Functional safety (FS) is an important concept in the creation of complex systems such as petrochemical processes and manufacturing plants. It is defined by IEC standard 61508, and can involve a sophisticated process of analysis, design and verification. But it’s worth going through the ideas of FS as a way of looking at any sort of system where hazards may be present.
The International Electrotechnical Commission (IEC) describes functional safety as “the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event”, and gives the examples of smoke detectors activating a fire-suppression system, or a level switch in a tank of flammable liquid closing an inlet valve to prevent overflowing — these are known as safety functions (or ‘safety instrumented functions’ in the process sector).
Specifically, FS does not refer to passive safety, which might be represented by a fireproof door or the crumple zone of a car.
A key term in IEC 61508 is E/E/PE, which stands for electrical, electronic and programmable electronic systems: “You do get mechanical safety and shutdown systems, but strictly speaking they are outside the scope of IEC 61508,” says Simon Burwood, managing director of Engineering Safety Consultants Ltd, and an experienced functional safety engineer who is one of the UK members of the committee responsible for IEC 61511 (see sidebar).
“The standard can be split into two,” says Burwood: “One is specifying the level of integrity each safety function needs to meet, and the other is demonstrating that they each meet that level”. The standard accepts that you cannot eliminate risk altogether, but aims to reduce risks to a level that is as low as reasonably practicable. It also covers the need for a system to fail safe: “Making sure that if it does fail, it fails in the right manner”.
“Typically in a process plant you’ll have a distributed control system — its primary objective is not necessarily to shut down the plant when it’s not safe”. Rather, says Burwood, a separate, independent safety instrumented system (SIS) (or ‘safety-related system’) “will perform shutdown tasks to bring the plant to a safe state only when something else has gone wrong… when your basic process control system has failed. That would be through a logic solver, which takes the inputs from sensors to determine the response required. It is usually a safety PLC or a combination of safety relays.”
IEC 61508 is concerned with the entire life cycle of a system, and FS should be considered right at the beginning of the design process, says Burwood: “We might perform a hazard and risk assessment with our client to firstly identify the need for a SIS, then decide what integrity level they need for their identified safety functions. Then we can start to use that and other information to develop a safety requirement specification (SRS) — that’s a critical document required as part of 61508 compliance, to specify exactly how your safety functions are supposed to operate. This would include set points, integrity requirements, environmental conditions, et cetera. It’s a detailed record of what a systems integrator would need to design and implement the safety system.”
Within IEC 61508, safety integrity level (SIL) is a vital concept: “SIL represents the level of integrity that a safety function either needs to meet or has in fact met,” says Burwood (see box).
“Deciding on the level of integrity a safety function needs to meet is essentially done by risk assessment,” Burwood adds. But demonstrating that it meets that level requires data: “Ideally, you collect your own failure rate data on the devices in your plant, and calculate failure rates from that,” says Burwood - large companies like Shell and BP maintain their own databases of facilities worldwide, and ESC provides software to help firms collect and assess data - “but in reality most people will rely on manufacturers to provide data on critical equipment”. Off-the-shelf components such as valves and relays may be certified as suitable for use in, say, a SIL 3 safety function.
“There are also generic databases which will give a typical failure rate range,” adds Burwood. Organisations such as SilSafe and Technis (FARADIP.THREE) produce tables of upper- and lower-bound figures for components used in process industries. An ultrasonic level meter, for instance, may have a DU (dangerous undetected failure rate) of between 60 and 250 FITs (that is, failures per billion hours). Industry-specific databases exist, such as OREDA (offshore and onshore reliability data), set up in 1981 by the Norwegian oil and gas industry.
Because FS applies to programmable electronics such as PLCs, logic solvers and smart field devices, the software running on them is subject to assessment too: “You don’t quantify the performance of code,” says Burwood. “A software error is considered to be systematic, and we therefore address that by audit procedures and measures for the avoidance of systematic failures.”
He continues: “Once you’ve identified what level of integrity each function needs and demonstrated that each of your functions meet that level, you need to do a functional safety assessment (FSA)”.
The IEC describes the FSA as “the critical activity that ensures functional safety has actually been achieved. Those carrying out the functional safety assessment shall be competent, shall have adequate independence and shall… judge the extent to which the objectives and requirements of IEC 61508 have been met”.
“The FSA should be done several times in the system lifecycle,” says Burwood, but “the key is that it must be done prior to the introduction of hazards.
“Equally we might perform an FSA on the decommissioning of a safety function at the end of its life cycle.”
[Note that a Functional Safety Audit (FS Audit) is not the same as a Functional Safety Assessment (FSA): rather, it is a project quality management review of adherence to company FS procedures, akin to an ISO 9001 process.]
IEC 61508 does not demand certification, but it says you need a ‘competent person’ to undertake an FSA. “There is guidance available,” says Burwood, “and certification is a good way to do it; for example, our company’s functional safety management system is certified under the UKAS accredited CASS scheme by SIRA”, which is now under CSA Group.
The 61508 Association: www.61508.org
Engineering Safety Consultants Ltd: www.esc.uk.net
CSA Group/SIRA: www.csagroupuk.org
Box: FOCUS - SAFETY INTEGRITY LEVELS
The Safety Integrity Level (SIL) required for a particular safety function is determined by the frequency and severity of the hazard it protects against. Hazards that occur more frequently, or that have more severe consequences, call for a higher SIL.
SIL 1 is the lowest level and SIL 4 the highest. The SIL a safety function achieves depends on its average probability of dangerous failure on demand (PFDavg) for functions operating in low-demand mode, or on its average frequency of dangerous failure per hour (PFH) for high-demand and continuous mode functions; IEC 61508-1 defines a target band of PFDavg or PFH for each SIL.
SIL 4 requirements “are very rare,” says Simon Burwood: “You sometimes see them in the machinery and manufacturing sector, where you are working with high-demand or continuous mode safety functions; the critical difference is that if they fail, then the hazard will immediately present itself.”
On the other hand, “SIL 1s are common - a typical process plant might have 20 to 30 SIL 1 safety functions,” says Burwood. “If they fail it wouldn’t necessarily cause a hazard, but you might have lost the ability to bring the system to a safe state if you need to.
“The example we often use in training is that a high-demand or continuous system might be the brakes in your car; as soon as the brakes fail, a hazard presents itself. Whereas a low-demand system that is more typical in the process sector is like an airbag: if it fails, it’s not going to cause a crash, but if you DO have a crash, it’s not going to be available.”
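As an added worked example (not part of the article, and not Burwood’s or ESC’s software), the following Python carries out the low-demand sizing calculation the article describes: it takes a dangerous-undetected failure rate (λDU) in FITs of the kind a generic database supplies, applies the simplified 1oo1 and 1oo2 PFDavg equations of IEC 61508-6, adds up the subsystems of a loop, and maps the result onto the PFDavg and PFH target bands of IEC 61508-1. It also shows why proof testing does nothing for a high-demand function. The plant figures used (yearly proof test, a logic solver PFDavg of 1e-5, an inlet valve λDU of 500 FIT, a common-cause factor β of 0.1, and the function name `level_trip_loop`) are constructed assumptions for illustration, not data from the page or from any real safety requirement specification.

```python
"""Added example: sizing a low-demand safety function from failure-rate data.

Uses the simplified 1oo1 and 1oo2 PFDavg equations of IEC 61508-6 and the
SIL target bands of IEC 61508-1. All plant numbers below are constructed
assumptions for illustration, not values taken from the article or an SRS.
"""

HOURS_PER_YEAR = 8760.0


def fit_to_rate(fit: float) -> float:
    """Convert a failure rate in FITs (failures per 1e9 h) to failures per hour."""
    return fit * 1e-9


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float, mttr_h: float = 0.0) -> float:
    """Simplified IEC 61508-6 1oo1 equation: PFDavg ~= lambda_DU * (T1/2 + MTTR).

    A dangerous-undetected failure stays latent until the next proof test, so
    on average the channel is unavailable for half the interval T1.
    """
    return lambda_du * (proof_test_interval_h / 2.0 + mttr_h)


def pfd_avg_1oo2(lambda_du: float, proof_test_interval_h: float, beta: float) -> float:
    """Simplified IEC 61508-6 1oo2 equation with common-cause factor beta,
    diagnostics and repair ignored (lambda_DD = 0, MTTR = 0):
        PFDavg ~= ((1-beta)*lambda_DU)^2 * T1^2 / 3 + beta * lambda_DU * T1 / 2
    """
    t1 = proof_test_interval_h
    independent = ((1.0 - beta) * lambda_du) ** 2 * t1 ** 2 / 3.0
    common_cause = beta * lambda_du * t1 / 2.0
    return independent + common_cause


def pfh_1oo1(lambda_du: float) -> float:
    """High-demand/continuous mode: a 1oo1 channel's PFH is its lambda_DU.
    Proof testing does not help, because the hazard appears as soon as the
    function fails (the car-brake example in the text)."""
    return lambda_du


# IEC 61508-1 Table 2 (low demand, PFDavg) and Table 3 (high demand, PFH):
# (SIL, exclusive upper bound). The standard defines nothing better than
# SIL 4, so any value below the SIL 4 upper bound maps to 4.
_PFD_BANDS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))
_PFH_BANDS = ((4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5))


def _band(value: float, bands) -> int:
    for sil, upper in bands:
        if value < upper:
            return sil
    return 0  # does not meet even SIL 1


def sil_from_pfd(pfd_avg: float) -> int:
    return _band(pfd_avg, _PFD_BANDS)


def sil_from_pfh(pfh: float) -> int:
    return _band(pfh, _PFH_BANDS)


def loop_pfd_avg(subsystem_pfds) -> float:
    """Sensor, logic solver and final element are in series in a low-demand
    loop, so their PFDavg values add (small-probability approximation)."""
    return sum(subsystem_pfds)


def level_trip_loop(sensor_fit: float, redundant_sensors: bool = False,
                    proof_test_years: float = 1.0, beta: float = 0.1) -> dict:
    """High-level trip on a flammable-liquid tank (the article's example).
    Constructed assumptions: logic solver PFDavg 1e-5 (manufacturer figure),
    inlet valve lambda_DU 500 FIT, proof test interval in years as given.
    sensor_fit is the level meter's lambda_DU in FITs (the text quotes a
    generic-database range of 60 to 250 FIT).
    """
    t1 = proof_test_years * HOURS_PER_YEAR
    sensor_rate = fit_to_rate(sensor_fit)
    if redundant_sensors:
        sensor_pfd = pfd_avg_1oo2(sensor_rate, t1, beta)
    else:
        sensor_pfd = pfd_avg_1oo1(sensor_rate, t1)
    logic_pfd = 1e-5                                   # constructed
    valve_pfd = pfd_avg_1oo1(fit_to_rate(500.0), t1)   # constructed
    total = loop_pfd_avg([sensor_pfd, logic_pfd, valve_pfd])
    return {"sensor_pfd": sensor_pfd, "valve_pfd": valve_pfd,
            "loop_pfd": total, "sil": sil_from_pfd(total)}


if __name__ == "__main__":
    for fit in (60.0, 250.0):
        r = level_trip_loop(fit)
        print(f"sensor {fit:>5.0f} FIT, yearly test: loop PFDavg {r['loop_pfd']:.2e} -> SIL {r['sil']}")
    r = level_trip_loop(250.0, redundant_sensors=True)
    print(f"1oo2 sensors, beta 0.1: sensor PFDavg {r['sensor_pfd']:.2e}, loop -> SIL {r['sil']}")
    r = level_trip_loop(250.0, proof_test_years=0.25)
    print(f"quarterly proof test: loop PFDavg {r['loop_pfd']:.2e} -> SIL {r['sil']}")
    pfh = pfh_1oo1(fit_to_rate(250.0))
    print(f"same 250 FIT device in high-demand mode: PFH {pfh:.1e}/h -> SIL {sil_from_pfh(pfh)}")
```

Running it makes the article’s points concrete. With the level meter at either end of the generic-database range the loop lands in the SIL 2 band, because under these assumptions the valve’s PFDavg (about 2.2e-3) dominates the sum; doubling the sensors barely moves the total, since the β term of the 1oo2 equation (β·λDU·T1/2) swamps the independent-failure term; quartering the proof-test interval is what lifts the loop into the SIL 3 band. The same 250 FIT device used in high-demand mode is judged on its PFH of 2.5e-7 per hour, which proof testing cannot improve.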
Box: VARIANTS OF IEC 61508
IEC 61508 — also known in the UK as BS EN 61508 — relates to the functional safety of E/E/PE safety-related systems in general, but there are specialist variants of the standard for specific industries and applications. These include:
IEC 61511: Safety instrumented systems for the process industry sector
IEC 61513: for the nuclear industry
IEC 62061: safety of machinery
EN 50128 & 50129: railway applications
ISO 26262: road vehicles
Box: MINING SECTOR CASE STUDY
Mining trade organisation The Global Mining Guidelines Group (GMG) has published guidelines for applying functional safety to autonomous systems in mining (available for free download via www.is.gd/tagure).
The organisation says: “Functional safety is an important industry challenge as adoption of autonomous systems grows. While autonomous mining is an opportunity to remove people from potentially hazardous situations, there are also residual risks.”
An example is a Norwegian project to run a fleet of six Volvo autonomous vehicles transporting limestone on a three-mile stretch between a mine operated by Brønnøy Kalk AS and the rock crusher (pictured). Tests on the system began in 2018.
Gareth Topham, functional safety principal at Rio Tinto adds: “Whether it be fully autonomous or semi-autonomous, there are degraded modes or unexpected situations that people deal with every day in mines. To manage the removal of a potential control and introduce a technical solution as an alternative, we have to apply functional safety principles to confirm we are reducing the risks as much as we reasonably can.”
Topham was a co-leader of the project, alongside Chirag Sathe, equipment automation principal at BHP.
This guidance begins by identifying important reference materials and listing standards that are relevant to applying functional safety to various aspects of autonomous systems. The core content of the guideline is an example of a functional safety lifecycle for applying autonomous systems in mining and identifies some key expectations and responsibilities for providing information, documentation, and support at each stage. It also offers high-level guidance on software development, verification, and validation; competency management; cybersecurity; and assurance documentation.
GMG said that one of the strengths of its work is its inclusivity in representing different parts of the industry. “The engagement in this project has been an excellent example of how traditional competitors can come together to create a safer future through the GMG community,” says GMG vice-chair of working groups, Andrew Scott. Topham says that the guideline will “provide clarity on the expectations between the various parties involved in delivering automation to mines.”
GMG added that it expects the guidance to evolve over time with new standards and technological advances. A separate GMG project on system safety is also ongoing and will complement this guideline by addressing adjacent topics such as safety case and risk management, human factors, integration, and verification and validation.