November 2020

Special Focus: Process Controls, Instrumentation and Automation

Increase uptime by reducing systematic failure risk

Siew, H., Endress+Hauser

Pondering the history of industrial incidents, it would be incorrect to assume that most failures occur randomly. Muddying the already-murky waters of random vs. systematic failure, safety instrumented system (SIS) design primarily considers probability of failure on demand (PFD) calculations, and PFD is tied to random failure rate and risk.

Systematic failure in both safety and other automation systems occurs more frequently than random failure, as supported by findings of the UK Health, Safety and Environment Committee. Of the failures recorded in the study, 65% were systematic in nature (FIG. 1), caused by improper specification, design and implementation errors, as well as mistakes made during installation and commissioning.

FIG. 1. A public study shows that 65% of failures were systematic in nature and inherent in device specification, design and implementation, or installation and commissioning. Source: UK Health, Safety and Environment Committee.

Systematic failures of process instrumentation can be reduced by thoroughly understanding the application, along with sensing elements, logic solver, final element, material selection and prior-use experience. Failure conditions often originate at the design stage of a safety system before equipment is placed in service. By adjusting a device’s design, manufacturing process, and operating procedure and/or documentation, process manufacturers can reduce inherent device shortcomings—which results in decreased overall industrial process risk.

This article includes an examination of IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems) and IEC 61511 (Functional Safety of SIS Designs), followed by a description of how modern instrumentation addresses multiple risks of systematic failure, while simplifying commissioning and maintenance, for safety systems and other automation systems.

Random vs. systematic failure

Random failure refers to primarily unavoidable hardware issues like electronic components that degrade over time and eventually fail. To reduce the impact of random failure, maintenance procedures employ proof testing throughout equipment lifecycles, with the hope of discovering fault risks and addressing them prior to failure. However, even with rigorous testing, hardware is inevitably susceptible to occasional random failures (FIG. 2).

FIG. 2. Random vs. systematic failures.

Systematic failure—which refers to preexisting problems caused by faulty equipment design, manufacturing processes, material specification and/or device installation—is almost entirely avoidable through careful engineering. Functional safety standards protect against systematic failure by providing rules, methods and guidelines to prevent errors. When a system adheres to the appropriate standards, it functions with minimal systematic failures. Systematic failures are commonly caused by human error, be it operational or planning. For example, a lack of application understanding, or insufficient maintenance planning, may lead to failure caused by corrosion, abrasion, sedimentation or deterioration.

IEC 61508 for modern, smart instruments

Covering the “functional safety of electrical/electronic/programmable electronic safety-related systems,” IEC 61508 is applicable to any industry using electronic controllers within safety systems. It defines methods for application, design, deployment and maintenance of automatic protection systems.

Per IEC 61508, manufacturers can choose to certify their instruments by “design with full compliance” (Route 1H) or “proven in use” (Route 2H) methods. Utilizing instrumentation in accordance with IEC 61508 provides several advantages, including:

  • A reduction in systematic errors throughout the service life
  • Prior-use phase is shortened to 6 mos. vs. 12 mos. (FIG. 3), with prior-use status achieved in accordance with NAMUR NE 130 prior-use recommendations
  • A prior-use test following manufacturer software and firmware updates is not required for IEC 61508-compliant devices, provided they were previously in service.

FIG. 3. For instruments designed in accordance with IEC 61508, the NAMUR NE 130 recommendation provides criteria to achieve prior-use status.

The IEC 61508 equipment functional safety manual includes critical information such as safety functions, failure mode effect and diagnostic analyses and proof test procedures. It provides all necessary information to define the safety requirements of an SIS.

Process influence on safety function

During SIS design, it is important to ensure that instruments, materials, sizing and other factors are correctly specified to meet the target application’s requirements. If improperly specified, adverse consequences (such as corrosion, abrasion and cavitation) can occur and degrade the safety function. Prior-use experience, when available, can aid in verifying a device’s suitability to meet the required safety function. Many manufacturers offer software tools to verify that the specified equipment material and sizing are appropriate for the target application (FIG. 4). These types of tools can be used to simplify safety system design.

FIG. 4. Digital tools (such as the one shown[a]) help ensure that a device’s function, material and size are suitable for the target process application.

Installation and commissioning

To adhere to IEC 61511 (titled “Functional safety—Safety instrumented systems for the process industry sector”), equipment documentation must conform to the safety requirements specification (SRS) for the SIS. An SRS for commissioning and proof testing includes scope, duration, state of the tested device, test procedures, state of the process, detection of failures, and methods for error prevention.

Documented SRS procedures do not guarantee errorless installations, so plant personnel must pay careful attention not to miss critical parameter settings. However, these procedures provide a roadmap to guide the way.

Modern smart instruments also provide tools to aid in commissioning. A manufacturer can preset many of the required configuration parameters prior to device shipment, although it is still necessary to check these settings as part of installation and commissioning. To provide reliable safety functionality, the proper configuration must be initialized for the specific safety instrumented function.

An installer can perform the required safety integrity level (SIL) commissioning sequence through guided prompts on the instrument’s device display or through asset management software tools (FIG. 5). When using software, it is possible to generate an SIL-relevant parameters report following commissioning to ensure compliance with the safety function. The last step is to activate the SIL lock when present to prevent unauthorized tampering.

FIG. 5. An SIL confirmation sequence using software[b] for checking flowmeter parameters.

Operating standards aid error detection

A typical instrument (e.g., level transmitter) connects to a logic solver or safety controller in an SIS and sends the process variable via a 4-20mA or 4-20mA HART current signal. While a 4-20mA signal can only transmit the process variable, HART allows many other parameters to be transmitted, including diagnostic information.

Even with a basic 4-20mA signal type, per NAMUR NE 43 recommendations, a current in the 3.8mA–20.5mA range conveys a valid measurement value, while a signal less than 3.6mA or greater than 21mA indicates failure information to the safety controller or transmitter (FIG. 6). NE 43 is utilized extensively across many industries, and most suppliers manufacture instrumentation operating within the 4-20mA signal standard.

FIG. 6. NAMUR NE 43 recommendations for 4-20mA transmitters (top) and process control systems (bottom) allow end users to confidently mix instruments from various vendors.

By adhering to the 4-20mA signal standard, manufacturers ensure that their devices function with other vendors’ instrumentation, and simultaneously reduce potential for incompatibility. Without this type of standardization, instrumentation cross-compatibility would be limited, and SIS errors would occur more frequently.
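The NE 43 bands quoted above can be turned into a simple receiver-side check, shown here as an added example (not from the article or any vendor). The 3.6 mA and 21 mA fault thresholds and the 3.8–20.5 mA valid band are the values stated in the text; the treatment of the narrow gaps between them as "undefined", and the 0–100 % engineering range, are assumptions of this example.

```python
# Added example: classify a 4-20 mA loop current per the NAMUR NE 43 bands
# described in the article, and scale a usable current to engineering units.
# The 3.6-3.8 mA and 20.5-21 mA gaps are assigned no meaning by the text, so
# they are reported as "undefined" here (assumption). Range limits are
# constructed sample values (0-100 %).
from dataclasses import dataclass
from typing import Optional

FAULT_LOW = 3.6      # below this: failure information (NE 43)
VALID_LOW = 3.8      # lower limit of a valid measurement value
NOMINAL_LOW = 4.0    # start of the 4-20 mA measurement span
NOMINAL_HIGH = 20.0  # end of the 4-20 mA measurement span
VALID_HIGH = 20.5    # upper limit of a valid measurement value
FAULT_HIGH = 21.0    # above this: failure information (NE 43)


@dataclass(frozen=True)
class LoopReading:
    current_ma: float
    status: str             # valid | under_range | over_range | fault_low | fault_high | undefined
    value: Optional[float]  # engineering value; None unless the measurement is usable


def classify_ne43(current_ma: float, range_low: float = 0.0, range_high: float = 100.0) -> LoopReading:
    """Map a loop current to an NE 43 status and, where usable, to an engineering value."""
    if current_ma < 0:
        raise ValueError("loop current cannot be negative")
    if current_ma < FAULT_LOW:
        return LoopReading(current_ma, "fault_low", None)
    if current_ma > FAULT_HIGH:
        return LoopReading(current_ma, "fault_high", None)
    if current_ma < VALID_LOW or current_ma > VALID_HIGH:
        # Transition bands: neither a valid value nor an explicit fault signal
        return LoopReading(current_ma, "undefined", None)
    # Linear scaling over the 4-20 mA span; 3.8-4.0 and 20.0-20.5 mA extrapolate slightly
    fraction = (current_ma - NOMINAL_LOW) / (NOMINAL_HIGH - NOMINAL_LOW)
    value = range_low + fraction * (range_high - range_low)
    if current_ma < NOMINAL_LOW:
        status = "under_range"
    elif current_ma > NOMINAL_HIGH:
        status = "over_range"
    else:
        status = "valid"
    return LoopReading(current_ma, status, value)


def usable_for_safety_logic(reading: LoopReading) -> bool:
    """A logic solver should act on the process variable only for measurement statuses."""
    return reading.status in ("valid", "under_range", "over_range")
```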

Many modern smart devices also utilize NAMUR NE 107 recommendations to provide five basic status indications for identifying normal state or one of four error types (FIG. 7). When present, these status indications are most often communicated via HART. Error types include:

  • Maintenance required
  • Signal out of specified range (often adjustable via a transmitter)
  • Function check/temporary invalid signal
  • Instrument failure.

FIG. 7. Five standard status states specified by the NAMUR NE 107 recommendation.

NE 107 allows for the routing of error signals to operations or maintenance staff when a problem exists. By utilizing a field device management tool, users can drill further down into diagnostic data to identify error causes.

Reducing systematic failure during proof testing

While every plant requires personnel to run, manage and ensure continued operations, human error can introduce problems to automated systems—particularly during atypical maintenance procedures. For example, instruments that are temporarily pulled out of service for proof testing are sometimes damaged during reinstallation. When possible, it is advantageous to reduce touchpoints on instrumentation to lessen systematic failure risk, especially for components of an SIS.

For certain applications requiring proof tests, partial in-situ testing can reduce the frequency of full proof tests. In a full proof test, the instrument under examination is manually removed from service and tested on a bench. In-situ testing eliminates instrument removal and should be used whenever possible because it reduces system downtime, saves money on testing, avoids exposure to hazardous processes or chemicals, and reduces systematic error rates.

For applications where in-situ testing is not possible, IEC 61508-compliant manufacturers offer guided proof testing sequences to minimize systematic failure. These step-by-step instructions reduce the potential for human error (FIG. 8).

FIG. 8. A guided proof test helps diminish operator errors. If the values indicated are identical, then the device configuration has not changed since the last proof test.

These documents also detail the reporting format to create comprehensive verification reports that are consistent across every instrument in the plant.

Reducing operational systematic failures

Conditions like corrosion, abrasion, sedimentation and overall process deterioration can cause system upsets. Smart devices’ predictive statistics can be used to predict these and other types of failures, allowing personnel to attend to potential faults prior to malfunctions.

Condition monitoring systems help interpret measured data to more accurately forecast failure possibilities. The predictions provided by these systems help users schedule maintenance and improve process optimization. Possible applications of condition monitoring include the detection of deposit buildup or corrosion-induced wear (FIG. 9).

FIG. 9. A condition monitoring system can detect process variances in the early stages to avoid costly systematic failures.

Systematic failures can also occur during device replacement. Even when an instrument is replaced with an identical substitute, the complexity of modern instrumented systems makes it difficult to properly set all parameters manually. However, there are tools—such as watchdog, checksum, reverse conversion loops, and others—that validate an identical copy of configuration parameters from the old instrument to the new. These elements are integrated into the instrument device diagnostics. If a user is notified of a disparity, this indicates a potentially erroneous configuration. Configuration software can automatically detect and alert the user when there is a difference in these settings.
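The checksum comparison mentioned above, as an added example (not from the article or any vendor): a checksum over a canonical serialisation of the configuration detects any drift between the old and replacement instrument, and a parameter-level diff tells the technician which SIL-relevant settings to correct. The parameter names, values and the set treated as SIL-relevant are constructed for this example.

```python
# Added example: verify that a replacement instrument carries an identical copy
# of the old instrument's configuration, as described in the article.
# Parameter names/values and the SIL-relevant set are constructed, not from any device.
import json
import zlib
from typing import Any, Dict, List, Tuple

# Constructed: parameters whose change would alter the safety function
SIL_RELEVANT = {"measuring_range_low", "measuring_range_high",
                "fault_current_ma", "damping_s", "sil_lock"}


def config_checksum(params: Dict[str, Any]) -> int:
    """CRC32 over sorted, compact JSON so that key order cannot mask a change.
    CRC32 detects accidental drift; it is not a tamper-resistant hash."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return zlib.crc32(canonical)


def compare_configs(old: Dict[str, Any], new: Dict[str, Any]) -> Tuple[bool, List[str], List[str]]:
    """Return (identical, differing SIL-relevant parameters, differing other parameters)."""
    if config_checksum(old) == config_checksum(new) and old == new:
        return True, [], []
    keys = sorted(set(old) | set(new))
    sil_diffs = [k for k in keys if k in SIL_RELEVANT and old.get(k) != new.get(k)]
    other_diffs = [k for k in keys if k not in SIL_RELEVANT and old.get(k) != new.get(k)]
    return False, sil_diffs, other_diffs


# Constructed sample: configuration read back from the old instrument ...
OLD_DEVICE = {"measuring_range_low": 0.0, "measuring_range_high": 5000.0,
              "fault_current_ma": 3.6, "damping_s": 2.0, "sil_lock": True,
              "tag": "LT-101", "display_language": "en"}
# ... and from the replacement as shipped: range preset wrong, SIL lock not yet set
NEW_DEVICE = {"measuring_range_low": 0.0, "measuring_range_high": 4000.0,
              "fault_current_ma": 3.6, "damping_s": 2.0, "sil_lock": False,
              "tag": "LT-101", "display_language": "de"}


def replacement_report(old: Dict[str, Any], new: Dict[str, Any]) -> str:
    """Human-readable result for the commissioning record."""
    identical, sil_diffs, other_diffs = compare_configs(old, new)
    if identical:
        return "configuration identical (checksum 0x%08x)" % config_checksum(new)
    return "SIL-relevant mismatch: %s; other mismatch: %s" % (sil_diffs, other_diffs)
```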

IEC 61508-compliant level switches ease maintenance

A hydrocarbon producer plagued with maintenance issues introduced IEC 61508-compliant tuning fork level switches to streamline operations and reduce risk of systematic failure. Previously, the producer used non-compliant level switches to prevent tank overfill of a highly toxic chemical, and the tank needed to be emptied and cleaned annually to remove the level switches and perform full proof tests.

After replacing the instrumentation with IEC 61508-compliant level switches, the producer was able to perform in-situ testing without instrument removal, requiring a full proof test just once every 3 yr.

Personnel are now able to monitor the tuning fork level switch diagnostic functions and oscillation frequencies to detect corrosion before it is visible to the human eye, thus enabling predictive maintenance that decreases systematic failure occurrences.

In-situ proof testing of the new instrumentation is carried out using a proprietary verification sequence tool[c] that provides step-by-step instructions to ensure adherence to the proper procedure. This sequence tool produces an SIL verification report at its conclusion, which is transmittable as a portable document format file. These new capabilities cut system downtime, ease maintenance difficulties and reduce systematic failures.


Throughout the safety lifecycle, systematic failure focus is critical in SIS design. Proper risk assessment and comprehension of the safety application help to minimize systematic failures. While random failure risk will always exist in varying quantities, systematic failure risk can be reduced to exceptionally low levels by employing the following tactics:

  • Consider available application data and ensure device function, material and sizing suitabilities
  • Deploy detailed operating procedures for devices in service
  • Adhere to standards such as IEC 61508 (functional safety) and IEC 61511 (SIS)
  • Reduce human touchpoints and also minimize frequency of full proof tests, as allowed by the SIS.

Reducing systematic failure risk of instrumentation leads to increased uptime and throughput, while reducing maintenance expenses and improving process safety. Risk reduction starts with careful supplier selection and continues throughout design, installation, commissioning, operation and maintenance. HP


[a] Endress+Hauser’s online Applicator tool
[b] Endress+Hauser’s FieldCare software
[c] Endress+Hauser’s SIL verification sequence wizard
