- By Dr. Steve Gandy
- June 07, 2021
- exida
- Feature
Summary
Testing and documenting the performance of an SIS is an essential part of ensuring it can fulfill its designed functional safety requirements. This article comes from the May 2021 issue of Intech Focus: Process Control and Safety.

It is hard to believe that the IEC 61511 standard has been in existence since 2003, and most companies operating in the process, chemical and refining industries—or any other hazardous process manufacturer—have adopted its practices. It is also significant that any plants that were built at that time with safety instrumented systems (SISs) will now be halfway through their useful life. This raises the question of how well companies have been recording the performance of their SIS in terms of failures, spurious trips, time to repair/restore, and proof testing results. The new 2016 edition of IEC 61511 emphasizes this need more strongly in terms of preventing systematic issues through procedures and competency. This article highlights how testing and documenting the performance of the SIS is an essential part of ensuring it can fulfill its designed functional safety requirements. This is especially true as the SIS approaches its end of useful life.
Over the past two decades, automation has constituted one of the dominant factors used by chemical and petrochemical industries in cost reduction efforts. Automation has been characterized by staff layoffs, and the few who remain are not only exposed to prolonged work hours but also are struggling to cope with the increasing work demands. Coupled with the shortage of skilled employees, the condition is even worse when more complex instrumentation and automation systems are introduced.
In the face of such challenges, the introduction of the IEC 61511 standard for the process industries has steadily shaped safety improvements through the safety life cycle (SLC). This is a shift from a strictly prescriptive methodology to a more performance-based methodology. The objective is risk reduction. This article will not define the application of the standard but will examine one important aspect of the SLC: the operations and maintenance (O&M) requirements for the plant SIS.
IEC 61511-1 Clause 16: SIS operations and maintenance
The term SIS is used rather than the generic “safety system” because a plant has numerous safety systems, and not all of them are in compliance with IEC 61511. Only safety instrumented functions (SIFs) that are part of safety instrumented systems are required to comply, as represented in figure 1.
IEC 61511-1 Clause 3.2.72 defines an SIS as an instrumented system meant to implement one or more SIFs, made up of any combination of sensor(s), logic solver(s), and final element(s), as illustrated in figure 2. An SIS can include safety instrumented control functions, safety instrumented protection functions, or both. An SIS also may include software.
To fulfill IEC 61511-1 Clause 16, the end user must have an adequate operation and maintenance plan that preserves the required safety integrity level (SIL) of each SIF during operation and maintenance tasks, so that the function and integrity of the SIS are maintained (figure 3).
The importance of lagging and leading indicators
IEC 61511 is a “performance-based” standard that requires owner/operators to undertake “periodic” assessments to identify:
- near misses
- trips—real and spurious
- faults—random and systematic
- process upsets.
The purpose of lagging data is to assist in preventing future problems, developing training programs, and improving procedures. Leading indicators, in turn, help predict future events, which may include overdue inspections and late maintenance. Through a clear understanding of the leading and lagging indicators, effectiveness and efficiency can be enhanced.
Operations and maintenance plan
The O&M plan is a working document tailored to ensure SIS maintenance meets its designed functional safety and entails:
- routine and abnormal operation activities
- proof testing
- procedures, measures, and techniques ideal for operation and maintenance
- verification of adherence to protocols
- period for undertaking such activities
- identity of the stakeholders.
Operation and maintenance procedures
IEC 61511-1 Clause 16.2.2 mandates the creation of O&M procedures with the relevant safety planning and provides:
- routine actions that need to be carried out to maintain the “as designed” functional safety of the SIS, such as proof test intervals
- requisite actions and constraints in risk mitigation
- information on system failure and demand rates
- information on audits and tests
- the maintenance procedures to follow when problems occur, including:
  - fault diagnostics and repair procedures
  - revalidation procedures
  - maintenance reporting requirements
  - tracking performance procedures
- properly calibrated and maintained tools
These requirements place a heavy burden on the O&M personnel who need to have the requisite skill set to be able to maintain the SIS. In addition, the O&M personnel will be required to follow a written proof test procedure as defined in IEC 61511-1 Clause 16.2.8. The proof tests will need to cover the entire SIS including the sensor(s), the logic solver, and the final element(s) (e.g., shutdown valves and motors). In addition, the proof tests will need to be carried out at intervals that were specified and used to calculate the PFDavg for the SIF. The implication is that personnel training is a key element to ensuring the SIS can be maintained and operated correctly.
What happens in practice?
To adhere to the IEC 61511-1 Clause 16 provisions, adequate documentation and knowledge of the tracking system are vital to following adequate procedures. It remains to be seen how diligent the personnel are at recording this data, since it depends on the plant’s safety culture, as reported in the Tesoro incident in 2010, which resulted in seven deaths.
How data is recorded
Most basic process control systems (BPCS) need a historian that logs trips, alarms, and diagnostic faults for archiving plant data. Normally, this type of data associated with the SIF also is recorded in a historian. In addition, the purpose of proof testing is to reveal undetected faults, and it must be undertaken according to the written procedure. When proof test coverage is included, the frequency and thoroughness of manual proof testing will be assured.
IEC 61511-1 Clause 16.3.3 also requires that records be kept certifying that proof tests and inspections were completed, including:
- outline of tests and inspections
- tests and inspection dates
- identity of the individual performing tests and inspections
- unique identifier of the system tested
- results of the tests and inspection.
Technology can help
Currently, handheld tablets are widely used in recording data in electronic format. However, having a dedicated tool specifically designed for this purpose remains a challenge. Consequently, O&M personnel rely on Excel spreadsheets to supplement paper-based systems.
O&M personnel would need a tool that can record functional safety-related statistics/performance metrics, as well as life events such as:
- demands—both real and spurious
- inspection and proof test results
- maintenance activities
- failure reporting.
Recording demands such that the user can determine which protection layer failed is another important aspect because the information provided would enable the user to determine the demand frequency of the hazard scenario and initiate a corrective action (figure 4). The information also could be used to determine the demand frequency of the hazardous event (figure 5).
Having a tool that enables the storage of physical devices of the SIS in a database and identifies them by their associated tags and/or descriptions will enable O&M personnel to enhance efficiency in undertaking replacement procedures (figure 7).
Giving the O&M personnel an automatic proof test generator that allows them to specify individual proof test steps with pass/fail criteria would be a significant benefit (figure 8). This would allow the O&M personnel to only record factual data during a proof test.
Problems found during proof testing need to be repaired pursuant to IEC 61511-1 Clause 16.3.1.4. Although the standard doesn’t specify a particular time period, the mean time to restore (MTTR), as used during the SIL determination of the SIF(s) and for the PFDavg calculation, must be followed to restore the SIS to its safe state as soon as possible. Having the ability to identify and rectify deficiencies quickly and effectively is the key (figure 9). The ability to record these maintenance activities via a handheld or mobile device would simplify the O&M personnel’s job.
Essentially, being able to select and locate a device from the plant’s hierarchy tree for maintenance and/or replacement via the tool will save time, especially if the O&M personnel can record the cause and any comments (figures 10 and 11).
Another benefit would be enhancing the ability of the O&M personnel and the plant’s safety manager or team to view all the encountered events as presented in figure 12. The benefits from maintenance of a well-structured, defined, and automated recording system include:
- detailed failure analysis
- false plant trip reduction
- comparison of actual performance with assumed performance
- adequate risk reduction
- continued data collection
- ability to establish level of accuracy in risk reduction (high or low)
- the ability to identify if the risk reduction is more than adequate:
  - system is overdesigned
  - enhance system flexibility
- data for future safety life-cycle tasks, including:
  - risk assessment
  - layer of protection analysis
  - SIL target selection
  - SIL verification.
The information gathered will enable the plant safety personnel to reevaluate the proof testing frequency based on the historical test data gathered, plant experience, hardware degradation, and software reliability, subject to the plant safety manager’s approval. In addition, a software tool can help solve communication problems within the plant between the various managers and their different departments.
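As an added worked example (not from the article or from exida’s tools), the following Python compares the PFDavg assumed in the SRS with the PFDavg implied by proof test records of the kind Clause 16.3.3 requires, and derives the longest proof test interval that still meets the target SIL. It assumes a single-channel (1oo1) SIF and the simplified low-demand approximation PFDavg = λDU × TI / 2, ignoring MTTR and common cause; the tag SIF-101, the tester id and all records are constructed sample data.

```python
# Added example (not from the article or exida's tools): check an SRS-assumed PFDavg against
# proof-test records using the simplified low-demand 1oo1 approximation PFDavg = lambda_DU*TI/2.
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0
# Low-demand SIL bands as (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

@dataclass
class ProofTestRecord:
    """Clause 16.3.3 fields: device tested, date, tester, and whether a dangerous undetected (DU) fault was revealed."""
    tag: str
    date: str
    tester: str
    du_fault_found: bool

def pfdavg_1oo1(lambda_du_per_hour: float, ti_years: float) -> float:
    """Simplified 1oo1 PFDavg = lambda_DU * TI / 2 (MTTR and common cause ignored)."""
    return lambda_du_per_hour * ti_years * HOURS_PER_YEAR / 2.0

def sil_from_pfdavg(pfdavg: float) -> int:
    """SIL band satisfied by a PFDavg; 0 means the function does not reach SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfdavg < high:
            return sil
    return 0

def observed_lambda_du(records: List[ProofTestRecord], devices: int, years: float) -> float:
    """Field estimate of lambda_DU: DU faults found at proof test per device operating hour."""
    return sum(1 for r in records if r.du_fault_found) / (devices * years * HOURS_PER_YEAR)

def max_test_interval_years(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest TI (years) keeping PFDavg inside the target band: TI = 2 * PFD_upper / lambda_DU."""
    pfd_upper = next(high for sil, _, high in SIL_BANDS if sil == target_sil)
    return 2.0 * pfd_upper / lambda_du_per_hour / HOURS_PER_YEAR

def compare_with_srs(assumed_lambda_du, records, devices, years, ti_years, target_sil):
    """Return (assumed PFDavg, observed PFDavg, achieved SIL, discrepancy to assess per Clause 16.2.6)."""
    assumed = pfdavg_1oo1(assumed_lambda_du, ti_years)
    observed = pfdavg_1oo1(observed_lambda_du(records, devices, years), ti_years)
    achieved = sil_from_pfdavg(observed)
    return assumed, observed, achieved, achieved < target_sil

# Constructed history: 10 transmitters on tag SIF-101 proof tested yearly for 5 years (50 device-years),
# with 3 DU faults revealed. SRS assumption for the check: lambda_DU = 5e-7/h, TI = 1 year, target SIL 2.
RECORDS = [ProofTestRecord("SIF-101-PT%02d" % dev, "%d-03-15" % year, "tech-A",
                           (year, dev) in {(2018, 3), (2020, 7), (2021, 3)})
           for year in range(2017, 2022) for dev in range(10)]
```

With the constructed data, compare_with_srs(5e-7, RECORDS, 10, 5.0, 1.0, 2) returns an assumed PFDavg of about 2.2e-3 (SIL 2) against an observed 0.03 (SIL 1) and sets the discrepancy flag, and max_test_interval_years shows the observed rate would need a test interval of roughly four months to stay in SIL 2.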
Final thoughts
This article has outlined key issues involved in following the requirements of IEC 61511 Clause 16 for operation and maintenance of the SIS. As mentioned at the outset, the article highlights how testing and documenting the performance of an SIS is an essential part of ensuring it can fulfill its designed functional safety requirements, as defined in the SRS.
Key points include:
- There is a need to manage risk—not ignore it.
- There is a need to adopt an appropriate safety-first culture to ensure O&M personnel are trained and competent to maintain the plant SIS.
- Recording lagging and leading indicators is an important part of maintaining and improving process safety.
- Having the proper operation and maintenance procedures in place is vital to ensuring a safe and well-maintained SIS.
- Developing a safety checklist will ensure consistency in approach and methodology that can be adopted over multiple sites.
- Undertaking regular employee competency assessments is crucial to prevent mistakes that could lead to accidents or spurious plant trips.
- Ensure that proof testing is conducted in accordance with the safety requirements specification of the SIS (i.e., using the same test interval as used in the PFDavg calculations).
- Recording all maintenance activities accurately and faithfully in accordance with IEC 61511 Clause 16.3.
- Using software tools/technology to assist in recording and auditing maintenance activities, spurious trips, SIS demands, calibration, and faults will save time and improve effectiveness.
- Using software tools/technology to help analyze failures, false trips, and actual performance of the SIS compared to assumed performance will help in meeting IEC 61511 Clause 16.2.6. Any discrepancies must be assessed.
- Well-recorded and accurate SIS performance data will enable plant safety personnel to reevaluate the frequency of proof testing, based on the historical data gathered, plant experience, hardware degradation, and software reliability.
About The Author
Dr. Steve Gandy CFSP, DPE, MBA, DipM is vice president of global business development at exida. Gandy has more than 42 years of experience in hardware and software engineering for industrial controls and safety systems, pharmaceutical, and power utility applications. He currently leads the end user functional safety business for exida and is the lead trainer for the Functional Safety Engineering (FSE100) Course. Gandy has global business development responsibilities and provides support primarily to process industry end users in the areas of safety and security.