Functional Safety
This course puts functional safety into context with other important
safety measures. We define what functional safety is and why it is
important in the wider context. We introduce some basic
principles of safety instrumented systems and end with a summary of
well-known equipment used today in process plants.
The term safety often gets used in the context of occupational
safety, namely slips, trips and falls. However, process safety and
functional safety have a different focus.
Safety is a general term that has been defined as freedom from
danger, risk or injury, or freedom from intolerable risk. It is the
condition of being protected from harm or any other event which
could be considered undesirable.
Process safety involves keeping the process under control and
keeping hazardous materials inside the pipes and vessels.
It is the concern of many different disciplines, including process
experts, mechanical, electrical, and control and instrumentation
engineers, as well as safety professionals.
Functional safety is essentially a subset of process safety.
When hazards occur, the correct operation of automated
equipment such as sensors, logic solvers and valves should bring
the process to a safe state. The functional safety principle ensures
that each hazard is prevented or mitigated by equipment
designed with the correct integrity.
The need for safety instrumented systems (SIS) is driven by various
factors, not least of which are process industry accidents such as
the one that occurred at Buncefield in 2005.
Operators of major accident hazard sites look to reduce the cost
of insurance by demonstrating that the SIS and other protection layers
are well designed and maintained.
Standards are the third driver for SIS. Companies and organizations
work globally to agree best practices such as IEC 61511, which is
the global reference source for specifying, designing and
maintaining safety instrumented systems.
A study of incidents involving control systems was conducted by
the Health and Safety Executive in the United Kingdom, with the
first results published in the book "Out of Control: Why control
systems go wrong and how to prevent failure".
Although it is just one study, notice that the hazard owner is
effectively responsible for setting the requirements as well as operating,
maintaining and modifying an SIS after it has been placed into
service. So even if an end user contracts out the design, this
research shows that over 80% of problems are introduced before
or after a system is designed and installed.
To demonstrate the need for an SIS, here is an example. This drawing
represents a tank with two level transmitters named LAH (level
alarm high) and LAHH (level alarm high high).
Each transmitter is connected to a separate logic solver: one for the
basic process control system (BPCS), the other for the safety
instrumented system (SIS).
If it is functioning correctly, the BPCS logic solver can take action
at the level alarm high trip point to close the valve CV1 before an
overfill occurs. The system responds differently in the case of some
specific faults that the functional safety standards call
dangerous failures. For instance, if valve CV1 is motor operated, a
loss of power means it will not respond even if a correct signal
is received from the BPCS.
However, the function from sensor LAHH through the SIS
logic solver to the separate valve XV1 is completely
independent, and the spring-actuated valve (which closes when its
energy is removed) will stop the flow into
the tank even on complete power loss. This is the basic principle
of independence of protection layers that the IEC series of
standards strongly recommends for achieving functional safety
integrity.
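The following discrete-time simulation of the tank example above is an added illustration, not code from the course or from any IEC standard. It models the BPCS layer (LAH trips CV1, a motor-operated valve that fails as-is on loss of power) and the independent SIS layer (LAHH trips XV1, a spring-return valve that closes on loss of power), and runs the three situations the text describes: normal operation, CV1 losing motor power, and a complete plant power loss. It goes one step beyond the text with a counterexample in which XV1 is also motor operated, to show that the SIS layer only protects on power loss because its final element fails to the safe state. The tank capacity, trip points, inflow rate and time step are constructed assumptions.

```python
"""Two-layer overfill protection simulation: BPCS (LAH -> CV1) and SIS (LAHH -> XV1).
Added example for the course text above; all numeric parameters are assumptions."""

from dataclasses import dataclass

# Constructed parameters (assumptions, not taken from the course material).
TANK_CAPACITY = 100.0   # level above which the tank overfills
LAH_TRIP = 80.0         # BPCS trip point: level alarm high
LAHH_TRIP = 90.0        # SIS trip point: level alarm high high
INFLOW_PER_STEP = 2.0   # level rise per step while both inlet valves are open
MAX_STEPS = 60          # simulation horizon


@dataclass
class Valve:
    name: str
    spring_return: bool   # True: de-energise-to-close, fails safe on power loss
    powered: bool = True
    is_open: bool = True

    def command_close(self) -> None:
        # A motor-operated valve needs power to move; a spring-return valve
        # closes as soon as its holding energy is removed.
        if self.spring_return or self.powered:
            self.is_open = False

    def lose_power(self) -> None:
        self.powered = False
        if self.spring_return:
            self.is_open = False      # spring drives it to the safe state
        # A motor-operated valve stays where it is: the "dangerous failure"
        # described in the text.


@dataclass
class LogicSolver:
    name: str
    trip_point: float
    final_element: Valve
    powered: bool = True
    tripped: bool = False

    def scan(self, level: float) -> None:
        # An unpowered solver cannot act; a powered one trips at its set point.
        if self.powered and not self.tripped and level >= self.trip_point:
            self.tripped = True
            self.final_element.command_close()


def run_scenario(cv1_power_loss_at=None, plant_power_loss_at=None,
                 xv1_spring_return=True) -> dict:
    """Fill the tank until a layer trips, the tank overfills, or time runs out.
    Returns the outcome so it can be inspected or asserted on."""
    cv1 = Valve("CV1", spring_return=False)              # motor operated
    xv1 = Valve("XV1", spring_return=xv1_spring_return)  # spring actuated by default
    bpcs = LogicSolver("BPCS", LAH_TRIP, cv1)
    sis = LogicSolver("SIS", LAHH_TRIP, xv1)
    level = 0.0
    for t in range(MAX_STEPS):
        if t == cv1_power_loss_at:
            cv1.lose_power()                  # only the BPCS final element fails
        if t == plant_power_loss_at:          # everything de-energises at once
            cv1.lose_power()
            xv1.lose_power()
            bpcs.powered = sis.powered = False
        # Each solver reads its own transmitter; both see the true level here.
        bpcs.scan(level)
        sis.scan(level)
        if cv1.is_open and xv1.is_open:       # the two valves are in series on the inlet
            level += INFLOW_PER_STEP
        if level > TANK_CAPACITY:
            return {"overfill": True, "level": level, "step": t,
                    "bpcs_tripped": bpcs.tripped, "sis_tripped": sis.tripped}
    return {"overfill": False, "level": level, "step": MAX_STEPS,
            "bpcs_tripped": bpcs.tripped, "sis_tripped": sis.tripped}


if __name__ == "__main__":
    print("normal operation      ", run_scenario())
    print("CV1 loses motor power ", run_scenario(cv1_power_loss_at=10))
    print("plant power loss      ", run_scenario(plant_power_loss_at=10))
    print("plant power loss, XV1 motor operated",
          run_scenario(plant_power_loss_at=10, xv1_spring_return=False))
```

In the first three scenarios the level never exceeds the tank capacity: the BPCS holds it at LAH, the SIS catches the BPCS dangerous failure at LAHH, and on a plant-wide power loss XV1 springs closed without any solver acting. Only the counterexample overfills, which is the point of the independence principle: the second layer must not share the failure mode of the first, including its dependence on power.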
You may already know types of SIS by other names, such as the
examples on the next slide. For some people the term "system"
historically referred to just the logic solver element; however, it is
important to remember that the SIS in IEC 61511 includes all the
field equipment (sensors and final elements) as well as the logic solver. Many other types of
protection layer can be used to reduce the risk in process plants.
These are commonly given the term independent protection layer,
or IPL. A safety instrumented function (SIF) is one form of IPL that uses instrumentation. Non-
instrumented IPLs can be very effective and reliable when
correctly designed for a given hazard; however, non-instrumented
IPLs such as mechanical relief valves are not subject to the
detailed SIL requirements of IEC 61511 and are therefore not
assigned a SIL target.