Abstract
A discussion of the appropriate outline for the training of technicians in support of functional safety provisions during the operating and maintenance phase of the safety lifecycle.
I. Introduction
Functional safety practices, as promulgated by IEC 61508, have now been with us for many years, but much of the focus has been on the safety integrity level (SIL) determination and realisation phases (design and installation). These are critical aspects of course, but it is interesting to reflect that a typical safety instrumented function (SIF) will spend the overwhelming proportion of its life in the operating and maintenance phase of the safety lifecycle; this is where the failures really matter, but it does not perhaps receive the attention that it deserves. A perfectly sound installation is unlikely to remain so if appropriate maintenance practices are not adopted. So what are these practices and the related training requirements? We may identify them as belonging to the following distinct areas:
Proof testing
Inspection
Repair
Modification
Security
Performance monitoring
A. Proof testing
Proof test procedures must be suitably rigorous and comprehensive. They should be fully documented and perfectly explicit, with appropriate pass/fail criteria specified; highly generic ‘procedures’ such as ‘Calibrate and test trip function PZH123’ will not do. Those performing the tests should understand their responsibilities and their accountability for proper execution. They should understand that a procedure may stipulate that a test be done in a particular way to achieve the proper test coverage and that ‘short cuts’ should not be used unless approved by a responsible and competent authority. The test record should distinguish between ‘passed first time’ and ‘repaired and then passed’.
B. Inspection
Technicians should understand that there is a separate requirement to inspect SIFs for signs of degradation; a SIF may function perfectly, but if it is showing signs of distress, this must be reported to the maintenance authority to allow any implications for the wider population to be assessed and for rectification work to be put in hand.
C. Repair
It should be understood that any repair, other than like-for-like exchange, should be approved by a responsible and competent authority. After any repair, a test must be made that covers all aspects of the SIF that could be impacted by the repair. A full proof test may well be appropriate.
D. Modification
Any modification to a SIF must be subject to appropriate change control procedures. These must ensure that any modification does not compromise the function’s ability to meet the stipulations of the safety requirements specification. Emergency ‘frigs’ (ad hoc overrides) are not acceptable; any override must be assessed and authorised by a responsible and competent authority.
E. Security
As far as practicable, SIFs should be secured from unauthorised interference. Access should be controlled, for example, by employing password protection and keeping system cabinets locked. Technicians should understand that security provisions should not be bypassed or disabled and that unauthorised personnel should not be given access. It is advisable that all safety instrumented system (SIS) devices, cabinets, junction boxes and so on are clearly identified as being SIF equipment, and it should be understood that no unauthorised access, adjustment or modification is permitted.
F. Performance monitoring
Failure of any SIF should be fully investigated to identify the reason for the failure. Failures should be reported to the responsible maintenance authority through an established reporting procedure. This will allow assessment of whether there may be implications for other functions. Technicians should be briefed to recognise and support the need to monitor the ongoing performance of SIFs to validate design assumptions and to identify possible equipment end-of-useful life issues.
II. Training Requirements
Any instrument craftsman deserving of the name will understand how to install, maintain and repair instrument equipment and systems. The training requirement in respect of the operation and maintenance of SIFs revolves around an awareness of the significance of SILs and an understanding of the aspects outlined above. For the operation and maintenance phase, it is not necessary to provide training on the niceties of SIL determination, SIF design and associated quality assurance and management provisions: given an underpinning knowledge of instrumentation systems, the training requirement is relatively limited and could typically be adequately addressed in ½–1 day. It is essentially about making sure technicians understand the need for appropriate discipline in the maintenance and operation of SIFs and that a ‘make-do-and-mend’ approach is not acceptable. If this foundation of awareness and understanding can be established, the need for extended courses and refresher programmes may be questionable (the same may be said of many areas besides functional safety; many courses are inflated beyond the users’ actual requirements). Indeed, if periodic refresher programmes were found to be necessary to promote proper conduct, it might indicate a more fundamental concern with personnel competency – a want of inherent capability or discipline. (We must distinguish here between ‘refresher’ and ‘update’ training.)
III. Conclusion
In summary then, for training of technicians for the operating and maintenance phase of the safety lifecycle, the training course outline should include the following:
The philosophy and scope of the functional safety standards;
The significance of SILs;
An overview of the Safety Lifecycle;
Proof Testing philosophy and approaches;
Maintenance/repair/modification considerations;
Performance monitoring and fault reporting;
Competency, personal responsibilities and accountability.
And, if the course is in-house,
Site-specific issues/practices.
In-house training must address, by way of risk assessed method statements, any safety procedures and safeguards that must be adhered to when taking live plant to its trip condition in order to carry out a proof test.
Funding
The author(s) received no financial support for the research, authorship and/or publication of this article.
