WSRC-MS-2002-00091

Operator Action within a Safety Instrumented Function

Lawrence T. Suttinger
Westinghouse Savannah River Company
Aiken, SC 29802-0616

Carl L. Sossman
Westinghouse Safety Management Solutions
Aiken, SC 29804-5388

This document was prepared in conjunction with work accomplished under Contract No. DE-AC09-96SR18500 with the U.S. Department of Energy.

DISCLAIMER

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

This report has been reproduced directly from the best available copy.

Available for sale to the public, in paper, from:
U.S. Department of Commerce, National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161,
phone: (800) 553-6847,
fax: (703) 605-6900,
email: orders@ntis.fedworld.gov
online ordering: http://www.ntis.gov/help/index.asp

Available electronically at http://www.osti.gov/bridge

Available for a processing fee to U.S. Department of Energy and its contractors, in paper, from:
U.S. Department of Energy, Office of Scientific and Technical Information, P.O. Box 62, Oak Ridge, TN 37831-0062,
phone: (865) 576-8401,
fax: (865) 576-5728,
email: reports@adonis.osti.gov

KEYWORDS: Operator Action, Safety Instrumented Function, Safety Instrumented System

Abstract

In many process safety applications, operator action by itself or in combination with other layers of protection provides the necessary risk reduction for functional safety. The operator cannot provide this safety function in isolation. A number of physical systems and administrative systems must be available for the operator to perform adequately as part of the safety function implementation. The operator must have the necessary process information presented to him/her and a means to take the needed action to correct the undesirable or unwanted process condition. As such, the operator must receive an alarm or monitor an indication to determine that a process parameter has exceeded or, in a good design, is nearing a safety limit. The operator must then act on the process system in a manner that brings it to a safe state or prevents it from continuing toward its safety limit.

This paper presents an overview of the factors that should be considered when crediting operator action for performing a safety function or for being a part of the process of enabling a safety function. Criteria for evaluating operator action, such as required response time and operator training, are discussed. The paper addresses these and other factors that should be considered when determining the reliability of the operator to respond and perform his/her part of the safety function. The entire safety function includes the operator and the reliability of the instrumented system that provides the alarm or indication, the final control element, and support systems. The integration of the operator performance with the hardware safety availability, including the effects of the supporting systems, is discussed. The analysis of these factors provides the justification for the amount of risk reduction or safety integrity level that can be credited for the Safety Instrumented Function (SIF), including operator action.

Introduction

Safety for a process industry sector facility can be achieved by a number of means. These include (1) the design of a process or facility to eliminate the safety risk, (2) administrative controls (e.g. inventory control, safety procedures), (3) the basic process control system, (4) the application of safety prevention and mitigation systems (e.g. mechanical, safety instrumented system), (5) facility emergency response systems, and (6) community emergency response systems. These safety features are graphically depicted in Figure 1.

Figure 1 – Typical Process Facility Safety Features/Protection Layers

These safety features can be used by themselves or in combination with other safety features to provide the necessary risk reduction to achieve the required margin of safety. IEC 61511 (draft) identifies these safety features as protection layers. ISA S84.01 recognizes the application of non-Safety Instrumented System (SIS) protection layers, which would include safety related operator action, but the methods for accomplishing this are presently identified as outside the scope of the standard.

The operator of the facility or process is directly involved in one or more aspects of protection layers 2 through 6 of Figure 1. This paper will focus on the credit, in terms of risk reduction, that can be taken for operator action to place a process or facility in its safe state in response to an alarmed or monitored parameter.

Operator Action When Used for Safety Risk Reduction

Risk for a facility is a function of the frequency of a hazardous event and the severity or consequence of that event. Each facility will establish a unique set of risk criteria depending on the facility function (e.g. processing or storage), location, design, quantity and types of hazardous materials, and the facility's tolerance for risk.

The risk that a process or operating facility presents can be reduced to a level that is acceptable, within the risk criteria established for the facility, by the application of protection layers. Figure 1 above illustrates a range of features, sometimes called protection layers, which can be used to reduce the risk to an acceptable level. The protection layers consist of emergency response systems, design features, administrative controls and active protection systems. Three of the active protection systems are often implemented by manual operator action in response to process parameters that exceed safety limits. The first of these is when the operator action is part of the Basic Process Control System (BPCS). The second is when the operator action is an integral part of a Safety Instrumented System (SIS) that is designed to prevent or mitigate an event. The third is where the operator activates a facility emergency response system. In either the first or second case an operator may respond to an alarm/indication in the control room and initiate an action within the control room, or the operator may be required to go into the facility to physically place a component in a safe state. The main distinction among these is that the BPCS, not being a safety system as the SIS is, does not have the same design, maintenance and operational criteria imposed upon it as would be imposed on a safety system. As a result, there are limits to the amount of risk reduction that can be credited for operator action in response to BPCS alarms/indication. Credited, as used in this application, is defined as the numeric value of risk reduction or probability of failure on demand that can be assigned to the protection layer. The value of risk reduction determines the Safety Integrity Level (SIL) that can be achieved for the design of the Safety Instrumented Function (SIF).

There are several industry standards that address the design of safety instrumented systems for the process industry.

ISA S84.01 covers the design of Safety Instrumented Systems that are automatic. Operator action, where it is the sole means required to return a process to a safe state, is outside the scope of the ISA standard (Ref. ISA S84.01, Section 1.2.14). Thus the ISA standard, at this time, does not provide any guidance for the design and verification of operator action to accomplish a SIF. IEC 61511 (draft) is broader in scope in its definition of a protection layer and SIS. IEC 61511 Part 1, Section 3.2.57, definition of Protection Layer, and 3.2.70, definition of Safety Instrumented System, discuss operator actions. The IEC standard recognizes that safety responses may be automated or initiated by human actions. Both of the standards provide a fairly consistent approach to the design of automatic Safety Instrumented Systems. The differences that exist between IEC 61511 (draft) and ISA S84.01 concerning the design and verification of operator action within a SIS are expected to be addressed in the process of issuing IEC 61511 and subsequent ISA S84.01 reaffirmation.

To understand the differences in how to design and evaluate an automatic SIS versus an operator actuated SIS, it is beneficial to look at the architectures of the two SIS types. Figure 2 provides the basic architecture of an automatic SIS. It is composed of sensor(s), logic solver(s) and final element(s). It is assumed for this figure that the system is de-energize-to-actuate, so no supporting systems are required for the system to complete its safety function. If the SIS were an energize-to-actuate function, then support systems (e.g. electrical power, hydraulic, instrument air) would also be required to provide the motive force to complete the safety instrumented function.

Figure 2 – Typical Example of Automatic Actuated SIS Architecture

Figure 3 provides the basic architecture for manual operator action within a SIF. The SIS is composed of sensor(s), logic solver(s), alarm presentation/operator action(s) and final element(s). The basic architecture differs from the automatic SIS in that Alarm Presentation and Operator Action form an additional block in the architecture. Support Systems will always be required to complete a safety instrumented function that incorporates manual operator action. An operator actuated SIS does not fail safe on total loss of power or motive force. An alarm or indication must be presented to the operator in order for the operator to react and take action. The most common support system required for an operator to satisfactorily implement this safety function is the supply of electrical power (e.g. normal electrical power, battery power, UPS) to illuminate an alarm light or actuate an audible alarm, but there may be others.

Figure 3 – Typical Example of Operator Actuated SIS Architecture

Evaluation of Credited Operator Action

Operator Action Within a BPCS

The normal control and operation of a facility is accomplished through the BPCS. Although limited credit can be given to the BPCS for safety related risk reduction, insufficient care in its design can and usually does have a negative impact on safety. Operator actions in response to process conditions that are implemented through the BPCS are not part of a safety system, but it is generally accepted that a degree of risk reduction can be credited for these actions. IEC 61511 (draft), Part 1, Section 9.4.2 states that the risk reduction factor for a BPCS used as a protection layer shall be less than 10. A risk reduction factor of less than 10 is equivalent to an average Probability of Failure on Demand (PFD) of greater than 10^-1. A formal verification or calculation of the PFD of credited protection layer operator action within the BPCS is not expected, as it would be for a SIS. There are no specific industry standards or design requirements for BPCS operator action credited as a protection layer. The design of a BPCS operator interface should incorporate Human Factors Engineering (HFE) principles to ensure that the operator will respond adequately to an alarm or process indication. In addition, it is important that operator response to normal plant operations and facility upsets does not unduly challenge the safety of the facility by putting the process into an undesirable mode or condition.

Operator Action Within a SIF

Operator action as part of a Safety Instrumented Function can be credited with a level of risk reduction greater than 10. Once the decision has been made to credit an operator actuated protection layer with a risk reduction greater than 10, then the system from the sensor to the final element (Figure 3) should be designed and evaluated as a SIS per the requirements of IEC 61511 or ISA S84.01.

The key to designing and evaluating an Operator Action within a SIS (OASIS) is to recognize the additional factors that affect the probability of failure on demand. The two main factors that affect the Safety Integrity Level (SIL) of an OASIS in addition to the factors considered for an automatic SIS are human errors and support system reliability.

Human error essentially is the failure of the operator to respond correctly within the required time to the alarm/process indication and to take the actions necessary to place the process/facility in a safe state. The human response can be broken down into four functions: (1) recognize the unsafe condition, (2) analyze the condition properly, (3) perform the required safety action, and (4) follow the process/facility response to completion of the safety function (i.e. SIS action implemented and process returning to safe operating values). There are a number of methods for evaluating the probability of human error. Two of the better known methods are the Technique for Human Error Rate Prediction (THERP) (Reference NUREG/CR-1278) and the Accident Sequence Evaluation Program Human Reliability Analysis Procedure (Reference NUREG/CR-4772). Error rates are usually established on a per demand basis. The nominal human error rates can be reduced or increased based on operator related environmental factors (quality of displays, control layout and clarity, control area environment, procedures, access), personnel factors (training, experience), and stress factors (personal, shift schedules, response time pressure, severity or magnitude of the safety condition). The best source for determining the human error rate would be company/facility specific historical data, but in most organizations this is not available. Therefore, one must use other sources and adjust the human error rate for safety related operator responses to the application and circumstances accordingly.

The second factor is the reliability of the support systems that are required for the OASIS to meet its SIF, which includes a specified Safety Integrity Level. Most SISs are designed as de-energize-to-actuate. As a result, the calculation of PFD for these SISs does not generally have to take into consideration any system outside of the SIS. An OASIS inherently requires support systems to complete the SIF. Displays/alarms require power to actuate the light and horn for operator response. Therefore, the reliability of the electrical power system directly affects the PFD of the OASIS.
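As an added worked example, not taken from the paper or from either standard, the following Python script applies the OR-gate fault-tree arithmetic that Figures 5 and 7 illustrate to the two architectures of Figures 2 and 3, then maps the resulting average PFD to a risk reduction factor and SIL band; it returns SIL 0 where the risk reduction factor would fall below the limit of 10 stated above for BPCS credit. Every numeric input (failure rates, proof-test intervals, the nominal human error probability, the performance-shaping multipliers and the alarm power supply unavailability) is a constructed placeholder, and the element and function names are the example's own.

```python
"""Compare the average PFD and achievable SIL of an automatic SIS with an
operator-actuated SIS (OASIS) using single-OR-gate fault-tree arithmetic.

All numbers below are constructed placeholders for illustration; none come
from the paper, IEC 61511, ISA S84.01 or the NUREG human reliability reports.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """A 1oo1 hardware element that is proof-tested at a fixed interval."""
    name: str
    lambda_du_per_hour: float   # dangerous undetected failure rate (constructed)
    test_interval_hours: float

    def pfd_avg(self) -> float:
        # Low-demand single-channel approximation: lambda_DU * TI / 2
        return self.lambda_du_per_hour * self.test_interval_hours / 2.0


def or_gate(probabilities: Iterable[float]) -> float:
    """OR gate over independent basic events: the SIF fails if any one block
    in the chain fails, so P(top) = 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in probabilities:
        survive *= 1.0 - p
    return 1.0 - survive


def human_error_probability(nominal_hep: float, shaping_multipliers: Iterable[float]) -> float:
    """Scale a nominal per-demand HEP by performance-shaping multipliers
    (>1 for adverse factors such as time pressure, <1 for favourable ones such
    as a rehearsed alarm-response procedure); clamp to a valid probability."""
    hep = nominal_hep
    for m in shaping_multipliers:
        hep *= m
    return min(max(hep, 0.0), 1.0)


def sil_from_pfd(pfd_avg: float) -> int:
    """Low-demand SIL bands (IEC 61511 / ISA S84.01). 0 means PFD >= 0.1,
    i.e. a risk reduction factor below 10, the ceiling for BPCS credit."""
    if pfd_avg < 1e-4:
        return 4
    if pfd_avg < 1e-3:
        return 3
    if pfd_avg < 1e-2:
        return 2
    if pfd_avg < 1e-1:
        return 1
    return 0


def risk_reduction_factor(pfd_avg: float) -> float:
    return 1.0 / pfd_avg


def evaluate(contributions: Dict[str, float]) -> Tuple[float, int, str]:
    """Combine named basic events through one OR gate; return
    (PFD_avg, SIL, name of the largest single contributor)."""
    pfd = or_gate(contributions.values())
    dominant = max(contributions, key=contributions.get)
    return pfd, sil_from_pfd(pfd), dominant


# Constructed hardware shared by both architectures (blocks of Figures 2 and 3).
SENSOR = Element("pressure transmitter", 5e-7, HOURS_PER_YEAR)
LOGIC_SOLVER = Element("logic solver", 1e-7, HOURS_PER_YEAR)
FINAL_ELEMENT = Element("shutoff valve", 1e-6, HOURS_PER_YEAR)
ALARM_DISPLAY = Element("alarm annunciator", 1e-6, HOURS_PER_YEAR)  # extra OASIS block


def automatic_sis() -> Tuple[float, int, str]:
    """Figure 5 shape: sensor OR logic solver OR final element. The chain is
    de-energize-to-actuate, so no support system enters the tree."""
    return evaluate({e.name: e.pfd_avg() for e in (SENSOR, LOGIC_SOLVER, FINAL_ELEMENT)})


def operator_sis(nominal_hep: float = 1e-2,
                 shaping_multipliers: Iterable[float] = (3.0, 0.5),
                 power_unavailability: float = 1e-3) -> Tuple[float, int, str]:
    """Figure 7 shape: the same hardware plus the alarm display, the operator's
    per-demand error, and the electrical supply the alarm needs to annunciate."""
    events = {e.name: e.pfd_avg()
              for e in (SENSOR, LOGIC_SOLVER, ALARM_DISPLAY, FINAL_ELEMENT)}
    events["operator error"] = human_error_probability(nominal_hep, shaping_multipliers)
    events["alarm power supply"] = power_unavailability   # constructed unavailability
    return evaluate(events)


if __name__ == "__main__":
    for label, (pfd, sil, dominant) in (("automatic SIS", automatic_sis()),
                                        ("operator-actuated SIS", operator_sis())):
        print(f"{label:22s} PFDavg={pfd:.2e}  RRF={risk_reduction_factor(pfd):.0f}  "
              f"SIL {sil}  dominant contributor: {dominant}")
```

Run stand-alone, the script prints both chains' PFD, risk reduction factor, SIL and largest single contributor. With these placeholder inputs the operator's per-demand error and the alarm power supply move the operator-actuated chain from SIL 2 to SIL 1 while the hardware is unchanged, which is the effect the two additional factors above have on the verification. Substituting plant-specific failure data, a THERP or ASEP-derived HEP with the facility's own shaping factors, and the measured unavailability of the alarm power supply turns the same arithmetic into the OASIS verification the paper calls for.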

The checklist shown below in Table 1 can be used as an aid in the design and evaluation of the adequacy of operator action within a safety instrumented function:

Table 1 – Checklist for Human Factors Issues

Each Human Factors Engineering issue below is answered Yes, No, or N/A:

  1. Can the operator respond within the required time response for the SIF?
  2. Are operators provided specific alarm response procedures?
  3. Are operators adequately trained relative to the required SIS action?
  4. Are operators periodically evaluated for competency in SIS response?
  5. Are operators physically capable of accomplishing the response action?
  6. Are controls and displays adequate, effective, and suitable for operator tasks?
  7. Is the operator action consistent with existing protocol and procedures, established conventions and operator experience?
  8. Do separate displays present consistent information?
  9. Is display movement consistent/compatible with related control movement?
 10. Is displayed information readable to the necessary precision, concise, complete, and usable without extrapolation?
 11. Is adequate information about normal and upset conditions displayed?
 12. Is display failure readily apparent?
 13. Are displays and controls located within recommended height and reach limits?
 14. Are SIS alarms obvious to an operator?
 15. Are related controls, displays and alarms grouped together?
 16. Is the possibility of accidental operator activation of SIF initiation minimized?
 17. Is the SIS operator interface in an area that requires frequent operator attention?
 18. Do displays support operator task requirements in terms of range, precision and accuracy?
 19. Are normal operating ranges and alarm setpoints clearly identified?
 20. Are the completions of commanded SIS actions (e.g. valve position, pump status) displayed?

Figures 4 through 7 illustrate the differences between the evaluations/verifications of an automatic SIS and of an operator action within a SIS.

Examples of SIS and OASIS Evaluations Using Fault Tree Methodology

Figure 4 – Automatic SIS Action to Close Valve on High Pressure

Figure 5 – Fault Tree of Automatic SIS Shown in Figure 4

Figure 6 – SIS Operator Action to Close Valve on High Pressure

Figure 7 – Fault Tree of SIS Operator Action to Close Valve on High Pressure Shown in Figure 6

Conclusion

Operators are an integral part of the control and safety of virtually all facilities. When operator action is credited as a protection layer within a Safety Instrumented Function, the verification of the amount of risk reduction achieved should be handled in the same manner as the verification of an automatic Safety Instrumented System as defined by ISA S84.01 or IEC 61511. The verification includes the consideration of human error rates, support system reliability, administrative controls such as operator training, and the establishment and control of alarm response procedures. The systematic evaluation/verification of an operator’s safety related actions will greatly aid in assigning the proper credit for the risk reduction provided by this action, and identify the salient factors that affect the probability of failure on demand of the operator action within the safety instrumented function.

References

  1. IEC 61511 (Draft), Version d5FDIS, dated 4/24/02, Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
  2. ISA S84.01-1996, Application of Safety Instrumented Systems for the Process Industries.
  3. NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, U.S. Nuclear Regulatory Commission, August 1983.
  4. NUREG/CR-4772, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, U.S. Nuclear Regulatory Commission, February 1987.