
Functional Safety 2014, 4th – 5th November 2014

Copyright © 2014 by Cenbee Bullock PFS Consulting Ltd

Page 7 of 14

identifies the probability of dangerous systematic failures on demand (PFDsys) of a process plant and the probability (P) of systematic failures caused by human errors, including faults in design, installation, proof tests and in by-pass mode.

$$PFD_{avg} = \sum PFD_{\mathrm{sensor}} + \sum PFD_{\mathrm{logic\ solver}} + \sum PFD_{\mathrm{final\ element}} + \sum PFD_{\mathrm{power\ supply}} + \sum PFD_{\mathrm{systematic\ failures}}$$

where $PFD_{\mathrm{systematic\ failure}} = PFD_{\mathrm{sys\text{-}process\ plant}} + P_{\mathrm{sys\text{-}human\ error}}$

and $P_{\mathrm{sys\text{-}human\ error}} = P_{\mathrm{design\ error}} + P_{\mathrm{installation}} + P_{\mathrm{proof\ test\ error}} + P_{\mathrm{bypassed}}$

Unfortunately, it is not easy to model systematic failures accurately, and they are rarely included in SIL verification modelling. This is due to the difficulty of obtaining failure rates and, in most instances, to the fact that systematic failures can be very specific to a particular operation and process plant.
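The following is an added worked example, not code from the paper or from PFS Consulting. It evaluates the PFDavg sum above with and without the systematic-failure term, so that the effect of leaving that term out of SIL verification can be seen. It assumes (the page does not say this) that each hardware subsystem is 1oo1 and uses the usual low-demand simplification PFDavg ≈ λDU · TI / 2, and it uses the IEC 61508 low-demand SIL bands. Every failure rate and systematic probability in it is a constructed sample value.

```python
"""Added example (not from the paper): evaluate the paper's PFDavg sum with
and without the systematic-failure term, and map the result to a SIL band.

Assumptions (not stated on the page): each hardware subsystem is 1oo1 and
uses the usual low-demand simplification PFDavg ~= lambda_DU * TI / 2; the
SIL bands are the IEC 61508 low-demand bands. All failure rates and
systematic probabilities below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    """One hardware subsystem of the SIF (sensor, logic solver, ...)."""
    name: str
    lambda_du: float              # dangerous undetected failure rate, per hour
    proof_test_interval_h: float  # TI, in hours

    def pfd_avg(self) -> float:
        # Simplified 1oo1 low-demand approximation (assumption, see docstring).
        return self.lambda_du * self.proof_test_interval_h / 2.0


@dataclass(frozen=True)
class SystematicFailures:
    """The paper's PFDsystematic failure = PFDsys-process plant + Psys-human error."""
    pfd_sys_process_plant: float
    p_design_error: float
    p_installation: float
    p_proof_test_error: float
    p_bypassed: float

    def p_human_error(self) -> float:
        # Psys-human error = Pdesign error + Pinstallation + Pproof test error + Pbypassed
        return (self.p_design_error + self.p_installation
                + self.p_proof_test_error + self.p_bypassed)

    def pfd(self) -> float:
        return self.pfd_sys_process_plant + self.p_human_error()


def pfd_avg_total(subsystems: Iterable[Subsystem],
                  systematic: Optional[SystematicFailures] = None) -> float:
    """PFDavg = sum of subsystem PFDs (+ PFDsystematic failures when supplied)."""
    total = sum(s.pfd_avg() for s in subsystems)
    if systematic is not None:
        total += systematic.pfd()
    return total


def sil_band(pfd_avg: float) -> int:
    """IEC 61508 low-demand SIL band for a PFDavg; 0 means below SIL 1."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    for sil, low, high in bands:
        if low <= pfd_avg < high:
            return sil
    return 0


def sil_verification(subsystems, systematic, target_sil):
    """Return (hardware-only SIL, SIL with systematic term, target met?)."""
    hw_only = sil_band(pfd_avg_total(subsystems))
    with_sys = sil_band(pfd_avg_total(subsystems, systematic))
    return hw_only, with_sys, with_sys >= target_sil


# Constructed sample data: a SIF claimed as SIL 2 with a one-year proof test interval.
SAMPLE_SUBSYSTEMS = (
    Subsystem("sensor", 2.0e-7, HOURS_PER_YEAR),
    Subsystem("logic solver", 1.0e-8, HOURS_PER_YEAR),
    Subsystem("final element", 6.0e-7, HOURS_PER_YEAR),
    Subsystem("power supply", 2.0e-8, HOURS_PER_YEAR),
)
SAMPLE_SYSTEMATIC = SystematicFailures(
    pfd_sys_process_plant=2.0e-3,
    p_design_error=1.0e-3,
    p_installation=5.0e-4,
    p_proof_test_error=1.0e-3,
    p_bypassed=2.0e-3,
)

if __name__ == "__main__":
    hw, total, ok = sil_verification(SAMPLE_SUBSYSTEMS, SAMPLE_SYSTEMATIC, target_sil=2)
    print(f"hardware-only PFDavg = {pfd_avg_total(SAMPLE_SUBSYSTEMS):.3e} -> SIL {hw}")
    print(f"with systematic term = {pfd_avg_total(SAMPLE_SUBSYSTEMS, SAMPLE_SYSTEMATIC):.3e} -> SIL {total}")
    print("SIL 2 target met:", ok)
```

With these constructed numbers the hardware-only sum (about 3.6e-3) sits inside the SIL 2 band, but adding the systematic term (6.5e-3, most of it human error) pushes PFDavg just over 1e-2, into SIL 1. That is the verification gap the text describes: a SIL claim that holds on the random-hardware model alone can fail once design, installation, proof-test and bypass errors are given even rough probabilities.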

In the 2nd edition of IEC 61508, there are techniques and measures to control systematic failures under various stress conditions. Part 2, Tables A.15 to A.17, recommends techniques and measures to demonstrate systematic capability.

How to minimise systematic failures caused by human error?

Human error is one of the main causes of systematic failures. If we refer to the research and studies on the subject, human mistakes and errors can occur throughout all phases of the safety lifecycle.

The Swiss Cheese Model can be used to represent the safety lifecycle activities, with the holes representing human errors in the various phases (slices) of the activities. (Design, development and verification of Programmable Electronic Systems will be discussed in more detail in a later section.)

Some of the errors and mistakes may seem insignificant: for example, assuming that competently trained duty operators will be available to cover all operating hours and are fully apprised of the actions required when responding to safety-critical alarms; or designing a safety instrumented function with a SIL 2 requirement without understanding the implication of having no segregation or independence between the basic process control system and the SIL-rated system; or, through ignorance of environmental influences, installing sensitive electronic devices next to high-voltage equipment. Unless these seemingly insignificant assumptions are addressed, and their resolution is overseen and supported by the management team, they could lead to a major failure.