Discipline guidance for assessment of C&I issues in COMAH reports

Introduction

This guidance assumes that the assessor is already familiar with control systems issues as applied on COMAH sites. A working knowledge of the principles contained in standards concerned with the design of control systems is required, and an understanding of BS IEC 61511 in particular is recommended. For an overview of C&I issues, see the Control Systems part of the Technical Measures section of this manual.

The aim of this guidance is to assist consistency in COMAH assessment by suggesting what sort of information should be included to make the key demonstrations.

The framework links information already present in the SRAM with the requirements of accepted good practice such as that found in BS IEC 61511. This standard has been referred to because of its close fit with the requirements of COMAH legislation. For those sites using other standards, see Guidance for Retrospective Application and Non 61508 Based Standards on COMAH Sites.

Much of the information required by a full BS IEC 61511 design lifecycle is also required as a part of the COMAH process, and so by adherence to this standard, COMAH sites should find that they are able to efficiently comply with the requirements to make the necessary COMAH demonstrations.

Conversely, where a site has used no specific standards in the past, BS IEC 61511 offers a convenient framework for assessment and inspection work.

In addition to the core C&I issues, the requirements of BS IEC 61511, if followed, should also assist companies with their demonstrations of SMS and Process Safety issues.

Initial Read

On the initial read of the report, it should be possible to determine whether or not the site uses safety instrumented systems as risk reduction measures. This constitutes 'key information'.

The information being sought at this stage is not detailed. Ideally, the COMAH report should include a statement that such systems are used on the site. Also, a statement that would satisfy 5.2.1.1 of BS IEC 61511 would be preferred. This requires: "that the company has a policy and strategy for achieving safety in its safety related control systems; that this policy is subject to evaluation; and that the policy is communicated throughout the organisation."

In the absence of the above statements, the assessor will have to use their professional judgement as to whether the equivalent information is present. Reference can be made to this example of a suggested format for addressing C&I issues in a COMAH report as a comparison. Evidence to consider may include:

  • references to compliance with standards such as BS IEC 61511, BS EN 61508 or similar (see here for discussion on other standards);
  • mentions of automatic shut down systems in process descriptions.

If insufficient information is present, the provisions of the SRAM should be followed. The guidance for detailed assessment could also serve as a guide for what information to ask the company to provide.

If the company does not appear to use, or claims not to use, safety-instrumented systems as a part of its MAH prevention strategy, then it is likely to be for one of the following reasons: 1) they do not need safety instrumented systems; 2) they use safety instrumented systems but have omitted them from the COMAH report; 3) safety instrumented systems should be in use, but are not provided. Steps should be taken to identify which of these applies. In any case the matter should be discussed with the rest of the assessment team to get a view on the likely need for safety related control systems.

If safety instrumented systems are not needed on the site, the SRAM should be followed to request further information, including an explicit statement from the site to that effect. This further information should include evidence to support the claim, such as the results of HAZOP reviews.

If the site does actually use safety instrumented systems, but has not provided any information about them, the provisions of the SRAM should be followed for obtaining further information.

If the site does not use safety instrumented systems, and it is found that they should be used, then the provisions of the SRAM should be followed to determine the need for enforcement action.

If the information described above, or its equivalent, has been provided, the assessor should move on to full assessment.

Full assessment

The full assessment should compare the measures taken on site against the specific measures outlined in BS IEC 61511, or an equivalent standard.

An 'equivalent standard' may, in certain cases, be a company's own standard, which itself may be based on BS IEC 61511 or BS EN 61508, or some other recognised international standard. For further information on non 61508 based standards, see Guidance for Retrospective Application and Non 61508 Based Standards on COMAH Sites.

Criteria 4.28, 5.1, 5.2, 5.2.1.10 & 5.2.1.11 - Design of Safety Instrumented Systems.

The report should include the site's policy for achieving functional safety of safety related control systems. The report must show a direct link between the SIS and the hazard being protected against. It should also provide some discussion of how the required integrity of control systems is established and implemented.

The report should include details of who is responsible for the management of the design and maintenance of the site's safety related control systems. (Assessment Team Issue: Links to the SMS Assessment criterion 4.3a.)

The report should contain a full list of all safety related control functions or systems used on the site. The list should identify each loop, and the loop's unique identifier.

The report should state which standard these systems have been designed to. If the standard claimed is not a currently recognised relevant standard such as BS IEC 61511 or BS EN 61508, then a justification for this should be included in the report.

If the site has control systems that pre-date appropriate standards, or no longer has the original documentation to show the design approach, then the site should review its existing measures against BS IEC 61511 to establish any possible shortfalls in the existing systems, and to inform any further action, if necessary.

To complete the demonstrations, relevant documentation should be provided for representative safety instrumented systems or functions.

The reason why the example control systems and functions are representative should be given.

Evidence should be present that shows that safety functions have been allocated to appropriate protection layers. (Assessment Team Issue: Links to the Process Safety Assessment criteria 3.1, 3.4.2 and 3.4.3.) (NOTE: The use of a SIS as the single and only means of risk reduction should be subject to detailed inspection.)

Examples of such documentation are:
  • results of functional safety assessments such as HAZOPs or other risk assessment of the hazard concerned;
  • records of the safety requirement specification;
  • software safety requirement specification if applicable;
  • testing, installation, commissioning and validation reports, such as factory acceptance test reports;
  • representative verification reports.

Criteria 5.2.4.3, 5.2.4.4 - Maintenance and Operation.

The requirements for a successful demonstration of the C&I aspects of maintenance and operation are based on the provisions of clause 16 of BS IEC 61511. If a company claims that it is conforming to the standard, and can include documentary evidence to support this, then the demonstration will have been made.

The report should include details of an overall management system for ensuring routine maintenance is carried out.

The report should contain information that demonstrates that the operation of safety-instrumented systems on the site has been considered as a potential initiator, and give brief details about how this is managed in practice. Demonstration could be made by inclusion of a sample operating procedure.

As well as referring to the general arrangements on site for managing maintenance, the report should show that SIS specific maintenance issues have been addressed.

The demonstration of maintenance of safety-instrumented systems could be made through inclusion of information from a representative safety instrumented function, i.e. a function identified as relating to a MAH scenario. This information should include:
  • details of the proof test frequency and how this was derived (if this is not in accordance with BS IEC 61511 or BS EN 61508, then a justification should be provided);
  • examples of systems or arrangements to limit the effect of maintenance as a major accident hazard initiator;
  • an example of a representative maintenance procedure;
  • an example of a procedure for dealing with faults and failures.

Details of proof test procedures for revealing undetected faults should be included, with example documentation and some information on how the procedures were established.
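As an added illustration of how a proof-test frequency is derived from the SIL and risk reduction target (example code, not part of the HSE guidance): it applies the simplified single-channel low-demand relation PFDavg ≈ λDU × TI / 2 and the BS IEC 61511 low-demand SIL bands to a constructed function, so the assessor can see whether a claimed SIL is supported by the test interval in use. The tag, failure rate and intervals are assumed values.

```python
# Added worked example (not from the HSE guidance): how a proof-test
# interval follows from the SIL / risk-reduction target of a low-demand
# safety instrumented function, using the simplified 1oo1 relation
#   PFDavg ~= lambda_DU * TI / 2
# (lambda_DU: dangerous undetected failure rate per hour, TI: proof-test
# interval in hours). Diagnostics, common cause and repair time are ignored.

# BS IEC 61511 low-demand SIL bands: SIL -> (PFDavg lower bound inclusive,
# upper bound exclusive).
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

HOURS_PER_YEAR = 8760


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Average probability of failure on demand for a single-channel
    (1oo1) subsystem under the simplified relation above."""
    return lambda_du * ti_hours / 2.0


def sil_from_pfd(pfd):
    """Map a PFDavg to its low-demand SIL band; None if worse than SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd):
    """RRF = 1 / PFDavg, the risk reduction the function is credited with."""
    return 1.0 / pfd


def proof_test_interval_for_target(lambda_du, target_pfd):
    """Proof-test interval (hours) at which the 1oo1 relation gives
    exactly target_pfd. Choose target_pfd inside the wanted SIL band
    (not on its upper edge) so the achieved PFD stays in band."""
    return 2.0 * target_pfd / lambda_du


def assess_function(tag, lambda_du, ti_hours, claimed_sil):
    """Assessor-style check: does the proof-test interval support the
    SIL claimed in the report for this function?"""
    pfd = pfd_avg_1oo1(lambda_du, ti_hours)
    achieved = sil_from_pfd(pfd)
    return {
        "tag": tag,
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "achieved_sil": achieved,
        "claimed_sil": claimed_sil,
        "meets_claim": achieved is not None and achieved >= claimed_sil,
    }


if __name__ == "__main__":
    # Constructed example: a high-level trip with lambda_DU = 2e-6 /h,
    # claimed SIL 2, proof tested annually versus every two years.
    for years in (1, 2):
        result = assess_function("LZHH-101 (constructed)", 2e-6,
                                 years * HOURS_PER_YEAR, claimed_sil=2)
        print(f"TI={years} yr: PFDavg={result['pfd_avg']:.2e} "
              f"RRF={result['rrf']:.0f} SIL={result['achieved_sil']} "
              f"meets claim: {result['meets_claim']}")
```

Doubling the interval from one to two years moves the constructed function out of the SIL 2 band, which is the kind of discrepancy between design SIL and maintenance practice the assessor is looking for.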

Criterion 5.2.5.1 - Modification.

The requirements for a successful demonstration of the C&I aspects of modification are based on the provisions of clause 17 of BS IEC 61511. If a company claims that it is conforming to the standard, and can include documentary evidence to support this, then the demonstration will have been made.

The site should have a procedure for the modification of safety-instrumented systems. To complete the demonstration, a representative example of the use of this procedure should be included in the report.

Example model of C&I aspects for inclusion in a COMAH report.

Notes:

UPPER CASE text gives examples of information that could be used to make a demonstration.

This is GUIDANCE, not a legal requirement. It seeks to encompass HSE's experience of COMAH report assessment, and subsequent inspections.

SECTION 1 - Design and Installation.

This section of the report is intended to fully or partially meet the requirements of the following COMAH Assessment criteria:

By meeting these requirements, we are demonstrating that the design of our control systems is proportionate to the risk of the major hazards of our site, and are therefore taking all necessary measures to prevent an incident based on the failure of a safety instrumented system.

The policy of this company for achieving functional safety of safety related control systems is:

[STATE POLICY, OR GIVE LOCATION OF POLICY IN COMAH REPORT]

The following persons/departments are responsible for managing the use of safety related control systems on this site:

[GIVE DETAILS, OR REFERENCE TO APPROPRIATE SECTION OF COMAH REPORT. IT MAY BE USEFUL AT THIS POINT TO REFERENCE THE SECTION OF THE REPORT DESCRIBING MANAGEMENT OF COMPETENCE FOR THOSE PERSONS/GROUPS/DEPARTMENTS IDENTIFIED.]

The system for managing the lifecycle of safety related control systems is described in [REFERENCE TO COMAH REPORT ENTRY]/ available on site for further inspection if required.

The following safety related control systems are used on site: [LIST OF SAFETY RELATED CONTROL SYSTEMS USED ON SITE]

(If no systems are used, state it explicitly. This claim could be subject to verification through inspection.)

These control systems are designed in accordance with:

[NAME OF STANDARD USED TO DESIGN OR REVIEW THE SYSTEM.]

(Preferred standard is BS IEC 61511. BS EN 61508 may have been used; if some other standard is claimed, see this link.)

To demonstrate the adequacy of these control systems, the following has been chosen as a representative system for the site as a whole for the following reasons:

[STATE REASONS WHY THE SPECIFIC SYSTEM/FUNCTION HAS BEEN CHOSEN. SUGGESTED EXAMPLES INCLUDE ONE OR MORE OF THE FOLLOWING: THE FUNCTION WITH THE HIGHEST SIL; A FUNCTION IN USE ON A PROCESS WITH THE HIGHEST MAJOR ACCIDENT HAZARD POTENTIAL, EVEN IF IT IS NOT OF A HIGH SIL RATING; A FUNCTION THAT IS USED FREQUENTLY ACROSS THE SITE.]

This system/function has been identified as safety critical as the result of [STATE METHOD OF RISK ASSESSMENT, e.g. HAZOP, AND GIVE REFERENCE TO WHERE IN THE COMAH REPORT THIS PROCESS IS DESCRIBED.]

[ENTER NUMBER HERE] functional safety assessments were carried out in the design of this control function/system. An example of the documented results of one of these assessments is included in Appendix [APPENDIX REFERENCE].

(If the plant has not been designed according to an appropriate standard, or the original documentation is no longer available, or the company is unable to demonstrate the suitability of control system design, then a retrospective application of relevant parts of BS IEC 61511 is recommended as a requirement for further inspection activity or enforcement action.)

Other means of protecting against a major accident in this part of the plant include:

[LIST OTHER METHODS OF PROTECTION SUCH AS INHERENTLY SAFE PROCESS DESIGN, MECHANICAL ISSUES SUCH AS PIPEWORK OR PRESSURE VESSEL DESIGN, OR ANY OTHER RISK REDUCTION MEASURES PRESENT.]

Safety functions have been allocated to these specific protection layers for the purpose of prevention, control or mitigation of hazards from the process and its associated equipment as shown in Appendix [APPENDIX REFERENCE].

The risk reduction target of the control system/function described has therefore been determined as [SIL]. Representative examples of documentation of the safety instrumented system safety requirement and software safety requirement specifications are included in Appendices [APPENDIX REFERENCE].

A factory acceptance test report is shown in Appendix [APPENDIX REFERENCE].

SECTION 2 - Operation and Maintenance.

This section of the report is intended to fully or partially meet the requirements of the following COMAH Assessment criteria:

By meeting these requirements, we are demonstrating that the operation and maintenance of our control systems are proportionate to the risk of the major hazards of our site, and that we are therefore taking all necessary measures to prevent an incident based on the failure of a safety instrumented system.

The policies and procedures for operating the plant are given in:

[STATE POLICY, OR GIVE LOCATION OF POLICY IN COMAH REPORT]

One of the objectives of the operating policy is to ensure that the designed safety integrity of the safety instrumented system is maintained.

[IF APPROPRIATE] An example of an operating procedure that demonstrates this approach is included in Appendix [APPENDIX REFERENCE].

The policies and procedures for managing general maintenance are covered in:

[STATE POLICY, OR GIVE LOCATION OF POLICY IN COMAH REPORT]

For safety instrumented systems, the objective of the maintenance system is to maintain the designed functional safety.

The following persons/departments are responsible for managing the related control systems on this site:

[GIVE DETAILS, OR REFERENCE TO APPROPRIATE SECTION OF COMAH REPORT.]

The following system has been chosen to demonstrate the use of maintenance and inspection to maintain the designed safety integrity of the equipment.

[GIVE DETAILS OF SYSTEM CHOSEN - OR USE ONE PREVIOUSLY MENTIONED IN THE REPORT.]

The routine proof-test frequency for this equipment has been defined by the safety integrity levels set out in the design of the equipment. This is based on the level of risk reduction assigned to the equipment, and is therefore proportionate to the hazard.

[IF THE TEST FREQUENCY IS NOT IN ACCORDANCE WITH BS IEC 61511, SAY HOW THE TEST FREQUENCY HAS BEEN DETERMINED, AND WHY.]

The following actions and constraints are necessary to prevent an unsafe state and/or reduce the consequences of a hazardous event during maintenance.

[GIVE DETAILS OF ANY MEASURES SUCH AS BYPASSING OR ADDITIONAL MITIGATION STEPS TAKEN WHEN MAINTAINING.]

The maintenance procedure for this equipment is shown in Appendix [APPENDIX REFERENCE].

The document in Appendix [APPENDIX REFERENCE] shows typical information maintained on system failure and demand rates.

The document in Appendix [APPENDIX REFERENCE] shows typical audit and test results on this safety instrumented system.

A procedure for dealing with faults or failures in this system is included in Appendix [APPENDIX REFERENCE].

Details of calibration and maintenance of instruments used during normal maintenance activities are available for inspection on site.

Appendix [APPENDIX REFERENCE] shows the written proof-test procedure designed to identify undiagnosed failures on the [STATE FUNCTION] safety function. It is based on the [STATE METHOD, e.g. FMEA, FAULT TREES, RCM] method of failure identification.

Appendix [APPENDIX REFERENCE] shows an example of a completed proof test for this system.

SECTION 3 - Modification and Decommissioning.

This section of the report is intended to fully or partially meet the requirements of the following COMAH Assessment criterion:

By meeting this criterion, we are demonstrating that our modification procedures for use on safety related control systems are reducing the risk of a major accident initiator resulting from modifications to as low as is reasonably practicable, and therefore are taking all necessary measures.

Copies of the site's modification and decommissioning procedures are contained in Appendix [APPENDIX REFERENCE]. Typical examples of documentation generated by these procedures are shown in Appendix [APPENDIX REFERENCE].

Guidance for retrospective application and non 61508 based standards on COMAH sites

  1. HSE recognises BS IEC 61511 as relevant good practice for safety functions implemented by safety instrumented systems in the Process Industry sector in the context of assessing compliance with the law in individual cases and the use of good practice: Risk management: Expert guidance.

  2. Hardware and Software Issues.

    2.1 This standard can be used when reviewing health or safety measures on an existing plant/installation or situation (such as when considering retrofitting, safety reviews or upgrades): duty holders should compare existing measures against current good practice. The good practice measures set out should be adopted so far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to existing plant, for example, all the good practice expected for new plant. However, there may still be ways to reduce the risk, e.g. by partial solutions, alternative measures etc.

    2.2 Based on this information, it would appear logical that, if a COMAH site hasn't already done so, it should review its existing measures for managing the risks from use of safety instrumented systems against the provisions of BS IEC 61511. As a general rule, sites should be aware of which safety-instrumented functions are the most critical. It would make sense, therefore, that every site using non-61508 based standards should carry out a review of at least a sample of their installation to get some idea of how well the existing design compares with those required by BS IEC 61511. The findings from this review should then be used to make a decision as to whether or not further work is required.

  3. Management Systems Issues.

    3.1 About half of the provisions in BS IEC 61511 relate to management systems, rather than pure technological issues. It is strongly recommended that sites review any existing relevant systems against BS IEC 61511 as a part of their ongoing review of safety management systems.

Possible topics for inclusion in intervention plan

Internationally accepted good practice in the design and use of safety instrumented systems addresses many of the same issues that are covered by the COMAH regulations. If a site follows a standard such as BS IEC 61511, therefore, much of the information required of it by COMAH should be readily available.

This section of guidance breaks down common issues between COMAH and BS IEC 61511 into typical HSE Assessment team areas to act as a prompt for possible issues to include in an intervention plan.

Predictive and process safety issues

Criterion 3.1.

Check that HAZOPs or other risk assessment tools have correctly identified safety critical functions.

Audit the site's approach to identifying hazard and hazardous events of the process and associated equipment.

Criterion 3.4.2

Carry out joint inspection with C&I specialist on key safety instrumented systems as required.

Criterion 3.4.3

Liaise with other disciplines on safety integrity of measures in place, and human factors issues as required. C&I Inspector to provide input on integrity of instrumented systems and alarm systems.

Audit a sample of safety instrumented control functions to determine suitable allocation of safety functions to protection layers.

Check that the required safety instrumented functions have been identified.

Audit the designed safety integrity level of the safety instrumented functions.

Safety Management Systems Issues

Criterion 4.3 a

The roles and responsibilities of personnel involved in the management of major hazards at all levels in the organisation, including contractors where appropriate, and the provision of training to meet identified training needs.

Criterion 4.3 b

Liaise with C&I Inspector to assess the site's ability to use this information to inform safety instrumented system design.

Criterion 4.3 c

Audit of procedures implemented to evaluate the performance of the safety-instrumented system against its safety requirements.

Review site's procedures for auditing their own performance on the management of safety-instrumented systems.

Review the site's procedures for safety instrumented system configuration management. (These points are also useful for hazardous area electrical equipment and other safety critical items.)

Check site's procedure for uniquely identifying all constituent parts of a system.

Audit the procedures for preventing unauthorised items from entering service.

Criterion 4.3 d

Review the site's procedure for functional safety assessments of safety-instrumented systems.

Check systems for documenting functional safety assessments.

Check procedures for defining the frequency of auditing activities.

Criterion 4.6

Review the site's policy for achieving functional safety of safety related control systems.

Criterion 4.7

Review arrangements for identification of persons, departments, organisations or other parties that are responsible for carrying out and reviewing each of the life cycle phases. Establish whether these parties have been informed of their responsibilities.

Audit the competence of those responsible for safety lifecycle activities.

Audit of procedures provided to ensure prompt follow up and resolution of recommendations arising from the following activities:
  • hazard and risk assessment;
  • assessment and auditing activities;
  • verification activities;
  • validation activities;
  • post incident and post accident activities.

Check that the site's management of change procedures include changes to safety-instrumented systems.

Criterion 4.8

Check site's definition and allocation of responsibilities against the requirements of BS IEC 61511.

05 May 2006 10:13:13 +0100


2025-08-19