Safety and productivity at process plants suffer because too many engineers believe myths concerning design, implementation and operation of safety instrumented systems (SISs). So, let's dispel the leading myths.
1. Using certified equipment and personnel ensures a safe system. The IEC 61511 international standard doesn't even use the word "certified." There's no requirement for certified equipment or personnel. However, a lot of companies sell safety certification services for both equipment and personnel.
It's important to remember that certification is no substitute for experience, specifically prior-use history for equipment and project background for personnel. Many mistakenly seem to think that taking a certification class makes them an instant expert in the safety lifecycle. Questions and comments on safety discussion lists posted by certified but inexperienced people underscore this fallacy on a weekly basis. Likewise, buying parts with certification to a SIL 3 Claim Limit isn't sufficient to fulfil SIL 3 requirements for a safety function.
For field equipment, the selection guidance in ISA-TR84.00.04 Annex L emphasizes the importance of understanding how well equipment works in the operating environment under its specific mechanical integrity (MI) program. Certified equipment may appear acceptable, but you can't assume it will perform dependably in the field.
Simply put, certification is no substitute for experience.
2. Failure detection is more important than failure prevention. The IEC 61508 international standard emphasizes the need to identify and correct dangerous failures that increase the potential for an incident or a near-miss — but short-changes failure prevention. While detecting failures is extremely important, a better approach is to design the SIS with a low total failure rate. This minimizes work orders, spurious trips and the effort required to restore normal operation.
IEC 61508 favors equipment with high diagnostic coverage over equipment with a low failure rate. If Device A has a mean time between failures (MTBF) of 5,000 years with all its failures being dangerous undetected, and Device B has an MTBF of 5 years with 99.9% diagnostic coverage, the IEC 61508 Safe Failure Fraction calculation would rate Device B as the better device.
Thus, IEC 61508 rewards equipment for failing detected rather than working. The failure rate of Device A would meet SIL 3 with minimal spurious trips but, because of its low safe failure fraction, it couldn't be certified above SIL 1. Device B would generate many work orders and significantly increase the potential for spurious trips but could be certified to SIL 3 due to its high safe failure fraction.
Go ahead and use Device A in an SIL 3 function if it is the right device for your process.
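To make the Device A versus Device B argument concrete, the following is an added worked example (not from the article) that runs the two figures above through both views of "good enough": the Safe Failure Fraction and the architectural-constraint table on one side, and the average probability of failure on demand (PFDavg) on the other. It assumes, beyond what the article states, that every failure of both devices is dangerous (so Device B's 99.9% diagnostic coverage turns 99.9% of them into dangerous-detected failures), a 1oo1 architecture with a 2-year proof-test interval, the simplified PFDavg = λDU × TI / 2 formula, and the IEC 61508-2 Route 1H table for a Type A element with hardware fault tolerance 0. The names `Device`, `compare` and the helper functions are mine.

```python
"""Worked Device A / Device B comparison from the Safe Failure Fraction example.

Added example, not code from the article. Assumptions (mine, not the article's):
all failures are dangerous, 1oo1 architecture, 2-year proof test, simplified
PFDavg formula, Route 1H architectural constraints for a Type A element, HFT = 0.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    mtbf_years: float           # mean time between failures, all failure modes
    diagnostic_coverage: float  # fraction of dangerous failures the diagnostics catch
    safe_fraction: float = 0.0  # fraction of failures that are safe (assumed 0 here)

    @property
    def total_rate(self) -> float:
        """Total failure rate in failures per year (1 / MTBF)."""
        return 1.0 / self.mtbf_years

    @property
    def lambda_s(self) -> float:
        return self.total_rate * self.safe_fraction

    @property
    def lambda_dd(self) -> float:
        """Dangerous detected rate: dangerous failures the diagnostics report."""
        return self.total_rate * (1.0 - self.safe_fraction) * self.diagnostic_coverage

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected rate: the part only a proof test finds."""
        return self.total_rate * (1.0 - self.safe_fraction) * (1.0 - self.diagnostic_coverage)


def safe_failure_fraction(d: Device) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (d.lambda_s + d.lambda_dd) / (d.lambda_s + d.lambda_dd + d.lambda_du)


def pfd_avg_1oo1(d: Device, proof_test_interval_years: float) -> float:
    """Simplified 1oo1 PFDavg ~= lambda_DU * TI / 2.

    Ignores repair time and the small contribution of detected failures
    while the device is being repaired (assumption of this example).
    """
    return d.lambda_du * proof_test_interval_years / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL bands (IEC 61508-1); 0 means worse than SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def sil_from_sff_type_a_hft0(sff: float) -> int:
    """Route 1H architectural constraint, Type A element, HFT = 0 (IEC 61508-2)."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3  # 90 % and above, including >= 99 %, is capped at SIL 3 with HFT 0


def compare(devices, proof_test_interval_years: float) -> dict:
    """Per-device metrics so the SFF view and the PFD view can be set side by side."""
    out = {}
    for d in devices:
        sff = safe_failure_fraction(d)
        pfd = pfd_avg_1oo1(d, proof_test_interval_years)
        out[d.name] = {
            "sff": sff,
            "pfd_avg": pfd,
            "sil_by_pfd": sil_from_pfd(pfd),
            "sil_by_sff": sil_from_sff_type_a_hft0(sff),
            # every detected failure is a work order and a potential spurious trip
            "detected_failures_per_year": d.lambda_dd,
        }
    return out


# The two devices from the article's example (constructed inputs).
DEVICE_A = Device("Device A", mtbf_years=5000.0, diagnostic_coverage=0.0)
DEVICE_B = Device("Device B", mtbf_years=5.0, diagnostic_coverage=0.999)

if __name__ == "__main__":
    for name, m in compare([DEVICE_A, DEVICE_B], proof_test_interval_years=2.0).items():
        print(f"{name}: SFF={m['sff']:.3f}  PFDavg={m['pfd_avg']:.1e}  "
              f"SIL by PFD={m['sil_by_pfd']}  SIL by SFF (HFT 0)={m['sil_by_sff']}  "
              f"detected failures/yr={m['detected_failures_per_year']:.4f}")
```

Under these assumptions both devices have the same dangerous undetected rate (2 × 10⁻⁴ per year) and therefore the same PFDavg and the same SIL 3 by probability of failure on demand; the SFF calculation nevertheless ranks Device A at SIL 1 (SFF = 0) and Device B at SIL 3 (SFF = 0.999). The price of Device B's higher SFF is visible in the last column: about 0.2 detected failures per device per year, which across a plant with a few hundred such devices is a steady stream of work orders and trip exposure that Device A never generates.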
3. Vendor-supplied diagnostics can detect all dangerous failures. Often, vendor-supplied diagnostics cover only failures in the device's electronics, not failures at the process interface. Some diagnostics can detect special conditions like magnetic-flow-meter probe coating.
Unfortunately, in most cases you can't know whether the vendor diagnostics are even working, because there is no means to test them. Verification and validation of vendor diagnostic claims and the associated data are currently under discussion at the IEC 61511 and ISA-TR84.00.03 working group meetings.