How Safe is Safe Enough – Q&A

How Safe Is Safe Enough Webinar - Functional Safety Training - Engineering Safety Consultants


Our recent Webinar “How Safe is Safe Enough?”, which was held in collaboration with IChemE’s Process Management and Control “Safety and Loss Prevention Special Interest Groups”, proved to be a hot topic of discussion with an interesting array of comments and questions. As usual, time was short, so here are a few points on the issues that were raised.

If you were not able to attend the Webinar, the video is available to watch on our website:
How Safe Is Safe Enough – Webinar by Ron Bell

Is a Safety Instrumented Function (SIF) the best way to eliminate risk and prevent a hazardous event?

Although SIFs are designed to be effective in preventing and controlling hazards, they shouldn’t replace what is considered industry good practice with regard to the concept of inherent safety. After all, as Trevor Kletz [1] famously put it, ‘What you don’t have, can’t leak’. There is a general hierarchy which should be applied as good practice when designing processes; there are many variations, but in general it follows this order of priority:

  • Inherently Safer Design: Elimination, Substitution, Moderation and Simplification
  • Engineering Controls: Passive Controls and Active Controls (SIFs)
  • Administrative Controls: Procedures, Personnel Protection Equipment, Emergency Response etc.

Inevitably no chemical process will be without risk, but processes can be made safer by adopting good practice.

What is Safety Integrity Level (SIL) ‘0’?

The term ‘SIL 0’ or ‘SIL a’ is commonly used to describe the requirement of an instrumented system that is required to reduce the risk by a factor of ≤10. This indicates that although additional risk reduction is required, the necessary amount of risk reduction is below the SIL 1 range and is thus outside the remit of IEC 61508 [2] and IEC 61511 [3]. However, the view of the HSE [4] is that if the system is implementing a safety function, it should still be subject to certain provisions. For instance, there must be provisions in place for periodic inspection, maintenance and proof testing of the instrumented system.

Can the Basic Process Control System (BPCS) be SIL Rated?

As far as the IEC 61511 [3] standard goes, the maximum risk reduction that can be claimed for a BPCS is a factor of 10, which falls below the SIL 1 band. However, for a BPCS to carry out Safety Instrumented Functions (SIFs) of a specified SIL, you must manage, specify, design, maintain and operate the BPCS in accordance with the requirements in IEC 61511 [3]. This would make the BPCS a Safety Instrumented System (SIS).

Can Conditional Modifiers be applied to all operating modes?

Conditional Modifiers should be assessed for each specific operating mode, as they may be valid for one operating mode but not for another. For example, one of the most common issues relates to the Conditional Modifier ‘Occupancy’. During normal operation personnel may only be present 10% of the time; however, during start-up it is likely that the operators will be present for the entire operation, so the 10% occupancy Conditional Modifier is no longer applicable. The impact of this needs to be assessed, as it may leave you short of meeting the Target Risk and hence not achieving the Tolerable Risk, which is a legal requirement.
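As an added worked example (not from the webinar or from Engineering Safety Consultants), the occupancy point above and the earlier ‘SIL 0’ and BPCS answers can be put into numbers: the required risk reduction is worked out per operating mode, any BPCS credit is capped at a factor of 10, and the result is mapped to a SIL band. The demand rates, occupancy values and target frequency are constructed assumptions, not figures from the page.

```python
"""Required risk reduction and SIL band per operating mode (added worked example).
All scenario numbers below are constructed for illustration."""
import math
from dataclasses import dataclass

BPCS_MAX_RRF = 10.0  # IEC 61511: at most a factor of 10 may be claimed for a BPCS layer


@dataclass
class OperatingMode:
    name: str
    demand_rate: float          # initiating-event frequency in this mode, per year
    occupancy: float            # conditional modifier: fraction of demands with people exposed
    bpcs_claimed_rrf: float     # risk reduction the designer would like to claim for a BPCS trip
    other_ipl_rrf: float = 1.0  # combined credit from other non-SIF protection layers


def bpcs_credit(claimed_rrf: float) -> float:
    """A BPCS never earns more than a factor of 10 unless it is engineered as an SIS."""
    return min(claimed_rrf, BPCS_MAX_RRF)


def required_rrf(mode: OperatingMode, target_frequency: float) -> float:
    """Risk reduction the SIF must deliver for this mode to meet the target event frequency."""
    layers = bpcs_credit(mode.bpcs_claimed_rrf) * mode.other_ipl_rrf
    residual = mode.demand_rate * mode.occupancy / layers
    return max(residual / target_frequency, 1.0)


def sil_band(rrf: float) -> int:
    """IEC 61508 low-demand bands: RRF 10-100 -> SIL 1, 100-1000 -> SIL 2, 1000-10000 -> SIL 3,
    10000-100000 -> SIL 4. RRF <= 10 is below SIL 1 (the 'SIL 0' / 'SIL a' case)."""
    sil = math.ceil(math.log10(rrf)) - 1
    if sil > 4:
        raise ValueError("required RRF exceeds SIL 4: redesign for inherent safety, not a SIF")
    return max(sil, 0)


def assess(modes, target_frequency):
    """Return {mode name: (required RRF, SIL band)}; the SIF must satisfy the most demanding mode."""
    result = {}
    for m in modes:
        rrf = required_rrf(m, target_frequency)
        result[m.name] = (rrf, sil_band(rrf))
    return result


# Constructed scenario: target 2e-5/yr; normal operation 10% occupied, start-up 100% occupied.
MODES = [
    OperatingMode("normal", demand_rate=0.1, occupancy=0.1, bpcs_claimed_rrf=100.0),
    OperatingMode("start-up", demand_rate=0.05, occupancy=1.0, bpcs_claimed_rrf=100.0),
]

if __name__ == "__main__":
    for name, (rrf, sil) in assess(MODES, 2e-5).items():
        print(f"{name:9s} required RRF {rrf:7.1f} -> {'SIL ' + str(sil) if sil else 'below SIL 1'}")
```

With the BPCS credit capped at 10, normal operation needs an RRF of 50 (SIL 1) while start-up needs 250 (SIL 2); sizing the SIF on the 10% occupancy figure alone would leave the start-up mode short of the target.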

How do you design a ‘SIL rated device’?

Firstly, there is no such concept as a ‘SIL rated device’. This term is sometimes used to characterise a device that has been developed to meet the requirements of IEC 61508 [2] and is to be used in a SIS to carry out a SIF in accordance with IEC 61511. Simply put, the device must meet the SIL requirements both in terms of random hardware failures and Systematic Failures. IEC 61508 addresses these two types of failure as follows:

  • Random Hardware Failures: uses reliability modelling techniques to quantify the dangerous failures to meet the specified SIL; and,
  • Systematic Failures: specifies techniques and measures which should be implemented to avoid and/or control systematic failures to meet the requirements of a specified SIL. If the measures and techniques applied are suitable for a SIF of SIL 1 then the device is said to have a Systematic Capability (SC) of 1.

Engineering Safety Consultants run a 3 day TÜV accredited Safety Instrumented Systems course which provides an in-depth understanding of the requirements of IEC 61508 and IEC 61511 and the fundamentals for achieving and maintaining functional safety.

[1] CCPS, Inherently Safer Chemical Processes: A Life Cycle Approach, Second Edition, 2009, ISBN 978-0471-77892-9
[2] IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
[3] IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector
[4] UK HSE Document: Management of Instrumented Systems Providing Safety Functions of Low/Undefined Safety Integrity, Oct 2014