April 18th, 2018
Process safety regulations, standards, and loss prevention practices are derived from a tangled web of documents. Navigating the references between entities to determine whether your system is in compliance with all of the associated parties can be convoluted. Over the years, many things have changed in the industry, including products, standards, regulations, and equipment approvals. These changes have resulted in improved safety measures through risk avoidance and advancements in technology and products.
The purpose of this article is to provide a brief explanation of how end users, insurance companies, system manufacturers, standards organizations, and government agencies identify how a process safety system is to be designed, operated, and maintained over its lifecycle. The intent herein is to outline the referenced standards and associated documented clauses to clarify the lineage and demystify compliance.
Occupational Safety & Health Administration (OSHA)
The United States Occupational Safety and Health Act of 1970 created the Occupational Safety and Health Administration (OSHA), which is part of the United States Department of Labor. The purpose of this administration is to assure safe and healthy working conditions for men and women by setting and enforcing standards and by providing training, outreach, education and assistance. In 1992, OSHA created the Process Safety Management (PSM) regulation, which is composed of standards of organizational and operational procedures. Specifically, 29 CFR 1910.119 contains requirements for preventing or minimizing the consequences of toxic, reactive, flammable, or explosive chemicals. US companies that contain 10,000+ pounds of hazardous material are required to adhere to the PSM documented regulations.
PSM is a performance-oriented standard, which allows employers flexibility in complying with the requirements. The standard directly references and enforces Recognized And Generally Accepted Good Engineering Practices (RAGAGEP). These consist of widely adopted codes such as NFPA, consensus documents, non-consensus documents, and internal standards. In 2000, OSHA officially recognized the revised ANSI/ISA S84.01-1996 “Application of Safety Instrumented System for Process Industry” as a generally accepted good engineering practice.
Compliance with ISA S84.01 does not ensure compliance with PSM standards because the regulations cover a broader spectrum than just functional safety for the process industry sector. However, if a company can demonstrate that an existing SIS designed to 1910.119(d)(3)(i)(F) (design codes and standards employed) complies with ISA 84 (technically now transitioning to IEC 61511) and meets all other OSHA PSM requirements related to a SIS, it shall be considered in compliance.
Factory Mutual (FM)
Factory Mutual (FM) is a global insurance provider and loss prevention engineering company that determines risk by engineering analysis rather than an actuarial approach. FM provides an extensive testing and approval process to ensure products meet quality, technical integrity, and performance requirements for the purposes of property loss prevention. FM Approval is recognized and respected worldwide.
FM has developed an extensive set of combustion control standards that are used for testing and approval reference purposes. These cover automatic shutoff valves, flame sensors, flow and pressure switches, and other combustion control equipment. Specifically, FM 7605 is an approval standard that defines the requirements for programmable logic control (PLC)-based burner management systems (BMS). This standard directly references compliance of both hardware and software with the requirements defined in IEC 61508, Standard on Functional Safety of Programmable Electronic Systems.
The figure below depicts the relationship between regulating bodies, the underwriter, and industry standards. Dotted lines represent direct references of the associated standard within the written documentation. This diagram shows the lineage from a regulator and legal perspective.
National Fire Protection Association (NFPA)
The National Fire Protection Association (NFPA) is a global nonprofit organization devoted to eliminating death, injury, property, and economic loss due to fire, electrical and related hazards. This is accomplished by delivering codes and standards to minimize risk. In reference to the use of BMS, they have produced NFPA 85-Boiler and Combustion System Hazard Code, NFPA 86-Standard for Ovens and Furnaces, and NFPA 87-Standard for Fluid Heaters.
In 2015, the NFPA standards listed above were updated to invoke the concept of a safety instrumented system (SIS) by referencing ISA 84/IEC 61511. The NFPA 85 standard is a prescriptive approach with specific requirements. This standard also states that an end-user can utilize alternate solutions as long as one can demonstrate conformance to the ISA 84/IEC 61511 standard, which is a performance-based standard, and approval of the appropriate authority having jurisdiction.
American National Standards Institute / International Society of Automation (ANSI/ISA)
The American National Standards Institute (ANSI) oversees the development, promotion, and safeguarding of standards and guidelines for the purpose of global competitiveness of U.S. business and quality of life. This organization manages and coordinates a national consensus by standardizing and accrediting the procedures of the standards developing organizations. That is, it confirms that the standards meet the Institute’s requirements for openness, balance, consensus and due process.
The International Society of Automation (ISA) is a nonprofit professional association that sets the standard for applying engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. ISA covers a broad range of concepts in the automation field, and most of them have been recognized by ANSI. In reference to the content herein, the ANSI/ISA 84 standard defines the standard and technical reports for applying Electrical/Electronic/Programmable Electronic Systems (E/E/PES) in process safety applications. This standard was created to supplement the PSM in implementing the instrumentation and controls necessary for safe operation. In general, the standard covers the safety lifecycle, which outlines a process from cradle to grave, and defines Safety Integrity Level (SIL), which is a measurement of performance based on risk reduction. For more on SIL, read our blog on the topic.
International Electrotechnical Commission (IEC)
The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes international standards for all electrical, electronic and related technologies. The commission developed IEC 61508, a global functional safety standard that applies to equipment manufacturers developing products used in safety applications across all industry sectors. This standard ensures the quality and reliability of safety equipment, providing an umbrella standard covering all industries.
Many countries around the world do not have regulating organizations such as OSHA to ensure safe working conditions. This led to the need to develop the IEC 61511 standard, which covers safety management, hazard analysis, design and implementation, pre-startup safety review, and training, which encompasses the life-cycle concept. Essentially, this standard outlines engineering practices to ensure the safety of industrial processes.
IEC 61508 has a narrow sector focus on the process industry and, more specifically, requires that an analysis is performed to remove any single failure of common equipment that can cause unsafe conditions. This concept was adopted by ANSI/ISA S84 and provides engineering concepts and strategies to meet the analysis requirements.
The standards outlined above identify some key attributes that define clear requirements for safety system compliance. These include the use of input/output (I/O) modules that are approved or certified by an accredited body. No single failure of common equipment should be able to cause a process hazard. Also, safety functions must be independent or isolated from other basic process control logic so that they are protected from unintentional effects. This means that BMS logic must be isolated from the standard combustion control logic. These details govern how systems are designed and applied. Many older systems do not comply with the new standard, and the following section provides insight into the compliance of legacy systems.
The Compliance of Legacy Systems
All over the US, hazardous industrial process systems have been running for decades. During the design and installation phase of these legacy systems, they may have complied with the existing safety standards. Unfortunately, over the years we have witnessed some safety failures that resulted in catastrophic incidents. These incidents have led to changes in the industry and an advancement in testing and quality assurance of the initiating and corrective devices, as well as a statistical risk-avoidance approach to the system design. Most legacy systems include non-safety rated components and/or controllers. These cases led to OSHA including a grandfather clause within the PSM regulation released in 1992. Later, ISA recognized the legacy equipment concern in the industry and included a grandfather clause within the ANSI/ISA 84 standard as well.
The grandfather clause (1.y) states the following: “For existing SIS designed and constructed in accordance with codes, standards, or practices, prior to the issue of this standard (for example, ANSI/ISA-84.01-1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner”.
Many existing legacy SIS installations utilize a run-to-fail strategy, which can have unpredictable consequences. The SIL concept provides a predictable failure rate during the useful life cycle of the device. However, once the device has exceeded the end of the life cycle, it can have sporadic failures and the predictability no longer applies. Therefore, the SIL rating of the associated Safety Instrumented Function (SIF) can exceed the expected value, causing exposure to additional unintended risk.
How “safe is safe enough” is a question that every owner must determine. The grandfather clause listed above gives owners the ultimate decision in determining whether they meet the standards. OSHA defines very clearly in the PSM requirements that all safety systems must have safety specifications, operating procedures, personnel training, failure tracking, management of change, and audit records, irrespective of the installation date. Traditionally, when OSHA performs an investigation, they compare against the current published good engineering practices regardless of whether the process was installed prior to issuance of S84.01-2004. So, determination of a “safe” system is up to the owner, but upon judgment day only current published standards will be referenced.
This gap between acceptance and judgment has prompted the ISA 84 committee to publish seven additional technical reports to further support the subjects around this topic. Technical Report TR84.04 provides two steps for evaluating legacy systems that include a hazard/risk analysis and the SIF to meet a predetermined risk level. The risk level can be determined by economic or asset protection as defined by the owner. The OSHA PSM regulation, as well as FM Global underwriters, utilize a risk-reduction approach to define a clear measurable risk level. The owner chooses how risk is determined, but it must be clearly documented with supporting evidence.
Are You In A Comfortable Risk Zone?
Process safety is a major concern to everyone, not just those that work in process facilities. For decades, many different methods and strategies have been deployed. OSHA has attempted to regulate the compliance to ensure standards are adhered to. The supporting sections above outline some of the major supporting standards and how each is referenced in an effort to clarify what exactly is the base reference.
Process owners are ultimately held responsible for determining whether they are truly “safe”. The way in which that is determined is optional, but having the data to support the claim is not. Risk avoidance is the best published method known, and alternative methods are acceptable, but providing the data to support an alternative method and convince the governing bodies is risky in itself. In most cases, the lack of concern for meeting the safety requirements is due to a lack of understanding of the requirements as well as of Recognized And Generally Accepted Good Engineering Practices (RAGAGEP).
Compliance can be a convoluted subject and requires extensive knowledge and analysis to determine. It is highly recommended to pull in third-party experts to accurately deduce whether you are in a comfortable risk zone.