On 11 December 2005, at a fuel depot in Buncefield, UK, an overfill switch designed to monitor fuel levels failed as workers pumped fuel into a tank. The fuel spilled over into a bund, vaporised, reached an ignition source, and exploded, resulting in a fire that took four days to extinguish. Twenty white cylindrical fuel tanks collapsed like marshmallows held over a campfire too long. Although there were no fatalities, homes were damaged and residents were evacuated.
A few months earlier on 23 March 2005, in the USA, a pipeline exploded at a BP petrochemical plant in Texas City, killing 14 people.
Not all failures are as spectacular or public as Buncefield or Texas City but they underscore the fact that systems fail, even with apparent safeguards in place. After accidents like these, safety experts pore over the chain of events and do a hazard analysis. IEC functional safety expert Ron Bell says a hazard analysis helps identify what went wrong. Most important, pinpointing the cause helps design control systems to lower the risk of other hazardous events. Bell's professional expertise lies in functional safety. He is principle of Ron Bell Consulting Ltd, a safety consulting firm, and a member of the IEC Advisory Committee On Safety (ACOS) with special responsibilities for functional safety.
Functional safety systems are active rather than passive. For instance, a seatbelt would not be a functional safety system; an airbag would. As the world market continues its shift towards globalisation, Asian markets expand, litigation costs rise and environmental awareness continues to grow, so does the need to establish good practice standards whether you are designing air bags for an automobile, a Ferris wheel, a train or a baby incubator. This has led to more countries adopting safety standards. The market for functional safety, which reached $850million in 2007, is expected to grow by $50million in 2008.
In the world of safety standards, such as the IEC 61508 (Functional safety of electrical, electronic and programmable electronic safety-related systems), 'good practice' has a specific meaning. The idea is to achieve functional safety for safety systems. To do this, it is necessary to consider every phase from initial concept through development of the safety requirements, design, construction and installation, to maintenance and modification. Bell calls this the 'safety lifecycle.' This lifecycle facilitates the building of safety systems to defined safety performance levels and lessens the risk of an accident. Every safety system requires safety functions to be performed and these are carried out through a chain of electronic and sometimes human links. The first step identifies what needs to be done by the safety system. This part of the IEC 61508 standard deals with the safety function. It identifies the starting risk, without safeguards, and identifies what is needed to achieve the target, tolerable risk.
It is the 'tolerable' part that gets difficult from a social point of view, says Bell, because it has to be acknowledged that systems will fail, and the challenge is to be able to maximise the benefit of computer-based technology while achieving tolerable risks for the plant under control. He explains: "The safety systems on petrochemical plants are increasingly computer-based and the failure modes are complex. It is only by adopting a systematic approach to all aspects of the design and application of such safety systems that sufficient confidence can be gained that the target tolerable risks have been achieved."
(cont. part two)
