(104x) PFD for SIF: Accounting for Systemic Human Error in SIS

Safety Instrumented System (SIS) standards have raised the bar on using instrumented systems (formerly called interlocks, Emergency Shutdown’s etc.).  It introduces requirements for improved management systems to enforce independence from other Independent Protection Layers (IPLs).  It requires verification that the performance of each Safety Instrumented Function (SIF) will be met during its lifetime.  The performance criteria is documented as the target SIL or risk reduction factor for each SIF.  This is tied to specific values of probability of failure on demand (PFD).  The initial SIS standards did not include systematic human errors in the example calculation for SIL in either IEC 61508 or 61511 and current working revisions, while beginning to more rigorously acknowledge the role systematic failures play in overall performance, still fall short regarding methods to quantify.  While the SIL Verification methods outlined in the standards and technical reports like ANSI/ISA TR84.00.02 facilitate consistency, as user companies seek to obtain greater risk reduction from their safety instrumented systems to satisfy their corporate risk criteria, failure to adequately address potential systematic failures can lead to overly optimistic results and a misallocation of resources intended to reduce risk

This paper shows that human error during testing, maintenance, and restoration of a SIF can potentially dominate its Probability to Fail Dangerous (PFD) value, calling into question whether the required risk reduction is indeed being met.  This is especially pertinent to SIL 2 and SIL 3 requirements.   Example methods for human error analysis related to a SIS are provided as well as some proven approaches for controlling human factors that affect the base error rate (for a given mode of operation).  It also discusses ways to prevent or else detect and recover from errors made in redundant channels (such as used in 1oo2, 1oo3, or 2oo3 voting).