Utilizing a modified FMEA process to ensure robustness of complex safety systems and to identify and avoid single failures that can prevent safe state or cause spurious trips.

Failure Modes and Effects Analysis (FMEA) was one of the first systematic methods developed to analyze potential failures in technical systems. Since then, the method has been further developed, and is today utilized for numerous applications. It can be used to analyze the criticality of failures based on their probability and consequence (FMECA applications), and to assess the diagnostic capabilities (FMEDA applications), and is often used in these varieties to predict failure rates of components. This article will focus on a modified FMEA process to ensure robustness of complex safety systems and to identify and avoid single failures that can prevent safe state or cause spurious trips. The method includes IEC 61511-1:2016 terms in order to facilitate design of complex fail-as-is safety systems in compliance with IEC 61511 requirements.   Most Safety instrumented systems used in the process industry are relatively simple systems, consisting of one or more initiators, a logic solver and one or more final elements. The systems are normally fail safe, meaning that they go to their safe state if power or motive force is lost. However, for some applications, there is a need for more complex safety systems to avoid incidents. These complex safety systems are often given a SIL requirement, and examples of such systems are:

  • Systems for initiation of deluge
  • Systems for initiation of water mist

The abovementioned systems can be regarded as complex since achieving safe state relies on several components such as fire water pumps, generators, diesel/electrical supply and valves, in addition to auxiliary systems and utilities. Further, in some applications, spurious activation of the safety function is considered to have significantly negative impact, with regards, to cost or safety, and hence there could be strong arguments for implementing design aspects to prevent spurious trips. Examples of such systems are:

  • Workover safety systems
  • BOPs

Common for these systems is that they are not necessarily fail-safe, and may hence rely on pneumatics, hydraulics or electrical power (or a combination there-of) to reach safe state. This increases the complexity of the safety systems, as they are now reliant upon a number of components in the auxiliary systems in order to bring the system or process to a safe state. IEC 61511 puts additional requirements on safety systems that are not fail safe, most notably the requirement in section 11.2.11, that “For any SIS device that on loss of utility (e.g., electrical power, air, hydraulics or pneumatic supply) does not fail to the safe state, loss of utility and SIS circuit integrity shall be detected and alarmed (…)”, and implicitly through section 11.9.2 that reliability of the required utility systems shall be included in the calculated failure measure of the SIF.

The modified FMEA methodology used to assess such complex safety systems is based on the premise that there is detailed information available for each component (such as DCVs, solenoids, valves, pumps etc.) that is part of the safety function (e.g. through detailed component FMECAs). This allows the methodology to assess the application from a system level, and thereby identify the components in the utility systems that are required for the safety function to work as intended, their redundancy (HFT) and whether failures in these components can be detected from a system level before a demand is put on the safety system. The FMEA is well suited in concept or early design phases, and can provide valuable input to ensure robustness in the design of safety systems.   Amongst the benefits obtained through the modified FMEA application is:

  • Detailed information about the required components in the utility systems necessary for the safety system to work as intended in a demand situation
  • Input to design considerations with regards to single point of failures that can prevent the SIF from working in a demand situation, and single point of failures that can initiate spurious shutdowns.
  • Detailed information about the available redundancy (HFT) of the components included in the safety function
  • Input to reliability block diagrams, and hence an early indication about whether a specific SIL is obtainable based on the PFD and architectural aspects of the requirements
  • Input to components whose failure modes can be detected by the system or operator outside normal proof testing, and prior to a demand on the safety system, hence giving valuable information about safety critical monitoring and alarms.

ORS has gained significant experience through utilizing tailor-made FMEA methods for complex safety systems. The methodology has been successfully implemented in several projects across the world, including the Norwegian Continental Shelf, Gulf Of Mexico and Australia. Contact us to discuss how we can help to improve safety and production performance.