A common question in the process industry is whether operators can be part of safety instrumented functions? The answer is yes. The IEC 61511 standard (both the new and 2003 edition) allow the operator to be part of the safety function. Safety instrumented functions that include the operator, initiate a visual and/or audible alarm. Based on this alarm the operator is required to take the appropriate action to bring the process to a safety state. And this, makes the operator a critical element in the safety chain.
Just like any piece of equipment part of the SIF can fail, also an operator can fail. When we discuss operator failures we usually speak about Human Error. A Human Error is a deviation from the expectation. It was not intended by the operator but he did it anyway. Human Errors are not the same as for example programming mistakes. Even though programming mistakes are also made by humans.
In the functional safety world when ever work is done, verification needs to be done. When an operator is programming, for example, the trip limit, he or she can make a mistake. In theory this is not a problem, because independent verification should take place. And when it does, the mistake should be found and corrected.
The Human Error problem is different in nature. The alarm goes off and the operator takes the wrong action upon demand. But how can that be? We trained the operator. He has procedures, and the procedures are correct. How can the operator make a mistake? Well he or she is human after all and humans make mistakes. The only problem is when the operator needs to take action upon demand there is no time for verification. It needs to be the correct action the first time. The operator should not fail upon demand, but it can happen anyway. May be the operator had a rough night and is not so focused today. May be the operator is distracted while reading Facebook pages. Who knows why the operator makes the mistake that day. All we know is, it does happen and we need to minimise how often it happens.
The PFD of an Operator
Another common question is whether the operator has a PFD? Yes, operators have a probability of failure on demand. You will find plenty of PhD studies telling you what the failure rate of a human is. You might find publications with the PFD of an operator. But does that all make sense?
I think it is not really useful to take into account the PFD of an operator. Humans do not act like hardware equipment, software or mother nature (lightning strike, flooding, etc.). We can train operators as much as we want and theoretically the PFD should go down. But although people can fail randomly and systematically, there is an extra dimension. People have emotions. And some control them better than others. Some perform well under pressure (when the high high alarm goes off), others aren’t. Some are good at multi tasking (playing on the phone while taking care of the alarm) others aren’t. Some have lots of experience, others don’t. All these factors do not influence the hardware or software in the field. But they do influence the way operators work.
Therefore my advice is to not take into account the probability of failure of an operator. This is just a number. And we can find any kind of number and even justify it if we need to. But does that make our safety instrumented function more safe? I think we better focus on what the operator is supposed to do, how he is supposed to do it and how we make sure he actually does that. And this is management stuff, functional safety management to be more precise.
Operators and Safety Instrumented Functions
The challenge in our industry is to design in such way that we do not depend on human factors. The ideal safety instrumented function is a fully automated and autonomous function. If we achieve that then we do not depend on humans. A fully automated and autonomous safety instrumented function does not care whether it is snowing outside, or whether the temperature is fifty degrees C, or whether the operator had a rough night. It will always act when needed.
If we do need to make a safety function where operators are needed then we need to make sure that we have:
- Procedures in place that are correct and fit for purpose,
- Train our operators on these procedures, and
- Audit periodically that they actually (know how to) follow these procedures.
This is far more important than trying to put a number on the PFD of an operator. We don’t like to do safety by numbers, we like solid hardware and software solutions. Take care of qualitative measures like redundancy and voting, safety by design. And when an operator is involved, create a solution that the operator can work with.
Is it a good idea to involve the operator?
The ideal safety instrumented function is a fully automated one. But there are of course always exceptions. It is possible to use operators as part of the safety function when the process safety time is very long. Take for example a tank farm with overfill prevention systems. Overfilling a tank is a hazardous situation that can easily go terribly wrong, see the Buncefield and Jaipur accidents. But filling up an oil tank is an activity that usually takes hours. The buffer between the high high limit and actually overfilling the tank can easily be over 1 hour. In other words when the high high condition is reached, we have plenty of time to take corrective action.
Lets assume that in this case overfilling does take indeed more than 1 hour. If we make a procedure which assures that the operator takes action within 15 minutes after the alarm sounds then we have plenty of time to take control of the situation. This can only be achieved if we can assure that operators are always present, that they have been trained on the procedures, that they prove that they know the procedure and can execute it, and that we audit them periodically.
Please note that in this case safety depends on the equipment measuring the overfill condition AND activating the alarms AND the operators taking the right action. Functional safety management always plays an important role but in this case it is absolutely critical because operators are involved. The competence of the operators is now the deciding factor whether functional safety is achieved or not.