You have heard it all before. The plant hasn’t changed much. It was compliant when it was installed. We have SIF proof-test procedures. The gas detectors function test OK, IR gas detectors are calibrated for life. We’ll consider that when we need to upgrade… and so on.
Those are all true in the right context, but they can create a false sense of confidence across the maintenance and operations teams until an incident occurs. Then the intended hazard-detection and safety-protection functionality either does not work or works only partially. An after-action incident investigation discovers the problem: a quiet instance of non-conformance in the safety system that had been there for years.
Mid- to late-life brownfield plants have delivered huge value over the life of the asset. They have been operationally optimised to near-perfect levels and print money, creating long and exciting careers, and profits for the owners and the wider economy. This is when systems degrade quietly, through small steps over years, not months. The change is gradual. The consequences appear suddenly. Risk-reduction effectiveness and compliance drift are rarely caused by negligence; they stem from operational pressure, cost controls, incremental plant changes, and assumptions that were never revalidated.
This article explains how safety systems drift into non-conformance, how to identify that drift before an incident exposes the gap, and what practical control looks like when you need to prove that a system has not drifted. The same thinking applies to any other hazard-control feature or system found in industrial or manufacturing facilities, such as mechanical safeguarding, pressure relief systems, electrical protection systems, or fire protection systems.
Functional Safety: SIFs that still pass but no longer protect
A common failure in Functional Safety is treating it as set-and-forget. IEC 61511 requires a lifecycle approach to ensure that Safety Instrumented Functions (SIFs) continue to deliver the risk reduction they were designed to provide over the life of the Safety Instrumented System (SIS).
Too often, SIFs continue to pass proof tests while quietly drifting away from their original design intent and no longer provide the level of protection assumed. The system remains energised and operational, but the protection layer assumed in the Layer of Protection Analysis (LOPA) workshop is no longer there.
A functional proof test may still pass: transmitter calibration is correct, the trip setpoint closes the valve, and the operator sees the alarm on the DCS. This does not account for the accumulation of undetected failures, nor for proof-test procedures modified to avoid shutting down the unit because restart is difficult or costly. Over time, proof testing can become procedural rather than engineering-led. Tests are executed to meet the required interval rather than to achieve the proof-test coverage assumed in the SIL verification. When this occurs, dangerous undetected failures accumulate, and the achieved PFD no longer meets the design basis.
In these cases, the achieved risk reduction no longer matches the original design assumptions. The result is a SIF that appears compliant but no longer meets its SIL target, a non-conforming SIF, even though it still passes the proof test.
A common example is an urgent weekend instrument failure, where maintenance replaces a failed sensor or valve with a ‘like-for-similar’ device without engineering review. While the replacement may appear equivalent, the SIL verification is not revisited, and the achieved Risk Reduction Factor (RRF) may now fall below the target. The required SIL and PFD are no longer achieved, even though the loop remains in service.
In other cases, actuator torque or valve stroke requirements are not checked. Months later, the valve fails to close on demand due to incorrect grease or insufficient actuator torque. The failure is latent, undetected, and only revealed when the SIF is demanded.
Urgent brownfield changes are often assessed for operability but not for their impact on safety function performance. Process modifications may increase the demand rate or consequence severity assumed in the original LOPA. When this occurs, the original SIF design basis may no longer be valid, and the required SIL may increase without reassessment.
Bypass management can also become normalised on operational facilities. Temporary overrides applied during faults or nuisance trips remain in place longer than intended or become normalised operational practice. In these cases, the SIF is unavailable more often than assumed in the SIL verification, reducing the achieved risk reduction.
That is why IEC 61511 requires a defined functional safety management plan with supporting lifecycle processes. Proof testing, maintenance, and plant changes must be controlled through engineering review, management of change, competency requirements, and SIL re-verification. Without this discipline, a SIF can remain energised and operational while no longer delivering the risk-reduction effectiveness it was designed to provide.
Each issue appears minor in isolation. Accumulated over the years, they result in material SIS non-conformance and reduced hazard protection.
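The effects described above can be put into numbers. The following is an added example, not code from the article or from Equinox: a simplified single-channel (1oo1) PFDavg model using the common low-demand approximation, with all failure rates, coverage figures and bypass hours constructed for illustration. It compares the loop as assumed in the SIL verification with the same loop after a like-for-similar replacement, a simplified proof test and normalised bypass.

```python
"""Simplified PFDavg model for a 1oo1 SIF: how reduced proof-test coverage,
a like-for-similar component swap and normalised bypass erode achieved risk
reduction. Constructed example using the simplified low-demand approximation."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass(frozen=True)
class SifAssumptions:
    lambda_du: float                    # dangerous undetected failure rate, per hour
    proof_test_interval_years: float
    proof_test_coverage: float          # fraction of DU failures the proof test reveals
    mission_time_years: float           # until overhaul/replacement clears untested failures
    bypass_hours_per_year: float = 0.0  # time the SIF is overridden and unavailable

def pfd_contributions(a: SifAssumptions) -> dict:
    """Split PFDavg into the part the proof test controls, the part that
    accumulates until end of mission time, and the bypass unavailability."""
    ti = a.proof_test_interval_years * HOURS_PER_YEAR
    mt = a.mission_time_years * HOURS_PER_YEAR
    return {
        "tested": a.lambda_du * a.proof_test_coverage * ti / 2,
        "untested": a.lambda_du * (1 - a.proof_test_coverage) * mt / 2,
        "bypass": a.bypass_hours_per_year / HOURS_PER_YEAR,
    }

def pfd_avg(a: SifAssumptions) -> float:
    return sum(pfd_contributions(a).values())

def sil_band(pfd: float) -> int:
    """Low-demand SIL band from PFDavg; 0 means below SIL 1 (values under 1e-5 not handled)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def meets_target(a: SifAssumptions, target_rrf: float) -> bool:
    return 1.0 / pfd_avg(a) >= target_rrf

# Constructed figures as assumed in the SIL verification...
DESIGN = SifAssumptions(lambda_du=2e-7, proof_test_interval_years=1,
                        proof_test_coverage=0.95, mission_time_years=20)
# ...and the same loop after drift: replacement sensor with a higher DU rate,
# a simplified proof test that no longer strokes the valve, 48 h/yr in bypass.
DRIFTED = SifAssumptions(lambda_du=2.4e-7, proof_test_interval_years=1,
                         proof_test_coverage=0.7, mission_time_years=20,
                         bypass_hours_per_year=48)
```

With these figures the design case achieves an RRF of about 585 (SIL 2), while the drifted loop achieves about 80 (SIL 1), with the untested and bypass terms dominating even though every proof test still passes.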
Fire and gas detector coverage that no longer matches the hazard
If a Fire & Gas System (FGS) was installed using a performance-based Fire and Gas Mapping design methodology, it was likely based on a sound hazard-risk assessment. In many legacy FGS, however, prescriptive design methods have been used, in which a set of rules is applied based on a high-level assessment. Under that approach, the rules establish that gas detection for flammable or toxic materials is needed, and detector locations and quantities are then selected by the design consultant, leading either to conservative over-engineering or to ineffective protection against the facility's actual hazards.
Over time, cumulative plant and process changes quietly reduce the effectiveness of the FGS. It could be a combination of operations introducing new process modes and pushing equipment to its limits; shifting from proactive to reactive maintenance to save costs; detectors operated well past their useful life; maintenance competence lost through staff turnover; or reduced training budgets and plant changes, including changes to equipment layouts and process flows.
We have seen what happens next. A significant unintended gas release occurs, and the system that is meant to provide coverage does not detect it. It is only by luck that no ignition source is present, but the potential remains for event escalation and an extended fire if ignition occurs.
Standards move on but the facility doesn’t
Standards are regularly improved or replaced as engineering knowledge advances, new technology becomes available, and industry lessons are learned. In brownfield environments, facilities do not always adopt these updates unless they become widely accepted practice or are driven by a regulator compliance program.
When those lessons apply to existing facilities, brownfield operators face the cost of retrospective compliance. That cost must compete with production, maintenance, and capital priorities. Asset owners are often forced to make difficult decisions about what to implement and what to defer.
In other cases, standards that are now widely considered normal practice are postponed. “We’ll address it in the next major upgrade.” “The system is grandfathered.” Sometimes legacy assets cannot realistically carry the burden of full compliance upgrades.
This is where drift begins to appear in how standards are adopted. It rarely happens in a single decision. Over time, reasonable improvements in guidance are not implemented, leaving risks dormant within the facility. When an incident occurs, there is often a difficult realisation that following updated standards could have reduced the consequences.
The old saying comes into play – why fix something when it's not broken? We have all heard that raised when discussing retrospective compliance improvements and the potential costs involved. In practice, a risk-based and practical approach to compliance is often the most effective starting point. This is where Equinox helps clients apply risk-based, practical compliance.
Machine safety drift on operational facilities
Machine Safety hazards do not develop slowly; they are part of the design if correct safeguards are not in place. Rotating shafts, cutting tools, conveyors, and moving machinery present mechanical hazards from the moment equipment is installed. Cutting and crushing hazards are common and require control. Without effective safeguarding, these hazards exist from day one.
What changes over time are the condition of the safeguards, employee training and knowledge retention, and machinery modifications made without engineering review that introduce hidden risks.
On many legacy machinery facilities, AS/NZS 4024 did not exist when the plant was originally installed. Even where no incidents have occurred, and equipment is considered safe by experienced operators, unassessed hazards may still be present without adequate safeguarding.
On operational facilities, guarding arrangements are often modified during maintenance, removed for access, or altered to keep production moving. Equipment is added to existing lines, access platforms are installed, and maintenance practices evolve. New machines are installed without hazard identification or safeguarding assessment. Over time, the original safeguarding intent can be weakened.
This is commonly seen on manufacturing sites. During machine safety assessments on sawmill operations, equipment such as saws, conveyors, resaws, and moulders may still operate as designed, but guarding arrangements, emergency stop coverage, and isolation points no longer align with current AS/NZS 4024 expectations. Experienced operators often manage these risks in practice, but facilities should not rely on their best people to maintain assumed compliance. Experience can reduce exposure, but it is not a control measure.
Similar conditions occur on infrastructure facilities such as wastewater treatment plants. Equipment, including thermal drying equipment, sludge conveyors, pumps, filters, and gantry cranes, contains exposed moving parts that require effective guarding. Fixed guarding assessments often identify accessible rotating components, pinch points, or access openings that no longer meet guarding requirements following maintenance or plant modifications.
The objective is not to replace machinery. The focus is clear hazard identification, risk assessment, appropriate non-engineering controls, and practical safeguarding improvements while the facility remains operational.
What good brownfield safety system management actually looks like
Safety risk on operational facilities is not static. Process conditions change, equipment ages, and small plant modifications accumulate over time. The safety systems protecting the facility need to keep pace with that reality.
Good governance starts with visibility. Asset owners need to know where the real gaps are. On brownfield sites, this often means revisiting assumptions that have not been challenged for many years. We regularly see proof test procedures that no longer reflect the SIL verification assumptions, or fire and gas detector layouts that were designed for a facility configuration that has since changed.
Documentation must track the plant as it actually operates. Proper Management of Change (MOC) processes are critical for minimising drift. Safety Requirements Specifications, cause-and-effect matrices, re-validated fire and gas detector installation against the last mapping study, and maintenance SIF proof-test procedures must remain aligned with the installed systems and current hazards.
Mature brownfield safety management is not about chasing perfect compliance everywhere. It is about understanding the gaps, prioritising them based on risk, and implementing practical improvements over time. That may involve re-engineering proof testing for critical SIFs, remapping fire and gas detector coverage following plant changes, or screening legacy systems against key updated standards to identify upgrades that reduce real risk.
How we typically help
For brownfield facilities, this usually starts with practical engineering reviews rather than large projects. Typical engagements include:
Fire and Gas Detection Systems
- Fire and gas mapping studies to assess detection coverage and identify gaps in existing systems
- Fire and gas mapping integrated into plant upgrade projects
Functional Safety (IEC 61511)
- Independent Functional Safety Audits
- SIL verification and gap analysis of existing SIS & SIFs
- SIF proof test procedure review and test coverage assessment
- Functional Safety Management Plan reviews against IEC 61511
Machine Safety
- Machinery hazard and safeguarding assessments against AS/NZS 4024
- Fixed guarding assessments on existing equipment
Risk Prioritisation
- Risk-based prioritisation of safety upgrades for brownfield facilities or machinery
- Compliance mapping against existing implementation
Proving safety systems will perform when demanded
Brownfield facilities can operate safely for decades, but the effectiveness of safety systems should never be assumed. Over time, small changes accumulate: plant and machine modifications, maintenance shortcuts, outdated procedures, and standards that move on while the facility does not.
The challenge is not proving a system worked in the past. The challenge is to identify non-conformance drift using practical engineering compliance methods. Then the facility can demonstrate that the safety system will perform when demanded.
Brownfield Safety Systems – Common Client Questions
Q: “The plant has been operating safely for years. Why review the safety systems now?”
Past operation does not confirm that safety systems will perform when demanded. Brownfield facilities accumulate changes over time: equipment additions, control modifications, maintenance substitutions, and evolving operating conditions. These changes gradually invalidate the assumptions used in the original safety design. A safety system can remain energised and appear operational while no longer delivering the level of protection originally intended.
Q: “If proof tests pass, doesn’t that confirm the SIF is working?”
Not necessarily. Proof tests often confirm that the loop still responds to a trip condition. They do not confirm the dangerous-failure detection coverage assumed in the SIL verification unless the test actually exercises the failure modes that coverage figure relies on. If proof tests are simplified to avoid shutdowns or operational disruption, undetected failure modes accumulate. The SIF may still trip during testing while no longer achieving the required probability of failure on demand. The SIF sensor or final element might also have been replaced without completing SIL verification, so that the SIF no longer meets the required risk-reduction targets.
Q: “Our fire and gas detectors are still installed where they were designed. Why reassess coverage?”
Fire & gas detector locations are based on assumptions about zone hazards, release behaviour, congestion, ignition probability, occupancy and mapping to achieve risk-based coverage targets. Brownfield facilities rarely remain static. New equipment, pipework, structural changes, or ventilation modifications alter how gas disperses or how fire hazards occur. A detector layout that was effective at commissioning can gradually lose coverage of credible release scenarios as the facility evolves.
Q: “We have been operating this machinery safely for years without an incident. Why carry out a Machine Safety Assessment now?”
Experienced operators often compensate for missing safeguarding through familiarity with the equipment. This creates reliance on human behaviour rather than engineered risk reduction. Many legacy facilities were built before modern machine safety standards such as AS/NZS 4024 were widely applied. Unassessed hazards can remain present for years without incident until conditions change, modifications are made, or new personnel are introduced. An AS/NZS 4024 Machine Safety Assessment identifies these hazards and ensures the required safeguarding is in place to reduce injury risk.
Written by Hardie McLaren, Principal Engineer, Equinox Automation
