A short (and possibly evil) treatise on SILs from our guest blogger
May I introduce myself?
The name’s Screwtape; some of you might have heard of me from that short and nasty book by C.S. Lewis. All lies of course, and I would know, about lies that is… baboom tish! Anyway, the world has moved on and I’m sure you’d be completely unsurprised to hear that I’ve branched out into software consulting now. I do find the software industry one that is oh so over-ripe for the plucking of immortal souls, ah, but I digress. Your good host has asked me here today to render a few words on the question of risk-based safety integrity levels (SILs) and how to turn such pesky ideals, akin in many ways to those other notions of Christian virtue, to your own ends.
First off congratulations! Your standard is risk based and therefore relies upon the estimation and allocation of very small increments of likelihood, an exercise that is inescapably laden with uncertainty and subjectivity, and one that therefore requires the exercise of a high degree of design discretion. There is, as a consequence, an almost limitless scope to game the standard, you lucky thing you. Now down to the specifics…
1. If you don’t like the failure targets assigned to functional failures (and who does), change the argument to one about accident rates. This gives you tremendous scope to obfuscate the issue with arcane notations and enormous accident causation models while laying off frequency targets on anything other than your SIL-nominated components.
2. Subtly redraw the boundary of the system so that problematic areas fall outside the scope of the analysis, and therefore outside the SIL assessment. It’s a game map makers have been playing for centuries and it can also work for you! This relies on the old chestnut that it’s hard to detect the absence of something that isn’t there.
3. Build a long chain of consequence mitigation for the functional failure, should it occur, to push the derived failure-rate target (and hence the SIL) down to whatever arbitrary level you’re comfortable with. Then, as the coup de grâce, push that mitigation sequence outside your system boundary. For double points, make use of operator action as much as you can. For triple points, make sure the failure target assigned to the operator is a completely unrealistic but hidden assumption of the analysis.
4. Take the SIL standard (whatever it might be) and then develop your own version of what a SIL level constitutes by adding, modifying and subtracting tasks. Skew the processes you choose towards those that have least direct impact on the end product (never, ever require specific safety functions like watchdog timers) so that it’s easy for you to claim ‘partial’ compliance, and difficult for anyone to figure out what that means.
5. Claim a higher than required SIL going into the program, using your in-house SIL level, but give yourself sufficient wiggle room in your procedures to allow the design authority to vary the process; then proceed to water down the actual applied requirements so that what’s actually done is much less.
6. Establish a captive independent safety assessor (paying them works well) or a toothless internal review board (that appears independent but isn’t) to ensure that the answer to each problem report is ‘no further action required’. At all costs avoid independent assessment of criticality; this is pure poison to the art of avoiding spending money on fixing things. Never ever, ever, ever keep metrics….
7. If your standard allows you to combine lower-level SILs using a higher-SIL-rated comparator function to give a higher SIL overall, but you don’t want the expense of building that comparator, then keep the lower-SIL components and push the comparator outside your system. Double points if you levy the comparator function on the operators.
8. Never use the customer’s risk criteria definitions; you want to use definitions and terms that are different enough that it’s always an arduous exercise to translate between their definitions and yours. There’s plenty of room for misdirection here (see 9 below), as well as an avenue for plausible deniability via the ‘oh sorry, that got lost in translation…’ defence.
9. If the customer gives you a failure target but not a unit of duration, then pounce like the leopard! You can make your derived targets look as good as needed just by playing with the duration, but make sure you bury that definition ‘in plain sight’ so that they can’t claim you never told them.
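For the reviewer on the receiving end of the mitigation-chain, operator-credit and missing-duration-unit tricks above, here is an added example (not code from the original post) of the arithmetic a sceptical assessor would run before accepting a derived SIL. It assumes the IEC 61508 high-demand / continuous-mode PFH bands; the 0.1 cap on credit for a single operator action is an assumed reviewer rule of thumb, and the accident rate and mitigation layers are constructed sample inputs.

```python
"""Reviewer-side sanity check for a derived SIL target (added example).

Given a customer's tolerable accident rate and the chain of mitigation layers
claimed between a functional failure and that accident, derive the failure
rate the function is being allowed, map it to a SIL band, and flag the
assumptions a reviewer should question. SIL bands assume IEC 61508
high-demand / continuous mode PFH limits; the operator-credit cap and the
sample numbers are constructed for this example.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 PFH bands (dangerous failures per hour): (SIL, lower, upper)
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# Assumed reviewer rule: no single operator action is credited better than 0.1
MAX_OPERATOR_CREDIT = 0.1


def to_per_hour(rate, unit):
    """Normalise a failure target to failures per hour; refuse an unstated unit."""
    factors = {"per_hour": 1.0, "per_year": 1.0 / HOURS_PER_YEAR}
    if unit not in factors:
        raise ValueError(f"failure target {rate} has no usable duration unit: {unit!r}")
    return rate * factors[unit]


def sil_for_pfh(pfh):
    """Map a per-hour target to a SIL; 0 means no SIL claim is supportable."""
    for sil, lo, hi in PFH_BANDS:
        if lo <= pfh < hi:
            return sil
    return 4 if pfh < 1e-9 else 0  # stricter than SIL 4 is reported as 4


def derive_function_target(accident_pfh, mitigations):
    """Failure rate the function may have once every mitigation layer is credited.

    Each layer's probability of failure on demand (PFD) multiplies the credit,
    so the function's own target is relaxed by the inverse of the product.
    """
    credit = 1.0
    for layer in mitigations:
        credit *= layer["pfd"]
    return accident_pfh / credit


def review_sil_claim(accident_rate, unit, mitigations):
    """Return (derived SIL, list of reviewer findings) for a claimed analysis."""
    findings = []
    accident_pfh = to_per_hour(accident_rate, unit)
    for layer in mitigations:
        if layer["kind"] == "operator" and layer["pfd"] < MAX_OPERATOR_CREDIT:
            findings.append(
                f"operator credit {layer['pfd']} for '{layer['name']}' is not credible")
        if not layer["inside_boundary"]:
            findings.append(
                f"'{layer['name']}' is credited but sits outside the assessed boundary")
    target = derive_function_target(accident_pfh, mitigations)
    return sil_for_pfh(target), findings


if __name__ == "__main__":
    # Constructed sample: customer tolerates 1e-4 accidents per year.
    print("no mitigation, per year :", review_sil_claim(1e-4, "per_year", []))
    # The same digits read as 'per hour' support no SIL at all.
    print("no mitigation, per hour :", review_sil_claim(1e-4, "per_hour", []))
    layers = [
        {"name": "operator trips plant", "kind": "operator",
         "pfd": 0.001, "inside_boundary": False},
        {"name": "hardwired interlock", "kind": "engineered",
         "pfd": 0.01, "inside_boundary": True},
    ]
    print("with claimed mitigations:", review_sil_claim(1e-4, "per_year", layers))
```

The two things the check makes visible are exactly the ones the tricks rely on: a target with no duration unit is refused rather than silently interpreted, and every layer of credit taken between the function and the accident is listed with its PFD and its position relative to the assessed boundary, so an operator credited at one-in-a-thousand, or a comparator that lives outside the system, shows up as a finding instead of disappearing into the derivation.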
Apply these rules religiously, while simultaneously selling to upper management how much money you’re saving the company, and by golly I wouldn’t be surprised if you rise to the dizzying height of head of division before you know it. Just disregard that slight smell of brimstone and that gnawing, vacant feeling somewhere in your chest.
Yours most cordially,
Senior partner, Screwtape inc, plc.