Angela Summers

Random, systematic, and common cause failure: How do you manage them?

A safety instrumented system (SIS) may fail to operate as desired when one or more of its devices fail due to random, systematic, and common cause events. IEC 61511 (ANSI/ISA 84.00.01–2004) stresses the importance of minimizing the propagation of device failure into system failure through design, operating, inspection, and maintenance practices. To fully understand the lifecycle requirements, it is first necessary to understand the types of failures and their potential effects on the SIS. Although several technical standards and other specialized literature address the topic, it is still a “fuzzy” matter, subject to misunderstanding and discussion. IEC 61511 Clause 11.9 requires that the SIL be verified using quantitative analysis, such as reliability block diagrams, fault tree analysis, and Markov modeling. This analysis includes only those dangerous failures that are random in nature. Common cause failures may or may not be included in the verification calculation depending on whether they exhibit random or systematic behavior. Any personnel assigned responsibility for verifying the SIL should understand each failure type and the strategies that can be used against it. Consequently, this article provides an overview of random, systematic, and common cause failures and clarifies the differences in their management within IEC 61511.

Risk criteria, protection layers, and conditional modifiers

Risk analysis assesses the likelihood and consequence of events. The acceptability of the identified risk is determined by comparing it to a specified risk tolerance. The criteria applied depend on the analysis boundary, which may be the hazardous event or extend to the harm posed by the hazardous event. Risk analyses generally begin with a determination of the likelihood that the hazardous event occurs. This is where the process deviation exceeds the safe operating limit of the process resulting in loss of containment, release of hazardous materials, or other undesirable consequence. These analyses require estimation of the likelihood that the initiating event occurs and the probability that the proactive protection layers do not operate as required, allowing the hazardous event to occur. Reactive protection layers and conditional modifiers are considered when the analysis is evaluating the likelihood that harm is caused by the hazardous event.

Consistent consequence severity estimation

Most risk analysis methods rely on a qualitative judgment of consequence severity, regardless of the analysis rigor applied to the estimation of hazardous event frequency. As the risk analysis is dependent on the estimated frequency and consequence severity of the hazardous event, the error associated with the consequence severity estimate directly impacts the estimated risk and ultimately the risk reduction requirements. Overstatement of the consequence severity creates excessive risk reduction requirements. Understatement results in inadequate risk reduction.

Evaluation of uncertainty in safety integrity level calculations

The evaluation of the safety integrity level (SIL) of a new or existing safety instrumented system (SIS) requires detailed calculations based on the failure rates of the device and the planned maintenance‐testing cycle for the system. The failure rates of the devices are taken from standard failure rate tabulations of equipment. The maintenance and testing plans are developed based on plant experience. The quantitative evaluation determines the probability of failure on demand (PFD) for a demand mode SIS and yields the SIL of the SIS. All of the data used in the SIL calculations are uncertain. This article explores the impact of uncertainty on the PFD calculation for a SIS. The “70%” rule of thumb from IEC 61508 is compared to results obtained using probability theory such as variance contribution analysis (VCA). A proposed methodology for handling the uncertainty in the PFD calculations is presented based on the application of the VCA method. An example is worked to demonstrate the methodology.

Safety Management is a Virtue

It is undeniable that safe operation and process reliability are not only compatible but highly interrelated. Reliable production units rarely have safety incidents, whereas unreliable ones tend to repeatedly experience abnormal operation. To prevent incidents, personnel, procedures, and equipment must be aligned to facilitate rapid identification and response to failures of the control system and protective safeguards. Safe and reliable performance requires minimization of the root causes that lead to abnormal and emergency operation. The challenges to accomplishing this in a timely manner are considerable, but not insurmountable.

Cookbook versus performance SIS practices

A safety instrumented system (SIS) is designed to achieve or maintain a safe state of the process when unacceptable process conditions are detected. An SIS is an independent protection layer that is covered by the performance‐based standard ANSI/ISA 84.00.01‐2004. The risk reduction allocated to the SIS determines its target safety integrity level (SIL). ANSI/ISA 84.00.01‐2004 allows a combination of factors to be considered in the verification of the SIL of the SIS. Performance‐based practices provide flexibility to users, yet add complexity to the design process, encouraging project teams to reinvent the wheel for even widely used process equipment.

Quality Assurance in Safe Automation

A perfect process would have no hazards, but perfection is impossible in the real world. Nearly all process units have inherent risk associated with their design and operation. Safe operation is maintained with a risk reduction strategy relying on a wide variety of safety systems. This article focuses on the most common safety systems for managing process deviations during planned operating modes—instrumented safety systems (ISSs), such as safety alarms, safety controls, and safety instrumented systems. Rigorous quality assurance is necessary to achieve real‐world risk reduction, so this article follows the Plan, Do, Check, and Act process to discuss quality assurance and its application to ISS.

Dependent, independent, and pseudo-independent protection layers in risk analysis

Risk analysis is an important tool to provide support for various risk management decisions in hazardous industries. For the last decade, the semiquantitative Layers of Protection Analysis (LOPA) has been the dominating risk analysis technique in the US process industry. One basic assumption in LOPA is that all the protection layers are independent from each other and from the initiating cause; otherwise, no risk reduction credit should be taken in the LOPA. However, many processes do have protection layers, which are dependent to some extent. For these systems, assuming independency may be too optimistic, whereas disregarding the partial risk reduction afforded from a partially dependent protection layer is pessimistic.

Risk assessment challenges to 20:20 vision

Decision makers need reproducible, believable results to support investment decisions. A wide variety of hazard identification and risk analysis methods are available to support process safety decisions. All methods require knowledge in the fundamentals of process design and experience in the process operation under consideration. Every method has uncertainty and no method yields any better reflection of the risk than the level of engagement that the analyst or team has in the assessment. Traditional approaches work well on processes with a long history of operation, but are difficult to apply in the rapidly evolving environment of modern manufacturing. This article discusses the challenges that the risk analysis process is facing in todays work environment. These challenges include understanding that the calculations are only a model for process safety events that harm people, events with low calculated likelihood can still occur, and management systems with metrics are critical to sustain the performance of the identified protection layers. These challenges are met by adapting current tools and work processes for recording process data to also collect data on abnormal operation and protection layer failure.

Safety controls, alarms, and interlocks as IPLs

Layers of Protection Analysis evaluates the sequence of events that first initiate and then propagate to a hazardous event. This semiquantitative risk assessment technique can expose the role that automation plays in causing initiating events and in responding to the resulting abnormal operation. Automation that is specifically designed to achieve or maintain a safe state of a process in response to a hazardous event is now referred to as safety controls, alarms, and interlocks (SCAI).