Why 90% of Safety Functions Fail to Meet Functional Safety Standards
2020-06-17
In many industries, end users and their suppliers need to comply with functional safety standards such as IEC 61508, IEC 61511, EN 50128, DO-178C, IEC 62061, ISO 13849, ISO 26262, ISO 25119, ISO 10993 and many more. These standards are not easy to comply with, and many stakeholders struggle with compliance. This alarming reality calls for a deep dive into the top 10 reasons behind this disheartening trend. Let's explore why safety functions so consistently miss the mark and what can be done to rectify the situation.
1 - Lack of Functional Safety Management (FSM)
This is the number 1 reason. Without a well-defined and robust FSM system in place, organisations struggle to ensure that safety-related activities are carried out consistently and effectively throughout the lifecycle of their projects. The absence of an FSM approach undermines the foundation of functional safety, leading to subpar safety functions. For example, at Risknowlogy we once dealt with an EPC contractor that had no FSM system in place. Inadequate competence among its personnel led to inconsistent hazard and risk analysis and poor documentation, and the end user ended up with missing and wrongly specified safety functions. Wrong procedures, lack of training and inadequate tools were the main contributors to this non-compliance.
2 - Insufficient Competence of Personnel
Although competence is an aspect of FSM, we mention it separately because it is so important. Functional safety demands a high level of expertise from the individuals responsible for identifying, designing, implementing and maintaining safety functions. Unfortunately, a lack of competence in key areas such as hazard analysis, risk assessment and functional safety at the hardware and software level, together with a lack of understanding during operation, maintenance and repair, hampers the goal of compliant safety functions. At Risknowlogy, we often need to certify the work of system integrators. Our experience is that only a few system integrators know how to develop SIL-compliant application software. In most cases the programmer is self-taught and never received any formal safety PLC training. The lack of the training, knowledge and practical experience needed to implement safety-related software requirements effectively results in critical defects that compromise the overall safety performance of the system. In the end, the end user does not know that they have ended up with non-compliant application software. All they know is that the FAT was successful, yet the system is not compliant.
3 - Inadequate Hazard and Risk Analysis
The hazard and risk analysis must be correct for the end user to get the correct safety functions. A thorough hazard and risk analysis is the backbone of functional safety. However, many safety functions fall short because of superficial or incomplete analyses that fail to identify and address potential hazards and risks adequately. A popular technique in the process industry, for example, is HAZOP. At Risknowlogy, we see that the industry regards HAZOP as expensive and therefore puts it under cost pressure. This leads to the wrong people performing HAZOPs in the wrong way, resulting in the wrong safety functions. HAZOP is a great technique, but is it being turned into the worst one?
Another example we experienced at a medical device manufacturer: they overlooked certain failure modes during the hazard analysis, leading to unanticipated failures that ultimately jeopardised patient safety.
4 - Absence or Inadequacy of Safety Requirements Specification (SRS)
Hazard and risk analysis (HRA) is the basis for identifying which safety functions the end user needs. The SRS is the end result of the HRA: if the HRA is wrong, the SRS is wrong. But even when the HRA is correct, our experience is that the SRS is often wrong or even completely missing. The SRS serves as the blueprint for designing and implementing safety functions. Its absence or incompleteness undermines clarity and understanding and leads to ineffective safety measures.
We were once asked to review an underwater safety system that had already been built but not yet installed. The SRS did not specify how fast the safety function had to act. When we asked about this, the answer was, "We tested it, and the valve closes within 30 seconds". Thirty seconds is what had been designed, but how fast did it need to be? After some research and a delay of four weeks, they concluded that it needed to be faster than 20 seconds. This was a project of more than a million dollars. "Luckily", it went wrong at the design stage. The non-compliance would have been much worse if the safety function had been installed in the field as is. The damage would have been much greater.
5 - Poor Selection of Safety Equipment
Choosing the right safety equipment is crucial for achieving functional safety. However, inadequate evaluation and selection of safety devices such as sensors, controllers and actuators can render safety functions non-compliant. One of the industry's problems is that many so-called SIL-certified devices claim to be SIL compliant but often are not, despite the certificate. A real-life example we experienced at one of our clients: the engineering department identified the correct, SIL-compliant device, but the purchasing department decided there was a similar but cheaper device on the market. That device was not SIL-compliant. The plant opted for the lower-cost safety device without considering its SIL suitability, leading to non-compliance, and this will be a major liability should an accident happen. Guilty as charged.
6 - Flawed System Architecture
The architecture of a safety system directly affects its reliability and effectiveness. A poorly designed or overly complex architecture introduces unnecessary complexity, increasing the likelihood of undetected faults and jeopardising overall safety performance. And just because you have SIL-compliant devices does not mean you have a SIL-compliant architecture. The correct architecture is, of course, important from a functional safety point of view, but one of our clients understood neither functional safety nor process availability. They ended up with an architecture that was not SIL compliant and that caused spurious trips, at a cost of 2 million EUR per day.
7 - Inadequate Software Development Practices
Safety functions built without software are becoming extinct: safety-related software plays a vital role in most safety functions. However, inadequate software development practices, including poor coding standards, insufficient testing and a lack of formal verification, contribute to non-compliant safety functions. "But we did a FAT!" A FAT is not a software test. A FAT is a validation test that checks that the hardware and software work together as they should. Compliant software is not proven through a FAT. The most famous accident related to software that was not properly specified and tested is the explosion of the Ariane 5 rocket, a 360+ million non-compliance disaster.
8 - Insufficient Validation Testing
Proper validation testing ensures that the integrated hardware and software of a safety function operate as intended under the different operating conditions and scenarios. Inadequate or incomplete validation testing fails to uncover potential shortcomings and compromises overall functional safety. An average FAT or iFAT does what Risknowlogy calls happy-flow testing: the safety function is supposed to do this, so that is what we test. You have now tested what the safety function is supposed to do under normal conditions. Most FATs lack what we call robustness testing: how does the safety function perform under unusual conditions? Because unusual conditions are usually the conditions under which things go wrong.
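To make the difference between happy-flow and robustness testing concrete, here is an added example that is not part of the original article and not Risknowlogy's code. It models a hypothetical high-pressure trip function; the setpoint, the transmitter range and all readings are constructed for illustration. The happy-flow cases check what the function is supposed to do under normal conditions; the robustness cases feed it the unusual inputs a FAT rarely covers (signal loss, corrupted values, a transmitter out of its calibrated range, the exact setpoint). A naive implementation passes the first group and fails the second.

```python
import math

# Assumed values for illustration only (not from the article).
TRIP_SETPOINT_BAR = 50.0         # pressure at or above which the function must trip
SENSOR_RANGE_BAR = (0.0, 100.0)  # calibrated range of the hypothetical transmitter


def trip_decision(reading_bar, setpoint_bar=TRIP_SETPOINT_BAR):
    """Fail-safe trip logic: return True when the function must trip.

    Any reading that cannot be trusted (missing, wrong type, NaN/inf,
    outside the calibrated range) causes a trip. The function must act
    correctly on unusual conditions, not only on the happy flow.
    """
    if isinstance(reading_bar, bool) or not isinstance(reading_bar, (int, float)):
        return True                      # missing or garbage value -> trip
    if math.isnan(reading_bar) or math.isinf(reading_bar):
        return True                      # corrupted number -> trip
    lo, hi = SENSOR_RANGE_BAR
    if reading_bar < lo or reading_bar > hi:
        return True                      # outside calibrated range: transmitter fault -> trip
    return reading_bar >= setpoint_bar   # ">=" so the exact setpoint trips


def naive_trip(reading_bar, setpoint_bar=TRIP_SETPOINT_BAR):
    """What a happy-flow-only implementation often looks like."""
    return reading_bar > setpoint_bar


# Constructed test cases: (reading, expected trip decision).
HAPPY_FLOW_CASES = [
    (10.0, False),          # normal operation
    (49.9, False),          # just below the setpoint
    (60.0, True),           # clearly above the setpoint
]

ROBUSTNESS_CASES = [
    (50.0, True),           # exactly at the setpoint
    (None, True),           # loss of signal
    (float("nan"), True),   # corrupted value
    (-1.0, True),           # below calibrated range (transmitter fault)
    (150.0, True),          # above calibrated range
    ("50", True),           # wrong data type from the interface
]


def run_cases(cases, decision=trip_decision):
    """Return the readings for which `decision` does not give the expected result.

    An exception raised by the decision function counts as a failure too:
    a safety function that crashes on bad input has not tripped.
    """
    failures = []
    for reading, expected in cases:
        try:
            got = decision(reading)
        except Exception:
            got = None
        if got != expected:
            failures.append(reading)
    return failures


if __name__ == "__main__":
    print("fail-safe, happy flow failures:", run_cases(HAPPY_FLOW_CASES))
    print("fail-safe, robustness failures:", run_cases(ROBUSTNESS_CASES))
    print("naive, happy flow failures:    ", run_cases(HAPPY_FLOW_CASES, naive_trip))
    print("naive, robustness failures:    ", run_cases(ROBUSTNESS_CASES, naive_trip))
```

The naive version is exactly what a successful FAT would have validated: it trips at 60 bar and holds at 10 bar. Only the robustness cases reveal that it does not trip at the setpoint, stays silent on a NaN or a transmitter fault, and crashes on a missing reading.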
9 - Neglect of Operation, Maintenance, and Repair
Functional safety must be maintained throughout the lifecycle of a system. Neglecting proper procedures and competence during operation, maintenance and repair compromises functional safety and the SIL level, introducing unnecessary risk. Consider the following example; it has happened so often that we stopped counting. The end user buys a new SIL-compliant safety system, has it installed and starts up the facility. The safety system is never touched again. Oh, you mean we need to do something to maintain the SIL? Yes, indeed.
When we audit end users, we focus on the procedures dealing with the installed safety functions. Often the procedures are missing or lacking. Worse, the professionals who have to carry out the procedures are frequently not even aware that they are dealing with SIL. Operators and technicians need to be trained in functional safety and need to learn how it affects their job, and management does not train them. This is odd: we do not train the people who must operate, maintain and repair safety functions that will exist for the next 10, 20 or 30 years. Interesting, and non-compliant.
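Proof testing, the subject of reason 10, is one of the maintenance activities that gets dropped when the safety system is "never touched again". As an added example (not from the article, and not Risknowlogy's method), the following uses the IEC 61508 simplified formula for a single-channel (1oo1) function, PFDavg ≈ λDU × TI / 2, together with the low-demand SIL bands of IEC 61508-1, to show what skipping proof tests does to the achieved SIL. Common-cause failures and repair time are ignored, and the dangerous undetected failure rate and the proof test interval are assumed values chosen for illustration.

```python
HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (IEC 61508-1): SIL n holds for lower <= PFDavg < upper.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_years):
    """Average PFD of a 1oo1 function, simplified formula lambda_DU * TI / 2.

    Common cause, diagnostics and repair time are ignored (assumption).
    """
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du_per_hour * ti_hours / 2.0


def sil_from_pfd(pfd):
    """Highest low-demand SIL satisfied by a PFDavg; 0 means worse than SIL 1.

    Values below 1e-5 are outside the tabulated bands and are reported as
    SIL 4 here for illustration.
    """
    for sil in (4, 3, 2, 1):
        _, upper = SIL_BANDS[sil]
        if pfd < upper:
            return sil
    return 0


def effect_of_missed_proof_tests(lambda_du_per_hour, designed_interval_years,
                                 missed_tests):
    """Return (designed_pfd, designed_sil, actual_pfd, actual_sil).

    Skipping the proof test `missed_tests` times in a row stretches the
    effective interval to (missed_tests + 1) * designed interval, so the
    dangerous undetected failures accumulate for that long before anyone
    would find them.
    """
    designed = pfd_avg_1oo1(lambda_du_per_hour, designed_interval_years)
    actual = pfd_avg_1oo1(lambda_du_per_hour,
                          designed_interval_years * (missed_tests + 1))
    return designed, sil_from_pfd(designed), actual, sil_from_pfd(actual)


if __name__ == "__main__":
    # Assumed: lambda_DU = 1e-7 per hour (100 FIT), annual proof test in the SRS.
    LAMBDA_DU = 1e-7
    for missed in (0, 2, 9, 22):
        d, d_sil, a, a_sil = effect_of_missed_proof_tests(LAMBDA_DU, 1.0, missed)
        print(f"missed {missed:2d} tests: designed PFDavg={d:.2e} (SIL {d_sil}), "
              f"actual PFDavg={a:.2e} (SIL {a_sil})")
```

With the assumed 100 FIT dangerous undetected failure rate and an annual proof test, the function is a SIL 3 function on paper; skip two consecutive tests and it is operating as SIL 2, skip enough years and it drops to SIL 1. Nothing visible changes in the plant, which is exactly why the SRS interval and the safety manual have to be followed.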
10 - Lack of Proof Testing
One of the maintenance aspects is proof testing. Proof testing is a crucial (re)verification step that ensures safety functions continue to operate within their specified safety parameters. Neglecting or inadequately performing proof testing leads to undetected failures and compromises overall safety performance. And not following procedures and safety manuals is non-compliance.
Conclusion
The alarming reality that 90% of safety functions fail to meet functional safety standards demands immediate attention and action. By addressing the key reasons behind this widespread non-compliance, organisations can elevate their safety practices, minimise risks and protect lives. By embracing a comprehensive FSM approach, investing in competence development, conducting thorough hazard and risk analysis, creating a robust SRS, selecting appropriate safety equipment, designing sound system architectures, implementing robust software development practices, conducting rigorous validation testing, prioritising operation and maintenance procedures, and emphasising the importance of proof testing, organisations can break free from the prevalent non-compliance trap and set new benchmarks in functional safety. Remember, the responsibility lies with all stakeholders involved in functional safety projects. Together, we can overcome these challenges and pave the way for a safer and more reliable future.
Challenge yourself: How can you contribute to improving functional safety practices in your organisation? What steps can you take to ensure compliance with functional safety standards? Send us an email. Let's inspire each other towards functional safety excellence!