
Recently, we delivered a training course on IEC 61508 and 61511 (the two standards that form the basis for many safety instrumented systems in the process industries). The course was developed by another company, and it does a good job of showing how other “things” supplement safety instrumented systems. One of the best examples from the course was a fence. The fence reduced human access to a dangerous area, and the risk reduction factor was determined to be about 10. This means (if we use SIL terminology for a non-instrumented system) the fence was a SIL 1 safety system.

Now … the standards discuss the need for ongoing proof testing of the safety instrumented systems, in an effort to find “dangerous undetected faults”. These are the faults that can cause the system to not work when it needs to work.

One delegate asked a fantastic question … “how do you proof test a fence?” When you consider that a proof test is not an audit but a performance-based demonstration, and when you consider management of change, it is an outstanding question. And it begs another question … should safety non-instrumented systems be scrutinised to the same level (looking for systematic faults) as safety instrumented systems? And if you answer “yes”, how is it done in a proof-testing environment?

The class was able to create two scenarios where the integrity of the fence could be tested. I am not going to describe the shortcomings, but you will clearly see they are not ideal.

The first scenario involved a “test” of the fence and the permit to work system. It would have to be staged with knowledgeable people to better manage the unusual situation.
The responsible employee (potentially the safety engineer for the owner company) would conceive of the need for a “maintenance activity” inside the fence. The maintenance activity would be pertinent to a warranty.
A group of people would show up one day with pertinent documents, showing authorisation for work to be done inside the fence. These people would be knowledgeable in the situation, but would pose as normal skilled and unskilled labour personnel.
They would then produce a “tool” that would not fit through the fence gate. This would mean some of the fence would have to be dismantled to use the tool. And, because the tool was required for “warranty” purposes, it becomes extremely important that this tool be used. As the class discussed this issue, it became clear the tool would need to be special – we would not want a small crane to simply lift the tool over the fence. A device permanently mounted to a vehicle could be a good option for this tool.
At the last moment (just before the fence is dismantled, or when the plant manager says the warranty is no longer worthwhile), the people posing as skilled and unskilled labour would “confess”.
The robustness of the permit to work system, and the fence, would have been proof tested. It is possible a systematic error in a “SIL 1” system would be identified.
Naturally, this will cost money to set up and execute the test. There are some risks, but the cost and risks potentially are of the same order of magnitude as proof testing of safety instrumented systems.

The second scenario involved a project. Again, it would have to be staged with knowledgeable people to manage the situation.
The responsible employee (the owner’s project manager) would have to orchestrate this test. The project design team would need to come up with a reason to move the fence. It could be for installation of a new item required by the project, but the reason would need to be something that would not arouse suspicion.
The project would proceed with the plan to move the fence.
When the project reached a certain milestone (say … during the HAZOP, or during the construction review) and the problem with relocating the fence had not been detected, the responsible employee would “confess”.
The robustness of the project management of change system, and the integrity of the fence would be proof tested. Again, there are costs and risks, but again they potentially are similar to the cost and risk of proof testing safety instrumented systems.
The class then discussed the ethics of these two scenarios. The similarities to hidden camera television shows (such as “Candid Camera”, “Punk’d”, “Just for Laughs Gags”, and “The Jamie Kennedy Experiment”) are very evident. While it is one thing to use this format for entertainment, it is a completely different situation when using this format to test a safety system. How would this method impact the performance of the employees in real situations? Or in normal situations that were practice drills (would they become more cynical)? With safety instrumented systems, these (by analogy) would be called spurious trips. When using people, these would potentially be called something like “management losing the trust of the employees”.

Now … it should be possible to create a culture where these kinds of scenario-based tests are considered routine – just like fire drills to evacuate a building. There are other emergency response drills that could be considered scenario-based, but it is often known in advance that these are exercises and drills, and not “real”.

Proof testing is an accepted part of safety instrumented systems. Why is it not an accepted part of safety non-instrumented systems? Or is it? Tell us how you proof test safety non-instrumented systems. We would love to hear from you.