Functional Safety is the part of the overall safety of a system or piece of equipment that depends on a system or equipment operating correctly in response to its inputs.
The concept applies to everyday life and every industry you can think of. It is fundamental for most safety-related systems. The oil and gas industry, nuclear plants, the manufacturing sector, your car, medical devices, transportation all rely heavily on Functional safety to achieve safety in areas where the operation of equipment can give rise to hazards.
Functional Safety
Safe function of a device or system — Functional safety is part of the overall safety of a system or piece of equipment and generally focuses on electronics and related software. It looks at aspects of safety that relate to the function of a device or system and ensures that it works correctly in response to commands it receives. In a systemic approach Functional safety identifies potentially dangerous conditions, situations or events that could result in an accident that could harm somebody or destroy something. It enables corrective or preventive actions to avoid or reduce the impact of an accident.
Tolerable risk
The aim of Functional safety is to bring risk down to a tolerable level and to reduce its negative impact; however, there is no such thing as zero risk. Functional safety measures risk by how likely it is that a given event will occur and how severe it would be; in other words: how much harm it could cause.
Applications
Functional safety is the best way of reducing inherent risks in hazardous industrial processes both within a factory or chemical plant and out in the field. An automatic valve closure mechanism will ensure that dangerous chemicals are mixed in exactly the required quantities.
A crane safe load indicator prevents an overload from collapsing the crane and killing workers or innocent bystanders. Sensors or laser barriers automatically shut down a robot when a human or object enters its working range, preventing injuries or potentially costly damage to machinery. A pressure valve will open or close precisely when it is electronically instructed to do so. When such safety devices fail to operate as they should, for example during deep-sea oil drilling or during the filling of a chemical tank, major disasters can ensue.
Many systems today are designed to automatically prevent dangerous failures or to control them when they arise.
Such failures can arise for example from:
So-called electrical, electronic or programmable electronic safety-related systems (E/E/PE) cover all the parts of a device or system that carry out automated safety functions. This includes everything from sensors, through control logic and communication systems, to final actuators, including any critical actions of a human operator as well as environmental conditions.
Many safety-related systems that would have used electro-mechanical technology or solid-state electronics now use programmable electronics instead. Devices such as programmable controllers, programmable logic controllers (PLCs) and digital communication systems (e.g. bus systems) are part of this trend. Furthermore, enabling technologies, such as application specific integrated circuits (ASICs), micro-processors, and intelligent sensors, transmitters and actuators, are increasingly being integrated into products and systems.
AXYS Consulting can provide assistance with the management of Functional Safety in the process industry, in mining and in other industries, as we are Functional Safety Engineers in both Safety Instrumented Systems (TÜV Rheinland, SIS) and Machinery (TÜV Rheinland, Machinery).
Maintenance spare parts are held to support planned maintenance tasks and to avoid or mitigate the risks associated with stockouts. For critical equipment, stockouts can result in lengthy asset downtime and production losses while spare parts are being replenished.
A spare parts stocking strategy is still a somewhat mysterious and misunderstood process, yet it does not have to be. Following a simple review process will allow any organisation to minimise the risk to the business of not having the right spare parts and the right quantity of spare parts available, while minimising the capital invested in these spares.
It can be taken one step further by working closely with parts suppliers and repair shops by designing a comprehensive program that could include their involvement and co-operation.
AXYS Consulting in association with MRO@nalytics can offer client configured MRO@BI (Business Intelligence) tools to review spare parts stocking levels.
Failure Modes and Effects Analysis (FMEA), along with Failure Mode, Effects and Criticality Analysis (FMECA), was one of the first highly structured, systematic techniques for failure analysis. It was developed by reliability engineers in the late 1950s to study problems that might arise from malfunctions of military systems. An FMEA is referred to as an FMECA when a criticality analysis is performed as part of the analysis.
An FMEA is often the first step of a system reliability study. It involves reviewing as many components, assemblies, and subsystems as possible to identify failure modes, and their causes and effects. For each component, the failure modes and their resulting effects on the rest of the system are recorded within a specific FMEA worksheet.
A few different types of FMEA analyses exist, such as
Analysis: The analysis may be performed at the functional level until the design has matured sufficiently to identify specific hardware that will perform the functions; then the analysis should be extended to the hardware level.
Functional: before design solutions are provided (or only at a high level), functions can be evaluated for potential functional failure effects.
General mitigations ("design to" requirements) can be proposed to limit the consequences of functional failures or to limit the probability of occurrence at this early stage of development. It is based on a functional breakdown of a system. This type may also be used for software evaluation.
Design: analysis of products prior to production. These are the most detailed FMEAs and are used to identify any possible hardware (or other) failure mode down to the lowest part level.
This process is based on a hardware breakdown (e.g. the Bill of Material, schematic diagrams, flow diagrams, piping and instrumentation diagrams). Failure effects, severity, failure frequency, detection and diagnostics may be fully analysed in this FMEA.
Process: analysis of manufacturing and assembly processes. Both quality and reliability may be affected by process faults.
Reliability-centred Maintenance 3 (RCM3) is the world’s leading maintenance task development methodology from the Aladon Network.
What is RCM3™?
RCM2 is the most widely used RCM methodology worldwide. More people around the world have received training in RCM2 than in any other version of RCM. RCM2 is still the most robust RCM process to date and continues to be a very important consideration for improving asset performance. The industry acknowledges Aladon’s RCM2 as the most capable RCM methodology and recognises the impact it made and continues to make.
RCM2 is Aladon’s trademark methodology and has formed the basis for RCM3. The SAE JA 1011 and SAE JA 1012 standards provided the guidelines for the development. Aladon extended the RCM2 capability (and the requirements of the SAE standards) to align with more recent, internationally accepted ISO management systems (ISO 55000 and ISO 31000).
Additionally, RCM3 is fully integrated with other business risk management systems such as RBI and HAZOP. RCM is no longer just another initiative but a mainstream business risk management process that could become the most important management system for improving process safety and asset integrity. This new risk-based methodology is the only process companies would need to cover all their assets (rotating and static).
Although RCM3 is “newly released”, Aladon has records of many years of testing and improving the methodology. The process has been implemented over a ten-year period with leading organisations. The risk-based approach was introduced by John Moubray before his passing and, although it was not fully developed at the time of his death, the concepts existed. The methodology and concepts are proven, and Aladon will deliver RCM2 and RCM3 through its global Network.
The industry, and especially the requirements for process safety and managing risks, continued to evolve, and Aladon improved the concepts and ideas to keep up with emerging standards. Aladon continues to explore new technologies and trends, working with its global Network and Technology Partners. Aladon will continue to lead with its world-class training courses and robust methodologies.
A progression table from RCM2 to RCM3 illustrates the extended capabilities of RCM3, which may be viewed here. RCM3 will become the new standard for how organizations will manage their operational risks and improve asset integrity. For more information, please contact Aladon or the Aladon Network Member in your area.
RCM3 Highlights
To gain a better understanding of how RCM3 works, consider attending one of the RCM3 Training courses offered by AXYS Consulting.
Reliability-centred Maintenance 2 (RCM2) is the world’s leading maintenance task development methodology from the Aladon Network.
What is RCM2?
RCM2 is the leading RCM methodology used to determine the maintenance requirements of any physical asset in its operating context. It is used to decide what must be done to ensure that any physical asset, system or process continues to do whatever its users want it to do.
What users expect from their assets is defined in terms of primary performance parameters such as output, throughput, speed, range and carrying capacity. Where relevant, the RCM2 process defines what users want in terms of risk (safety and environmental integrity), quality (precision, accuracy, consistency and stability), control, comfort, containment, economy, customer service and so on.
The application of RCM2 completely transforms the view that any organization has of its physical assets. Not only does it revolutionize views about maintenance and how maintenance and operations work together but it also leads to a far broader and deeper understanding about how things work.
From the viewpoint of the business which operates the assets, these changes are both profound and profoundly important. They mean that assets not only become more reliable because they are better maintained, but they also mean that operators are less likely to do things which cause their assets to fail. A better understanding of how systems work also means that operators are far more likely to react quickly, confidently and correctly when things do go wrong – a capability which is quite literally priceless, especially in complex, hazardous, tightly coupled facilities.
The RCM2 Process
The RCM2 process identifies the ways in which the system can fail to live up to these expectations (failed states), followed by an FMEA (failure modes and effects analysis) to identify all the events that are reasonably likely to cause each failed state.
Finally, the RCM2 process seeks to identify a suitable failure management policy for dealing with each failure mode in the light of its consequences and technical characteristics. Failure management policy options include:
The RCM2 process provides powerful rules for deciding whether any failure management policy is technically appropriate. It also provides precise criteria for deciding how often routine tasks should be done.
One of the features of RCM2 that distinguishes it from other interpretations of the RCM philosophy is the cross-functional groups of users and maintainers that perform the analyses. After training, these analysis teams apply the process to their assets to produce the most cost-effective asset reliability programs.
RCM2 complies with the public standard for RCM. In 1999 the Society of Automotive Engineers introduced a standard defining the criteria a method must meet in order to be called RCM.
The standards are:
To gain a better understanding of how RCM2 works, consider attending one of the RCM2 Training courses offered by AXYS Consulting.
Due to their large number of assets, most companies need to allocate effort and resources to those areas that can benefit the most. The Criticality Analysis plays an important role in helping to establish an implementation plan and focus required resources where the benefit will be most felt.
Criticality Analysis is the process used to assess the relative criticality of one system against another. The analysis ranks assets according to their identified criticality and is used to assist in selecting the appropriate actions for the system.
The identified outputs may be
AXYS Consulting can use a number of different techniques to assess criticality and can work with you to choose the approach that is best for your organisation.
Bowtie achieves a good understanding and appreciation of safety risk control by not only identifying the controls (or barriers) in place but also looking at control failure mechanisms and in turn how these are managed. Based on these considerations, insights are gained into the organisation’s risk mitigation strategies and therefore into the appropriate management of safety resources.
The main strength of the barrier approach is as a qualitative tool, which is a practical solution for the challenges of risk assessment in the dynamic operating environments of industry.
The Bowtie model consists of different elements that build up the risk picture. The risk picture revolves around the hazard (something in, around or part of an organisation or activity which has the potential to cause damage or harm) and the top event (the release or loss of control over a hazard known as the undesired system state).
Consideration then turns to the threats (possible direct causes of the top event), the consequences (results of the top event that end directly in loss or damage) and the controls (any measure taken that acts against some undesirable force or intention).
The Bowtie model explores the escalation factors (the reasons why a control may be defeated or be less effective) of all controls, allowing escalation factor controls to be allocated. These prevent the escalation factors from having an impact on the prevention or recovery controls. Further attributes, such as control effectiveness or criticality, can be allocated to the Bowtie model to evaluate the risk picture.
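To show how the elements above fit together, here is an added example (not from the original page or from any Bowtie tool) that models a hazard, top event, threats, consequences, controls and escalation factors as plain data and then lists the gaps a reviewer looks for. The tank scenario, its controls and the escalation factors are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    # escalation factor -> escalation factor controls that manage it (may be empty)
    escalation_factors: dict = field(default_factory=dict)

@dataclass
class Leg:
    """A threat (left of the top event) or a consequence (right of it) with its controls."""
    name: str
    controls: list = field(default_factory=list)

@dataclass
class Bowtie:
    hazard: str
    top_event: str
    threats: list
    consequences: list

def unmanaged_escalation(control):
    """Escalation factors recorded on a control with no escalation factor control."""
    return [ef for ef, efc in control.escalation_factors.items() if not efc]

def gaps(bt):
    """Weaknesses in the risk picture: a threat with no prevention control, a
    consequence with no recovery control, or an unmanaged escalation factor."""
    findings = []
    for side, legs in (("prevention", bt.threats), ("recovery", bt.consequences)):
        for leg in legs:
            if not leg.controls:
                findings.append(f"'{leg.name}': no {side} control")
            for c in leg.controls:
                for ef in unmanaged_escalation(c):
                    findings.append(f"'{c.name}' ({leg.name}): escalation factor '{ef}' unmanaged")
    return findings

# Constructed scenario for the example; not a real study.
TANK = Bowtie(
    hazard="flammable solvent held in a storage tank",
    top_event="loss of containment",
    threats=[
        Leg("overfill during transfer", [Control("high-level trip closes inlet valve",
                                                 {"level transmitter drift": ["monthly calibration"]})]),
        Leg("external corrosion of shell", []),
    ],
    consequences=[
        Leg("pool fire", [Control("foam deluge", {"foam concentrate depleted": []})]),
        Leg("spill to drain", [Control("bund sized to 110% of tank volume")]),
    ],
)
```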
The HAZOP technique is qualitative and aims to stimulate the imagination of participants to identify potential hazards and operability problems; structure and completeness come from the use of guideword prompts.
The relevant international standard calls for team members to display ‘intuition and good judgement’ and for the meetings to be held in ‘a climate of positive thinking and frank discussion’.
The HAZOP technique was initially developed to analyse chemical process systems and mining operations, but has since been extended to other types of systems and to complex operations such as nuclear power plant operation. Specific software has been developed to record deviations and their consequences.
In order to identify deviations, the team systematically applies Guide Words to each section of the process. To prompt discussion it may also be helpful to explicitly consider the parameters that apply to the design intent. These are general words such as Flow, Temperature, Pressure and Composition. The standard notes that Guide Words should be chosen which are appropriate to the study and neither too specific (limiting ideas and discussion) nor too general (allowing loss of focus). A standard set of Guide Words is given, as an example, in the table below.
| Guide Word | Meaning |
|------------|---------|
| NO OR NOT | Complete negation of the design intent |
| MORE | Quantitative increase |
| LESS | Quantitative decrease |
| AS WELL AS | Qualitative modification/increase |
| PART OF | Qualitative modification/decrease |
| REVERSE | Logical opposite of the design intent |
| OTHER THAN | Complete substitution |
| EARLY | Relative to the clock time |
| LATE | Relative to the clock time |
| BEFORE | Relating to order or sequence |
| AFTER | Relating to order or sequence |
A HAZOP study is a team effort. The team should be as small as possible consistent with their having relevant skills and experience.
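As an added example (not from the original page or from any HAZOP software), the following pairs the guide words in the table above with the parameters of one process node, keeps the pairings the team treats as meaningful, and records worksheet rows so that deviations with a consequence but no safeguard can be pulled out as actions. The applicability map, the node and the worksheet rows are assumptions constructed for the example.

```python
# Guide words from the table above, in the same order.
GUIDE_WORDS = ["NO OR NOT", "MORE", "LESS", "AS WELL AS", "PART OF", "REVERSE",
               "OTHER THAN", "EARLY", "LATE", "BEFORE", "AFTER"]

# Which guide word is meaningful for which parameter is a decision the study
# team makes per node; this map is an assumption for the example only.
APPLICABLE = {
    "Flow": {"NO OR NOT", "MORE", "LESS", "REVERSE", "AS WELL AS", "PART OF", "OTHER THAN"},
    "Temperature": {"MORE", "LESS"},
    "Pressure": {"MORE", "LESS"},
    "Composition": {"AS WELL AS", "PART OF", "OTHER THAN"},
}

def deviations(node, parameters):
    """Systematically pair every guide word with every parameter of a node and
    keep the combinations the study treats as meaningful deviations."""
    return [(node, p, gw, f"{gw} {p}")
            for p in parameters
            for gw in GUIDE_WORDS
            if gw in APPLICABLE.get(p, set())]

def worksheet_row(deviation, causes, consequences, safeguards, action=""):
    """One row of a HAZOP worksheet for a single deviation."""
    node, param, gw, text = deviation
    return {"node": node, "parameter": param, "deviation": text,
            "causes": list(causes), "consequences": list(consequences),
            "safeguards": list(safeguards), "action": action}

def unsafeguarded(rows):
    """Rows with a credible consequence but no safeguard recorded: the
    deviations the team must carry forward as actions."""
    return [r for r in rows if r["consequences"] and not r["safeguards"]]

# Constructed study of one node; not from a real plant.
NODE = "Node 1: reactor feed line"
BY_TEXT = {d[3]: d for d in deviations(NODE, ["Flow", "Temperature"])}
ROWS = [
    worksheet_row(BY_TEXT["NO OR NOT Flow"],
                  ["feed pump trips", "suction valve left closed"],
                  ["reactor starved, temperature excursion"],
                  ["low-flow alarm", "pump running indication"]),
    worksheet_row(BY_TEXT["REVERSE Flow"],
                  ["pump stops while reactor is at higher pressure"],
                  ["reactor contents flow back into the feed tank"],
                  [], action="confirm a check valve is fitted or add one"),
]
```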