Process Worldwide-03-2003
A question of probability
Pragmatic implementation of the IEC 61511 international safety standard

Technical faults in the chemical and pharmaceutical industries have become quite rare, but they will probably never be eliminated altogether. Process control technology is the primary tool that operators use to manage their systems. This, together with mechanical protection systems, ensures that chemical facilities are safe. The introduction of IEC 61511 will bring about some changes.

Needless to say, there are rules that apply to process control equipment, and this is particularly true if the equipment is used to perform safety-related functions. In the past, this domain was covered in Germany by two national standards: VDI/VDE Directive 2180 and DIN V 19250/51. These standards contain a qualitative description of technical and organizational measures that must be implemented for process safety instrumentation in order to provide a tolerable minimization of risk. International harmonization of standards extends into the world of safety standards. IEC 61508 and draft standard IEC 61511 will soon go into effect. IEC 61508, “Functional safety of electrical/electronic/programmable electronic safety related systems”, is primarily directed at manufacturers. It has seven parts, five of which have already been integrated into the standards. IEC 61511, “Functional safety – Safety instrumented systems for the process industry sector”, is based on IEC 61508 and covers the process equipment sector. It is primarily of interest to users, and many operators are currently focusing their attention on it. Safety strategies may have to be totally reanalyzed, evaluated and implemented. The international standards take a completely different approach to the world of safety. Up to now, the common approach in Germany has been qualitative, but the international standards are the first to require attainment of concrete quantitative results in the process industry. Not only that: these minimal numeric requirements apply to probable failure rates of process safety instrumentation depending on the intended safety objective.
Not everything is new

IEC 61511 has three parts. The first covers management of functional safety, including evaluation of the risks to be addressed, definition of the resulting requirements and identification of the measures that need to be taken. The second part deals with the safety life cycle. The third part associates technical safety functions with safety levels. In the past, there were eight requirement classes as defined in DIN 19250. Now operators must condense these classes into four safety integrity levels (SIL). This is normally not a problem, but a failure probability must be assigned to each SIL, and this methodology differs from current practice. The problem that many users have with the new safety standard is not “if” but “how”. In contrast to other branches of industry where process control equipment operates under comparable conditions, such as the petrochemical industry (e.g. the OREDA database), nuclear technology or offshore operations, it is difficult to provide calculated evidence for process equipment in the chemical and pharmaceutical industries. Because of wide variations in operating conditions, there are simply no statistically validated data on individual failure rates for process safety instrumentation. Each individual valve operates under a wide variety of conditions at one and the same facility, affecting parameters such as vibration, contamination and moisture or corrosive substances.

A pragmatic approach, based on four steps

Providing assurance for every type of usage and every risk for a process safety device would require enormous effort by a company. To address this problem, Namur recommendation NE 93 was developed, based on four steps:
- Assumption: all process safety devices are planned, installed and operated in accordance with applicable technical standards (for example VDI/VDE 2180, DIN V 19250 and, at a later date, IEC 61511).
- Action: failure analysis is performed on all process safety devices.
- Objective: SIL requirements are fulfilled collectively for the equipment.
- Result: this verifies the safety strategy in practical application.

In order for this method to succeed (not least because the authorities must be convinced that this approach is valid), all process safety instrumentation must be regularly monitored and all failures must be analyzed. Also, as many companies as possible must participate in this exercise. The Namur working group appears to have succeeded in convincing enough people, as there are now sufficient data available to provide a statistically valid base. These results were presented at a Dechema colloquium held jointly with Namur. The bottom line was presented by Pirmin Netter, who is responsible for Occupational Health and Safety at InfraServ Höchst and is Chairman of the Namur working group, and the results confirmed expectations. To cite only a few numbers, incoming reports covering 4,843 single-channel systems showed 13 passive failures; MTBF was calculated to be 375. There were four passive failures on 8,628 dual-channel systems, so the MTBF was 2150 a. As expected, availability was higher on dual-channel systems, but the investment involved for this type of system would run into the millions.

Experience in practical application

Peter Brusa, from the pharmaceutical manufacturer Lonza, demonstrated what the approach actually looked like in practice. In his view, the project was very important, especially considering the fact that every company wants to continue using the equipment it has been using successfully, and would prefer to avoid going through new certification. Since 1994, separate documentation has been kept for every safety-relevant device on every system at Lonza AG. Information recorded includes tag number, process control point designator, measurement range or threshold, deviation tolerance, safety classification (Z1-Z6) and checking interval in days. “We expected about 50 failures per year”, explained Brusa. “We were confident that the organizational effort was manageable.” However, to ensure that failure reporting was both reliable and complete, an intensive effort was made to convince the operating units affected (process control engineering, plants, workshops) of the need to collect data and to secure their agreement. The second step was to provide comprehensive training to the employees involved. The failure data collection sheet was explained in detail, and exercises were conducted using practical examples. Despite these intensive preparations, it turned out that each individual failure report had to be checked by an expert, and following consultation the author had to expand or correct the report. The psychological aspect was also important. Brusa continued: “We had to provide specific information to those responsible for process control equipment about failure events and work together with them to identify corrective action.” To maintain employee motivation, it was also essential that all failure reports reached the proper destination and were carefully processed. In 2002, despite the effort involved, 42 failure reports (none of which involved a critical safety problem) from 2,690 process safety devices were successfully forwarded to the Namur working group.

Ultimately, numbers are not everything. Users and operators would be well advised to internalize this apparently trivial insight. The question of how to define risk will undoubtedly remain open. A manufacturer’s certificate has little meaning when an overfill protection device has not been installed properly. It is also usually the case that manufacturers’ data are based on tests in an environmental chamber. Only practical application shows how a device functions in a process when it comes into contact with the medium. When documentation is being generated, it would be a good idea to check up front whether a high-precision device will be used to perform a monitoring, safety or failure prevention function. It might be possible to identify additional optimization potential at that stage. IEC does not require the use of dual-channel systems per se. It would be unwise in general to overestimate the importance of process control equipment. Only two to three percent of measurement and control devices are safety relevant. The rest are there to facilitate the process. Regulatory authorities and experts now support this approach. The challenge is to try to get more companies to take the same approach. Since 1985, at the 84 member firms of Namur, no failures have been caused by a fault in a process safety device. This is perhaps the most compelling evidence demonstrating that this is the right strategy.
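As an added illustration (not part of the article or of the Namur study), the following Python turns pooled failure counts like those quoted above into a collective MTBF, derives a dangerous failure rate from it, estimates the average probability of failure on demand for a single-channel loop over a proof-test interval, and places the result in the IEC 61511 low-demand SIL bands. The one-year observation window and the proof-test intervals are assumptions; the article gives only unit and failure counts.

```python
"""Collective MTBF and SIL banding from pooled failure reports.
Added example, not from the article or the Namur study. Assumptions: every
reported system was observed for one full year (the article gives only unit
and failure counts), and the proof-test interval is chosen for illustration.
"""

# IEC 61511 low-demand PFDavg bands: SIL -> (lower inclusive, upper exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def mtbf_years(systems: int, failures: int, years_observed: float = 1.0) -> float:
    """Collective MTBF in years: accumulated unit-years divided by failures.
    Zero failures would make the estimate unbounded; that means 'no evidence
    yet', not a perfect device, so it is rejected rather than reported."""
    if systems <= 0 or years_observed <= 0:
        raise ValueError("need a positive number of observed unit-years")
    if failures <= 0:
        raise ValueError("no failures observed: MTBF cannot be estimated")
    return systems * years_observed / failures

def pfd_avg_1oo1(mtbf: float, proof_test_interval_years: float) -> float:
    """PFDavg of a single-channel (1oo1) loop in low-demand mode, using the
    approximation lambda_D * T_I / 2 (valid while lambda_D * T_I << 1)."""
    lambda_d = 1.0 / mtbf  # dangerous failure rate per year
    return lambda_d * proof_test_interval_years / 2.0

def sil_for_pfd(pfd: float) -> int:
    """SIL whose band contains pfd; 0 if worse than SIL 1, 4 if better than
    the SIL 4 band (IEC 61511 defines no higher level)."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4

def evaluate(systems: int, failures: int, proof_test_interval_years: float):
    """Return (MTBF in years, PFDavg, achieved SIL) for one pooled report."""
    mtbf = mtbf_years(systems, failures)
    pfd = pfd_avg_1oo1(mtbf, proof_test_interval_years)
    return mtbf, pfd, sil_for_pfd(pfd)

if __name__ == "__main__":
    # Counts quoted in the article: 4,843 single-channel systems, 13 failures;
    # 8,628 dual-channel systems, 4 failures (pooled MTBF treated as one loop).
    for label, n, f in (("single-channel", 4843, 13), ("dual-channel", 8628, 4)):
        for ti in (0.5, 1.0, 2.0):
            mtbf, pfd, sil = evaluate(n, f, ti)
            print(f"{label:14s} T_I={ti:3} a  MTBF={mtbf:6.0f} a  PFDavg={pfd:.2e}  SIL {sil}")
```

The single-channel counts give an MTBF of about 373 a, close to the 375 the article quotes; the SIL reached then depends entirely on how often the loop is proof-tested, which is the practical lever the operator controls.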