Recently I witnessed something I never thought I would in the engineering profession: I was told by a system designer that even though they knew the safety reliability data for one device was too optimistic, they were going to use it because it meant they didn’t need to implement online diagnostics or redundancy. They could save money. I had, until that point, maybe naively, assumed that when engineers used optimistic data they simply did not know better.
The crux of the problem is that there are two distinct world views when it comes to process safety reliability data. One approach is to leave it up to the equipment manufacturers to calculate their own failure rates by looking at field return data. Some of these OEMs believe that all failures are a result of customer misuse and therefore report virtually no failures. This results in data for their valves that appears, on inspection, to be too good to be true. They report a dangerous failure rate of about 10 FITs (1 FIT is equal to 1 failure per billion hours). A rate of 10 FITs is a mean time to dangerous failure of 100 million hours, so the claim is that the valve will be unable to perform its safety function only once every 11,400 years!
This means that if the engineer’s plant has 11,400 valves, which is not out of the question, only about one dangerous valve failure should be expected across the entire plant in any given year. Anyone who has ever worked in a process plant knows that a failure rate like that is unrealistic.
Another valve manufacturer supplied data that indicated a dangerous failure rate for its valve of around 450 to 800 FITs depending on the application, that is, a mean time to dangerous failure of roughly 140 to 250 years rather than 11,400. Why is this failure rate so much higher? These failure rates are based on a formal analysis of the actual product design, a Failure Modes, Effects and Diagnostic Analysis (FMEDA), and are driven by a component database with over 60 billion hours of operational data.
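The following worked example is added here and is not part of the original article or the data of either manufacturer. It converts the FIT values quoted above into the quantities a safety engineer actually designs against: mean time to dangerous failure, expected failures across a valve population, and the average probability of failure on demand (PFDavg) with and without redundancy. The PFDavg formulas are the simplified low-demand equations from IEC 61508-6 (proof-test interval dominates, repair time neglected); the one-year proof-test interval, the common-cause beta factor of 0.1 and the assumption that the valve has no online diagnostics (so the whole dangerous rate is undetected) are illustrative assumptions, not values from the article.

```python
# Added worked example (not from the original article). Converts FIT values
# into MTTFd, expected failures per year and PFDavg using the simplified
# IEC 61508-6 low-demand formulas. Proof-test interval, valve count and
# common-cause beta are assumed values chosen for illustration.

HOURS_PER_YEAR = 8760.0


def fit_to_lambda(fit: float) -> float:
    """Convert FITs (failures per 1e9 hours) to a failure rate per hour."""
    return fit * 1e-9


def fit_to_mttf_years(fit: float) -> float:
    """Mean time to (dangerous) failure implied by a FIT value, in years."""
    return 1.0 / fit_to_lambda(fit) / HOURS_PER_YEAR


def expected_failures_per_year(fit: float, n_devices: int) -> float:
    """Expected dangerous failures per year across a population of devices."""
    return n_devices * fit_to_lambda(fit) * HOURS_PER_YEAR


def pfd_avg_1oo1(fit_du: float, proof_test_hours: float) -> float:
    """Average probability of failure on demand for a single device (1oo1).

    Simplified IEC 61508-6 form: PFDavg ~= lambda_DU * T / 2. With no online
    diagnostics (the case the article describes) the dangerous undetected
    rate lambda_DU is the whole dangerous rate.
    """
    return fit_to_lambda(fit_du) * proof_test_hours / 2.0


def pfd_avg_1oo2(fit_du: float, proof_test_hours: float, beta: float = 0.1) -> float:
    """PFDavg for a redundant 1oo2 pair, including a common-cause term.

    Simplified form: ((1 - beta) * lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2.
    beta is the assumed common-cause fraction; 0.1 is a conservative default.
    """
    lam = fit_to_lambda(fit_du)
    independent = ((1.0 - beta) * lam * proof_test_hours) ** 2 / 3.0
    common_cause = beta * lam * proof_test_hours / 2.0
    return independent + common_cause


def sil_band(pfd: float) -> int:
    """Low-demand SIL band (IEC 61508 table) for a PFDavg; 0 = below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # PFDavg below 1e-4 (SIL 4 band or better)


if __name__ == "__main__":
    proof_test = HOURS_PER_YEAR  # assumed: one proof test per year
    plant_valves = 11400         # the valve population used in the article
    for label, fit in (("OEM field-return claim", 10),
                       ("FMEDA, best case", 450),
                       ("FMEDA, worst case", 800)):
        print(f"{label}: {fit} FIT -> MTTFd {fit_to_mttf_years(fit):,.0f} yr, "
              f"{expected_failures_per_year(fit, plant_valves):.1f} dangerous "
              f"failures/yr across {plant_valves} valves")
        p1 = pfd_avg_1oo1(fit, proof_test)
        p2 = pfd_avg_1oo2(fit, proof_test)
        print(f"  1oo1 PFDavg {p1:.2e} (SIL {sil_band(p1)}), "
              f"1oo2 PFDavg {p2:.2e} (SIL {sil_band(p2)})")
```

Running it makes the designer's incentive visible: with the 10 FIT claim a single valve with no diagnostics and a yearly proof test lands in the SIL 4 band on paper, while the FMEDA-based rates put the same bare valve at SIL 2 and require a 1oo2 pair to reach SIL 3 once common-cause failure is counted. The optimistic number does not just flatter the valve; it removes the calculated need for the redundancy and diagnostics that the honest number demands.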
Engineers have been told for decades that the responsibility for design and construction to that design is in the hands of the “engineer in responsible charge.” If the engineer is a consultant, he or she has liability insurance against an issue of design or construction that causes an accident. If he or she works for a company, the company liability insurance is supposed to provide coverage in the event the design is faulty. But most insurance contracts exclude intentional or deliberate actions.
There is no apparent protection for the engineer, or the company, who designs the safety system based on “compliance” alone, regardless of the legal opinions that are offered before the fact. When the failure occurs, the liability is still there, and opposing counsel will argue negligence on the part of the engineer and company, pointing to a self-serving rationalization of engineering principles.
Referring back to our example, this is exactly the same issue: reliance on clearly unrealistic failure data. It is a short step from that to questions about the validity of the “third party certificate” as a means to avoid proper engineering calculations and performance measurement. The IEC standards require operating plants to have a Functional Safety Management (FSM) process in place. The standards do not reward compliance for its own sake; they call for actual, iterative improvement in safety by following the process the company has established.
Tagged as: safety reliability data redundancy product design FMEDA FITS diagnostics Chris O'Brien