
Blow it up and they will come

Last week the Associated Press reported that an executive at the Imperial Sugar Co. testified at a hearing before the Senate Health, Education, Labor and Pensions subcommittee on workplace safety that he had found such "shocking" and "disgraceful" conditions at the Georgia plant last year that he warned his superiors that a fatal disaster was likely. A month later, an explosion ripped through the plant in Port Wentworth, GA, killing 13 workers and injuring dozens more.

The Occupational Safety and Health Administration (OSHA) has proposed nearly $9 million in fines against the sugar company for what it said were willful and egregious safety violations. Criminal charges are also being considered.

This unfortunate incident at a sugar refinery should illustrate the potential impact of incidents like this and, hopefully, help drive awareness of process safety and of how seriously our federal government takes it.

This is for all of you naysayers out there who have thought to themselves…"I’ve been working here over 5 years, and not once have I seen an OSHA inspector". Consider yourself lucky (and now warned).

Process Safety BLOG goes Mainstream

Last week I was notified that my blog was getting picked up by a new website dedicated to safety.  Stay tuned, as www.Safetybase.com will be going live soon.  It's exciting to be a part of this new education-based safety website dedicated to serving the safety needs of the general automation industry.

I'm honored to join this elite group of experts coming together to provide up-to-date ideas and information on the changing landscape of process safety.
 
The website's idea is simple: provide a single access point for obtaining critical safety information for both the process and machine industries.

Its design is community based, so information will be provided and shared by consultants, end-users and vendors to help you stay current on the latest advancements in safety.  Get the safety information you need and enter into discussions with your peers – to leverage your knowledge base and maximize your productivity.  If it’s about automation and machine safety – you’ll find it at SafetyBase.com.
 
Coming to the cyber world soon, check it out – www.SafetyBase.com and let me know what you think.

Update on the ISA84 Main Committee and Working Group meeting

Last week, about 40 process safety enthusiasts attended the spring 2008 S84 meeting in West Palm Beach, Florida.

The main committee meeting generally consists of brief updates from the individual working groups and on the maintenance of the current ANSI/ISA S84.00.01 (IEC 61511 modified).

A couple of topics I thought were pretty interesting.  The first was the discussion on ongoing hardware fault tolerance requirements.  I've blogged on this before, and there's some obvious concern over products reaching the market today claiming to have SIL 3 capabilities with no redundancy.  I still think there is much confusion on this, as one well respected end-user noted their dissatisfaction after trying a "new" transmitter claiming to provide high SIL levels, which caused them lots of problems with nuisance trips.
I still get aggravated with the misconception around safety and spurious trip rate.   They are separate and have to be treated as such.

I’ll be the first person to say “yes, my company develops SIL 3 certified, non-redundant products, that will most likely have a higher spurious trip rate than a non-redundant, non-SIL certified device.”  The ONLY way to combat the spurious trips is to add redundancy.

The other topic that puzzled me was the inaccurate statement made regarding the status of safety fieldbus.  Again, it was erroneously stated that there is no safety fieldbus today for the process industries.  Luckily, there were a few "informed" safety experts in the room who noted the existence of PROFIsafe and ASI-safe.  I guess some people are still confused because FF-safety has yet to be approved or released for safety communications.

I spent the rest of the meetings involved in Fire & Gas working group going over comments on the last draft we issued.

Introducing a non-redundant, redundant SIL 3 solution?

Last month, Siemens Energy and Automation released a new safety I/O card that it claims is the first SIL 3 certified HART analog input module:
http://www2.sea.siemens.com/News/Industrial/First-SIL-3-Certified-Hart-Analog-Input-Module.htm


While some may see this as a breakthrough, I view it as the direction of the industry.  Siemens and other automation suppliers (Emerson, Yokogawa) have introduced, and have been offering for several years now, "updated" safety systems that don't require redundancy to achieve high levels of safety.  In the past, safety systems required dual, triple or even quadruple redundancy just to achieve high levels of safety.  So what happened?

 

For starters, you need a clear understanding of what this means.  These systems build safety into their core design.  They no longer "need" additional hardware to compare against internally in order to achieve high safety levels.  They use dedicated internal diagnostic circuitry that provides levels of diagnostic coverage that were previously not achievable.

 

These advanced safety designs benefit the user by increasing safety while allowing redundant architectures to do what they were intended for: preventing nuisance trips.  An additional benefit is that these systems are immune to system degradation, whereas a conventional "voting" system needed its redundant partner(s) to help provide high safety.

 

Another common misunderstanding is how these systems address field redundancy (sensors and final control elements).  While I can’t speak for the Emerson or Yokogawa system, I do know for a fact that the new Siemens HART analog input module handles redundant field devices just like any dual, triple or quadruple redundant system would.

Treat your SIS better than Certified pre-owned

Last month we decided it was time to upgrade the old family car.  After searching for several weeks, we decided on a very nice, 3-year-old, certified pre-owned car.   While I haven't purchased a used vehicle in several years, I felt comfortable with this decision as the price was attractive, the warranty was extended, plus I had the assurance that this car had passed the manufacturer's grueling inspection.

After the first week of owning our new (used) car, I called the dealership to have them install one of those MP3 auxiliary connections (a result of my purchase negotiations).  While dropping off the car, I happened to mention that the brakes were squeaking when lightly applied.  I figured this was surely the result of new pads wearing in…….  I mean, they couldn't "certify" a car with bad brakes?  I had put less than 200 miles on the car, so it had to be something else, something minor, right?

The follow up call I got from the service manager answered that question.  “Mr. Fialkowski, we replaced both front and rear brakes for you”.  “No charge, it’s under warranty”.  Boy was I glad to hear that…..

This experience had me wondering how end users in the process industry tackle their own certified Safety Instrumented System (SIS) tests.  As most know, when we design an SIS we have to account for the fact that the system MUST BE TESTED periodically.  So how rigorous are we in carrying out these tests?  Would we allow something as critical as brakes to slip through the cracks?  Surely we have developed exhaustive "punch-lists" that have been reviewed, validated and audited to minimize potential problems?

I once heard an end user state that when their technician tests their safety valve, it would not be uncommon to bang it with a wrench to “help it along”.  If after this “adjustment” it moves to its “safe” position, he’ll note it as “test-passed”.

Makes me wonder just how my car could have passed this seemingly critical test, or am I just being too sensitive?  I mean it was under warranty….I’m just thankful it wasn’t under critical circumstances.    

Posted by Charles Fialkowski

Belts and Suspenders?

 

For so many years we have been trained (brainwashed) to believe more redundancy = more safety.  For some situations it's true: increase your level of redundancy and your system will get better safety performance.  However, if you do it WRONG, it's a proven fact (not just me spouting off) that your safety performance will degrade.

 

This week I ran into a very smart person, who just happened to say the dumbest thing all day.  “We needed safety, so we made the thing redundant”.   

My dad used to say to me, "It's like polishing the brass when the ship's sinking."  If you're going to do something, make sure it's really worthwhile; otherwise you're just wasting your time.

Does past experience equal Prior Use?

So you’re faced with the question of whether that trusty old transmitter you’ve been using as part of your safety shutdown system can meet the “prior use” requirements described in Section 11.5.3 of ANSI/ISA-84.00.01-2004 (IEC 61511-1 Mod). 

Prior use, or proven-in-use, is defined as a documented assessment showing that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system.

Let’s focus on the question “how much operating experience is required to make sure a product has enough safety integrity?”

Lucky for us, IEC 61508 provides specific details on this.

For a given component’s version level IEC 61508 suggests 100,000 unit hours for components targeted for SIL 1 applications and 10 million unit hours for components targeted for SIL 3 applications.  Along with the operating hours, one must also provide documented proof test results for all detected dangerous failures.
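As an added worked example (not from the original post, and not a calculation IEC 61508 itself spells out), the following Python turns the two ingredients above, accumulated unit hours and documented dangerous failures, into the failure-rate bound and the SIL band a single channel could support. It assumes the 70 % one-sided confidence level commonly used for proven-in-use field data, a 1oo1 channel proof-tested once a year, and that every documented failure is dangerous undetected; the function names and the sample figures are this example's own.

```python
import math

# SIL bands for average probability of failure on demand (low demand mode),
# per IEC 61511-1 / IEC 61508-1: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
def sil_band(pfd_avg):
    """Return the SIL band a PFDavg falls in, or 0 if it supports no SIL claim."""
    for sil, low, high in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if low <= pfd_avg < high:
            return sil
    return 0

def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total

def failure_rate_upper_bound(unit_hours, failures=0, confidence=0.70):
    """One-sided upper confidence bound on a constant failure rate (per hour),
    given `failures` dangerous failures observed in `unit_hours` of cumulative
    operation. Solves P(X <= failures | mu) = 1 - confidence for the expected
    count mu by bisection (for zero failures this is -ln(1 - confidence)) and
    divides by the exposure. ASSUMPTION: 70 % one-sided confidence is the
    level commonly used for proven-in-use data; adjust if your assessment differs."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:   # grow hi until the root is bracketed
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid                            # mu still too small
        else:
            hi = mid
    return (lo + hi) / 2.0 / unit_hours

def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified PFDavg of a single channel: lambda_DU * TI / 2."""
    return lambda_du * proof_test_interval_h / 2.0

def prior_use_assessment(unit_hours, failures=0, proof_test_interval_h=8760.0, confidence=0.70):
    """Bound the dangerous failure rate from field data and translate it into the
    SIL band a single channel could support at the given proof-test interval.
    ASSUMPTIONS: every documented failure is dangerous undetected and no
    diagnostic credit is taken."""
    lam = failure_rate_upper_bound(unit_hours, failures, confidence)
    pfd = pfd_avg_1oo1(lam, proof_test_interval_h)
    return {"lambda_du_per_h": lam, "pfd_avg": pfd, "sil": sil_band(pfd)}

if __name__ == "__main__":
    # Constructed cases: the post's two thresholds, one in between, and a fleet
    # that logged two dangerous failures in the same 10 million hours.
    for hours, fails in ((1e5, 0), (1e6, 0), (1e7, 0), (1e7, 2)):
        r = prior_use_assessment(hours, fails)
        print(f"{hours:>12,.0f} unit-h, {fails} failures: lambda_DU <= "
              f"{r['lambda_du_per_h']:.2e}/h, PFDavg {r['pfd_avg']:.2e}, SIL {r['sil']}")
```

Under these assumptions 100,000 unit hours with no failures lands in the SIL 1 band and 10 million hours in the SIL 3 band, matching the figures quoted above; two documented dangerous failures in those same 10 million hours pull the supportable claim down to SIL 2, which is why the proof-test records matter as much as the hour count.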

Of course there’s a lot more discussion on ISA’s web site in an article written by Bill Goble.  www.isa.org

Not Worth A SFF

In attending last week’s 63rd Annual Texas A&M Instrumentation symposium, I was shocked to hear from a well respected safety expert that SFF (Safe failure fraction) was a failed metric.  No explanation, just that SFF was pretty much useless, followed by a cackle.  I really hate when people make profound statements like this, with no reasoning or justification behind it.  I felt as if the audience was just bullied into this person’s position, and all were just too intimidated to challenge it.  So what’s wrong with SFF?

SFF is defined in ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod) as the fraction of the overall random hardware failure rate of a device that results in either a safe failure or a detected dangerous failure.  Its sole purpose was to help prevent over-optimistic SIL claims by equipment manufacturers, and it helps determine the required hardware fault tolerance of your SIS (safety instrumented system).

While I didn't get a chance to follow up directly with the individual, I'm pretty sure the argument has something to do with how your system actually responds to a detected dangerous fault.  If your system detects a dangerous fault within itself, does it automatically shut down your process, or just alarm the operator?  If it's the latter, then SFF is pretty much a failed metric.
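To make the SFF arithmetic, and the point above about detected dangerous faults, concrete, here is an added Python example (not from the post, the standard, or any vendor tool). It computes SFF from the four failure-rate classes, looks up the maximum SIL that the IEC 61508-2 route 1H architectural constraints allow for a given SFF and hardware fault tolerance (the type A / type B tables, which also underlie the "SIL 3 with no redundancy" discussion in the ISA84 update above), and then shows what happens to a single-channel (HFT 0) type B device if its detected dangerous failures only raise an alarm and therefore have to be credited as if undetected. The failure rates are constructed for illustration.

```python
# Maximum SIL claim allowed by the IEC 61508-2 route 1H architectural
# constraints, indexed by SFF band and hardware fault tolerance (HFT 0, 1, 2).
# Type A: simple devices with well-defined failure modes; type B: complex
# (e.g. microprocessor-based) devices. None means the combination is not allowed.
HFT_TABLE = {
    "A": {"<60%": (1, 2, 3), "60-<90%": (2, 3, 4), "90-<99%": (3, 4, 4), ">=99%": (3, 4, 4)},
    "B": {"<60%": (None, 1, 2), "60-<90%": (1, 2, 3), "90-<99%": (2, 3, 4), ">=99%": (3, 4, 4)},
}

def sff(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """Safe failure fraction: the share of the random hardware failure rate that
    is either safe (detected or undetected) or dangerous-but-detected."""
    credited = lambda_sd + lambda_su + lambda_dd
    return credited / (credited + lambda_du)

def sff_band(value):
    if value < 0.60:
        return "<60%"
    if value < 0.90:
        return "60-<90%"
    if value < 0.99:
        return "90-<99%"
    return ">=99%"

def max_sil(device_type, sff_value, hft):
    """Highest SIL the element may claim at this SFF and HFT, or None if not permitted."""
    return HFT_TABLE[device_type][sff_band(sff_value)][hft]

def sff_if_dd_only_alarms(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """If a detected dangerous fault merely alarms and nothing takes the process
    to a safe state (or repairs the device) within the assumed MRT, the detected
    dangerous failures behave like undetected ones: move lambda_DD into
    lambda_DU before computing SFF."""
    return sff(lambda_sd, lambda_su, 0.0, lambda_dd + lambda_du)

# Constructed failure-rate split for a hypothetical type B transmitter, in FIT
# (1 FIT = 1e-9 failures per hour; the unit cancels out of SFF).
EXAMPLE_RATES = dict(lambda_sd=100.0, lambda_su=200.0, lambda_dd=600.0, lambda_du=9.0)

def assess(rates=EXAMPLE_RATES, device_type="B"):
    """Compare the claimed SFF/HFT position with the position once DD faults are
    only alarmed. Returns (sff_claimed, max_sil_hft0, sff_alarm_only,
    max_sil_hft0_alarm_only, max_sil_hft1_alarm_only)."""
    s_claim = sff(**rates)
    s_alarm = sff_if_dd_only_alarms(**rates)
    return (s_claim, max_sil(device_type, s_claim, 0),
            s_alarm, max_sil(device_type, s_alarm, 0), max_sil(device_type, s_alarm, 1))

if __name__ == "__main__":
    s0, sil0, s1, sil1, sil1_hft1 = assess()
    print(f"claimed SFF {s0:.1%} -> max SIL at HFT 0: {sil0}")
    print(f"DD only alarmed: SFF {s1:.1%} -> max SIL at HFT 0: {sil1}, at HFT 1: {sil1_hft1}")
```

With these figures the device sits just above the 99 % line and may be used singly in a SIL 3 function; once the 600 FIT of "detected" dangerous failures are no longer acted on, SFF collapses to about 33 % and the same device cannot be used at HFT 0 at all and only supports SIL 1 in a dual arrangement. That is the sense in which SFF can be called a failed metric: it is only as good as the system's response to what it detects. (The 2010 edition of IEC 61508-2 later added an alternative route, 2H, that sizes fault tolerance from field-feedback data rather than from SFF.)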

 

Choose the Right SIL

Did you know that fatal automobile accidents in the USA would drop considerably if drivers (and passengers) wore approved protective headgear and flak jackets?  While that might seem pretty obvious, it's just not practical.  For years automation suppliers have developed SIL 3 logic solvers, but rarely do they get implemented as such.  I've personally witnessed users argue the need for a triple modular redundant (TMR) SIL 3 safety logic solver, only to pair it with a non-redundant, non-certified transmitter and valve.  That's like putting bicycle tires on your sports car.

 

So what SIL level should you choose?  That's a question NOBODY can just answer, even if they are "claimed" experts on your particular application.  Instead, you will need to treat each application uniquely, evaluating all the protection layers that exist for that particular unit.  While this may seem tedious, it's one of the best ways to answer the question.  Even the most hazardous application might seem SIL 3 worthy, yet a thorough analysis might show a SIL 2 solution is adequate, saving you money on both equipment and maintenance.  A number of studies I'm familiar with have shown that more often we tend to over-design than under-design.  Sure it seems safer, but really, who wants to drive around in their fancy sports car wearing their kid's skateboard protective gear?

Wait for the BUS or go Old School

Here it is Friday, December 21, 2007 about 2:30pm, while most process safety specialists and marketing managers are enjoying the tidings; I just had to get something off my chest before I begin my holiday break. 

 

I was hoping to make my 2008 Process Safety predictions but I find myself still pontificating on what next year will bring.  So we’ll table that discussion (for now), and I’ll share with you another interesting discussion I just had.

 

A gentleman from the ISA safety list was inquiring about the speed of response for analog devices over PROFIBUS/PROFIsafe.  At first he was concerned whether the response time was sufficient for his high-speed requirements.  I'm not sure he liked my answer, because he kept responding that it wasn't good enough.  So what was good enough, I inquired?

 

It's been understood for years that a pure electrical signal (i.e. 4-20 mA) propagates down the wire at a large fraction of the speed of light, while a digital protocol is clocked at a specific baud rate (nowhere near the speed of light).  No one would argue that; however, I just wanted to make certain we also considered the device itself.

 

I went on to explain that a discrete device takes about 10 ms to get its signal "on the wire", whereas an analog device is closer to 200 ms.  If you then want to use digital communication, you need to add the lag time for that as well.  PROFIBUS PA has about 10 ms of overhead plus an additional 10 ms per device on the segment.  So, for example, if you put 10 devices on a PROFIBUS drop, you can estimate 110 ms of response time on the wire.  Add the device time (200 ms) to the bus time (110 ms) and it takes a little over 300 ms for the signal to reach your control system.
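As an added example (not from the post), the following Python encodes the rule-of-thumb figures above as a response-time budget and turns the question around: given the time the safety function must act within, how many devices can share one segment before the bus alone pushes the loop over budget? The 10 ms and 200 ms device figures and the 10 ms + 10 ms-per-device PROFIBUS PA estimate are the post's; the budget, the logic solver scan time and the function names are this example's assumptions.

```python
# Rule-of-thumb latency figures quoted in the post, in milliseconds.
DEVICE_TIME_MS = {"discrete": 10.0, "analog": 200.0}
BUS_OVERHEAD_MS = 10.0      # PROFIBUS PA segment overhead
BUS_PER_DEVICE_MS = 10.0    # added for each device on the segment

def bus_time_ms(n_devices, overhead_ms=BUS_OVERHEAD_MS, per_device_ms=BUS_PER_DEVICE_MS):
    """Cycle time of a segment carrying n_devices; 0 for a hard-wired point."""
    return overhead_ms + per_device_ms * n_devices if n_devices > 0 else 0.0

def response_time_ms(device_kind, n_devices_on_segment=0, logic_solver_ms=0.0,
                     per_device_ms=BUS_PER_DEVICE_MS):
    """Estimated latency from process change to logic-solver input (plus the
    solver's own scan if given). n_devices_on_segment=0 models a conventional
    4-20 mA or discrete wire with no bus lag."""
    return (DEVICE_TIME_MS[device_kind]
            + bus_time_ms(n_devices_on_segment, per_device_ms=per_device_ms)
            + logic_solver_ms)

def max_devices_per_segment(device_kind, budget_ms, logic_solver_ms=0.0,
                            per_device_ms=BUS_PER_DEVICE_MS):
    """Largest segment whose estimated response stays within budget_ms, the time
    the safety function must complete in (ASSUMPTION: your process safety time
    analysis sets this number). Returns 0 if even one bused device is too slow."""
    if per_device_ms <= 0:
        raise ValueError("per-device bus time must be positive")
    n = 0
    while response_time_ms(device_kind, n + 1, logic_solver_ms, per_device_ms) <= budget_ms:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed scenario: analog transmitters, a 500 ms budget, 100 ms solver scan.
    print("10 analog devices on one segment:", response_time_ms("analog", 10), "ms")
    print("hard-wired analog point:          ", response_time_ms("analog"), "ms")
    for budget in (250.0, 500.0, 1000.0):
        n = max_devices_per_segment("analog", budget, logic_solver_ms=100.0)
        print(f"budget {budget:.0f} ms, 100 ms scan: max {n} analog devices per segment")
```

The 310 ms figure for ten analog devices reproduces the post's arithmetic; what the inversion adds is that a tight budget is eaten first by the 200 ms analog device time and the solver scan, not by the bus, so trimming devices per segment only buys back 10 ms apiece. If the budget cannot hold even one bused device, the function returns 0, which is the "go Old School" answer.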

 

Of course, that's just the half of it, because now your control system has to process the signal and drive its outputs (and that could take SECONDS).

 

So the choice should be easy, if the BUS isn’t fast enough, go Old School.

 

Merry Christmas and Happy New Year to all.

 

Charlie

Attention all safety product listings

I received an e-mail inquiring about a product being “listed” or not, which made me stop and think about how far we have come in the past 10 years regarding safety systems and their “type” of certification. 

The term “listed” means equipment or materials included in a list published by an organization engaged in product evaluation, that maintains periodic inspection of production of listed equipment or materials, and whose listing states either that the equipment or material meets appropriate standards or has been tested and found suitable for use in a specified manner.

While "listed" might sound appropriate to some, many safety experts would argue that today it's not enough.  Since the release of International Electrotechnical Commission (IEC) 61508, Functional Safety of Safety-Related Systems, in 2000, safety performance criteria are now better defined in terms of SIL (safety integrity levels).

Hopefully you can appreciate that today’s safety products need to meet two key requirements (i.e. functional and performance).  Functional requirements will describe what the product is supposed to do, while performance requirements define just how well it’s supposed to do it.

Take, for example, NFPA 85.  Along with the functional requirements, this standard also describes about 10 types of system failures (failure effects).  Worse yet, it states that the system logic designer (i.e. your system integrator) needs to ensure that these failures are covered.  While I agree it was a good attempt, it by no means describes how "good" the detection of these failures has to be.  That's pretty much what "listed" gets you these days.

What the SIL are you talking about?

 

Have you had a chance to catch Bill Goble’s Hydrocarbon Processing (October 2007 issue) editorial titled “Still not using a safety PLC?”

 

Essentially, Bill addresses the question of whether you can use conventional equipment (PLC or DCS) in compliance with ISA 84.00.01-2004 (IEC 61511 Mod.).  I think he did a nice job summing it up as follows:

SIL 3: must be certified to IEC 61508.

SIL 2: maybe, if accompanied by a formal assessment (not very practical).

SIL 1: okay, with justifying documentation.

 

Bottom line: a safety PLC is required for all but SIL 1, and even that comes with baggage, which makes one wonder why anyone would elect to go outside the slew of certified offerings.

Running to Destruction

Was not the response I was expecting to hear from an audience member during my presentation on new SIS (safety instrumented system) hardware development at this week's ISA Expo.  He was obviously concerned by my suggestion that, with new SIS technology, there's no degradation of safety when you have a partial shutdown and, in his words, "run to destruction".  I wasn't sure how to respond, as my objective during this 30-minute talk was to show how some new SIS technologies actually increase safety.  As with any new concept, there are bound to be objections, but this particular phrase just caught me off guard….hmm….so let me try to explain….

In the past, redundant systems were necessary to achieve both safety and availability.  Marketing hype took over, and confused the industry with just how much redundancy (dual, triple or even quadruple) was really necessary, and what were the actual benefits. 

Understanding the history, I wanted to tell a story.  So I started by going back to the 1980s, when TMR (Triple Modular Redundancy) was born; then in the 1990s, with the advances in microprocessors, diagnostics made it possible to (arguably) get the same level of safety and availability with less redundancy, while saving money.

Regardless of what level of redundancy you bought into, the fact still remained: if your system degraded from triple to dual (or dual to single), your level of safety would be negatively impacted.   While this might be well known, there was concern that this degraded mode of operation was often overlooked and needed to be addressed within a reasonable amount of time.

Today there are a couple of new SISs touting that they offer the highest level of safety (SIL 3) without the need for redundancy.  To avoid a nuisance trip, redundancy can be added to make the system fault tolerant.  So what happens if your system experiences a component failure?  You would hope that it would maintain its safety rating, and expect that somehow, something "else" is degraded, right?

While I was not suggesting anyone “run to destruction”, I was suggesting that it might be a better scenario to maintain safety at the expense of availability particularly during those short stints when you are running degraded.   
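An added Python example (not part of this post or of any vendor's documentation) that puts numbers on the trade-off described here and in the "Belts and Suspenders" and non-redundant SIL 3 posts above. It uses the standard simplified PFDavg and spurious trip rate approximations for 1oo1, 1oo2, 2oo2 and 2oo3 voting (no common-cause factor, no diagnostic credit) with constructed failure rates, and compares the two ways a 2oo3 system can degrade after one channel faults: voting the survivors 1oo2 (safety kept, nuisance trip exposure doubled) or 2oo2 (availability kept, safety worse than a single channel).

```python
# Simplified PFDavg and spurious trip rate (STR) for common voting
# architectures, ignoring common-cause failure and diagnostic credit (the
# textbook approximations used in hand calculations).
#   lambda_du: dangerous undetected failure rate per channel (per hour)
#   lambda_s:  safe (spurious) failure rate per channel (per hour)
#   ti_h:      proof-test interval in hours
#   mttr_h:    time to repair a safe failure in hours

ARCHS = ("1oo1", "1oo2", "2oo2", "2oo3")

def pfd_avg(arch, lambda_du, ti_h):
    """Average probability of failure on demand for the voted group."""
    x = lambda_du * ti_h
    return {"1oo1": x / 2.0, "1oo2": x ** 2 / 3.0, "2oo2": x, "2oo3": x ** 2}[arch]

def spurious_trip_rate(arch, lambda_s, mttr_h):
    """Rate of safe failures that trip the process. 1ooN trips on any single
    safe failure; 2oo2/2oo3 need a second safe failure while the first is
    still unrepaired, hence the lambda_s**2 * mttr_h terms."""
    return {"1oo1": lambda_s,
            "1oo2": 2.0 * lambda_s,
            "2oo2": 2.0 * lambda_s ** 2 * mttr_h,
            "2oo3": 6.0 * lambda_s ** 2 * mttr_h}[arch]

def compare_architectures(lambda_du, lambda_s, ti_h, mttr_h):
    """Safety (PFDavg) and availability (STR) side by side for each architecture."""
    return {a: {"pfd_avg": pfd_avg(a, lambda_du, ti_h),
                "str_per_h": spurious_trip_rate(a, lambda_s, mttr_h)} for a in ARCHS}

def degraded_2oo3(lambda_du, lambda_s, ti_h, mttr_h):
    """What a 2oo3 group becomes once one channel is removed on a detected fault.
    'safety_first' votes the survivors 1oo2; 'availability_first' votes them 2oo2."""
    return {"healthy": (pfd_avg("2oo3", lambda_du, ti_h), spurious_trip_rate("2oo3", lambda_s, mttr_h)),
            "safety_first": (pfd_avg("1oo2", lambda_du, ti_h), spurious_trip_rate("1oo2", lambda_s, mttr_h)),
            "availability_first": (pfd_avg("2oo2", lambda_du, ti_h), spurious_trip_rate("2oo2", lambda_s, mttr_h))}

# Constructed channel data: 2e-6/h dangerous undetected, 1e-5/h safe,
# annual proof test, 8 h repair. Not taken from any real device datasheet.
LAMBDA_DU, LAMBDA_S, TI_H, MTTR_H = 2e-6, 1e-5, 8760.0, 8.0

if __name__ == "__main__":
    for arch, r in compare_architectures(LAMBDA_DU, LAMBDA_S, TI_H, MTTR_H).items():
        print(f"{arch}: PFDavg {r['pfd_avg']:.2e}, STR {r['str_per_h'] * 8760:.2e} trips/yr")
    for mode, (pfd, s) in degraded_2oo3(LAMBDA_DU, LAMBDA_S, TI_H, MTTR_H).items():
        print(f"2oo3 {mode:>18}: PFDavg {pfd:.2e}, STR {s * 8760:.2e} trips/yr")
```

Two things fall out of the numbers. First, the "Belts and Suspenders" warning is literal: 2oo2 redundancy exactly doubles the PFDavg of a single channel, so adding a second device and voting it the wrong way makes the function less safe, not more. Second, in the degraded 2oo3 case the 1oo2 survivor vote keeps the PFDavg where a healthy 2oo3 group had it (same order of magnitude) at the cost of doubling the spurious trip rate, while the 2oo2 vote keeps trips near zero but lifts the PFDavg by two orders of magnitude; that is the "safety at the expense of availability" choice argued for above.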

So you went to engineering school to copy others

Ever ask yourself why you went to engineering school?  For some of you it might have been the illusion of a great paying job, for others maybe it was your curiosity of figuring out how things worked, for me it was both.  Today I have the pleasure of explaining the new and unknown to those curious enough to care and make a decent wage from it. 

 

Next week is ISA EXPO 2007 at the Reliant Center, Houston, TX.  Other than attending the ISA SP84 meetings through most of the week, I'm actually more excited about participating in a couple of safety-related exchanges going on.  On Tuesday, October 2nd at 3:45pm, I will present the white paper I co-authored with Mr. Dave Deibert, titled "Implementation of a 1oo2 CPU Architecture on a Single Chip Platform".  On Wednesday, October 3rd at 10:00am, I will be a panelist alongside many well respected safety professionals on a panel titled "User-Vendor Coordination for Safety Instrumented Systems".

 

I’m excited about the opportunity to provide non-commercial, controversial topics exploring new ideas based on proven concepts.  There will be some in the audience who enjoy thinking outside the box, and others that scoff at the mere idea of it.  My goal throughout will be to inspire the engineer inside yourself to think, “Maybe there is a better way”.

Certify This

You would think that the simple word “safety” would be so well understood by now that, …………well……..even a caveman could get it.  Unfortunately, I find we are still struggling to come to a consensus.  If you don’t believe me, attend a trade show, stop by a few booths, and simply ask the person “Is this thing safety rated”?    I’m sure their immediate response will be “of course”.  Follow that up, by asking by whom and to what. 

The problem is that safety spans many industries and many applications.  It may be defined as the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types of consequences of failure, damage, error, accidents, harm or any other event which could be considered undesirable, depending on what industry or application you're working in or around.  Huh?

In the world of process safety, we are typically interested in combining several components/products into a system and ensuring that this system has the ability to perform a specific operation (i.e. shut a valve) in the presence of a pre-defined condition.  We call this functional safety.  In 1999, IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, was released.  This standard had a significant impact on our market, as we could now all agree on the "what" when discussing safety certification.

What continues to cause confusion, however, is the "by whom?"  Many might just claim, "My system is TÜV certified."  Well, heck, there's a good chance that if you took a look at the label on your kid's stuffed teddy bear, it too might just be TÜV certified.  So let's be clear.

TÜV is a well known, globally recognized certification agency.  Today there are three (3) competing TÜV agencies, TÜV Nord, TÜV Süd and TÜV Rheinland, that can be hired to offer product or system certification.  Arguably they all perform at the same level of excellence, yet you find some product manufacturers claiming their TÜV is better.  I chuckle, as that would be similar to me stating that my PA driver's license was better than my buddy's NJ license.  I know a lot of NJ folks who would argue that!

While TUV has maintained a stronghold on this certification market, they are not alone and most likely will be facing some stiff competition from Exida (Excellence in dependable automation).  Exida is not new to the certification process, and claims to have issued the most IEC 61508 certificates (individual components) in our industry, and will soon be offering full system certification.  

I'm excited, as this bit of information can officially count as my first industry scoop!  Overall this should be good for our industry.  From now on, the proper response should be "My system is certified to IEC 61508", and then you can ask the question: by whom?

Posted by Charles Fialkowski