It’s an interesting fact that many end users and engineering companies that I’ve talked to have not or do not undertake Functional Safety Assessments (FSAs). Why is this? My view is that many do not realize and/or understand the true purpose of and benefit of performing FSAs. The IEC61511 standard identifies 5 FSAs that should be performed with two of them being mandatory. Still, even the mandatory ones are not being conducted when they should be. For example, I was asked by one end user if we could quote to perform an FSA 3 (one of the mandatory FSAs) almost 1 year after starting production! For those who don’t know, the FSA 3 should be conducted prior to startup and not afterwards.
Therefore, what is the benefit of performing FSAs? The primary and fundamental purpose of performing an FSA is to help us identify and fix any systematic issues in the Safety Instrumented System (SIS) design before they become a real problem. They also provide the means for performing an independent cross-functional check on safety up to that point in the lifecycle. In other words, do we have what we need so far?
When I teach our FSE100 class I always emphasize the point that these FSAs are there for a reason and that reason is to help us maintain our risk mitigation via a reliable implementation of the SIS to the Safety Requirements Specification (SRS). Therefore, why would you not want to perform an FSA?
FSA1 is the first FSA that should be performed at the end of the Analysis Phase of the Safety Lifecycle once the initial (Process) SRS is defined. This will ensure that the Hazard and Risk Assessment was performed correctly and that the correct number of Safety Instrumented Functions (SIFs) have been defined for the SIS, together with the correct Safety Integrity Levels (SILs) defined. Here at exida, we often find that when doing SIL verification, the SIFs have been incorrectly identified and either there are too many, not enough or have the wrong SIL assigned. Another important point to remember is that the further along the lifecycle you go, the more expensive it becomes to fix problems.
FSA 2 should be performed at the end of the Design and Implementation Phase of the lifecycle and here again, very few engineering companies do this. Part of the problem is that engineering companies that I have spoken to do not have a defined Functional Safety Management System (FSMS) in place and do not have a Functional Safety Management Plan (FSMP) for the SIS implementation, which is now a requirement under edition 2 of IEC61511. The FSA 2 is to make sure the SIS and its SIFs meet all the SRS requirements up to that point and that the integration testing of the SIS Logic Solver with the Application Software has been properly validated via a Factory Acceptance Test (FAT) or equivalent. Part of the FSA 2 will be to witness this testing and review the results.
FSA 3 is required to be performed once the SIS has been installed and commissioned at site. This is sometimes conducted in parallel or as part of the Pre-Startup Safety Review (PSSR) that is required. This is a very important FSA because it is the very last check to make sure the as-designed, installed, and commissioned SIS and its SIFs meet ALL the requirements of the SRS, together with all the relevant Operation and Maintenance procedures in place for startup and operation. Unless this is done then we have no idea whether the SIS design has met all the requirements. Furthermore, unless the end user is self-insured, then they should check with their insurance company to ensure they will be covered if they start up without completing an FSA 3. We know that most accidents occur during startup and/or maintenance. Insurance companies are now becoming more aware of the need for conducting proper FSA 3 assessments.
FSA 4 is now a mandatory requirement under IEC61511 edition 2. The purpose of FSA 4 is to gather field data for use in comparing the original design goals with actual results. It should not be forgotten that the IEC61511 standard is a performance-based standard, therefore if we don’t measure our performance then how do we know we’re meeting our targets? This will require the identification of Key Performance Indicators (KPIs) that can be measured. The standard does not define the time interval to perform an FSA 4 and leaves it up to the end user as to how often this should be done. Here again, I have found that many end users do not and/or have not conducted FSA 4. The question is why?
The final FSA 5 should be done whenever any changes are required to be made to the SIS and its SIFs. This is where a safety impact analysis is conducted prior to the change to assess the impact on safety, if any, on the SIS and its SIFs. This is another FSA that isn’t always conducted. Again, why?
It should be remembered that most accidents are caused by some fundamental underlying systematic issues, whether due to poor safety culture, not following procedures, poor maintenance of the SIS and its SIFs, lack of training and/or competence, etc. The famous HSE study that was done in 1995 and again in 2003, identified the causes behind accidents involving control and safety systems, with 44% being due to bad specification and approx. 35% after installation. If implemented properly, FSAs can help in finding potential systematic problems before they can cause major problems.
One final thought is that, if implemented properly, functional safety management can help improve overall operational performance and cost. FSAs are a fundamental part of this and should be viewed as part of the “glue” that holds the SIS safety lifecycle together. By not conducting these we can become “unstuck” very quickly.
If this blog has been of interest, then look out for the upcoming webinar on this topic from exida.