Notes
Acronyms
HSE - Health & Safety Executive
E/E/PE - Electrical, electronic and programmable electronic
CCF - Common Cause Failure
EUC - Equipment Under Control
SIF - Safety Instrumented Function
SIS - Safety Instrumented Systems
SRS - Safety Requirements Specification
SRECS - Safety Related Electrical Control Systems
PFDavg - Probability of Failure on Demand Average
HFT - Hardware Fault Tolerance - Voting Systems
PFH - Probability of Dangerous Failure Per Hour
Market Environment
Buncefield Fuel Depot - Loss of containment (hydrocarbons and jet fuels), as fueling overflowed and ignited, causing an explosion.
Significant Economic Impact ~£894,000,000
No deaths - 43 injuries.
UK Legal Requirements
Health and Safety at Work etc. Act 1974
The Management of Health & Safety at Work Regulations 1999
Control of Major Accident Hazards (COMAH) Regulations 2015
Dangerous Substances & Explosive Atmospheres (DSEAR)
The Offshore Installations (Offshore Safety Directive) (Safety Case etc.) Regulations 2015
Increased dependence on safety critical systems to achieve target risk levels.
Increased need to justify that you have achieved adequate levels of safety.
Safety regulators using international standards as basis of what is reasonable ("accepted good practice").
Increasing formality of safety culture, management of functional safety, competence of the organisation and personal competence.
Increasing interest in management of legacy systems.
Business reputation in relation to safety a key business driver. Nobody will work with you if you kill people.
IEC 61508 and Functional Safety
Functional safety of electrical, electronic & programmable electronic safety-related systems
Published in UK as BS EN 61508
Sub-standards:
62061: Machinery
61513: Nuclear Power Plants
61511: Safety Instrumented Systems for the Process Industry Sector
Read the acronyms then have a flick through the standard.
Essence of Functional Safety
Safety: Freedom from unacceptable risk
Functional Safety: Part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
Achievement of safety through application of control systems, requirements identifying what has to be done and how well it has to be done
What has to happen: Airbag deployment
How well it should be done: Deploys every time needed.
Passive Systems - Fire Resistant Door, insulation on windings - Not functional safety
Functional safety only interested in active systems.
Terminology:
Equipment Under Control (EUC): Sensor, Controller and Actuator
Safety-Related System: Layer of protection, 2nd system.
Risk: Likelihood of the Consequence & Severity of the Consequence (Morbid Matrix - Fatalities)
Frequency x Consequence
Tolerable Risk: Risk which is accepted in a given context based on the current values of society (qualitative/quantitative)
R2P2 Guidelines - 1 in 1 million chance generally tolerable, for example.
1 × 10^-6 generally accepted; 1 × 10^-5 with criteria.
Target Risk: May be more than what's tolerable or vice-versa.
ALARP Demonstration: As low as reasonable practicable
Likelihoods:
Probability (one in a thousand)
Frequency (10^-4 fatalities per year)
Qualitative ("negligible") - HSE is driving a move away from this.
Consequences:
Worst Case
Worst Credible Case
Safety Function (Functionality) - Determined from hazard analysis. What has to be done to ensure the specified hazardous event does not take place or to mitigate the consequences of the specified hazard event.
Safety Function (Safety Integrity) - Safety Performance - Likelihood of the safety function being achieved. Determined from risk assessment.
Hazard Terms (IEC 61508-4):
Harm: Physical Injury or damage to the health of people or damage to property or the environment.
Hazard: Potential Source of harm. Danger to persons within a short-term scale or long-term effect (e.g. exposure to dangerous materials). Potential - Credible source of harm.
Hazardous Situation: Circumstance in which people, property or the environment are exposed to one or more hazards.
Hazardous Event: Event that may result in harm (e.g. near-miss, close-call). Depends on exposure to the consequence of the hazardous event and whether any such exposed people can escape the consequences of the event after it has occurred.
Harmful Event: Occurrence in which a hazardous situation or hazardous event results in harm.
Risk: Combination of the probability of occurrence of harm and the severity of that harm.
Tolerable Risk: Risk which is accepted in a given context based on the current values of society.
Residual Risk: Risk remaining after protective measures have been taken.
EUC Risk: Risk arising from the EUC or its interaction with the EUC control system.
Target Risk: Risk intended to be reached for a specific hazard taking into account the EUC risk together with the E/E/PE safety-related systems and the other risk reduction measures.
Safety Integrity
Probability of the safety-related system performing the specified safety function under all the stated conditions within a stated period of time.
High Safety Integrity = Low dangerous failure rate.
Safety integrity is solely concerned with dangerous failures.
Reliability covers both safe and dangerous failures and is not the same as safety integrity.
Safety Integrity Level (SIL)
One of four levels - 1 lowest, 4 is highest.
SIL 0/A - Below level 1 but better than control system.
Level 4 - Nuclear Submarine.
General Process Plant - SIL A/0, SIL 1, a few SIL 2, a very small number of SIL 3, if any. SIL 4 incredibly rare.
SIL 3 - System causes immediate harm on failure.
SIL - A characteristic of the safety function.
Quantified target failure measure specified for each SIL.
Need a risk assessment to determine - Can't assign without assessment.
Layers of Protection and Mitigation
Layers:
1 - EUC
2 - EUC Control System
3 - Alarms and Operator Intervention
4 - E/E/PE Safety-Related System - Outside safe operation - Safety system kicks in, still safe and contained. Mitigates against EUC, EUC Control System and Alarms/Operator Intervention failure.
5 - Physical Protection (Relief Devices)
6 - Physical Containments (Bunds)
7 - Fire & Gas System
8 - Plant Emergency Response
9 - Community Emergency Response
Layers 1-5: Protection. Layers 6-9: Mitigation.
LOPA - Layers of Protection Analysis
Safety Functions added to provide risk reduction:

Conditional Modifiers - Risk reduction parameters which are applied in the context of the consequence of the hazardous event. Made up of parameters that reduce the frequency of the specified consequence arising. Non-Engineered risk parameters. Put control room in nuclear bunker, put fence around tank, working procedures, ATEX rated equipment. Should be auditable (policies, procedures, training records etc.).
Examples: Probability of ignition, specified weather conditions, probability of person/persons within the specified area (occupancy), probability of escape.
CCF - Lack of independence between safety layers.
If common cause failure is not addressed the Target Risk will not be achieved.
SFs within SIS
A safety related system comprises a number of Safety Functions within SF Loops
SIF - Sensor, Logic Controller (Loop)
SIS - Multiple SIF via same logic solver. PLC
Initiating Events - The minimum combination of failures or errors necessary to start the propagation of an incident sequence. Can be a single initiating cause, multiple causes, or initiating causes in the presence of enabling conditions.
Place demands on the safety function loop.
Mouse breaks, operator can't respond, creates demands on the safety function.
Demand - The triggering of the safety system.
People can be part of the Safety Function Loop - HSE accepts it but as an engineer it's a bad thing.
Target Failure Measure - Ability of the safety function to meet a specified performance.
If safety function performed correctly:
Hazardous event will not take place; or,
The consequences of the hazardous event will be mitigated
The physical extent of the Safety Function Loop is defined by the functionality of the Safety Function.
Human factors need to be addressed in the context of the functionality and the SIL of the Safety Function.
If common cause failures are not addressed, the Target Risk will not be achieved.
Functional Safety Requirements Specification
Safety Requirements Specification (SRS)
Should inform the function and integrity requirements
Part of the End User Specification
Determined from the hazard analysis and risk assessment.
Must have traceability for justifying the E/E/PE System Safety Requirements Specification
Line of sight from valve back to Hazop.
If it's not written down it's rumor.
Technologies
Electro-mechanical - Low Complexity
Solid State Electronic - Low/Medium Complexity
Programmable Electronic - High Complexity
Examples of Safety Related Systems
Emergency Shutdown Systems
Continuous Control Systems
Railway Signaling Systems
Guard Interlocking Systems
Automobile: Airbag/ABS
Information-based decision support tool where erroneous results affect safety.
IEC 61508 Standard
About to get new version of 61508 and 61511
Eight part standard covering all safety lifecycle activities.
Concept
Specification
Design
Implementation
Operation
Maintenance
Modification
61508 Format:
Part 0: Functional Safety and IEC 61508
Part 1: General Requirements
Part 2: Requirements for electrical, electronic, programmable electronic systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of SILs
Part 6: Guidelines on the application of parts 2 & 3
Part 7: Overview of techniques and measures.
Software:
How not to introduce systematic faults.
Safety Function = Safety Instrumented Function
SRECS = BPCS/EUC Control Systems
Strategy to Achieve Functional Safety
Subsystems
Sensors
Controller
Final Elements - e.g. valve
Failure of the subsystem will result in the failure of the safety function.
Extent of Safety Function - All elements combined together.
Out of Control (Book) - HSE review of 34 incidents involving control systems.
Majority of failures occur at Specification (44%)
20% are Changes after Commissioning
15% during Design & Implementation and Operation & Maintenance
Total of 60% of failures are built into safety-related systems before service.
Correct specification/design = Reliability and safety
Don't have safety functions if avoidable - Use passive functions.
Hazard and Risk Analysis - HAZOP and LOPA.
Determines the SFs and the SIL of the SFs

Ensure line of sight from build back to Hazop
Software Safety Requirements Specification and E/E/PE System Design Requirements Specification
Validation/Verification - Test that it is being done correctly. SIL verification: run the maths on it. SEF - Plan tests before writing software.
Failure Categories and SILs
Dangerous Failures:
Failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that:
Prevents a safety function from operating when required (demand mode) or causes a safety function to fail (continuous mode) such that the EUC is put into a hazardous or potentially hazardous state; or
Decreases the probability that the safety function operates correctly when required.
Safe Failure:
Failure of an element and/or subsystem and/or system that plays a part in implementing the safety function that:
Results in the spurious operation of the safety function to put the EUC into a safe state or maintain a safe state; or
Increases the probability of the spurious operation of the safety function to put the EUC into a safe state or maintain a safe state.
Continued trips = Decreased perceived value, increased need to justify the implementation of the system.
Typically, 1oox voting is chosen for safety; 2oox is chosen to reduce the spurious trip rate.
The safety function determines whether a failure is safe or dangerous
e.g. overpressure valve - Spurious (Safe), Fails to Shut (Dangerous)
No fail-safe pieces of kit - Can only be determined to fail safe depending on scenario where it's used (e.g. fail open/closed).
Failure Categories:
Random Hardware Failures
Systematic Failures: Incorrect specification h/w or s/w (e.g. specified wrong valve), software/human errors, omissions in safety requirements.
Design Strategy
Need to buy items with low Random Hardware Failures
Employ systems to overcome human error - Systematic Safety Integrity
Cannot achieve a SIL by buying good quality hardware, doing only a HAZOP and LOPA.
Need a systematic management system.
Both contribute to the SIL
Safety Integrity Levels
1-4 Levels - 1 Least Integrity, 4 is Highest Integrity
On process sites, don't typically see higher than SIL 2
Need hardware and systematic integrity to achieve SIL
Safety Related System
Carries out each safety function to achieve the functionality of that safety function.
Achieves the required safety integrity for each safety function (as specified by the SIL and Target Failure measure of the safety function)

Low Demand Mode of Operation (Average Probability of Dangerous Failure on Demand [PFDavg]) - Demands no more than once per year
Overall Design Framework
To meet a SIL:
Hardware Safety Integrity
Quantify random hardware failures to meet target failure. Measure to specified SIL. (Voting Systems)
Comply with the requirements of Architectural Constraints for the specified SIL
Systematic Safety Integrity
Comply with the requirements for systematic safety integrity for the specified SIL OR
Comply with the requirements for Proven In Use (PIU) for the specified SIL.
Proven in Use - Had the valve installed and maintained for 30 years and only had a single failure. Need sufficient documentary evidence to claim PIU. Experience is that not many/if any achieve this as nobody has all info HSE want.
Target Failure Measures
Modes of Operation:
Low Demand Mode: Where the safety function is only performed on-demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year; or
High Demand Mode: Where the safety function is only performed on-demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or
Continuous Mode: Where the safety function retains the EUC in a safe state as part of normal operation.
Target Failure Measures
Relates to the ability of the safety function to meet a specified performance.
As a system, the safety related system when averaged must meet the SIL.
Target probability of dangerous mode failures to be achieved in respect of the safety integrity requirements, specified in terms of either
The average probability of a dangerous failure of the safety function on demand (for a low demand mode of operation)
The average frequency of a dangerous failure [h^-1] (for high demand or continuous).
Continuous: Begin at F2 as the control system is continuously operating to prevent failures arising at F1
Safety Function: contains the essential information for designing the E/E/PE safety-related system.
Functionality + Safety Integrity + Mode of Operation
Compliance Requirements:
If any element of the safety function is a lower SIL, the SIL of the system is the lowest SIL.
Allocation of the Overall Safety Function
Do LOPA - Determine target level is SIL 3.
Can't meet - So go back round the loop.
Or go to lowest SIL possible using passive measures.
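Worked example (added here, not from the original notes) of the LOPA allocation above combined with the target failure measures and the "lowest SIL wins" compliance rule: the mitigated consequence frequency is computed from an initiating event, conditional modifiers and existing protection layers, the PFDavg a new SIF must supply is derived from the tolerable target, and a candidate SIF loop is checked against it. The SIL bands are the IEC 61508-1 target failure measures; the plant figures (frequencies, modifiers, subsystem PFDs and capabilities) are constructed for illustration.

```python
# Added example (not from the original notes): LOPA-style SIL target
# calculation and a SIF loop check. Bands are IEC 61508-1 target failure
# measures; the plant figures are constructed for illustration.

# (lower bound inclusive, upper bound exclusive) per SIL
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

def sil_for(measure, mode="low"):
    """Map a target failure measure to a SIL: PFDavg for low demand mode,
    PFH (dangerous failures per hour) for high demand / continuous mode."""
    bands = PFD_BANDS if mode == "low" else PFH_BANDS
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= measure < hi:
            return sil
    return 0  # SIL 0/A: some risk reduction claimed, but below SIL 1

def mitigated_frequency(initiating_freq, modifiers, ipl_pfds):
    """Consequence frequency (per year) after the conditional modifiers and
    the PFDs of the existing independent protection layers are applied."""
    f = initiating_freq
    for factor in list(modifiers.values()) + list(ipl_pfds.values()):
        f *= factor
    return f

def required_sif(initiating_freq, modifiers, ipl_pfds, target_freq):
    """(risk reduction factor, PFDavg, SIL) a new SIF must provide so the
    mitigated frequency comes down to the target frequency."""
    f = mitigated_frequency(initiating_freq, modifiers, ipl_pfds)
    if f <= target_freq:
        return 1.0, 1.0, 0  # target already met without a SIF
    rrf = f / target_freq
    return rrf, 1.0 / rrf, sil_for(1.0 / rrf)

def loop_sil(subsystems):
    """Achieved SIL of a SIF loop: loop PFDavg is the sum of the series
    subsystems (sensor, logic solver, final element), capped by the weakest
    subsystem's systematic capability (lowest SIL wins)."""
    hardware_sil = sil_for(sum(pfd for pfd, _ in subsystems))
    return min([hardware_sil] + [cap for _, cap in subsystems])

# Constructed scenario: BPCS level loop fails (0.1/yr), consequence is fatality
TARGET = 1e-6                       # per year; the "1 in 1 million" line
MODIFIERS = {"ignition": 0.1, "occupancy": 0.5}
IPLS = {"alarm_and_operator": 0.1}  # existing layer, PFD 0.1
SIF_LOOP = [(4e-4, 3), (1e-4, 3), (1.2e-3, 2)]  # (PFDavg, capability) each

if __name__ == "__main__":
    rrf, pfd, sil = required_sif(0.1, MODIFIERS, IPLS, TARGET)
    print(f"required RRF {rrf:.0f}, PFDavg {pfd:.1e}, SIL {sil}; loop achieves SIL {loop_sil(SIF_LOOP)}")
```

If the loop's achieved SIL comes out below the required one, that is the "can't meet, go back round the loop" case: change the loop design or add another layer.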
Management of Functional Safety & Competence
To specify responsibilities in the management of functional safety for an E/E/PE safety-related system, or for one or more phases of the overall, E/E/PE system and software safety lifecycles.
To specify the activities to be carried out by those with responsibilities in the management of functional safety.
Can extend outside remit of control - e.g. to suppliers.
Functional Safety Assurance Measures
Safety Assurance Measures
Verification
Validation
Functional Safety Audits (Management System)
Functional Safety Assessment:
Investigation, based on evidence, to judge the functional safety achieved by one or more E/E/PE safety-related systems and/or other risk reduction measures.
Clause 8: IEC 61508-1
May be carried out after each safety lifecycle phase or after a number of safety lifecycle phases.
Minimum FSA 3
Independence is defined by the SIL requirements.
Functional Safety Audit:
Systematic and independent examination to determine whether the procedures specific to the functional safety requirements to comply with the planned arrangements are implemented effectively and are suitable to achieve the specified objectives. FS Audits can be carried out as part of a functional safety assessment, better to split out though.
Verification
Confirmation by examination and provision of objective evidence that the requirements have been fulfilled.
Has it been implemented to design.
Require verification of all phases.
Validation
Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.
Validation is the activity of demonstrating that the safety-related system under consideration, before or after installation, meets in all respects the safety requirements specification for that safety-related system.