Fault detection simply informs the user that the device is no longer capable of operating as required; it does not achieve or maintain process safety. Continuing to operate the process with a degraded or disabled SIS is a serious decision, requiring planned compensating measures that ensure safe operation and provide equivalent risk reduction. Many safety instrumented systems (SIS) are installed because the operator does not have sufficient time, is not continuously present, or is not capable of achieving a consistent, reliable protective response in the time required. If the hazard and risk analysis has already taken credit for an operator appropriately acknowledging an alarm, the operator's contribution to process hazards management has already been considered. An operator acknowledging a diagnostic alarm does not reduce the risk or make the operator stronger, faster or smarter. Only the user, through careful consideration of many application-specific factors, including the process hazard, process safety time, operator attendance, required safe state actions and operator workload, can determine whether the operator is capable of providing equivalent risk reduction while the detected failure is corrected.
Manufacturers recommending that failures be alarmed rather than taking the appropriate safety action are potentially accepting significant liability. They simply do not have sufficient information about the intended operation or process risk to make such recommendations. Unfortunately, nearly every analysis report reviewed assumes that an operator is on-hand to step in and substitute for the basic process control system (BPCS) and/or SIS immediately upon receiving a diagnostic alarm, and that they will remain available to monitor the process equipment until the failed device is returned to service. Such assumptions are unrealistic, and manufacturers would be better advised to provide a detailed failure modes and effects analysis, so users armed with an understanding of what is necessary for safe operation can calculate an application-specific PFD and spurious trip rate.
4. Lack of complete proof test procedure
The user must validate and periodically demonstrate that the equipment operates according to the safety requirements specification. This demonstration includes diagnostics, alarms, manual operation and safety functionality as required by IEC 61511 Clauses 11.3, 16.2.2 and 16.3. Unfortunately, very few of the proof-test procedures reviewed actually satisfy OSHA PSM requirements for a witnessed test of the equipment's ability to operate as required.
Most safety manuals provide limited-scope proof-tests with estimated test coverage. Product operation is not fully proven by these partial tests. Since failure modes and distributions are not provided, it is not possible to determine whether the claimed proof test coverage is reasonably conservative or what failures the suggested test covers or does not cover. As already discussed, the proof test procedures do not address testing product diagnostics. Many devices have achieved a high SIL claim limit via large diagnostic coverage factors; yet, means and procedures for testing the diagnostics are not provided or discussed in the majority of safety manuals reviewed.
Safety manuals should provide proof test procedures that demonstrate equipment operation, including diagnostic, alarm and trip functions. Partial testing and diagnostics are tools for allowing more frequent validation of a subset of the failure modes, but the use of partial testing does not eliminate the need for full functional testing. Fundamentally, all protection layers must be auditable; therefore, periodic proof-testing is necessary in order to prove that random and systematic errors have not degraded equipment performance. Incomplete testing cannot be accepted solely on the basis of probabilistic techniques. Any failure that is not covered by a test is a latent condition that can manifest itself at any time in the device's life. No user should approve a device for a safety application that cannot be fully proof-tested to ensure proper operation according to the safety requirements specification.
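As an added example (not from the paper or from any manufacturer's manual), the following combines a constructed failure-mode table with diagnostic and proof-test coverage to show how alarm-versus-trip handling and untested failure modes change the PFDavg and spurious trip rate; the FMEA entries, rates, repair time and mission time are all assumed values.

```python
# Added example, not from the paper: combines the data the paper says manufacturers
# should supply (failure-mode rates, diagnostic detectability, proof-test coverage)
# into an application-specific PFDavg and spurious trip rate. Simplified 1oo1
# approximations; every rate below is constructed for illustration.
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760

@dataclass(frozen=True)
class FailureMode:
    name: str
    rate: float          # failures per hour (constructed)
    dangerous: bool      # True: defeats the trip; False: causes a spurious trip
    diag_detected: bool  # caught by the device's on-line diagnostics
    proof_tested: bool   # exercised by the manual proof-test procedure

# Constructed FMEA for a hypothetical transmitter (illustrative numbers only).
FMEA = [
    FailureMode("stuck output",          2.0e-7, True,  True,  True),
    FailureMode("drift outside limits",  1.0e-7, True,  False, True),
    FailureMode("trip setpoint corrupt", 5.0e-8, True,  False, False),
    FailureMode("fail-low output",       3.0e-7, False, True,  True),
]

def pfd_avg(fmea, test_interval_y, mission_time_y, on_detect, mttr_h=8.0):
    """1oo1 PFDavg. on_detect: 'trip' (diagnostics force the safe state),
    'alarm' (operator credited to repair within mttr_h) or 'alarm_no_credit'
    (alarm only; the fault persists until a proof test finds it)."""
    ti, mt = test_interval_y * HOURS_PER_YEAR, mission_time_y * HOURS_PER_YEAR
    pfd = 0.0
    for m in (x for x in fmea if x.dangerous):
        if m.diag_detected and on_detect == "trip":
            continue                    # device already in its safe state
        if m.diag_detected and on_detect == "alarm":
            pfd += m.rate * mttr_h      # exposed only during the repair
        elif m.proof_tested:
            pfd += m.rate * ti / 2      # found at the next proof test
        else:
            pfd += m.rate * mt / 2      # latent for the whole mission time
    return pfd

def spurious_trip_rate(fmea, on_detect):
    """Trips per year: safe failures, plus dangerous-detected ones if diagnostics trip."""
    rate = sum(m.rate for m in fmea if not m.dangerous)
    if on_detect == "trip":
        rate += sum(m.rate for m in fmea if m.dangerous and m.diag_detected)
    return rate * HOURS_PER_YEAR

def with_full_proof_test(fmea):
    """Same FMEA with every mode covered by the proof test (what the paper asks for)."""
    return [replace(m, proof_tested=True) for m in fmea]
```

With a one-year test interval and a fifteen-year mission time, the single untested mode dominates the PFDavg regardless of how detected faults are handled, and covering it in the proof test cuts the result by roughly a factor of five.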
Processes operate in a safe manner when installed equipment meets the owner's operability, reliability, and maintainability requirements. Safety is not sustainable when unreliable equipment is used. Low-reliability equipment increases maintenance costs, reduces operations' trust in the equipment and in those who specified it, and increases overall risk due to process upset, shutdown, and start-up. Users must assess how well a device works in the intended application. Prior-use information is essential to ensure proper installation, commissioning, testing, and maintenance in process industry applications.
The root of the safety manual problem is an inadequate understanding by manufacturers of what users really need. The manuals reviewed do not contain sufficient information to ensure compliance with IEC 61511 or OSHA PSM requirements. To better support users, manufacturers must perform reasonable and conservative analysis of their products and provide better documentation of assumptions. Users require more than a table of numbers in order to verify that analysis assumptions match their device's application. Manufacturers are responsible for providing the fundamental information about what is under their control, thereby enabling users to do their job efficiently and consistently (4). Instead, most devices carry exaggerated claims based on rather flimsy and, in some cases, suspect evidence.
Unfortunately, it appears that many of these issues will not be addressed by the upcoming release of IEC 61508. Committee members are encouraged to seriously consider changes to IEC 61508 that steer manufacturers in a direction that yields safe and reliable products. Manufacturers should be required to supply a failure modes and effects analysis with failure distributions so users can track their failures against the defined modes. They should also be required to report in-service data, ensuring that product claims can be met by field performance. Manufacturers should not assume that it is safe to alarm a fault rather than forcing the product to its safe state. They should report the failure modes that can be detected and allow users to determine whether it is appropriate to alarm or trip based on a hazard and risk analysis of the process equipment. Finally, manufacturers should provide proof-test procedures that fully test all required product functionality so that users can achieve and remain in compliance with IEC 61511 and OSHA PSM.
- IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1-7, Geneva, Switzerland (1999-2001).
- Guidelines for Safe and Reliable Instrumented Protective Systems, American Institute of Chemical Engineers, New York, NY (2007).
- Thomas, Harold, David Deibert, David C. Arner, and David Weir, Air Products & Chemicals, Inc., Safety Instrumented System Manuals: A Need to Balance Reliability and Safety, Process Safety Progress, Vol. 27, No. 1 (March 2008).
- IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Geneva, Switzerland (2003).
- OSHA, Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents, 29 CFR Part 1910, Federal Register 57, 36, Washington, DC (1992).