The impact of human actions on the reliability of safety instrumented systems
24 January 2010
With increasing SIL level and single safety loops, the impact of human behaviour increases. It can no longer be ignored.
Valves in a bypass — If after the test one of the valves remains in closed position, the measurement is not functional.
The international codes IEC 61508 and IEC 61511 are often used for functional safety in the process industry. According to these codes, scenarios (or risks) are first identified and then classified as SIL 1, 2 or 3.
Next the safety instrumented systems are allocated to ensure that for each scenario the risks are reduced sufficiently. The risk reduction realised in the application is checked via a so-called Probability of Failure on Demand (PFD) calculation.
Safety functions are often implemented redundantly. Due to the availability of SIL certified devices, manufacturers say that in the future SIL 2 and SIL 3 instrument safety loops could be built as a single loop. For grass root projects this is a very interesting development because it creates the possibility to reduce the number of I/O points and therefore a saving on hardware costs. This potential saving however also has a disadvantage that, up to now, has not been recognised.
To guarantee the reliability of the instrument safety loop, a partial or full loop test has to be executed frequently during the life cycle. Very often, these tests will be executed in a running installation.
To prevent the safety loop being activated by accident during the test, a so called Maintenance Override Switch (MOS) is placed in the loop. Placing the MOS is a conscious action that is covered by a procedure.
However, during the test, other activities can be executed that override security but are not checked by procedures.
For instance, consider the valves in a bypass when using a level measurement, or the closing of a steam tracing, or the switching off the purge in a process line. When applying a pressure measurement in some applications the process line should be protected from plugging, for example in cases where liquids can become solids at ambient temperature. Protection is realised by steam tracing or purge.
Apart from these examples, there are of course other possibilities. Just ask your own maintenance technicians how they can (inadvertently) override safety loops.
Now there is a chance that after the test, due to human failure the MOS is not taken out of the safety loop. In this case, the safety loop remains ineffective by accident. It is ineffective due to human failure.
Calculating for human error
According to the code IEC 61508/61511 data are used for the PFD calculations that represent the random dangerous failures of the equipment—the hardware. Human error is not mentioned explicitly.
Now comes an important question: is this is a problem or not? Can the possibility of human error be factored into the safety calculation? For an end user it is important that the required reliability is realised under all circumstances.
In Table 1 the effect is explained if human behaviour is included in the PFD calculation for single SIL 2 and SIL 3 safety loops.
The SIL level provides the required reliability (PFD) and the necessary risk reduction (RRF). For a SIL 1, 2 or 3 the required PFD is at least 0.1, 0.01 or 0.001 and the required RRF is at least 10, 100 or 1000.
According to the HEART (Human Error Assessment and Reduction Technique) database the probability of making a human error is 0.003. This probability is related to a simple action without pressure and done by well educated people.
If this probability is included in the PFD calculation, then it appears that for a single SIL 2 safety loop the actual RRF is reduced from 100 to maximum 75, and for a single SIL 3 safety loop from 1000 to maximum 250.
From the above it appears that with increasing SIL level and single safety loops the impact of human behaviour increases and is not negligible anymore.
Reducing the impact
How can this impact be reduced? There are two solutions:
1) By procedure a double check can be executed for all scenarios that can introduce an inadvertent override (‘four eyes’ principle). By doing the double check, the probability of a human error for SIL 2 and SIL 3 loops becomes acceptably small.
2) The SIL 2 and SIL 3 loops can be executed redundantly, which would require extra hardware. Each individual safety loop can be seen as multiple ‘SIL 1 worthy’ loops. As we have seen, for SIL 1 loops the impact of human behaviour is acceptably small.
As always each solution has its own advantages and disadvantages. The ‘four eyes’ principle of course is the cheapest solution but the disadvantage is that it is assumed that the double check has no common cause.
Because there obviously is a common cause, the assumed level of reliability is only realised in theory.
‘Common cause’ in this context means that two persons do the check independently for 100% verification. But because it becomes a routine procedure it is hard to believe that the 100% level will be reached. In practice it will be significantly lower and the real level is not controllable.
If the redundant loops are executed, an inherent solution is realised for all human actions provided common causes are eliminated in the design. Because redundancy introduces the installation of extra hardware, in practice the best solution, as usual, seems to be the most expensive one but also opens the possibility to improve plant availability.
—Chris Baltus, SABIC Europe, Geleen, The Netherlands
IEC 61508 and IEC 61511
In 1998 the IEC published IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems, a standard for safety-related system design of hardware and software. Although it has its origins in the process automation industry sector, it is a generic functional safety standard, providing the framework and core requirements for sector specific standards.
The standard covers the complete safety cycle, which has 16 phases that are divided into three general groups: phases 1-5 for analysis, phases 6-13 for realisation, and phases 14-16 for operation.
According to IEC 61508, risk is a function of frequency of the hazardous event. The risk is reduced to a tolerable level by applying safety functions from electronic and programmable safety technologies. Other technologies may be used to reduce the risk, only electronic and programmable functions are covered by IEC 61508.
Since that time sector specific standards have been released with the IEC 61508 framework, such as IEC 61511 (process), IEC 61513 (nuclear) and IEC 62061 (manufacturing).
IEC 61511, titled Functional safety - Safety instrumented systems for the process industry sector provides good engineering practices for the application of safety instrumented systems in the process sector. Such systems are referred to as Safety Instrumented Systems. It does not provide requirements for other instrumented safety systems, such as fire and gas systems, safety alarms, or safety controls.
Most Viewed Articles...