Blog - exida explains

John Yozalinas
Senior Safety Engineer

What is So Important About Derating?

Thursday, April 28, 2011

Viewed 2821 times

Some designs push their operating specifications right up to the limit of the components in the system or device. (Let’s not talk about the designs that try to spec a limit that is beyond the capability of one or more components… phooey on them!) And if you make a product that is not used in a critical application or in environmental extremes, this may not be a big deal. But in the safety world, we’re better than that! Not only should you keep the operating specs below the limits of the components, you should keep the specs at a comfortable margin below those limits. IEC 61508-2 suggests (but does not mandate) a two-thirds derating factor be applied to components of…

Functional Safety Certification • (2) Comments

Dr. Eric Scharpf
Principal Partner

Lifecycle Analysis: It’s Worth the Effort

Monday, April 18, 2011

Viewed 1993 times

Performing a risk analysis as part of an IEC 61508/61511/ISA 84.01 safety lifecycle process can be quite challenging. How can you be sure you get what you need within budget, and how can your team provide the best value for money? When these services are brought in from outside, it can be difficult to see high quality and the value of that quality in advance. But it is almost always easy to see the cost. Also, the buying decision is often based on the project requirements rather than the requirements over the overall life of the plant. As a result, this situation can easily lead to a lower quality risk analysis. This problem is what classical economics calls “the market for lemons,” and…

Risk Communication • (1) Comments

Iwan van Beurden
Director of Software Engineering

Functional Safety and Taxes: Are you an expert?

Friday, April 15, 2011

Viewed 1957 times

Today, April 15th, is tax day in the US. OK, the Internal Revenue Service (IRS) has given us a few extra days this year (the tax filing deadline is not until April 18th).

There are a lot of similarities between how you do your taxes and how you handle your functional safety.  As for filing taxes, some choose to:

• Hire an accountant (3rd party)
• Buy a software program to guide them through the process
• Manually complete the required tax forms

When it comes to functional safety, I see the same approach. There are end-users (owners/operators) that:

• Hire a 3rd party to assist
• Buy a software program
• Use an…

Functional Safety Certification • (0) Comments

John Yozalinas
Senior Safety Engineer

Stepping stones to SIL 3

Thursday, April 14, 2011

Viewed 4001 times

Imagine. Marketing has just approached the engineering department and said your new safety product must have SIL 3 Capable certification instead of SIL 2 to be successful. You are in the engineering group developing this new product. Now what?

Let’s assume that the “change request” makes sense and has been approved for the product. This is an important first step, as changes in requirements and scope creep can wreak havoc on a project. It’s also important to demonstrate that your modification process meets the 61508 requirements. Remember, you don’t want to operate outside the safety lifecycle!

Some of the main differences between SIL ratings involve:

• Hardware Fault Tolerance (HFT)
• Safe Failure Fraction (SFF)
• the techniques…

Functional Safety Certification • (2) Comments

Todd Stauffer
Director of Alarm Management Services

Claiming alarms as an independent protection layer (IPL)

Tuesday, April 12, 2011

Viewed 3809 times

An interesting question arose recently when creating an FSM plan:

Does the ISA-18.2 standard on alarm management address the claiming of the operator’s response to alarms as a layer of protection?

Not specifically; however, the ISA-18.2 standard does require that alarms be rationalized, and that alarm system performance be measured and judged against recommended metrics. Both activities in the alarm management lifecycle directly impact the dependability of the operator’s response to alarms as an IPL. Remember, an IPL must be:

• Specific
• Auditable
• Independent
• Dependable

An unrationalized system is likely to have too many alarms, incorrect priorities, and alarms without an operator response. A system without a monitoring and assessment program is…

Alarm Management • (1) Comments

Dr. William Goble, CFSE
Principal Partner

Certified to SIL 4 - Cycle Test Failure Data is Dangerous

Thursday, April 07, 2011

Viewed 3756 times

I got a copy of the IEC 61508 certificate for a solenoid valve today from an engineer who thought something was wrong. Although the certificate was from a well known certification company, the certificate gave a “Dangerous Failure Rate” of 1.7 FITs (1.7 × 10^-9 failures per hour). This is less than the value for a simple electrical resistor! Indeed something seems quite wrong.

The report for the certificate explained how a “Cycle Test” was used to determine the random failure rate. A number of solenoids were put on test and cycled until 12,000,000 total successful cycles were completed. It was then assumed that the “probability of failure of the safety function on demand” was less than 1/12,000,000. Assuming a…

Failure Data • (1) Comments

Dr. William Goble, CFSE
Principal Partner

Getting Good Proof Test Coverage Numbers

Tuesday, April 05, 2011

Viewed 5906 times

Several years ago we recognized that proof test coverage was an important variable that must be considered when doing PFDavg calculations. We ran some models and discovered that the difference between “perfect” proof test coverage (100%) and a very good 90% could mean a whole SIL level in the result. The first question I ask is “Why do some engineers still use simplified equations that assume perfect proof test coverage?” Unfortunately the answer I get when I ask them is a question: “What is proof test coverage?” Not a good sign that those doing the work have the competency needed. But that is another topic for another blog.

Given that proof test coverage is so important, how are good numbers…

Proof Testing • (2) Comments

Dr. William Goble, CFSE
Principal Partner

What’s the Risk?

Monday, April 04, 2011

Viewed 3048 times

As safety professionals, it is our duty to attempt to educate and explain to the public.  Perhaps the biggest challenge is to explain the concept of risk.  Many times after an accident we have heard a politician say something like “We will do whatever it takes to make sure this never happens again.”  There seems to be no analysis of risk versus cost. Sometimes resources are expended far beyond the risk, and sometimes little is done to prevent future accidents. 

The politicians and the public clearly view risk differently than safety professionals. For example, last year my company car was a Toyota Prius. I read reports and even had an email discussion with someone who had a “sudden unintended…

Risk Communication • (0) Comments

Todd Stauffer
Director of Alarm Management Services

A look into the control room of the Fukushima Dai-Ichi Unit 2 reactor!

Wednesday, March 30, 2011

Viewed 5321 times

I came across an interesting blog post the other day…

Talk about operating blind.  A great picture shows the status of the control room in the Fukushima Dai-Ichi Unit 2 reactor…Nothing is working (besides the lights)!

All of the computer monitors are blank. The clock is dead. None of the equipment status lights and gauges appear to be functional. None of the annunciator windows are lit—and the plant is far from a condition where no parameters are in alarm status.

Compare this to the picture of the NRC’s Boiling Water Reactor (BWR) Control Room simulator (taken in 2009).

It seems as though control rooms in the US Nuclear industry…

Alarm Management • (0) Comments

Todd Stauffer
Director of Alarm Management Services

Rationalize Your Alarm Management Problems Away

Tuesday, March 22, 2011

Viewed 5639 times

Alarm Overload…Nuisance Alarms…Alarm Floods…Incorrectly Prioritized Alarms…. These alarm management problems are all too common in the modern Distributed Control System (DCS).

Why is this? In the “olden” days (read panel boards and alarm lightboxes), there was considerable thought put into what alarms were necessary because there was limited real estate available and an actual cost to implementing them (approx. $1000 per alarm). Fast forward to today when alarms are “free.” The modern DCS provides alarms galore. A typical analog indication block provides:

• High
• High-high
• Low
• Low-low
• Rate-of-change
• PVBad
• More alarms out-of-the box

It’s simple to enable all alarms available without considering which are really required.…

Alarm Management • (0) Comments

John Cusimano, CFSE
Director of Security Services

The Real Impact of Stuxnet

Tuesday, March 15, 2011

Viewed 6127 times

Stuxnet has, rightly, generated a significant amount of discussion and concern within the industrial automation community. Fortunately, unless you operate a uranium enrichment facility using Siemens S7 PLCs and some very specific variable frequency drives (VFDs), you probably haven’t been directly impacted by the Stuxnet virus. However, that doesn’t lessen the concern that variants of Stuxnet or “the next Stuxnet” will not be as targeted and may impact a much broader range of industrial applications.

So, in my opinion the “real” impact of Stuxnet is that it has opened the eyes of many who were either unaware of the dangers of control system insecurity or those that were aware but dismissed the issue as unrealistic.  Ironically, this…

Control System Security • (0) Comments

Dr. William Goble, CFSE
Principal Partner

Counterfeit Certificate!

Tuesday, March 08, 2011

Viewed 7739 times

I am told that plagiarism is a compliment. Since exida is the leading company for IEC 61508 certifications I suppose it was bound to happen. Well it did. exida got an email from our sales representative in China. He asked why this certificate was not listed on the exida Safety Automation Equipment List. An electronic copy of the certificate was sent to me. It was easy to spot that the certificate was forged. Looking closely I see they did a good job. The fonts and spacing were pretty good. But I recognized that this particular certificate was from another customer, Virgo. Virgo has gone through the effort of having their engineering process and manufacturing process audited and inspected. They demonstrated…

Functional Safety Certification • (0) Comments

Dr. William Goble, CFSE
Principal Partner

Tales from the Certification Wars - Who certifies the certification agency?

Friday, March 04, 2011

Viewed 6613 times

I have often heard the question “Who says they can issue a certification?”  This is often accompanied by “Why can’t I certify my own product?”  “Who knows our design better than we do?” Good questions.

The IEC 61508 standard does not require certified products for Functional Safety.  However, competency is required and “independent assessment” is required for higher SIL levels.  So what is happening in the market?

Some companies self-certify their products. I have seen certificates usually signed by their quality manager declaring “Suitable for SIL X,” or such language.  I recently asked about the procedure used. This particular manufacturer spoke with a few dozen of their customers and asked if the product was working well.  One had been designing…

Functional Safety Certification • (0) Comments

Dr. William Goble, CFSE
Principal Partner

Tales from the Certification Wars - Proven In Use versus Certification

Friday, March 04, 2011

Viewed 7205 times

There have been passionate debates in email and meetings about “Proven In Use” versus IEC 61508 certification. Most debates characterized these evaluation techniques as competing methods. In 2000, when IEC 61511 was being written, there were few IEC 61508 certified products on the market. The alternative justification technique of “proven in use” was often the only option. Fortunately time brings knowledge and progress. More than a decade later, there are hundreds of PLC products, process sensors, and final element products available with IEC 61508 certification (see http://www.sael-online.com). But a question still remains: “Does an IEC 61508 certified product need to be proven in use?”

Safety design is serious. Design mistakes could result in an accident. One must select equipment that…

Functional Safety Certification • (3) Comments

Copyright 2000 - 2012 exida.com LLC