Risk & Safety
Safety could be defined as the absence of risk to persons – employees or public.
In an ideal world, safety would be easily achieved by the elimination of risk.
In the real world however, safety is achieved by the reduction of risk to an acceptable or tolerable level.
Once a hazard has been identified, measures can be introduced to reduce the level of risk associated with the hazard.
Functional Safety – What is it?
Measures taken to reduce risk take many forms e.g. procedure, relief , PPE, control system etc.
The Risk Reduction Measures may be either passive or active. Mostly it’s a combination of both.
Passive measures, such as fire doors or PPE reduce the risk simply by being there.
A Functional Safety System however, is an Active Measure , expected to react to the hazardous event and carry out some function in order to reduce the potential risk resulting from the hazard.
For example. a high level switch in a tank designed to sense a hazardous event and respond in a pre-programmed way – by shutting off the fill valve. The entire circuit from the level switch through the control logic to the valve is called a Safety Instrumented Function or SIF – often referred to in Ireland as an Interlock.
Where does SIL come into it?
The relevant standards for the Process Industry are –
- IEC 61511 Safety Instrumented Systems for the Process Industry Sector and its generic parent
- IEC 61508 Functional Safety of Electrical/electronic/programmable Electronic Safety-related Systems
The standards set out to quantify the level of risk reduction achieved by an interlock.
They define four Safety Integrity Levels, generally called SIL 1, SIL 2, SIL 3 and SIL 4.
|Safety Integrity Level||Target Risk Reduction|
|Non SIL||None to < 10||Applies to Standard PLC interlock or stand-alone ‘hardwired’ interlock.
To comply with 61511 – can only be used for non-safety functions.
|SIL 1||10 to 100||Most common – easiest to achieve|
|SIL 2||100 to 1000||Requires good design and safety management practices|
|SIL 3||1000 to 10000||Very rare – requires sophisticated design|
|SIL 4||10000 to 100000||Best avoided – not normally achievable with standard equipment|
How is the SIL level achieved ?
The standards differentiate between Demand and Continuous Modes of operation.
The normal mode for safety interlocks in the process industry is Demand mode, where the interlock is only active when a demand is made upon it.
For Demand mode operations the Risk Reduction = 1/PFD (PFD= Probability of Failure on Demand)
Therefore to achieve a given level of Risk reduction we need to design the interlock to achieve the corresponding PFD.
For Example, a SIL 1 interlock will need to achieve a PFD of between 10-1 and 10-2.
In other words we accept the risk that it could fail 1 in 10 times it is asked to function.
The best we expect is that it will fail 1 in 99.99 times of asking.
You can see therefore that even SIL1 holds no great promise of freedom from risk.
It is also apparent that, in terms of the standard , by using a single Non SIL interlock we accept that, at best, it could fail once in every 10 times it is asked to function and at worst may not function at all.
How do we know what SIL level we need (SIL Target) ?
Once the requirement for a risk reduction measure / interlock / SIF has been defined in a risk assessment process such as a HAZOP , the Target SIL for the interlock must be set .
The process used for setting the target SIL for an interlock is variously called a SIL Assessment /SIL Determination / SIL Classification.
(Note: The term SIL Verification refers to the process of verifying that all of the requirements for the target SIL have been met in the completed installation.)
There are various methods of determining the required SIL , the most common being semi RISK Graphs, Risk Matrix and Layer of Protection Analysis.
These are discussed in detail elsewhere but one thing all methods have in common is the requirement for calibration to suit the given circumstances and risk tolerance of the user.
The risk graphs provided in the standards and in vendor literature are just one example of calibration. Many of the risk graphs in circulation come from the UK mainland where industries are larger, risks are higher and operating histories in terms of safety is much different.
Each plant should calibrate a risk graph to suit their own activities, risks, operating history etc.
Veritex has developed a risk graph calibration more suited to Irish Industry where industries are generally cleaner, with lower risks and high expectation of safety for operating personnel.
The graph is available to clients as a basis for calibration.
What about our old friend the Hardwired Interlock ?
The much misunderstood and often maligned Hardwired Interlock has traditionally provided a degree of comfort in regard to the reliability of measures taken to address a process hazard.
Standard PLC’s are not reliable enough to be used on their own in safety related functions. An additional layer of protection is almost always required in order to achieve the required risk reduction level.
Best practice has always been to provide a back up hardwired interlock for high risk safety functions, in order to protect against control system failure.
For more info on control system failure, see the UK HSE Document HSG238 ‘Out of Control – Why Control Systems go wrong and how to prevent failure’
All too often in recent years , the control system integrators are relied upon to achieve functional safety, often without an adequate safety specification, or independent verification to ensure that the intended functionality is being achieved.
In consequence some plants in Ireland have, in recent years, unwittingly perhaps, discontinued the use or maintenance of hardwired safety interlocks.
Hardwired Interlocks – Pros & Cons
|What is a Hardwired Interlock?||A permanently wired electrical circuit which typically uses relays to shut off or disable the target equipment. They can be SIL compliant or not.
Most older hardwired interlocks in place are probably non SIL.
|What is Soft Interlock?||An interlock which uses a PLC and associated software to achieve the safety function. They can be SIL compliant if properly installed in a Safety PLC. All existing soft interlocks installed in standard PLCs are not SIL compliant.|
|Is one better that the other?||Not really but soft interlocks are easier to override.
IEC61511 sees no difference unless one is SIL compliant.
|Why are hardwired interlocks used?||Three reasons –
1) Used in conjunction with and as a back-up to a soft interlock they provide an additional layer of protection which remains in place in the event of control system failure, malfunction or bypass.
2) Where equipment can be operated manually (e.g. with a Hand/Off/Auto switch) the interlock can be active in all modes
3) They have traditionally been seen to be more reliable being more difficult to bypass or disable. Therefore they are preferred for safety functions.
|How effective are hardwired interlocks?||Quite effective, if they have been well designed and regularly tested.
However it is quite common to use standard components such as relays.
These are subject to wear and tear, which can result in random failures.
|Should they continue to be specified?||Absolutely, unless you have a Safety PLC.
However for safety related functions, best practice now indicates that they should be SIL rated
|What should I do with my existing interlocks?||Many plants have, over the years, installed interlocks as part of a project and left it at that. All interlocks, whether hardwired or not, whether SIL or not, are only effective if they are tested regularly.
The obligation to reduce risk applies throughout the plant lifetime.
Existing interlocks should be examined to verify effectiveness and robustness of design.
|Do I need to upgrade my existing hardwired interlocks to SIL||For the vast majority, probably not. Especially if they were built to 'best practice standards' at the time and can be proven to be effective.
Operating history can also be taken into account in determining tolerability of the existing risks.
What is the Legal Status in Ireland?
In Ireland there is no prescriptive legal Act or Regulations specifically relating to Functional Safety.
However, the Safety, Health and Welfare at Work (General Application) Regulations 2007 (SI299) , includes the following general provisions under ‘Duties of Employer’ –
- “Where it is not possible fully to ensure that work equipment can be used by employees without risk to their Safety or Health, the employer must ensure that appropriate measures are taken to minimise any such risk”
- The employer shall ensure that ‘Control systems are safe, and are chosen making appropriate allowances for the failures, faults and constraints to be expected in the planned circumstances of use’
The term Work Equipment can be taken to include everything from the canteen kettle to a process reactor or centrifuge.
The term ‘minimise’ can be taken to read ‘Minimise so far as is Reasonably Practicable’ .
Do I need to comply with IEC 61511 ?
Remember that compliance with IEC61511 does not mean that all of your interlocks will be SIL rated. Typically only a relatively small percentage of interlocks in a process plant are found to require a SIL rating.
Also while SIL interlocks do have a lifecycle management requirement, all interlocks require careful maintenance.
Any interlock whether SIL or not is only as good as its maintenance and test regime.
New Installations Given the statements above from the Health and Safety at Work Act, it would be difficult to argue against the adoption of IEC61511.
The obligation to minimise risk obviously requires the risks to be identified and reduction measures to be put in place. These will include Functional Safety systems where the risk assessment indicates.
The requirement that ‘Control systems are safe, and are chosen making appropriate allowances for the failures ... to be expected ’ is a clear indication that robust functional safety systems are required - i.e. it will not be sufficient to rely solely on the basic Process Control System.
This will require the application of current best practice and best available information, which can only be found in IEC61511.
The HSA guide to ‘Use of Work Equipment’ also states that
‘There are a number of harmonised European standards that deal with the design of control systems – ‘ A clear indication that the harmonised standard IEC61508/61511 represents best practice.
It is only when something goes wrong that the judgement of those involved in the safety lifecycle will be questioned. Failure to adopt IEC61511 could, in those circumstances, be seen as negligence.
Existing Interlocks Responsibility for safety under the Health and Safety at Work act apply equally to legacy systems which were designed and installed before the advent of IEC61511.
While it may be argued that the standard applies equally to older plant the following points are relevant -
1) It is probably not practicable or cost effective to review the entire plant and re-specify safety systems.
2) The plant, its perceived hazards and associated risks have an operating history which may be used to argue that the existing risk is tolerable.
3) This should not be mistook to mean that the existing safety interlocks are safe.
Quite the contrary is the case. Process safety measures operate in demand mode and their condition will only be known when a demand is made upon them.
Unless there is a regular maintenance and testing regime their condition will remain unknown. In extreme cases, the target valve, for example, might never normally operate and it may be completely seized.
Many of the older hardwired interlocks rely on standard hardware components which more subject to random failure as they age.
Similarly for standard PLC interlocks - the chances of a systematic failure are the same now as at the time of installation.
4) The ANSI version of the standard ANSI/ISA-84 allows the plant owner to determine the safety and effectiveness of legacy interlocks without the need to apply the standard.
It is clear from the above that the minimum obligation on plant owners/operators is to
1) Document existing safety interlocks.
2) Review the design to ensure effectiveness at addressing the risk, failure mode etc.
3) Identify areas where the existing measures may need to be strengthened
4) Identify hazards for which risk reduction measures are not in place.
5) Establish maintenance and test regime.