Ian Curtis, safety consultant for Siemens Industry Automation, advocates a ‘back to basics’ approach to ensure effective functional safety and says modern safety system tools can help reduce complexity, deliver value and drive risk reduction when implementing a Safety Instrumented System (SIS).

Things are getting ever more complex in the world of functional safety. Increasingly powerful programmable safety systems, the trend toward integration between control and safety, cyber security concerns and the increased use of Commercial Off The Shelf (COTS) technologies within safety systems are all contributing factors which ramp up the complexity factor.

The functional safety world has, despite its understandably conservative approach, changed considerably in recent years as it hangs on to the coat-tails of technological advancement. However, the need to keep things as uncomplicated as possible from a human perspective is still very important. Even though programmable safety systems are much more capable and powerful than they once were, the extra power and flexibility they bring needs to be controlled so that the SIS is easy to understand and straightforward to apply throughout all stages of the safety lifecycle.

To help tame the complexity and thus ensure functional safety technology contributes effectively to risk reduction, it is important to take a holistic approach. Effective use of existing and new standards and a structured approach to safety system implementation through effective functional safety management are part of the answer, but also important is the use of new technologies and tools which help simplify aspects of the safety lifecycle.

Standards show the way

When it comes to achieving best practice the accepted route is to follow the appropriate standards. The standards in question fall into distinct categories: application specific, sector specific or general. For certain applications, such as Burner Management Systems (BMS), one would typically follow an application standard, whereas for more generic safety instrumented systems, such as an ESD system for a process plant, one would follow the process sector specific standard IEC61511. In the unlikely event that neither is applicable (i.e. when using a fully variable programming language) one would typically revert to using the basis standard for functional safety, IEC61508.

Historically many of the application oriented standards take a prescriptive approach whilst the newer standards, such as IEC61508 & IEC61511, promote a more performance-based approach. In an effort to get the best of both worlds there are recent guidance documents and standards advocating a combination of both approaches.

Application standards typically describe, in detail, what must be done to implement the SIS whilst performance-based standards seek to ensure that the SIS will “perform” when there is a demand placed upon it, so, by using a combined approach, the standards not only describe “what to do” but also “how well to do it”.

Recent technical reports from the ISA such as “Guidance on the Identification of Safety Instrumented Functions (SIFs) in Burner Management Systems (BMS)” (ISA-TR84.00.05-2009) help show how this combined approach can work in practice.

Also, recent guidance on Fire and Gas systems such as ‘Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System Effectiveness’ (ISA-TR84.00.07-2010) follows a safety lifecycle similar to that of IEC61511, again marking a coming together of performance based and prescriptive approaches.

Of course identifying the right standard or combination of standards to use is just the beginning. They have to be followed and this is not always easy. Performance based standards are often open to interpretation, and there will be areas of the standards which may be unclear on first reading, but help is at hand as there are various guides to implementing IEC61511 (“EEMUA Pub 222 Guide to the application of IEC61511 to Safety Instrumented Systems” is one such) and these provide useful clarification and sample documentation. Guides such as this are very useful in helping to interpret the standard as they effectively capture the experience of a wide range of practitioners and distil it into the form of usable advice. In a similar vein, the IEC61508 association provides role-based guidance in its toolbox talks and specific guidance on key issues such as legacy systems from its website.

Functional safety management is key

The standards seek to address random hardware failures and systematic errors by having competent people develop, implement, operate and maintain a sound technical solution using good processes throughout.

The latest version of the standard, IEC61508 Ed.2 (2010), significantly increases the emphasis on functional safety management and makes competence a normative requirement. In essence companies must ensure that those involved in the safety lifecycle are competent to perform the activities required of them, and that they perform those duties following work processes that are in accordance with the requirements of the standard and provide documented evidence to demonstrate this.

If using sub-suppliers then it is incumbent on a company to ensure they too address issues of competence and functional safety management (FSM). A “joined up” approach between organisations is required to ensure nothing falls through the cracks. Roles & responsibilities need to be assigned and documented in a project safety plan.

Solid foundations

As the name implies, a Safety Instrumented System comprises everything from sensor, through logic solver, to actuator. All the elements of the chain are important and the chain is only ever as strong as its weakest link.

IEC61511-1 requires that equipment should be assessed for conformance with IEC 61508 or should meet the “prior use” requirements.

The standards don’t make third party certification or conformity assessment of systems compulsory; however, the associated guidance documents point out the benefits of such an approach in increasing confidence and reducing the activities required to assure suitability for any given application.

The alternative “prior use” route has proved quite challenging to date, with relatively few organisations having sufficiently good reliability data to underpin a “prior use” justification. In general this requires greater effort to meet the requirements for evidence of suitability.

In practice the path most trodden is to use systems and subsystems from reputable vendors with a proven track record which have been conformity assessed in accordance with IEC61508 by equally reputable independent organisations. Whilst this is arguably the easiest route, it is still important to check the reports which accompany such certification activities to ensure that any conditions assumed when making the assessment also match the intended application.

Sometimes technological advancements, such as more effective distribution of control and safety, can bring benefits in terms of making systems simpler to implement. As an example of this, the ability to combine both failsafe and standard I/O in the same I/O subsystems in a Zone 1 hazardous area, with failsafe communication back to the process and safety controllers, can bring many benefits, but importantly helps to reduce complexity by incorporating the I.S. barriers into the equipment, enhancing diagnostics and significantly simplifying the SIL verification activity.

Keeping it simple with safety lifecycle tools

The standards place significant emphasis on a safety lifecycle approach and this has prompted a move towards more use of safety lifecycle tools. The traditional Cause & Effect Matrix (CEM) approach for documenting and defining safety logic is well established, but a move toward encompassing other aspects of the lifecycle has taken it beyond simply being a specification tool during the analysis phase. The newer breed of safety lifecycle tools are not just planning tools that allow an engineer to document the CEM logic required for a SIS in a form that will be familiar to them; they can now subsequently automate the creation of the logic for the SIS and allow testing and commissioning using the same CEM format for engineering, testing and visualisation. This approach can significantly reduce the engineering time as well as the possibility of human error and misinterpretation, thus significantly reducing systematic errors. The enhanced functionality of such tools can also embed the mechanisms for implementing overrides and bypasses in a carefully controlled manner without this needing to be custom engineered within the code. Essentially, these tools tame the extra power and capability of state-of-the-art programmable safety PLCs, and keep the logic in a form that everyone, from the process engineer right through to the regulatory authorities, can understand.

Software development typically follows a “V” model approach – and this is also advocated by IEC61508 for SIS software. At various levels within the “V” there are requirements for test plans, verification activities and ultimately validation. The closer the code is to the original design document, the easier all of these activities become, so the use of a Cause and Effect matrix can bring significant benefits in terms of streamlining the software development activity.

By automating the creation of the operator graphics for the SIS logic these tools also make a significant contribution to the latter stages of the safety lifecycle and help to close the loop by supporting change management of the SIS code. In another exciting development these CEM tools are also able to generate the Cause & Effect diagrams from the SIF models contained in a typical SIL verification tool.
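The three ideas in the preceding paragraphs (the CEM as the single specification, logic generated from it rather than hand-coded, and the V-model verification tests derived from the same matrix) can be shown in a few dozen lines. The following is an added example written for this article, not code from Siemens or from any commercial CEM tool: the matrix, tag names, voting groups and bypass rules are all constructed and hypothetical. It derives the trip logic from the matrix, generates one functional test per CEM row (plus a below-vote case for voted groups), checks the generated logic against those tests, and implements a controlled maintenance bypass that refuses requests without a permissive key switch, limits concurrent bypasses, and never bypasses the manual ESD push-button.

```python
"""Minimal Cause & Effect Matrix (CEM) engine.

Constructed example (not a real plant): rows are causes (trip initiators,
optionally voted n-out-of-m), columns are effects (final elements). An "X"
in a cell means that cause trips that effect. Everything below is derived
from that one table: the executable trip logic, the bypass rules, and the
test cases used to verify the logic against the specification.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    tag: str                 # row label in the CEM
    inputs: tuple            # sensor tags that vote for this cause
    vote: int = 1            # n-out-of-m: inputs that must be tripped
    bypassable: bool = True  # manual ESD initiators are never bypassable


# Hypothetical tags; the matrix is the specification everything else derives from.
CAUSES = (
    Cause("PT-100-HH", ("PT-100A", "PT-100B", "PT-100C"), vote=2),   # 2oo3 high-high pressure
    Cause("TT-200-HH", ("TT-200",)),                                 # 1oo1 high-high temperature
    Cause("ESD-PB-1", ("ESD-PB-1",), bypassable=False),             # manual ESD push-button
)
EFFECTS = ("XV-100-CLOSE", "XV-101-CLOSE", "P-300-STOP")
MATRIX = {                 # XV-100  XV-101  P-300
    "PT-100-HH": ("X", "X", ""),
    "TT-200-HH": ("", "", "X"),
    "ESD-PB-1": ("X", "X", "X"),
}


def cause_active(cause, sensor_trips):
    """sensor_trips maps sensor tag -> True when that input is in the trip state."""
    tripped = sum(1 for s in cause.inputs if sensor_trips.get(s, False))
    return tripped >= cause.vote


def evaluate(sensor_trips, bypassed=frozenset()):
    """Generated trip logic: an effect trips if any non-bypassed cause marked X is active."""
    return {
        effect: any(
            MATRIX[c.tag][j] == "X" and c.tag not in bypassed and cause_active(c, sensor_trips)
            for c in CAUSES
        )
        for j, effect in enumerate(EFFECTS)
    }


class BypassRegister:
    """Controlled maintenance bypass: key switch required, limited concurrency,
    non-bypassable causes always refused, every decision logged."""

    def __init__(self, max_active=1):
        self.max_active = max_active
        self.active = set()
        self.log = []

    def request(self, cause_tag, key_switch_on):
        cause = next((c for c in CAUSES if c.tag == cause_tag), None)
        ok = (cause is not None and cause.bypassable and key_switch_on
              and len(self.active) < self.max_active)
        self.log.append((cause_tag, "GRANTED" if ok else "REFUSED"))
        if ok:
            self.active.add(cause_tag)
        return ok

    def release(self, cause_tag):
        self.active.discard(cause_tag)
        self.log.append((cause_tag, "RELEASED"))


def consistency_issues():
    """Static checks on the matrix: every cause trips something, every effect has a cause."""
    issues = [f"cause {c.tag} trips nothing" for c in CAUSES if "X" not in MATRIX[c.tag]]
    for j, e in enumerate(EFFECTS):
        if not any(MATRIX[c.tag][j] == "X" for c in CAUSES):
            issues.append(f"effect {e} has no cause")
    return issues


def derive_test_cases():
    """Test plan derived from the specification: one case per CEM row that trips just
    enough inputs to satisfy the vote and expects exactly the effects marked X, plus a
    below-vote case for each voted group that must trip nothing."""
    cases = []
    for c in CAUSES:
        stimulus = {s: True for s in c.inputs[:c.vote]}
        expected = {e: MATRIX[c.tag][j] == "X" for j, e in enumerate(EFFECTS)}
        cases.append((c.tag, stimulus, expected))
        if c.vote > 1:
            stimulus = {s: True for s in c.inputs[:c.vote - 1]}
            cases.append((f"{c.tag}-below-vote", stimulus, {e: False for e in EFFECTS}))
    return cases


def verify():
    """Run the derived tests against the generated logic; return the failures (empty = pass)."""
    return [(name, expected, evaluate(stimulus))
            for name, stimulus, expected in derive_test_cases()
            if evaluate(stimulus) != expected]


if __name__ == "__main__":
    print("consistency:", consistency_issues() or "ok")
    print("verification failures:", verify() or "none")
    reg = BypassRegister()
    print("bypass PT-100-HH without key:", reg.request("PT-100-HH", key_switch_on=False))
    print("bypass PT-100-HH with key:", reg.request("PT-100-HH", key_switch_on=True))
    print("bypass ESD-PB-1 with key:", reg.request("ESD-PB-1", key_switch_on=True))
    print(evaluate({"PT-100A": True, "PT-100B": True}, bypassed=frozenset(reg.active)))
```

Because `evaluate`, `derive_test_cases` and the operator-facing bypass register all read the same `MATRIX`, a change to one cell changes the logic, the test plan and the graphics together, which is the change-management benefit the paragraph above describes; the below-vote case and the refused bypass log entries are the parts a reviewer would ask to see evidence of during verification.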

By getting the basics right and building on a sound foundation of effective functional safety management and competence, modern safety system tools can help reduce complexity, deliver value and ultimately help achieve the target risk reduction for safety instrumented systems both when commissioned and throughout operation.

www.siemens.co.uk