Should Functional Safety impact assessments be undertaken when modifying a SIS?

Typically, many organisations follow a strict regime when handling operational changes, via defined management of change procedures. Experience shows, however, that changes are sometimes implemented with only limited use of the change management process that is available. In such cases there is a risk that the potential impact of the change on operational safety is overlooked.

Lean management and tight budgetary constraints are also prevalent in many process industry organisations, and these can lead to shortcuts being taken through change management activities in order to reduce costs.

There may also be a misconception that not all changes proposed for a safety related system need to be analysed for their impact, and that only those changes ‘perceived’ to have a direct influence on the SIS, e.g. the addition of new hardware, really need to be impact assessed. This approach is incorrect, yet there is a significant likelihood of it being followed by some safety engineers when managing such change requirements.

Whether a change has any bearing on the safety instrumented system should only be decided after performing a Functional Safety (FS) impact assessment. The decision on whether to undertake an FS impact assessment should not be based on how obvious the proposed change appears, e.g. adding new hardware to an existing SIS cabinet, as that would negate the purpose and benefits of carrying out the assessment in the first place.

Why are FS impact assessments performed?
Before implementing any proposed change to the SIS, an FS impact assessment should be performed to establish whether the proposed change is safe and to investigate the risk of potential failure it introduces. This ensures that functional safety is not compromised by changes that could affect the safety system or an associated system, such as the basic process control system (BPCS).


Organisations which follow a functional safety management (FSM) system process must perform an FS impact assessment whenever changes are made to a safety related system. Again, however, this should not be the only reason why FS impact assessments are carried out. Unfortunately, the value and benefit of conducting an FS impact assessment can be misjudged and even undervalued. The organisation’s FSM process is then often seen as the only thing compelling an FS impact assessment to be delivered at all, without due regard to the importance and significance of this crucial change management step. Frequently safety engineers do not realise how much a ‘systematic’ FS impact assessment approach will support them in delivering overall functional safety assurance.

FS impact assessments are the means of determining the impact that a change to a specific safety function will have on the other functions in the safety related system, on other associated control systems, and on the risk reduction allocated to the protection layers.

It provides the mechanism for identifying the implications of a proposed change, in terms of functional safety and integrity, for items such as:

Hardware requirements
Software requirements
The application program
Testing and verification requirements
Competent resources
Implementation time and schedule
Cost of the solution

It is the FS impact assessment process, and the in-depth analysis it entails, that reveals any additional requirements for implementing the proposed solution or change.

What do we mean by formal records of FS impact assessment?
Any FS impact assessment performed for any change will need to be formally recorded. This is to ensure and demonstrate that a systematic process has been followed and that there is evidence of what was considered for the assessment. The process and the results of the assessment should be documented as this provides the traceability as to why a specific approach was undertaken for implementing the change. Also, this provides the means to check if all the necessary items or topic areas were sufficiently covered for assessing the various impact implications.

This also provides evidence to an independent competent person, who can be appointed to approve the results of the assessment and to endorse the change for implementation. The formal record of the assessment also enables the development of the method statement for implementing the change, taking account of all the parameters necessary for successful implementation. It further provides a means of verifying the solution and supports the forward and backward traceability needed to demonstrate change management to interested stakeholders.

Which changes are to be impact assessed for Functional Safety?
All changes need to be impact assessed where the change affects a safety system and/or a critical interface to it. For example, changes to the HMI or operator workstations that indicate the safety related system’s status are usually considered non-safety changes and are typically ignored. Yet assessing such changes via the FS impact assessment can reveal that status colours, alarms and process graphics influence an operator’s response, and therefore have an impact on critical safety functions. One such scenario is where an operator’s ability to respond to a highly managed alarm has been impaired, thereby invalidating the risk reduction credit claimed for that response.

The FS impact assessment process should also be used more broadly to sustain operational requirements. For example, any changes arising from the failure of a proof test within the safety related system should also go through the change management and FS impact assessment practices, so that the issue is assessed before the corrective action is implemented and the solution re-verified.

Who should undertake and approve the FS impact assessment?
In accordance with the recommendations identified in the relevant safety standards, a competent person and / or team should perform the FS impact assessment for the proposed changes and document their findings in a structured report. The report will then need to be reviewed and approved by another competent and independent person(s), ensuring a robust and systematic review has taken place, which can support the original findings.

Depending on the outcome of the FS impact assessment, a decision may be reached to determine whether the proposed modification could impact safety or not. If there is an impact, then the process will need to return to the first phase of the SIS safety lifecycle affected by the proposed modification.
Competency to undertake such FS impact assessment report reviews will need to be determined and authorised, based on safety related knowledge, experience, training and qualifications.
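As an added example (not ABB’s tooling and not part of the original article), the following Python script shows how a change management system could gate SIS changes on the points made above: an assessment must exist for any change touching the SIS or a critical interface to it (HMI status displays included), it must be formally recorded and cover the listed topic areas, the approver must be independent of the assessor, and an identified impact must record which lifecycle phase is re-entered. The record schema, the system names in scope, the record identifiers and the sample change requests are all hypothetical constructs for the illustration.

```python
"""Pre-implementation gate for SIS change requests.

Added example, not ABB's tooling. The ChangeRequest/Assessment schema,
the in-scope system names and the sample records are hypothetical: they
stand in for whatever a real change management system would export.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Topic areas an FS impact assessment has to cover (from the article's list).
REQUIRED_TOPICS: Set[str] = {
    "hardware", "software", "application_program", "testing_verification",
    "competent_resources", "schedule", "cost",
}

# Systems whose changes fall under the FS gate. HMI status displays and the
# BPCS/SIS interface are deliberately included: the article notes they are
# often wrongly treated as non-safety. Names are hypothetical.
SIS_SCOPE: Set[str] = {
    "sis_logic_solver", "sis_io", "sif_sensor", "sif_final_element",
    "hmi_sis_status", "bpcs_sis_interface",
}


@dataclass
class Assessment:
    record_id: Optional[str]          # formal record reference, None if unrecorded
    assessor: str
    approver: Optional[str]           # independent competent reviewer
    topics_covered: Set[str] = field(default_factory=set)
    impact_found: bool = False
    lifecycle_phase_reentered: Optional[str] = None  # e.g. "SRS" (hypothetical label)


@dataclass
class ChangeRequest:
    cr_id: str
    affected_systems: Set[str]
    assessment: Optional[Assessment] = None


def gate(cr: ChangeRequest) -> List[str]:
    """Return the reasons this change must not proceed; an empty list means pass."""
    in_scope = cr.affected_systems & SIS_SCOPE
    if not in_scope:
        return []  # does not touch the SIS or a critical interface: no FS gate
    a = cr.assessment
    if a is None:
        return [f"touches {sorted(in_scope)} but no FS impact assessment exists"]
    findings: List[str] = []
    if not a.record_id:
        findings.append("assessment not formally recorded (no record id)")
    missing = REQUIRED_TOPICS - a.topics_covered
    if missing:
        findings.append("assessment does not cover: " + ", ".join(sorted(missing)))
    if not a.approver:
        findings.append("no independent approval recorded")
    elif a.approver == a.assessor:
        findings.append("approver is the assessor; independent review required")
    if a.impact_found and not a.lifecycle_phase_reentered:
        findings.append("impact identified but no lifecycle phase re-entry recorded")
    return findings


# Constructed sample change requests (not real project data).
SAMPLE_CHANGES: List[ChangeRequest] = [
    # "Just a colour change" on the SIS status display, with no assessment.
    ChangeRequest("CR-101", {"hmi_sis_status"}),
    # Assessed, but self-approved, missing the cost topic, and impact found
    # without recording which lifecycle phase is re-entered.
    ChangeRequest("CR-102", {"sis_io"},
                  Assessment("FSIA-0042", "j.smith", "j.smith",
                             set(REQUIRED_TOPICS) - {"cost"}, True, None)),
    # Fully recorded, independently approved, lifecycle re-entry noted.
    ChangeRequest("CR-103", {"sif_final_element", "bpcs_sis_interface"},
                  Assessment("FSIA-0043", "j.smith", "a.jones",
                             set(REQUIRED_TOPICS), True, "SRS")),
    # BPCS-only tuning change, outside the SIS scope.
    ChangeRequest("CR-104", {"bpcs_pid_tuning"}),
]


def run_gate(changes: List[ChangeRequest] = SAMPLE_CHANGES) -> Dict[str, List[str]]:
    """Gate every change request and map its id to the list of blocking findings."""
    return {cr.cr_id: gate(cr) for cr in changes}


if __name__ == "__main__":
    for cr_id, findings in run_gate().items():
        print(cr_id, "PASS" if not findings else "BLOCK: " + "; ".join(findings))
```

Run as a script it blocks CR-101 and CR-102 and passes CR-103 and CR-104. The point of the scope set is that the gate decides what needs assessing from which systems a change touches, not from how "obvious" the change looks.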

The takeaway question:
How are changes to a Safety Related System being handled within your organisation? Have all changes been subject to an FS impact assessment? Are there formal records produced for these FS impact assessments? Can you readily demonstrate your findings to both internal and external stakeholders?  


Contact me at if you want to talk through how ABB can help you with changes to your Safety Related System
Reviewed by Lorine Wyman on June 21, 2018
