“Without a solid foundation, you’ll have trouble creating anything of value.”  Erika Oppenheimer

Recently, I’ve been asked by quite a few clients to walk them through the steps of the safety lifecycle to ensure they aren’t missing anything in their safety program.  Trying to go through each step and explain its purpose over the phone, while connecting one piece of the puzzle to the next, can quickly become confusing.  This often leads to the person on the other end of the phone focusing on how each item coincides or leads to another step in the safety lifecycle, rather than addressing the original purpose of the conversation, which was to identify holes they might have in their safety program.  In an effort to clear up any confusion, I’ve decided to create a blog series covering the basics of the Safety Lifecycle.

Breakdown of the Safety Lifecycle

IEC 61511 has one version of the safety lifecycle, IEC 61508 has another, and OSHA makes no reference to a “safety lifecycle” at all.  What gives?

The safety lifecycle can be presented in many different ways.  It can be a diagram picture, where one step leads to another, or it can be graphically presented in a circular form.

Whatever your graphical preference may be, it’s important to remember that the safety lifecycle consists of three main phases, despite being called different phase names by different standards, and serves as a way to optimize the design of a Safety Instrumented System (SIS) and to increase safety.  The three main phases are:

  • Analysis
  • Implementation (‘Realization’), and
  • Operation

These three phases are comprised of various steps, and for many, this is where the confusion can begin.

Analysis Phase

During the Analysis phase of the safety lifecycle, eight different steps are addressed.  These steps include:

  1. Process Design
  2. Hazard Identification
  3. Risk Assessment
  4. Risk Tolerance Criteria (RTC) Confirmation
  5. Risk Reduction Allocation
  6. Safety Function Definition
  7. Safety Function Specification, and
  8. Reliability Verification

Logically enough, the first three steps make the most sense to most people when I’m explaining the Analysis phase to them.  The process design occurs first, otherwise, there’d be nothing for folks to evaluate.  Process design is followed by hazard identification, which is when a Process Hazard Analysis (PHA) is typically performed.  The PHA provides us with a systematic approach to discovering and describing the consequences of hazards in every aspect of the process.  While a PHA does an excellent job at identifying hazards and describing the consequences of those hazards, it does not always give a good estimate of the likelihood of hazardous events.  This is why, immediately after the hazards are identified, a risk assessment, typically in the form of a Layer of Protection Analysis (LOPA) may be performed.  A LOPA is an excellent tool for estimating likelihood and identifying the current safeguards in place.  After these safeguards are identified, we are able to remedy shortcomings between the risk a company is able to tolerate and the risk of the hazard occurring.  Remember, it is only by knowing both the consequences and likelihood of an event that we know the risk of a hazard.

Either before or immediately after that, it is important to confirm the RTC for an organization is appropriate.  It is my personal preference to confirm the RTC is appropriate beforehand so that the hazard identification and risk assessments are appropriately in line with the level of risk a company is willing to tolerate.  The RTC will tell the organization and the safety consultant how much risk reduction is required and what kind of layers of protection, or safety functions, to allocate it to.  These functions need to be defined in terms of what they are supposed to do, specified in terms of how they are supposed to do it, and in compliance with the standards for safety instrumented systems.  When complying with standards for safety instrumented systems, calculations must be performed to verify that they achieve the reliability – the risk reduction – that is required.


During the implementation phase, we have nine separate steps to address:

  1. Mechanical/Electrical/Structural (Implementation)
  2. Software Configuration
  3. Equipment Build
  4. Factory Acceptance Testing (FAT)
  5. Construction/Installation
  6. Site Acceptance Testing
  7. Validation
  8. Training, and
  9. Pre-Startup Safety Review

The implementation phase requires a number of disciplines to contribute to the detailed design as well as the software configuration.  Making sure these items are implemented to the respective codes and standards is important for personnel safety.  From the hardware design, cabinets and panels are built.  Although not strictly required by the standards, FATs of both the hardware and the software are a good idea before proceeding to field construction and installation.  Once installed, site acceptance testing confirms that the installation was done properly, which is followed by validation – confirming that the safety functions do what they are supposed to do, and training, so operating and maintenance staff can do what they are supposed to do.  The last step in implementation, before operation, is performing a pre-startup safety review (PSSR).  The PSSR helps to ensure that installations meet the original design or operating intent, while also revisiting the hazards in the process to see if any new ones have surfaced due to changes during the detailed engineering and construction phase of a project.


Just like the Analysis and Implementation phases of the safety lifecycle, the Operation phase has steps associated with it, too.  These include:

  1. Operation
  2. Training
  3. Proof Testing
  4. Inspection
  5. Maintenance
  6. Management of Change, and
  7. Decommissioning

After all of the steps in the previous two phases have occurred, the SIS should be operating.  With any luck, this means that it doesn’t do anything.  Throughout the operating life of the project, there are ongoing requirements for training, proof testing, inspection, and maintenance.  What this means for your personal plant varies by the regulated standards your plant has accepted and chooses to follow. The SIS standards are very concerned, and rightly so, that safety not be compromised when changes are made to a system, so a management of change procedure must be adhered to, and the decommissioning and demolition that frequently precedes the implementation of a process modification must be carefully evaluated for its impact on functional safety.


The Safety Lifecycle fits in with the natural progression of a project.  It is most successful when it begins early.  Unlike the project execution cycle, the safety lifecycle continues well past plant startup to cover operation and eventual decommissioning. You may be asking yourself, why even utilize the safety lifecycle in the first place?  Why do we think it’s such a strong tool to use?  Where do the regulations and standards come from that apply to the safety lifecycle?  What is necessary to complete all of the steps under each phase?  What areas are frequently overlooked by companies?  We’ll explore those questions and more in future posts.