The Illusion of Past Safety

04.11.2013 Kent Berry & Malcolm Newman

So your 15-year-old plant safety shutdown system has reached the point of obsolescence. The vendor can no longer make or repair the electronic modules for the system (the component chips aren't made anymore), and the programming software won't run on current computers (even with the best virtualisation software). But that's okay, because the vendor has a new product which can directly replace the older system. It's simple: import the old program, re-attach the old wiring harnesses to the new modules, and press start. Just hand over the money, and you're as safe or safer than you were, right?

Unfortunately, new isn't always better. This apparently straightforward approach is flawed - and often borders on negligence - for a range of reasons, including:

  • It contradicts workplace safety regulations in most jurisdictions as well as normative guidelines set down in applicable standards.
  • It presumes that your old system was safe in the first place (i.e. when it was installed).
  • It further presumes that nothing in your plant process has changed since the system was installed in a way that affects that safety.
  • It deprives the enterprise of the opportunity to unlock significant asset value through re-examination of plant operating safety requirements, which consistently deliver superior production outcomes.

A quick summary of the context is appropriate.

Modern manufacturing plants are replete with safety shutdown systems for the protection of personnel, the environment, and business assets. Most of these systems have transitioned in the past two decades to electrical / electronic / programmable electronic (E/E/PE) technologies. The lifecycle management of safety shutdown systems is now broadly classified under the discipline of Functional Safety engineering, with the individual systems referred to as Safety Instrumented Systems (SIS). International standards and sovereign regulations have also evolved during that period. The IEC 61508 standard (Functional Safety of E/E/PE Systems) is internationally accepted as the common basis for functional safety engineering, with virtually all other more specialised standards being traceable to the principles and techniques laid out therein.

When you boil all this down to first principles, it turns out that from an SIS perspective there are only 2 possible reasons for a safety related incident to occur (and these are not mutually exclusive):

  1. A random failure (inherent in the device) of a physical component somewhere in the SIS related equipment.
  2. A systematic error (i.e. caused directly by human action) somewhere in the various activities relating to the lifecycle management of the SIS, including design, installation, commissioning, operation, testing, maintenance and programming.

Let's match these root causes against the concerns raised earlier as well as some common arguments in favour of the drop-in replacement approach for existing functional safety systems.

The first argument expressed is similar to: "We've never had any safety incidents for 20 years with this system". The 'proven in use' requirements of functional safety standards make this argument invalid for all but a tiny percentage of plants and enterprises. These rare instances have independently verified capability and maturity of functional safety related processes, and comprehensive documented records of component operations over extended durations. Without such records this argument would only be plausible if plants have operated with a perfect safety record over 500 years, and in more severe cases, well over 1,000 years.
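To show why an incident-free history on its own demonstrates so little, here is an added Python example (not the authors' figures or method) that computes the statistical upper bound on a failure rate when zero failures have been observed, and the incident-free years needed to claim a target rate. It assumes a constant (exponential) failure rate, a chosen one-sided confidence level, and uses the IEC 61508 probability-of-failure-per-hour bands only to put the result in context.

```python
import math

HOURS_PER_YEAR = 8760.0

# IEC 61508 PFH bands (high-demand / continuous mode), failures per hour:
# SIL n applies when  low <= rate < high.  Context only.
PFH_BANDS = {
    1: (1e-6, 1e-5),
    2: (1e-7, 1e-6),
    3: (1e-8, 1e-7),
    4: (1e-9, 1e-8),
}


def _k(confidence):
    """Chi-square(2 d.o.f.)/2 at the given one-sided confidence.  For zero
    observed failures this reduces to -ln(1 - C) (assumed exponential model)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -math.log(1.0 - confidence)


def upper_bound_failure_rate(operating_hours, confidence=0.70):
    """Largest failure rate (per hour) still consistent, at `confidence`, with
    seeing zero failures over `operating_hours` of recorded operation."""
    if operating_hours <= 0:
        raise ValueError("operating_hours must be positive")
    return _k(confidence) / operating_hours


def years_required(target_rate, confidence=0.70):
    """Incident-free years of recorded operation needed before a rate of
    `target_rate` per hour can be claimed at `confidence`."""
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    return _k(confidence) / target_rate / HOURS_PER_YEAR


def sil_for_rate(rate):
    """Highest SIL whose PFH band the rate falls into; 0 if worse than SIL 1.
    Note: this says nothing about systematic capability, only random failure."""
    for sil in (4, 3, 2, 1):
        if rate < PFH_BANDS[sil][1]:
            return sil
    return 0


if __name__ == "__main__":
    for years in (20, 100, 500, 1000):
        rate = upper_bound_failure_rate(years * HOURS_PER_YEAR)
        print(f"{years:5d} yr, 0 failures -> rate <= {rate:.2e}/h  (SIL {sil_for_rate(rate)})")
```

Even at a modest 70% confidence, twenty incident-free years only supports a SIL 1-range hardware claim, and that bound assumes the failure records exist at all and ignores systematic error entirely.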

Another common argument is similarly stated: "We've done a SIL analysis, and the calculation tool shows our SIS is adequate for the task". The underlying problem here is the predilection of engineers to focus on the random failure component of functional safety and give less attention to systematic error concerns. This bias is well illustrated by the lessons of history. Of the 35 major safety incidents in plants worldwide from 1987 to 2012, 33 (over 90%) were caused by systematic failures - only 2 (less than 10%) were caused by random failures.

So based on these statistics, when the SIS vendor comes along with the offer of a new drop-in replacement for your aging functional safety system, they are at best addressing less than 10% of your functional safety risk. What about the rest?

This is why standards and workplace safety regulations have evolved to place a far greater emphasis on systematic capabilities. In most jurisdictions the basic safety lifecycle guidelines mandate careful attention to continuous review and risk assessment of plants and processes, to ensure that functional safety systems continue to protect against the actual threats rather than those that may only arise from weaker supposition. The latest edition of IEC 61508 (2010), only the second since its inception in 2000, has new and more stringent requirements for quantitative systematic capability, to ensure that this hitherto underserved area receives appropriate attention in the functional safety management lifecycle.

Lastly, there is the myopically stated cost argument: "We can't afford to do anything else". Apart from the serious moral and ethical implications of this stance (it directly contravenes most normative safety standards and regulations), there is a significant opportunity cost involved. The overwhelming evidence from worldwide application of modern functional safety engineering practice is that, when done properly, overall plant productivity gains far exceed the costs of safety systems. This happens because disciplined review of plant operations from a safety standpoint inevitably reveals underlying constraints to plant performance. These can then be targeted and refined to optimise productivity, while inherently reducing risk by application of safety lifecycle best practices.

So before your existing plant SIS starts to exhibit end-of-life symptoms, get independent competent functional safety engineers involved to help sort out the true picture for your safety related systems. Look upon it as an opportunity to make a net gain for the enterprise, in safety and productivity. Sleep better knowing you've really made your workplace safer ...