Understanding functional safety and related standards
21 March 2017
How well do you understand the term functional safety? Could you describe why there are international standards that specifically deal with functional safety, which parts of these standards apply to engineering or management activities and what measures are required to ensure compliance? Here, Peter Stabler of BPE answers these questions and gives an overview of functional safety and related standards.
The immediate problem is the risk of falling foul of safety regulators. Although complying with functional safety standards is not a legal requirement, they are widely regarded by regulators as representing “best practice”. In the UK, safety legislation is generally not prescriptive, but rather requires process plant operators to employ best practice in managing the safety of their operations. Consequently, the HSE increasingly requires evidence that best practice has indeed been adopted in UK-based process facilities. Demonstrating compliance with both engineering and management aspects of functional safety standards provides unambiguous, documented and auditable evidence of this.
There is, however, a more positive motivation for businesses to seek compliance with functional safety standards - they represent best practice for a reason. Companies that comply with the standards benefit from a comprehensive, “joined-up” and cutting edge approach to the management of safety. The reason for this is that the standards incorporate more than narrow engineering guidance. Equally important are the management practices that must be implemented to ensure both initial and ongoing compliance.
In this regard, functional safety standards have much in common with quality standards – they require compliant companies to specify and adopt a systematic, and auditable management approach. Put another way, compliance requires implementation of a “management system” that regulates the full lifecycle of safety instrumented systems. In parallel with engineering tasks relating to the specification, design, installation and verification of safety instrumented systems, management activities must be undertaken to ensure, for example, the adequacy of suppliers, the competence of personnel and the documentation of tasks undertaken. Achieving and maintaining compliance with functional safety standards helps businesses ensure not only the safety of their operations, but also that they are managing their operations effectively.
Managing risk in the chemical process industries
The IEC 61508:2010 functional safety standard defines safety as “freedom from unacceptable risk”. This definition implies that compliance with the standard requires both an understanding of current levels of risk and a determination as to whether or not these risks are acceptable. In the chemical process industries, plant owners need to systematically appraise risk for their process operations and to define criteria for the acceptability of these risks.
Engineering risk is defined as the product of the frequency of occurrence of a hazardous event, and the consequences associated with the event. Risk levels can therefore be mitigated by reducing either the frequency of a hazardous event occurring, or by minimising any consequences should it occur.
Of course, well-engineered process plants are designed to minimise risk through the adoption of Good Engineering Practice (GEP). Designers may incorporate a number of independent protection layers to reduce the frequency or consequences of hazardous events. Examples of such protection layers could be pressure release valves (incorporating the appropriate treatment of vented gases), the plant’s process control system or physical barriers such as bunds that reduce the spread of spillages.
Figure 1: Protection layers considered in a LOPA
These traditional measures of controlling risk are just as valid today as they have always been. Functional safety standards acknowledge such risk reduction measures, and allow process plant owners to take credit for associated reductions in risk. Formal techniques, such as a Layer of Protection Analysis (LOPA), have been developed to enable a systematic appraisal of existing protection layers and to quantify the risk reductions that they confer. The protection layers that are typically considered in a LOPA are shown in Figure 1 left.
After existing protection layers have been taken into account, further reductions in risk may be achieved through the implementation of safety instrumented systems. IEC 61508:2010 and related functional safety standards have been designed specifically to ensure that such systems (and component devices) are both engineered and managed correctly throughout their full lifecycle. Compliance with the standards ensures that the level of risk reduction claimed for a safety instrumented system is actually realised in practice.
Functional safety and safety instrumented systems
Industry practitioners variously refer to the combination of a sensor, logic controller and final element (possibly an actuated valve, or a motor starter) as a safety instrumented system, an instrumented safety system, a safety integrity level (SIL) loop, an automated protection system or a safety-related system. For the remainder of this paper, we will continue to use the term “safety instrumented system”, or “SIS”.
The IEC 61508:2010 standard defines functional safety as “part of the overall safety relating to the process and its process control system that depends on the correct functioning of safety instrumented systems and other risk reduction measures”. The emphasis is on the “correct functioning of a safety instrumented system” - once credit has been taken for other risk reduction measures. (See Figure 2 below).
In order to achieve functional safety, a safety instrumented system must work as designed, and with a high probability of success. Put another way, functional safety means that, once all existing protection layers have been accounted for, the additional risk reduction factor required from the SIS is actually realised.
Figure 2: SIS and other protection layers
Functional safety is thus the primary objective in specifying, designing, installing and maintaining an SIS. To achieve an acceptable level of functional safety, both the engineering and management of the SIS must comply with the standards throughout its lifecycle.
It is also important to emphasise that compliance with IEC 61508:2010 and related standards is only required if the claimed risk reduction of an SIS is equal to or greater than a factor of 10. Indeed, the standards are based on the concept of order of magnitude reductions in risk claimed for safety instrumented systems. Each order of magnitude reduction is referred to as a “safety integrity level” or “SIL”. Functional safety standards require increasingly stringent engineering and management processes as SIL levels increase.
So SIL 1 reduces risk by a factor of 10, SIL 2 by 100, SIL 3 by 1,000 and SIL 4 by 10,000.
Safety instrumented systems are not process control systems
Safety instrumented systems are distinct from process control systems. They are designed to provide a “final protection layer” to prevent harm to people or the environment in the event of the occurrence of a hazardous event. A safety instrumented system is distinct from a process control system in that it is required to operate with a high and predictable probability of success at infrequent intervals. In contrast, process control systems are designed to operate continually in order to keep process variables within pre-defined ranges.
Safety instrumented systems sit “on top” of the process plant and its associated process control system, only coming into action when they are required to do so in response to a hazardous event in order to prevent an accident occurring. The intermittent nature of demands placed on safety instrumented systems requires that they are maintained and undergo testing at regular intervals. This is a key feature of the requirements of the standards. Safety instrumented systems must work as intended when they are needed – with a high probability of success. Functional safety standards provide a framework for quantifying, and justifying, the probability that an SIS will work as intended when required.
As discussed earlier, process control systems may also provide a protection layer for the prevention of harm. However, they may not be used as a SIS and the risk reduction factor claimed must not exceed 10.
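A worked LOPA-style calculation, added here as an example (it is not from the article or from BPE): it takes credit for the existing protection layers, caps the process control system at a risk reduction factor of 10, derives the risk reduction the SIS must still provide, and maps that factor onto a SIL using the factor-of-10 bands described above. The layer PFDs, event frequencies and scenario are constructed values, and the band boundaries are assumed to be lower-inclusive as in IEC 61508 low-demand mode.

```python
from dataclasses import dataclass

MAX_BPCS_RRF = 10.0   # credit for a process control system is capped at a factor of 10
# SIL bands as orders of magnitude of risk reduction, [low, high) per IEC 61508 low demand.
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1e3), (3, 1e3, 1e4), (4, 1e4, 1e5))

@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float                        # probability of failure on demand, 0 < pfd <= 1
    is_process_control: bool = False  # True for BPCS alarms/interlocks (capped credit)

def effective_pfd(layer: ProtectionLayer) -> float:
    """PFD credited in the LOPA once the process-control cap is applied."""
    if not 0.0 < layer.pfd <= 1.0:
        raise ValueError(f"{layer.name}: PFD must be in (0, 1], got {layer.pfd}")
    if layer.is_process_control:
        return max(layer.pfd, 1.0 / MAX_BPCS_RRF)   # never better than RRF 10
    return layer.pfd

def mitigated_frequency(initiating_freq: float, layers) -> float:
    """Event frequency (per year) after credit for every existing layer."""
    freq = initiating_freq
    for layer in layers:                 # each independent layer scales the frequency
        freq *= effective_pfd(layer)
    return freq

def required_rrf(initiating_freq: float, layers, tolerable_freq: float) -> float:
    """Risk reduction factor the SIS must add to reach the tolerable frequency."""
    rrf = mitigated_frequency(initiating_freq, layers) / tolerable_freq
    return round(rrf, 6)                 # avoid float noise at band boundaries

def sil_for_rrf(rrf: float) -> int:
    """0: gap below a factor of 10, so no SIS is needed and the standards do not apply."""
    if rrf < 10.0:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= rrf < high:
            return sil
    raise ValueError(f"RRF {rrf:g} exceeds SIL 4; reduce risk in the design, not the SIS")

# Constructed scenario (not from the article): runaway reaction on loss of cooling,
# 1 initiating event per year; tolerable frequency of the consequence 1e-6 per year.
LAYERS = (ProtectionLayer("BPCS high-temperature trip", 0.001, is_process_control=True),
          ProtectionLayer("Relief valve with vent treatment", 0.01),
          ProtectionLayer("Bund limiting spill spread", 0.5))

if __name__ == "__main__":
    rrf = required_rrf(1.0, LAYERS, 1e-6)   # BPCS capped to 0.1: 1 * 0.1 * 0.01 * 0.5 / 1e-6
    print(f"SIS must provide RRF {rrf:g} -> SIL {sil_for_rrf(rrf)}")   # RRF 500 -> SIL 2
```

Running the same scenario with the BPCS credit left uncapped (PFD 0.001 taken at face value) would put the required factor at 5, below the threshold at which an SIS and the standards apply, which is exactly the over-claim the cap exists to prevent.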
Figure 3: The safety lifecycle (IEC 61511:2003)
The safety lifecycle
A key feature of functional safety standards is the concept of a safety lifecycle for safety instrumented systems. (See Figure 3 left).
The concept of the safety lifecycle came about following numerous studies of SIS failures that resulted in accidents. One authoritative study by the HSE* showed that poor specification of the SIS was the root cause of 44% of failures experienced by such systems. A further 21% were caused by changes after commissioning. (See Figure 4 below).
*Out of Control: Why control systems go wrong and how to prevent failure; Sheffield (UK) Health & Safety Executive, 1995.
The concept of the safety lifecycle therefore addresses both engineering and management issues relating to safety instrumented systems. Management of the SIS safety lifecycle is crucial in order to ensure that safety instrumented systems are not only designed and installed where needed, but also that they achieve the required levels of functional safety over the entire safety lifecycle from specification to decommissioning.
Management activities and functional safety
Most managers will understand and be familiar with engineering aspects of functional safety. Terms such as “HAZOP”, “Commissioning Plan” and even “FMEDA” and “LOPA” are part and parcel of the language of modern process plant design and operations. How many managers, however, are familiar with the management activities that are also required in order to achieve functional safety?
Figure 4: Root cause of SIS failures
Functional safety management activities are an absolute requirement for compliance with the standards. They must be applied in full at all stages of the SIS safety lifecycle and across the SIS supply chain. They touch every person, every company and every activity associated with the implementation of a SIS.
Functional safety management activities are described in one of the few prescriptive parts of the standards: IEC 61508:2010 Part 1, Section 6. Although only three pages in length, this section seems to cause a great deal of consternation.
Examples of management activities that are required in order to ensure functional safety include:
• enunciation of a comprehensive policy and strategy for achieving functional safety;
• clear allocation of responsibilities to responsible persons;
• ensuring and managing the competency of responsible persons;
• appropriate management of communications;
• appropriate management of suppliers;
• appropriate follow up and resolution of recommendations;
• hazardous incident reporting and analysis; and
• appropriate management of documentation.
Figure 5: Compliance requires consideration of both safety lifecycle and supply chain
Beware “hidden” safety instrumented systems
The ultimate responsibility for compliance with functional safety standards lies with the end user – the entity that owns and relies upon the safety instrumented system. The end user must not only ensure that safety instrumented systems are operated in compliance with functional safety standards, but that they are correctly specified, designed and installed prior to operation. This demands a holistic view incorporating not only the safety lifecycle of such systems but also stringent management of the supply chain involved in the creation of such systems. (See Figure 5 left).
Safety instrumented systems can find their way into a process plant without the end user even being aware of it. End users should beware of safety instrumented systems that come with packaged equipment such as mills, centrifuges, inertion systems, boilers, burners, vacuum pumps or nitrogen generators. How many of these come with level transmitters, temperature transmitters or oxygen analysers? What is the SIS protecting against, and what would the consequences be should the SIS fail when needed?
Safety instrumented systems may also appear on a site unannounced as part of an ATEX compliant equipment package. ATEX equipment suppliers may use temperature transmitters to ensure that the surface temperature of pump casings or bearings, for example, does not exceed the stated threshold temperature required for the particular ATEX certification. The equipment supplier is responsible for ensuring their equipment is suitable for the specified ATEX area classification, but it is the end user that assumes responsibility for ensuring that any safety instrumented systems are fit for purpose, actually have the required performance characteristics and are maintained and managed correctly - and it is the end user that is liable if they fail to do so.
Finding the right solution
Functional safety standards are here to stay, and demonstration of compliance with the standards will continue to be essential in order to demonstrate “best practice” in process plant safety. End users understand this, but frequently lack the knowledge and resources required to ensure that their operations comply. Non-compliance not only incurs the risk of falling foul of safety regulators, but also represents a lost opportunity to implement a cutting-edge approach to the management of safety.
Requirements for compliance with functional safety standards vary depending on the relevant safety lifecycle stage(s) and also the position that a company occupies in the supply chain. A well-designed functional safety management system specifies the requirements for compliance based on these principles.
Many companies have taken measures to comply with functional safety standards; however, all too often a lack of understanding of what is required (or not required) frustrates these efforts. Managers should ask themselves whether they are certain that compliance is (or is not) required. If compliance is required, is it actually being achieved - and how can this be demonstrated? Relying on an incomplete understanding of functional safety standards is no longer an acceptable option.
About the author
Peter Stabler BSc (Hons), PhD is an associate consultant at process engineering firm BPE. His career spans nearly 30 years in the process development industry. During that time he has led on national and international projects for the likes of Unilever and James Finlay Ltd. He specialises in the fine chemicals, pharmaceutical and food industries.