Safety needs friends… (Part 2/2)

5 June 2019

…it’s got enough enemies already!

This post is all about process safety, even though there are plenty of parallels that can be drawn to IT / OT security.

Everyday (process) safety

As we saw in Part 1 of this blog post, there are processes which cause a system’s performance to (prematurely) deteriorate or which prevent that system from serving its intended purpose. We’ll now discuss why these processes are not all that different for cars (Part 1) than they are for safety systems in the process industry. There is one big differentiator, however, namely the rules and regulations that are effective while the systems are operating. We car drivers are sometimes slightly intimidated by the next “vehicle roadworthiness test” or maybe the manufacturer’s “service booklet”. But apart from that, all we have to contend with is the odd legal reminder to ensure that our motor vehicle is in a generally “safe condition” to be on the road.

When it comes to safety in the process industry, it’s an altogether different story. There are umpteen different laws, regulations etc. that have to be observed, and they are steadily increasing in both number and complexity. The number of control inputs and outputs (IO) connected to a safety system is likewise rising all the time. Whereas safety systems used to account for only 10% of all IOs, we are now rapidly nearing the 20% mark. In other words, the safety systems are not only getting “bigger”; they are also subject to a growing number of “safeguards”. In the next section, we’ll take a look at the operational phase of safety systems – at where the enemies are lurking, what makes them potentially lethal and what we can do to stop them. We’ll finish off with a comment on the design phase.

Why are safety systems “weakened” prematurely?

It’s because they have “enemies”. Their two main enemies are “wear” and “human error” (whether inadvertent or deliberate). Both of these cause safety systems to “age” prematurely, resulting in accidents which in the worst case could be fatal.

Wear – enemy number one

Wear comes in many different guises: normal wear and tear, aging, material fatigue etc. These are all different words for the same problem: a deterioration in the performance of an existing system. And my safety system is basically no different from my car. It needs, first, condition monitoring and, second, maintenance.


Let’s start with maintenance. By and large, it’s up to the owner to map out a suitable maintenance strategy. And since the owner is me, I clearly need to do a bit of organizing here. Put simply, I must decide who checks or repairs what and when. By that I mean first, repair work to remedy obvious damage or aging and second, trial runs of the safety system to verify, and confirm, that it’s working correctly.


Good condition monitoring can provide valuable support here in several respects. The solution must provide constant online information about the condition of my safety systems. It also makes sense to store this data, so that it can be evaluated and presented in reports. We can achieve several things in this way …

  1. Permanent overview of the condition of my safety systems
  2. Early identification of any problems that may occur
  3. Avoid unnecessary maintenance activities
  4. Suitability of the data and subsequent reports as supporting evidence
  5. Document any incidents that occur and use them instead of / in addition to scheduled tests
  6. Compare the design with actual operation and make improvements where necessary (e.g. demand mode)
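To make points 2, 5 and 6 concrete, here is a small worked example (added for this post, not code from any condition-monitoring product): it evaluates stored demand records for a few safety functions, compares the observed demand rate with the rate the design assumed, flags demands on which a function did not act, and credits a documented successful real demand like a proof test when working out when the next scheduled test is due. The tags, design values and the “real demand counts as a proof test” rule are all constructed assumptions for illustration; the 365-day year is a deliberate simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records (not from a real plant). Each row: safety-function
# tag, demand timestamp (ISO 8601), and whether the function acted on the demand.
DEMAND_LOG = [
    ("SIF-101", "2018-03-02T10:15:00", True),
    ("SIF-101", "2018-09-14T22:40:00", True),
    ("SIF-101", "2019-01-20T04:05:00", True),
    ("SIF-101", "2019-04-11T16:30:00", True),
    ("SIF-202", "2018-11-05T08:00:00", True),
    ("SIF-303", "2019-02-28T13:12:00", False),  # demand on which the function did not act
]

# Constructed design assumptions: demand rate the design was based on (per year)
# and the scheduled proof-test interval (days).
DESIGN = {
    "SIF-101": {"demands_per_year": 1.0, "proof_test_days": 365},
    "SIF-202": {"demands_per_year": 1.0, "proof_test_days": 365},
    "SIF-303": {"demands_per_year": 0.5, "proof_test_days": 730},
}


@dataclass
class Assessment:
    tag: str
    observed_demands_per_year: float
    design_demands_per_year: float
    exceeds_design: bool
    failed_demands: int
    last_successful_demand: Optional[datetime]


def assess(demand_log, design, window_start: datetime, window_end: datetime) -> dict:
    """Compare observed demand rates in [window_start, window_end) with the design assumption."""
    years = (window_end - window_start).days / 365.0  # simplification: 365-day years
    counts = {tag: 0 for tag in design}
    failures = {tag: 0 for tag in design}
    last_ok = {tag: None for tag in design}
    for tag, stamp, acted in demand_log:
        ts = datetime.fromisoformat(stamp)
        if tag not in design or not (window_start <= ts < window_end):
            continue
        counts[tag] += 1
        if acted:
            if last_ok[tag] is None or ts > last_ok[tag]:
                last_ok[tag] = ts
        else:
            failures[tag] += 1
    result = {}
    for tag, d in design.items():
        rate = counts[tag] / years
        result[tag] = Assessment(tag, rate, d["demands_per_year"],
                                 rate > d["demands_per_year"], failures[tag], last_ok[tag])
    return result


def next_proof_test_due(tag, last_scheduled_test: datetime, assessment: Assessment, design) -> datetime:
    """Assumed site rule: a documented successful real demand is credited like a
    proof test, so the interval restarts from whichever event is later."""
    anchor = last_scheduled_test
    if assessment.last_successful_demand and assessment.last_successful_demand > anchor:
        anchor = assessment.last_successful_demand
    return anchor + timedelta(days=design[tag]["proof_test_days"])


def report(assessments, design, last_tests) -> list:
    """One report line per function, with the findings a maintenance planner needs."""
    lines = []
    for tag, a in assessments.items():
        flags = []
        if a.exceeds_design:
            flags.append("demand rate above design assumption: review demand mode")
        if a.failed_demands:
            flags.append(f"{a.failed_demands} demand(s) without safety action: investigate")
        due = next_proof_test_due(tag, last_tests[tag], a, design)
        line = (f"{tag}: {a.observed_demands_per_year:.2f}/yr observed vs "
                f"{a.design_demands_per_year:.2f}/yr design; next proof test due {due.date()}")
        if flags:
            line += "; " + "; ".join(flags)
        lines.append(line)
    return lines


if __name__ == "__main__":
    window = (datetime(2018, 1, 1), datetime(2020, 1, 1))
    last_tests = {tag: datetime(2018, 6, 1) for tag in DESIGN}  # constructed
    for line in report(assess(DEMAND_LOG, DESIGN, *window), DESIGN, last_tests):
        print(line)
```

Run as a script it prints one line per function; SIF-101 shows up with twice the design demand rate (a candidate for the “demand mode” review in point 6), and SIF-303 with a demand that went unanswered (point 2).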

“Condition monitoring” and “maintenance” are our “friends”!

Human error – enemy number two

Let’s now turn our attention to enemy number two: human error attributable to improper use and sheer ignorance. The deterioration of the safety system is accelerated as a result and if you “incorrectly” bypass that system or any part of it, the consequences could prove fatal. It makes no difference whether you do this deliberately or inadvertently: the outcome is the same.


It’s not at all uncommon – in fact, it’s an everyday occurrence – for safety systems to be bypassed or overridden. There are generally good reasons for doing so, for instance in order to carry out maintenance work on the plant or perform tests. However, that inevitably means undermining (weakening) my safety system. I can take various precautions to mitigate this weakening. One of the most important measures will hopefully have already been implemented upfront, namely good organization. Methods and procedures should exist that define who does what, when and how, so that in situations where there is no alternative but to bypass the safety system, it is not weakened any more than absolutely necessary.


As with “wear”, monitoring is only part of the solution. The safety system must be both monitored and documented. A system that gives me a simple graphical overview of my safety system, its interconnections and the safety situation online in real time could be the answer here. For example, as the operator in the control room, I’m aware of the condition, and I know that the override at point X is correct because I was informed about the maintenance activities. What’s more, I can store work processes or time slots within which this override is allowed. It also makes sense to store this data, so that it can be evaluated and presented in reports.


If it supports an offline simulation mode, this kind of system could also be used to plan maintenance and tests. I could figure out beforehand how disabling or limiting the safety system at one point is likely to impact other points. It would then be easier to decide which measures are required to guarantee a minimum degree of safety.

Through appropriate organizational measures and a solution for permanent online monitoring, the overall level of safety can be improved in several ways …

  1. Steadily fewer uncontrolled overrides
  2. Continuous monitoring and documentation of compliance with methods and procedures
  3. Ability to carry out a virtual run of the implications of equipment overrides
  4. Condition of the safety systems is constantly visible to the plant operator
  5. Incoming shift can “also” be advised in a simple and readily understandable way regarding the safety systems

“Methods” and “procedures”, and ways to “monitor” them, are our “friends”!
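The following worked example (added here, not code from the original post or from any vendor’s product) shows what “monitoring compliance with methods and procedures” can look like in practice for overrides. It takes a register of authorized override permits (who allowed what, within which time slot), the override events the safety system actually recorded, and a map of which safety functions protect the same hazard. From these it classifies each override as controlled, overrunning its permit, or uncontrolled; lists what is currently overridden for the incoming shift; and, as the “virtual run”, tells the planner which hazards would be left without any protection layer if one more function were overridden. Every tag, permit, person and hazard name is a constructed assumption for illustration.

```python
from datetime import datetime
from typing import Optional

# Constructed permits: authorized override windows per safety function.
PERMITS = [
    {"tag": "SIF-101", "from": "2019-06-03T08:00:00", "to": "2019-06-03T12:00:00",
     "authorized_by": "shift supervisor A"},
    {"tag": "SIF-202", "from": "2019-06-03T09:00:00", "to": "2019-06-03T10:00:00",
     "authorized_by": "shift supervisor A"},
]

# Constructed override events as the safety system would record them.
# "cleared" is None while the override is still active.
OVERRIDES = [
    {"tag": "SIF-101", "set": "2019-06-03T08:10:00", "cleared": "2019-06-03T11:30:00", "by": "operator 1"},
    {"tag": "SIF-202", "set": "2019-06-03T09:05:00", "cleared": "2019-06-03T10:45:00", "by": "operator 1"},
    {"tag": "SIF-303", "set": "2019-06-03T13:00:00", "cleared": None, "by": "operator 2"},
]

# Constructed interconnections: which safety functions protect the same hazard.
# If every function listed for a hazard is overridden at once, no protection layer remains.
HAZARD_LAYERS = {
    "reactor overpressure": ["SIF-101", "SIF-303"],
    "tank overfill": ["SIF-202"],
}


def _t(stamp: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(stamp) if stamp else None


def classify(override: dict, permits: list, now: datetime) -> str:
    """'controlled' if the override started inside a permit window and ended (or is
    still running) before that window closed; 'overran permit' if it outlived the
    window; 'uncontrolled' if no permit covers it at all."""
    set_at = _t(override["set"])
    ended = _t(override["cleared"]) or now
    for p in permits:
        if p["tag"] != override["tag"]:
            continue
        if _t(p["from"]) <= set_at <= _t(p["to"]):
            return "controlled" if ended <= _t(p["to"]) else "overran permit"
    return "uncontrolled"


def active_overrides(overrides: list, now: datetime) -> set:
    """Tags overridden at the given moment, i.e. what the operator must be aware of."""
    return {o["tag"] for o in overrides
            if _t(o["set"]) <= now and (o["cleared"] is None or _t(o["cleared"]) > now)}


def unprotected_hazards(active_tags: set, layers: dict) -> list:
    """Hazards for which every protecting function is currently overridden."""
    return sorted(h for h, tags in layers.items() if all(t in active_tags for t in tags))


def simulate_override(tag: str, active_tags: set, layers: dict) -> list:
    """Offline 'virtual run': which hazards would lose their last protection layer
    if `tag` were overridden on top of what is already overridden."""
    already = set(unprotected_hazards(active_tags, layers))
    after = set(unprotected_hazards(active_tags | {tag}, layers))
    return sorted(after - already)


def shift_report(overrides: list, permits: list, layers: dict, now: datetime) -> list:
    """Plain-language handover summary for the incoming shift."""
    lines = [f"Override status at {now.isoformat(timespec='minutes')}:"]
    for o in overrides:
        state = "active" if o["cleared"] is None else f"cleared {o['cleared'][11:16]}"
        lines.append(f"  {o['tag']} set {o['set'][11:16]} by {o['by']}, {state}: "
                     f"{classify(o, permits, now)}")
    active = active_overrides(overrides, now)
    gaps = unprotected_hazards(active, layers)
    lines.append("  hazards without any protection layer: " + (", ".join(gaps) if gaps else "none"))
    return lines


if __name__ == "__main__":
    now = datetime(2019, 6, 3, 14, 0)
    for line in shift_report(OVERRIDES, PERMITS, HAZARD_LAYERS, now):
        print(line)
    print("planning: overriding SIF-101 now would leave unprotected:",
          simulate_override("SIF-101", active_overrides(OVERRIDES, now), HAZARD_LAYERS))
```

The classification is what you would feed into the report on point 2 above (compliance with procedures), the active set and the hazard check are the online overview of points 4 and 5, and `simulate_override` is the offline mode of point 3: with SIF-303 already overridden without a permit, planning a further override of SIF-101 is exactly the case in which the reactor overpressure hazard would be left with no protection layer at all.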

Comment on the design phase

Wear or aging is not something that normally occurs during the design phase of a safety system. We will also leave aside the possibility of hardware faults introduced during manufacture and restrict ourselves to the safety system’s design and parameterization for a particular plant. Don’t forget that human error can often be a problem during the design phase. It could take the form of an incorrectly planned logic circuit, for instance, due to a lack of concentration, uncertainty or the misinterpretation of relevant rules and regulations. The best way to combat this problem is through organizational measures such as seminars, methods and procedures, or monitoring compliance.


Our safety system is engaged in a lifelong battle with its enemies. We can support it on the technical level, for instance, with solutions for permanent condition monitoring or online reporting, or on the organizational level with seminars and procedures, in which case compliance must be monitored. By combining both of these strategies in a safety management system (including a management of change solution etc.), we can ensure that our friends remain vigilant. A structured approach such as this enables a high safety level to be maintained throughout the lifecycle.

With friends like these, we can succeed in defeating our enemies.


1 Comment so far

#1 Deressa, 10 June 2019, 04:01

Very good
