A control system or device is deemed to be safety related if it provides functions which significantly reduce the risk of a hazard, and in combination with other risk reduction measures, reduces the overall risk to a tolerable level, or if it is required to function to maintain or achieve a safe state for the equipment under control (EUC).
These functions are known as the safety functions of the system or device and are the ability to prevent initiation of a hazard or detect the onset of a hazard, and to take the necessary actions to terminate the hazardous event, achieve a safe state, or mitigate the consequences of a hazard.
All elements of the system which are required to perform the safety function, including utilities, are safety related, and should be considered part of the safety related system.
Safety related control systems may operate in low demand mode, where they are required to carry out their safety function occasionally (not more than once/year) or in high demand (more than once/year) or continuous mode where failure to perform the required safety function will result in an unsafe state or place a demand on another protective system. The likelihood of failure of a low demand system is expressed as probability of failure on demand, and as failure rate per hour for high/continuous demand systems.
Safety related control systems operating in continuous or high demand mode where the E/E/PES is the primary risk reduction measure have been known as HIPS (high integrity protective systems). However, use of such systems does not circumvent the need for a hierarchical approach to risk reduction measures such as inherent safety, and careful consideration of prevention of common mode failures by use of diverse technology and functionality (such as relief valves), independent utilities and maintenance and test procedures, physical separation, and external risk reduction (such as bunds). Measures should favour simple technological solutions rather than complex ones. The lowest failure rate which can be claimed for high integrity systems operating in continuous or high demand mode is 10⁻⁹ dangerous failures per hour.
It should be noted that control systems for equipment under control which are not safety related as defined above may also contribute to safety and should be properly designed, operated and maintained. Where their failure can raise the demand rate on the safety related system, and hence increase the overall probability of failure of the safety related system to perform its safety function, then the failure rates and failure modes of the non-safety systems should have been considered in the design, and they should be independent and separate from the safety related system.
A control system operating in continuous or high demand mode, for which a failure rate of less than 10⁻⁵/hr is claimed in order to demonstrate a tolerable risk, provides safety functions, and is safety related.
In some circumstances, the safety function may require the operator to take action, in which case, he/she is part of the safety related system and will contribute significantly to the probability of failure on demand (PFD). Typically, in a well designed system, a figure of 10⁻¹ is assumed for the probability of an operator failing to take correct action on demand. Where exceptional care has been taken in design of human factors such as alarm management, instructions and training, and where such arrangements are monitored and reviewed, then a probability of failure on demand of not better than 10⁻² may be achievable. Any supporting hardware or software, such as alarm systems, would also need the requisite integrity level.