to your operation. The security of your industrial control systems (ICS) is now a board-level concern.
aeSolutions, a recognized leader in ICS cybersecurity, has the experience, the talent, and the services to help you develop your strategy, assess your risk, create a sustainable program, and remediate your gaps and vulnerabilities.
We understand the strong connection between Industrial Cybersecurity and Process Safety. We also believe that you can’t achieve process safety in today’s world of open, integrated control systems without addressing cybersecurity. At aeSolutions we have expertise in both fields and are working with some of the world’s leading oil & gas and petrochemical companies to help them engineer industrial cybersecurity into their new or existing control systems and integrate cybersecurity into their Process Safety processes.
Our proven aeCyber™ tools, techniques and templates provide you with a jump-start to industry best practices as well as a risk-based strategic roadmap. By choosing aeSolutions you:
- Have access to our broad industry experience and our deep understanding of the inter-dependencies between industrial automation, safety and security.
- Benefit from our standards-based, systematic and pragmatic approach to program and controls development.
- Gain the information and confidence you need to successfully build out your cyber risk management program.
Our aeCyber™ suite of services is a risk-driven approach organized into four competencies: Governance, Risk Management, Security Implementation, and Security Operations. By working with you and focusing on the core mission in each of these four areas, we can help you meet your mission.
Benefits of choosing aeCyberSolutions™
• We are uniquely experienced helping companies develop ICS security programs, frameworks, policies & practices
• We are multi-disciplined, with combined Process Control, Process Safety, & Industrial Cybersecurity
• We are leaders in ICS cybersecurity standards development (e.g. ISA/IEC 62443)
• We don’t ‘sell-then-switch’: when you meet with us, you’re meeting with the people who do the work
• We have the skills and experience to design and implement cybersecurity mitigations
Our Core Services
aeSolutions offers industrial control system (ICS) cybersecurity risk assessment services in every phase of the process automation/process safety lifecycle. Our aeCyberPHA method links realistic threat scenarios with known vulnerabilities and existing countermeasures and couples that with credible consequences from the PHA to determine cyber risk.
What is Truth? Do our SIL calculations reflect reality?
Is our industry stuck in the past? The current industry trend is to only look at random hardware failures in safety integrity level (SIL) probability of failure on demand (PFD) calculations. No one would appear to be updating assumptions as operating experience is gained. Hardware failure rates are generally fixed in time, assumed to be average point values (rather than distributions), and either generic in nature or specific to a certain set of hardware and/or conditions which the vendors determine by suitable tests or failure mode analysis. But are random hardware failures the only thing that cause a safety instrumented function (SIF) to fail? What if our assumptions are wrong? What if our installations do not match vendor assumptions? What else might we be missing? How are we addressing systematic failures?
One obvious problem with incorporating systematic failures is their non-random nature. Many functional safety practitioners claim that systematic errors are addressed (i.e., minimized or eliminated) by following all the procedures in the ISA/IEC 61511 standard. Yet even if the standard were strictly adhered to, could anyone realistically claim a 0% chance of a SIF failing due to a human factor? Some will say that systematic errors cannot be predicted, much less modeled. But is that true?
This paper will examine factors which tend to be ignored when performing hardware-based reliability calculations. Traditional PFD calculations are merely a starting point. This paper will examine how to incorporate systematic errors into a SIF’s real-world model. It will cover how to use Bayes theorem to capture data after a SIF has been installed — either through operating experience or industry incidents — and update the function’s predicted performance. This methodology can also be used to justify prior use of existing and non-certified equipment.
Methodologies in Reducing Systematic Failures of Wired IPLs
By Rick Hanner
The history of high consequence incidents in industry reveals that most accidents were the result of systematic failures, not hardware failures. However, a higher degree of focus in engineering is often on the quantifiable failures of hardware. Process Safety risk gaps are often closed or reduced by several types of Independent Protective Layers (IPLs). Two common types are Safety Instrumented Functions (SIFs) and Basic Process Control System (BPCS) functions. The SIFs typically reside within a SIL-rated programmable logic controller, and their achieved quantitative performance is calculated based on random hardware failures of the SIF hardware components. Conversely, BPCS protective layers are assigned generic industry-accepted probability of failure credits. The BPCS generic industry-accepted probabilities of failure are conservatively assigned and consider unquantifiable human-induced systematic failures.
Richard E. Hanner – aeSolutions Greenville, SC
Tab Vestal – Eastman Kingsport, TN
The use of Bayesian Networks in Functional Safety
By Paul Gruhn
Functional safety engineers follow the ISA/IEC 61511 standard and perform calculations based on random hardware failures. These result in very low failure probabilities, which are then combined with similarly low failure probabilities for other safety layers, to show that the overall probability of an accident is extremely low (e.g., 1E-5/yr). Unfortunately, such numbers are based on frequentist assumptions and cannot be proven. Looking at actual accidents caused by control and safety system failures shows that accidents are not caused by random hardware failures. Accidents are typically the result of steady and slow normalization of deviation (a.k.a. drift). It’s up to management to control these factors. However, Bayes theorem can be used to update our prior belief (the initial calculated failure probability) based on observing other evidence (e.g., the effectiveness of the facility’s process safety management process). The results can be dramatic.
Reverend Bayes, meet Process Safety. Use Bayes’ Theorem to establish site specific confidence in your LOPA calculation
Bayes’ Theorem is an epistemological statement of knowledge, versus a statement of proportions and relative frequencies. It is therefore a method that can bridge qualitative knowledge with the rare-event numbers that are intended to represent that knowledge. Bayes’ Theorem is sorely missing from the toolbox of Process Safety practitioners. This paper will introduce Bayes’ Theorem to the reader and discuss the reasons and applications for using Bayes in Process Safety related to IPLs and LOPA. While intended to be introductory (to not discourage potential users), this paper will describe simple Excel™ based Bayesian calculations that the practitioner can begin to use immediately to address issues such as uncertainty, establishing confidence intervals, properly evaluating LOPA gaps, and incorporating site specific data, all related to IPLs and barriers used to meet LOPA targets.
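The three abstracts above (updating a SIF's predicted performance with operating experience, updating a prior belief with observed evidence, and establishing site-specific confidence in a LOPA number) all rest on the same calculation. The following is an added worked example, not code from any of the papers: it puts a Beta prior on a SIF's probability of failure on demand (PFD) whose mean is the calculated PFD, updates it with a constructed set of proof-test results, and reports the posterior mean, a credible interval, and the probability that the true PFD exceeds the claimed SIL ceiling. The prior strength (`equivalent_demands`), the calculated PFD, the test counts and the SIL ceiling are all assumptions of the example. The incomplete-beta routine uses only the standard library so it runs anywhere.

```python
"""Bayesian update of a SIF's probability of failure on demand (added example)."""
import math


def beta_cdf(a, b, x):
    """Regularized incomplete beta I_x(a, b) = P(p <= x) for p ~ Beta(a, b).
    Continued-fraction evaluation (Lentz's method); standard library only."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    # symmetry relation keeps the continued fraction in its fast-converging region
    if x > (a + 1.0) / (a + b + 2.0):
        return 1.0 - beta_cdf(b, a, 1.0 - x)
    ln_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                + a * math.log(x) + b * math.log1p(-x))
    tiny = 1e-300
    c = 1.0
    d = 1.0 - (a + b) * x / (a + 1.0)
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, 300):
        m2 = 2 * m
        # even and odd continued-fraction coefficients, applied in turn
        for num in (m * (b - m) * x / ((a - 1.0 + m2) * (a + m2)),
                    -(a + m) * (a + b + m) * x / ((a + m2) * (a + 1.0 + m2))):
            d = 1.0 + num * d
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = 1.0 + num / c
            c = c if abs(c) > tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < 1e-14:
            break
    return math.exp(ln_front) * h / a


def beta_quantile(a, b, q, iters=100):
    """Inverse CDF by bisection on [0, 1]."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if beta_cdf(a, b, mid) < q:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def prior_from_calculation(pfd_calc, equivalent_demands):
    """Beta prior with mean pfd_calc. equivalent_demands is how many observed
    demands the calculated number is 'worth' to us (assumption: a small value
    expresses weak confidence in the frequentist calculation)."""
    return pfd_calc * equivalent_demands, (1.0 - pfd_calc) * equivalent_demands


def update_with_site_data(prior, tests, failures):
    """Conjugate update: each test that found the SIF working adds to b,
    each dangerous failure found adds to a."""
    if failures > tests:
        raise ValueError("failures cannot exceed number of tests")
    a, b = prior
    return a + failures, b + (tests - failures)


def summarize(posterior, sil_ceiling, credible=0.90):
    """Posterior mean, central credible interval and P(PFD > ceiling)."""
    a, b = posterior
    tail = (1.0 - credible) / 2.0
    return {
        "mean": a / (a + b),
        "lower": beta_quantile(a, b, tail),
        "upper": beta_quantile(a, b, 1.0 - tail),
        "p_exceeds_ceiling": 1.0 - beta_cdf(a, b, sil_ceiling),
    }


# Constructed scenario: calculated PFDavg 5e-3 (a SIL 2 claim), weak prior,
# then 40 documented tests/demands on site with one dangerous failure found.
PFD_CALC = 5e-3
SIL2_CEILING = 1e-2
PRIOR = prior_from_calculation(PFD_CALC, equivalent_demands=20)
POSTERIOR_ONE_FAILURE = update_with_site_data(PRIOR, tests=40, failures=1)
POSTERIOR_NO_FAILURE = update_with_site_data(PRIOR, tests=40, failures=0)

if __name__ == "__main__":
    for label, post in (("one failure in 40", POSTERIOR_ONE_FAILURE),
                        ("no failures in 40", POSTERIOR_NO_FAILURE)):
        s = summarize(post, SIL2_CEILING)
        print(f"{label}: mean PFD {s['mean']:.2e}, 90% interval "
              f"[{s['lower']:.2e}, {s['upper']:.2e}], "
              f"P(PFD > SIL 2 ceiling) = {s['p_exceeds_ceiling']:.2f}")
```

With these constructed inputs a single dangerous failure in 40 tests moves the posterior mean from 5e-3 to about 1.8e-2, above the SIL 2 ceiling, while 40 clean tests pull it down to about 1.7e-3; the `equivalent_demands` setting is the knob that decides how much site data it takes to overturn the calculated value, and it should be chosen and recorded deliberately.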
Breathing life into the alarm management lifecycle
‘Evergreen’ and ‘lifecycle’ have become two common buzz words in our industry. They are thrown around in a variety of topics, processes, and philosophies as descriptions of how management plans should be set up. But what does it really mean to have an evergreen process? How does one keep a lifecycle alive? This is especially relevant when it comes to topics such as alarm management, where it is commonly touted that once a plant rationalizes their entire system, they have completed alarm management. This paper will deconstruct the alarm management lifecycle and pinpoint key aspects that can be integrated into process safety management systems and work processes that already exist. Tying the alarm management lifecycle to what is already being done as part of process safety and good engineering practice will help to ensure it remains ‘evergreen’ and delivers the intended benefits.
SIL ratings and certification for fire & gas system hardware: Is industry barking up the wrong tree?
By Paul Gruhn
There are many devices (sensors, logic solvers and final elements) used in safety instrumented systems that are independently certified for use in safety applications to different safety integrity levels (SIL). There is considerable debate however whether fire and gas system hardware should have SIL ratings at all. Vendors are naturally interested in promoting independently certified hardware in order to differentiate their products. Considering the differences between safety instrumented systems and fire and gas systems, focusing on the SIL rating or performance of the actual fire and gas hardware alone is considered by some to be a misleading and questionable practice. This paper reviews a) the differences between safety instrumented systems and fire and gas systems, b) how typical voting of fire and gas sensors not only reduces nuisance trips (which is desirable) but also reduces the likelihood of the system actually responding to a true demand (which is not desirable), and c) why concepts and standards that apply to safety instrumented systems (e.g., SIL ratings) may not be appropriate for fire and gas systems.
Addressing Common Process Control Network (PCN) Misconfigurations Will Increase Availability, Security and Safety
The purpose of this paper is to raise awareness around common OSI Layer 2 networking misconfigurations found in Industrial Process Control Networks. These misconfigurations often introduce significant security vulnerabilities and negatively impact ICS availability. We’ll discuss the commonly found misconfigurations and demonstrate how they impact ICS security and availability, and present a case study from an oil & gas refinery that suffered widespread PCN outages as a result of these misconfigurations when attempting to upgrade two existing PCN switches.
Development and features of the aeSolutions FM approved FGS1400 MKII
The FGS 1400 MK II combines the required functionality into the latest generation of TÜV-certified safety PLC. By using the same hardware / software platform as the Siemens Simatic PCS7 series, the FGS 1400 MK II can be integrated into the entire plant system solution. It offers the advantages of common HMIs, spare parts, training, engineering / configuration tools, maintenance, and procedures to produce a dramatic saving in both installed cost as well as lifecycle costs.
Accounting for Emergent Failure Paths in LOPA
By Dave Grattan
One of the fundamental assumptions made when using standard LOPA (Layer of Protection Analysis) is that the barriers selected for a common threat path are independent. In most cases the analysis made by the LOPA team is adequate to judge the degree of independence between barriers. However, this may not always be the case, especially when the desired LOPA target is less than 1e-4 per year. In these cases, LOPA is more susceptible to unaccounted-for system effects than to the independent random failures that LOPA assumes. Another way to say this is that whenever a model (for example, LOPA) predicts that a failure will occur with a negligible chance, the probability that the model itself can fail becomes important.
Potential failure paths can emerge between barriers in a common threat path due to what is known as “system effects,” that is, interaction between otherwise independent barriers through common support systems (for example, Maintenance) or other Operational or Management impacts. Emergence is a system effect that cannot be identified through other methods, such as IPL (Independent Protection Layer) validation. However, Human Factors methods exist that provide a framework for discovering emergent failures between barriers due to system effects.
This paper will discuss the application of one such system technique known as “NET-HARMS” (Networked Hazard Analysis and Risk Management System). The NET-HARMS technique is a combination of two well-established Human Factors methods, the first being HTA (Hierarchical Task Analysis) and secondly, a modified SHERPA (Systematic Human Error Reduction and Prediction Approach) as the taxonomy used to classify system failures. Both methods are easy to use and can be learned quickly with a little practice. The author has several years’ worth of experience applying these methods to difficult LOPA problems involving administrative controls, and will show how this analysis can be extended to include hardware barriers as well.
Can we achieve Safety Integrity Level 3 (SIL 3) without analyzing Human Factors?
Many operating units have a common reliability factor which is being overlooked or ignored during the design, engineering, and operation of high integrity Safety Instrumented Functions (SIFs). That is the Human Reliability Factor. In industry, there is an over-focus on hardware reliability to the nth decimal point when evaluating high integrity SIFs (such as SIL 3), all to the detriment of the human factors that could also affect the Independent Protection Layer (IPL). Most major accident hazards arise from human failure, not failure of hardware. If all that were needed to prevent process safety incidents is to improve hardware reliability of IPLs to some threshold, the frequency of near miss and actual incidents should have tailed off long ago – but it hasn’t. Evaluating the human impact on a Safety Instrumented Function requires performing a Human Factors Analysis. Human performance does not conform to standard methods of statistical uncertainty, but Human Reliability as a science has established quantitative limits of human performance. How do these limits affect what we can reasonably achieve with our high integrity SIFs? What uncertainty is introduced into our IPLs if we ignore these realities?
This paper will examine how we can incorporate quantitative Human Factors into a SIL analysis. Representative operating units at various stages of maturity in human factors analysis and the IEC/ISA 61511 Safety Lifecycle will be examined. The authors will also share a checklist of the human factor considerations that should be taken into account when designing a SIF or writing a Functional Test Plan.
Process Safety Management, Jenga, Drift, and Preventing Process Industry Accidents
By Paul Gruhn
Paul Gruhn, P.E., CFSE
Global Functional Safety Consultant
aeSolutions, Houston, TX
There have been many well publicized process industry accidents over the last several decades. Much has been written about them, and many lessons learned have been proposed. Yet evidence would indicate there has not been a lessening of industry accidents. More recent realization of the complexity of modern processes, and the organizations responsible for designing, building, running, and maintaining them, has resulted in a broader understanding of accident causation, and what can be done to try and prevent further incidents. This paper will review the previous thinking process and recommendations, and offer an alternative approach and recommendations.
You Do Leak Detection, but Do You have Breach Detection?
By Paul Rostick
Pipeline leaks are bad for everyone. They can have catastrophic effects on the environment, on communities, and on a company’s bottom line. Given a bad enough leak, you could lose your license to operate, lose a fortune in revenue, even face jail time. No one wants leaks.
Pipeline companies invest considerable effort in preventing, detecting, and responding to leak incidents, but are they investing enough effort in preventing, detecting, and responding to cybersecurity incidents? Since, in principle, a cyber-incident could lead to a leak incident, companies should consider breach detection as part of their overall leak prevention program.
Addressing the Security Requirements in Functional Safety Standard IEC 61511-1:2016
The 2016 edition of IEC 61511-1 added two new requirements regarding the security of safety instrumented systems (SIS). The first requirement states that “a security risk assessment shall be carried out to identify the security vulnerabilities of the SIS” and the second requirement states that “the design of the SIS shall be such that it provides the necessary resilience against the identified security risks”. The standard directs the reader to ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010 for further guidance on how to comply with these requirements. While these documents are informative, the 479 combined pages do not provide concise guidance on how to address the specific security requirements. The purpose of this paper is to offer step-by-step guidance on how to address the security requirements in 61511 and to identify specific clauses in the reference standards for further information.
If it isn’t secure, it isn’t safe™
The convergence of Information Technology (IT) and Operations Technology (OT) platforms has exposed modern industrial automation systems to increased risk. Cyber threats have the potential to affect multiple layers of protection, including basic process control, process alarms and safety instrumented systems. In certain circumstances it may be possible for a single cyber threat to simultaneously defeat all three layers of protection. Unfortunately, traditional process hazard evaluation and mitigation techniques such as HAZOP and LOPA do not include a requirement to evaluate or mitigate cyber threats. This paper examines two aspects of integrating cybersecurity and process safety risk management.
How taking credit for planned and unplanned shutdowns can help you achieve your Safety Integrity Level (SIL) targets
Achieving Safety Integrity Level (SIL) targets can be difficult when proof test intervals approach turnaround intervals of five years or more. However, some process units have planned and predictable unplanned shutdowns multiple times a year. During these shutdowns, it may be possible to document that the safety devices functioned properly. This can be incorporated into SIL verification calculations to show that performance targets can now be met without incorporating expensive fault tolerance, online testing schemes, etc. This can result in considerable cost savings for an operating unit.
This paper will discuss various solutions to meet a SIL target: taking credit for planned and unplanned shutdowns, the justification for applying diagnostic coverage in SIL verification calculations, a summary of how diagnostic credit is determined, applying diagnostic credit from a shutdown event, and a case study.
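A worked illustration of the shutdown-credit idea, added here as an example and not the paper's own method: a documented shutdown is treated as a partial proof test that exercises only the fraction of dangerous failure modes actually observed to function, so the dangerous undetected failure rate is split between the short shutdown interval and the long turnaround interval. The simplified 1oo1 formula (PFDavg = λDU·TI/2, extended with a coverage fraction) and every number below (λDU, a five-year turnaround, two shutdowns per year, 60% coverage) are assumptions of this example.

```python
"""PFDavg credit for proof-test coverage obtained during shutdowns (added example).

Simplified 1oo1 model (assumption of this example, not the paper's method):
dangerous undetected failures at rate lambda_du per hour, a full proof test
every t_full hours, and a partial test every t_partial hours that covers a
fraction `coverage` of the dangerous failure modes. Mean repair time, common
cause and proof-test imperfection are deliberately left out.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg_full_test_only(lambda_du, t_full):
    """Baseline: PFDavg = lambda_DU * TI / 2 with no credit for shutdowns."""
    return lambda_du * t_full / 2.0


def pfd_avg_with_partial_tests(lambda_du, t_full, t_partial, coverage):
    """Failure modes exercised by the partial test are only exposed for
    t_partial on average; the remainder stay hidden until the full test."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    if t_partial > t_full:
        raise ValueError("partial test interval must not exceed full test interval")
    covered = coverage * lambda_du * t_partial / 2.0
    uncovered = (1.0 - coverage) * lambda_du * t_full / 2.0
    return covered + uncovered


def sil_from_pfd(pfd):
    """Low-demand SIL bands (IEC 61511): SIL 1 [1e-2, 1e-1), SIL 2 [1e-3, 1e-2),
    SIL 3 [1e-4, 1e-3), SIL 4 [1e-5, 1e-4). Returns 0 when no SIL is achieved."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # at or below the SIL 4 band


def shutdown_credit_case(lambda_du=5e-7, turnaround_years=5,
                         shutdowns_per_year=2, coverage=0.6):
    """Constructed scenario: compare the SIL achieved with and without credit
    for the failure modes documented as working during each shutdown."""
    t_full = turnaround_years * HOURS_PER_YEAR
    t_partial = HOURS_PER_YEAR / shutdowns_per_year
    before = pfd_avg_full_test_only(lambda_du, t_full)
    after = pfd_avg_with_partial_tests(lambda_du, t_full, t_partial, coverage)
    return {
        "pfd_no_credit": before,
        "sil_no_credit": sil_from_pfd(before),
        "pfd_with_credit": after,
        "sil_with_credit": sil_from_pfd(after),
    }


if __name__ == "__main__":
    result = shutdown_credit_case()
    print(f"no credit:   PFDavg {result['pfd_no_credit']:.2e} -> SIL {result['sil_no_credit']}")
    print(f"with credit: PFDavg {result['pfd_with_credit']:.2e} -> SIL {result['sil_with_credit']}")
```

With the constructed numbers the function only reaches SIL 1 on a five-year full test (PFDavg about 1.1e-2) but SIL 2 once 60% of the dangerous failure modes are shown to work at every shutdown (about 5.0e-3). The coverage fraction is the whole argument: it must be backed by records of which devices actually tripped and which failure modes that demonstrates, otherwise the credit is not defensible in a SIL verification.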
Improving Barrier Effectiveness using Human Factors Methods
By Dave Grattan
The Process Industry has an established practice of identifying barriers to credit as IPLs (Independent protection layers) through the use of methods such as PHA (Process Hazard Analysis) and LOPA (Layer of Protection Analysis) type studies. However, the validation of IPLs and barriers to ensure their effectiveness especially related to human and organization factors is lagging.
The two related issues this paper will address are, (1) the human and organization impact on effectiveness of a single barrier, and (2) the human and organization impact on all barriers in the same threat path.
Case Study of a Safety Instrumented Burner Management System (SI-BMS)
By Mike Scott
This case study will discuss the application of the safety lifecycle as defined by ANSI/ISA 84.00.01-2004 (IEC 61511 mod) to two single burner multiple fuel boilers. Each boiler is capable of firing natural gas, oil and/or waste gas, in order to supply the plant header with 1,365 psig steam at a maximum capacity of 310,000 lb/hr. The project team included the end client task force at the manufacturing facility, the engineering firm with design/procurement responsibility, the boiler OEM, the burner/gas train OEM, and the safety instrumented system consultant.
The Case for Penetration Testing in ICS Environments
Rising awareness of the need to secure industrial control systems (ICS), and the focus of organizations on rolling out ICS cybersecurity programs, have prompted a fresh look at the applicability and benefits of penetration (pen) testing. A well-designed pen testing project in a controlled environment provides insights and in-depth findings that cannot otherwise be obtained from traditional risk assessments alone. It complements risk-based assessment by taking a deeper look at critical zones and conduits that were identified during the assessment. The results and recommendations help generate cybersecurity requirements specifications and drive standardization of security measures across multiple plants within an organization. This paper highlights the benefits of pen testing in an ICS environment and offers guidelines to design and conduct a pen testing project.
Improving Human Factors Review in PHA and LOPA
By Dave Grattan
Human Reliability practitioners utilize a variety of tools in their work that could improve the facilitation of PHA-LOPA related to identifying and evaluating scenarios with a significant human factors component. These tools are derived from human factors engineering and cognitive psychology and include (1) task analysis, (2) procedures and checklists, (3) human error rates, (4) systematic bias, and (5) barrier effectiveness using Bow-tie. Human error is not random, although the absent-minded slips we all experience seem to come out of nowhere. Instead, human error is often predictable based on situations created external or internal to the mind. Human error is part of the human condition (part of being a human) and as such cannot be eliminated completely. A large portion of this paper describes, with practical examples, the five tools previously mentioned.
Burner Management System Challenges and Opportunities in Brownfield Installations
A two-pronged, templatized approach to multiple brownfield burner management system upgrades can result in significant cost savings. The first step requires coming up with an equivalent design for the safety instrumented burner management system following the ISA 84 safety lifecycle, as allowed in current NFPA standards. The second step utilizes a templatization approach for multiple units with common functionality that will allow an organization to further maximize savings. Actual experience doing this on repeat BMS projects indicates the level of overall savings can be as high as 75% on the safety lifecycle, 70% on the control system design and integration, and 35% on the operation and maintenance activities. The combined overall savings are roughly 60%.
Lessons Learned on SIL Verification and SIS Conceptual Design
By Rick Hanner
There are many critical activities and decisions that take place prior to and during the Safety Integrity Level (SIL) Verification and other Conceptual Design phases of projects conforming to ISA84/IEC61511. These activities and decisions introduce either opportunities to optimize, or obstacles that impede project flow, depending on when and how these decisions are managed. Implementing Safety Instrumented System (SIS) projects that support the long-term viability of the Process Safety Lifecycle requires that SIS Engineering is in itself an engineering discipline that receives from, and feeds to, other engineering disciplines.
This paper will examine lessons learned within the SIS Engineering discipline and between engineering disciplines that help or hinder SIS project execution in achieving the long-term viability of the Safety Lifecycle. Avoiding these pitfalls can allow your projects to achieve the intended risk reduction and conformance to the IEC 61511 Safety Lifecycle, while avoiding the costs and delays of late-stage design changes. Alternate execution strategies will be explored, as well as the risks of moving forward when limited information is available.
Benefits of Simple Consequence Modeling for Burner Management Systems
The current approach used to analyze fired heaters during a Process Hazard Analysis (PHA) is inefficient and outdated. Fired heaters can be one of the more complex systems evaluated in a PHA; however, they certainly aren’t anything new. In fact, they are one of the most common pieces of process equipment throughout industry, and have been for quite some time. Why then is such a large amount of PHA team time still needed to analyze them? Why, when using the same Process Safety Information (PSI), methodology, and risk criteria, can the results still be inconsistent? The obvious answer is the PHA team; different teams yield different results. Since the results of a PHA can impact several facets of a facility and its operation, including driving the Safety Integrity Level (SIL) for the heater’s Burner Management System (BMS), inconsistencies between analyses can have significant safety and financial impacts. If the consequence estimation is over-conservative the selected SIL may be too high, which will result in an over-designed and very costly Safety Instrumented System (SIS). Conversely, if the consequence estimation is too low, the facility’s risks may not be adequately reduced by the selected SIS. Therefore a means to efficiently and consistently determine the consequence is critical. This paper will describe how simple consequence modeling can solve this problem, its inherent benefits, and the cost savings it provides.
Improving the Safety Instrumented System (SIS) Design Process with Graphic Diagrams
During a Safety Instrumented System (SIS) implementation project at a plant site new to the ANSI/ISA 84 process safety lifecycle world, we discovered the importance of utilizing graphic diagrams in the development of SIS-related documentation to support the on-site team meetings and document decisions. The author will present examples of the different types of graphic diagrams, methods in which the diagrams were utilized, and the benefits that each provided in the implementation of certain phases of an ANSI/ISA 84 SIS lifecycle project. These diagrams were considered to be valuable process safety information and part of the final SIS Front End Loading design.
Implementing Safety Instrumented Burner Management Systems: Challenges and Opportunities
Implementing a Safety Instrumented Burner Management System (SI-BMS) can be challenging, costly, and time consuming. Simply identifying design shortfalls/gaps can be costly, and this does not include costs associated with the capital project to target the gap closure effort itself. Additionally, when one multiplies the costs by the total number of heaters at different sites, these total costs can escalate quickly. However, a “template” approach to implementing SI-BMS in a brownfield environment can offer a very cost effective solution for end users. Creating standard “templates” for all deliverables associated with a SI-BMS will allow each subsequent SI-BMS to be implemented at a fraction of the cost of the first. This is because a template approach minimizes rework associated with creating a new SI-BMS package. The ultimate goal is to standardize implementation of SI-BMS in order to reduce engineering effort, create standard products, and ultimately reduce cost of ownership.
Core Principles of an ICS Cybersecurity Program
The design and implementation of an Industrial Control Systems (ICS) cybersecurity program poses significant challenges due to the stringent requirements of a manufacturing plant and how control systems and their networks are engineered, operated and maintained. While industry has made significant strides in gaining awareness and applying resources to address these requirements, many organizations have also come to realize that implementing cybersecurity measures in the ICS environment (also referred to as Operations Technology or OT) is challenging and quite different from implementing cybersecurity in the enterprise IT environment. Many of the concepts proven and accepted in enterprise IT are either too difficult and/or complex to execute or simply not relevant to the operating environment. Guidance provided by the NIST framework and other publications is helpful for getting started, and experience also dictates that there is a core set of cybersecurity elements for the ICS environment that must be done right. This paper highlights the uniqueness of the ICS environment and offers core principles for a successful development and launch of an ICS cybersecurity program.
Conducting a Human Reliability Assessment to support PHA and LOPA
By Dave Grattan
A better methodology is needed to handle human factors and administrative controls when quantifying initiating cause frequencies and Independent Protection Layer (IPL) credits in PHA and LOPA, and is the topic of this paper. The methodology is aligned with the work of Swain and Guttmann (1983) Handbook of Human Reliability Analysis (NUREG/CR-1278). This paper will describe how the method can be applied to the semi-quantitative needs of PHA and LOPA. The results may also be used as an input to further QRA (Quantitative Risk Assessment).
This paper will present an overview of the Human Reliability Analysis (HRA) methodology, worksheets used to develop and document the HRA, examples of HR Event Trees, a method to incorporate the results back into PHA and LOPA, and lessons learned from conducting HRAs.
Beyond Compliance Auditing: Drill ‘til you find the pain points and release the pressure!
The authors of this paper look beyond traditional OSHA PSM and USEPA RMP regulatory compliance auditing to explore the value of drilling down around the process safety lifecycle; locating the pain points; and releasing the pressure on the system. Compliance auditing has historically provided a “check-the-box” approach to meet regulatory requirements imposed by OSHA and USEPA. Regulatory compliance, however, is no guarantee of the prevention of major accidents. There is still a need to identify hazards, understand and manage risks. Today’s auditors need to determine how to systematically identify the root cause of the “pain points” that will foster conversations around releasing the “pressure” on existing practices to achieve a vibrant integrated process safety management system.
Integrating ICS Cybersecurity and Process Safety Management (PSM)
The majority of process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks. Standards have been developed on how to assess and mitigate cyber risks to these systems. This paper provides an introductory summary of these topics.
Codes and Standards Update: Safety Instrumented Burner Management Systems (SI-BMS)
By Mike Scott
Invoking the concept of a Safety Instrumented – Burner Management System in all three of the NFPA 85, 86 and 87 series of codes / standards is a significant milestone for industry. This paper will explain changes as they apply to the concepts of Safety Instrumented Systems and include a discussion on equivalency clauses and / or linking paragraphs to ISA S84.00.01 – 2004 (IEC 61511 Mod) possibly allowing deviation from prescriptive requirements. Modification of logic solver requirements with inclusion of a direct reference mandating the use of Safety PLCs with minimum SIL capabilities in certain instances and changes related to sensors and valve requirements will be shared. This paper will also highlight areas where the concepts of Safety Instrumented Systems in the author’s opinion have been potentially misapplied within the NFPA series.
Understanding Overpressure Scenarios and RAGAGEP
During the PHA the team identifies consequences of concern arising from potential process deviations, identifies existing safeguards, or if LOPA (Layer of Protection Analysis) is required, the Independent Protection Layers (IPLs) available to reduce the likelihood of the consequence to a tolerable risk level. If the team identifies a gap, the team will propose recommendations to close the gap. An overpressure scenario can be a significant contributor to the risk of a facility. Overpressure of pressure vessels, piping, and other equipment can result in loss of containment of flammable or toxic materials. This paper will develop guidance including related RAGAGEP (Recognized and Generally Accepted Good Engineering Practice) to help engineers and designers participate in the safety lifecycle for managing the risk of overpressure.
Upcoming Changes in IEC 61511 2nd Edition
By Paul Gruhn
It has been over 10 years since the first release of IEC 61511. That committee has worked diligently to create a 2nd edition. A CD (Committee Draft) went out for review and comment by the national committees in 2012. The FDIS (Final Draft International Standard) went out to the committee in November 2015. The standard should be released in 2016. Note that there may still be editorial changes to the standard, but no further technical changes will be accepted for this edition. This paper summarizes the differences between the first and second editions of IEC 61511.
Impacts of Process Safety Time on Layer of Protection Analysis (LOPA)
The ability of an Independent Protection Layer (IPL) to achieve a given level of risk reduction is dependent upon its fulfillment of several core attributes. A key provision for any IPL to be considered effective and functionally adequate is its capability to respond to a process demand quickly enough to stop the propagation of the hazard scenario it was designed to prevent. While this seems obvious and reasonable, the estimation of Process Safety Time and the specification of IPL Response Times are more complex, and often deferred or overlooked altogether. What is Process Safety Time? How is it determined? When? And by whom? This paper examines the relationship between Process Safety Time and IPL Response Times, essential variables for the justification of IPL effectiveness, and their impacts on the success of Layer of Protection Analysis (LOPA).
Is Cost Effective Compliance with the IEC61511 Safety Lifecycle Sustainable?
By Mike Scott
While the concept of execute, monitor and sustain seems straightforward, for a variety of reasons most companies who have committed to the IEC61511 journey are solely focused on the execution of safety lifecycle documentation. This myopic approach will result in their failure to realize the full benefits to their organization of a cost-effective risk management program. In addition, without development of a holistic multi-year plan for safety lifecycle compliance, end user companies can expect to incur significant regret costs and schedule delays as they attempt to change the safety culture of their organization around adoption of IEC61511. In this paper, a proven roadmap for efficient and cost-effective safety lifecycle compliance and risk management will be defined, which emphasizes the use of an evergreen work process to support the concepts of execute, monitor and sustain.
Stopping the Swirl: Facilitation Tools that Improve PHA Results and Efficiency
Effective Process Hazard Analysis (PHA) facilitators combine soft skills with technical knowledge to guide PHA teams through a thorough identification and analysis of process hazards. Facilitators should consider the following examples of tools successfully used to stop the swirl by providing the PHA team with the right information at the right time.
A Leader’s Tactical Approach to Influence Changes in Process Safety Culture
By Laura Ankrom
Once an organization recognizes that a process safety culture change is needed, the question then becomes, how do we engage top level leadership so that they influence culture? And, what tactical activities and behaviors can leaders promote and participate in that will have a notable outcome? Key topics covered by the author include visible leadership, effective communications, risk based decision making, self-assessments, lesson learning, key performance indicators, and active monitoring and feedback.
IPL/CMS – Integrity Management of Non-SIS Independent Protection Layers After the LOPA
By Ron Nichols
A discussion of the identification, selection, implementation and management of Non-SIF IPLs through the process lifecycle.
Functional Safety Organization for Predictably Executing the ANSI/ISA 84 Safety Lifecycle
By Kathy Shell
Many companies are in the process of validating or updating their asset integrity management program for safety instrumented systems with the intent of achieving the performance standards in ISA 84.00.01, Functional Safety: Safety Instrumented Systems for the Process Industry. It is a challenge to determine the best organizational structure, the relevant roles and responsibilities, and the training or skills of individuals in key positions to execute the Safety Lifecycle workflow.
Some companies are setting up groups within their engineering organizations; others are expanding their reliability or maintenance departments. Still others are assigning the leadership roles in the process safety departments. In truth, execution of the Safety Lifecycle, as with the Process Safety Standard 29 CFR 1910.119, requires an integrated work flow across multiple disciplines and areas of practice.
The author will outline the organizational characteristics of a strong Functional Safety Program and the roles to be filled to predictably execute the full Safety Lifecycle and achieve the related risk management objectives. These roles will be outlined in terms of responsibilities, technical and business acumen and training, and interpersonal skills relevant to success.
Identifying Facility Siting Raw Risk and the Risk Reduction Decision Process
By Craig Shell
One of the outcomes of a facility siting study is the presentation of information to the facility site leadership team so they can recognize all of the hazards that can impact buildings intended for occupancy. It is this hazard recognition and risk reduction process that will be discussed in this paper. The authors will present a methodology for completing a facility siting assessment that starts with identifying an MCE, followed by breaking the MCE into additional credible events, and identifying likelihood and additional safeguards needed to manage the risk.
Roll Out and Maintenance Integration of SIS Proof Test and Inspection
A review of the technical and management challenges associated with implementing a standard SIS proof testing philosophy and documentation strategy across a multi-facility upstream oil and gas business unit.
Effective Management of PSM Data in Implementing the ANSI/ISA-84.00.01 Safety Lifecycle
An examination of the efficiencies that can be gained by effective PSI and MI data management and coordination.
A Database Approach to the Safety Lifecycle
Using a systematic database approach to design, develop, and test a Safety Instrumented System (SIS) using methodologies in compliance with ANSI/ISA S84.01 requirements can result in improved quality of design deliverables and system configuration while reducing implementation effort.
Industry Update: Safety Instrumented Fire & Gas Systems (SI-FGS)
By Mike Scott
An exploration of marketplace and industry trends surrounding Fire & Gas Detection Systems and their relationship to Safety Instrumented Systems. Includes results of an informal survey of OEMs, engineering firms, and end users to ascertain driving factors in the acceptance and use of SI-FGS systems.
What is the Safety Integrity Level of My Existing Burner Management System?
By Mike Scott
A discussion of the issues, decisions, and challenges encountered when applying the concepts of the Safety Lifecycle per ANSI/ISA 84.01, IEC 61508 and / or IEC 61511 to the design of an existing BMS for a single-burner natural-gas-fired installation. Also discusses identification of typical BMS SIFs and subsequent SIL determination.
Burner Management System Safety Integrity Level Selection
By Mike Scott
A discussion of utilizing quantitative methods to select the appropriate Safety Integrity Level associated with Burner Management Systems. Focuses on identifying the required amount of risk reduction and how that can impact efficiency and costs.
Identifying Required Safety Instrumented Functions for Life Safety Systems in the High-Tech and Semiconductor Manufacturing Industries
A discussion of issues and challenges encountered when attempting to apply Safety Lifecycle concepts per ANSI / ISA S84.01 to the design of a Life Safety System at a state-of-the-art fiberoptic manufacturing facility. Focus on industry-specific issues associated with the use of mitigation versus prevention techniques (typically encountered in the process industry).