A safety control system or device is deemed to be safety related if it provides functions which significantly reduce the risk of a hazard, and in combination with other risk reduction measures, reduces the overall risk to a tolerable level, or if it is required to function to maintain or achieve a safe state for the equipment under control (EUC).
These functions are known as the safety functions of the system or device and are the ability to prevent initiation of a hazard or detect the onset of a hazard, and to take the necessary actions to terminate the hazardous event, achieve a safe state, or mitigate the consequences of a hazard.
Safety Control System
All elements of the system which are required to perform the safety function, including utilities, are safety related, and should be considered part of the safety related system.
Safety related control systems may operate in low demand mode, where they are required to carry out their safety function occasionally (not more than once/year) or in high demand (more than once/year) or continuous mode where failure to perform the required safety function will result in an unsafe state or place a demand on another protective system.
The likelihood of failure of a low demand system is expressed as probability of failure on demand, and as failure rate per hour for high/continuous demand systems.
Safety related control systems operating in continuous or high demand mode where the E/E/PES is the primary risk reduction measure have been known as HIPS (high integrity protective systems).
However, use of such systems does not circumvent the need for a hierarchical approach to risk reduction measures such as inherent safety, and careful consideration of prevention of common mode failures by use of diverse technology and functionality (such as relief valves), independent utilities and maintenance and test procedures, physical separation, and external risk reduction (such as bunds).
Measures should favour simple technological solutions rather than complex ones. The lowest failure rate which can be claimed for high integrity systems operating in continuous or high demand mode is 10^-9 dangerous failures per hour.
It should be noted that control systems for equipment under control which are not safety related as defined above may also contribute to safety and should be properly designed, operated and maintained. Where their failure can raise the demand rate on the safety related system, and hence increase the overall probability of failure of the safety related system to perform its safety function, then the failure rates and failure modes of the non-safety systems should have been considered in the design, and they should be independent and separate from the safety related system.
A control system operating in continuous or high demand mode, for which a failure rate of less than 10^-5/hr is claimed in order to demonstrate a tolerable risk, provides safety functions, and is safety related.
In some circumstances, the safety function may require the operator to take action, in which case, he/she is part of the safety related system and will contribute significantly to the probability of failure on demand (PFD).
Typically, in a well designed system, a figure of 10^-1 is assumed for the probability of an operator failing to take correct action on demand.
Where exceptional care has been taken in design of human factors such as alarm management, instructions and training, and where such arrangements are monitored and reviewed, then a probability of failure on demand of not better than 10^-2 may be achievable.
Any supporting hardware or software, such as alarm systems, would also need the requisite integrity level.
| System | Claimed failure rate or probability of failure on demand |
|---|---|
| Non-safety related system | Not better than 10^-5/hr |
| Operator action | 10^-1/demand (typical); 10^-2/demand (best) |
| High integrity protective system | Not better than 10^-9/hr |
The integrity required of a safety related system depends upon the level of risk reduction claimed for the safety function to be performed.
Safety integrity is the probability that safety related system will satisfactorily perform the required safety function under all stated conditions within a stated period of time when required to do so.
Safety integrity is therefore a function of performance and availability.
Performance is the ability of the system or device to perform the required safety function in a timely manner under all relevant conditions so as to achieve the required state.
Availability is the measure of readiness of the system to perform the required safety function on demand, and is usually expressed in terms of probability of failure on demand.
Performance and availability depend on:
- Proper design or selection, installation, maintenance and testing of the plant interfaces, including sensors, actuators and logic, for the required duty and full range of process and environmental conditions under which they will be required to operate, including, where necessary, any excursions beyond the safe operating limits of the plant;
- Accuracy and repeatability of the instrumentation;
- Speed of response of the system;
- Adequate margins between normal and safe operating limits and the system settings;
- Survivability from the effects of the hazardous event or other external influences such as power system failure or characteristics, lightning, electromagnetic radiation (EMR), flammable, corrosive or humid atmospheres, temperature, rodent attack, vibration, physical impact, and other plant hazards;
- Independence (the ability of the system to act alone, without dependence on other protective measures, control systems or common utilities, and without being influenced by them).
The following measures are required to ensure adequate performance and availability of the safety related system:
- Protection against random failures by hardware reliability, fault tolerance (e.g. by redundancy) and fault detection (diagnostic coverage, and proof testing);
- Protection against systematic and common mode failures by a properly managed safety lifecycle, independence from common utilities, common management systems and other protective systems, and by diversity. The lifecycle includes hazard and risk evaluation, specification, design, validation, installation, commissioning, operation, maintenance, and modification.
Historically, little industry guidance has been available for qualifying or quantifying the safety integrity levels needed to achieve a requisite risk reduction.
Most major companies will have developed internal standards which relate safety related system integrity to required risk reduction. These standards are likely to address the design process, system configuration, and demonstration that the required risk reduction has been achieved by qualitative or quantitative analysis of the failure rate of the design.
They will also have procedures to ensure that the integrity is maintained during commissioning, operation, maintenance, and modification.
Integrity levels for safety related systems may be determined from the hazard and risk analysis of the equipment under control.
A number of different methodologies are available, but the process includes identification of hazards and the mechanisms which can initiate them, risk estimation (likelihood of occurrence), and risk evaluation (overall risk based on likelihood and consequences).
The risk estimation provides a measure of the risk reduction required to reduce the risk to a tolerable level.
Hazard identification results in the identification of safety functions which are required to control the risk.
The safety functions may then be allocated to a number of different systems including E/E/PES, other technology and external measures.
For each system providing a safety function, a failure rate measure can be assigned which in turn determines the integrity required of the system. Alternatively, a qualitative approach (based on the likelihood and consequence of the hazard, and the frequency and level of exposure and avoidability) may be used to define the required integrity.
Safety Integrity Levels
IEC 61508 assigns four software and hardware safety integrity levels (SILs) to required measures of risk reduction.
Guidance is then provided on the system configuration, level of subsystem fault tolerance and diagnostic coverage, and safety life-cycle measures required to achieve the designated hardware SIL, and the software methods and life-cycle measures required to achieve the designated software SIL.
It also provides guidance on qualitative methods for establishing the SIL level required. Part 2 of the standard places architectural constraints on the hardware configuration by setting minimum fault tolerance and diagnostic coverage requirements for each element or subsystem.
It should be noted that IEC 61508 limits the risk reductions which can be claimed for a safety related E/E/PES which operates in low demand mode or continuous mode to no better than 10^-6 and 10^-9 respectively for SIL4.
The requirement is more demanding for subsystems which do not have well defined behaviour modes or behaviour (e.g. programmable systems).
The standard requires that a reliability model of the system architecture be created and the reliability predicted and compared with the target safety integrity level to confirm that the required risk reduction has been achieved.
It is necessary to demonstrate that the required level of integrity has been achieved in the design, installation, operation and maintenance of the system.
It should be noted that the integrity of a safety related system is critically dependent upon the detection and correction of dangerous failures. Where there is a low level of diagnostic coverage, as is usually the case with lower integrity systems, then the integrity is critically dependent upon the proof test interval.
Where there is a high level of diagnostic coverage to automatically reveal failures on-line, for example for high demand high integrity systems, then the integrity is also heavily dependent upon the frequency of diagnostic checks, and the mean time to repair the equipment, which includes the diagnostic test interval.
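As an added worked example (not from the source text or from IEC 61508 itself), the following Python applies the simplified single-channel (1oo1) approximation PFD_avg ≈ λ_DU·T/2 + λ_DD·MTTR to constructed figures, to show the two dependencies described above: with low diagnostic coverage the proof test interval dominates, with high coverage the repair time does. It also combines the trip channel with the typical 10^-1 operator PFD from the table as an independent layer; every rate and interval used is an assumed value.

```python
# Constructed illustration of simplified 1oo1 PFD arithmetic; the failure
# rate, coverage, proof test intervals and repair times are assumed values.

def dangerous_rates(lambda_d, dc):
    """Split a dangerous failure rate (per hour) into the detected and
    undetected parts using diagnostic coverage dc (0..1).
    Returns (lambda_DD, lambda_DU)."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    return lambda_d * dc, lambda_d * (1.0 - dc)

def pfd_avg_1oo1(lambda_d, dc, proof_test_h, mttr_h):
    """Average PFD of a single channel in low demand mode.
    Undetected dangerous failures lie dormant on average for half the
    proof test interval; detected ones only for the repair time."""
    lambda_dd, lambda_du = dangerous_rates(lambda_d, dc)
    return lambda_du * proof_test_h / 2.0 + lambda_dd * mttr_h

def risk_reduction_factor(pfd):
    """Risk reduction claimed for the layer (demands stopped per demand passed)."""
    return 1.0 / pfd

def combined_pfd(*layer_pfds):
    """PFD of independent layers in series: a demand only propagates if
    every layer fails. Valid only if the layers really are independent."""
    total = 1.0
    for p in layer_pfds:
        total *= p
    return total

LAMBDA_D = 1e-6   # assumed dangerous failures per hour for one trip channel
MTTR_H = 8.0      # assumed mean time to repair, hours

def low_coverage_case():
    # DC 0.30: halving the proof test interval roughly halves the PFD
    return {t: pfd_avg_1oo1(LAMBDA_D, 0.30, t, MTTR_H) for t in (8760.0, 4380.0)}

def high_coverage_case():
    # DC 0.99: the proof test interval hardly matters, repair time does
    return {m: pfd_avg_1oo1(LAMBDA_D, 0.99, 8760.0, m) for m in (8.0, 72.0)}

if __name__ == "__main__":
    for t, p in low_coverage_case().items():
        print(f"DC=0.30 proof test {t:5.0f} h: PFD={p:.2e} RRF={risk_reduction_factor(p):.0f}")
    for m, p in high_coverage_case().items():
        print(f"DC=0.99 MTTR {m:3.0f} h: PFD={p:.2e}")
    trip = pfd_avg_1oo1(LAMBDA_D, 0.30, 8760.0, MTTR_H)
    print(f"trip channel plus 10^-1 operator layer: PFD={combined_pfd(trip, 0.1):.2e}")
```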
SIL levels are now being quoted for proprietary subsystems (and certified by test bodies). Quoted SILs should be associated with proof test intervals, diagnostic coverage and fault tolerance criteria.
They are useful for evaluation of architectural constraints, but do not eliminate the requirement to confirm that the required safety integrity level for the safety function provided by the system has been achieved.
Software includes high level user application programmes and parameter settings.
Note : Contains public sector information licensed under Open Government Licence v3.0.