Linking Risk and Reliability Mapping the output of risk assessment tools to functional safety requirements for safety related control systems.


Mapping the output of risk assessment tools to functional safety requirements for safety related control systems.

5 August 2015

Authors: Douglas S. G. Nix, C.E.T., SM-IEEE (1, *), Yuvin Chinniah, Ph.D. (2), Federico Dosio, Ph.D. (3), Mark Fessler, MS, FS Eng. (4), Frank Schrever, B. App. Sc. (5)

Abstract

The increased focus on control systems for risk reduction in machinery requires control systems designers, and safety engineers, to have a much deeper understanding of the risk related to machinery, and of the relationship between the required risk reduction and the reliability of the control systems used to protect users. Immediately following risk assessment, risk reduction measures are specified to effectively control significant risks. The linkage between the assessed risk and the required integrity (reliability) of the safety-related controls is fraught with confusion for many practitioners. This paper addresses this confusion by providing two broad approaches to mapping risk to reliability requirements: either directly, or by mapping the risk parameters used to assess the risk to those used to assign integrity requirements.

Keywords: risk, reliability, functional safety, mapping, control system

Introduction

The relationship between the outcome of machinery risk assessment (i.e. risk indexes) and the safety related reliability (SRR) of control systems (i.e. functional safety) is unclear. However, this relationship is increasingly important to machine builders, since many risk reduction techniques rely on advanced safety related control system technologies. Despite the importance of this relationship, and the inclusion in some standards of example tools for determining the required SRR levels, many designers and users remain confused about it. Theoretically, the output from any risk assessment tool can be mapped to any SRR scale. This paper illustrates approaches that can be used to map risk to SRR, establishing this critical relationship.

1 Compliance InSight Consulting Inc. (* corresponding author)
2 École Polytechnique de Montréal
3 Studio Tecnico Dott. Ing. Federico Dosio
4 Tokyo Electron U.S. Holdings, Inc.
5 Machine Safety By Design Pty. Ltd.

The Relationship Between Risk and Safety Related Reliability (SRR)

To understand the basic relationship between risk in safety of machinery and the reliability of safety related controls, the fundamental concepts of safety, risk and reliability must be understood. ISO Guide 2 [1] defines safety as freedom from unacceptable risk of harm. Within the scope of this paper, the use of the term "safe" implies that the safety function provides acceptable risk mitigation, thereby reducing the residual risk to at least a tolerable level. ISO [9] defines risk as the combination of the probability of occurrence of harm and the severity of that harm, and further breaks the probability factors down to include the exposure of persons to the hazard, the occurrence of the hazardous event, and the technical and human possibilities to avoid or limit harm. Reliability is the probability of a system functioning correctly, or conversely, the probability of a failure occurring; it is also commonly expressed as a rate, the probability of a failure occurring over a period of time. It must also be appreciated that a reliable system (e.g. a safety function) may not be adequate to mitigate the risk if the risks have not been properly understood and appropriate control measures selected. Conversely, an unreliable system can still provide adequate risk mitigation if sufficient redundancy and fault detection (e.g., diagnostic coverage) is provided. Neither of these situations is acceptable, since reliable unsafe systems have not achieved the necessary risk reduction, and safe unreliable systems adversely impact productivity and are likely to be manipulated (bypassed, disabled, etc.). Therefore safe, reliable systems must always be the objective. In this context the discussion of reliability assumes that the risks have been properly analysed and understood, and that the reliability of the safety related control system maps correctly to the level of risk.

From the perspective of safety, an increasing risk level requires an increasing level of reliability from the safety related control systems. This idea is illustrated in Figure 1.

Figure 1 - The fundamental relationship between risk and reliability

Risk is considered to be a dimensionless value that extends from 0 to 1, where 0 represents impossibility and 1 represents certainty. Neither boundary condition commonly occurs; most events fall somewhere in the middle. The risk vector in Figure 1 could be the median value of a bell curve representing the probability of any truly random event. Reliability can be expressed in the same way, with 0 representing a system that never operates as intended and 1 representing a system that never fails. These two concepts are drawn together as functional safety: the ability of a control system with a safety function to operate without dangerous failure over a period of time. The greater the risk reduction relying on the safety related control system, the greater the required safety related reliability of the control system. Logically, the higher the severity of harm and the higher the probability of occurrence of that harm, the greater the safety related reliability required of the safety related control system responsible for reducing the probability of occurrence of the hazardous event to the lowest possible level. The reliability of a safety related control system affects only the probability of occurrence of the hazardous event in machinery risk assessment, the hazardous event being the failure of the safety related control system (i.e. the safety function is not achieved). When expressing the reliability of a safety function as a failure rate, the failure rate is expressed as a fraction per hour of operation of the equipment. IEC [2] introduced the concept of Probability of Dangerous Failure per Hour (PFH_d), the factor now commonly used. PFH_d is actually the inverse of reliability: rather than expressing how likely the system is to operate correctly per hour, it expresses the likelihood of the system failing per hour. How does this relate to risk? Figure 2 illustrates this idea.

Figure 2 - Inverse relationship between Risk and PFH_d.

Increasing levels of risk, shown as the red vector, require correspondingly lower values of PFH_d in order to achieve effective risk control. When considering reliability in terms of machinery safety, engineers normally need to know the reliability rate, that is, the probability of a failure over a certain period of time, and this is further refined to the probability of a dangerous failure over a period of time. PFH_d expresses the failure rate in terms of failures per hour of operation. PFH_d underlies the Safety Integrity Levels (SIL) used in all of the IEC functional safety standards (i.e., IEC [2] and IEC [3]), and the Performance Levels (PL) used in ISO :2006 [4]. Each SIL or PL covers a specific range of PFH_d values. This can be seen in detail in [4, Annex K].

Risk Reduction via the Control System

The concept of risk reduction using the control system can be illustrated by the following example. Suppose that a machine or a process has a dangerous situation occur once per year (F_ds = 1/a). This is not considered acceptable, but a reduced rate not exceeding once every 100 years (F_s = 1/100 a) would be acceptable. The process risk reduction can be represented as shown in Figure 3, where:

F_ds = Frequency of the Dangerous Situation
F_s = Frequency of the Dangerous Situation, after control

Figure 3 - Risk Reduction via the Control System

It could be said that the control system provides a risk reduction factor (RRF) greater than or equal to 100, as shown in Eq. 1.

$RRF = F_{ds} / F_{s} \geq 100$ (Eq. 1)

An RRF of 100 means that the safety related control system will not fail more than once every 100 years. This can also be stated as an average probability of dangerous failure (PFD_avg), as shown in Eq. 2, where PFD_avg is related to the RRF by Eq. 3.

$PFD_{avg} = 1/100 = 1 \times 10^{-2}$ (Eq. 2)

$PFD_{avg} = 1/RRF$ (Eq. 3)

In the machinery sector, dangerous occurrences happen much more often than once per year; it is more common to have a dangerous occurrence every hour. Considering that in one year there are hours, rounded up to h for ease of calculation, results in a PFH_d of approximately 1x10^-4 /h, as shown in Eq. 4, expressed as the probability of dangerous failure per hour.

$PFH_{d} = F_{s} / \; = 1 \times 10^{-4}/\mathrm{h}$ (Eq. 4)

A scale of risk reduction factors like that used in [2] or [4] is more useful if the range of PFH_d values is broken up into smaller bands, e.g., PL a, b, c, d, e, or SIL 1, 2, 3. In cases like this, where more than one level of RRF is needed, it is possible to fix the number of levels of risk and the corresponding levels of RRF using multiples of 10, creating a relationship between risk and RRF; if, for example, it is decided to use 5 levels of risk, the scale might look like Figure 4.

Figure 4 - Risk mapped to RRF

Grouping results into bands like those shown in Fig. 4 helps to alleviate precision bias [5], the tendency for people to believe that apparently precise numbers also represent true or accurate quantities. The probabilities discussed commonly in machinery risk assessments cannot be considered more than estimates, and therefore cannot be either precise or highly accurate. Risk is commonly assessed qualitatively or semi-quantitatively, because there is often very little real data available that could be used for a purely quantitative analysis of risk. Conversely, reliability is normally quantitative in nature, since the data provided by manufacturers for the lifetime of their products is based on testing, resulting in quantitative data. This poses a conceptual problem, since mapping a qualitative output from the risk-assessment scoring tool to a quantitative reliability requirement appears to be very difficult. It is actually simple to do if the magnitudes of the two factors, risk and reliability, are understood.

Method 1: Mapping Any Risk Scale to Any Reliability Scale

Risk-estimation, or risk-scoring, tools have some common properties:

- two or more parameters are included. As a minimum, these are Severity of Harm and Probability of Harm. The Probability of Harm parameter is commonly broken down into three additional parameters: Frequency and Duration of Exposure, Probability of the Hazardous Event, and the Probability of Avoiding or Limiting Harm [9];
- the output is expressed in terms of risk.

The tool may use a graphical approach, like that shown in Figure 5 [6, Fig. A.3], or a matrix format like that shown in Table 1.

Figure 5 - Risk graph for risk estimation [6, Fig. A.3]. The variables used in Figure 5 follow in Table 1.

Table 1 - Risk Parameter Scales used in Figure 5.

Severity of harm: S
  S1  Slight injury (usually reversible), for example scratches, laceration, bruising, light wound requiring first aid.
  S2  Serious injury (usually irreversible, including fatality), for example broken, torn-out or crushed limbs, fractures, serious injuries requiring stitches, major musculoskeletal troubles (MST), fatalities.

Frequency and/or duration of exposure to hazard: F
  F1  Twice or less per work shift, or less than 15 min cumulated exposure per work shift.
  F2  More than twice per work shift, or more than 15 min cumulated exposure per work shift.

Probability of occurrence of the hazardous event: O
  O1  Mature technology, proven and recognized in safety application; robustness.
  O2  Technical failure observed in the last two years; inappropriate human action by a well-trained person aware of the risks and having more than six months' experience on the work station.
  O3  Technical failure regularly observed (every six months or less); inappropriate human action by an untrained person having less than six months' experience on the work station; similar accident observed in the plant in the preceding ten years.

Possibility of avoidance or reduction of harm: A
  A1  Possible under some conditions: if parts move at a speed less than 0,25 m/s AND the exposed worker is familiar with the risks and with the indications of a hazardous situation or impending hazardous event; depending on particular conditions (temperature, noise, ergonomics, etc.).
  A2  Impossible.

Table 2 - ANSI B11-TR3 Risk Assessment Matrix [7, Table 1]

Probability of                    Severity of Harm
occurrence of harm   Catastrophic   Serious   Moderate     Minor
Very Likely          High           High      High         Medium
Likely               High           High      Medium       Low
Unlikely             Medium         Medium    Low          Negligible
Remote               Low            Low       Negligible   Negligible

The definitions for the variables used in Table 2 follow.

Table 3 - Variables used in Table 2.

Severity of harm
  Catastrophic   death or permanently disabling injury or illness (unable to return to work)
  Serious        severe debilitating injury or illness (able to return to work at some point)
  Moderate       significant injury or illness requiring more than first aid (able to return to same job)
  Minor          no injury or slight injury requiring no more than first aid (little or no lost work time)

Probability of occurrence of harm
  Very likely    near certain to occur
  Likely         may occur
  Unlikely       not likely to occur
  Remote         so unlikely as to be near zero

It can be argued that the matrix covers a broader range of factors than the risk graph. The probability of occurrence of harm shown in Table 2 includes consideration of the following factors [7]:

- exposure to a hazard
- personnel who perform tasks
- machine/task history
- workplace environment
- human factors
- reliability of safety functions
- possibility to defeat or circumvent protective measures
- ability to maintain protective measures

Another type of risk analysis tool is the nomogram shown in Figure 6. Note that this tool does not include all four risk parameters outlined in ISO 12100, as the Possibility to Avoid or Limit Harm parameter is absent.

Figure 6 - Risk Nomogram [8]

In this diagram, the RED line represents the first pass through the risk assessment, assuming that there are no risk controls present. The GREEN line represents the second pass through the risk assessment, considering the selected risk controls. Starting at the appropriate level on the Probability scale on the left, a straight index line is drawn through the appropriate point on the Exposure scale to the Tie Line. A second straight line is then drawn from the point where the Index Line and the Tie Line meet, through the Possible Consequences scale at the appropriate value, terminating on the Risk Score line. The termination point of the second line gives the risk score for the particular hazard being considered. Worth noting in this example is that only the Probability of the Hazardous Event has been changed from the initial assessment to the final assessment. The crossing points on the Exposure and Consequence scales remain unchanged, and yet the final risk falls from 300 to 15, for an RRF of 20 using Eq. 1 (RRF = 300 / 15 = 20).

Figure 7 shows the output scales of the Figure 5 and Table 2 methods normalized to a 0 to 1 scale, with the addition of the output scale from [10], which uses the product of four numerically scaled factors, i.e. Degree of possible harm, Frequency of Exposure, Likelihood of occurrence, and Number of persons at risk. The normalization shown in Figure 7 maps the risk index obtained from the ISO and ANSI tools onto a 0 to 1 risk scale. It is based on the assumption that the maximum risk is 1 and that each scale covers the range of risk from 0 to 1, although the apparent scales do not appear similar.

Figure 7 - Normalized Risk Scales

Since any qualitative or semi-quantitative risk scale may be normalized in this way, the next step is to map the reliability scales to risk. Quantitative risk scales require additional analysis to determine the appropriate mapping to other risk scales, as there may be limits imposed on these scales that limit the scope of their output.

Method 2: Direct Mapping

When mapping from any given risk-scoring tool to any reliability scale, only one risk scale and one reliability scale may be addressed at a time. In some cases, like systems integration, it may be advantageous to apply ISO [5] to one portion of the design and IEC [4] to another portion of the design. In this case, either the relevant risk must be mapped separately to each reliability scale, or the two reliability scales must first be normalized and then that result mapped to the risk scale. One approach to direct mapping is that shown in Figure 8. This method is taken from [4, Fig. A.1], and shows a decision tree that can be used to determine the PL_r value used in this standard. Starting at point 1, the user follows the decision tree, deciding at each juncture what the value of the relevant risk parameter is for the hazard being considered. At the end of the process the user will be guided to one of five possible reliability levels, a through e.

Figure 8 - ISO "Risk Graph"

Figure 8 is identified in [4] as a Risk Graph, but this is in fact incorrect, as the tool cannot be used for risk assessment despite its use of risk parameters. More correctly, it should be identified as a PL Selection Tool, since it is designed to assist the user in selecting an appropriate target PL for design. The risk parameters used in Figure 8 are shown in Table 4. Aside from the description of each variable selection being different from that in Table 1, the other significant omission is the variable O, the occurrence of the hazardous event. This is a significant variable, and its omission has been the topic of considerable discussion. If the assumption is made that the value of O should be taken to be 1, or 100%, then the assumption is that the hazardous event will occur whenever exposure occurs. Some have argued that this is not the case, but that leaves the authors to wonder what value should be assumed for this variable if it is not taken to be 1.

If the Probability of the Hazardous Event is ignored, this brings a problem with conformity to [9], which requires consideration of this variable.

Table 4 - Variables used in Figure 8

Severity of injury: S
  S1  slight (normally reversible injury)
  S2  serious (normally irreversible injury or death)

Frequency and/or exposure to hazard: F
  F1  seldom-to-less-often and/or exposure time is short
  F2  frequent-to-continuous and/or exposure time is long

Possibility of avoiding hazard or limiting harm: P
  P1  possible under specific conditions
  P2  scarcely possible

Another problem with the Figure 8 tool is the definition of the P parameter. When compared with the A parameter in Table 1, the definitions are seen to be similar. The use of a different parameter name, one that could be confused with the O parameter, may lead to errors in selection of the value from the scale. One more problem with the Figure 8 tool: it cannot be used for risk analysis. ISO requires risk to be analyzed before controls are implemented, to establish the intrinsic risk related to each hazard. Controls are implemented, and the risk is analyzed again to determine the residual risk. The residual risk is then compared against legislative, regulatory and social requirements to determine if the risk has been reduced to a tolerably low level. In the European Union, the residual risk(s) must be described in the Information for Use provided to the user. Without the capability to determine the degree of residual risk, the tool is useless in this context. The Figure 8 tool cannot describe residual risk because it does not have an output in terms of risk, but rather in terms of reliability bands. In order to meet the requirements of ISO 12100, the user must use one tool to determine the intrinsic and residual risk and the Figure 8 tool to determine the reliability requirement. This effectively doubles the effort for every hazard, since the risk parameters must be considered twice, and confusion ensues because the definitions of the parameters are different and the probability of the hazardous event is not considered. The focus of this paper is the elimination of this confusion by showing methods of mapping directly from risk to reliability using consistent scales that meet the requirements of [6]. The methods that follow show this approach.

Direct mapping refers to the process of mapping only the output scale of the risk-scoring tool to the output scale of the reliability requirements selection tool. This avoids the need to rationalize the various input parameters used in each scale, and is based on the assumption that, since the risk scale covers the full range of risk possible and the reliability scale covers the full range of practicable reliability values, the two scales can be directly compared, as illustrated in Figure 2.
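The direct mapping described above can be made concrete by running one risk-scoring tool through it end to end. The following is an added example, not code from the paper or from any of the cited standards: it looks up a hazard in the ANSI B11-TR3 matrix reproduced in Table 2, normalizes the four-level output onto the 0 to 1 axis of Figure 7 (each level placed at the centre of an equal-width band, which is an assumption made for the example), and reads off the PL band (a through e, also assumed to be equal-width on the same axis) that covers the same position. Because the subdivisions of the two scales do not coincide, the result also reports the neighbouring PL whenever the risk value sits within a tolerance (assumed here as 0.05) of a band boundary, marking the cases where engineering judgement is needed.

```python
"""Direct mapping of an ordinal risk scale onto an ordinal reliability scale.

Added example, not the paper's own code. Table 2 is reproduced as printed in
the paper; equal band widths on both normalized axes and the borderline
tolerance are assumptions made for this example.
"""
from typing import List, NamedTuple, Optional

# Table 2 - ANSI B11-TR3 risk assessment matrix [7, Table 1]
SEVERITY_COLUMNS: List[str] = ["catastrophic", "serious", "moderate", "minor"]
RISK_MATRIX = {
    "very likely": ("high", "high", "high", "medium"),
    "likely": ("high", "high", "medium", "low"),
    "unlikely": ("medium", "medium", "low", "negligible"),
    "remote": ("low", "low", "negligible", "negligible"),
}

# Output scales, ordered from lowest to highest
ANSI_RISK_SCALE: List[str] = ["negligible", "low", "medium", "high"]
PL_SCALE: List[str] = ["a", "b", "c", "d", "e"]


def ansi_risk(probability: str, severity: str) -> str:
    """Look up the risk level for one hazard in Table 2."""
    return RISK_MATRIX[probability][SEVERITY_COLUMNS.index(severity)]


def normalize(level: str, scale: List[str]) -> float:
    """Figure 7 style normalization: place a level at the centre of its band on [0, 1]."""
    n = len(scale)
    return (scale.index(level) + 0.5) / n


def band_of(x: float, scale: List[str]) -> int:
    """Index of the equal-width band on [0, 1] that contains x."""
    n = len(scale)
    return min(int(x * n), n - 1)


class Mapping(NamedTuple):
    level: str                       # reliability level read off the normalized axis
    position: float                  # normalized risk value that was mapped
    borderline_with: Optional[str]   # adjacent level when x lies near a band edge


def direct_map(risk_level: str, risk_scale: List[str], reliability_scale: List[str],
               tolerance: float = 0.05) -> Mapping:
    """Map a risk level to the reliability level at the same normalized position.

    The subdivisions of the two scales rarely coincide, so the adjacent level is
    also reported whenever the risk value is within `tolerance` of a boundary;
    those are the cases that call for engineering judgement.
    """
    x = normalize(risk_level, risk_scale)
    j = band_of(x, reliability_scale)
    n = len(reliability_scale)
    lower, upper = j / n, (j + 1) / n
    neighbour = None
    if j > 0 and x - lower < tolerance:
        neighbour = reliability_scale[j - 1]
    elif j < n - 1 and upper - x < tolerance:
        neighbour = reliability_scale[j + 1]
    return Mapping(reliability_scale[j], x, neighbour)


def map_hazard(probability: str, severity: str) -> Mapping:
    """Table 2 lookup followed by direct mapping onto the PL scale."""
    return direct_map(ansi_risk(probability, severity), ANSI_RISK_SCALE, PL_SCALE)


if __name__ == "__main__":
    # Constructed sample hazards, one per row of interest in Table 2
    for prob, sev in [("very likely", "catastrophic"), ("likely", "moderate"),
                      ("unlikely", "moderate"), ("remote", "minor")]:
        print(f"{prob:12s} {sev:13s} -> {map_hazard(prob, sev)}")
```

With four risk bands against five PL bands, "medium" lands just inside PL d with PL c as the flagged neighbour, and "low" lands in PL b with PL c flagged; "high" and "negligible" map cleanly to PL e and PL a. The flagged pairs are exactly the interpolation cases the direct-mapping approach leaves to the assessor.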

To further develop this idea, the output scale from [4, Fig. A.3] is mapped to the input scale from [4]; see Figure 9 below.

Figure 9 - Risk mapped to reliability

As Figure 9 shows, the subdivisions in the scales rarely meet up exactly, and therefore some interpolation of the results is required. Since the risk scale is subjective, no precision can be assumed for the results. Sound engineering judgement must be applied when assigning a Performance Level, or a SIL, in this manner.

Method 2: Parameter Scale Mapping

The parameter scale mapping process requires that the risk and reliability scales have the same input variables, although the scales may be subdivided differently. If the scales are subdivided differently, care must be taken when establishing the boundaries of each level for every parameter. The methodology described below was first suggested in a paper discussing challenges with a common safeguarding selection tool [10].

Risk Scoring Methodology

Table 5 and Table 6 show an example risk-scoring matrix. Details of the method follow the Tables. The parameter definitions are adopted from [2, Annex A]. Guidance for using the parameters is provided in [2], and is reproduced here for clarity.

Table 5 - Risk Scoring Matrix (Severity vs. Probability of Injury Class [Pr x (Fr+Av)])

Table 6 - Approximate Risk Ranges (Very Low, Low, Moderate, High, Very High)

Note that there are overlapping areas between the approximate risk ranges. User judgment is required in these areas to determine if the risk should be scored in the lower of the two ranges. Risks should be prioritized based on the level of severity; for example, two risks are scored at 90: one has a severity score of 3, the other a severity score of 4. The risk with severity level 4 should be binned into the High risk bin rather than Moderate, based on the higher severity level.

Scoring Algorithm

The Risk Scoring Algorithm is weighted to give the Severity and Probability of the Hazardous Event parameters greater effect on the final risk score than either the Frequency and Duration of Exposure or the Possibility of Avoidance parameters. The weighting was chosen in this way to prioritize risks with high-severity injury consequences, and to give the Probability of the Hazardous Event greater impact. In continuous exposure conditions, i.e., when Pr = 100 %, the Frequency (Fr) and Possibility to Avoid (Av) parameters become dominant, as would be expected based on observation of real-world work conditions. In other words, when a worker is continually exposed to the hazardous situation (Pr approaches 1), then the frequency of interaction with the hazard, Fr, and the worker's ability to avoid or limit harm during those exposures, Av, are what determine the likelihood of injury. The Probability of the Hazardous Event is very significant in OHS applications. This parameter can be used to account for a number of real-world effects, including:

- Predictability of the behaviour of component parts of the machine relevant to the hazard in different modes of use (e.g. normal operation, maintenance, fault finding).
- Probability of unexpected start-up of the machine
- Reliability of the Safety Related Control System
- Non-routine, non-repetitive tasks, such as unexpected repairs

The basic algorithm is shown in Equation 5, where:

R represents Risk
Se represents the Severity of Injury
Pr represents the Probability of the Hazardous Event
Fr represents the Frequency and Duration of Exposure
Av represents the Possibility to Avoid or Limit Harm

$R = Se \times [Pr \times (Fr + Av)]$ (Eq. 5)

The sum of the Fr and Av terms limits their overall impact on the final risk score when Pr is less than 1, and aggregates them since they normally occur together in the real world. The Pr term multiplies the impact of the (Fr, Av) term based on the likelihood that a person will be exposed, and the whole probability term is multiplied by the Se term to derive the Risk score. The use of the Pr term must be carefully considered. The probability of occurrence of the hazardous event should be estimated independently of the other related parameters, Fr and Av. A worst-case assumption should be used for each probability parameter to ensure that risk is not inadvertently scored lower than it should be. To prevent this occurring, task-based analysis is strongly recommended to ensure that proper consideration is given to estimation of the probability of occurrence of the hazardous event. Very high probability of occurrence of a hazardous event should be selected to reflect normal production constraints and worst-case considerations. If the hazard being analyzed is due to the normal operation or motion of the machine, then it is 100% probable that it will occur, and it should be scored at the highest level. Positive reasons (e.g. well defined application and knowledge of high level of user competences) are required for any lower values to be used. The probability factors are calculated first, to provide a series of risk classes, which are then combined with severity in matrix form. This is done to simplify the risk matrix. Equation 4 is shown in a matrix form in Table 9, with approximate risk bands shown in Table 10. These risk bands provide five bins that will generally group the assessed risks, helping to avoid precision bias. Note that there is significant overlap at the edges of the bands. This is also reflective of real-world conditions, as there are no well-defined break points between risk bands in real life.

Risk Parameter Scale Definitions

Severity (Se) Parameter

Severity of injuries or damage to health can be estimated by taking into account reversible injuries, irreversible injuries and death. Consider the most probable degree of injury expected for the exposure; for example, slip and fall injuries can be fatal, but not all are fatal all the time. A fall to the same level is less likely to cause a fatality than a fall to a lower level 20 m below. Choose the appropriate value of severity from Table 11 based on the most probable consequences of exposure to the hazard, where:

4 means a fatal or a significant irreversible injury such that it will be very difficult to continue the same work after healing, if at all. Includes significant lost time, more than 1 month;
3 means a major or irreversible injury in such a way that it can be possible to continue the same work after healing. It can also include a severe major but reversible injury such as broken limbs. Includes limited duration lost time, where more than 1 week but less than one month is lost;
2 means a reversible injury, including severe lacerations, stabbing, and severe bruises, that requires attention from a medical practitioner. Includes lost time where 1 week or less is lost;
1 means a minor injury including scratches and minor bruises that require attention by first aid. No lost time.

Table 7 - Severity Parameter Weights

Consequences                                                  Severity (Se)
Irreversible: death, losing an eye or arm                     4
Irreversible: broken limb(s), losing a finger(s)              3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid                               1

Probability of occurrence of harm

The probability of the occurrence of harm is the aggregate probability of an injury occurring. The probability of the occurrence of harm parameter (P) is made up of three probability parameters: Probability of the Hazardous Event (Pr), Frequency and Duration of Exposure (Fr), and the Possibility to Avoid or Limit Harm (Av), as in Equation 6.

$P = f(Pr, Fr, Av)$ (Eq. 6)

Each of the three parameters of probability of occurrence of harm (i.e. Pr, Fr, and Av) should be estimated independently of each other. A worst-case assumption needs to be used for each parameter to ensure that the assessed risk is not scored lower than it should be. Generally, using some form of task-based analysis is strongly recommended to ensure that proper consideration is given to estimation of the probability of occurrence of harm.

Probability of occurrence of a hazardous event

Generally, consider whether the machine or material being processed has the propensity to act in an unexpected manner. Machine behaviour will vary from very predictable to not predictable, but unexpected events cannot be discounted. Predictability is often linked to the complexity of the machine function. This parameter can be estimated by taking into account the:

- Predictability of the behaviour of component parts of the machine relevant to the hazard in different modes of use (e.g. normal operation, maintenance, fault finding).
- Probability of unexpected start-up of the machine
- Reliability of the Safety Related Control System
- Non-routine, non-repetitive tasks, like unexpected repairs

This will necessitate careful consideration of the control system regarding the risk of unexpected start-up. Do not take into account the protective effect of any Safety Related Control System (SRCS). This is necessary in order to estimate the amount of risk that will be exposed if the SRCS fails. Protective effects can be assessed when the risk reducing effects of the portions of the Hierarchy of Controls are considered. It is also important to take into account intended and foreseeable human behaviour when interacting with the machine relevant to the hazard. Some factors to consider include:

- stress (e.g., due to time constraints, work task, perceived damage limitation); and/or
- lack of awareness of information relevant to the hazard. This will be influenced by factors such as skills, training, experience, and complexity of machine/process.

A task analysis will reveal activities where total awareness of all issues, including unexpected outcomes, cannot be reasonably assumed. Select the appropriate row for probability of occurrence of the hazardous event (Pr) from Table 8.

Table 8 - Probability of Occurrence of the Hazardous Event (Pr) Weighting

Probability of Occurrence   Probability (Pr)
Very High*                  5
Likely                      4
Possible                    3
Rarely                      2
Negligible                  1

19 * Very high probability of occurrence of a hazardous event should be selected to reflect normal production constraints and worst case considerations. Positive reasons (e.g. well defined application and knowledge of high level of user competences) are required for any lower values to be used. Frequency and duration of exposure (Fr) Consider the following aspects to determine the level of exposure: need for access to the danger zone based on all modes of use, for example normal operation, maintenance; and nature of access, for example: manually feeding material, setting, lubrication. It should then be possible to estimate the average interval between exposures and therefore the average frequency of access. It should also be possible to foresee the duration, for example if it will be longer than 10 min. Where the duration is shorter than 10 min, the value may be decreased to the next level. This does not apply to frequency of exposure 1 h, which should not be decreased at any time. Select the appropriate row for Frequency and Duration of Exposure (Fr) from Table 9. Table 9 - Frequency and Duration of Exposure (Fr) Weighting Frequency of Exposure Duration >10 min Frequency (Fr) 1 h 5 1 h to 1 day 5 > 1 day 2 weeks 4 > 2 weeks 1 year 3 > 1 year 2 Probability of avoiding or limiting harm (Av) This parameter can be estimated by taking into account aspects of the machine design and its intended application that can help to avoid or limit the harm from a hazard. These aspects include, for example sudden, fast or slow speed of appearance of the hazardous event; spatial possibility to withdraw from the hazard; 19

- the nature of the component or system, for example a knife is usually sharp, a pipe in a dairy environment is usually hot, and electricity is dangerous by its nature but is not visible;
- the possibility of recognizing a hazard, for example an electrical hazard: a copper bar does not change its appearance whether it is under voltage or not, so an instrument is needed to establish whether electrical equipment is energized;
- ambient conditions, for example high noise levels can prevent a person from hearing a machine start;
- the presence of any complementary protective measures, i.e. emergency stop, enabling devices, hold-to-run controls, etc.

Select the appropriate row for probability of avoiding or limiting harm (Av) from Table 10.

Table 10 - Possibility to Avoid or Limit Harm (Av)

  Possibility to Avoid or Limit Harm         Weighting (Av)
  Impossible (probability approaches 0%)     5
  Rarely (probability < 50%)                 3
  Probable (probability approaches 100%)     1

The Risk Matrix presented in this paper is consistent with sound scaling theory, provides an output in terms of risk, and provides a means to map risk to functional safety Performance Levels / Safety Integrity Levels that is consistent with ISO , Amd. 1 when published in 2015, as well as the current edition of IEC .

Functional Safety Mapping

The risk scoring methodology discussed above uses risk parameter scales that are unchanged from their source in IEC . This provides a unique advantage, in that direct parameter mapping is automatically provided. No additional mapping from the risk scoring methodology to the functional safety integrity level scoring is required, only recalculation using the IEC algorithm. For example, consider a risk scored as follows:

  Se = 4, Irreversible: death, losing an eye or arm
  Pr = 5, Very high
  Fr = 5, ≤ 1 h
  Av = 3, Rarely (probability < 50%)

Substituting into Equation 5, the risk score would be:

  R = 4 x [5 x (5 + 3)] = 160

Using Table 11, the SIL requirement can be determined without needing to re-score the individual risk parameters. To determine the Class (Cl), Equation 7 is used:

  Cl = Fr + Pr + Av   (Eq. 7)

Substituting into Eq. 7:

  Cl = 5 + 5 + 3 = 13

Using Table 11, the SIL selection matrix, SIL 3 is located at the intersection of Se 4 and Cl 11-13, as shown below. This would not be an unreasonable reliability requirement for this severity of risk.

Table 11 - SIL Selection Matrix [2, Table A.6]

  Severity (Se)    Class (Cl) (Pr + Fr + Av)
                   3-4      5-7      8-10     11-13    14-15
  4                SIL 2    SIL 2    SIL 2    SIL 3    SIL 3
  3                         (OM)     SIL 1    SIL 2    SIL 3
  2                                  (OM)     SIL 1    SIL 2
  1                                           (OM)     SIL 1

In Table 11, (OM) stands for Other Measures; since the reliability levels possible using an ISO Cat. B architecture fall below the lower limit of SIL 1, systems designed using this architecture can be considered Other Measures. If the functional safety requirement is preferred in PL, Table 12 provides this direct mapping. Using Table 12, SIL 3 maps to PL c.

Table 12 - Relationship between performance level (PL) and safety integrity level (SIL) [12, Table 4]

  PL    SIL (IEC , for information), high/continuous mode of operation
  a     No correspondence
  b     1
  c     1
  d     2
  e     3
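The recalculation just described, as an added example that is not code from the paper: Tables 8 to 12 and Equations 5 and 7 are encoded as lookups so a scoring tool can recompute the SIL and PL from the stored parameters instead of re-transcribing them. The form of Equation 5, R = Se x [Pr x (Fr + Av)], is taken from the worked example since the equation itself is not reproduced in this section; the Cl column bands of Table 11 are those of the cited Table A.6; and `map_risk`, `RiskScore` and `fr_weight` are names chosen here.

```python
"""Risk parameters (Se, Pr, Fr, Av) -> risk score R, class Cl, SIL and PL.

Added example, not the paper's own code.  Equation 5 is used in the form
shown by the paper's worked example: R = Se x [Pr x (Fr + Av)].
"""
from dataclasses import dataclass

# Table 8 - probability of occurrence of the hazardous event (Pr)
PR_WEIGHT = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}

# Table 10 - possibility to avoid or limit harm (Av)
AV_WEIGHT = {"impossible": 5, "rarely": 3, "probable": 1}

# Table 9 - frequency of exposure (Fr): (upper bound of the interval between
# exposures in hours, inclusive, weighting); intervals over one year score 2.
_FR_ROWS = [(1, 5), (24, 5), (14 * 24, 4), (365 * 24, 3)]
_FR_OVER_ONE_YEAR = 2


def fr_weight(interval_hours: float, duration_over_10_min: bool = True) -> int:
    """Fr weighting for an average interval between exposures.

    Table 9 note: an exposure lasting 10 min or less may be lowered one
    level, except for intervals of 1 h or less, which are never decreased.
    """
    if interval_hours <= 0:
        raise ValueError("interval between exposures must be positive")
    weight = _FR_OVER_ONE_YEAR
    for upper, w in _FR_ROWS:
        if interval_hours <= upper:
            weight = w
            break
    if not duration_over_10_min and interval_hours > 1:
        weight = max(weight - 1, 1)
    return weight


@dataclass(frozen=True)
class RiskScore:
    se: int  # severity, 1..4
    pr: int  # Table 8
    fr: int  # Table 9
    av: int  # Table 10

    def __post_init__(self) -> None:
        if not (1 <= self.se <= 4 and 1 <= self.pr <= 5 and 1 <= self.fr <= 5):
            raise ValueError("Se must be 1..4, Pr and Fr 1..5")
        if self.av not in AV_WEIGHT.values():
            raise ValueError("Av must be 1, 3 or 5")

    def risk(self) -> int:
        """Equation 5: R = Se x [Pr x (Fr + Av)]."""
        return self.se * (self.pr * (self.fr + self.av))

    def cl(self) -> int:
        """Equation 7: Cl = Fr + Pr + Av."""
        return self.fr + self.pr + self.av


# Table 11 - SIL selection matrix [2, Table A.6].  Columns are the Cl bands
# 3-4, 5-7, 8-10, 11-13, 14-15; None is a blank cell (no SIL-rated function
# indicated), "OM" means Other Measures.
_CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
_SIL_MATRIX = {
    4: [2, 2, 2, 3, 3],
    3: [None, "OM", 1, 2, 3],
    2: [None, None, "OM", 1, 2],
    1: [None, None, None, "OM", 1],
}


def required_sil(score: RiskScore):
    """Look up the Table 11 cell at the intersection of Se and the Cl band."""
    cl = score.cl()
    for col, (lo, hi) in enumerate(_CL_BANDS):
        if lo <= cl <= hi:
            return _SIL_MATRIX[score.se][col]
    raise ValueError(f"Cl {cl} lies outside Table 11")


# Table 12 - PL(s) corresponding to a SIL.  PL a has no correspondence and
# SIL 1 corresponds to both PL b and PL c, so the lookup returns a tuple.
PL_FOR_SIL = {1: ("b", "c"), 2: ("d",), 3: ("e",)}


def pl_for_sil(sil):
    return () if sil in (None, "OM") else PL_FOR_SIL[sil]


def map_risk(se, pr_label, interval_hours, av_label, duration_over_10_min=True):
    """Full chain: labels and exposure interval -> R, Cl, SIL and PL."""
    score = RiskScore(se, PR_WEIGHT[pr_label],
                      fr_weight(interval_hours, duration_over_10_min), AV_WEIGHT[av_label])
    sil = required_sil(score)
    return {"R": score.risk(), "Cl": score.cl(), "SIL": sil, "PL": pl_for_sil(sil)}


if __name__ == "__main__":
    # The paper's worked example: Se 4, Pr very high, exposure <= 1 h, Av rarely
    print(map_risk(4, "very high", 1, "rarely"))  # R 160, Cl 13, SIL 3
```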

This process is suitable for simple automation, e.g. using a spreadsheet with logical calculations. While it is theoretically possible to score manually, the mapping increases the likelihood of transposition errors.

Conclusions

Direct mapping provides a simple approach to linking risk and reliability; however, difficulty may be encountered when attempting to determine the break points in the matched variables, particularly if the two scales do not use the same number of divisions. Factor mapping deals with the assignment of break points more effectively, but is best suited to semi-automated or automated scoring systems. Manual use of these maps leads to transposition errors. Consideration of legislative requirements is also important when assigning the break points between the scales. Although there is general agreement between jurisdictions regarding the degree of injury considered reportable, the exact details often fail to match. This failure can result in under- or over-stating the risk of a given injury, and possibly over-designing the reliability of the safety related control system.

Acknowledgement

The authors would like to acknowledge the support of their employers in the development of this paper, who have generously provided the time and resources necessary to permit their involvement.

Definitions

functional safety
absence of unreasonable risk (1.136) due to hazards (1.57) caused by malfunctioning behaviour (1.73) of E/E systems (1.31). [11]
part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities. [12]

harm
physical injury or damage to health [9, 3.5]

hazard
potential source of harm
NOTE 1 The term "hazard" can be qualified in order to define its origin (for example, mechanical hazard, electrical hazard) or the nature of the potential harm (for example, electric shock hazard, cutting hazard, toxic hazard, fire hazard).
NOTE 2 The hazard envisaged by this definition either is permanently present during the intended use of the machine (for example, motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature), or can appear unexpectedly (for example, explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).
NOTE 3 The French term "phénomène dangereux" should not be confused with the term "risque", which was sometimes used instead in the past. [9, 3.6]

hazardous event
event that can cause harm
NOTE A hazardous event can occur over a short period of time or over an extended period of time. [9, 3.9]

hazardous situation
circumstance in which a person is exposed to at least one hazard
NOTE The exposure can result in harm immediately or over a period of time. [9, 3.10]

mode of operation
way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it, which may be either
- low demand mode: where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency;
- high demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-test frequency.
NOTE 1 High demand or continuous mode covers those safety-related systems which implement continuous control to maintain functional safety.
NOTE 2 The target failure measures for safety-related systems operating in low demand mode and high demand or continuous mode are defined in [11, ]

Probability of dangerous Failure per Hour (PFHd)
average probability of dangerous failure within 1 h
NOTE PFHd should not be confused with probability of failure on demand (PFD). [4]

risk
combination of the probability of occurrence of harm and the severity of that harm [9, 3.12]

residual risk
risk remaining after protective measures have been implemented
NOTE 1 This International Standard distinguishes:
- the residual risk after protective measures have been implemented by the designer;
- the residual risk remaining after all protective measures have been implemented. [9, 3.13]

risk estimation
defining likely severity of harm and probability of its occurrence [9, 3.14]

risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation [9, 3.15]

risk assessment
overall process comprising a risk analysis and a risk evaluation [9, 3.17]

References

[1] 'Standardization and related activities - General vocabulary. ISO Guide 2', International Organization for Standardization (ISO), Geneva.
[2] 'Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC ', International Electrotechnical Commission (IEC), Geneva.
[3] 'Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems - Part 1: General requirements. IEC ', International Electrotechnical Commission (IEC), Geneva.
[4] 'Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design. ISO ', International Organization for Standardization (ISO), Geneva.
[5] Wikipedia, 'Precision bias', [Online]. Available: [Accessed: 19-Jul-2015].
[6] 'Technical Report - Safety of machinery - Risk assessment - Part 2: Practical guidance and examples of methods. ISO/TR ', International Organization for Standardization (ISO), Geneva.

[7] 'ANSI Technical Report for Machine Tools - Risk assessment and risk reduction - A guide to estimate, evaluate and reduce risks associated with machine tools', American National Standards Institute, Inc., McLean, Virginia.
[8] G. Kinney and A. Wiruth, 'Practical Risk Analysis for Safety Management', Naval Weapons Center, China Lake.
[9] 'Safety of machinery - General principles for design - Risk assessment and risk reduction. ISO 12100', International Organization for Standardization (ISO), Geneva.
[10] D. Nix, 'Evaluation of Problems and Challenges in CSA Z Annex DVA Task-Based Risk Assessment Methodology', Compliance InSight Consulting Inc., Kitchener.
[11] 'Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations. IEC ', International Electrotechnical Commission (IEC), Geneva.


More information

Available online at ScienceDirect. Jiří Zahálka*, Jiří Tůma, František Bradáč

Available online at  ScienceDirect. Jiří Zahálka*, Jiří Tůma, František Bradáč Available online at www.sciencedirect.com Scienceirect Procedia Engineering 69 ( 204 ) 242 250 24th AAAM International Symposium on Intelligent Manufacturing and Automation, 203 etermination and Improvement

More information

Accident Investigation and Hazard Analysis

Accident Investigation and Hazard Analysis Accident Investigation and Hazard Analysis June 18, 2015 Objectives: Accident Investigation Define accidents Review why accident investigations are important Review the purpose of accident investigations

More information

Quantitative Risk Analysis (QRA)

Quantitative Risk Analysis (QRA) Quantitative Risk Analysis (QRA) A realistic approach to relief header and flare system design Siemens AG 2017, All rights reserved 1 Quantitative Risk Analysis Introduction Most existing pressure relief

More information

Safety Analysis Methodology in Marine Salvage System Design

Safety Analysis Methodology in Marine Salvage System Design 3rd International Conference on Mechatronics, Robotics and Automation (ICMRA 2015) Safety Analysis Methodology in Marine Salvage System Design Yan Hong Liu 1,a, Li Yuan Chen 1,b, Xing Ling Huang 1,c and

More information

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System Presented to: EUROCONTROL Safety R&D Seminar By: Dino Piccione Date: October 23, 2008 Project Objectives Forge a link between

More information

Employ The Risk Management Process During Mission Planning

Employ The Risk Management Process During Mission Planning Employ The Risk Management Process During Mission Planning TSG 154-6465 Task(s) TASK NUMBER TASK TITLE Taught or 154-385-6465 Employ The Risk Management Process During Mission Planning Supported Task(s)

More information

CT433 - Machine Safety

CT433 - Machine Safety Rockwell Automation On The Move May 16-17 2018 Milwaukee, WI CT433 - Machine Safety Performance Level Selection and Design Realization Jon Riemer Solution Architect Safety & Security Functional Safety

More information

Safety Guidelines for Live Entertainment and Events I Part 2. Hazard Identification and Risk Management 1

Safety Guidelines for Live Entertainment and Events I Part 2. Hazard Identification and Risk Management 1 Safety Guidelines for Live Entertainment and Events Part 2. Hazard Identification and Risk Management Contents Disclaimer... 1 1. Principles of Risk Management... 2 2. The Risk Management Process... 2

More information

The IEC61508 Operators' hymn sheet

The IEC61508 Operators' hymn sheet The IEC61508 Operators' hymn sheet A few key points for those Operators of plant or equipment that involve SIL rated safety functions*, trips or interlocks by The 61508 Association SAFETY INSTRUMENTED

More information

Rosemount 2130 Level Switch

Rosemount 2130 Level Switch Rosemount 2130 Level Switch Functional Safety Manual Manual Supplement Reference Manual Contents Contents 1Section 1: Introduction 1.1 Scope and purpose of the safety manual.............................................

More information

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY Jinhyung Park 1 1 Yokogawa Electric Korea: 21, Seonyu-ro45-gil Yeongdeungpo-gu, Seoul, 07209, Jinhyung.park@kr.yokogawa.com Safety Integrity Level (SIL) is

More information

Risk Management Guide

Risk Management Guide What is health and safety risk management? Risk Management Guide Risk Management is a proactive, logical and systematic approach of managing the uncertainty relating to potential risk, rather than responding

More information

High Integrity Pressure Protection Systems HIPPS

High Integrity Pressure Protection Systems HIPPS High Integrity Pressure Protection Systems HIPPS HIPPS > High Integrity Pressure Protection Systems WHAT IS A HIPPS The High Integrity Pressure Protection Systems (HIPPS) is a mechanical and electrical

More information

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI Identification and Screening of Scenarios for LOPA Ken First Dow Chemical Company Midland, MI 1 Layers of Protection Analysis (LOPA) LOPA is a semi-quantitative tool for analyzing and assessing risk. The

More information

HAZARD RECOGNITION EVALUATION and CONTROL

HAZARD RECOGNITION EVALUATION and CONTROL What is a hazard? HAZARD RECOGNITION EVALUATION and CONTROL Hazard - a dangerous object, event, behaviour or condition (in the workplace) which has the potential to cause injury, illness or property damage.

More information

Hazard Assessment & Control. Faculty of Veterinary Medicine

Hazard Assessment & Control. Faculty of Veterinary Medicine Hazard Assessment & Control Faculty of Veterinary Medicine Emergency Evacuation In the event of an emergency Primary exit is to the. Secondary exit is to the. Assembly point is at. Campus Security Emergency

More information

Aeronautical studies and Safety Assessment

Aeronautical studies and Safety Assessment Aerodrome Safeguarding Workshop Cairo, 4 6 Dec. 2017 Aeronautical studies and Safety Assessment Nawal A. Abdel Hady ICAO MID Regional Office, Aerodrome and Ground Aids (AGA) Expert References ICAO SARPS

More information

Safety in pneumatic automation

Safety in pneumatic automation Safety in pneumatic automation Pharm connect congress 2014 Budapest Feb. 26. 27. Thomas Schulz Head of ISM and KAM Biotech/Pharma Phone: +49-711/347-52192 Mail: thss@de.festo.com Thomas Schulz / CP-KB

More information

RISK ASSESSMENT HAZARD IDENTIFICATION AND RISK ASSESSMENT METHODOLOGY

RISK ASSESSMENT HAZARD IDENTIFICATION AND RISK ASSESSMENT METHODOLOGY RISK ASSESSMENT HAZARD IDENTIFICATION AND RISK ASSESSMENT METHODOLOGY A) RISK Risk concerns the deviation of one or more results of one or more future events from their expected value. Risk related to

More information

Safe High Pressure Water Washing (HPWW) Requirement

Safe High Pressure Water Washing (HPWW) Requirement Safe High Pressure Water Washing (HPWW) Requirement Index Page Introduction 3 Flow chart of process steps 4-5 Responsibilities 6 Risk assessment process 7-9 Job safety analyses considerations 10-11 Compliance

More information

Analysis of hazard to operator during design process of safe ship power plant

Analysis of hazard to operator during design process of safe ship power plant POLISH MARITIME RESEARCH 4(67) 2010 Vol 17; pp. 26-30 10.2478/v10012-010-0032-1 Analysis of hazard to operator during design process of safe ship power plant T. Kowalewski, M. Sc. A. Podsiadło, Ph. D.

More information

ALIGNING MOD POSMS SAFETY AND POEMS ENVIRONMENTAL RISK APPROACHES EXPERIENCE AND GUIDANCE

ALIGNING MOD POSMS SAFETY AND POEMS ENVIRONMENTAL RISK APPROACHES EXPERIENCE AND GUIDANCE ALIGNING MOD POSMS SAFETY AND POEMS ENVIRONMENTAL RISK APPROACHES EXPERIENCE AND GUIDANCE R. L. Maguire MIMechE MSaRS RS2A Limited Swindon, UK 07505 743 725 rlm@rs2a.com Keywords: POSMS, POEMS, Alignment,

More information

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395 Safety Standards Acknowledgement and Consent (SSAC) CAP 1395 Contents Published by the Civil Aviation Authority, 2015 Civil Aviation Authority, Aviation House, Gatwick Airport South, West Sussex, RH6 0YR.

More information

Section 1: Multiple Choice Explained EXAMPLE

Section 1: Multiple Choice Explained EXAMPLE CFSP Process Applications Section 1: Multiple Choice Explained EXAMPLE Candidate Exam Number (No Name): Please write down your name in the above provided space. Only one answer is correct. Please circle

More information

The Key Variables Needed for PFDavg Calculation

The Key Variables Needed for PFDavg Calculation Iwan van Beurden, CFSE Dr. William M. Goble, CFSE exida Sellersville, PA 18960, USA wgoble@exida.com July 2015 Update 1.2 September 2016 Abstract In performance based functional safety standards, safety

More information

Required Courses. Total Hours 39

Required Courses. Total Hours 39 Public Sector Safety & Health Fundamentals Certificate Program for Construction Participants must complete a minimum of seven courses, comprised of required and elective courses, that include a minimum

More information

COMPLETION OF PROCEDURE ASSESSMENT FORM (COSHH RELATED) GUIDANCE NOTES (Version 3)

COMPLETION OF PROCEDURE ASSESSMENT FORM (COSHH RELATED) GUIDANCE NOTES (Version 3) COMPLETION OF PROCEDURE ASSESSMENT FORM (COSHH RELATED) GUIDANCE NOTES (Version 3) The following guidance notes accompany the College Procedure Assessment form (COSHH-related). Please complete all applicable

More information

Partial Stroke Testing. A.F.M. Prins

Partial Stroke Testing. A.F.M. Prins Partial Stroke Testing A.F.M. Prins Partial Stroke Testing PST in a safety related system. As a supplier we have a responsibility to our clients. What do they want, and what do they really need? I like

More information

Functional Safety SIL Safety Instrumented Systems in the Process Industry

Functional Safety SIL Safety Instrumented Systems in the Process Industry Products Solutions Services Functional Safety SIL Safety Instrumented Systems in the Process Industry BASF - Press Photo 2 section Foreword rubric 3 Foreword has come into focus since the publication of

More information

HEALTH AND SAFETY RISK ASSESSMENT POLICY Harmer Street Gravesend Kent DA12 2AX

HEALTH AND SAFETY RISK ASSESSMENT POLICY Harmer Street Gravesend Kent DA12 2AX HEALTH AND SAFETY RISK ASSESSMENT POLICY 42 44 Harmer Street Gravesend Kent DA12 2AX CONTENTS 1. General Policy on Health and Safety Risk Assessment... 1 2. Scope... 1 3. Authorisation... 1 4. Responsibility...

More information