
Blog - exida explains

Iwan van Beurden
Director of Software Engineering

Analysis and Realization: Done. Let’s Start Operation… What’s Next?

Monday, July 23, 2012

Congratulations! You’ve completed the Analysis and Realization phases of the Safety Lifecycle, and are about to begin the Operation phase, but what’s next? Well obviously you need to do proof testing, but is there anything else? You may be familiar with the figure below:

The functional safety standards require that you record any demands and failures that occur during normal operation, as well as the results of all your proof testing. Furthermore, you are expected to periodically compare your actual performance with your assumed performance. In other words, do demands occur as frequently as you expected? More frequent means that the risk is higher than you had estimated; less frequent means the actual…

Software • (0) Comments

Steve Close
Senior Safety Engineer

Why should I get my mechanical device certified per IEC 61508?

Thursday, July 12, 2012

I was recently approached with a question regarding why it would be necessary to certify mechanical devices, such as valves, per IEC 61508 when it is not clearly stated in the standard that the standard is applicable to such devices. After looking through IEC 61511 and IEC 61508 regarding the application of the standards to mechanical components, I came to the conclusion that mechanical components are not specifically mentioned but are also not specifically excluded from the requirements of the standards.

The IEC has addressed this very issue in a FAQ for Edition 2 of 61508.  The question posed was “How does IEC 61508 apply where E/E/PE technology makes up only a small part of the safety-related system?”  The…

Functional Safety Certification • (0) Comments

Hal Thomas, CFSE
Principal Partner

Relating Test Data to Operating Modes & “Proven in Use”

Friday, June 29, 2012

Everyone wants data, and generally everyone agrees high quality proven in use data is the best. Properly designed experimental testing is one means to simulate actual operation. That is what we all learned as far back as high school during our chemistry and physics labs. These tests can be set up by manufacturers or end users.

For end users, they need to leverage a good quality assurance plan that ensures capture of inspection, repair, and test data. A good place to start looking at how to do this is by checking into the Center for Chemical Process Safety Process Equipment Reliability Database (PERD) initiative.

It is a little more difficult for manufacturers. They do…

Failure Data • (0) Comments

John Cusimano, CFSE
Director of Security Services

A False Sense of Security

Thursday, June 21, 2012

About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, skyscrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.

I was brought to the facility by a control system integrator who had been working onsite and had concerns about the cyber security of the control and safety systems and the potential risk that it represented.  They wanted me to discuss options…

Control System Security • (0) Comments

John Yozalinas
Senior Safety Engineer

(Almost) FREE Security Training

Thursday, June 07, 2012

The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your travel…

Control System Security • (0) Comments

Dr. William Goble, CFSE
Principal Partner

DANGER, DANGER, DANGER!

Thursday, May 31, 2012

Assumed 10 Demands Per Year

During a SIF verification calculation review this week, the engineer pulled out a safety certificate with very low failure rates for a solenoid valve. Certificate No. V139 2009 C4-4 [1] states that a solenoid valve has a dangerous failure rate of 4.57E-10 failures per hour. The exida safety certificate for this same solenoid valve shows a dangerous failure rate of 1.88E-7. The ratio of these numbers is over 400X! How can this be?

The key is a statement on V139 2009 C4-4 which states “Assumed demand rate per year / 10.”  What process industry application has a demand rate of at least 10 times per year?  Every company I know of would re-design…

Failure Data • Functional Safety Certification • (0) Comments

Michael Medoff, CFSE, CISA
Functional Safety & Security Engineer

“Building Security In”

Thursday, May 24, 2012

Cyber Security continues to be a big problem for the world at large and for control systems specifically. The amount of time and effort that it can take to simply keep all of the security patches up to date on a large control system can be mind boggling. No matter how up-to-date the security patches are, however, and no matter how well the network was designed, there will still be security vulnerabilities in the system. Why is this? This is because of the large number of security vulnerabilities in the underlying software used throughout the system.

At the time when most of today’s control systems were developed, the software engineers were not aware of the root causes of security…

Control System Security • (0) Comments

Dr. William Goble, CFSE
Principal Partner

The Battle of the Failure Rates

Thursday, May 17, 2012

Site Specific vs. Product Specific

During a field failure analysis study, it was discovered that the calculated failure rate of a specific device varied by more than 4X depending on installation site. In particular, it was one specific site that had a high failure rate. Any reliability engineer would say, of course, that the environment is different; the stress factors are different. But in this study the environments were almost identical! What is going on here?

An engineer visited the site with the high failure rates, and one member of the maintenance team demonstrated the test process. A DC input module was stimulated with a 115 VAC power plug. As one might expect, every module tested failed, often with a puff of black…

Failure Data • (0) Comments

Dr. William Goble, CFSE
Principal Partner

I Don’t Want No D*** Diagnostics!

Friday, May 04, 2012

After a false trip incident, I heard a control engineer express his displeasure with the automatic diagnostics in a new safety rated transmitter. The transmitter diagnostics were annunciated by sending the analog current out of range. In this case, the current went to 3.6 milliamps. The problem was that the logic solver was configured for a low trip and did not recognize out of range signals as a diagnostic alarm. It interpreted the signal as a trip condition. The safety instrumented function (SIF) worked perfectly. It did the job for which it was programmed.

I can see how the diagnostics are blamed for the problem, but how could anyone not want a product that can tell them when it fails? …

Failure Data • (1) Comments

Dr. Eric Scharpf
Principal Partner

The Safety Lifecycle as a Risk Control Loop

Thursday, April 26, 2012

I have been doing a number of recent projects introducing the safety lifecycle to companies that are new to the field. As a result I have been playing with various ways to think about the overall safety lifecycle philosophy. As many of the more experienced readers are aware, the overall safety lifecycle ideas are not new. But, it is worth looking at these ideas in a variety of ways to ensure we are implementing them as effectively and clearly as possible.

Today’s blog supports this goal. It presents the safety lifecycle as a basic feedback and control loop to achieve a set point value for risk as shown in the figure.

In this risk management…

Risk Communication • (0) Comments

Chris O'Brien
Partner

Too Good to be True

Friday, April 13, 2012

A.K.A You’re About to Severely Under-Design your SIF and Put your People at Risk.

Twice this week alone, and much more often than I like to remember, I’ve had safety system designers blindly follow certificates that contain data that simply cannot be true. They get a certificate from an equipment supplier, stamped by a 3rd party assessor, that states the valve or actuator can meet SIL 3 requirements with no redundancy. One certificate actually listed the dangerous failure rate at 3.06 FITS for a scotch yoke actuator, which translates into an average of one dangerous failure in over 37,000 years! Any experienced safety or process engineer should know from experience that this type of performance is not even close…

Functional Safety Certification • (0) Comments

Todd Stauffer
Director of Alarm Management Services

To Be an Alarm…Or Not to Be?

Thursday, March 22, 2012

That is the question.

When your alarm does not meet the definition as defined in the ISA-18.2 standard and/or the criteria established in your alarm philosophy document, it is not an alarm.

By ISA-18.2 definition, “an alarm is an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a response.” This means that alarms should only be used to indicate when something is wrong (not an expected event) and that if a (timely) operator response is not required (other than acknowledging it), then the point should not be an alarm.

How about “alarms” that don’t meet the definition for being an alarm? These are called “non-alarms.” The…

Alarm Management • (0) Comments

John Yozalinas
Senior Safety Engineer

We’re Only Human

Thursday, March 15, 2012

We’re only human. Most of the time, that is a good thing. But humans seem to accept more risk over time when nothing bad has happened. We lose our vigilance. We take more chances. A close call might only be remembered as an unusually rare anomaly instead of a call to action.

I was on a flight from PHL to PHX recently. The flight had taken off late for a number of reasons. The pilot tried to keep passengers informed about the estimated arrival time because many folks had tight connecting flights. I got the sense that the pilot was very intent to arrive as soon as possible. As we finally approached the landing strip, our wheels no sooner…

Functional Safety Certification • (0) Comments

Todd Stauffer
Director of Alarm Management Services

Do you have class?

Thursday, March 08, 2012

Are alarm classes defined in your alarm philosophy document (APD) as required by the ISA-18.2 standard? The use of classes (classification) is a new alarm management concept for many. If your APD was created before June 2009, chances are alarm classes are not defined.

Alarm classification is a method for organizing alarms based on common characteristics and requirements (e.g., testing, training, management of change, reporting). Certainly an alarm that is identified as a safeguard in a hazard and operability study (HAZOP), or as an independent protection layer (IPL) in a LOPA, will have more stringent requirements for testing and operator training than the “average” process alarm. Classification helps to manage groups of alarms and ensure that their unique requirements are being…

Alarm Management • (0) Comments

John Yozalinas
Senior Safety Engineer

7 Ways to Keep your Auditor Happy

Thursday, February 23, 2012

1. Name your files to make auditing easier; a filename with cryptic job numbers and abbreviations that are used within the company may not be easily understood or cataloged by an auditor

2. Give the auditor the ‘secret decoder ring’ for cryptic company acronyms and abbreviations

3. Have clear references to connect the dots between documents. Most people don’t want to duplicate information in multiple documents, but references to another document should relate to a particular section in the reference

4. Have a hierarchy to your documents

5. Don’t drown your auditor in paperwork; piecemeal feeding by topic works better

6. Identify and record action items and show follow-up to resolutions

7. Notify the auditor promptly when document revisions occur…

Functional Safety Certification • (0) Comments

Page 4 of 7 pages

Copyright 2000 - 2013 exida.com LLC