
Safety System Functional Auditing

Safety System Audit

Uploaded by

thawdar
Copyright
© Attribution Non-Commercial (BY-NC)

SAFETY SYSTEM FUNCTIONAL AUDITING

Palaniappan R. Kannan, Consultant, SISRA Consultants, SINGAPORE 650318

KEYWORDS:
Safety Instrumented System, Functional Safety Audit, Assessment, SIS Audit Methodology, SIS O&M Phase, System Audit Implementation.

ABSTRACT:
No one can review their own work. This needs to be done by another individual or a team, depending on the complexity. This is the basis for assessment and auditing as advocated in safety standards. In order to make a facility safe, all the hazards need to be identified and controlled. The chance of a hazard manifesting itself is very high at the weakest point of control. That is why safety system standards focus on performance-based lifecycle implementation. Any lapse in any phase of the lifecycle can defeat all the efforts put forth in earlier phases. A study by HSE UK revealed that 44% of the accidents related to control and safety system failures were due to flaws in specifications. The remaining 56% were due to flaws in other phases of the lifecycle such as design implementation, commissioning and operation. Even though faults can be introduced in the design and commissioning phases, they show up only during operation. The purpose of audits is to capture mistakes and reveal where the lifecycle activities were not properly followed. This paper attempts to present a systematic approach to auditing.

INTRODUCTION:
Various international standards dealing with Safety Instrumented Systems (SIS) emphasise safety system auditing. IEC 61508 defines functional safety auditing as a "systematic and independent examination to determine whether the procedures specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives".

It also notes that a functional safety audit can be carried out as part of a functional safety assessment.

Copyright 2004 by ISA The Instrumentation, Systems and Automation Society. Presented at ISA AUTOMATION WEST; www.isa.org

SAFETY SYSTEM ASSESSMENT CHARACTERISTICS:


Depending on the project size and its characteristics, assessment has to be carried out at various phases of the project. The aim of assessments is to make sure that the hazards are controlled at the determined levels and that all the requirements specified in the requirement specification are met. These requirements shall include performance requirements, functional requirements and integrity requirements. Since assessment is a review process, some degree of independence is necessary in the team or person undertaking the assessment. The team should also be competent enough to carry out the job effectively.

The main functions in an assessment are to make sure that:
- Hazard and risk assessment recommendations are implemented
- The Safety Requirements Specification is followed in design, construction and implementation
- Operating, emergency, maintenance and safety procedures pertaining to safety systems are in place
- Safety system validation is properly done
- Employee training related to the safety system is completed
- Further safety assessment procedures are in place
- Recommendations from previous assessments have been resolved

All the above characteristics of assessment should be the characteristics of safety system auditing too. However, since auditing is the assessment carried out in the operation & maintenance phase alone, the focus is only on this particular stage of the project.

AUDIT FLOW CHART:


The audit that is conducted during the operation & maintenance phase of the safety system lifecycle falls under various steps, as shown in the figure below:

[Figure: SAFETY INSTRUMENT SYSTEM AUDITING STEPS. Flow chart with the following boxes, listed in the order they appear on the page: Prepare Audit Procedure; Appoint Auditor & Plant Co-ordinator; Review implementation of recommendations; Come out with a detailed audit plan; Conduct the Audit; Submit the report; List the recommended changes; Modification request; Study Impact analysis; Impact analysis report; Change authorisation; Change implementation; Audit log.]

These steps can be broadly divided into three major phases, namely:
- Procedure development
- Auditing
- Change implementation

AUDIT PROCEDURE DEVELOPMENT:


The audit procedure can be an overall corporate procedure, which should cover all the details related to safety system audits to be conducted in various facilities. It should as a minimum cover:
- Types of audits. The two main types can be the first audit, conducted immediately after project implementation, and the other audits, conducted subsequent to the first audit. The project implementation audit should cover all the phases of the lifecycle up to operation, the phase at which it is being conducted.
- Frequency of audits
- Auditing method and steps
- Audit participants and the level of independence required for the auditor or team
- Audit recording and presentation formats

AUDITING:
Auditing should be an independent activity conducted by competent personnel from outside the project or Operation & Maintenance team, reporting directly to the management. The requirement for an individual or a team of auditors depends on the scope of the audit. Suppose a project implementation audit is planned: then the whole of the safety system activities, documents and assessment reports up to this point need to be audited. This will start with hazard-risk analysis and run up to O&M procedures, including application software design. So if a single auditor competent in all these areas cannot be found, a team has to be identified and empowered to conduct the audit.

Auditing needs to be planned in advance to be effective. The first step is to appoint the auditor-in-charge and the co-ordinator on the plant side. Apart from familiarity with the safety system in the facility, the co-ordinator should be familiar with the various procedures followed in the facility. He should also be capable of skilfully co-ordinating with the auditor and the O&M team. In order to plan for the audit, the auditor should be provided with copies of, or given full access to, the necessary documents and procedures.

The requirement against which the facility needs to be audited has to be clearly identified. For example, during the project implementation type of audit, the focus can be on the project safety requirement specification and the various procedures in place. On subsequent audits the focus can be on the implementation of earlier recommendations, modifications carried out after the earlier audit and the changes made to corporate, regulatory and facility targets.

Based on the audit focus, the audit plan needs to be developed. The plan should describe the detailed requirements against which the particular audit will be carried out. It should also identify all the elements. This plan should be circulated among all the departments concerned with the audit for comments. Once the plan is finalised, the plant co-ordinator and the auditor need to identify the people who should be interviewed. A detailed audit schedule can be prepared and circulated.

Auditing can start with a kick-off meeting and can be followed with:
- document & procedure review
- interviews
- record review
- field auditing

As the auditing is conducted, audit progress meetings need to be held. Auditors should discuss and brief their findings to the facility representative during these meetings. These meetings should also be used to review the validity of the audit focus and whether any change needs to be made to it. A closing meeting needs to be held to give an overview of the report points.

Apart from presenting the findings, the audit report should summarise the recommendations and action plans so that their implementation can be verified during the subsequent audit. These recommendations and action plans can be prioritised so that those with high priority can be rectified. The priority can be based on how essential the recommended point is in the present and future phases of the lifecycle.

Mutual co-operation and trust between facility personnel and the auditor are required for the success of the audit. In choosing the auditor, the following competencies and skills can be looked for:
- Co-operating
- Presenting
- Adapting
- Coping
- Influencing

An attempt is made to come out with a format to record and report the audit findings. (Note that this is only a sample and the elements are neither complete nor exhaustive.)


PHASE: SAFETY REQUIREMENT SPECIFICATION

Points: 0 - Do not exist; 1 - Poor; 2 - Fair; 3 - Good; 4 - Very Good; 5 - Excellent

Columns: Element; Look for; Questions; Verification; Points; Notes

Element: SIF Description
Look for: How were all the data required for the SIF description derived and recorded? Are all these records the latest and updated?
Questions: Correct measurement for the hazard taken? Operating ranges, trip points & actions to be taken identified? Process safety time & other layers of protection mentioned? Operating state stated?
Verification: 1. Hazard / Risk / LOPA analysis. 2. SIF description in SRS.

Element: Threshold limit
Look for: How is it determined for each parameter?
Questions: Pre-alarmed for operator action? Troubleshooting zone available? Buffer zone between trip point & hazard zone available?
Verification: 1. Record for limit determination? 2. Records showing all the zones?

CHANGE IMPLEMENTATION:
Based on the recommendations in the audit report, action points can be listed, and action can be taken based on the priority of these points. Each action point can be an input to the modification phase, generating a modification request. The audit action points should also fix the responsibility. The responsible department should generate the modification request and should be responsible for the recommended action until it is closed out. However, it should be noted that the audit action points are not the only inputs to the modification phase.

Based on the modification requested, the impact this modification can have on the safety system has to be studied. If necessary, the study should start from the hazard and risk analysis phase. For example, if the existing design did not provide a manual means to actuate the final elements independent of the logic solver and the audit recommends such a facility, then this modification to the safety system is a design-related point and does not need hazard analysis.

The impact analysis study should produce a detailed study report for each modification requested. This report should also contain existing document and drawing mark-ups as attachments, and any other detail that can provide complete information for the change authorisation discussion and decision making.

Usually a team performs change authorisation. Some facilities call this team the Management of Change team. This team should comprise competent persons who completely understand, and are responsible for, the changes that are made. Once the change is authorised by the Management of Change team, the authorised change should be implemented and logged in the audit log. The audit log should contain all the details about the implemented change, including the corrected documents and drawings as attachments. During the next audit these audit logs will be used to verify which recommendations were implemented and which were not.

SUMMARY:
This paper focuses on the methodology of conducting SIS audits. SIS audits are part of functional safety assessment and are carried out during the O&M phase of the SIS lifecycle. The fundamental aim of the safety audits is to make sure that the hazards are controlled at the determined levels by the SIS installed in the facility. The auditing function contains three major phases: procedure development, auditing and change implementation. The audit procedure can be a corporate procedure or a generic procedure related to the facility. Auditing itself should be an independent activity based on a detailed audit plan developed for each audit. Auditing should be carried out against the elements identified in the audit plan and should stick to a schedule. Mutual co-operation and trust between auditors and the interviewees are required for the success of the audit. The audit report comprises change recommendations and prioritised action plans, which need to be implemented through the management of change procedures followed in the facility.

REFERENCES:
1. Functional safety of electrical / electronic / programmable electronic safety-related systems, IEC 61508, 2000, International Electrotechnical Commission, Geneva, Switzerland.
2. Application of safety instrumented systems for process industries, ANSI/ISA 84, 1996, ISA, Research Triangle Park, NC, USA.
