Operators and Safety Instrumented Functions (SIF)

2018-03-24

HUMAN ERRORS

The IEC 61511 standard (both the 2003 edition and the newer 2016 edition) allows the operator to be part of a safety function. A safety instrumented function that includes the operator initiates a visual and/or audible alarm; based on that alarm, the operator must take the appropriate action to bring the process to a safe state. This makes the operator a critical element in the safety chain.

Just as any piece of equipment that is part of the SIF can fail, so can the operator. When we discuss operator failures, we usually speak of Human Error. A Human Error is a deviation from what was expected: the operator did not intend it, but did it anyway. Human Errors are not the same as, for example, programming mistakes, even though humans make those too.

In the functional safety world, whenever work is done, it needs to be verified. When an operator configures, for example, a trip limit, he or she can make a mistake. In theory this is not a problem, because independent verification should take place, and when it does, the mistake should be found and corrected.

Reference John Kleeman – Questionmark

The Human Error problem is different in nature. The alarm goes off, and the operator takes the wrong action upon demand. How can that be? We trained the operator. He has procedures, and the procedures are correct. How can the operator still make a mistake? Well, they are human, after all, and humans make mistakes. The real problem is that when the operator needs to act upon demand, there is no time for verification: the action has to be correct the first time. The operator should not fail upon demand, but it can happen anyway. Maybe the operator had a rough night and is not so focused today. Maybe the operator is distracted by Facebook. Who knows why the operator made a mistake that day? All we know is that it does happen, and we need to minimise how often it happens.

THE PFD OF AN OPERATOR

Another common question is whether an operator has a PFD. Yes, operators have a probability of failure on demand. You will find plenty of PhD studies telling you what the failure rate of a human is, and you might find publications quoting a PFD for an operator. But does that all make sense?

I do not think it is really useful to take the PFD of an operator into account. Humans do not behave like hardware, software or mother nature (lightning strikes, flooding, etc.). We can train operators as much as we want, and in theory the PFD should go down. But although people, like equipment, can fail both randomly and systematically, there is an extra dimension: people have emotions, and some control them better than others. Some perform well under pressure (when the high-high alarm goes off), others don't. Some are good at multi-tasking (playing on the phone while taking care of the alarm), others aren't. Some have lots of experience, others don't. None of these factors influence the hardware or software in the field, but they do influence the way operators work.

Therefore my advice is not to take the probability of failure of an operator into account. It is just a number, and we can find any number we like and even justify it if necessary. But does that make our safety instrumented function safer? I think we had better focus on what the operator is supposed to do, how he is supposed to do it, and how we make sure he actually does it. That is management work: functional safety management, to be more precise.

OPERATORS AND SAFETY INSTRUMENTED FUNCTIONS

The challenge in our industry is to design in such a way that we do not depend on human factors. The ideal safety instrumented function is a fully automated and autonomous function. If we achieve that, then we do not depend on humans. A fully automated and autonomous safety instrumented function does not care whether it is snowing outside, whether the temperature is fifty degrees C, or whether the operator had a rough night. It will always act when needed.

If we do need a safety function in which operators play a part, then we need to make sure that we have the following:

  1. Procedures in place that are correct and fit for purpose,
  2. Train our operators on these procedures, and
  3. Audit periodically that they actually (know how to) follow these procedures.

This is far more important than trying to put a number on the PFD of an operator. We do not like to do safety by numbers; we like solid hardware and software solutions. Take care of qualitative measures like redundancy, voting and safety by design, and when an operator is involved, create a solution that the operator can actually work with.

IS IT A GOOD IDEA TO INVOLVE THE OPERATOR?

The ideal safety instrumented function is a fully automated one. But there are, of course, always exceptions. It is possible to use operators as part of the safety function when the process safety time is very long. Take, for example, a tank farm with overfill prevention systems. Overfilling a tank is a hazardous situation that can easily go terribly wrong; see the Buncefield (2005) and Jaipur (2009) accidents. But filling an oil tank is an activity that usually takes hours, and the buffer between the high-high limit and actually overfilling the tank can easily be more than an hour. In other words, when the high-high condition is reached, there is plenty of time to take corrective action.

Let's assume that, in this case, overfilling takes more than 1 hour after the high-high alarm. If we write a procedure which ensures that the operator acts within 15 minutes of the alarm sounding, we have plenty of time to take control of the situation. Note that the 15 minutes is only the operator's share of the process safety time: the alarm annunciation delay and the time the pump stop or valve closure needs to actually halt the inflow must fit in the remaining budget as well. This can only be achieved if we ensure that operators are always present, that they have been trained on the procedure, that they have demonstrated that they know it and can execute it, and that we audit them periodically.

Please note that in this case, safety depends on the equipment measuring the overfill condition AND activating the alarm AND the operators taking the right action. Functional safety management always plays an important role, but here it is absolutely critical because operators are involved. The competence of the operators is now the deciding factor in whether functional safety is achieved or not.
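The timing argument in the tank-farm example above can be made explicit. The following is an added example, not code from the original article: it models the process safety time after the high-high alarm as the remaining buffer volume divided by the inflow rate, and checks whether the whole response chain (annunciation, operator action, final element) fits inside it. The tank volumes, delays and fill rates are constructed for illustration, and the rule that the response chain must use no more than half the process safety time is an engineering rule of thumb adopted here as an assumption, not a requirement quoted from the standard.

```python
"""Process safety time check for an operator-in-the-loop overfill SIF.

Added example; all numbers below are constructed and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tank:
    """Tank volumes in cubic metres (hypothetical values)."""
    overfill_m3: float    # volume at which product spills over the rim/roof
    high_high_m3: float   # volume at which the high-high (HH) alarm trips


@dataclass(frozen=True)
class ResponseChain:
    """Everything that must happen, in series, before the inflow stops."""
    annunciation_s: float   # level sensor + logic solver + alarm annunciator delay
    operator_s: float       # maximum operator response time fixed by the procedure
    final_element_s: float  # time for the pump stop / valve closure to halt flow


def time_to_overfill_s(tank: Tank, fill_rate_m3h: float) -> float:
    """Process safety time: seconds from the HH alarm until the tank overfills."""
    if tank.high_high_m3 >= tank.overfill_m3:
        raise ValueError("high-high set point must be below the overfill level")
    if fill_rate_m3h <= 0:
        raise ValueError("fill rate must be positive")
    buffer_m3 = tank.overfill_m3 - tank.high_high_m3
    return buffer_m3 / fill_rate_m3h * 3600.0


def required_response_s(chain: ResponseChain) -> float:
    """Total time the SIF needs, alarm to halted inflow, if the operator acts at the limit."""
    return chain.annunciation_s + chain.operator_s + chain.final_element_s


def assess(tank: Tank, chain: ResponseChain, fill_rate_m3h: float,
           max_fraction_of_pst: float = 0.5) -> dict:
    """Judge one inflow rate. max_fraction_of_pst is an assumed rule of thumb:
    the response chain may consume at most this share of the process safety time."""
    pst = time_to_overfill_s(tank, fill_rate_m3h)
    needed = required_response_s(chain)
    return {
        "fill_rate_m3h": fill_rate_m3h,
        "process_safety_time_s": pst,
        "required_response_s": needed,
        "acceptable": needed <= max_fraction_of_pst * pst,
    }


def max_fill_rate_m3h(tank: Tank, chain: ResponseChain,
                      max_fraction_of_pst: float = 0.5) -> float:
    """Largest inflow at which the response chain still fits the allowed share of PST.
    Compare this against the maximum pump rate the tank can physically receive."""
    buffer_m3 = tank.overfill_m3 - tank.high_high_m3
    allowed_pst_s = required_response_s(chain) / max_fraction_of_pst
    return buffer_m3 / allowed_pst_s * 3600.0


# Constructed scenario: 500 m3 buffer above the HH alarm, 15 minute operator limit.
TANK = Tank(overfill_m3=10_000.0, high_high_m3=9_500.0)
CHAIN = ResponseChain(annunciation_s=30.0, operator_s=15 * 60.0, final_element_s=120.0)

if __name__ == "__main__":
    for rate in (200.0, 400.0, 857.0, 1000.0):
        r = assess(TANK, CHAIN, rate)
        print(f"{rate:7.1f} m3/h: PST {r['process_safety_time_s']:7.1f} s, "
              f"need {r['required_response_s']:6.1f} s, acceptable={r['acceptable']}")
    print(f"max inflow for this design: {max_fill_rate_m3h(TANK, CHAIN):.1f} m3/h")
```

The useful output is the last line: if the largest pump rate that can feed the tank exceeds that figure, the operator-in-the-loop design does not hold and either the high-high set point must move down, the operator limit must shrink, or the function must be automated.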

