Any company that uses hazardous materials in their facilities needs to consider the requirements for their safe handling. In most cases, sensors and interlocks are used to prevent the accidental release of these materials. From a safety standpoint, a release can cause injury or death to facilities personnel, as well as cause serious damage to process equipment.
The sensors and interlocks that prevent the accidental release make up a Safety Related System (SRS). An SRS is a system designed to respond to hazardous and potentially hazardous plant conditions and to take the process to a safe state when predetermined conditions are violated.
To assist companies in implementing Safety Related Systems (SRS), the IEC (International Electrotechnical Commission) developed the Functional Safety standard IEC-61508.
What is Functional Safety?
Let’s begin with a definition of Safety. Safety is freedom from the occurrence or risk of injury or loss.
Functional Safety, as defined by the IEC, is part of the overall safety that depends on a system or equipment operating correctly in response to inputs.
Putting a high-level indication switch in a gasoline storage tank, connected to a safety PLC that shuts off the fill process and prevents the tank from overflowing, is an instance of Functional Safety. Building a dike around the tank to contain a spill is not an instance of functional safety (although it is still a safety feature and may be credited in the overall risk assessment).
Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact.
Safety Functions and Safety Integrity
The term Safety Related is used to describe systems that are required to perform a specific function or functions to ensure risks are kept at an acceptable level. Such functions are, by definition, safety functions. Two types of requirements are necessary to achieve functional safety:
● Safety Function Requirements (what the function does)
● Safety Integrity Requirements (the likelihood of a safety function being performed satisfactorily)
The safety function requirements are derived from a hazard analysis of the process. That is, what functions are you implementing to keep the process safe? The safety integrity requirements are derived from a risk assessment. That is, what is the risk of a dangerous failure? The higher the risk of a dangerous failure, the higher the Safety Integrity Level required.
Any system that carries out safety functions is a Safety Related System. IEC and ISA recommend that a Safety Related System be separate from the process control system, although there are many existing examples of the process control system performing safety functions.
Example of Functional Safety
Let’s look at our gasoline storage tank again. A high level shut off switch is mounted in the top of the tank. The switch is connected to a safety PLC, which shuts a fill valve when the gasoline reaches the sensor. In this way, the gasoline is prevented from overfilling the tank.
In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary.
Hazard analysis: identifies the hazards associated with filling the tank and what needs to be done to prevent the hazard. For this tank, it may indicate that filling should stop when the gasoline reaches a point one meter from the top. The analysis may also indicate that the fill valve should close within 10 seconds of the solenoid activating. This analysis identifies the safety function.
Risk assessment: determines the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient that no one is exposed to an unacceptable risk associated with a hazardous event.
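The safety function just described (high-level switch, safety PLC, fill valve that must close within 10 seconds) can be written as interlock logic. The block below is an added example, not code from the article or from any safety PLC vendor; it assumes a normally-closed level switch so that a broken wire reads the same as a high level (fail-safe), an energize-to-open fill valve, and a closed-limit-switch feedback from the valve. Those wiring conventions are assumptions for illustration, not requirements stated by the page.

```python
"""Fail-safe high-level interlock for the gasoline-tank example (added example).

Assumptions (constructed for illustration, not from the article):
  * The level switch circuit is normally closed: True = circuit healthy and
    level OK; False = switch open, i.e. gasoline at the sensor OR a broken
    wire. Loss of signal therefore trips, not only a genuine high level.
  * The fill valve is energize-to-open: fill_permit() False de-energizes the
    solenoid and the valve closes.
  * A closed-limit switch on the valve must confirm closure within the 10 s
    the hazard analysis allowed; otherwise the interlock raises an alarm.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class State(Enum):
    FILLING = "filling permitted"
    TRIPPING = "tripped, awaiting valve-closed feedback"
    SAFE = "tripped, valve confirmed closed"
    TRIP_FAILED = "tripped, valve did NOT confirm closed in time"


@dataclass
class Interlock:
    close_timeout_s: float = 10.0          # from the hazard analysis
    state: State = State.FILLING
    trip_time: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def fill_permit(self) -> bool:
        """Output driving the valve solenoid: energized only while filling is permitted."""
        return self.state is State.FILLING

    def scan(self, t: float, level_ok: Optional[bool], valve_closed: bool) -> State:
        """One PLC scan cycle at time t (seconds).

        level_ok: True = healthy circuit, level below switch; False = switch open
                  (high level or broken wire); None = input card fault / stale value.
        valve_closed: closed-limit-switch feedback from the fill valve.
        """
        if self.state is State.FILLING:
            # Anything other than a positively healthy "level OK" trips.
            if level_ok is not True:
                self.state, self.trip_time = State.TRIPPING, t
                self.log.append(f"t={t:.1f}s TRIP (level_ok={level_ok}); valve de-energized")
        elif self.state is State.TRIPPING:
            # The safety function is only complete once the final element is proven closed.
            if valve_closed:
                self.state = State.SAFE
                self.log.append(f"t={t:.1f}s valve confirmed closed")
            elif t - self.trip_time > self.close_timeout_s:
                self.state = State.TRIP_FAILED
                self.log.append(f"t={t:.1f}s ALARM: valve not closed within "
                                f"{self.close_timeout_s:.0f}s of trip")
        # SAFE and TRIP_FAILED latch until a deliberate reset.
        return self.state

    def reset(self, level_ok: Optional[bool]) -> bool:
        """Manual reset, allowed only from a confirmed safe state with level positively OK."""
        if self.state is State.SAFE and level_ok is True:
            self.state, self.trip_time = State.FILLING, None
            return True
        return False


def simulate(samples: Sequence[Tuple[Optional[bool], bool]], scan_s: float = 1.0) -> Interlock:
    """Feed (level_ok, valve_closed) samples, one per scan, and return the interlock."""
    ilk = Interlock()
    for i, (level_ok, valve_closed) in enumerate(samples):
        ilk.scan(i * scan_s, level_ok, valve_closed)
    return ilk


if __name__ == "__main__":
    # Constructed scenario: level reaches the switch at t=2 s, valve proves closed at t=4 s.
    print(simulate([(True, False), (True, False), (False, False), (False, False), (False, True)]).log)
    # Constructed scenario: valve sticks open after a trip; alarm after the 10 s window.
    print(simulate([(True, False)] + [(False, False)] * 13).log)
```

Two points the hazard analysis leaves implicit are made explicit here: an absent or faulted sensor signal is treated exactly like a high level, so the interlock degrades toward the safe state rather than toward "keep filling", and the trip is not considered complete until the valve's own feedback proves it closed within the allowed 10 seconds. This logic belongs on the safety PLC, kept separate from the process control system as the article recommends.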
The harm associated with a failure of the safety function could be exposure to gasoline vapors or, it could be death from a resulting fire. The risk also depends on the frequency that the tank is filled, which could be several times a week or only once every few months. The level of safety integrity required increases with the severity of the injury and the frequency of exposure to a potential hazardous event.
The safety integrity of the safety function will depend on all the equipment required to carry out the safety function correctly. In our gasoline tank example that would include the high level sensor, the safety PLC, the valve and the associated electrical circuitry and power supply. The Safety Integrity Level of a Safety Related System is determined by a complete risk assessment.
The assessment includes the potential risk associated with a failure along with the number of opportunities for the failure to take place. This risk is reduced by layers of protection designed into the process. There are four Safety Integrity Levels (SIL), with SIL 1 being the lowest integrity level and SIL 4 the highest.
IEC61508 specifies the techniques and measures recommended to achieve the required integrity level. There are also software tools available to assist in determining the Safety Integrity Level required for a given process.
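The way severity, fill frequency, other protection layers and the integrity of every component in the loop combine into a SIL can be shown numerically. The block below is an added worked example, not from the article, IEC 61508 or any SIL-calculation tool. The only figures taken from the standard are the four low-demand PFDavg bands (SIL 1: 10^-2 to 10^-1, SIL 2: 10^-3 to 10^-2, SIL 3: 10^-4 to 10^-3, SIL 4: 10^-5 to 10^-4); every tolerable frequency, fill rate, probability and component PFD is a constructed illustration, and a real site must derive its own.

```python
"""SIL determination for the tank-overfill interlock (added example).

Only SIL_BANDS comes from IEC 61508 (low-demand-mode PFDavg bands). All other
numbers are constructed for illustration and are not data for any real site.
"""
import math
from typing import Dict, Optional, Sequence

# IEC 61508 low-demand-mode bands: SIL -> (PFDavg lower bound, upper bound)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Constructed tolerable-frequency targets per consequence class (events/year).
# The more severe the harm, the lower the frequency that is tolerated.
TOLERABLE_PER_YEAR = {"vapour exposure": 1e-2, "serious injury": 1e-4, "fatality": 3e-5}


def sil_for_pfd(pfd: float) -> Optional[int]:
    """Map a PFDavg to its SIL band: 0 = no SIL required, None = below SIL 4's band,
    which a single safety function is not allocated; restructure the protection layers."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def required_pfd(fills_per_year: float, p_demand_per_fill: float, p_harm_given_spill: float,
                 consequence: str, other_layer_pfds: Sequence[float] = ()) -> float:
    """Required PFDavg of the interlock = tolerable frequency / unmitigated frequency.

    fills_per_year * p_demand_per_fill : demands on the interlock per year
    p_harm_given_spill                 : chance an overfill leads to this consequence
    other_layer_pfds                   : PFDs of independent layers credited before
                                         the SRS (e.g. the dike around the tank)
    Returns 1.0 when the risk is already tolerable without the interlock.
    """
    freq = fills_per_year * p_demand_per_fill * p_harm_given_spill
    for pfd in other_layer_pfds:
        freq *= pfd
    risk_reduction_factor = freq / TOLERABLE_PER_YEAR[consequence]
    return 1.0 if risk_reduction_factor <= 1.0 else 1.0 / risk_reduction_factor


def loop_pfd(subsystem_pfds: Sequence[float]) -> float:
    """Loop PFD for sensor, logic solver and final element in series: the safety
    function fails dangerously if ANY subsystem does (independent failures assumed)."""
    return 1.0 - math.prod(1.0 - p for p in subsystem_pfds)


def assess(required: float, subsystem_pfds: Sequence[float]) -> Dict[str, object]:
    """Compare what the loop achieves against what the risk assessment requires."""
    achieved = loop_pfd(subsystem_pfds)
    return {
        "required_pfd": required, "required_sil": sil_for_pfd(required),
        "achieved_pfd": achieved, "achieved_sil": sil_for_pfd(achieved),
        "meets_target": achieved <= required,
    }


if __name__ == "__main__":
    # Constructed: ~2 fills/week, 1 in 100 fills the normal control fails to stop,
    # 1 in 10 uncontained spills leads to a fatal fire, dike credited at PFD 0.1.
    req = required_pfd(100, 0.01, 0.1, "fatality", other_layer_pfds=[0.1])
    # Constructed component PFDs: level switch, safety PLC, fill valve.
    print(assess(req, [2e-3, 1e-4, 4e-3]))   # in the SIL 2 band, but misses the target
    print(assess(req, [2e-3, 1e-4, 5e-4]))   # better valve: now meets the target
```

Running the constructed case shows three things the prose states in words: the required SIL rises with severity (the same tank gives SIL 1 for vapour exposure but SIL 2 for a fatality), crediting the dike as a separate protection layer lowers the reduction the interlock itself must deliver, and the loop is only as good as its weakest component, so a valve with a PFD of 4e-3 leaves the loop inside the SIL 2 band yet still short of the required PFD until a better valve is fitted.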
To summarize, the hazard analysis identifies what has to be done to avoid the hazardous event associated with overfilling the gasoline tank. The risk assessment gives the safety integrity required of the interlocking system for the risk to be acceptable. These two elements, "what safety function has to be performed" (Safety Function Requirements) and "what degree of certainty is necessary that the safety function will be carried out" (Safety Integrity Requirements), are the foundations of functional safety.