1 February 2006
Where Safety Begins & Ends
Ensuring safety takes more than standards compliance and quality programs; good people still play a part
By Ellen Fussell Policastro
Next month marks the one-year anniversary of an oil refinery explosion in Texas City, Texas, that killed 15 people and injured 100. And 31 years have passed since the Flixborough plant explosion in the U.K. that killed 28 people. Since then, industries still question what's most important about their safety systems. Is it quality of manufacturing design, complying with industry standards, or having well-trained people implementing their safety processes?
Experts say all these factors and more are critical aspects manufacturers must consider when examining the reliability of their safety systems. Because safety systems mean different things to different people (emergency shutdown system, protective instrument system, and safety interlock system), the ISA-SP84 standards committee settled on the term "safety instrumented systems" (SIS) to indicate systems designed to respond to plant conditions that could be "hazardous in themselves," or conditions where, if they don't elicit action, "a hazardous event could occur," said Paul Gruhn, safety product specialist with ICS Triplex in Houston, and co-author with Harry Cheddie of Safety Instrumented Systems: Design, Analysis and Justification.
For any safety function implemented in process instrumentation, manufacturers must determine its required level of performance. Safety standards call this the safety integrity level (SIL), which isn't necessarily a direct measure of process risk but a measure of the performance the system needs in order to control that risk, Gruhn said.
After installing a safety system, it's imperative to perform regular maintenance to ensure all components function when needed, said Ian Verhappen with Syncrude Canada Ltd., in Alberta, Canada. Because maintenance is a major factor in determining the SIL the system actually achieves, it's as important as, if not more important than, the design itself. "If the culture of the facility is not willing to support a safety-based system, then the result is a net negative investment," he said, "not only in resources but also safety, since people will assume they are protected by a safety system, when in fact they may not be."
It is a rigorous process to determine the SIL, said Roger Prew, ABB's manager of the lead competence safety center in the U.K. The process operator and regulator (the Health and Safety Executive, or HSE, in the U.K.) carry it out and make sure the system addresses all potential risks. They assess, document, and justify potential risks and use the assessment to determine the SIL, which they must apply according to the current IEC 61508 standard, he said.
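To show how the proof-test interval set by a plant's maintenance program drives the SIL a simple single-channel (1oo1) function actually achieves, here is an added worked example (not from the article or any vendor named in it). It assumes the simplified IEC 61508 low-demand relation PFDavg ≈ λ_DU × TI / 2 + λ_DU × MTTR and the standard low-demand SIL bands; the dangerous-undetected failure rate and the test intervals are constructed values.

```python
"""Effect of proof-test interval on achievable SIL for a 1oo1 safety function.

Assumptions (added example, not the article's own material):
  - Simplified low-demand PFDavg model: lambda_du * TI / 2 + lambda_du * MTTR
  - IEC 61508 low-demand SIL bands: SIL n requires PFDavg < 10**-n (n = 1..4)
"""

HOURS_PER_YEAR = 8760.0

# Upper PFDavg bound (exclusive) for each SIL, most demanding first.
SIL_UPPER_BOUNDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def pfd_avg_1oo1(lambda_du_per_hour, test_interval_hours, mttr_hours=0.0):
    """Average probability of failure on demand for one channel.

    lambda_du_per_hour: dangerous-undetected failure rate (1/h)
    test_interval_hours: proof-test interval TI (h)
    mttr_hours: mean time to repair after a detected failure (h)
    """
    return lambda_du_per_hour * test_interval_hours / 2.0 + lambda_du_per_hour * mttr_hours


def sil_achieved(pfd):
    """Map a PFDavg to the SIL band it satisfies; 0 means no SIL credit."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd < upper:
            return sil
    return 0


def max_test_interval_hours(lambda_du_per_hour, target_sil, mttr_hours=0.0):
    """Longest proof-test interval that keeps PFDavg inside the target SIL band."""
    upper = dict(SIL_UPPER_BOUNDS)[target_sil]
    return 2.0 * (upper / lambda_du_per_hour - mttr_hours)


def sil_by_interval(lambda_du_per_hour, intervals_years):
    """Return {years: SIL} for each candidate proof-test interval."""
    return {y: sil_achieved(pfd_avg_1oo1(lambda_du_per_hour, y * HOURS_PER_YEAR))
            for y in intervals_years}


if __name__ == "__main__":
    LAMBDA_DU = 1e-6  # constructed: one dangerous-undetected failure per ~114 years
    for years, sil in sil_by_interval(LAMBDA_DU, [1 / 12, 1, 10]).items():
        print(f"TI = {years:5.2f} y -> PFDavg = {pfd_avg_1oo1(LAMBDA_DU, years * HOURS_PER_YEAR):.2e}, SIL {sil}")
    print(f"Longest TI for SIL 2: {max_test_interval_hours(LAMBDA_DU, 2) / HOURS_PER_YEAR:.2f} y")
```

The same hardware drops from SIL 3 to SIL 1 purely by stretching the test interval from monthly to ten-yearly, which is the "net negative investment" Verhappen warns about when a facility stops maintaining its system.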
"A safety control system, such as an emergency shutdown (ESD) or a fire and gas protection system (F&G), is one of a number of risk reduction strategies open to the process operator," Prew said. "A professional understanding of the law, the potential hazards of the process, and current standards are more valuable than foresight."
But while SIL compliance is critical to safety, it has no direct impact on plant uptime, said Luis Duran, brand director for Triconex in Irvine, Calif. "A company can purchase technology fully compliant with all safety standards, but poor product quality or implementation can create failure scenarios leading to plant trips that are even more dangerous than the risk or hazardous conditions they are supposed to prevent," he said.
Test design by forcing it to fail
Just because you comply with safety standards, it doesn't necessarily mean you're ensuring product quality, Duran said. "Quality isn't always implemented the same way by every company," he said. "So there are huge issues on how you make sure the safety system will perform as designed."
Safety system degradation is one circumstance under which a safety system could fail. Common sense is still one of the most important aspects of maintaining an effective safety system and maintaining high quality, Duran said. Safety-system vendors focus on how the system performs when it is healthy, but they don't talk much about what happens when a failure is diagnosed, Duran said.
"In the oilfield industry, there is considerable risk both from human safety and financial perspectives," said Chris Casso, a supply chain manager at Epoch Well Services in Houston. "Proper design of safety control systems is essential to assure efficient performance in everyday operations as well as preventing potential catastrophes. This is usually best achieved by close up-front coordination between the designer and the user."
Critical factors to consider in the design phase include built-in redundancy, reliability, and diagnostics. "A safety system is more than a control system. The level of diagnostics a safety system needs is significantly higher than regular diagnostics," he said. It's also critical to make sure the system performs the same way, whether in healthy mode or during a diagnostic failure. A failure can create a significant hazard in a plant, Duran said, "even bigger than hazards they're trying to prevent."
So manufacturers must pay attention to design to ensure they've accounted for all potential failures. "Our challenge is to make sure the design functions to our specifications and performs to our exacting requirements. We test the design by forcing it to fail," Duran said. One of the biggest challenges in designing fault-tolerant control systems is "to figure out how to test a design to make sure it does what we've designed it to do," he said. A fault insertion process helps Duran and his team test printed circuit board (PCB) assemblies, which can have up to 5,000 test points on a single board.
Standards only the start
While safety standards are important, they are no guarantee you won't experience problems.
There's no simple "cookbook of pre-planned solutions," Gruhn said. Standards "do not mandate technology, level of redundancy, or test intervals. And they can't cover all the variation, complexities, and details of today's systems." What the standards and regulatory agencies can do, however, is require you to meet certain target safety measures.
The ISA-SP84 committee on functional safety developed a standard originally intended for programmable logic boxes rather than field devices. But the scope eventually expanded to include other logic-box technologies as well as field devices. The committee based its work on the International Electrotechnical Commission (IEC) 61508 standard on relay, solid-state, and programmable systems, including field devices. Among its intended users are the transportation, medical, nuclear, and process industries.
Manufacturers should design logic solvers used in SIL 1 through SIL 3 safety instrumented functions (SIFs) to meet IEC 61508 or document them to meet the requirements of proven-in-use criteria. "The problem here is end users find it an insurmountable task to document that a logic solver meets the standards' proven-in-use criteria (with all the hardware and software target measures, fault insertion tests, and safety manual documentation)," Duran said. "The cost would be prohibitive, and the liability is not something the plant would want to undertake."
Therefore, when it comes to SIS logic solvers, the process industry has reached a consensus in generally specifying that the equipment be third-party certified to meet IEC 61508, Parts 2 and 3. Although a nationally recognized testing laboratory is the accepted body to perform the certification, process plant specifications mostly require TÜV certification, he said.
Human failures undermine processes
No matter how well you design or manufacture a product, you'll experience failures if you don't implement proper processes. Who implements and installs your SIS can be as important as what they install. In many instances, you can have the best product, "but if you don't have a quality implementation team, you could possibly create issues instead of solving them," Duran said.
Yet Gruhn said that actual military studies show, "when faced with life-threatening situations requiring decision within one minute, people tend to make the wrong decisions 99% of the time." He cited accidents based on human failures where operators didn't believe rare events were real or when operators, overloaded with information, failed to act. "When things do go wrong, they tend to cascade and escalate," he said. In one plant, the distributed control system (DCS) printed out 17,000 alarm messages. "Overwhelming the operator with this much information is obviously detrimental," he said. "Too much information is not a good thing."
This is why process safety engineers should be certified, Duran said. Yet none of the safety standards or regulatory bodies (the Occupational Safety and Health Act, the Environmental Protection Agency, or an HSE) mandate plant personnel certification by any specific organization, Duran said. "In fact, safety standards don't even mandate certification of SIS equipment by any specific testing labs, for instance TÜV and Factory Mutual (FM)," he said.
International and national safety standards and regulatory agencies, such as IEC 61508, IEC 61511, and ANSI/ISA-84.01, require personnel involved in any stage of the SIS safety life cycle to show documented competency for their assigned tasks, he said. As with SIS hardware and software certification, it's best if a third party issues the competency assessment of plant or contractor engineers.
It makes sense, if industry requires TÜV-certified SIS hardware and software, that engineers who design, integrate, program, install, operate, and maintain the SIS should also be certified, Duran said. Then, you'll be more inclined to ensure you have a qualified design team of highly skilled engineers with extensive experience in safety and control system design.