Design and implementation of safety systems: Are we still out of control?
22 July 2024
While progress has been made towards addressing systematic errors in safety systems, further work remains to be done. A concerted effort involving clear specification, expert guidance, and the adoption of software tools can significantly contribute to improving the reliability of the SIF, explains Mark Hodgins
As we approach the 30th anniversary of the publication of "Out of Control" by the Health and Safety Executive (HSE) in 1995, it is pertinent to assess the progress made in addressing systematic errors in safety systems.
While advancements have been made in the realm of random failures, systematic errors persist, posing significant challenges to safety and operational integrity.
Understanding systematic failures
Analysis conducted by the HSE revealed that the majority of safety system failures stemmed from systematic errors rather than equipment failures. They were failures in procedure or design, the way that equipment was implemented, or how the safety function itself was specified.
The key point to emphasise is that these failures were not directly related to the equipment. They were caused by the humans who worked on those systems.
What has changed?
Over the past three decades, significant strides have been made in mitigating random failures through improved component quality and diagnostic capabilities. However, instances of systematic failures - i.e. failures in a design or operational/maintenance process which could impact the safety of the system - have not decreased at the same rate.
Out of Control analysed a range of faults and looked at which lifecycle phase introduced them. HSE investigations showed that 59% of incidents have their root cause either in design and implementation (15%) or in incorrect equipment being specified for the application (44%).
In essence, when you switch on your plant for the first time, 59% of the root causes of a future dangerous fault or the safety system failing to function as intended have already been designed in.
Incident classification scheme
1. Safety requirements specification - Function requirements specification; safety integrity requirements specification
2. Design and implementation
3. Installation and commissioning
4. Operation and maintenance - Action by operational workers; maintenance activities
5. Changes after commissioning - Modification and retrofit; decommissioning
Where do we see human errors occurring?
If we look at a basic safety instrumented function (SIF), each has at least three components: an actuator, a logic unit, and a sensor. Essentially: sense, decide, act.
Final element - it could be a valve or a contactor; these are usually simple to set up and any errors are easily revealed.
Logic unit - setup is typically quite complex with multiple causes and effects, but it is usually subject to a high level of testing during the design and commissioning phases and additionally, particularly in the oil and gas and chemical industries, subject to significant management of change (MOC) procedures. Any changes to the settings must be reviewed and validated.
Sensor - when we get to the front end, the parametrisation can be complex and we often find that this is not well defined in the design phase. It can be left to the decisions of the commissioning engineer or perhaps maintenance personnel to make changes later. Such changes are not usually subject to rigorous MOC procedures, and errors in settings may remain hidden.
A common example is operators complaining that the output from a device is bouncing around. An easy fix for a maintenance technician is to apply some damping to the signal. Unfortunately, this often happens without any review or testing of whether the device will still respond in time in the event of a real demand. It is necessary to go back and check the process safety time, and on many occasions that does not happen.
The other big consideration with sensors is changing technologies. MOC is often sadly lacking in this instance as well.
Leveraging functional safety manuals: A crucial guide
RTFSM - "Read the functional safety manual" - is a variation on a maxim that many in engineering will be familiar with.
For every piece of equipment used in a SIF, there will be a functional safety manual. It is the only document that the regulations specifically call for.
It includes guidance on avoiding systematic faults, applying measurements appropriately, testing during the lifecycle, permitted modifications, and decommissioning procedures.
It is important to emphasise that the functional safety manual defines the conditions under which the failure rate data applies. If it is not adhered to, you cannot calculate the safety of your SIF. This is something that is commonly overlooked during the lifecycle. People just look at the SIL capability of an instrument, but it could come to light after an incident that there were conditions in the functional safety manual that were not adhered to. In that case, it is no longer possible to prove you have a functioning SIF.
The human element: 3 Ps framework
As previously mentioned, every systematic fault involves a human failure. In line with this, the "3 Ps" framework - Personnel, Process, and Paperwork - provides a structured approach to addressing human systematic failures and can provide a good starting point.
Extending the 3 Ps framework
Personnel: Speak to experts
No matter how well trained your personnel are, it is still worth speaking to experts in the field. If you have similar plants elsewhere in the world, speak to them to understand what their experience has been. If you have a good vendor, they may have specialists that have worked on similar systems before. You can never have enough advice at the beginning of the process, or indeed throughout the entire lifecycle.
Process: Review and validation
Review and validation is a key element. There is a requirement for the validation steps under IEC 61511, but also consider asking someone else to conduct the review. Once again, vendors are typically very happy to help.
Paperwork: Detailed specification
The important thing here is the changeover between the phases, particularly the detailed specification leading into the design phase.
There have been instances where the design specification of the SIF has not been adequately relayed to the design team. From design through to commissioning, the information is again not fully relayed, and the loss cascades downwards. By the time the plant reaches the operational phase, the proof test methods will not have been adequately defined to test for the actual condition we are trying to protect against.
Leveraging software solutions
In recent years, software tools have emerged as invaluable assets in addressing systematic errors across various phases of the safety system lifecycle.
There are multiple benefits derived from using software during the design and implementation of safety systems. One of the primary ones is that the software knows the functional safety manual; it knows which combinations of parameters are allowed or not. It will not let the person doing the commissioning deviate from the functional safety manual. It will give them clear guidance when something is not suitable for use in a SIF.
The benefits of using software
Personnel - less reliance on expert knowledge
- Guided steps to commission a SIL device.
- Guided setup wizard reduces the probability of errors which could impair the safety function.
Procedures - deviation from the functional safety manual is not possible
- Compliant with the FSM.
- The software may define the initial proof test based on the settings.
Paperwork - time-stamped PDF record of what was done and the results
- Allows the user to create documentation of settings and proof test.
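The damping change described in the sensor section and the parameter checking described in this section come together in the following added example, which is not code from the article or from any vendor's software. It models a management-of-change check on a proposed sensor damping value: the value must sit inside the range the functional safety manual permits, and the resulting sense-decide-act time must still fit within the process safety time. The first-order filter model, the FSM limits and all timing values are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FsmLimits:
    """Parameter range the functional safety manual permits (constructed values)."""
    min_damping_s: float
    max_damping_s: float

@dataclass(frozen=True)
class SifTiming:
    """Response-time budget of one SIF, all in seconds (constructed values)."""
    process_safety_time_s: float
    sensor_response_s: float   # undamped sensor response, from vendor data
    logic_cycle_s: float       # logic solver scan time
    final_element_s: float     # valve stroke or contactor drop-out time
    trip_fraction: float       # where the trip setpoint sits within the step, 0..1

def damping_delay_s(tau_s: float, trip_fraction: float) -> float:
    """Extra time a first-order damping filter with time constant tau needs to reach
    the trip setpoint after a step change in the process: y(t) = 1 - exp(-t / tau)."""
    if not 0.0 <= trip_fraction < 1.0:
        raise ValueError("trip_fraction must be in [0, 1)")
    return -tau_s * math.log(1.0 - trip_fraction)

def sif_response_s(timing: SifTiming, tau_s: float) -> float:
    """Total sense-decide-act time with the proposed damping applied."""
    return (timing.sensor_response_s + damping_delay_s(tau_s, timing.trip_fraction)
            + timing.logic_cycle_s + timing.final_element_s)

def review_damping_change(timing: SifTiming, limits: FsmLimits, tau_s: float) -> list:
    """Findings a MOC review should raise for a proposed damping value; empty means acceptable."""
    findings = []
    if not limits.min_damping_s <= tau_s <= limits.max_damping_s:
        findings.append(f"damping {tau_s:g} s is outside the FSM range "
                        f"{limits.min_damping_s:g}-{limits.max_damping_s:g} s")
    total = sif_response_s(timing, tau_s)
    if total > timing.process_safety_time_s:
        findings.append(f"SIF response {total:.2f} s exceeds process safety time "
                        f"{timing.process_safety_time_s:g} s")
    return findings

# Constructed example: a trip whose setpoint sits halfway up the process step.
EXAMPLE_LIMITS = FsmLimits(min_damping_s=0.0, max_damping_s=10.0)
EXAMPLE_TIMING = SifTiming(process_safety_time_s=10.0, sensor_response_s=1.0,
                           logic_cycle_s=0.5, final_element_s=4.0, trip_fraction=0.5)

if __name__ == "__main__":
    for tau in (2.0, 8.0, 12.0):
        print(f"damping {tau:g} s:", review_damping_change(EXAMPLE_TIMING, EXAMPLE_LIMITS, tau) or ["OK"])
```

Note that 8 s of damping passes the FSM range check yet still fails the process safety time check, which is why FSM compliance alone does not close out the review.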
Conclusion
Throughout the lifecycle of safety systems, from specification to installation and commissioning, and during operation and maintenance, human error remains a key concern. However, advancements in software tools offer the opportunity to mitigate these risks. By providing guided steps, ensuring compliance with functional safety manuals, and generating detailed documentation, modern software can significantly reduce the likelihood of errors that compromise safety functions.
Additionally, it is essential to recognise the critical role of clear specification and expert advice during the design phase. Engaging with specialists, particularly vendors, and adhering to functional safety manuals are sound practices that contribute to the effectiveness and reliability of safety systems.
Mark Hodgins is customer training manager and Endress+Hauser UK's safety expert
If you'd like to listen to Mark discussing the design and implementation of safety systems in further detail, together with what Endress+Hauser can do to help, why not check out our webinar on the subject, available here: tinyurl.com/2vjpyyrp