Functional Safety Analysis including Human Factors


International Journal of Performability Engineering Vol. 7, No. 1, January, 2011, pp. 61-76. RAMS Consultants, Printed in India

Functional Safety Analysis including Human Factors

KAZIMIERZ T. KOSMOWSKI
Gdansk University of Technology, G. Narutowicza 11/12, 80-233 Gdansk, Poland
(Received on November 18, 2009, revised on July 29, 2010)

Abstract: In this paper selected aspects of human factors are discussed that should be taken into account during the design of safety-related functions for a complex hazardous installation and its protections. The layer of protection analysis (LOPA) methodology is used for simplified risk analysis based on defined accident scenarios. To control the risk the safety instrumented functions (SIFs) are identified and their safety integrity levels (SILs) determined based on results of risk assessment. A given SIF is to be realised by the electric/electronic/programmable electronic system (E/E/PES) or safety instrumented system (SIS) and the human-operator. The SIL is to be verified according to requirements and criteria given in the international standards IEC 61508 and IEC 61511. Some issues concerning the design of the alarm system (AS) with regard to human factors and related human reliability analysis (HRA) are outlined.

Keywords: Hazardous plants, functional safety, human factors, human reliability analysis, layer of protection analysis, alarm system.

1. Introduction

The research on the causes of industrial accidents indicates that broadly understood human errors, resulting often from organizational inadequacies, are the main determining factors in 70-90% of cases [22], depending on the industrial sector and the plant category. Because several defences against potential accidents are used in hazardous plants to protect people and the environment, it is clear that multiple faults have contributed to most accidents. It has been emphasized that accidents arise from a combination of latent and active human errors, which are committed during design, operation and maintenance [6, 22].

The characteristic of latent errors is that they do not immediately degrade the safety-related functions, but in combination with other events, such as random equipment failures, external or internal disturbances and active human errors, they can contribute to a major accident with serious consequences. Some categorizations of human actions and related errors have been proposed, e.g., by Swain and Guttmann [30], Rasmussen [24], Reason [27] and Embrey [6]. Traditionally, potential human and organisational influences in an industrial plant are incorporated into the probabilistic models through failure events with relevant probabilities evaluated using a selected method of human reliability analysis (HRA) [1, 3, 4, 8, 9, 14, 17, 28, 29, 30]. Careful analysis of expected human behaviour (including context-oriented diagnosis, decision making and intentional actions) and potential errors is an essential prerequisite of correct risk assessment and rational safety-related decision making, particularly in dynamic situations [11, 12, 13, 17]. The probabilities of the failure events depend significantly on various human, organisational, environmental and technical factors, categorised as a set of performance shaping factors (PSFs) relevant to the situation under consideration [6, 18, 19, 20, 26]. The PSFs are divided into internal, stressor and external ones [30]. Lately some new approaches have been proposed by Carey [2], Hickling et al. [10], Froome and Jones [7], and Kosmowski [20, 21] on how to deal with the issues of human factors in functional safety analysis and management [15, 16].

The human errors can be committed in the entire life cycle of the plant, from its design stage, installation, commissioning and operation to decommissioning. During the operation phase the human-operator interventions include the supervision and control actions in cases of transients, disturbances and faults as well as the diagnostic activities, the functionality and safety integrity tests, planned maintenance actions and repairs after faults [2, 5, 22]. Nowadays the operators supervise the process and make decisions based on information from the alarm system (AS) and decision support system (DSS) [5, 7, 11, 25], which should be designed especially carefully for abnormal situations and potential accidents, also for cases of partial faults and dangerous failures within the electric, electronic and programmable electronic systems (E/E/PESs) [15] or the safety instrumented systems (SISs) [16]. The AS and DSS, when properly designed, will contribute to decreasing the human error probability in various plant states and reducing the risk of potential accidents with serious consequences.

*Corresponding author's email: k.kosmowski@ely.pg.gda.pl

2. Functional Safety and Human Factors

2.1 Principles of functional safety

Modern industrial installations are extensively computerised and equipped with complex programmable control and protection systems. In the design of control and protection systems the functional safety solutions [15] are of more and more widespread interest and are implemented in various industrial sectors, e.g. the process industry [16]. However, there are still methodological challenges concerning functional safety management in the life cycle. They relate also to issues of human and organisational factors [20, 21]. The aim of functional safety management is to reduce the risk associated with operation of a hazardous installation to an acceptable or tolerable level by introducing a set of safety-related functions (SRFs) that are implemented using the programmable control and protection systems. The human-operator contributes to the realization of a given SRF through the relevant HMI (human machine interface) in relation to the SCADA (supervisory control and data acquisition) system or DCS (digital control system). In the standard [16] two kinds of systems are distinguished, namely the BPCS (basic process control system) and the SIS (safety instrumented system), designed according to the technical specification and procedures developed for abnormal situations, especially for emergencies [11, 22, 30].

An important term related to the functional safety concept is safety integrity [15], understood as the probability that a given safety-related system will satisfactorily perform the required SRF under all stated conditions within a given period of time. The safety integrity level (SIL) is a discrete level (1-4) for specifying the safety integrity requirements of a given safety-related function to be allocated using the electrical/electronic/programmable electronic system (E/E/PES) [15] or safety instrumented system (SIS) [16]. The safety integrity level of 4 (SIL4) is the highest level, which requires, when implemented in industrial practice, a complex architecture of E/E/PES consisting of redundant subsystems that are diagnosed on-line and periodically tested.

For the E/E/PES or SIS performing an SRF two probabilistic criteria are defined for consecutive SILs (Table 1), namely [15]:
- the average probability of failure to perform the safety-related function on demand (PFD_avg) for the system operating in a low demand mode, and
- the probability of a dangerous failure per hour PFH (the frequency) for the system operating in a high demand or continuous mode of operation.

Table 1: Probabilistic Criteria for Safety-related Functions

  SIL   PFD_avg            PFH [h^-1]
  4     [10^-5, 10^-4)     [10^-9, 10^-8)
  3     [10^-4, 10^-3)     [10^-8, 10^-7)
  2     [10^-3, 10^-2)     [10^-7, 10^-6)
  1     [10^-2, 10^-1)     [10^-6, 10^-5)

The SIL for a given SRF is determined in the risk assessment process using a defined risk matrix, which includes areas for several risk classes, e.g., unacceptable, moderate and acceptable, or a risk graph [15, 22]. The E/E/PE safety-related system (see Figure 1) consists of the following subsystems: (A) input devices (sensors, transducers, converters, etc.), (B) programmable logic controllers (e.g., PLC) and (C) output devices including the equipment under control (EUC) [15]. The architecture of these subsystems is determined during the design process. Each logic controller comprises the central unit (CPU), input modules (digital or analog) and output modules (digital or analog). The E/E/PE subsystems usually have a KooN architecture, e.g., 1oo1, 1oo2, 1oo3 or 2oo3.

Figure 1: E/E/PE Architecture for Realization of Safety-related Functions (three subsystems linked by communication: A. Input devices, K_A oo N_A; B. Programmable Logic Controller(s), K_B oo N_B; C. Output devices, K_C oo N_C)

2.2 Determining SIL of a safety-related function

The risks associated with accident scenarios can be presented on a risk matrix (Fig. 2) distinguishing several categories of consequences (N_A, N_B, ...) and frequencies (F_0, F_-1, ...), defined as intervals with decreasing exponent of the upper and lower limits on logarithmic scales. The risk control options should be carefully considered during the design or operation of hazardous industrial systems [22]. A given risk control option (RCO) includes a technical and/or organisational solution, which differs from a basis (B) solution fulfilling some basic requirements. It can in particular be a safety-related function (SRF) to be implemented using E/E/PES or SIS.

Figure 2: An example of risk analysis results in relation to categories of frequencies and losses for four classes of risk (rows: frequency categories F [a^-1]; columns: loss categories N [loss]; cells: risk class I-IV; the marked points a, b, c, d, b* and b** are placed as far as they can be read from the original figure)

  F \ N    N_A    N_B        N_C         N_D       N_E
  F_0      III    II         I           I         I
  F_-1     III    III (a)    II (b)      I         I
  F_-2     IV     III        II          II (c)    I (d)
  F_-3     IV     IV         III         II        II
  F_-4     IV     IV (b*)    IV (b**)    III       II

As can be seen in Figure 2, in the area of unaccepted risk (class I) and undesired risk (class II) there are four stars denoted a, b, c and d in order of increasing losses. The risk reduction will be considered on the example of point b. Implementing a protection measure, e.g., a SIS within the protection layers [16], moves the risk coordinates in the arrow direction to point b* with a relevant reduction of the frequency and consequence of the given scenario. If we assume that introducing additional protection will not reduce the losses, but only the frequency of this accident scenario, then the risk coordinates will move to point b**. The aim is to reduce the frequency by at least two orders of magnitude (to decrease it 100 times) or better three orders of magnitude thanks to introducing, for instance, an additional safety-related function to be implemented using relevant protection layers (see chapter 3).

The implementation of a given RCO results in the risk reduction, evaluated for the period of one year, as follows [22]:

  R_{RCO} = \sum_i F_{i;B} \, N_{x;i;B} \, (1 - r^F_{i;RCO} \cdot r^N_{x;i;RCO})   (1)

where: F_{i;B}, N_{x;i;B} - the frequency [a^-1] and the consequence x [in units of consequence] of the i-th accident scenario for the basic solution B; r^F_{i;RCO} - the relative reduction of the frequency of the i-th accident scenario after implementing the given RCO (r^F_{i;RCO} = F_{i;RCO} / F_{i;B}); r^N_{x;i;RCO} - the relative reduction of the consequence x of the i-th accident scenario after implementing the given RCO (r^N_{x;i;RCO} = N_{x;i;RCO} / N_{x;i;B}). As the consequence x the mortality or the economic losses due to the given accident scenario can be considered.

Assuming that the risk reduction to a tolerable level can be achieved by implementing E/E/PES or SIS for constant consequences (N = const), the relative risk reduction can be evaluated as follows:

  r^R = R_t / R_{np} = F_t / F_{np} = r^F   (2)

where: F_t is the numerical target frequency of the potential hazardous event (specified for a tolerable risk level); F_{np} - the frequency of the potential hazardous event that could occur without protection; the relevant risk indices for these two cases are R_t = F_t N and R_{np} = F_{np} N (N = const). In the case of E/E/PES or SIS considered for implementation within the protection layer for a low demand mode of operation the value of r^F is equivalent to the average probability of failure on demand PFD_avg, i.e. PFD_avg = r^F. This value is used for determining the required SIL of the given safety-related function to be implemented using an appropriate architecture of E/E/PES or SIS. In verifying the SIL, usually several architectures of E/E/PES or SIS are considered, and the results of probabilistic modelling are compared with the interval probabilistic criteria given in Table 1.

2.3 Human Reliability Analysis

The human reliability analysis (HRA) methods are used for assessing the contribution of potential human errors to the failure events of given accident scenarios. However, some basic assumptions made in HRA techniques used within the probabilistic safety analysis of hazardous systems are still a subject of dispute between researchers [3, 12, 13]. Practically all HRA methods assume that it is meaningful to use the concept of human errors and that it is justified to estimate their probabilities. Such a point of view is sometimes questioned because of not fully verified assumptions concerning human behaviour and potential errors. Hollnagel concludes [13] that some HRA results are of limited value as input for PSA (probabilistic safety analysis), mainly because of an oversimplified conception of human performance and human error. On the other hand, it is obvious that it is valuable to consider the required human actions and potential errors in a given context with regard to the process dynamics, the functions of the control and protection systems, the quality of the HMI (human-machine interface), etc. Examples of potential human errors in a dynamic system and their consequences are presented in Figure 3.

Figure 3: Examples of Human-operator Errors and their Consequences (event tree following the initiating event I through three error branches: 1. intentional-decisional error, 2. no reaction on time error, 3. error to complete the required action; q_i is the conditional probability of the i-th error; sequence outcomes: S - success; X1 - no success, not corrected intentional-decisional error (q1); X2 - no success, no reaction on time (q2); X3 - no success, not corrected error (q3))

In spite of the mentioned criticism, while waiting for a next generation of HRA methods, the human factor analysts use some existing HRA methods in PSA. Below some HRA methods are shortly characterized that might be applied in the context of functional safety analysis. Rough human reliability assessments based mainly on qualitative information concerning relevant factors can be useful at the design stage of safety-related functions and of the E/E/PE systems implementing these functions [2, 22]. It is justified to emphasise that the functional safety analysis framework gives additional insights into HRA [22, 23].
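Formulas (1) and (2) of section 2.2, together with the Table 1 intervals, can be carried through in a short script. The following is an added example and not code from the paper; the function names, the Scenario record and all scenario numbers (frequencies, consequences, target frequency) are constructed for illustration, modelled on point b of Figure 2.

```python
"""Risk reduction and required SIL per formulas (1)-(2) and Table 1.
Added example, not code from the paper; all scenario numbers are constructed."""
from dataclasses import dataclass

# Table 1: half-open intervals [lower, upper) of PFD_avg (low demand) and PFH [1/h]
# (high demand / continuous) for SIL 1..4.
SIL_PFD_AVG = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
SIL_PFH = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_for(value, table=SIL_PFD_AVG):
    """Return the SIL whose Table 1 interval contains value, or None when the value
    lies outside the table: above the SIL 1 band no SIL can be claimed, and below
    the SIL 4 band the standard offers no higher level to credit."""
    for sil, (lower, upper) in table.items():
        if lower <= value < upper:
            return sil
    return None


@dataclass
class Scenario:
    """One accident scenario i with the basic solution B and a risk control option."""
    name: str
    f_basic: float        # F_{i;B}: frequency per year for the basic solution
    n_basic: float        # N_{x;i;B}: consequence x per event (e.g. fatalities)
    r_f: float            # r^F_{i;RCO} = F_{i;RCO} / F_{i;B}
    r_n: float = 1.0      # r^N_{x;i;RCO} = N_{x;i;RCO} / N_{x;i;B}; 1.0 = losses unchanged


def risk_reduction(scenarios):
    """Formula (1): yearly risk reduction of the RCO, summed over the scenarios."""
    return sum(s.f_basic * s.n_basic * (1.0 - s.r_f * s.r_n) for s in scenarios)


def required_pfd_avg(f_np, f_t):
    """Formula (2) with N = const: r^R = F_t / F_np = r^F, and for a low-demand
    protection layer r^F is the PFD_avg the layer has to achieve."""
    if f_t >= f_np:
        raise ValueError("target frequency already met without protection")
    return f_t / f_np


def required_sil(f_np, f_t):
    """SIL to be allocated to the SRF that closes the gap between F_np and F_t."""
    return sil_for(required_pfd_avg(f_np, f_t), SIL_PFD_AVG)


if __name__ == "__main__":
    # Constructed case modelled on point b of Figure 2: the unprotected scenario sits
    # in the F_-1 band and the target is three orders of magnitude lower.
    f_np, f_t = 0.5, 1e-4
    pfd = required_pfd_avg(f_np, f_t)
    print(f"required PFD_avg = {pfd:.1e} -> SIL {required_sil(f_np, f_t)}")
    b = Scenario("b", f_basic=f_np, n_basic=2.0, r_f=pfd)          # losses unchanged (b**)
    b_star = Scenario("b*", f_basic=f_np, n_basic=2.0, r_f=pfd, r_n=0.5)
    print(f"risk reduction b**: {risk_reduction([b]):.4f} per year")
    print(f"risk reduction b* : {risk_reduction([b_star]):.4f} per year")
```

Because the Table 1 bands are half-open, a required PFD_avg that lands exactly on a band boundary (e.g. 10^-3) is classified into the less demanding level; a design team that wants margin should check against the next stricter band rather than the boundary value.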

In performing HRA some basic knowledge concerning the concepts of human behaviour and error types is necessary. Rasmussen [24, 25] proposes the distinction of three categories of human behaviour. His conceptual framework assumes three cognitive levels of human behaviour: skill-based, rule-based and knowledge-based. HRA practitioners know that the distinction between a skill-based action and a rule-based action resulting in errors is not always trivial and requires context-oriented analysis by an experienced expert. A similar difficulty is associated with the distinction between rule-based or knowledge-based behaviour and the potential errors [22]. The behaviour types described above seem to involve different error mechanisms, which may mean radically different human reliability characteristics. Reason [27] proposes the following classification of human errors: a slip - an attention failure (for example, an error in implementing a plan or decision, or an unintended action); a lapse - a momentary memory failure (for example, an error in recalling a task step or forgetting intentions); and a mistake - an error in establishing a course of actions, for example, an error in diagnosis, planning or decision making. Thus, mistakes are associated with more serious error mechanisms, as they lead to an incorrect understanding of the abnormal situation and to conceiving an inappropriate plan of actions. These two frameworks can be combined as shown in Figure 4. Three error types are distinguished: I - skill-based, II - rule-based, and III - knowledge-based. A skill-based error is associated with slips or lapses. Rule- or knowledge-based errors are related to mistakes.

Figure 4: Classification of Human Unsafe Acts and Error Types (unsafe acts divided into unintended actions and intended actions; unintended actions cover slips (Phase 3 - Execution, attention failures) and lapses (Phase 2 - Storage, memory failures), each by omission or commission, giving error type I: skill-based acts; intended actions cover mistakes (Phase 1 - Planning, by omission or commission, giving the cognitive forms II: rule-based and III: knowledge-based) and violations (exceptional or routine violations, acts of sabotage))

Several HRA techniques are used in PSA practice, e.g. THERP [30], developed for the nuclear industry but applied also in other industrial sectors. Other HRA methods more often used in industrial practice are: Accident Sequence Evaluation Procedure - Human Reliability Analysis Procedure (ASEP-HRA), Human Error Assessment and Reduction Technique (HEART), and Success Likelihood Index Method (SLIM). These HRA methods are characterised in various papers, monographs and reports [1, 3, 8, 14, 17]. In the publication [1] five HRA methods were selected for comparison on the basis of either relatively widespread usage or being recognized as a contemporary technique, e.g. the SPAR-H method [29]. The results of research indicate that the HEP (human error probability) in a dynamic system depends strongly on the time available for diagnosis, decision making and actions. In Figure 5 the results of a nominal diagnosis model are presented for evaluating the HEP of diagnosis within time T by the control room personnel for one abnormal event.

Figure 5: Human Error Probability for Diagnosis within time T of one Abnormal Event by the Control Room Personnel [30] (log-log plot of HEP, from 10^-7 to 1, against T [min], from 1 to 1000, with lower bound, median HEP and upper bound curves)

The HEP is evaluated when the human failure event is placed into the probabilistic model structure of the system. In the HRA performed within PSA only the more important human failure events are considered [17, 22, 30]. Then the abnormal situation context and the related performance shaping factors (PSFs) are identified and evaluated according to the rules of the given HRA method. As the result a particular value of HEP is evaluated. Different approaches are used for evaluating HEP with regard to PSFs, e.g. assuming a linear relationship for each identified PSF_i and its weight w_i, with a constant C for the model calibration:

  HEP = HEP_{nominal} + \sum_i w_i \cdot PSF_i + C   (3)

or a nonlinear relationship used in the SPAR-H methodology [29]:

  HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \, (PSF_{composite} - 1) + 1}   (4)

where NHEP is the nominal HEP; NHEP equals 0.01 for diagnosis and 0.001 for action.

An appreciated method for performing HRA for a set of PSFs is SLIM [14, 17]. SLIM is oriented on the success probabilities of events, i.e. on accomplishing specified tasks. Probabilistic modelling in risk analysis is rather failure oriented, and it is more convenient to apply a modification of the SLIM method named SI-FOM (Success Index - Failure Oriented Method) [19]. The equations including the human failure probabilities HEP_j and the success indices SI_j for the j-th task are as follows:

  \lg HEP_j = c \cdot SI_j + d   (5)

  SI_j = \sum_i w_i \, r_{ij}   (6)

where: w_i - the normalised weight coefficient assigned to the i-th influence factor (\sum_i w_i = 1); r_{ij} - the scaled rating of the i-th factor in the j-th task (the normalised scaling value satisfies 0 \le r_{ij} \le 1). If for the cases considered the success indices SI_j are evaluated and two probabilities HEP_j are known (preferably the min and max values of HEP for the category of tasks considered), then the coefficients c and d can be determined and the HEP calculated for a particular task of interest in the probabilistic modelling of events.
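The HEP models of section 2.3 are small enough to be worked through end to end: the SPAR-H relationship (4), the SI-FOM calibration of c and d from two anchor tasks via (5) and (6), and the combination of the branch probabilities q1, q2, q3 of Figure 3. This is an added example, not code from the paper or from the SPAR-H or SI-FOM authors. The reading of Figure 3 as a sequential event tree, the treatment of PSF_composite as the product of individual PSF multipliers, and every numeric input (multipliers, weights, ratings, anchor HEPs, branch probabilities) are assumptions made for the illustration.

```python
"""HEP evaluation: SPAR-H formula (4), SI-FOM formulas (5)-(6), and the Figure 3
event tree. Added example, not code from the paper; PSF multipliers, weights,
ratings, anchor HEPs and branch probabilities are constructed sample values."""
import math

NHEP_DIAGNOSIS = 0.01   # nominal HEP for diagnosis (SPAR-H value quoted in the text)
NHEP_ACTION = 0.001     # nominal HEP for action


def spar_h_hep(nhep, psf_multipliers):
    """Formula (4). PSF_composite is taken as the product of the individual PSF
    multipliers (assumption); the rational form keeps the result below 1 however
    large the composite multiplier becomes."""
    psf_composite = math.prod(psf_multipliers)
    return nhep * psf_composite / (nhep * (psf_composite - 1.0) + 1.0)


def success_index(weights, ratings):
    """Formula (6): SI_j = sum_i w_i * r_ij, with sum_i w_i = 1 and 0 <= r_ij <= 1."""
    if len(weights) != len(ratings):
        raise ValueError("one rating per influence factor")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be normalised to 1")
    if any(not 0.0 <= r <= 1.0 for r in ratings):
        raise ValueError("ratings must lie in [0, 1]")
    return sum(w * r for w, r in zip(weights, ratings))


def calibrate_si_fom(si_a, hep_a, si_b, hep_b):
    """Formula (5): lg HEP_j = c * SI_j + d. Two tasks with known HEP (preferably the
    min and max of the task category) fix the coefficients c and d."""
    if si_a == si_b:
        raise ValueError("anchor tasks need distinct success indices")
    c = (math.log10(hep_b) - math.log10(hep_a)) / (si_b - si_a)
    d = math.log10(hep_a) - c * si_a
    return c, d


def si_fom_hep(si, c, d):
    """HEP of a task from its success index and the calibrated coefficients."""
    return 10.0 ** (c * si + d)


def figure3_outcomes(q1, q2, q3):
    """Figure 3 read as an event tree (assumption): after the initiating event I the
    operator passes three branches in order; q_i is the conditional probability of
    the i-th error given that the earlier branches were passed successfully."""
    for q in (q1, q2, q3):
        if not 0.0 <= q <= 1.0:
            raise ValueError("conditional probabilities must lie in [0, 1]")
    return {
        "X1": q1,                                # not corrected intentional-decisional error
        "X2": (1 - q1) * q2,                     # no reaction on time
        "X3": (1 - q1) * (1 - q2) * q3,          # required action not completed
        "S": (1 - q1) * (1 - q2) * (1 - q3),     # success
    }


if __name__ == "__main__":
    print("SPAR-H diagnosis HEP with PSFs x10 (time) and x5 (stress):",
          round(spar_h_hep(NHEP_DIAGNOSIS, [10, 5]), 4))
    c, d = calibrate_si_fom(0.2, 0.1, 0.9, 0.001)   # constructed anchor tasks
    si = success_index([0.5, 0.3, 0.2], [0.8, 0.5, 0.2])
    print(f"SI = {si:.2f} -> HEP = {si_fom_hep(si, c, d):.4f}")
    print("Figure 3 outcomes:", figure3_outcomes(0.1, 0.2, 0.05))
```

Two properties worth checking whenever such models are calibrated: the four Figure 3 outcomes must sum to one, and in the SI-FOM fit a task halfway between the anchors in SI gets the geometric mean of the anchor HEPs, which is the behaviour a log-linear model implies and a quick sanity check on the sign of c.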

68 Kazmerz T. Kosmows 2.4 Human Factors n Functonal Safety Analyss Lately, a framewor [2] was proposed for addressng human factors n IEC 61508. Consderaton was gven to a range of applcatons of the E/E/PE systems n safety-related applcatons. The dversty of ways n whch human factors requrements map on to varous E/E/PE systems n dfferent ndustres and contexts has been hghlghted n ths framewor dependng on the safety ntegrty level (SIL) requred and functons performed by personnel. Obvously, the effort that needs to be placed nto operatons ncludng mantenance n relaton to human factors should be greater as the SIL ncreases, but the types of human factors that need to be addressed vary between the classes of systems. A framewor to be developed for addressng human factors (HFs) wthn IEC 61508 should nclude: - ncorporatng human tass and potental errors nto the hazard and rs assessment, - defnng the human factor requrements for defned safety-related functons to be realzed on determned SILs, - verfyng SIL for consecutve safety related functons for solutons proposed wth regard to hardware, software and human factors. The requrements concernng the scope of analyses fall nto two broad categores: (1) those assocated wth hazard and rs analyss (all relevant ssues of human and organzatonal factors, procedural actons and human errors, abnormal and nfrequent modes of operaton, reasonably foreseeable msuse, clams on operatonal constrants and nterventons, etc.); and (2) those concernng the operator nterface (tae account of human capabltes and lmtatons, follow good human factor practce, be approprate for the level of tranng and awareness of potental users, be tolerant of mstaes, etc.). Thus, the scope of analyses should nclude human and organzatonal factors tang nto account relevant context specfc aspects. Generally, the requrements concernng the analyss of human factors n functonal safety solutons ncrease for hgher SILs of E/E/PE systems. 
Several categores of such systems can be dstngushed [2, 22]: control and protecton, supervsory control, remote control, dagnostcs, alarms, communcaton, and offlne analyss and support tools. For nstance for SIL 2 followng analyses and requrements are suggested [2, 22]: - ey tass to be performed by operatons and mantenance staff have been dentfed, - typcal operatng envronments have been dentfed and descrbed, - the conceptual desgn of the user nterface s documented as a desgn delverable, - crtcal tass and aspects of the human factors have been dentfed and subjected to systematc, documented revew by the desgn team, - all staff who operate or mantan the equpment have successfully completed tranng that covers all relevant aspects of the equpment and ts applcaton. 2.5 Probablstc Modelng of E/E/PES or SIS for verfyng SIL The probablty of falure on demand PFD avg of the E/E/PE safety-related system (S) s evaluated tang nto account subsystems A, B and C (assumng small values of relevant probabltes) from the formula S A B C PFD PFD + PFD + (7) where A avg B avg C avg PFD avg avg avg avg PFD, PFD, PFD are probabltes of falure on demand for subsystems A, B and C (see Fg. 1). The HEP s evaluated when a human falure event s placed nto the structure of probablstc model of the system. Some attrbutes (factors) of such event are determned

Functonal Safety Analyss ncludng Human Factors 69 accordng to rules of gven HRA method. Then a partcular value of HEP s calculated. In the HRA wthn PSA only more mportant human falure events are consdered for further context specfc analyss [17]. In the case of probablstc modellng of the E/E/PE safety-related system the human falure event and ts probablty s an element of subsystem model as explaned below. For nstance, PFD avg of a E/E/PE subsystem (SUB), operatng n the low demand mode s calculated (for subsystem A, B or C) from formula: SUB FT AT PFD PFD + PFD HEP (8) where + avg avg avg FT PFD avg s average probablty of subsystem falure on demand to be detected n AT perodcal functonal test (FT); PFD the probablty of subsystem falure on demand, avg detected n automatc tests (AT); HEP the human error probablty. Dependng on the subsystem and safety-related functon consdered the human error can be a desgn error (hardware or software related) or an operator error for consdered actvtes of the operator n the control room or at ste wthn mantenance group. For nstance, the probablty of falure on demand for 1oo2 subsystem, ncludng n probablstc modellng the common cause falures and/or human error probablty (HEP), can be calculated from formula 2 2 TI 2 TI PFDavg 1oo2 [(1 β ) λd] ( + TI MTTR + MTTR ) + βλdu ( + MTTR) + HEP (9) 3 2 where β-factor for dependent falures of two channels, λ D a dangerous falure rate of one channel; λ DU a dangerous undetected falure rate, T I - the nterval of perodcal tests; MTTR the mean tme to repar. 3. Layer of protecton analyss ncludng human factors Hazardous ndustral plants are desgned accordng to a concept of defense n depths usng several barrers (protecton layers). Fgure 6 shows typcal layers of protecton of n a hazardous ndustral plant. An nterestng methodology for prelmnary rs analyss and safety-related decson-mang s the layer of protecton analyss (LOPA) methodology [23]. 
It is important to include in the probabilistic modelling of protection layers the potential dependences between events representing equipment failures and human errors.

[Figure 6: Typical Protection Layers in a Hazardous Industrial Installation. Layers shown, numbered outward from the process: 4. Relief devices / physical protection; 3. Safety instrumented system (SIS); 2. Alarm system (AS) and operator actions; 1. Control and monitoring (BPCS); 0. Installation / PROCESS.]

The protection layers in Figure 6 include: the basic process control system (BPCS), the alarm system (AS) / human-operator interventions and the safety instrumented system (SIS) as layers 1, 2 and 3 respectively. These systems should be functionally and physically independent; however, this is not always achievable in practice. The protection layers shown in Figure 7 include:

- PL1 the basic process control system (BPCS),
- PL2 the human-operator (OPERATOR), who supervises the process and intervenes in cases of abnormal situations and during emergencies that are indicated by the decision support system (DSS) or the alarm system (AS),
- PL3 the safety instrumented system (SIS), which can perform an emergency shutdown (ESD) function.

[Figure 7: OPERATOR and Alarm System (AS) as elements of Protection Layers. Blocks shown: the hazardous industrial installation, PL1 BPCS, PL2 OPERATOR (informed by AS / DSS), PL3 SIS / ESD.]

These layers should be independent, which requires appropriate technical and organizational solutions. In the case of PL1 and PL3 this can be achieved using separate measurement lines (input elements), modules for information processing (PLCs) and actuators (final elements). The required SIL of BPCS and SIS for a given safety-related function can be achieved by designing appropriate architectures of their subsystems (see Figure 1), taking into account the probabilistic criteria given in Table 1 for verifying the SIL of SIS. If the risk reduction requirement concerns the protection layers according to formula (2), the required risk reduction should be properly distributed between BPCS, OPERATOR and SIS, e.g. if $10^{-4}$ is required for all layers then it should be distributed as follows: $10^{-1}$ (SIL1), $10^{-1}$ (HEP-SIL1) and $10^{-2}$ (SIL2), which are values achievable without difficulty in industrial practice. There is, however, a considerable problem in some cases concerning the layer PL2, i.e., the OPERATOR, who obtains information through the relevant HMI from the alarm system (AS) and/or the decision support system (DSS). Only in the case of independence of these layers can the frequency of the i-th accident scenario $F_i$ be calculated from the formula

$F_i = F_i^{I} \cdot PFD_{i;PL1} \cdot PFD_{i;PL2} \cdot PFD_{i;PL3} = F_i^{I} \cdot PFD_i$ (10)

where $F_i^{I}$ is the frequency of the i-th initiating event I [$\mathrm{a}^{-1}$] and $PFD_{i;PLj}$ are the probabilities of failure on demand of the j-th protection layer shown in Figure 7. In the case of the second layer $PFD_{i;PL2} = HEP_{i;PL2}$ and the relevant HEP is evaluated using an appropriate HRA method.
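A worked computation, added here and not part of the paper, of formulas (7) and (9) from Section 2.5 together with the LOPA frequency formula (10) and its conditional-probability form (11) given further on. The failure rates, test interval, initiating-event frequency and the conditional HEP of 1.0 for an operator whose alarms come from an already failed BPCS are constructed values; the low-demand SIL bands are those of IEC 61508 [15].

```python
# Added worked example (not the paper's own code) for formulas (7), (9),
# (10) and (11).  All parameter values are constructed for illustration;
# the SIL bands are those of IEC 61508 for low demand mode.
from math import prod


def pfd_1oo2(beta, lam_d, lam_du, t_i, mttr, hep=0.0):
    """Formula (9): average PFD of a 1oo2 subsystem.
    beta   - beta-factor for common cause failures of the two channels
    lam_d  - dangerous failure rate of one channel [1/h]
    lam_du - dangerous undetected failure rate of one channel [1/h]
    t_i    - interval of periodical (proof) tests [h]
    mttr   - mean time to repair [h]
    hep    - human error probability added as in formula (8)"""
    independent = ((1.0 - beta) * lam_d) ** 2 * (t_i ** 2 / 3.0 + t_i * mttr + mttr ** 2)
    common_cause = beta * lam_du * (t_i / 2.0 + mttr)
    return independent + common_cause + hep


def pfd_system(pfd_a, pfd_b, pfd_c):
    """Formula (7): system PFD as the sum over subsystems A, B, C
    (a valid approximation only for small probabilities)."""
    return pfd_a + pfd_b + pfd_c


def sil_low_demand(pfd_avg):
    """SIL band met by PFDavg in low demand mode; 0 = no SIL met.
    Values below the SIL 4 band are reported as SIL 4."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd_avg >= lower:
            return sil
    return 4


def scenario_frequency(f_init, layer_pfds):
    """F_i = F_i^I * prod_j PFD_{i;PLj}.  With unconditional layer PFDs this
    is formula (10) (independent layers only); with the conditional values
    P(X_{i;PLj} | I, X_{i;PL1}, ..., X_{i;PL(j-1)}) it is formula (11)."""
    return f_init * prod(layer_pfds)


def dependence_factor(independent_pfds, conditional_pfds):
    """PFD_i^Z / PFD_i: how far the dependence assumption raises the PFD
    of the whole set of protection layers."""
    return prod(conditional_pfds) / prod(independent_pfds)


if __name__ == "__main__":
    # Constructed SIS: 1oo2 sensors (A), logic solver (B), 1oo2 valves (C);
    # a maintenance error probability of 1e-3 is added to the valve subsystem.
    pfd_a = pfd_1oo2(beta=0.05, lam_d=5e-6, lam_du=2.5e-6, t_i=8760, mttr=24)
    pfd_b = 2.0e-4
    pfd_c = pfd_1oo2(beta=0.05, lam_d=5e-6, lam_du=2.5e-6, t_i=8760, mttr=24, hep=1e-3)
    pfd_sis = pfd_system(pfd_a, pfd_b, pfd_c)
    print(f"SIS PFDavg = {pfd_sis:.2e} -> SIL {sil_low_demand(pfd_sis)}")

    # Allocation from the text: 1e-1 (BPCS, SIL1), 1e-1 (operator HEP),
    # 1e-2 (SIS, SIL2) -> 1e-4 for all layers together.
    f_init = 0.1                 # initiating event frequency [1/a], constructed
    indep = [1e-1, 1e-1, 1e-2]
    # Dependent case (constructed): alarms implemented inside the BPCS, so
    # once PL1 has failed the operator gets no information -> HEP | PL1 = 1.0
    cond = [1e-1, 1.0, 1e-2]
    print(f"F_i   (10) = {scenario_frequency(f_init, indep):.1e} 1/a")
    print(f"F_i^Z (11) = {scenario_frequency(f_init, cond):.1e} 1/a")
    print(f"PFD^Z / PFD = {dependence_factor(indep, cond):.0f}")
```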
Generally, the frequency of accident scenarios for the layers considered should be evaluated using a formula consisting of conditional probabilities

$F_i^{Z} = F_i^{I} \cdot P(X_{i;PL1} \mid I) \cdot P(X_{i;PL2} \mid I, X_{i;PL1}) \cdot P(X_{i;PL3} \mid I, X_{i;PL1}, X_{i;PL2}) = F_i^{I} \cdot PFD_i^{Z}$ (11)

where $X_{i;PLj}$ denote events that represent failure in performing safety-related functions on demand by consecutive protection layers (j = 1, 2, 3) that should be considered for the i-th initiating event. The results of analyses have shown that assuming dependences of layers in the probabilistic modeling significantly increases the failure probability on demand, by at least an order of magnitude, thus $PFD_i^{Z} \gg PFD_i$ (see formulas (10) and (11)). Of significant importance in reducing the dependences of the mentioned layers is the appropriate design of the

alarm system (AS) and decision support system (DSS), as well as the quality of the HMI characterized by relevant factors that are assessed when performing the HRA.

4. Requirements and Criteria concerning the Alarm System and Operator Interface

As is mentioned in the international standards [15] and [16], there is no clear guidance on how to include human and organizational factors in functional safety analysis. They should, however, be included in designing the human-machine interface (HMI), e.g., within the decision support system (DSS) and especially the alarm system (AS). Some suggestions are given in a report [2], a guide [5] and the HSE book [7]. The alarm system refers to a complete system for generating and handling alarms, including field equipment, signal conditioning and transmission, alarm processing and alarm display. It also includes hardware, software and supporting information, e.g., alarm response procedures and management controls. An alarm is defined as an audible or visible means of indicating to the operator an equipment or process malfunction or abnormal condition. The alarm trip point is a threshold value or discrete state of a process variable that triggers the alarm. An alarm flood (overload) is the situation where more alarms are received than can be physically addressed by a single console operator [5]. Attention should be focused on the tasks that the operator must perform in order to cope with controlling upset situations according to the designed HMI solutions. Depending on the complexity of the tasks and the required reliability of the protection layers, expressed for instance by the safety integrity level (SIL), the requirements for operator performance can vary and increase for higher SIL. After making a decision during an abnormal situation the operator must execute some actions correctly according to prescribed procedures or established practice. All tasks performed or executed by the operator can be supported by the DSS, which should be an integrated part of the HMI related to BPCS, SIS and/or AS.
In the case of incorrect diagnosis or no reaction in time (see the event sequences in Figure 3) during an abnormal event, e.g. due to the complexity or fast dynamics of the process, the ESD (emergency shutdown) system should operate without operator intervention to stop the technological process by executing the required functions to mitigate the consequences. The basic issue in designing an alarm system is considering its functionality in relation to the identified diagnostic difficulties and the characteristics of technical solutions. In particular, the answers to two basic questions are of interest [5]: (1) Should the AS be classified as safety-related according to the definition given in the functional safety standard [15]? and (2) Should it be implemented as a stand-alone system independent of the basic process control system? The decision whether the AS is safety-related will be influenced by national legislation or by existing practices within the given industrial sector. Alarms that are safety-related according to the definition in the standard [15] should be given special consideration in terms of designing the HMI and DSS. If the alarm system is safety-related, it should be independent and separate from the process control system, unless the process control system has itself been identified as safety-related and implemented in an appropriate manner [15, 16]. The risk assessment provides a starting point in the design process of the DSS including alarms. The risk reduction to be achieved by the alarm system solution depends on:
- the reliability of the equipment (i.e., field instrumentation and alarm processing system),
- the reliability of the operator responding to the alarm with appropriate action.

The reliability of the human-operator (or a team of operators) performing tasks will in turn depend on such factors as:
- the way in which alarms are presented (technical solution and ergonomics),
- the time available for the operator to diagnose the situation, elaborate decisions and undertake actions,
- the stress level,
- other factors, e.g., distraction, forgetfulness, negligence [14, 27, 29, 30].

Experience shows that the majority of AS failures derive from human failures rather than from hardware failures [5]. In practice, the risk reduction benefits are generally more easily derived from improving functionality and usability than from improving hardware integrity. Thus, in the context of alarm system functions:
- the operator should not be overloaded with alarms presented by the chosen display arrangement, either in normal operation or in upsets,
- the AS performance should be regularly checked to ensure that alarm overload is not occurring,
- the alarms presented by the chosen display arrangement should be operationally useful, with significant limitation of spurious annunciations,
- the alarms should be properly prioritized,
- the operator should be trained in using the AS.

Figure 8 presents an example of a qualitative approach for deciding about the basic solution of the alarm system (AS), which might be implemented within the basic process control system (BPCS) or designed as a stand-alone safety-related AS. Depending on the risk parameters: the expected consequences (from S1 to S5) and the diagnosis difficulties of hazardous installations in a short time T0 or T1 (T0: quick response essential, within 5 min.; T1: slow response adequate, > 5 min.), the suggested alarm system solution is selected from the appropriate column: N not suitable as an alarm, L limited benefit, C an alarm within the basic control system recommended, P the alarm either in a stand-alone or control system acceptable, S the alarm within a stand-alone system recommended.
It is worth mentioning that the threshold value of 5 minutes assumed in defining T0 and T1 is related to the difficulty of diagnosing an abnormal situation in a dynamic system in a relatively short time with a high probability of committing an error (see Figure 5).

[Figure 8: The Risk related Parameters and their Influence on Assumptions of the Alarm System Design (adapted from [5]). Rows: available response time T1 and T0; columns: expected consequences S1 information only, S2 pre-alarm to trip, S3 damage to plant (economic losses), S4 environmental damage, S5 injury / mortality, the latter three each split into low risk and high risk; each cell gives the suggested solution N, L, C, P or S as defined above.]

For the safety-related alarm system more stringent reliability requirements should be imposed on both the equipment and the expected human performance, as summarized in Table 2.

Table 2: Reliability Requirements concerning the Safety-related Alarm System and Human Operator (adapted from [5])

Claimed AS integrity / reliability: $PFD_{avg} > 10^{-1}$; standard AS, may be integrated into the BPCS.
Human reliability requirements: no special requirements; the AS should be operated and maintained with regard to good engineering practice [5].

Claimed AS integrity / reliability: $PFD_{avg} \in (10^{-2}, 10^{-1}]$; AS designed as safety-related for SIL1 [15]; it should be independent from the BPCS (unless the BPCS is also designed as safety-related).
Human reliability requirements: the operator should be well trained for the specific expected plant failures that the alarm system indicates; the operator should have clear response procedures for important alarms, and the claimed operator performance should be audited.

Claimed AS integrity / reliability: $PFD_{avg} \le 10^{-2}$; AS designed as safety-related for SIL2 [15].
Human reliability requirements: it is not recommended to claim an HEP below $10^{-2}$ for any operator action, even if it is multiply alarmed and relatively simple to perform.

It is recommended that for all credible accident scenarios the designer should demonstrate that the total number of safety-related alarms and their maximum rate of presentation do not overload the operator. It might be interpreted as a requirement that no credible accident generates more than a certain number of safety-related alarms within a specified period. There is general guidance on the alarm rate following an upset condition of the installation, expressed as the number of alarms displayed in the 10 minutes following a major plant upset [5]:
- more than 100 is definitely excessive and is very likely to lead to the operator abandoning the alarm system,
- between 20 and 100 is hard to cope with,
- under 20 should be manageable, but may be difficult if several alarms require a more complex operator response.

From Figure 8 and Table 2 some basic assumptions for designing the AS might be derived. In the case of a high risk and a quick response required, the AS should be safety-related and stand-alone. The design of such a system according to functional safety principles is generally described in the international standard IEC 61508 [15].
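An added check, not from the paper or from EEMUA 191 [5], that applies the alarm-rate guidance just quoted to a constructed alarm journal: it counts the safety-related alarms in the 10 minutes after an upset and finds the worst 10-minute window in the whole journal for the periodic overload check. The journal line format, the tag names and the SR flag are assumptions made for this example.

```python
# Added example (not from the paper or from EEMUA 191): alarm-rate check
# against the 10-minute guidance quoted above, run on a constructed journal.
from collections import namedtuple
from datetime import datetime, timedelta

Alarm = namedtuple("Alarm", "time tag priority safety_related")

# Constructed journal lines: "<date> <time> <tag> <priority> <SR|->";
# SR marks an alarm claimed as safety-related (format assumed here).
SAMPLE_LOG = """\
2024-03-01 10:00:00 P-101.PAH high SR
2024-03-01 10:00:04 T-202.TAH high SR
2024-03-01 10:00:09 L-303.LAL medium -
2024-03-01 10:02:30 F-404.FAL low -
2024-03-01 10:07:45 P-101.PAHH critical SR
2024-03-01 10:15:00 T-202.TAH high SR
"""
UPSET_TIME = datetime(2024, 3, 1, 10, 0, 0)    # constructed upset instant
FLOOD_START = datetime(2024, 3, 1, 11, 0, 0)   # start of a constructed flood


def parse_log(text):
    """Parse journal lines into Alarm records (blank lines ignored)."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, tag, prio, flag = line.split()
        alarms.append(Alarm(datetime.fromisoformat(f"{date} {clock}"),
                            tag, prio, flag == "SR"))
    return alarms


def alarms_after_upset(alarms, upset_time, window_min=10, safety_related_only=True):
    """Alarms presented in [upset_time, upset_time + window_min)."""
    end = upset_time + timedelta(minutes=window_min)
    return [a for a in alarms
            if upset_time <= a.time < end
            and (a.safety_related or not safety_related_only)]


def classify_rate(count):
    """EEMUA 191 bands quoted in the text: alarms in 10 min after an upset."""
    if count > 100:
        return "excessive"           # operator is likely to abandon the AS
    if count >= 20:
        return "hard to cope with"
    return "manageable"              # may still be hard if responses are complex


def peak_window_count(alarms, window_min=10):
    """Largest number of alarms in any window_min-minute window (sliding
    window over the sorted journal): the periodic check that overload is
    not occurring, not only after a known upset."""
    times = sorted(a.time for a in alarms)
    width = timedelta(minutes=window_min)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] <= t - width:  # drop alarms older than the window
            j += 1
        best = max(best, i - j + 1)
    return best


def constructed_flood(start, count, spacing_s):
    """Synthetic burst of safety-related alarms, constructed for the demo."""
    return [Alarm(start + timedelta(seconds=k * spacing_s), f"X-{k:03d}.XAH",
                  "high", True) for k in range(count)]


if __name__ == "__main__":
    journal = parse_log(SAMPLE_LOG)
    n = len(alarms_after_upset(journal, UPSET_TIME))
    print(f"safety-related alarms in 10 min after upset: {n} -> {classify_rate(n)}")
    peak = peak_window_count(journal + constructed_flood(FLOOD_START, 150, 3))
    print(f"peak 10-min alarm count over journal: {peak} -> {classify_rate(peak)}")
```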
Some suggestions for human reliability analysis in relation to the functional safety concept can be found in the report [2] and the monograph [22]. In the layer of protection analysis the use of formula (10) is justified only if the AS was designed as separate and independent from the BPCS (see Figure 7). The AS, if carefully designed with good HMI and DSS functions, will certainly contribute to the reduction of the human error probability [5, 8, 22]. As was mentioned, in the evaluation of human-operator reliability various methods have been used in practice, e.g., THERP [30], HEART and SLIM [14, 17]. However, significant problems emerge when the cognitive aspects of human-operator behaviour and decision making are considered [22], for instance in cases when latent failures contribute to the active failure probability and in cases of potential multiple failures. Such challenging problems require further research oriented on developing an intelligent DSS and an effective AS contributing to the risk reduction associated with the operation of hazardous industrial plants. Another issue that requires further research is developing the methodology for designing and assessing the advisory software for supporting on-line safety-related decision making. It should comply with the requirements of the functional safety standards [7, 15]. The basic principle concerning the safety-related functions of such software can be stated as follows: it must not mislead the user (human-operator) into undertaking decisions that could contribute to deteriorating abnormal plant states. Obviously, the relevant advisory system should be intuitive for operators, with advanced and safe interactive mechanisms to support effectively the diagnosis of abnormal plant states, including spurious operation of the control and protection systems. Thus, the functional safety analysis framework for the safety-related control and protection systems provides additional insight for performing human reliability analysis and determining the more important factors influencing the risks.

5. Conclusion

In this paper an approach is outlined that includes selected aspects of the functional safety analysis in hazardous installations, including the protection layers. In particular the role of the alarm system is emphasized, which requires appropriate design with regard to careful treatment of human factors. Nowadays, issues concerning functional safety management in hazardous industrial plants with regard to the human and organizational factors become important due to the necessity to design human-oriented solutions. They include the human-operator support system and especially the alarm system. If the alarm system is safety-related, it should be independent and separated from the basic process control system. It is required to manage the functional safety in the entire safety lifecycle, keeping the risk level of potential hazardous events at acceptable levels. Thus, it is essential to improve, when justified, the basic process control system (including SCADA and DCS solutions) and other safety-related solutions, including the alarm system and decision support system. The safety management has to be carried out in the life cycle based on reliability data and experience from plant operation and periodical risk assessments.

It is essential to consider carefully the human and organizational factors using relevant HRA methods to maintain adequate risk associated with the operation of a particular hazardous plant. The functional safety oriented framework offers additional possibilities for more comprehensive human reliability analysis with emphasis on contextual human-operator behaviour in abnormal situations, also those related to dangerous failures of the control and protection systems. Such analysis provides understanding of how to design the safety-related hardware solutions and functions to be implemented by means of the basic process control system, the alarm and decision support system, and the safety instrumented systems. Their integrated design should be human-centred. Such a design process requires an integrated approach with regard to the requirements and criteria related to ergonomics, human factors and functional safety of the control and protection systems. Additional research is needed to obtain more comprehensive insights related to the reliability and safety aspects useful for designing human-centred interactive solutions within hazardous dynamic systems.

Acknowledgements: The author wishes to thank the Ministry for Science and Higher Education in Warsaw for supporting the research and the Central Laboratory for Labour Protection - National Research Institute (CIOP-PIB) in Warsaw for co-operation in the preparation of the research project 5.R.02, concerning the safety management in industrial hazardous plants including functional safety aspects, being carried out within a multi-year research programme.

References

[1] Byers, J.C., D.I. Gertman, S.G. Hill, H.S. Blackman, C.D. Gentillon, B.P. Hallbert and L.N. Haney. Simplified Plant Analysis Risk (SPAR) Human Reliability Analysis (HRA) methodology: comparison with other HRA methods. International Ergonomics Association and Human Factors & Ergonomics Society Annual Meeting 2000, July 31 - August 4.
[2] Carey, M. Proposed Framework for Addressing Human Factors in IEC 61508. Prepared by Amey VECTRA Ltd. for the Health and Safety Executive (HSE), U.K. 2001; Contract Research Report 373.
[3] Critical Operator Actions - Human Reliability Modeling and Data Issues. Nuclear Safety, NEA/CSNI/R; OECD Nuclear Energy Agency 1998.
[4] Dougherty, E.M. and J.R. Fragola. Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications. A Wiley-Interscience Publication, New York: John Wiley & Sons Inc. 1988.
[5] EEMUA, Publication 191: Alarm Systems, A Guide to Design, Management and Procurement (Edition 2). London: The Engineering Equipment and Materials Users Association 2007.
[6] Embrey, D.E. Incorporating Management and Organisational Factors into Probabilistic Safety Assessment. Reliability Engineering and System Safety 1992; 38(1-2): 199-208.
[7] Froome, P. and C. Jones. Developing Advisory Software to comply with IEC 61508. Contract Research Report 419. HSE Books 2002.
[8] Gertman, I.D. and H.S. Blackman. Human Reliability and Safety Analysis Data Handbook. New York: A Wiley-Interscience Publication 1994.
[9] HERA. Short Report on Human Performance Models and Taxonomies of Human Error in ATM. European Organization for the Safety of Air Navigation. Brussels: EATMP Infocentre, Eurocontrol Headquarters 2002.
[10] Hickling, E.M., A.G. King and R. Bell. Human Factors in Electrical, Electronic and Programmable Electronic Safety-Related Systems. A work supported by the Health and Safety Executive (HSE), U.K. 2006.
[11] Hollnagel, E. Information and reasoning in intelligent decision support systems. Int. J. Man-Machine Studies 1987; 27(5-6): 665-678.
[12] Hollnagel, E. The reliability of man-machine interaction. Reliability Engineering and System Safety 1992; 38(1-2): 81-89.
[13] Hollnagel, E. Human reliability assessment in context. Nuclear Engineering and Technology 2005; 37(2): 159-166.
[14] Humphreys, P. (Ed.). Human Reliability Assessor Guide. RTS 88/95Q, Safety and Reliability Directorate, U.K. 1988.
[15] IEC 61508. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1-7. International Electrotechnical Commission, Geneva 2000.
[16] IEC 61511. Functional safety: Safety Instrumented Systems for the Process Industry Sector. Parts 1-3. International Electrotechnical Commission, Geneva 2003.
[17] Kosmowski, K.T., G. Degen, J. Mertens and B. Reer. Development of Advanced Methods and Related Software for Human Reliability Evaluation within Probabilistic Safety Analyses. Jülich: Berichte des Forschungszentrum 2928, 1994.
[18] Kosmowski, K.T. Issues of the human reliability analysis in the context of probabilistic studies. International Journal of Occupational Safety and Ergonomics 1995; 1(3): 276-293.
[19] Kosmowski, K.T. and M. Kwiesielewicz. Hierarchical influence diagrams for incorporating human and organisational factors in risk assessment of hazardous industrial systems. Risk Decision and Policy 2002; 7(1): 25-34.
[20] Kosmowski, K.T. Incorporation of human and organizational factors into qualitative and quantitative risk analyses. Proceedings of the International Conference on Probabilistic Safety Assessment and Management (PSAM 7 - ESREL '04), Berlin: Springer 2004; 3: 2048-2053.
[21] Kosmowski, K.T. Functional Safety Concept for Hazardous System and New Challenges. Journal of Loss Prevention in the Process Industries 2006; 19(1): 298-305.
[22] Kosmowski, K.T. (Ed.). Functional Safety Management in Critical Systems. Gdansk University of Technology. Wydawnictwo: Fundacja Rozwoju Uniwersytetu Gdańskiego. Gdansk 2007.
[23] Layer of Protection Analysis, Simplified Process Risk Assessment. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers 2001.
[24] Rasmussen, J. Skills, rules, knowledge; signals, signs and symbols and other distinctions on human performance models. IEEE Transactions on Systems, Man and Cybernetics 1983; 13(3): 257-266.
[25] Rasmussen, J. and L.P. Goodstein. Decision support in supervisory control. IFAC Man-Machine Systems. Varese, Italy 1985.
[26] Rasmussen, J. and I. Svedung. Proactive Risk Management in a Dynamic Society. Swedish Rescue Services Agency, Karlstad 2000.
[27] Reason, J. Human Error. Cambridge University Press 1990.
[28] Richei, A., M.K. Koch and H. Unger. Application of the procedure HEROS for the evaluation and optimization of a man-machine-system within the PSA for NPP. Safety and Reliability, Schuëller & Kafka (Eds), Balkema, Rotterdam 1999.
[29] SPAR-H. Human Reliability Analysis (HRA) Method, NUREG/CR-6883, INL/EXT-05-00509, USNRC 2005.
[30] Swain, A.D. and H.E. Guttmann. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application. NUREG/CR-1278 1983.

Kazimierz T. Kosmowski is Professor and Head of the Automatics Department at the Faculty of Electrical and Control Engineering of the Gdansk University of Technology. His field of interest includes mathematical modeling of safety and reliability of complex technical systems and processes including human factors. He has published over 190 scientific works. He is the vice chairman of the Polish Safety and Reliability Association.