Should Functional Safety impact assessments be undertaken when changing a SIS?

Managing Change

This is the question that is always asked when changes are being proposed for a Safety Instrumented System (SIS). Typically, many organisations follow a strict regime when it comes to handling operational changes via defined management of change procedures, however experience highlights that numerous organisations implement such requirements with limited use of an available change management process. This increases the risk of overlooking the real impact that these changes could have on operational safety.

With lean management and tight budgetary constraints currently in place within the majority of process industry organisations, there is always a tendency to try and bridge the change management activities so as to reduce the cost when trying to implement such solutions.

There may also be a misconception that not all changes proposed for a safety related system need to be analysed for their impact and that only those changes that are ‘perceived’ to have a direct influence on the SIS e.g. addition of new hardware, really need to be impact assessed. This is an incorrect approach, however one which is followed often by safety engineers managing such change requirements.

The decision as to whether a change has any bearing on the safety instrumented system should only be identified after performing a Functional Safety (FS) impact assessment. The decision of whether to undertake an FS impact assessment should not be based on whether the change will, or will not, affect the SIS because otherwise the purpose and benefits of the FS impact assessment process will be completely negated.

So, why are FS impact assessments performed?
Prior to implementation of any change requests on a SIS, an FS Impact assessment will need to be performed in order to identify if the change being proposed is safe and that it does not have the potential to manifest into a failure, which can cause a catastrophic incident. This would mean that functional safety is not compromised by implementation of this change either to the safety system on which the change is being performed, or to other dependent systems e.g. a Basic Process Control System (BPCS).

Organisations who follow a compliant Functional Safety Management (FSM) system process will mandate to undertake FS impact assessments for any changes made to a safety related system. However culturally, the question to ask is ‘Should this be the only criteria as to why FS impact assessments are undertaken’? In some organisations, the value and beneficial outcome of the FS impact assessment process is completely misplaced and undervalued. Here the organisations FSM process is often seen as the ‘item of blame’ for delivering an FS impact assessment and as such can be the main reason safety engineers perform an FS impact assessment in the first place. Frequently the safety engineers don‘t realise the significance that the ‘systematic’ FS impact assessment approach will have on supporting them in delivering overall functional safety assurance.

FS Impact assessments act as a means of determining the effect that a change to a specific safety function will have to other functions in the safety related system or other associated control systems and its effect on the risk reduction allocation to the protection layers. It provides the mechanism to identify any changes regarding functional safety and integrity to:

    · Hardware requirements
    · Software requirements
    · Application Program
    · Testing and Verification requirements
    · Competent resources
    · Implementation time and schedule
    · Cost of the solution
In order to identify if there are any additional requirements for implementing the proposed solution or change, then the FS impact assessment process and in-depth analysis would reveal them.

What do we mean by formal records of FS impact assessment?
Any FS impact assessment performed for any change will need to be formally recorded. This is to ensure and demonstrate that a systematic process has been followed and that there is evidence of what was considered for the assessment. The process and the results of the assessment should be documented as this provides the traceability as to why a specific approach was undertaken for implementing the change. Also, this provides the means to check if all the necessary items or topic areas were sufficiently covered for assessing the various impact implications.

This also provides evidence to an independent competent person who can be appointed to approve the results of the assessment and to endorse the change for implementation. The formal record of the assessment also enables the development of the method statement for implementing the change and to consider all the necessary parameters for successful implementation. This would also provide a means of verifying the solution and supporting the necessary forward and backward traceability for demonstrating change management to interested stakeholders.

Which changes are to be impact assessed for Functional Safety?
All changes will need to be impact assessed provided the change is part of a safety system and/or critical interface. As an example, on face value, any changes made to the HMI or the operator workstations that provide the status of the safety related system are usually considered as non-safety changes and are typically not rigorously impact assessed. However, by assessing the proposed change via the FS impact assessment process, this may have identified changes to display status colours, alarms and process graphics, thereby revealing an impact on the operator response to certain critical safety actions and impacting on functional safety e.g. operator ability to respond to a highly managed alarm has been impaired thereby altering the claimed risk reduction credit.

The FS impact assessment process should also be used on a broader basis to sustain operational requirements. For example, any changes attributed due to failure of a proof test within the safety related system should also be handled by the change management and FS impact assessment practices for rectifying the issue before the corrective action is implemented and the solution re-verified.

Who should undertake and approve the FS impact assessment?
In accordance with the recommendations identified in the relevant safety standards, a competent person and / or team should perform the FS impact assessment for the proposed changes and document their findings in a structured report. The report will then need to be reviewed and approved by another competent and independent person(s) to ensure a robust and systematic review has been undertaken commensurate to the FS impact assessment report findings.

Depending on the outcome of the FS impact assessment, a decision may be reached so as to ensure the proposed modification could impact safety or not. If there is an impact, then the process will need to return to the first phase of the SIS safety lifecycle affected by the proposed modification, and therefore, it will be the starting point for safety lifecycle activities to be carried out for implementing the change.

Competency will need to be determined and authorised to undertake such FS impact assessment report review activities, depending on safety related knowledge, experience, training and qualifications.

So, how are changes to a Safety Related System being handled within your organisation? Have all changes been subject to an FS impact assessment? Are there formal records produced for these FS impact assessments? Can you readily demonstrate your findings to both internal and external stakeholders? For further information see www.functionalsafetyinsights.com

ABB (ABBN: SIX Swiss Ex) is a pioneering technology leader in electrification products, robotics and motion, industrial automation and power grids, serving customers in utilities, industry and transport & infrastructure globally. Continuing a history of innovation spanning more than 130 years, ABB today is writing the future of industrial digitalization with two clear value propositions: bringing electricity from any power plant to any plug and automating industries from natural resources to finished products. As title partner of Formula E, the fully electric international FIA motorsport class, ABB is pushing the boundaries of e-mobility to contribute to a sustainable future. ABB operates in more than 100 countries with about 135,000 employees. www.abb.com

    •   Cancel
      • Twitter
      • Facebook
      • LinkedIn
      • Weibo
      • Print
      • Email
    •   Cancel

    Contact us

    seitp202 b4f48ebd6e934a25c125826d003bf627