

Stuff that has nowhere else to go...

European astronauts – hitching a ride in the space race

posted 9 Aug 2016, 02:54 by John O'Sullivan

First published in Engineers Journal 09 August 2016

John O’Sullivan’s new book tells the story of how European astronauts lived on board the International Space Station, helped construct the space laboratory and performed valuable scientific experiments. Read on for a chance to win a copy.

The Soyuz ‘crew taxi’

The history of European human spaceflight is not as straightforward as its American or Russian counterparts. Europe was not a competitor in the ‘space race’. As a collection of nations with different languages, cultures and goals, the vision for space has been complex.

For the first three decades of the space age, Europe was divided by the Iron Curtain. Even today, the European Space Agency (ESA) does not build or fly a human-rated spacecraft. But despite all these factors, there is a rich history of Europeans travelling to space on a variety of spacecraft and performing a variety of missions.

As Europe is not a single country with a manned space programme, European astronauts must ‘hitch a ride’ to get into space. This has resulted in many different routes to orbit. Before the period covered by this book, astronauts from communist countries and from France had flown on Soviet Soyuz spacecraft to the Salyut and Mir space stations.


Figure 1: The ESA-built Columbus module being moved to the Harmony module. (NASA)

Later, astronauts from other Western European space agencies and ESA flew to Mir. Western Europeans represented their national space agencies and ESA by flying on NASA space-shuttle missions. Naturalised US citizens from around the world, including quite a few Europeans, succeeded in joining NASA’s astronaut corps by applying to the Johnson Space Centre in Houston, Texas.

Spacecraft and missions

European astronauts have travelled to the International Space Station (ISS) in two types of spacecraft: the American Space Shuttle and the Russian Soyuz. They have been resupplied on board the station by payload in the Italian-built Multi-Purpose Logistics Modules (MPLM) carried aboard Shuttles and also by a variety of unmanned vehicles – the Russian Progress, the European ATV, the Japanese HTV and the SpaceX commercial Dragon spacecraft.


Figure 2: The Soyuz ‘crew taxi’

European astronauts have conducted many types of mission on board the ISS. There have been week-long visits, where the ESA astronaut travelled to the station to deliver a new crew, returning to Earth with the previous crew. There have been assembly missions where the ESA astronaut helped deliver a new module or conduct a spacewalk to add solar arrays or antennae. And there have been long duration missions where the ESA astronaut has been a member of a six-month expedition, in one case (Frank de Winne) commanding the facility. While the book covers all 18 missions from 2000 to 2012, here are samples of each type of mission.

Cervantes, A Visiting Mission
Astronaut: Pedro Duque
Mission duration: Ten days, one hour, 37 minutes
Launch date: 18 October 2003


Figure 3: Pedro Duque during an interview with Spanish TV. (NASA)

The Cervantes mission had four objectives:

  1. To exchange the Soyuz ‘lifeboat’ at the ISS;
  2. To carry out a programme of scientific and technical research organised by the ESA and the Spanish Ministry of Science and Technology via the Centre for Development of Industrial Technology (CDTI). A number of experiments from the Odissea mission were to be repeated. Educational and promotional activities would be undertaken with the aim of bringing the European human space programme and research performed in space to a wider public, and to young people in particular;
  3. To increase operational experience aboard the ISS; from a European perspective the Cervantes mission was important because it would increase the experience of ESA’s astronauts ahead of the launch of the Columbus laboratory module;
  4. To exchange the ISS Expedition crews, because Expedition 8 would fly up on Soyuz TMA-3 and Expedition 7 would return to Earth with Duque on Soyuz TMA-2.

Celsius, An Assembly Mission
Astronaut: Christer Fuglesang
Mission duration: 12 days, 20 hours, 45 minutes
Launch date: 10 December 2006


Figure 4: The kink that developed in the port-side solar array of the P6 truss segment during the first attempt to retract that array on 13 December 2006. (NASA)

ESA astronaut Christer Fuglesang became the first Swedish astronaut to venture into space when he flew as a Mission Specialist on Space Shuttle Discovery for the STS-116 mission that undertook ISS Assembly Flight 12A.1. The STS-116 mission had many objectives:

  1. The P5 truss segment was a ‘spacer’ that was installed between the P4 and P6 segments, both of which carried solar array assemblies. The P6 segment had been installed early in the assembly process by being temporarily placed on the Z1 truss atop the Unity node. STS-120 in October 2007 was to transfer P6 to its permanent position at the end of P5, thereby completing the port side of the integrated truss;
  2. NASA astronaut Sunita Williams replaced ESA astronaut Thomas Reiter as the second Flight Engineer of the Expedition 14 crew;
  3. Although primarily an ISS assembly flight including spacewalks for Fuglesang, a number of experiments in human physiology and radiation dosimetry were conducted for the ESA Celsius mission;
  4. Delivery of 2.5 tonnes of supplies, equipment and research payloads in the SpaceHab Single Module.

Promisse, A Long Term Expedition
Astronaut: André Kuipers
Mission duration: 192 days, 18 hours, 58 minutes
Launch date: 21 December 2011


Figure 5: André Kuipers in the ESA Cupola sending a postcard from space. (ESA)

ESA astronaut André Kuipers was delivered in December 2012 for the fourth European long-duration mission to what was now a fully operational ISS. His term as a member of an international six-person crew was scheduled to last almost six months. The mission objectives were as follows:

  1. Microgravity: Kuipers was himself a medical doctor who had been actively involved in microgravity research for at least a decade. As he posted on his ESA blog, “The data I will collect from myself can bring valuable information about the effects of weightlessness on the human body. This research may help to prepare for a future mission to Mars.”
  2. Scientific experiments: he undertook around 30 ESA experiments covering human research, fluid physics, materials science, radiation, solar research, biology, and technology demonstrations. Most of the experiments were carried out in the Columbus laboratory, which would mark its fourth anniversary in orbit during his mission. Countermeasures against bone loss in weightlessness, the study of headaches in space, and mapping the radiation environment inside the ISS were among the experiments related to human exploration. In addition, André carried out at least 20 experiments on behalf of NASA and the Japanese and Canadian space agencies involving almost 30 research facilities in the various laboratories of the ISS;
  3. Flight engineer: as a flight engineer, Kuipers had assignments ranging from station systems to payload operations. He had to be on hand to deal with visiting spacecraft. He was the prime crewmember for docking ESA’s ATV-3 named ‘Edoardo Amaldi’. He was also involved in berthing the new Dragon spacecraft that had been developed by Elon Musk’s company SpaceX as part of NASA’s commercial resupply programme;
  4. Education: André Kuipers shared some of the magnificent views of Earth from the ISS’s Cupola and invited children to become involved in a wide range of educational activities. Spaceflight is uniquely able to inspire primary and secondary pupils to learn about biodiversity and climate change on Earth. André transmitted to classrooms across Europe, demonstrating experiments on convection and wet foam formation. Being an advocate for health and well-being, he also encouraged new generations of space explorers to stay fit by following the international education initiative Mission X: Train Like an Astronaut;
  5. Science: around 30 experiments were carried out during the Promisse mission, covering a wide range of disciplines. Kuipers had an extensive science, technology and education programme focused on life on Earth and looking ahead to future global human exploration missions.

The European Space Agency (ESA) has a long history of human spaceflight, flying in space with both NASA and the Soviet/Russian space agencies over the years. John O’Sullivan’s new book tells the story of the ESA astronauts who have visited the International Space Station over its first decade and how they have lived on board, helped construct the space laboratory and performed valuable scientific experiments.

In the Footsteps of Columbus, European Missions to the International Space Station is published by Springer-Praxis. It is available in Kindle or paperback format at www.Amazon.co.uk, 391pp; ISBN: 978-3319275604


John O’Sullivan, author of In the Footsteps of Columbus: European Missions to the International Space Station pictured at the National Space Centre in Cork

John O’Sullivan BE, Dip Phys Sci, Dip PM, CEng MIEI, PMP, FSP, CMSE ® studied Electrical Engineering at University College Cork. He has over 20 years’ experience in the automation and control sector delivering solutions to the life-science industry in Ireland. He is a Chartered Engineer with Engineers Ireland and a Project Management Professional with the Project Management Institute. He has always had a fascination with aviation and space, leading him to gain his Private Pilot Licence in 2003 and to study Astronomy and Planetary Science with the Open University. Since 2010 he has been awarded a Certificate in Astronomy and Planetary Science and a Diploma in Physical Science by the OU, as well as a Diploma in Project Management from the Cork Institute of Technology. He was an unsuccessful applicant for the ESA Astronaut Corps in 2008, and lives in East Cork with his wife and daughter.

Why 21 CFR Part 11 can be implemented sensibly

posted 25 Sept 2015, 05:21 by John O'Sullivan

First published on LinkedIn 16th Sep 2015

The Code of Federal Regulations is the codification of the rules and regulations issued by the US Federal Government. There are 50 titles and they cover all aspects of federal law. For example Agriculture, Energy, National Defence, Public Health etc.

Title 21 is Food and Drugs and is administered by the Food and Drug Administration (FDA) and the Drug Enforcement Agency (DEA). Chapter 1 falls under the remit of the FDA and is further broken down into Food, Pharmaceuticals, Medical Devices, Animal feed and medicines as well as Radiography and Mammography. These sectors are generally gathered under the term Life Sciences. Part 11 covers the guidelines on Electronic Records and Electronic Signatures related to the Life Science industry.

One may wonder why an indigenous Irish company operating in the Irish market has to concern itself with this US regulatory document. As an open economy, Ireland depends on Foreign Direct Investment and as a result most large manufacturing plants in this country export to the United States. This is particularly true of the Life Science industry. Any company exporting to the US is subject to regulatory oversight and audit by the FDA and failure to comply can result in warnings, non-conformance reports and even plant closure.

Douglas supplies control and automation systems which include databases of information which constitute batch records. These batch records form part of the traceable data associated with the product/device. If there is a problem with a product in the field, this data has to be available. It can outline where a product was manufactured, when and by whom. Audit trails can identify the staff on duty during the manufacture, process parameters used, logs of alarms and events related to the batch as well as trends of the temperatures, pressures etc. of all critical instruments. Other information systems (LIMS, MES, ERP) can also provide lists of the raw materials, laboratory results, shipping details and distribution channels but this is outside the scope of this essay.

If a company has decided that electronic records rather than paper records constitute the batch record, then the data has to be recorded, logged and stored in compliance with Part 11. It instructs that procedures and systems are in place to ensure the authenticity, integrity and confidentiality of the records.

When 21 CFR Part 11 was published in 1997 it was considered excessive by user groups. This was due to misunderstanding of the requirements and the lack of Commercial Off The Shelf (COTS) software solutions to help implement it. As a result, some companies continued to use paper records (with the associated overhead of review, storage, security etc.), others implemented expensive bespoke software solutions (with the risk of obsolescence and lack of future support).

In 2001 the FDA issued a guidance for industry narrowing the scope of Part 11 and elaborating on the use of paper records produced from a computer system.

In general, with common practice among manufacturers & suppliers and the release of “21 CFR Part 11 compliant“ COTS software from the major vendors, it has become relatively straightforward to implement a compliant solution.

In conclusion, as with the Risk Based approach in GAMP5, Part 11 compliance depends on a sensible, collaborative approach where data integrity, and hence product quality and patient safety, can be ensured in a cost-effective manner.

Good Automation Manufacturing Practice

posted 25 Sept 2015, 05:18 by John O'Sullivan

First published on LinkedIn 8th Sep 2015


How GAMP5 reduces risk and improves quality

As an automation and control system integrator, we at Douglas provide hardware and software solutions to industry. Our customers range from local indigenous industry (manufacturing, dairy, brewing, distilling) to multinational manufacturers (pharmaceuticals, medical device, biotechnology). We also provide projects, services and support to airports, railway signaling and energy clients.

With this wide range of clients, their expectations of deliverables can differ greatly. This is a result of a number of factors: common practice, regulatory requirements and project budgets vary across the sectors.

Unless the system integrator has one client or works exclusively in a single sector, the automation provider needs to be flexible and able to adapt its offering. 

The way we have addressed this is through the use of GAMP. Good Automation Manufacturing Practice is a guidance document produced by the ISPE (International Society for Pharmaceutical Engineering). It “aims to achieve validated and compliant automated systems”. GAMP initially started in the 1990s and version 1.0 was published in 1995. GAMP4 arrived in 2002.

 We used GAMP4 to develop a suite of template documents to ensure:

  1. Common approach and content in Douglas documents
  2. Coverage of all GAMP recommendations
  3. Elimination of repeated work.

In 2008 GAMP5 was published, subtitled “A Risk-Based Approach to Compliant GxP Computerised Systems”. At this stage we realigned our templates with the new guidelines. This did not mean many changes, but I received some training and learned that the approach was changing. Risk-Based meant a more sensible approach to validating systems. It seems that GAMP had been taken to heart in the industry to the extent that the approach had become rigid. Systems were being tested and retested needlessly. Off-the-shelf components were being tested and qualified too rigorously. Utility systems that had limited influence on quality were being validated to the same degree as production facilities. Time and engineering effort were being wasted and this was affecting schedules and budgets.

GAMP5 had a new message. Assess the risk and achieve compliance by putting the correct proportional effort into the appropriate areas. Also it encouraged the leveraging of supplier quality systems. The overarching message was to ensure Patient Safety, Product Quality and Data Integrity.

At Douglas I carried out a cross-reference between GAMP and our own Operating Procedures to ensure we had captured the requirements correctly. This resulted in a matrix which we can present to our clients to show GAMP compliance.

When we are bidding for a project we include a list of the full suite of documents that we can offer, as per GAMP. These range from Quality and Project Plan, various Design Specifications, Source Code Reviews, Factory and Site Test Protocols, Reports, User Manuals, Drawings, Training documents, Configuration Records etc.

We select the appropriate combination of documents, based on the clients’ requirements and the scale and scope of the project. On a macro level, this means we can provide the correct level of documentation for the project.

Within the documents, because we have templates, we can delete, as appropriate, sections that do not apply or are unnecessary. After the bid is successful, the Quality and Project Plan outlines not only the documents to be provided, but who will author them and who will review and approve them.

I have found that using GAMP has helped us deliver a well validated compliant solution to the customer. It also sets out a flexible framework which can be modified to suit the customer’s needs.

Elfordstown Earthstation, Irish National Space Centre

posted 16 Feb 2015, 01:42 by John O'Sullivan   [ updated 23 Feb 2016, 04:36 ]

First published in Spaceflight Magazine, British Interplanetary Society March 2015

By John O’Sullivan

Tucked away in a valley outside Midleton (East Cork, Ireland) is Europe’s westernmost Earthstation and teleport. It was built in 1984 as part of the Eutelsat network by the Irish national telecommunications company, Irish Telecom (now Eircom) to facilitate transatlantic telephony. It was built alongside another teleport at Rambouillet, near Paris in France.  At that time, the site consisted of a 32m C band antenna, a 13.1m KU band antenna and an 11m C band antenna. There was also a 120m Microwave transmitter tower. These have since been joined by a 9.1m KA band antenna.

By 1997 transatlantic fibre-optic cables replaced the satellite based communication systems and the system was shut down. The site was maintained by Eircom and was used as a local depot until January 2010 when it was reopened as a teleport by National Space Centre Ltd. Founded by Rory Fitzpatrick and supported by Enterprise Ireland, NSC took over the lease and started work on getting the antennae operational.

32m Dish, CORY, National Space Centre. Credit Ger McCarthy

Eutelsat/Skylogic Tooway Satellite Broadband Internet

The 9.1m KA band antenna is one of 10 teleports (including 2 backups) around Europe providing internet gateway services. The dish communicates with the Eutelsat KA-SAT. The 6 ton KA-SAT was launched in December 2010 atop a Proton rocket from Baikonur Cosmodrome in Kazakhstan. It uses 4 antennae to provide 82 KA-band spotbeams covering Europe and parts of North Africa. With a throughput of 90 Gbps, it can provide up to 50Mbps downstream and 10 MBps upstream.

While the satellite is in Geostationary orbit and should be at a fixed point above the Earth’s surface, the antenna at Elfordstown is continuously making imperceptible adjustments to maintain its signal strength.

Due to the geographic location of the Elfordstown site, it services Eastern Europe (e.g. Poland, Latvia, Lithuania and Egypt). Its servers connect to the Irish internet fibre backbone and from there to Gdansk (for example) the data is transmitted and received via satellite, all within 600ms. The network is managed and maintained by Eutelsat subsidiary Skylogic, based in Turin, Italy. The service went live across Europe on 31st May 2011.

As an aside, Ireland’s Tooway feed comes from Madrid, Spain. The other stations are at Turin, Italy; Athens, Greece; Berlin, Germany; Helsinki, Finland; Larnaka, Cyprus; Udine, Italy; Scanzano, Italy and Rambouillet, France.[i]

exactEarth Maritime Tracking

In April 2012 the 3.7m exactEarth antenna was commissioned and it sits under a radome at the rear of the site. This is a tracking antenna capable of moving at 15 degrees per second as it tracks one of exactEarth’s constellation of 5 microsatellites up to 6 times each day.

The exactEarth microsatellites can range from 10kg to 100kg (much lighter than traditional satellites) and the orbit is a polar orbit meaning they can observe the entire surface of the Earth in 12 hours, passing over each pole every 100 minutes.

The first ground tracking station at Svalbard, Norway is now joined by a network of stations, including Elfordstown, which transmit the data to the Toronto, Ontario data centre.

The satellites receive data from shipboard AIS transponders. These transponders are required by maritime law to be carried on all vessels over 300 gross tonnage. This data can be used by governments and companies for the purposes of collision avoidance, navigation, security and fishing monitoring.[ii]

Radio Astronomy

In May 2011 it was announced that the 32m antenna will become a Deep Space Radio Telescope, for educational use, as part of a partnership with the local Cork Institute of Technology and the CIT Blackrock Castle Observatory. [iii]

In 2011, a competition to name the dish by Irish schoolchildren resulted in the name CORY or “Computer Operated Radio Yoke”[1]. The competition was won by Rebecca Cantwell of Regina Mundi College, Cork.

Name the Big Dish competition winner Rebecca Cantwell with NASA Astronaut Greg Johnson. Credit Ger McCarthy


Space Debris Detection

As part of an agreement with the Moscow Institute of Physics and Technology (Fiztech), signed in November 2011, plans are to use the 32m antenna as a radar tracker of space debris. Collaboration between University College Cork (UCC), Cork Institute of Technology (CIT), NSC and Fiztech will lead to exchanges of data and students between the academic institutions as well as satellite teleconferencing.

A formal agreement with Roscosmos, the Russian Federal Space Agency was signed in 2012 to provide a framework for this project and others in the areas of communications, navigation and exploration.




C-SIGMA (Co-operation in Space for Global Maritime Awareness) is an international initiative intended to foster wider cooperation and exchange in the use of and access to satellite based maritime surveillance information at global level. In June 2013, NSC hosted the fourth meeting of C-Sigma at the Elfordstown site. Leading global satellite technology companies, space agencies and maritime users from all over the world attended the conference. Representatives from the following Organisations presented at C-SIGMA IV:

Irish Naval Service

Irish Coast Guard

Revenue Irish Tax and Customs

European Maritime Safety Agency (EMSA)

European Space Agency (ESA)

European Commission

NATO Centre for Maritime Research and Experimentation (CMRE)

German Aerospace Centre (DLR)

New Zealand Defence Technology Agency (DTA)

LOOKNorth Canadian Centre of Excellence for Commercialisation Research (CECR)

EADS Astrium



Channel Logistics


KSAT Kongsberg Satellite Services

MDA BlueHawk (Maritime Domain Awareness)

Collecte Localisation Satellites (CLS)

Mitsubishi Space Software (MSS)[iv]

Astronaut and Cosmonaut Visits

Since 2010 the NSC has hosted NASA Astronaut Greg Johnson (STS-123 and STS-134) and Russian Cosmonaut Candidate Sergei Zhukov.

International Astronautical Federation

National Space Centre (Ireland) was invited to become a member of the International Astronautical Federation and approved by member organisations at the Congress meeting on Monday 1 October 2012.[v]

Forestry Management

In May 2013 NSC was awarded a project funded by the Russian Skolkovo Foundation (a science and technology cluster near Moscow). In partnership with the foundation and Irish company Treemetrics, the NSC will provide uplink and downlink capabilities as well as analysis of Russian forestry data to help increase forest harvest efficiencies.[vi]

Other Projects

As well as the work listed above, NSC partners in EU Framework Programmes for Research and Technological Development, it partners in ESA funded projects and it sponsors satellite business competitions.

European Satellite Navigation Competition – Galileo Masters

NSC has sponsored the Irish regional prize and co-ordinated the regional competition since 2012 and in 2013 Irish company CarSafari represented Ireland at the finals in Munich. Vicinity Systems won the Irish prize at the 2012 competition.

Anistiamo Project

Anistiamo is an ESA/ESRIN funded project based on satellite maritime surveillance of the Arctic and North Atlantic Oceans. NSC collaborates with Finnish and Norwegian partners.


ESA’s Integrated Applications Programme (IAP) funds this project to develop the next generation Recognised Maritime Picture (RMP) for the Irish Naval Service using AIS data.


This is a feasibility project investigating the provision of specialised meteorological services using space based assets.


This is an EU FP7 (Framework Programme 7) project investigating workflow and technology for tracking vessels at sea as part of European external border surveillance programme.



After the success of the C-SIGMA meeting the ambitions of NSC know no bounds. It had applied to host the International Astronautical Federation’s Congress in 2017 but Adelaide, Australia ultimately won the vote held at the 2014 IAC last year. NSC will no doubt hit the headlines again soon as it advocates for space activities in Ireland.


[1] Yoke: Irish slang for “thing”.

Not all stickers are created equal

posted 16 Feb 2015, 01:34 by John O'Sullivan   [ updated 16 Feb 2015, 01:35 ]

First Published in Sidepodcast.com 07 February 2015
By John O’Sullivan

As the 2015 F1 cars are launched I notice a distinct lack of sponsorship on the cars. This seems to be a continuation of last year’s slim pickings. To quantify the problem I’ve tabulated the sponsorship coverage of all the teams using the three main areas of the car: Airbox, Sidepod, Rear Wing. I have categorised the stickers into 4 types, only one of which is the elusive “Sponsor”. The other three are:

  1. The engine manufacturer: Not a sponsor. e.g. Mercedes three pointed star on the W06 Hybrid airbox

  2. The fuel/oil supplier: Not a sponsor e.g. Cepsa on the rear wing of the STR10

  3. The team/team owner: Not a sponsor e.g. Red Bull on the sidepod of the RB11 and Genii on the airbox of the E23 Hybrid

There are, as usual, some exceptions and complications. I’ve allowed Infiniti as a sponsor of Red Bull as the engine is by Renault and their stickers are also on the car, more discreetly, as engine supplier. Kingfisher (a VJ Mallya company) joins Claro and NEC on the airbox of the VJM08 but Kingfisher is not the owner of Force India and there are 2 other sponsors there. Ferrari are also cheeky in putting UPS alongside Shell on the sidepod so I’ve allowed that as half a sponsor.

I’ve also made some assumptions on the status of fuel and oil suppliers. Williams are using Petronas (Malaysian) fuel despite their Petrobras (Brazilian) stickers. According to Wikipedia, Force India will run Shell V power in their Mercedes engine and Toro Rosso will run Cepsa in their Renault. I would have thought that all Mercedes powered teams would opt to run the optimised Petronas product and likewise that Renault teams would use Total.

The dollar value of the sponsorships is not taken into account here, so while the Williams comes out on top with 3/3 areas covered in legitimate sponsors, apparently Martini got a bargain, both in the price and the 2014 exposure due to the Williams resurgence.

The table supports my first glance opinion on the state of sponsorship with Williams topping the table and McLaren at the bottom. However the few surprises include Toro Rosso at the bottom due to their reliance on owner and fuel stickers and Force India’s high ranking due to the plethora of drinks and Mexican telecom sponsors. Also Red Bull is in third place thanks to Infiniti even though they are the most obvious candidate for a single owner-branded car.*

*Based on Red Bull’s interim camouflage livery.








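Table: sticker type by team and car area (Airbox, Sidepod, Rear Wing). Only the following cells survive, listed in their original order:

Rear Wing
Force India
Kingfisher, Claro, NEC
Sahara Force India
Red Bull
Sponsor + Owner/Team
Red Bull
Infiniti, Red Bull
Sponsor + Fuel/Oil
UPS, Shell
Banco do Brasil
Engine + Owner/Team
Engine + Fuel/Oil
Honda, Mobil
Toro Rosso
Red Bull
Red Bull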





Safety Integrity Levels: An Overview

posted 16 Feb 2015, 01:31 by John O'Sullivan   [ updated 16 Feb 2015, 01:46 ]

First published in Engineers Journal, Engineers Ireland 14th January 2015


John O’Sullivan outlines how to assign a Safety Integrity Level to a system and how to mitigate risk with Safety Instrumented Functions.

Author: John O’Sullivan, Engineering Director, Douglas Control and Automation



The term SIL is used as a convenient shorthand to describe the safety rating of various hardware components and systems, e.g. “This PLC CPU is rated SIL3”. The Safety Integrity Level (SIL) was designed as shorthand for the results of complex analysis, but it is still only a part of an overall lifecycle approach to functional safety.

Technically, the Safety Integrity Level is the level by which the risk is reduced by the introduction of a Safety Instrumented System (SIS). There are 4 levels, SIL1 being the least reduction in risk, SIL4 being the greatest.

The Safety Instrumented System is separate to and independent of the Basic Process Control System (BPCS) and, like the BPCS, consists of sensor(s), logic solver(s) and final element(s). The SIS reduces the risk by intervening during a failure of the BPCS to ensure the system remains safe. While the SIS hardware and software components may resemble the BPCS components and may come from the same manufacturer, they are required to be more reliable.

The specification, design and operation (Safety Life Cycle, SLC) are defined in the standard IEC 61508, “Functional Safety of electrical/electronic/programmable electronic safety-related systems”. This standard has spawned a number of industry and sector specific standards that delve into more detail for specific industries, although we will focus on IEC 61508 in this article.

IEC 61508 defines the Safety Life Cycle in three sections:

  • Phases 1 to 5: Analysis

  • Phases 6 to 13: Realisation

  • Phases 14 to 16: Operation

The following standards elaborate on the approach to SIL assignment outlined in IEC 61508:

  • IEC 61511 “Functional Safety – Safety instrumented systems for the process industry sector”

  • IEC 61513 “Nuclear power plants – Instrumentation and control important to safety”

  • IEC 50128 “Railway applications – communication, signalling and processing systems – software for railway control and protection systems”

  • IEC 50129 “Railway applications – communication, signalling and processing systems – safety related electronic systems for signalling”

Hazard and Risk Analysis

During the analysis phases of a project, hazard identification and risk analysis are carried out by an interdisciplinary team. This should consist of all the system stakeholders including designers, process owners, safety, automation, mechanical & electrical specialists. Where possible, hazards are designed out of the system. Where this is not possible, e.g. a volatile raw material is essential to the process, the risks associated with the hazard are identified.

Hazards are considered occurrences of harm and, once identified, the risk is assessed as the product of the “frequency of the occurrence” and the “severity of the harm”.

Methods of analysis include:

  • HAZOP: Hazard and Operability Study

  • FME(C)A: Failure Mode Effect (and Criticality) Analysis

  • FMEDA: Failure Mode Effect and Diagnostic Analysis

  • ETA: Event Tree Analysis

  • FTA: Fault Tree Analysis

Normally a risk matrix uses the likelihood of the occurrence and the consequence of the event to categorise the risks. Risks that cannot be designed out and are not tolerable will require safety functions to reduce the risk to a tolerable level. This results in the “residual risk”, which must be less than the pre-defined “tolerable risk”. The greater the reduction required to reach the residual risk, the higher the SIL. See the diagram below, where the consequences, frequency/exposure and probability of avoidance are used to determine the required SIL.

Figure 1: Risk Assessment

Risk Parameters:

C1:       Minor injury or damage

C2:       Serious injury or one death, temporary serious damage

C3:       Several deaths, long term damage

C4:       Many dead, catastrophic effects

Frequency / Exposure Time:

F1:        Rare to quite often

F2:        Frequent to continuous

Possibility of Avoidance:

P1:       Avoidance possible

P2:       Unavoidable, scarcely possible

Probability of Occurrence:

W1:      Very low, rarely

W2:      Low

W3:      High, frequent

Safety Integrity Levels Required:

-:         Tolerable Risk, no safety requirements

a:         No special safety requirements

b:         A single E/E/PE is not sufficient

1:         SIL 1

2:         SIL 2

3:         SIL 3

4:         SIL 4


Depending on the SIL level to be achieved based on the risk reduction required, a device must achieve a low enough Probability of Failure and a high enough Safe Failure Fraction.

Probability of Failure

Probability of Failure comes in two flavours: Probability of Failure on Demand (PFD) for safety functions that are only activated when required and Probability of Failure per Hour (PFH) for safety functions that are operating continuously. The lower the Probability of Failure the higher the Risk Reduction Factor. The higher the risk reduction factor, the higher the SIL achieved. See the tables below for the figures related to PFD and PFH.



PFD (power)

10⁻¹ - 10⁻²

10⁻² - 10⁻³

10⁻³ - 10⁻⁴

10⁻⁴ - 10⁻⁵

Table 1: Probability of Failure on Demand




PFH (power)

10⁻⁵ - 10⁻⁶

10⁻⁶ - 10⁻⁷

10⁻⁷ - 10⁻⁸

10⁻⁸ - 10⁻⁹

Table 2: Probability of Failure per Hour

Safe Failure Fraction

While the PFD and PFH tell us how likely a failure is to occur, the Safe Failure Fraction (SFF) tells us what fraction of failures will be safe or, if dangerous, detected. This is achieved by increased diagnostics and reporting of the safety function. The Greek letter λ is used to define the rate of failure per hour.

  • λsafe = Failure rate leading to safe state

  • λdangerous = Failure rate leading to dangerous state

  • λtotal = λdangerous + λsafe

This results in 4 types of failure rate depending on whether the failure is detected or undetected. λdu is the rate of dangerous undetected failures.

Thus SFF = 1 − λdu / λtotal

So for SFF to be as high as possible, failures have to be safe or detected. If all the failures were safe and/or detected, the SFF would be 1 or 100%.

Before SFF can be used to determine the SIL, other factors have to be considered. First is the Hardware Fault Tolerance (HFT) of the device. Achieved through redundancy, a HFT of N means that N+1 faults are required before the safety function is lost. Secondly, devices are treated differently for SFF depending on their type. Type A devices are considered to be well defined and have sufficient failure data from experience in the field. Type B devices are considered to have insufficient data and field experience. See the tables below for the figures related to SFF.


Hardware Fault Tolerance (HFT)

60% to 90%

90% to 99%

Table 3: SFF for Type A subsystem


Hardware Fault Tolerance (HFT)

Not allowed

60% to 90%

90% to 99%

Table 4: SFF for Type B subsystem
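
The SFF formula and the two SIL criteria described above (probability of failure, and SFF with HFT and device type), worked through as an added example that is not part of the original article. The band-to-SIL values are the IEC 61508 figures supplied here as an assumption, since the table cells on this page did not survive; the function names and the sample failure rates are constructed.

```python
# Added example: SFF calculation plus the SIL limits it feeds into.
# Band-to-SIL values are the IEC 61508 figures as supplied by the editor
# (an assumption: this page's own table cells did not survive).
from math import inf

# Upper SFF bound of each band -> max SIL for HFT 0, 1, 2 (0 = not allowed).
ARCH_LIMIT = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (inf, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (inf, (3, 4, 4))],
}
# First value: at or above this no SIL is met; then lower bounds of SIL 1..3.
PROB_BANDS = {"PFD": (1e-1, 1e-2, 1e-3, 1e-4), "PFH": (1e-5, 1e-6, 1e-7, 1e-8)}


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = 1 - lambda_du / lambda_total, rates in failures per hour."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0 or min(l_sd, l_su, l_dd, l_du) < 0:
        raise ValueError("failure rates must be non-negative and not all zero")
    return 1 - l_du / total


def sil_from_architecture(sff, device_type, hft):
    """Highest SIL the hardware may claim for this SFF, device type and HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("tables cover HFT 0, 1 and 2")
    for upper, sils in ARCH_LIMIT[device_type]:
        if sff < upper:
            return sils[hft]


def sil_from_probability(value, kind="PFD"):
    """SIL band for a PFD (on demand) or PFH (continuous) figure."""
    ceiling, *lower_bounds = PROB_BANDS[kind]
    if value >= ceiling:
        return 0
    for sil, lower in enumerate(lower_bounds, start=1):
        if value >= lower:
            return sil
    return 4  # below the SIL 3 band; SIL 4 is the highest level


def achieved_sil(rates, device_type, hft, probability, kind="PFD"):
    """Both criteria must hold, so the lower of the two results applies."""
    sff = safe_failure_fraction(*rates)
    return min(sil_from_architecture(sff, device_type, hft),
               sil_from_probability(probability, kind))


# Constructed sample: (l_sd, l_su, l_dd, l_du) for a hypothetical transmitter.
SAMPLE_RATES = (0.0, 2.0e-7, 6.0e-7, 8.0e-8)
```

With the sample rates the SFF is about 90.9%, so a single Type B device (HFT 0) with a PFD of 5 × 10⁻³ reaches SIL 2, while the same device with an SFF below 60% would not be allowed at HFT 0 at all.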

In summary, the tools are available to identify and analyse risks associated with a system design and then implement the appropriate Safety Instrumented System to mitigate those risks and save lives and assets.

John O’Sullivan BE, Dip Phys Sci, CEng MIEI, Engineering Director of Douglas Control and Automation, has 20 years’ experience in the automation industry focusing on the pharmaceutical, biotechnology and medical device sectors.

He has developed design and test specifications for the regulated environment and project manages automation and safety projects for life science customers.

He has consulted on the validation of certified failsafe, high availability systems.

South of Ireland Open 2011

posted 1 Sept 2011, 04:24 by John O'Sullivan

Although ostensibly the last competition of the 2010/2011 fencing season in Ireland, the South of Ireland Open, hosted by UCC Fencing Club last weekend, was the de facto first competition of the 2011/2012 season. After the summer break the fencers congregated at the Mardyke Arena to compete in all 6 weapons: Mens Epee, Mens Sabre and Womens Foil on Saturday and Mens Foil, Womens Epee and Womens Sabre on Sunday.


Mens Epee was won by Foyle Fencing Club’s David Burnside who beat his club mate and Irish No.1 Andrew Fenwick in the final. Maynooth’s Fergal Martin and formerly Cork-based Frenchman, Nicolas Veyrat shared the bronze medals. UCC’s Matthew Tracey and Paul Whelan were Cork’s best, both getting to the Final 8.


National No.2 ranked Stephen Concannon won Mens Sabre, with Foyle men, James Nichol, David Connolly and Richard Magee taking silver and bronze. Last year’s winner, Cork Sabreur, Hugh Tobin of UCC just missed the medals.


After a strong season last year, UCD’s Portuguese fencer Joana Romahlo captured the gold in Womens Foil, beating Belfast’s Victoria Duxbury. Again, it was Northern Ireland based fencers who rounded out the medals. Katie Gillespie and Lucy Taylor took bronze medals home to Derry and Down respectively. UCC’s Shu Tay just missed the medals and led the strong Cork field of 10 UCC and 2 Cyrano women foilists.


Sunday saw an unusual entry in Mens Foil as both Epee finalists, David Burnside and Andrew Fenwick decided to enter the competition instead of cheering on their clubmates from the sidelines. Andrew made it to the final where he was beaten by Irish No.2 Fergal Martin of Maynooth. Maynooth’s Kevin Maher and UCD’s John Wyatt took the bronzes. Rory Hayes of UCC was the best placed Cork based fencer.


The pattern of Foyle Fencing Club success was repeated in Women’s Epee with the final being an all Derry affair. Emile McSorley beat Lucia McCafferty in the final. UL’s Miriam Cashman and UCC’s Jacinta Clair shared the bronzes.


In Womens Sabre, UCC’s Aoife O’Loughlin, ranked Irish No.1, couldn’t repeat last year’s victory, sharing bronze with Michelle Narey, from the UK’s White Eagle club. Oxford’s Francine Robb won gold, with Niamh Spence adding to Foyle’s trophy cabinet with silver.


All in all, a good turnout meant that 125 fencers entered across 6 weapons, although a recent change to the ranking system could mean that top Irish fencers concentrate on UK and European competitions to earn ranking points ahead of next year’s Olympics in London.


For Cork’s two clubs, UCC Fencing Club and Cyrano Fencing Salle, it was a good opportunity to start the season close to home before the next competition, which is the Intermediates to be held in UCD on the 1st and 2nd October.


John O’Sullivan

Fast Good Cheap, Pick Two

posted 1 Sept 2011, 04:21 by John O'Sullivan

The Project Management Triumvirate

John O’Sullivan, 29 Jun 2011


I can’t remember when I first heard it or who said it but the phrase stuck with me as an obvious truth of project management (it also applies to providing a service or doing business in general).

It can be phrased a number of ways:

“I can do cheap, fast and well. Pick two”.

“I can deliver on-schedule, on-budget and in-spec. Pick two”.


“Scope/Cost/Schedule” etc.


I’ve looked at it any number of ways to get around it and there doesn’t seem to be a solution which offers the whole triumvirate as all three seem to be mutually exclusive.


In my area of automation project management the key is to determine the client’s requirements. Obviously they will say they want it all but it’s important to agree on the priority. Ask for their order of preference so one of the trilogy has to be third choice. More often than not, one point is demonstrably the primary objective with the other two equal last.
In the pharmaceutical area costs can be absorbed by profitable blue-chip companies, schedules are well planned and organised so quality is the prime objective.
In discrete manufacturing, the demand for validation and documentation is not as onerous but schedules are tight, downtime is a crime and cost control is all important.
In transport, quality of safety systems is the key. It is important to get this info explicitly defined at the kick off stage, or better yet, at the tender stage so that everyone knows what is important.


As a supplier/service provider it is equally important to communicate the priorities internally to the team. There is no point in an engineer spending days striving for 5 9s accuracy or millisecond response when the customer is not willing to pay for it or wait for it.


Also at review meetings, the trilogy can be used as a convenient short hand to capture status. “Are we on budget? Are we on time? Are we on spec?” If the answer to any one is no, then are we slipping on the highest priority item or the lowest?


We can’t deliver all things to all men but we can clarify the priorities early and often so that everyone is on the same page. This way:

1) The client expectation is met

2) The team is more productive and efficient

3) The project is kept on track
