The concept of evaluating control systems on the basis of risk and applying resources to make high-risk controls more reliable is not new. Chemical plant, refinery, and pipeline designers and their insurance carriers have long realized that high-risk controls need to be more reliable than other controls. The document that codified this thinking was ANSI/ISA S84.00.01-2004, Parts 1–3 (IEC 61511 Mod). We will subsequently refer to this document as "S84." The other reference in the field is IEC 61508, "Functional Safety - Safety Related Systems" (1998), and its process-industry-specific version, IEC 61511.
S84 is a consensus standard and is not formally binding. It has been in common use in the aerospace and nuclear industries since its inception. Chemical plants, refineries, and pipelines, however, are only now coming to the realization that the standard has much to offer them as well.
In regulatory terms, S84 became "generally accepted engineering practice" by way of an industrial explosion in 2004 in which five workers were killed. The Occupational Safety and Health Administration (OSHA) cited the employer under the general-duty clause for not documenting that the plant's programmable logic controllers and distributed control systems, installed prior to 1997, complied with generally accepted engineering practice such as S84. Because this citation was paid without contest, a precedent has been set: these consensus standards are now generally accepted engineering practice in the chemical manufacturing, refining, and pipeline industries.
Both OSHA and the Environmental Protection Agency (EPA) have recognized the potential value of the S84 standard. In fact, multiple companies have been cited over the past decade for not following S84, despite the fact that S84 is a non-binding consensus standard. OSHA and EPA are expected to continue citing companies under the general-duty clause if any shortcoming that might have involved control systems causes a Process Safety Management (PSM) or Risk Management Plan (RMP) incident.
For companies covered under 29 CFR 1910.119 (PSM) or under 40 CFR 68 (RMP), S84 or some variant of the standard should now be considered mandatory.
Since this presentation is focused on chemical manufacturers, refineries, and pipelines, the sections of S84 and IEC 61508/61511 that pertain to instrument design will not be discussed.
Instead, the overall requirements of S84 as they apply to the users of control systems are as follows:
1. Perform a risk-based analysis of the hazards caused by failure of the control system to operate on demand.
2. Assign a desired reliability to the control system based on the hazard(s) created should the control system fail to operate on demand.
3. If the existing control system is adequately reliable: document and maintain the existing equipment so that the desired reliability is sustained.
4. If the existing control system is not adequately reliable: improve its reliability until the possible hazard(s) are mitigated by the control system.