Some people draw inspiration from great artists, some draw passion from great novels. I firmly believe just as much passion can be found in discussing a topic far more mundane - Safety Instrumented System (SIS) design standards. Exhibit A is the reaction a safety system engineer demonstrates when two simple words are uttered: Grandfather Clause.
But first, some background.
IEC 61511, "Functional Safety: SIS for the Process Industry Sector," is a standard recognized worldwide as good engineering practice in the design of safety systems. It defines the concept of a SIS Safety Lifecycle: the end user goes through risk analysis, quantitative verification of the design, and the development of testing and maintenance procedures to keep the safety system working properly.
The roots of this standard are in the International Society of Automation (ISA), and the current ISA edition is ISA 84.00.01-2004. That edition carries one key modification that is among the more controversial topics in SIS engineering - the "Grandfather Clause." Since we'll spend some time discussing it we might as well go directly to the source - Section 1.y of the ISA standard:
"For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested and operating in a safe manner."
Grandfather Clause: Beware the Fine Print
Plant operators should consider the second half of the Grandfather Clause with great care, because the clause can be abused. Severely. What it implies is that you don't necessarily need to follow ISA 84 if the system was installed pre-standard (and remember, the first version of the standard came out in 1996). But people often, and conveniently, forget the second portion of the clause, which is that the owner/operator must determine that the equipment has been designed, maintained, inspected, tested, and is operating in a safe manner.
So how exactly does one appropriately invoke the Grandfather Clause? To do due diligence, the plant operator should review the original design material to make sure it is still valid against the current process risk. And the operator should provide records and procedures showing that the system has been tested on a regular basis. And the operator should provide maintenance records and procedures showing that failed components are replaced promptly and correctly. And, well, if you do all those things you've essentially accomplished the most critical aspects of ISA 84 anyway.
When Changes Matter
Another thing that is conveniently forgotten is that the Grandfather Clause locks you into the original design. Once you've changed a key component (say from a relay system to a programmable logic solver, or from a pneumatic device to a microprocessor-based transmitter), you've fundamentally changed the design, and the Grandfather Clause no longer applies. But wait, you say, "I just installed a brand new PLC with diagnostic bells and whistles that must be better than the old relay cabinet it replaced! If I've 'improved' the SIS, the Grandfather Clause should still apply!"
The idea that microprocessors, PLCs and computers are strictly better than older hardware is a fallacy. Paul Gruhn, in his excellent book Safety Instrumented Systems: Design, Analysis and Justification (p. 145), works through an exercise demonstrating how switching from a simple relay system to an off-the-shelf, low-diagnostic PLC can result in WORSE safety performance.
But even if the user selects a high-end SIL 3 certified safety PLC that probably does have better safety performance than a relay system, the level of complexity has risen so substantially that simply invoking the Grandfather Clause is cynical to the point of negligence. A safety PLC gives the user far more capability: bypasses, diagnostics, configurable action on failure, resets, and more. The design philosophy behind how those features are used needs to be codified so that engineers, board operators, instrument techs, and all other key personnel understand what they do and why they matter.
Grandfather Clause in Perspective
I'm not all hate when it comes to the Grandfather Clause. It does fine for its intent: it provides some cover so owner/operators can focus on performing critical SIS upgrades, so long as the existing "legacy" equipment is still being maintained per its original design. But invoking the Grandfather Clause doesn't mean you can wash your hands of the system entirely. You still must follow the proper steps and keep the documentation that shows the system is designed, tested, and maintained properly. And when changes inevitably happen to the system, it's time to let old Gramps relax in retirement and read the rest of the ISA 84 standard.