Pills of Functional Safety – Part I

By Francesco Paolo Nigri and Danilo Sallustio

Introduction

The process risk is the combination of the probability of occurrence of an unwanted event and its expected consequences. Depending on how the process is structured and on the hazardous substances involved, in particular those in the gaseous state, industrial plants can pose a high level of risk to people and the environment. In this case we refer to the SEVESO directive, which focuses on plants characterised by a major risk.

The process is assumed to be safe if the corresponding risk is reduced below an acceptable level. In other words, the risk associated with the operation of any process has to be mitigated to achieve an acceptable level of safety. Risk reduction is usually achieved step by step: if the tolerable risk level is not reached at once, further risk reduction measures have to be adopted immediately. Each measure corresponds to a layer that carries out one of the following functions:

  • basic process control,
  • monitoring or alarm,
  • safety.

The technical standards

Safety measures consist of automatic systems able to activate safety functions. If an acceptable level of safety cannot be achieved at once by basic process control systems and alarm systems, the IEC 61508, “Functional Safety of Electrical, Electronic and Programmable Electronic Systems”, strongly recommends safety barriers known as Safety Instrumented Systems (SIS). These systems often allow a residual risk level lower than the tolerable threshold.

The main purpose of the IEC 61508 is calculating the probability that a SIS fails when the process calls upon it to perform its safety function:

  • under specific conditions;
  • in a given time interval.

The IEC 61508 aims at developing electrical, electronic and programmable electronic systems able to perform their safety function with a given value of the Probability of Failure on Demand (PFD). The criteria of the IEC 61508 are applicable to many industrial sectors, such as:

  • the process industry,
  • the nuclear sector,
  • the transportation sector,
  • the “machinery” sector as defined by the “machine directive”.

The IEC 61508 formally deals with electrical, electronic and programmable electronic safety systems. The principles of the standard are so general that they can be used in the development of safety systems based on further technologies. Therefore, the IEC 61508 is important for those who manage all possible safety strategies to reduce the risk below an acceptable threshold. In order to provide a full view of the development of a SIS, the IEC 61508 introduces the “Safety Life Cycle”, that can be regarded as a guideline to achieve the safety integrity level required by any safety component of the SIS.

The IEC 61511 has recently become available to estimate the level of reliability required of any safety instrumented system (SIS) to reduce the process risk below an acceptable threshold. IEC 61511 is therefore the standard for the application of functional safety in the process industry.

Probability of Failure on Demand (PFD) and Safety Integrity Level (SIL)

Safety Instrumented Systems are electrical, electronic or programmable electronic systems (E/E/PE) whose technical standard, IEC 61508 or EN 61508, always requires full evidence of the Probability of Failure on Demand (PFD). A failure is any event capable of spoiling the ability of the system to carry out its safety function. The IEC 61508 relates the PFD to the reliability level of the safety system: the higher the reliability level, the lower the probability of its failure. Once the PFD of the safety system is known, the IEC 61508 makes it possible to estimate the safety integrity of the system, expressed as the Safety Integrity Level (SIL). The SIL has only four values.

  SIL   PFD
  1     0.01 < PFD ≤ 0.1
  2     0.001 < PFD ≤ 0.01
  3     0.0001 < PFD ≤ 0.001
  4     0.00001 < PFD ≤ 0.0001

Relation between PFD and SIL

Calculating the PFD is the main purpose of functional safety. The probability of failure of a safety system increases continuously with the operating time; in other words, as time passes the PFD of the safety system tends to unity. To counter this drift of the PFD towards unity over time, efforts are made to improve the reliability of the safety instrumented systems.

Figure: PFD versus time
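As an added example (not part of the article), the Python below encodes the SIL bands from the table above and shows, under an assumed constant dangerous-undetected failure rate (the exponential model is this example's assumption, not the article's), how the PFD drifts towards 1 with operating time and how the interval between proof tests bounds the average PFD and hence the SIL that can be claimed. The failure rate and test intervals are constructed values.

```python
import math

# SIL bands exactly as tabulated in the article: (lower, upper] on PFD.
SIL_BANDS = [
    (4, 0.00001, 0.0001),
    (3, 0.0001, 0.001),
    (2, 0.001, 0.01),
    (1, 0.01, 0.1),
]

def sil_from_pfd(pfd):
    """Return the SIL whose band contains pfd; None if PFD > 0.1 (no SIL
    can be claimed) or if it lies below the table's lowest bound."""
    for sil, lo, hi in SIL_BANDS:
        if lo < pfd <= hi:
            return sil
    return None

def pfd_at(lambda_du, t):
    """PFD at time t since the last proof test, assuming a constant
    dangerous-undetected failure rate lambda_du (exponential model, an
    assumption of this example): PFD(t) = 1 - exp(-lambda_du * t).
    The value grows monotonically towards 1, as the article describes."""
    return 1.0 - math.exp(-lambda_du * t)

def pfd_avg(lambda_du, proof_test_interval):
    """Time-average of pfd_at over a proof-test interval T, assuming each
    proof test restores the system to as-good-as-new. Exact integral:
    1 - (1 - exp(-lambda*T)) / (lambda*T), close to lambda*T/2 when lambda*T is small."""
    x = lambda_du * proof_test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x

def max_proof_test_interval(lambda_du, target_sil):
    """Longest proof-test interval (same time unit as 1/lambda_du) that keeps
    pfd_avg inside the target SIL band. Uses the conservative bound
    pfd_avg <= lambda*T/2, so T = 2 * upper_bound / lambda."""
    upper = {sil: hi for sil, _, hi in SIL_BANDS}[target_sil]
    return 2.0 * upper / lambda_du

if __name__ == "__main__":
    # Constructed values: lambda_du = 1e-6 dangerous undetected failures per hour,
    # proof tests every 1 year (8760 h) versus every 10 years (87600 h).
    lam = 1e-6
    for T in (8760, 87600):
        avg = pfd_avg(lam, T)
        print(f"T={T:6d} h  PFD_avg={avg:.5f}  SIL {sil_from_pfd(avg)}")
    print(f"Max interval for SIL 2: {max_proof_test_interval(lam, 2):.0f} h")
```

With the constructed rate, yearly proof testing keeps the average PFD in the SIL 2 band, while testing only every ten years lets it drift into SIL 1.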

Risk Graph

A first calculation of the Required SIL is made possible by the Risk Graph, which proves to be sufficiently reliable if the analysis is carried out by people who are familiar with the specific conditions of the process. The Risk Graph proposes four different categories of consequences, ranging from minor damage to catastrophic consequences. Furthermore, it does not rely only on the probability of occurrence of the unwanted event, since it introduces two further factors:

  • the frequency of exposure of people to danger,
  • the likelihood of avoiding the hazard.

Figure: Risk Graph

Let's explain the meaning of “a” and “b”:

  • a: a safety system with SIL 1 is not necessary because it is possible to reach an acceptable risk threshold by ordinary process control and alarm systems;
  • b: a safety system with SIL 4 is not enough in consideration of the very high value of the inherent risk of the process.

Failures

No system is free from failures and safety instrumented systems are not an exception to the rule. We can basically distinguish three types of failures:

  • early failures;
  • random failures;
  • wear out failures.

Early failures are due to design errors that already exist when the safety components are placed on the market. Typical examples are software errors, defects due to inadequate production techniques, or electrical and electronic components operating outside their design specifications. Early failures always manifest in the same way over time and are therefore considered systematic failures. The implementation of organisational measures in the development phase of the components and the adoption of quality-oriented procedures generally minimise early failures. They can be further reduced by simulating the operating conditions expected during actual operations.

Wear out failures are caused by the inevitable aging that determines a progressive loss of functionality of the safety components until their final failure. Wear out failures can be avoided by means of predictive maintenance techniques.

On the other hand, random failures are unavoidable events for all the components of a safety system. They are not present at the time of their placing on the market and can occur at any time during their operations, starting from commissioning.

The most effective ways to reduce random failures are:

  • keeping the probability of failure as low as possible (failure prevention),
  • detecting dangerous failures by activating internal diagnostic functions or carrying out manual proof tests (failure detection),
  • improving failure tolerance by redundancy, that is, duplicating the communication channels available to an instrumented system to carry out its safety function (failure tolerance).

The reduction of random failures therefore relies on the adoption of:

  • failure avoidance,
  • failure detection,
  • failure tolerance.

Part II is continued in our Nov/Dec edition

Francesco Paolo Nigri
INAIL, Direzione Regionale della Puglia