Many believe Safety Integrity is all about component failure rates and complex calculations of probability of failure on demand. However, there are many ways to improve process safety without using a calculator, as this article explains.
International safety standards, IEC 61508 and IEC 61511, were developed as a direct result of several industrial process accidents. Applying the safety lifecycle approach described in IEC 61511 significantly reduces the likelihood of safety system failure.
Process operators face competing demands to maintain process safety while at the same time meeting production targets. By June of this year (2015) all European Union Member States must implement the Seveso III directive into their own laws; the changes from Seveso II include stricter standards for inspections by government agencies and more effective enforcement of the rules for managing safety.
Inspectors look for evidence of good practice in process safety, with reference to IEC 61511 as the benchmark. Many experienced operators of hazardous process plants already manage safety to some extent. However, IEC 61511 calls for structure and planning, to ensure that nothing goes un-checked, and records should show that plans were followed and any resulting corrective actions completed. Producing documents to show functional safety is well-managed can be challenging, when the inspector calls.
Let’s take a look at 5 key areas, and explore opportunities for improvement. Three of these topics relate to the Operational phase of the safety lifecycle, which is applicable to all processes, regardless of age, or of SIS technology in use:
Safety Requirements Specification
The first main section of the IEC 61511 safety lifecycle is the Analysis Phase, where we identify all of the potential hazards in our process and the degree of risk reduction required of our Safety Instrumented System. The HAZOP (Hazard and Operability study) is only the beginning of the process. The key deliverable from the Analysis Phase is the Safety Requirements Specification, which should consolidate vital information from the hazard analysis, as a reference for future work.
Every safety function within the SIS is associated with a specific hazard; each SIF has performance and integrity requirements. The SRS must identify all safety functions, providing information relevant to the design and operation of the SIS. IEC 61511 lists 27 points that must be addressed by the SRS, plus additional requirements specific to SIS software. Failure to consider each of these points may lead to misunderstanding, incorrect assumptions or key facts being missed in the work that follows to design, build, operate and maintain the SIS.
For the operator of an existing process, writing an SRS is the ideal opportunity to really understand and document what you THINK you have and why you have it. It is a chance to really dig into the process safety requirements, considering important questions such as:
- how can the hazard occur
- what other measures are in place to reduce risk
- what are the minimum requirements to achieve a safe state of the process.
This activity will re-acquaint you with the original design intent and probably raise some very important issues to be addressed.
Using an independent consultant to help with SRS preparation is a good opportunity to challenge and question the work that has gone before, making sure that the safety requirements are clearly understood by all involved.
If you work on a hazardous process, do you know where the Safety Requirement Specification is stored? Has the SRS been updated to reflect any process modifications? Are the key points within IEC 61511 all addressed?
Selection of SIS devices
When selecting components of the SIS, a great deal of emphasis is placed on certificates which provide those all-important reliability figures. Theoretical reliability figures rest on assumptions about the device's service and environmental conditions. In practice we should look carefully at our maintenance records to decide whether the theoretical performance can actually be expected in our plant.
Instrumentation must of course be suitable for the application. A valve designed to regulate flow may not be the most appropriate device to shut off a process stream. Regulating valves which move continually may be prone to mechanical wear, whereas a shutdown valve which rarely moves might stick, failing to close when needed. Digital valve positioners can automate partial stroke testing of SIS valves and provide useful diagnostic data for analysing any valve movements.
Analogue sensors are preferable to on-off digital inputs. The constant variations of an analogue value show that the device is still working, particularly if measurements can be correlated with other process variables. A digital input which only changes state when the hazard is present is prone to un-detected failure. Smart transmitters may provide additional diagnostics, provided the logic solver enables access to this data.
For each safety-related device, ask yourself:
- Are you experiencing higher than expected failure rates during testing or during operation?
- Does the device provide the information and protection you need?
- Does the device meet the design intent which you have established by writing an SRS?
Management of Safety System assets
SIS components installed in various locations throughout the process area should be clearly identifiable amongst similar equipment used for the basic process control system. The standards require us to make sure that competent people with the correct training and experience work on the safety instrumented system, and that no changes are made without proper planning and authorisation. Therefore it seems clear that maintenance technicians or field operatives need to know if a particular device is part of the SIS, or not.
Running a calibration check on a transmitter used within a flow control loop requires completely different precautions to running the same check on a similar transmitter used in a Safety Instrumented Function. The flow controller will freeze its output, keeping the flow constant whilst the transmitter is out of service, with the operator making adjustments as needed. The SIF, by contrast, can no longer protect against its identified hazard: the disabled measurement may cause a spurious process shutdown, or worse, the process might continue to operate with reduced protection.
IEC 61511 includes requirements for configuration management, in which all parts of the SIS should be clearly identified, managed and traceable. By clearly identifying all component parts of the SIS, and training all personnel that SIS devices are subject to special controls, the risk of a change leading to a process safety incident is greatly reduced.
Planning for Proof Test and Inspection
Because process control systems continually take actions, failures are quickly identified when valves or pumps do not move as expected. Process safety systems only act when things go wrong, so failures could go un-noticed in normal operation. Safety Instrumented Systems use increased diagnostics to detect as many dangerous failure modes as possible. However, some failure modes can only be diagnosed by regular proof testing.
Many process operators do test safety devices periodically; however, the planning and recording of those tests may not meet the specific requirements of the safety standards, which becomes apparent when the inspector asks to see proof test records. Proof tests should be consistent with the requirements in the SRS and with the assumptions made during SIL verification. Proof test coverage and proof test frequency both affect the average probability of failure on demand calculation, so a test performed less often than assumed, or one that cannot reveal failure modes it was credited with finding, undermines the claimed integrity. Proper proof test plans ensure that the design intent is met consistently, failures are logged for future evaluation and records are kept to allow proper auditing.
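To show how much proof test interval and proof test coverage matter, here is a small worked calculation. It is an added illustration, not part of the original article or any Emerson tool: the failure rates, MTTR, 20-year lifetime and SIL bands used in the code are constructed for the example, and the formula is the common simplified single-channel (1oo1), low-demand approximation, which neglects common-cause failure and the repair time of failures found at the test itself. The same hardware is evaluated under three test regimes; the SIL band it lands in changes with both the interval and the coverage.

```python
"""PFDavg for a single-channel (1oo1) safety function versus proof test
interval and proof test coverage.

Added worked example; the failure rates and test parameters below are
constructed for illustration, not vendor certificate data.

Simplified low-demand approximation (neglects common cause and the
repair time of failures found at the proof test itself):

    PFDavg = lambda_DU * PTC * TI / 2         # undetected failures the proof test can reveal
           + lambda_DU * (1 - PTC) * LT / 2   # undetected failures only overhaul/replacement reveals
           + lambda_DD * MTTR                 # diagnosed failures awaiting repair
"""

from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands for average PFD (IEC 61508-1 / IEC 61511-1)
SIL_BANDS = (
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
)


@dataclass(frozen=True)
class Channel:
    """Dangerous failure rates (per hour) and repair time for one SIF channel."""
    lambda_du: float   # dangerous undetected failures per hour
    lambda_dd: float   # dangerous detected (diagnosed) failures per hour
    mttr_h: float      # mean time to restore a diagnosed failure, hours


def pfd_avg(ch, proof_test_interval_y, proof_test_coverage, lifetime_y=20.0):
    """Average PFD for a 1oo1 channel.

    proof_test_coverage: fraction (0..1) of dangerous undetected failures
    that the proof test procedure actually reveals.
    lifetime_y: assumed period until the device is overhauled or replaced,
    the only point at which the uncovered fraction is found (assumption).
    """
    if not 0.0 <= proof_test_coverage <= 1.0:
        raise ValueError("proof test coverage must be between 0 and 1")
    ti = proof_test_interval_y * HOURS_PER_YEAR
    lt = lifetime_y * HOURS_PER_YEAR
    found_by_proof_test = ch.lambda_du * proof_test_coverage * ti / 2.0
    missed_by_proof_test = ch.lambda_du * (1.0 - proof_test_coverage) * lt / 2.0
    awaiting_repair = ch.lambda_dd * ch.mttr_h
    return found_by_proof_test + missed_by_proof_test + awaiting_repair


def sil_from_pfd(pfd):
    """SIL band the PFDavg falls in, or 0 if it is worse than SIL 1."""
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def compare_scenarios(ch):
    """Three proof test regimes for the same hardware: (interval years, coverage)."""
    scenarios = {
        "annual test, 100% coverage": (1.0, 1.0),
        "annual test, 60% coverage": (1.0, 0.6),
        "3-yearly test, 100% coverage": (3.0, 1.0),
    }
    results = {}
    for name, (ti_y, ptc) in scenarios.items():
        pfd = pfd_avg(ch, ti_y, ptc)
        results[name] = (pfd, sil_from_pfd(pfd))
    return results


# Constructed example channel: 1 DU failure per 10^7 h, 2 DD per 10^7 h, 8 h MTTR
EXAMPLE_CHANNEL = Channel(lambda_du=1.0e-7, lambda_dd=2.0e-7, mttr_h=8.0)

if __name__ == "__main__":
    for name, (pfd, sil) in compare_scenarios(EXAMPLE_CHANNEL).items():
        print(f"{name:32s} PFDavg = {pfd:.2e}  -> SIL {sil} band")
```

With these constructed numbers the annual, fully effective test sits in the SIL 3 band; stretching the interval to three years, or keeping the annual test but only revealing 60% of the dangerous undetected failures, both drop the same hardware into the SIL 2 band. That is why the proof test procedure and its interval must match what the SIL verification assumed, and why the records must show the tests were actually done.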
Management of maintenance overrides to the SIS
Maintenance overrides may be needed to enable proof testing whilst the process is in operation, or perhaps if a SIS device has failed and the process must continue operating whilst the repair is made. Facilities to override sensors are fairly common, and in some cases overrides are also possible on final elements. Overrides must be used with caution; an overridden safety function will certainly fail on demand!
For this reason, IEC 61511 requires operating procedures for control and authorisation of Maintenance Overrides, and checks to see that overrides are removed as soon as possible. Overrides should be reviewed at shift change, with automatic alarms to remind operators. Any override applied for longer than the mean time to repair should be challenged. Systems which offer software tools to control and monitor overrides may support operational procedures.
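The checks described above are easy to automate if overrides are kept in a register rather than on a whiteboard. The following is an added example, not code from the article or from any Emerson product: the register entries, device tags, SIF names, the 8-hour MTTR and the shift change time are all constructed. It runs three audits over the register: active overrides outstanding longer than the MTTR assumed in the SIL verification, overrides applied without a recorded authorisation, and overrides still active at shift handover.

```python
"""Audit checks over an SIS maintenance override register.

Added example; the register entries are constructed. It applies three
checks: overrides outstanding longer than the MTTR, overrides applied
without recorded authorisation, and overrides still active when a shift
changes over.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Override:
    tag: str                            # overridden SIS device
    sif: str                            # safety function it belongs to
    applied: datetime                   # when the override was set
    reason: str                         # why it was needed
    authorised_by: Optional[str]        # None = no authorisation recorded
    removed: Optional[datetime] = None  # None = still active

    def is_active_at(self, when: datetime) -> bool:
        return self.applied <= when and (self.removed is None or when < self.removed)


def overrides_beyond_mttr(register, now, mttr):
    """Active overrides older than the MTTR assumed in the SIL verification."""
    return [o for o in register if o.removed is None and now - o.applied > mttr]


def unauthorised_overrides(register):
    """Overrides with no authorisation recorded against them."""
    return [o for o in register if not o.authorised_by]


def overrides_at_shift_change(register, shift_change):
    """Overrides the incoming shift inherits and must review."""
    return [o for o in register if o.is_active_at(shift_change)]


def audit(register, now, mttr, shift_change):
    """Summarise the three checks as lists of device tags."""
    return {
        "beyond_mttr": [o.tag for o in overrides_beyond_mttr(register, now, mttr)],
        "unauthorised": [o.tag for o in unauthorised_overrides(register)],
        "active_at_shift_change": [
            o.tag for o in overrides_at_shift_change(register, shift_change)
        ],
    }


# Constructed register entries (tags, SIFs and people are made up)
REGISTER = [
    Override("PT-1001", "SIF-01", datetime(2015, 6, 1, 6, 30),
             "Annual proof test", "Shift supervisor A", datetime(2015, 6, 1, 9, 15)),
    Override("LT-2002", "SIF-04", datetime(2015, 5, 30, 22, 10),
             "Transmitter failed, replacement on order", "Shift supervisor B"),
    Override("XV-3003", "SIF-07", datetime(2015, 6, 1, 14, 5),
             "Positioner fault found during partial stroke test", None),
]

NOW = datetime(2015, 6, 1, 18, 0)
MTTR = timedelta(hours=8)       # assumed MTTR from the SRS / SIL verification
SHIFT_CHANGE = datetime(2015, 6, 1, 18, 0)

if __name__ == "__main__":
    for check, tags in audit(REGISTER, NOW, MTTR, SHIFT_CHANGE).items():
        print(f"{check}: {', '.join(tags) or 'none'}")
```

In this constructed register the level transmitter override has been open for nearly two days against an 8-hour MTTR and should be challenged, the valve override has no authorisation recorded, and the incoming shift inherits both. Recording the reason, the authoriser and the removal time for every override is what makes this kind of review, and the inspector's audit, possible.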
Help is available!
Experienced process operators most likely carry out some tasks intended to maintain safety, but many need help to formalise those activities into plans, structure and records in line with IEC 61511.
Emerson supports this requirement with a team of SIS consultants specifically trained in the application of IEC 61511 with a range of services aimed at optimising the SIS design and simplifying the job of regulatory compliance. They can help a customer develop solutions for issues identified by government inspectors. More importantly, they can help avoid issues by showing that Functional Safety is managed, according to the standards.
To find out more go to: www.EmersonProcess.com/IM508
From Jim: You can also connect and interact with other process safety professionals in the Safety Instrumented Systems group in Emerson Exchange 365 community.