
Reducing human error in safety systems

Mark Hodgins

Mark Hodgins, Product Marketing Manager – Level for Endress+Hauser Ltd, discusses how to avoid operator error in safety instrumented systems.

Control of human failures throughout the life cycle of a safety instrumented system is vital if a safety function is to operate correctly when required. Since the introduction of modern electronic instrumentation there have been steady improvements in the hardware, and human factors are now likely to be the dominant cause of system failures. Commissioning, maintenance and proof testing are the times when direct human interaction with a safety system occurs, and consequently they introduce the possibility of errors that have a negative impact on safety.

Breaking a safety instrumented function (SIF) down into the standard three elements of sensor, logic and actuator, it is apparent that human errors are most likely to be introduced through incorrect handling of the sensor. Errors relating to the actuator will be revealed during testing, and the logic’s complex programming is supported by detailed design and rigorous management of change (MOC) procedures. The sensor, on the other hand, can have complex parametrisation, and commissioning and testing procedures are often poorly defined. In addition, changes made during the system’s life cycle are often not subject to sufficient MOC procedures.

For the SIF to meet its target level of risk reduction, the probability of failure on demand (PFD) of each element must be known. Typically the manufacturer’s data is used to calculate whether the SIF meets the required level, but this data is only valid if the device is used, commissioned, tested and maintained in accordance with the functional safety manual. By the strictest definition, any deviation from the functional safety manual invalidates the manufacturer’s failure rate data; the failure rates are then unknown, the PFD calculation is invalid, and it is no longer possible to demonstrate that the target SIL of the system is met. For complex devices such as radar level transmitters, the sheer number of parameters that could potentially be adjusted makes this a difficult task to manage.


Dependable software

Looking specifically at the sensing element of the SIF and considering modern programmable smart instrumentation, there are several potential issues that need to be considered throughout the whole life cycle. Software tools are used for commissioning, adjustment and proof testing, and consideration should be given to how these tools interact with the device and how they are used by the operator. To reduce errors that could impact safety performance, a good software tool should:

  • Give clear instructions, ideally with the aid of graphical representations to ensure the operator understands the parameters being set.
  • Follow a clear logical sequence so that all safety relevant parameters are set.
  • Not overload the operator with too many parameters, keeping the task simple.
  • Prevent the setting of parameters that would potentially compromise safety performance.
  • Ensure that proof tests are carried out correctly and completely.
  • Ensure that the user is prompted to lock the device after completion of any sequence.
  • Generate records of the ‘as left’ state.

Breaking the tasks into separate activities such as commissioning, SIL confirmation and proof testing ensures that the work remains focused and the operator is not overwhelmed with information and options. Using an Endress+Hauser radar level transmitter and DeviceCare software as an example, there are separate software wizards available for each of these tasks.

Simple and safe commissioning

The first stage after installation of the radar level transmitter would be to carry out basic commissioning. Here the commissioning wizards would be used. The wizard guides the operator through the common steps required to commission the radar level transmitter. The use of the wizard ensures:

  • All settings important to a basic set-up are covered.
  • Clear instruction is given on each setting.
  • A defined end point is clearly given when the device is commissioned.
  • A prompt to generate a record of the commissioning settings is given.

After the completion of commissioning using the wizard, the operator can be confident that the radar transmitter will perform as intended. This may not be the case if the operator is left to enter individual parameters based only on what they perceive to be correct and relevant.

If our example radar is in a SIL-rated SIF, the next activity would be to employ the SIL confirmation wizard. Once started, the wizard confirms whether the settings are in accordance with the functional safety manual. For the radar device in our example, the wizard has two modes depending on the settings in the transmitter. For simple applications, ‘increased safety’ mode is used and a simpler proof test can be employed (i.e. it is not necessary to raise or lower the level through the trip point). For more demanding applications, some safety-relevant parameters can be changed from their standard settings, and here ‘expert’ mode is employed. If the parameters entered put the wizard into expert mode, it will specify that a full test involving changing the level is performed. At the end of the sequence a prompt is given to generate a time-stamped PDF record of the activity carrying the operator’s name. The user can be confident that:

  • All safety relevant parameters have been checked.
  • Settings that deviate from the functional safety manual have been excluded.
  • An adequate parameter-dependent test based on the functional safety manual has been performed.
  • Records showing that the activity has been performed correctly have been generated.

Proof testing

For a proof test to be valid it must uncover a known proportion of the dangerous undetected failures, in other words the failures not detected by the transmitter’s own diagnostics. The functional safety manual gives example proof tests and states the coverage of each test. These tests should be seen as the minimum requirement, because if the steps in these tests are not completed then the coverage of any other test is unknown. Again, the wizard guides the operator through the test, ensuring all steps are completed and that a time-stamped PDF record of the test is generated.

Crucially, the software will not generate the proof test record until the transmitter is SIL locked again after the proof test. This is important as experience shows that locking of transmitters after proof testing is often neglected; in the operator’s mind the task is complete once the test has passed. It should be remembered that locking of SIL devices against unauthorised modification is a requirement of IEC 61508. What is often not realised is that with some modern smart instrumentation the SIL locking itself will change the diagnostics running in the device. If a transmitter is not SIL locked, it is not in compliance with the functional safety manual and all SIL data is invalid.
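The SIL confirmation and proof-test sequence described above, as an added worked example in Python; this is not Endress+Hauser's DeviceCare code. The parameter names, limits, proof-test steps and the instrument tag are constructed stand-ins for a functional safety manual, not values from any real manual. What it shows is the set of checks the wizard enforces: every safety-relevant parameter is compared with the manual, the proof-test mode follows from the parameters rather than from the operator's choice, a record is refused while any step of the sequence is missing, and the record is refused until the device is SIL locked again.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed limits standing in for a functional safety manual (not real
# values). Each safety-relevant parameter has a tight range that keeps the
# device in "increased safety" mode and a wider range that is still covered
# by the manual but requires "expert" mode; outside the expert range the
# setting is not covered at all and the failure-rate data no longer applies.
SAFETY_MANUAL = {
    "damping_s":           {"increased_safety": (0.0, 10.0), "expert": (0.0, 60.0)},
    "blocking_distance_m": {"increased_safety": (0.0, 0.5),  "expert": (0.0, 5.0)},
}

# Constructed proof-test sequences: the expert sequence drives the level
# through the trip point in both directions, the increased-safety one does not.
PROOF_TEST_STEPS = {
    "increased_safety": ("visual_inspection", "output_current_check", "alarm_simulation"),
    "expert": ("visual_inspection", "output_current_check",
               "raise_level_through_trip", "lower_level_through_trip"),
}


@dataclass
class Transmitter:
    tag: str            # hypothetical instrument tag
    params: dict        # safety-relevant parameters as currently set
    sil_locked: bool = False


class WizardError(Exception):
    """Raised when the wizard refuses to continue."""


def sil_confirmation(device: Transmitter) -> str:
    """Compare every safety-relevant parameter with the manual and return the
    proof-test mode the settings require. Raises if any parameter is missing
    or lies outside the range the manual covers."""
    mode = "increased_safety"
    violations = []
    for name, limits in SAFETY_MANUAL.items():
        if name not in device.params:
            violations.append(f"{name}: not set")
            continue
        value = device.params[name]
        lo, hi = limits["expert"]
        if not lo <= value <= hi:
            violations.append(f"{name}={value} outside manual range {lo}..{hi}")
            continue
        lo, hi = limits["increased_safety"]
        if not lo <= value <= hi:
            mode = "expert"         # covered by the manual, but needs the full test
    if violations:
        raise WizardError("settings deviate from the functional safety manual: "
                          + "; ".join(violations))
    return mode


def proof_test_record(device: Transmitter, mode: str, completed_steps, operator: str) -> dict:
    """Produce the 'as left' proof-test record. Refuses while any step of the
    mode's sequence is missing, and refuses until the device is SIL locked
    again, so an unlocked transmitter cannot be signed off as tested."""
    missing = [s for s in PROOF_TEST_STEPS[mode] if s not in completed_steps]
    if missing:
        raise WizardError("proof test incomplete, missing: " + ", ".join(missing))
    if not device.sil_locked:
        raise WizardError("SIL lock the device before the record can be generated")
    return {
        "tag": device.tag,
        "mode": mode,
        "steps": list(PROOF_TEST_STEPS[mode]),
        "parameters": dict(device.params),
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # Constructed device: a damping of 30 s is inside the expert range only.
    lt = Transmitter("LT-101", {"damping_s": 30.0, "blocking_distance_m": 0.3})
    mode = sil_confirmation(lt)                      # -> "expert"
    skipped = PROOF_TEST_STEPS[mode][:-1]            # technician skips the last step
    for attempt in (skipped, PROOF_TEST_STEPS[mode]):
        try:
            print(proof_test_record(lt, mode, attempt, "A. Technician"))
        except WizardError as err:
            print("refused:", err)
    lt.sil_locked = True                             # only now does the record appear
    print(proof_test_record(lt, mode, PROOF_TEST_STEPS[mode], "A. Technician"))
```

The two refusals in the demonstration are the ones the article describes: the full-level test is required because a parameter sits outside the increased-safety range, and the record is withheld after a passed test until the lock is re-applied. A real tool would read the parameters and lock state from the device rather than from a dict, but the gating logic is the same.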

By adopting the use of such software tools, errors such as entering an incorrect value and violations such as cutting corners during a proof test can be controlled, increasing the confidence that a SIF will perform as planned.

The potential for human error during commissioning, maintenance and proof testing can be greatly reduced through the use of suitable software tools. Software that guides the technician and restricts them from making potentially dangerous errors, deviations or omissions in commissioning or testing both simplifies the task and reduces the risk of functional safety being compromised.

As well as being a leading manufacturer of instrumentation for safety systems, Endress+Hauser offers services and solutions to optimise your processes in terms of reliability, safety and economic efficiency. For practical guidance on assessing the useful lifetime of SIL instruments and developing a functional safety management plan, visit www.smarter-decisions.co.uk.
