Introduction
As an engineer involved in the design of electronic and programmable safety systems back in the 90’s
for a large system integrator, who was involved in some of the biggest projects in the UK and Middle
East for both the oil & gas and nuclear industries, I can honestly state that regulations, standards and
guidelines were around but certainly not followed to the letter and treated as in no way mandatory
around that period.
Requirements capture that defined the functionality of such systems would be derived from a
combination of End User, EPC and Systems Integrators interpretation of process narratives, P&IDs
and flow diagrams. No bad thing, a team effort, one could say, but what of the risk?
Although I may have been aware on certain projects that something resembling a HAZOP may have
taken place there didn’t seem to be a connection to the (functional) safety requirements. No
verification of the output of such a meeting or validation that the integrated system met the original
design intent.
A recent post on LinkedIn questioned the accuracy and usefulness of Cause & Effect diagrams for
safety system design. The post, entitled; “Cause and Effects – The Good, The Bad and The Ugly” was
widely viewed and received numerous comments all agreeing what a poor communication tool these
diagrams are. That unfortunately is still the state of the industry today – a 2-dimensional matrix view
of logical requirements with no substantial improvement in functional and performance specification
and assurance in the last 20 years.
But that was more safety engineering and not functional safety or at least not as we may understand it
today i.e. it was safe, but was it safe enough? There was definitely a lack of continuity and
communication between activities and stakeholders. Risk assessment was a tick in a box with often a
subjective or unexplainable target, thereafter did the allocated protection layers and in particular the
SIS fulfil the requirements for risk reduction. Did it meet the requirements of the risk assessment for
safe operation? A FAT would be driven by the accuracy with which it met the logic of a Cause &
Effect sheet. Bypass and override philosophy was taken from an End User company-wide
specification. Process safety times? Identified safety instrumented functions? No, sorry, no real
management (never mind lifecycle) in the mid 90’s.
If we take a leap forward to circa 2005, IEC61508 has been in circulation for around 5 years and
IEC61511 for two. Enterprising individuals had jumped well and truly on the ‘risk assessment’ band
wagon offering services and even software tools. SIL and SIF had become common place acronyms.
SRS? not so much. Where were these early pioneering consultants plying their considerable talents?
The end users? Well surely not, the End Users had clung tightly on to the ‘grandfather’ clause and of
course the standards weren’t mandatory, were they?
In other words, there was no real reason (regulatory, commercial or otherwise) for End Users to get
too hot under the collar about functional safety or safety compliance. All the same, specifications
started to appear with statement such as ‘safety system shall be SIL3’. Not as the result of a SIL
determination report but more of a ‘better make sure we’re covered’ stand point. In fact specified SIL
levels took a downward trend from 3 to 2 to 1 when the end user realised there was possible a huge
difference in costs, especially life time costs.
In fact, in those dark days’ suspicion was widespread that consultants were being leant on to use
methods such as LOPA and allocation of protection layers to arrive at an outcome more in line with
the budget than the risk reduction required.
If we think of the safety lifecycle as a pie chart what percentage of time and effort is the risk
assessment slice? This isn’t really a question that can be answered because in real terms once we feel
we have arrived at defined SIL and allocated our protection layers, nearly the rest of the lifecycle is