Control of human failures during the full life cycle of a safety instrumented system is vital to ensure that a safety function will operate correctly when required. Since the introduction of modern electronic instrumentation, there have been steady improvements in the hardware, and it is now likely that human factors are the dominant cause of system failures. Endress+Hauser can help you to simplify commissioning, maintenance and proof-testing routines that could lead to errors being introduced if they are not performed correctly.

Human errors are most likely to be introduced through incorrect handling of the sensor. The sensor can have complex parametrisation, and commissioning and testing procedures are often poorly defined. In addition, changes made during the system’s life cycle are often not subject to rigorous management of change (MOC) procedures.

For the safety instrumented function (SIF) to meet the target level of risk reduction, the probability of failure on demand of each element must be known. Typically, the manufacturer’s data will be used to calculate if the SIF meets the required level, but this data is only valid if the device is used, commissioned, tested and maintained following the instructions in the functional safety manual. For complex devices such as radar level transmitters, the sheer number of parameters that could potentially be adjusted makes this a complex task to manage.

Dependable software

Software tools are used for commissioning, adjustment and proof testing, and consideration should be given to how these tools interact with the device and how they are used by the operator. To reduce errors that could impact safety performance, a good software tool should give clear instructions, follow a logical sequence, keep the task simple, prevent potentially unsafe parameters being set and generate records of the ‘as left’ state.

Breaking the tasks into separate activities such as commissioning, SIL confirmation and proof testing ensures that the work remains focused and the operator is not overwhelmed with information and options. Endress+Hauser’s DeviceCare software, used in conjunction with a radar level transmitter, for example, has separate software wizards available for each of these tasks.

Simple and safe commissioning

The first stage after installation of the radar level transmitter would be to carry out basic commissioning. Here the commissioning wizards would be used. The wizard guides the operator through the common steps required to commission the radar level transmitter, ensuring that:

  • All settings important to a basic set-up are covered.
  • Clear instruction is given on each setting.
  • A defined end point is clearly given when the device is commissioned.
  • A prompt to generate a record of the commissioning settings is given.

After the completion of commissioning using the wizard, the operator can be confident that the radar transmitter will perform as intended. This may not be the case if the operator is left to enter individual parameters based only on what they perceive to be correct and relevant. If the application is SIL rated, the next step would be to employ the SIL confirmation wizard to ensure that all safety-relevant parameters have been checked and recorded.

Proof testing

For a proof test to be valid it must uncover a known proportion of the dangerous undetected failures, in other words the failures not detected by the transmitter’s own diagnostics. Endress+Hauser’s software wizard will again guide the operator through the test, ensuring all steps are completed and a time-stamped PDF record of the test is generated.

Crucially, the software will not generate the proof test record until the transmitter is SIL locked again after the proof test. Locking of transmitters after proof testing is often neglected; in the operator’s mind the task is complete once the test has passed, but it should be remembered that locking of SIL devices against unauthorised modification is a requirement of IEC 61508. With some modern smart instrumentation, the SIL locking itself will change the diagnostics running in the device. If a transmitter is not SIL locked, it is not in compliance with the functional safety manual and all SIL data is invalid.
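The gating behaviour described in the last two paragraphs (and the "as left" record called for in the Dependable software section) can be modelled as a small state machine. The code below is a constructed illustration added here, not Endress+Hauser DeviceCare code; the step names, parameter names and the `sil_locked` flag are assumptions.

```python
"""Constructed model of a proof-test wizard: steps must be done in order, and the
record is withheld until every step is complete and the transmitter is SIL locked."""
import hashlib
import json
from datetime import datetime, timezone

# Wizard steps in the order the operator must complete them (assumed names).
REQUIRED_STEPS = ("unlock", "inject_test_level", "verify_current_output",
                  "verify_alarm_trip", "restore_process", "relock")


class ProofTestIncomplete(Exception):
    """Raised when the wizard refuses to issue a proof-test record."""


class ProofTestWizard:
    def __init__(self, device_id, as_found):
        self.device_id = device_id
        self.as_found = dict(as_found)  # parameters read from the device before the test
        self.as_left = dict(as_found)   # updated as the operator works through the steps
        self.completed = []             # (step name, result) in completion order
        self.sil_locked = bool(as_found.get("sil_locked", False))

    def complete_step(self, name, result):
        """Accept a step only in sequence and track the lock state it implies."""
        if len(self.completed) >= len(REQUIRED_STEPS):
            raise ProofTestIncomplete("all steps already completed")
        expected = REQUIRED_STEPS[len(self.completed)]
        if name != expected:
            raise ProofTestIncomplete(f"expected step {expected!r}, got {name!r}")
        if name == "unlock":
            self.sil_locked = False
        elif name == "relock":
            self.sil_locked = True
        self.as_left["sil_locked"] = self.sil_locked
        self.completed.append((name, result))

    def record(self):
        """Return the time-stamped record, or refuse if the test is unfinished or unlocked."""
        done = {name for name, _ in self.completed}
        missing = [s for s in REQUIRED_STEPS if s not in done]
        if missing:
            raise ProofTestIncomplete(f"steps not completed: {missing}")
        if not self.sil_locked:
            raise ProofTestIncomplete("transmitter is not SIL locked; record withheld")
        changed = sorted(k for k in self.as_left if self.as_left[k] != self.as_found.get(k))
        rec = {"device": self.device_id,
               "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
               "as_found": self.as_found, "as_left": self.as_left,
               "changed_parameters": changed, "steps": self.completed}
        # Digest over the canonical JSON so later edits to the stored record are detectable.
        rec["sha256"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        return rec
```

A passed test with the device left unlocked produces no record at all, which is the point: the operator cannot file the evidence without restoring the state the functional safety manual requires.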

The potential for human error during commissioning, maintenance and proof testing can be greatly reduced through the use of suitable software tools. Software that guides the technician and restricts them from making potentially dangerous errors, deviations or omissions in commissioning or testing both simplifies the task and reduces the risk of functional safety being compromised.

As well as being a leading manufacturer of instrumentation for safety systems, Endress+Hauser offers services to optimise your processes in terms of reliability, safety and economic efficiency. For practical guidance on assessing the useful lifetime of SIL instruments and developing a functional safety management plan, visit https://www.smarter-decisions.co.uk/.