Entering a new era of functional safety
20 Nov 2007
London - The IEC 61508 and IEC 61511 functional safety standards are steadily taking root in the process industries worldwide, according to industry experts. Adoption, however, is presenting a number of commercial, technical and legal issues for operators charged with ensuring the safety of their facilities.
Presenters at a recent Safety Users Group (SUG) conference in London highlighted how growing adoption of the standards is fostering a new safety culture via a complete safety-loop approach, which goes all the way from the sensor to the systems that shut down the plant safely.
This risk-assessment-based approach, in tandem with the changes being driven by the official reports into the BP Texas City and Buncefield incidents, is providing the process industries with a much better basis for achieving safety. Going forward, speakers emphasised, the process must further involve people at every level of the organisation.
However, the conference also highlighted the challenges faced by end-users and suppliers in the process industries, not least in properly understanding the full requirements of the standards.
“A lot of people are lost in the jungle of safety. They talk about things like SIL [Safety Integrity Level], but when they come to order a safety system they give a specification that does not tell the full story,” said Tino Vande Capelle, director of the functional safety consultancy, Hima, based in Bruehl, Germany. “So when we start to try and build the system we almost have no chance to give them what they really need.”
The Hima consultant went on to describe safety requirement documentation as “the big crack” in the safety industry today, commenting that 90-95% of all projects are falling down in this regard.
Under IEC 61511, a safety requirement specification (SRS) document is required to provide a summary of key decisions that must be made prior to the conceptual design. This is meant to define the envelope of the Safety Instrumented System (SIS) design and encompasses both safety functional and safety integrity requirements.
The SRS, said Capelle, “is still a very poor document” that is leading end-users into blindly believing what sales people are telling them. In particular, he said, the prior-in-use [proof-in-use] clause of IEC 61511 is being widely abused by certain manufacturers.
“If you even started to read between the lines of the failure data from some vendors, you would be afraid to go near the plant. End-users should not blindly believe a piece of paper without proper evidence,” said Capelle. Some manufacturers, he explained, have a long list of instruments installed worldwide that have never had a problem for the last 10 years. But, he said, this information will be misleading to a client with a plant in the Middle East if these installations are all operating in Siberia.
Thomas Steiner, business development manager, Delta V SIS, at Emerson Process Management EMEA, concurred: “Suppliers should not claim prior in use. That is the end-user’s obligation, as he has evidence to prove how successfully this device operated for a certain temperature range etc, but when it really gets used in the industry there is a different environment.”
On a similar note, Dr Michel Houtermans, safety management consultant at Risknowlogy BV, emphasised the increasingly important need for accurate documentation under the new standards. “If the end-user doesn’t give the engineers and systems integrators the right documentation they don’t build the right safety system.”
Underlining the point, the Risknowlogy expert is currently acting as an expert witness in three separate court cases in which end-users and suppliers are suing each other over issues of compliance with the standards. These cases, said Houtermans, were his first ever involvement in such legal disputes in 13 years of business.
“People are taking it much more seriously and have much more understanding. Suddenly they have realised, hey I have hired you for this task because you gave me the lowest price and said you could do it. Now you don’t know how to do it. This is causing many problems at the moment,” he asserted.
Another emerging issue around the standards relates to the position of certification bodies such as TÜV Rheinland. IEC 61508 (part 1 clause 6) specifies functional safety management as a requirement, and yet TÜV and other certification bodies have promoted product certification, even though the standard doesn’t require this for anything other than the PLC.
“Businesses are now waking up to the demand for the management of safety to be covered and to new HSE guidelines calling for competency management for safety systems,” said one UK-based observer, noting that the UKAS-accredited CASS method is the only scheme that currently covers this area.
At the London SUG conference this issue was described as an increasingly important commercial matter.
“If you want to provide a bid to a company but don’t meet the competence requirements, then you are off the bid list,” said Ron Bell of Ron Bell Consulting and a former HSE expert, who chaired an IEC working group responsible for developing IEC 61508. Industry increasingly needs to know how one country’s scheme compares with another’s and how the TÜV scheme compares with other schemes, said Bell, who currently chairs one of two teams responsible for revising IEC 61508.
For his part, Houtermans noted how the certification companies themselves set the original competency criteria as there were no rules to start with. They then discussed their own-developed rules with industry prior to having them accepted.
“But no one is checking whether TÜV’s rules are good rules … Now that is going to change a little bit. The new standards are going to set rules so that if you are going to check someone’s company you have to [meet certain requirements],” the Swiss-based expert said.
Likewise, Bell saw a need for new ground rules towards establishing an overall competence framework throughout Europe and worldwide. End-users, he said, would be better served by everybody agreeing on what is required and what kind of tasks to do, rather than by competing schemes. “There is still a debate about whether the IEC could take that on board and develop some overall scheme,” said Bell.
However, the various challenges currently presented by IEC 61508 and IEC 61511 should be kept in perspective against a background of fundamental improvement that the standards are generating in the process sector.
As Bell put it: “Within the process chemical sector there is a lot of knowledge about this topic. People know about this standard, increasingly so. Yes, there are issues about whether people are doing it correctly, whether people are selling products correctly identified, but at least you can see that there is a process by which that will get better.”
Bell went on to note that IEC 61508/61511 is not being adopted so widely outside the process industries, particularly in some of the utility sectors, due in part to the different regulatory regimes in these areas. “In the UK, the regulatory regime that inspects process chemicals plants comes within HSE, which has got a very strong view about IEC 61508 and is pushing down that sort of line.”
Process industry attendees at functional safety seminars and training courses are almost invariably C&I (control & instrumentation) engineers, said Bell. Chemical engineers who make the biggest input into SIL and hazard and risk analyses at process plants are more noticeable by their absence, he said.
“We run a course and invariably it is the control and instrumentation people; you can bet that 90-95% of people from the process industries will be C&I engineers. You can get people from Huntsman, ICI and BP but, again, you will invariably find that those who want to talk about SIL determination are C&I people,” said Bell, speaking to PE. “That’s great but what I would like is for the chemical engineers to come along.”
Bell suggested that this situation might have arisen because chemical engineers regard SIL as a C&I issue whereas, in fact, SIL determination is all about hazard and risk analysis.
“Process chemical engineers are the experts in hazard analysis of their plants,” Bell stressed. “It is important that they understand what the concept of SIL is because it could be applied to other layers of protection, other mechanical systems. It is just a performance level.”
Against this, Andrew Furlong, IChemE director of policy and communication, said in a written statement: “To suggest that chemical engineers are failing to contribute to such issues is both inaccurate and misleading.” The IChemE, he added, runs “highly successful” courses, seminars and training events dedicated to SIL determination and various hazard and risk related themes.
Bell’s views were, however, reinforced by Clive de Salis, who was the first chair of the UK’s 61508 Association, which organised the launch of the standard for chemical engineers on behalf of the IChemE process control subject group. While most grass-roots engineers are interested in the standard, at a more senior level the interest has only been “luke-warm,” according to de Salis. Consequently, much of the promotional effort in the chemical engineering sector has been sparse and, in some cases, misleading.
The industry expert noted how a presentation entitled “Tell me again — why did you give 61508 to the instrument engineer?” has struck a popular note within process companies across Europe. This, he said, is principally because it explains how SIL assessment is a team exercise led by the process chemical engineers.
“It is process engineers that determine four out of the seven layers of safety to be considered in a SIL assessment and so it is process engineers that ought naturally to take a lead role. Yet it is electrical engineers, the IET, that have taken the lead role for the standard and the IChemE has not really engaged fully with the standard,” de Salis claimed.