
2010 marks the Fifth Anniversary of the Buncefield and BP Texas Accidents

Pilz investigates if the lessons learned have incorporated the IEC 61511 Standard Requirements

Is ‘IEC 61511’ still the best kept secret in the Process Industry?

This year marks the fifth anniversary of two high-profile accidents in the process industry, the first at the BP Texas facility in the U.S. (March 2005: 15 killed, 180 injured) and the second at Buncefield in the U.K. (December 2005: 43 injured). Both accidents illustrate the consequences of failures in plant safety: both explosions occurred because inadequate level monitoring systems (safety instrumented systems) allowed flammable liquid to escape containment and ignite. (More familiar terms for ‘safety instrumented systems’ (SIS) include ‘emergency shutdown systems’, ‘trip systems’, ‘safety interlock systems’ and ‘safety shutdown systems’.)

The accident at Buncefield occurred due to the overflow of a fuel storage tank, which lasted 40 minutes at a rate of 4,000 gallons per minute and created a cloud of flammable vapour that was visible on security cameras as it spilled over the bund wall. This cloud spread throughout the facility and into the parking lot of neighbouring facilities before it was ignited. The resulting explosion spread to 20 nearby fuel storage tanks. Like many previous incidents in the process industry, the Buncefield incident highlighted (in a dramatic way) the need for high integrity systems. However, before protective systems are installed there is a need to determine the appropriate level of integrity that such systems are expected to achieve. ‘The overall systems… must be of high integrity – with sufficient independence to ensure timely and safe shutdown… Site operators should meet the latest international standards’ (The Buncefield Major Incident Investigation Board).

The Buncefield Major Incident Investigation Board stated that competent authorities and operators of sites should develop and agree a common methodology to determine safety integrity level (SIL) requirements for overfill prevention systems, in line with the principles set out in the IEC 61511 standard. Where independent automatic overfill prevention systems are already provided, their efficacy and reliability should be reappraised in line with the principles of the IEC 61511 standard.

Similar to Buncefield, the investigation of the BP Texas refinery highlighted problems with safety system design and selection, inadequate Process Hazard Analysis (PHA), and mismanagement of safety critical equipment. During the process startup the level transmitter indicated that the liquid level in the splitter tower was gradually declining, although it was actually rising. Based on the analysis of the relief system, the blowdown drum was undersized and the emergency relief system design did not address the potential for a large liquid release in the event that the raffinate splitter tower overfilled. The instruments associated with the raffinate splitter tower and the blowdown drum were causal factors in the BP Texas City explosion. The IEC 61511 approach (or its US equivalent, ISA 84) was not followed at BP Texas.

Inadequate and fragmented safety measures at the BP Texas site pointed to a failing in the industry as a whole, according to the Independent Safety Review Panel, which stated: "We are under no illusion that deficiencies in process safety culture, management, or corporate oversight are limited to BP… We urge [these] companies to regularly and thoroughly evaluate their process safety management systems, and their corporate safety oversight for possible improvements.”

Structured methodologies for the deployment of prevention and mitigation measures, in the form of international safety standards, have been developed for the very purpose of reducing the likelihood of such events occurring and, if they do occur, minimising the severity of the consequences. IEC 61511 "Functional Safety – Safety instrumented systems for the process industry sector” is the only internationally approved method to demonstrate compliance with the application of safety instrumented systems for process industries. The IEC 61511 standard (comprising three parts) was first published by the International Electrotechnical Commission (IEC) in 2003. It was developed by an international working group comprising experts from the chemical and petrochemical industries. As such it represents the worldwide consensus view on how such systems should be engineered to ensure safety. It covers all aspects of the lifecycle of a system, from initial specification and design through installation, operation and maintenance to eventual decommissioning.

It is our belief at Pilz Ireland, however, that the process industry is still largely unaware of the requirements, and therefore many facilities still fail to apply the IEC 61511 standard effectively. The rewards of such a structured approach are highlighted by the benefits that correct specification and management of safety instrumented systems can achieve, i.e. a cost-effective and ‘quantifiable’ risk reduction approach that avoids the common pitfalls of either costly over-specification or inadequate under-specification of safety instrumented systems. In relation to incorrect specification, a study by the UK HSE (Health & Safety Executive) found that 85 percent of all safety control system failures are engineering-related, with about 60 percent built into the SIS before installation.

The IEC 61511 standard was developed specifically to prevent incidents in the process industry such as Buncefield and BP Texas. The standard defines four levels of safety integrity: SIL1, SIL2, SIL3 and SIL4. The higher the required SIL, the higher the level of safety the system needs to achieve and the lower the probability that the system will fail to perform properly. The required or ‘target’ SIL is determined by a hazard and risk assessment that takes into account safety instrumented and other measures that reduce the risks associated with the hazard under consideration. The tolerable risk target for the specific application is set using a corporate risk tolerance criteria approach and the ALARP (as low as reasonably practicable) approach. The following steps highlight the recommended IEC 61511 compliance approach:

1. For measures reliant on a Basic Process Control System (BPCS), a list of consequence scenarios is generated (from the HAZOP/PHA stage).

2. These scenarios are assessed to filter out those with a "high consequence”.

3. A Layer of Protection Analysis (LOPA) is then conducted, yielding a statistical determination of the performance level required.

4. The Detailed Safety Requirements Specification (DSRS) follows the LOPA stage allocating safety functions to specific protection layers and systems i.e. outlining the ‘required’ or ‘target SIL’.

5. The Safety Instrumented Functions (SIFs) are then designed and validated in accordance with the required safety integrity levels.

6. Once the design has been validated by competent persons, the Installation and Commissioning phases can be implemented.

7. Following Installation and Commissioning, the safety validation process (SIL Verification, Functional Safety Assessment) designed at the specification stage is completed, with a determination that the system as implemented meets all the safety requirements (i.e. the ‘achieved SIL’).

The above stages enable project teams to understand the exact cost, benefits and performance levels for all relevant functions and to select the most effective and adequate safety solutions based on an objective and fully traceable analysis. The development of management/maintenance systems, policies and procedures ensures the ongoing performance of implemented systems and completes compliance with the IEC 61511 standard.
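Steps 3 to 7 above reduce to a small amount of arithmetic: LOPA multiplies an initiating event frequency by the PFDs of the existing protection layers, compares the result with the tolerable frequency to obtain the risk reduction the SIF must deliver, maps that to a target SIL band, and SIL Verification later checks that the loop as built (with its proof-test interval) actually achieves it. The following worked example is added here to make that chain concrete; it is not Pilz code and not part of the original article. The SIL bands are the IEC 61511 low-demand PFDavg ranges; everything else (the overfill scenario, the tolerable frequency of 2e-5 per year, the dangerous-undetected failure rates, the simplified 1oo1 formula PFDavg = λDU × TI / 2) is a constructed, simplified illustration of the method, not data from the standard or from either investigation.

```python
"""Worked LOPA -> target SIL -> SIL verification example (constructed illustration, not Pilz code)."""
from dataclasses import dataclass
from math import prod

# IEC 61511 low-demand SIL bands: SIL -> (PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd: float) -> int:
    """Map an average probability of failure on demand to its SIL band (0 = below SIL1)."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # pfd < 1e-5: beyond the SIL4 band on the PFD criterion alone


@dataclass
class Scenario:
    """One LOPA consequence scenario (all values constructed for illustration)."""
    name: str
    initiating_event_freq: float   # demands per year, e.g. BPCS level loop failure
    ipl_pfds: list                 # PFDs of independent protection layers other than the SIF
    tolerable_freq: float          # tolerable event frequency per year from corporate criteria


def mitigated_frequency(s: Scenario) -> float:
    """Event frequency after the existing IPLs, before any SIF credit is taken."""
    return s.initiating_event_freq * prod(s.ipl_pfds)


def required_sif_pfd(s: Scenario) -> float:
    """Risk reduction the SIF must provide: tolerable / mitigated frequency (capped at 1)."""
    return min(1.0, s.tolerable_freq / mitigated_frequency(s))


def required_sil(s: Scenario) -> int:
    """Target SIL for the SIF; raises if a single SIF cannot close the gap on its own."""
    pfd = required_sif_pfd(s)
    if pfd < 1e-5:
        raise ValueError(f"{s.name}: required PFD {pfd:.2e} is beyond SIL4; redesign the layers")
    return sil_for_pfd(pfd)


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_h: float) -> float:
    """Simplified PFDavg for a single-channel (1oo1) element: lambda_DU * TI / 2."""
    return lambda_du_per_hour * proof_test_interval_h / 2


def sif_pfd_avg(lambda_du_by_subsystem: dict, proof_test_interval_h: float) -> float:
    """PFDavg of a loop whose sensor, logic solver and final element are each 1oo1 (sum of parts)."""
    return sum(pfd_avg_1oo1(l, proof_test_interval_h) for l in lambda_du_by_subsystem.values())


def max_proof_test_interval_h(lambda_du_by_subsystem: dict, required_pfd: float) -> float:
    """Longest proof-test interval at which the same 1oo1 loop still meets required_pfd."""
    return 2 * required_pfd / sum(lambda_du_by_subsystem.values())


def verify_sif(s: Scenario, lambda_du_by_subsystem: dict, proof_test_interval_h: float) -> dict:
    """Step 7 check: does the SIF as built achieve the target set at the LOPA/DSRS stage?"""
    req_pfd = required_sif_pfd(s)
    ach_pfd = sif_pfd_avg(lambda_du_by_subsystem, proof_test_interval_h)
    return {
        "required_sil": required_sil(s),
        "required_pfd": req_pfd,
        "achieved_pfd": ach_pfd,
        "achieved_sil": sil_for_pfd(ach_pfd),
        "meets_target": ach_pfd <= req_pfd,
        "max_test_interval_h": max_proof_test_interval_h(lambda_du_by_subsystem, req_pfd),
    }


# Constructed tank-overfill scenario: the BPCS level loop fails 0.1 times per year; the only
# other IPL is operator response to a high-level alarm (PFD 0.1); tolerable frequency 2e-5/yr.
OVERFILL = Scenario("tank overfill to bund", 0.1, [0.1], 2e-5)

# Constructed dangerous-undetected failure rates (per hour) for a 1oo1 overfill loop.
OVERFILL_LOOP = {"level_transmitter": 2e-7, "logic_solver": 1e-8, "shutoff_valve": 5e-7}

if __name__ == "__main__":
    for ti in (8760.0, 4380.0):  # annual vs. semi-annual proof testing
        r = verify_sif(OVERFILL, OVERFILL_LOOP, ti)
        print(f"TI={ti:.0f} h: need SIL{r['required_sil']} (PFD<={r['required_pfd']:.1e}), "
              f"got PFD={r['achieved_pfd']:.2e} SIL{r['achieved_sil']} meets={r['meets_target']}")
```

Run as a script, the constructed scenario needs a SIL2 SIF with PFDavg no worse than 2e-3. With annual proof testing the loop sits in the SIL2 band but at 3.1e-3 misses the scenario's own target, which is exactly the kind of mismatch step 7 exists to catch; halving the proof-test interval brings it to 1.55e-3 and closes the gap. Note that a real SIL verification also has to satisfy the standard's architectural (hardware fault tolerance) and systematic capability requirements, which this PFD-only calculation does not cover.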

Historically, legacy instrumentation and control systems implemented in the process sector were based on the ‘best practice’ and ‘site experience’ of the time. However, higher demand, new technologies and new standards provide a pathway to improved performance in process design, implementation and operation. There is an increasing demand for conformity assessment to be carried out by third party bodies, who will examine the ability of a company to manage its safety activities. In particular, safety systems may not be considered acceptable unless they are supported by suitable management systems with competent staff. The intelligent adoption of IEC 61511, combined with the selection of an appropriate SIS platform, not only addresses these issues but will yield additional benefits including:

  • Deterministic Predictability
  • No Under/ Over Specifications
  • Higher Availability
  • Reduced Test Intervals
  • Independent Validation of SIS integrity
  • Compliance with Best International Practice
  • Demonstration of a compliant methodology to interested parties
  • Full traceability: the early consideration of the safety issues in the plant lifecycle will simplify future operational or plant modifications due to the traceability provided.

It is no coincidence that the major contributory factors of the Buncefield explosion were foreseeable and would have been detected and considered in the process described above. That is why the main recommendation from the investigations was the adoption of a process as defined in IEC 61511. However, awareness and implementation of the IEC 61511 standard still remain a mystery to many, and for others it remains the best kept secret in the process industry.

The overall cost of the Buncefield explosion to its owners (Texaco/Total Oil) and the U.K. economy is estimated to be well in excess of £300 million (some estimates put the figure at over €1bn). The HSE in the UK believe that the primary contributing factors would have been detected in a competently managed IEC 61511 lifecycle. Consequently the HSE are recommending such an approach when constructing new plant or retrofitting existing plants. U.S. authorities have issued similar recommendations in the fallout from the BP Texas accident. The process sector would do well to review its current strategies to mitigate similar incidents at its own facilities.


For further information or to learn more about the IEC 61511 process, email sales@pilz.ie or contact us on 021 4346535.

For more information on our services, follow the link to www.pilz.ie/ie/services/process_safety


Contact

PILZ Ireland
Cork Business and Technology Park,
Model Farm Road, Cork
Telephone: +353 21 4346535
Fax: +353 21 4804994
E-mail: sales@pilz.ie

© Pilz GmbH & Co. KG