Safety becomes the standard

In the 10 minutes before the fire and explosion at Texaco’s Milford Haven refinery in 1994, operators had to handle 275 alarms. Needless to say, their efforts were in vain. But the incident highlighted the increasing complexity of process control systems and gave an added push to the development of an international standard for best practice in safety-related control system design.

That standard, International Electrotechnical Commission (IEC) 61508, is set for adoption this autumn. Its roots, however, go back a long way.

In the late 1970s and early 1980s, safety functions were usually carried out by electromechanical devices or solid-state electronic systems, with the main failures coming from random hardware faults. Little attention was paid to systematic failures in the design process.

Dr Phil Bennett, chief executive of consultant CSE International, explains: ‘In 1984, there was a big push in Europe for product liability. And it was realised that computer systems could kill people. But one of the problems with attaching product liability to safety-related systems was that best practice had to be defined.’

Bennett is professor of safety-critical systems at the University of York and is chairman of one of the two expert working groups responsible for developing the standard.

CSE International, which Bennett founded, specialises in assessment of safety-critical systems, quality assurance, project management, industrial automation and in the management of software development.

IEC 61508 is split into seven parts, including requirements, examples and guidelines. The standard aims to provide a technically sound, systems-based approach which is flexible enough to allow for future developments. It uses a risk-based approach to determine safety performance. The IEC hopes it will give users and regulators confidence when using computer-based technology.

The standard will not be retrospective. Companies will not have to re-evaluate their systems and Bennett does not advise altering a safety system for the sole purpose of meeting the standard. But if some modification to a process is being carried out, he believes it would be wise to work to the standard. ‘Retrofits can be classed as new systems,’ he warns.

The new standard aims to achieve ‘functional safety’ – defined as the safety of a system as opposed to that of an individual piece of equipment – by dealing with potential failures throughout the whole life cycle of complex systems (see diagram). The standard defines safety as ‘freedom from the unacceptable risk’.

In the Health and Safety Executive’s investigation of 34 incidents involving safety-related control systems, 60% of failures were found to be designed into the faulty system. To avoid this, IEC 61508 places emphasis on three key areas: management of functional safety, technical requirements, and the competence of the people involved in the safety system’s production, use and maintenance.

The standard assesses the potential risks associated with a safety-related system and assigns it one of four safety integrity levels (SILs). The higher the SIL, the more stringent the safety requirements that have to be met. One requirement is for independent assessment of safety decisions, with the level of independence rising from scrutiny by an independent team within the same company, or an independent company within the same group, to a totally separate company, as the SIL increases.

However, Ron Bell, head of the electrical and control systems unit in the HSE’s directorate of science and technology, and chairman of the other expert working group on the standard, says: ‘IEC 61508 is a voluntary standard which does not impose certification. It does not, for example, say that anybody wishing to sell a safety-related system has to have had it certified by a third party.’

In any case, most chemical operations will have a SIL rating of two or three, which does not require safety assessment by an independent organisation.

IEC 61508 sets out a framework for all phases of a safety system’s installation and use – from concept, design and implementation through to maintenance and functional safety assessment.

For all phases, it specifies the objectives to be achieved, the requirements to meet the objectives, the scope of the phase, and the required inputs and outputs for the phase.

Once the SIL has been determined for a particular system, it forms the basis of the requirement for the safety integrity part of the design. These requirements tackle both random hardware failures and systematic failures.

As with any system, human error can be a factor in failure. IEC 61508 addresses the competence not only of the designers of a safety system, but also of the staff who maintain and control it. This could mean having access either to staff on site or to staff of the system supplier when the plant is operational.

One of the main aims of IEC 61508 is to enable the development of standards for specific industrial sectors. Work has started on standard IEC 61511 for the process industries, IEC 61513 for nuclear industries and IEC 62061 for the machinery sector.

The IEC hopes that by having common underlying principles, the efficiency of the supply chain for suppliers of sub-systems and components will improve.

The Texaco explosion injured 26 people – the blast was heard 30 miles away – and destroyed much of the fluidised catalytic cracking unit of the Texaco-Gulf joint venture, Pembroke Cracking Company. The HSE’s investigation, and its publication Out of control, highlighted more such accidents. Standard IEC 61508 should help ensure that the book does not have a sequel.