AN OPEN PAPER
IEC 61508 AND RELATED GUIDANCE – USES AND ABUSES
DAVID J SMITH
THE BACKGROUND TO FUNCTIONAL SAFETY
For over fifteen years the IEC 61508 guidance has spawned a raft of industry specific documents disseminating much the same
theme. The effect has been to outline the major aspects of targeting and assessing risk and to radically enhance the awareness of
this branch of engineering. It is now almost unheard of for a major project not to include the identification of hazards and the
subsequent risk engineering activities called for in the above guidance. This has led to risk targets (usually misleadingly referred
to as “SILs”) being placed on most of the elements of the supply chain from the systems integrators down to the suppliers of equipment and instrumentation.
On the plus side there is now almost universal attention to safety integrity and a widening of assessment to encompass
non-quantitative as well as quantitative factors. Cost is seen in better perspective due to the application of the ALARP principle and there is a wider availability of quantification tools.
On the negative side there is an obsession with the SIL “word” without understanding its limited meaning as a metric for the
application of non-quantitative assessment. There has been a dumbing down of targeting methodology to enable all and sundry to
“have a go”. This seems strange when all other branches of engineering recognise the role of the specialist to whom the
calculations are entrusted. Not so with safety-integrity. Certification and the application of SIL targets is often taken to too low a
level such that “bells and buzzers” are procured with integrity targets. Also there is a frequent lack of focus in the choice of rigour
which leads to the “paragraph by paragraph” mentality addressing each and every statement in a standard with equal rigour, thus losing sight of priorities.
DESIRABLE OUTCOMES
Universal attention to safety integrity
Prior to the development and publication of IEC 61508 quantified risk assessments were carried out in many industries. They
involved the methods and tools described in the text books of that time and, in some cases, made use of in-house guidance and procedures.
The motivation for this work was to some extent voluntary and driven by realisation, within an industry or organisation, that
potentially hazardous events required analysis and prediction leading to some visible attempt at mitigation.
Following Flixborough (1974) and Seveso (1976) various aspects of legislation and guidance (Reference 1) provided additional
impetus culminating in the CIMAH (later COMAH) regulations in the UK. However, those regulations apply only to major industrial
hazards and not the vast range of industrial product areas and applications. IEC 61508 (2000 and now 2010 version) has become
so widely known that it is now rare for a product or process not to involve functional safety issues. Hazards are routinely identified,
targets are set and assessments carried out to establish if those targets are met.
Widening of assessments to encompass non-quantitative factors
Earlier assessments did not always involve establishing a target (ie risk of fatality) such that the assessment result could be
deemed “satisfactory” or otherwise.
Furthermore, assessments were largely quantitative. That is to say they predicted the frequency of the event in question using
available component failure rate data. Whilst this might have been an adequate approach in the 1970s and early 1980s it has long
been understood that such an assessment of “random hardware failures” alone represents only part of the picture. The growth of
complexity over the last 3 decades has led to the dominance of “systematic” failures which cannot be predicted and assessed by
quantitative techniques alone. IEC 61508 has established and codified the need for a raft of techniques and measures, throughout the lifecycle, to minimise these systematic failures.
Awareness of human factors
A particular benefit, which has arisen from the last 25 years’ work in this area, is the understanding of the role of human factors in
major incidents. A mass of empirical human error data has led to robust prediction models and the limitation of the degree of risk reduction claimed by manual responses to alarms.
Understanding of cost limitations (eg ALARP)
Although only covered as guidance in IEC61508 the practice of setting quantitative integrity targets has led to the concept of
ALARP (as low as reasonably practicable). Because meeting a quantified target has become the object of an assessment then the question arises as to by what margin.
The ALARP concept follows with the idea that further risk reduction should only be carried out until the cost becomes
disproportional (References 2 and 5) at which point, it is argued, additional resources are not justified and could more fruitfully be employed in risk reduction elsewhere.
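The disproportion test that the ALARP argument turns on can be made concrete with a cost-per-life-saved calculation. The script below is an added example, not part of the paper or of References 2 and 5: it spreads the cost of each candidate measure over the fatalities it is expected to prevent during its lifetime, compares the result with a criterion value, and ranks the candidates so that money refused to a disproportionate measure can be seen against the proportionate ones elsewhere. Every figure in it, the criterion included, is constructed for illustration.

```python
"""Cost per life saved: the ALARP disproportion test on a set of proposals.

Added worked example, not taken from the paper or from References 2 and 5.
The calculation is the usual one: the cost of a proposed risk-reduction
measure is divided by the number of fatalities it is expected to prevent
over its lifetime, and the result is compared with a criterion value above
which the spend is judged disproportionate. All monetary and risk figures
below are constructed; the criterion in a real assessment comes from the
assessor's own guidance, not from this script.
"""


def fatalities_prevented(risk_before, risk_after, lifetime_years):
    """Expected fatalities prevented over the life of the measure.

    risk_before, risk_after: predicted fatality rate (fatalities per year)
    without and with the measure in place.
    """
    if risk_after > risk_before:
        raise ValueError("a risk-reduction proposal must not increase risk")
    return (risk_before - risk_after) * lifetime_years


def cost_per_life_saved(cost, risk_before, risk_after, lifetime_years):
    """Cost per fatality prevented; infinite if the measure prevents none."""
    prevented = fatalities_prevented(risk_before, risk_after, lifetime_years)
    if prevented == 0:
        return float("inf")
    return cost / prevented


def alarp_ranking(proposals, risk_before, lifetime_years, criterion):
    """Rank proposals by cost per life saved and flag the proportionate ones.

    proposals: {name: (cost, residual fatality rate per year if adopted)}.
    Returns [(name, cost_per_life_saved, proportionate)] with the most
    cost-effective measure first.
    """
    rows = []
    for name, (cost, risk_after) in proposals.items():
        cpl = cost_per_life_saved(cost, risk_before, risk_after, lifetime_years)
        rows.append((name, cpl, cpl <= criterion))
    return sorted(rows, key=lambda row: row[1])


# Constructed input: three candidate measures against an unmitigated fatality
# rate of 1e-4 per year, assessed over a 25-year plant life.
RISK_BEFORE = 1e-4
LIFETIME_YEARS = 25
CRITERION = 2_000_000  # constructed criterion value (currency per life saved)
PROPOSALS = {
    "extra relief valve": (100_000, 2e-5),
    "revised alarm procedure": (500, 8e-5),
    "duplicate trip channel": (40_000, 1e-5),
}

if __name__ == "__main__":
    for name, cpl, ok in alarp_ranking(PROPOSALS, RISK_BEFORE, LIFETIME_YEARS, CRITERION):
        verdict = "proportionate" if ok else "disproportionate"
        print(f"{name:25s} cost per life saved = {cpl:14,.0f}  {verdict}")
```

With the constructed figures only the procedural change passes the criterion; the two hardware measures prevent more fatalities in absolute terms but at a cost per life saved an order of magnitude or more above it, which is the situation in which the paper argues the resources are better employed elsewhere.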
Wider availability of quantification tools
The almost universal application of risk assessment has provided the market impetus for the development of a wide range of
failure data and calculation tools. These greatly reduce the time and effort needed to carry out assessments and therefore the number carried out increases for the same amount of manpower.
UNDESIRABLE OUTCOMES
Inappropriate use of the “SIL” term
Obsession with the “SIL” word has grown amongst a very large number of people (including many so called “experts”) without
understanding its meaning. It is, in fact, ONLY an arbitrary metric invented in order to classify the QUALITATIVE techniques and
procedures throughout the life cycle which are deemed to minimise systematic failures. Integrity targeting (NOT ‘SIL targeting’ as it
is widely described) should establish maximum tolerable risks and failure rates as targets for the quantitative assessment.
SIL (safety integrity level) is a necessary and useful concept but ONLY as a secondary consideration during the integrity targeting process.
Only because of the QUALITATIVE activities does it become necessary to have “bands” of rigour instead of numerical targets.
The choice of four “SILs” is again arbitrary and they might just as well have been labelled bronze, silver, gold and platinum. The
impression of numeracy, given by the terms SIL 1 to SIL 4, is potentially misleading.
Nevertheless integrity studies are referred to as “SIL” studies. Integrity targets as “SIL” targets and so on. Sadly this trend is
worsening as the misunderstanding widens. This is not helped by consultancies and products seeking to incorporate the “SIL” mnemonic into their titles.
Ascribing SILs to hardware rather than to functions
It has become an almost universal practice to describe every aspect of an instrumented loop and its procurement by means
of the SIL. Although theoretically not wrong it promotes the idea that a piece of hardware (and its software) has a safety integrity
level. It DOES NOT. It is functions which have SILs and the elements of a safety related system need “SUITABILITY” for use at a particular SIL and ONLY in respect of a defined failure mode.
The plethora of misunderstanding embraces the idea that an item can have a SIL without any mention of how it might fail. It may
fail in many ways, each of which relates to a different potential safety function. Since its rate of failing and proportion of hazardous
failures will be different for each mode it will potentially have a different SIL for each mode.
Dumbing down of targeting methodology
The spread of misunderstanding, emphasised in the earlier sections of this paper, is largely due to a phenomenon which does not
seem to apply to other disciplines within engineering.
That is, the obsession that everyone must have a “say” and a “part” in the safety assessment process. As a result there has been a
disturbing trend to dumb down the processes by creating pocket “methodologies” that allow non-experts to replace experts. The
most appalling example is the use of risk graphs which enable amateurs to establish so called ‘SIL targets’ with no need to
establish failure mode details or proper quantified risk targets. Worse still they, and other makeshift techniques, are so widely
used and taught that it is possible to attend courses in their use and obtain certification giving the impression of expertise in the
subject without any proper understanding of the underlying principles and mathematics involved. Furthermore, as with other
disciplines, experience gained over many years is vital in order to make effective judgments.
The author frequently encounters “experts” who can neither explain the difference between a rate and a probability nor establish an
appropriate maximum tolerable risk and calculate the maximum PFD required of a risk reduction function.
Certification and SIL application to too low a level
Misunderstanding of the SIL term, in its application to simple devices/components, has led to requests for it to be demonstrated at
component levels. The only parameter, related to functional safety, for an electromechanical relay is its failure rate and the
proportion of ‘fail to open’ and ‘fail to close’ modes. To ascribe a “SIL” at this component level is both unnecessary and
misleading. Any question of SIL relates to the safety function in which it is used. However, more complex items (eg field detectors)
may claim a SIL capability based on safe failure fraction and design cycle rigour.
The author has been requested (on many occasions) to certify a SIL 2 capability for a sounder or beacon. Anyone with
appropriate expertise knows that these components can only be part of a “human response” function which should never claim
more than SIL 1. An example of lack of knowledge and of understanding.
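The procedure the paper keeps returning to (a maximum tolerable risk from which the maximum PFD of the risk reduction function follows; a failure rate and a proportion of hazardous failures per mode; a relay judged by its fail-to-open and fail-to-close rates against the function's target rather than given a SIL of its own) can be carried through in a few lines. The script below is an added example, not the paper's text and not any standard's worked example. It assumes the low-demand PFD bands tabulated in IEC 61508 and the single-channel approximation PFD ≈ λ_D·T/2 for a dangerous failure rate λ_D revealed only at proof test every T hours; all hazard and relay figures are constructed.

```python
"""Integrity targeting, then per-failure-mode assessment of one element.

Added worked example. Sequence: set a maximum tolerable risk, derive the
maximum PFD the risk reduction function may have, then assess a candidate
element mode by mode against that target. The low-demand SIL bands are those
of IEC 61508; every other figure is constructed for illustration.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand bands: (SIL, PFD lower bound, PFD upper bound).
SIL_BANDS_LOW_DEMAND = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_band_for_pfd(pfd):
    """SIL band (1-4) whose PFD range contains pfd; 0 if too weak for SIL 1,
    None if below the SIL 4 band (more than one function should claim)."""
    for sil, lower, upper in SIL_BANDS_LOW_DEMAND:
        if lower <= pfd < upper:
            return sil
    return 0 if pfd >= 1e-1 else None


def required_pfd(max_tolerable_fatality_rate, demand_rate_per_year, p_fatality_given_event):
    """Maximum PFD the risk reduction function may have.

    Unmitigated fatality rate = demand rate x P(fatality | event); the
    function must bring it down to the tolerable figure, so the PFD target
    is the ratio of the two (1.0 if no risk reduction is needed at all).
    """
    unmitigated = demand_rate_per_year * p_fatality_given_event
    if unmitigated <= max_tolerable_fatality_rate:
        return 1.0
    return max_tolerable_fatality_rate / unmitigated


def pfd_from_rate(dangerous_failure_rate_per_hour, proof_test_interval_hours):
    """Rate to probability: a single channel with dangerous failure rate
    lambda_D (per hour) and proof test interval T (hours) has average
    PFD = lambda_D * T / 2. The rate has units; the PFD is dimensionless."""
    return dangerous_failure_rate_per_hour * proof_test_interval_hours / 2.0


def assess_element(total_failure_rate_per_hour, mode_proportions, dangerous_mode,
                   proof_test_interval_hours, target_pfd):
    """Assess one element for one function. Only dangerous_mode defeats this
    function; the other modes are safe here even though the same element
    could be dangerous in a different function."""
    if abs(sum(mode_proportions.values()) - 1.0) > 1e-9:
        raise ValueError("failure mode proportions must sum to 1")
    lambda_d = total_failure_rate_per_hour * mode_proportions[dangerous_mode]
    pfd = pfd_from_rate(lambda_d, proof_test_interval_hours)
    return {
        "dangerous_mode": dangerous_mode,
        "lambda_d_per_hour": lambda_d,
        "pfd": pfd,
        "band": sil_band_for_pfd(pfd),
        "meets_target": pfd <= target_pfd,
    }


# Constructed input. Hazard: 0.1 demands per year, each fatal with probability
# 0.5; maximum tolerable fatality rate 1e-5 per year. Element: a relay with a
# total failure rate of 2e-7 per hour, 10% fail-to-open / 90% fail-to-close,
# proof tested once a year.
MAX_TOLERABLE = 1e-5
DEMAND_RATE = 0.1
P_FATALITY = 0.5
RELAY_RATE = 2e-7
RELAY_MODES = {"fail_to_open": 0.1, "fail_to_close": 0.9}
PROOF_TEST_HOURS = HOURS_PER_YEAR


def relay_by_function():
    """Same relay, two functions: one defeated by fail-to-open (a contact that
    must open to trip), one by fail-to-close. Returns the target PFD and one
    assessment per mode."""
    target = required_pfd(MAX_TOLERABLE, DEMAND_RATE, P_FATALITY)
    return target, {
        mode: assess_element(RELAY_RATE, RELAY_MODES, mode, PROOF_TEST_HOURS, target)
        for mode in RELAY_MODES
    }


if __name__ == "__main__":
    target, results = relay_by_function()
    print(f"target PFD {target:.1e} (SIL {sil_band_for_pfd(target)} band)")
    for mode, r in results.items():
        print(f"{mode}: lambda_D {r['lambda_d_per_hour']:.1e}/h  PFD {r['pfd']:.2e}  "
              f"SIL {r['band']} band  meets target: {r['meets_target']}")
```

With these figures the target works out at a PFD of 2e-4 (SIL 3 band). The same relay meets it in a function defeated by fail-to-open (PFD about 8.8e-5) and misses it in one defeated by fail-to-close (PFD about 7.9e-4), which is the paper's point: the relay has failure rates per mode, and only the function has a target and a band.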
Lack of focus in the choice of rigour
Having already covered the reasons why IEC 61508 (Reference 3) has been an excellent innovation in principle it has
nevertheless to be said that the document is extremely lengthy, verbose, repetitive and poorly structured. IEC 61511 (Reference 4),
despite being couched in the usual lengthy style of standards, nevertheless achieves a great deal by way of a simpler approach.
This, together with the “page by page” mentality of many users, often leads to slavish rigour to written clauses in the belief that this
achieves a robust review.
It needs to be realised that (along with the ALARP principle) there is an optimum resource for any assessment. Thus a “page by
page” approach is in danger of losing overall perspective and of watering down the effort in areas where it matters. A robust
approach involves an informed selection of key areas of criticality and then applying the assessment effort accordingly.
Proliferation of guidance
There seems to be a compulsion for bodies to write their own version of the standard. Most documents become a re-iteration of
the same text with slightly different terminology, headings and layout. Hence the nightmare of comparing vast quantities of
guidance which essentially say the same thing whilst differing in respect of enormous quantities of trivial detail. This task of keeping up with the totality of 2nd tier guidance is therefore considerable but adds little to actual safety.
THE WAY FORWARD
Everyone to his own expertise
Industry (and its safety related fraternity) should discourage the practice of non-expert participation and promote training, with
some academic content, leading to qualifications. This must therefore include an understanding of probability and statistics and its
underlying mathematics (Reference 6) and only persons with appropriate aptitudes, along with adequate experience, should seek to represent themselves as experts in this area.
Have one central standard
Industry should discourage the wasteful use of effort in writing guidance after guidance on a subject which is already over
documented. This effort would be better employed improving the presentation of the existing standard and, also, in actually carrying out assessments.
References
1. Reliability, Maintainability and Risk, 8th Edition, D J Smith, Elsevier (Butterworth Heinemann) ISBN 9780080969022.
2. The Safety Critical Systems Handbook (A straightforward guide to functional safety IEC61508) 3rd edition, 2010, Smith DJ and
Simpson KGL, Butterworth Heinemann ISBN 9780080967813
3. IEC Standard 61508, 2010, Functional safety: safety related systems - 7 Parts.
4. IEC Standard 61511: Functional safety – safety instrumented systems for the process industry sector.
5. R2P2 “Reducing Risks, Protecting People, HSE’s decision making process”, HSE Books, 2001.
6. www.technis.org.uk
Copyright Technis 2011