Everything we do implies risks. These risks involve consequences from milder (and even imperceptible) to the most serious ones, when, sometimes, the lives of persons are at stake.
In a factory it is not different. And the consequences do not involve only physical harm to employees, but also damages to the facilities, the environment and the company finances.
What to do, then, to reduce these risks? Is it possible to avoid them?
Yes and no. A risk, according to the IEC 61508 standard, is the product between the frequency in which these hazardous situations occur and their consequence.
Both frequency and consequence can be measured, according to certain criteria, to find out the risk involved in a given process.
So, just imagine how difficult is to reduce the frequency of the consequence to zero. It is an almost impossible and unfeasible task.
In practice, risks will always exist. The question is: to what extent they should be minimized, what acceptable levels they should reach? Moreover: how much would it cost, how long would it take to be implemented? And perhaps the most important question: can the system implemented be activated whenever the hazardous situation happens? In other words, will it always be available?
These decisions will be up to the investor, the project owner, to make. Specialists in industrial safety may use a string of quantitative, qualitative, semi-quantitative techniques to reach desirable safety levels.
Therefore, SIS are systems that enable pre-established safety levels to work and, if a hazardous situation occurs, allow that everything is within safe limits.
To make this effective, there are safety instrumented functions, described as SIFs. This is what will be covered in the second part.
As above seen, the Instrumented Safety System (SIS) function is to prevent or attenuate hazardous events, bringing one or more processes to a level previously determined as safe.
Specialists in safety throughout time began working on the installation, scheduling and use of safety devices, to attenuate the risks related to industrial processes. However, they happened to be punctual tasks, with no established standards, inclusive for performance. There came then standards like the IEC61508 and the IEC 61511, with emphasis on the quantitative reduction of the risk, considerations on the system lifespan, etc. So, the conclusion is that when the PLC, sensors and final elements meet the requirements of these standards, the result is the Functional Safety, and the process risk is reduced to a pre-determined level.
Through the use of risk analysis methodologies, many accidents can be prevented in a SIS.
The risk analysis that conducts to the Functional Safety can be achieved by multiple technologies. One of them, for example, is the qualitative analysis of the probability of occurrence and consequences, as shown below.
|Category||Definition||Range(failures per year)|
|Frequent||Too many times during the system lifespan||>10-3|
|Probable||Several times during the system lifespan||10-3 to 10-4|
|Occasional||One time during the system lifespan||10-4 to 10-5|
|Remote||Hardly will happen during the system lifespan||10-5 to 10-6|
|Improbable||Very hardly will happen during the system lifespan||10-6 to 10-7|
|Impossible||It is not believed to happen||< 10-7|
|Catastrophic||Multiple losses of lives|
|Critical||Loss of a life|
|Marginal||Severe wounds to one or more persons|
And so the combined results of both matrices in a final Class of Risk Matrix are:
The Functional Safety will be represented by the Safety Instrumented Functions, or SIFs. PLCs, sensors and final elements combined make these functions possible. A SIS may have one or more SIFs.
Each SIF in a SIS has a Safety Integrity Level based on the probability of failures, as shown on the above table. Next week, we will examine these levels.
It is determined through several methods. Normally, risk matrices and graphs combined are used with Layers of Protection Analysis, known as LOPA.
In short, LOPA is a risk level analysis that extends from the basis (safer and easier to handle, whose control system alone guarantees the safety of the process) to the top, where there is an emergency response layer and the goal is to attenuate the effects of accidents related to the risks surveyed.
But this represents only the SIL evaluation on a process. The equipment in question must also undergo a hardware evaluation. This probabilistic analysis is performed by competent entities, like the German TÜV in association with the hardware maker. The important requirement is that both the equipment and the system comply with the related SIL.
As an example, consider that an equipment about to undergo a SIS is in operation. In case of failure and if required by a PLC (and if the chance for it to fail is between 1/10.000 and 1/1million) it is said to be a SIL 1, according to standard IEC 61508. If the probability is a failure between one million and ten millions it will be SIL 2, and so on.
The goal is that the risks on a control system be attenuated to acceptable levels, which are said to be safety requirements and are represented by the SIL, according to the probabilities of hazardous failures above examined.
According to CASSIOLATO (2010), what occurs in practice is that users acquire equipment with SIL certification to be applied on control systems but without the safety function. There still is some degree of misinformation, as many believe that by acquiring a SIL certified-transmitter the entire system is protected and risks no longer exist. Therefore, users pay more for a certified transmitter that do not provide the expected benefits. When purchasing the equipment, it is supposed to offer a certified, safe control system and many times SIS and explosion-proof installations concepts are mixed with intrinsic safety – when, actually, the user is just acquiring a controller or nothing but an equipment with certified safety functions.