Self-Certification for Safety Components

The decision to use proven in prior use components in an SIS application requires the development and maintenance of a self-certification process that conforms to international safety standards. By Dr William Goble.

It is fairly common for companies to develop a “preferred list” of transmitters, valves, actuators and other process control components and subsystems. Such lists are usually the result of long-time relationships between the engineering and/or maintenance departments and the various devices themselves. Because of unique process conditions, these preferred lists often include “no substitute” notations for specific plant areas.

Within the minds of those who helped develop these lists, each device is on the list because it has proven its capability, reliability and suitability in prior use. When contributors to the list are asked about a specific component or subsystem they will expound, often in great detail, how a particular device achieved its preferred list status. However, when asked to produce supporting documentation, most simply cannot.

Thus the preferred list is all but non-existent when it comes to selecting components and subsystems that will produce a safety instrumented system (SIS) that conforms with International Electrotechnical Commission’s (IEC) 61511-1 standard.

Back to basics

Unbeknownst to some people, the IEC 61511 standard is an industry-specific version of IEC 61508: “Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PES).”

It is important to understand this origin of IEC 61511 because as users read and begin to apply the standard they will find frequent references to IEC 61508 and that quickly leads to the realization that IEC 61511 is not a standalone standard.

IEC 61508 was developed to serve as a basic functional safety standard for a broad range of industries including chemical, refining, mining and transportation. Despite its broad industry and technology coverage, it is very specific in its conformance requirements.

IEC 61511 is an industry-specific version of this standard with language, terminology and requirements that better fit project-level work in the process industries. IEC 61511 refers directly to IEC 61508 for product certification requirements.

The reality is that in order to design, specify, install, operate, and maintain an SIS application that conforms with the IEC 61511 standard, owner/operators must also conform to relevant sections of IEC 61508, which brings us to the subject of this article: meeting the standard’s “Proven in Prior Use” requirements.

Quick clarification

It is important to understand that when these safety standards refer to the SIS they are including all of the hardware, software, mechanical parts and communication networks.

In other words, an SIS is much more than just the logic solver. It includes the transmitters and/or switches; the logic solvers; all programming, operating system, and communication software; power supplies; the final elements (i.e. block valves) and their actuators; and all the interconnecting wiring. When considering equipment justification, all equipment must be considered.

A key, but misunderstood, SIS design element is the term “safety integrity level” (SIL). Working through a very thorough design process, a SIL value (1, 2, 3 or 4) is established for each identified hazard. A safety instrumented function (SIF) is designed to reduce the risk of the identified hazard and it must meet the desired SIL level. (Note: SIL 4-rated safety instrumented functions require conformance to IEC 61508.)

There is one additional clarification worthy of mentioning; if you choose to place all of the safety protection (more than one SIF) in one logic solver, then the entire logic solver must meet the highest SIL value assigned to a SIF in that logic solver.

For example, say you have identified four potential risks. Following a good design process, three of those risks are SIL 2 and one is SIL 3 – an order of magnitude more stringent. If you place all four safety functions in a single logic solver, the logic solver must have a SIL 3 Capability.

Towards self-certification

IEC 61511 is brief but quite clear in its language about selecting SIS components and subsystems:

“The components and subsystems shall be consistent with the SIS safety requirements specifications” and “Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate.”

In reading those two paragraphs from IEC 61511, the terms “in accordance” and “as appropriate” remind us that in order to conform to IEC 61511 the SIS application must also conform with the appropriate IEC 61508 requirements.

Essentially, an owner/operator’s decision to use “proven in prior use” components and subsystems from their preferred lists in an SIS application requires that the owner/operator develop and maintain a “self-certification” process that is well documented, current, and that fully conforms with IEC 61511 requirements.

While IEC 61511 does not spell out a specific methodology that will result in a conforming self-certification, there are key self-certification program elements that would clearly provide a good program and meet standards requirements. These elements include having:

• A clear description of each component’s and subsystem’s design revision information
• Reliability data for identical or very similar applications, including applicable conditions and/or restrictions for use of that component or subsystem
• Results of operating software compliance as defined in IEC 61508-3
• Procedures in place to verify that the component and/or subsystem meets functional requirements, is qualified (rated) for use in the expected environment, and the materials of construction are suitable for expected process conditions, including actual test results from use in similar but non-safety-critical applications
• Acknowledged competency to review the design aspects of both mechanical and/or electrical components, including component failure modes, fail-safe vs. fail-danger, any claimed automatic diagnostics, and internal redundancy, in order to produce a quantitative failure rate. (This number will eventually be used in calculations that determine if a particular SIF design meets its defined SIL requirements)
• Acknowledged competency that is capable of combining sophisticated design analysis processes, tools and testing methods with a thorough review of both the device’s original design and all subsequent modifications to the electrical, mechanical, and software aspects of the device, with the intent of uncovering design errors
• Regularly conducted audits of a device manufacturer’s change management processes for each device on the preferred list that is being used or is being considered for use in an SIS application
• A documented “Safety Case” describing, in significant detail, how a manufacturer’s components and subsystems meet each requirement of IEC 61508

Experience counts

Assuming that your company is willing to meet all of the above proven-in-prior-use requirements, there is one more that is very difficult to meet, especially for smaller companies. This requirement has to do with having documented operating experience for each device on the preferred list.

IEC 61508 requirements are very specific about the number of operating experience hours needed to meet the various SIL value requirements. For a given component or subsystem revision level IEC 61508 suggests a minimum of 100,000 unit hours for components targeted for SIL 1 applications, a minimum of 1,000,000 unit hours for components targeted for SIL 2 applications, and a minimum of 10,000,000 unit hours for components targeted for SIL 3 applications.

And if that isn’t tough enough, you must also show that you were able to detect and record all the dangerous failures; thus your proof-testing procedures must be near 100 percent effective.
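The two numeric rules the article states lend themselves to a small checker: a shared logic solver must meet the highest SIL of any SIF it hosts, and the prior-use operating-hour minimums (100,000, 1,000,000 and 10,000,000 unit hours for SIL 1, 2 and 3) apply per device revision, so hours must not be pooled across revisions. The following is an added example, not code from the article, from Dr Goble or from Honeywell; the `PriorUseRecord` structure, the device names and all hour counts are constructed for illustration, and the dangerous-failure-rate point estimate (recorded dangerous failures divided by unit hours) is an assumption, since the article only says a quantitative rate is needed, not how to derive it.

```python
"""Added example: check preferred-list prior-use evidence against the SIL rules
quoted in the article. All records below are constructed sample data."""

from dataclasses import dataclass

# Minimum unit hours per device revision, as quoted in the article for SIL 1-3.
MIN_UNIT_HOURS = {1: 100_000, 2: 1_000_000, 3: 10_000_000}


@dataclass
class PriorUseRecord:
    """One preferred-list entry for a specific device revision (hypothetical structure)."""
    device: str
    revision: str
    units_installed: int
    hours_per_unit: float
    dangerous_failures_recorded: int
    design_revision_documented: bool
    reliability_data_documented: bool

    @property
    def unit_hours(self) -> float:
        return self.units_installed * self.hours_per_unit


def required_logic_solver_sil(sif_sils):
    """Article rule: a logic solver hosting several SIFs must meet the highest SIL among them."""
    sils = list(sif_sils)
    if not sils:
        raise ValueError("no SIFs assigned to this logic solver")
    if any(s not in (1, 2, 3, 4) for s in sils):
        raise ValueError("SIL values must be 1, 2, 3 or 4")
    return max(sils)


def prior_use_assessment(records, target_sil):
    """Assess whether documented prior-use evidence supports target_sil.

    Unit hours and failures are totalled per (device, revision) only, never
    across revisions, because the article ties the hour minimum to a given
    revision level. Returns {(device, revision): {"ok", "gaps", "lambda_d_per_hour"}}.
    """
    if target_sil == 4:
        # The article notes SIL 4 functions require conformance to IEC 61508 itself.
        return {"ok": False, "reason": "SIL 4 requires IEC 61508 conformance, not prior use"}
    needed = MIN_UNIT_HOURS[target_sil]

    totals = {}
    for r in records:
        t = totals.setdefault((r.device, r.revision),
                              {"unit_hours": 0.0, "failures": 0, "design_doc": True, "rel_doc": True})
        t["unit_hours"] += r.unit_hours
        t["failures"] += r.dangerous_failures_recorded
        t["design_doc"] &= r.design_revision_documented
        t["rel_doc"] &= r.reliability_data_documented

    findings = {}
    for key, t in totals.items():
        gaps = []
        if not t["design_doc"]:
            gaps.append("design revision information missing")
        if not t["rel_doc"]:
            gaps.append("reliability data missing")
        if t["unit_hours"] < needed:
            gaps.append(f"only {t['unit_hours']:,.0f} unit hours, need {needed:,}")
        # Assumed simple point estimate; only meaningful if proof testing caught every dangerous failure.
        lambda_d = t["failures"] / t["unit_hours"] if t["unit_hours"] else None
        findings[key] = {"ok": not gaps, "gaps": gaps, "lambda_d_per_hour": lambda_d}
    return findings


if __name__ == "__main__":
    # Constructed sample: the same transmitter in two revisions. Pooled they exceed
    # the SIL 2 minimum; per revision neither does.
    sample = [
        PriorUseRecord("PT-100", "2.1", 40, 20_000, 0, True, True),
        PriorUseRecord("PT-100", "1.0", 30, 20_000, 1, True, False),
    ]
    print("logic solver must be SIL", required_logic_solver_sil([2, 2, 2, 3]))
    for key, f in prior_use_assessment(sample, 2).items():
        print(key, "OK" if f["ok"] else f["gaps"])
```

Running the sample shows the pooled-hours trap: 800,000 plus 600,000 unit hours would clear the SIL 2 minimum if added together, but each revision is assessed on its own and both fall short, and revision 1.0 additionally lacks reliability data.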

One of the frequently asked questions regarding ways to meet IEC’s operating experience requirements is, “Can’t I use data from one of the reliability databases?”

Some owner/operator companies belong to industry specific consortiums where best practices and other industry specific information is shared. Two of the most recognized are the Offshore Reliability Data (OREDA, www.sintef.no/static/tl/projects/oreda) and the Process Reliability Database (PERD, www.aiche.org/CCPS/ActiveProjects/PERD/index.aspx).

Each of these databases provides a wealth of reliability data about a wide range of devices and equipment; however, the taxonomy of these and other similar databases is not sufficient to meet the requirements of IEC 61508. But before you throw up your hands and declare it impossible to conform to the requirements of IEC 61511, there is an alternative.

Third-party ways

There are a growing number of different manufacturers offering SIS components and subsystems. Some of these manufacturers have absorbed the time and expense necessary to have a specific revision of a specific device fully certified per IEC 61508 requirements by third parties, such as exida Certification (Geneva, Switzerland), or one of the TÜV companies (Cologne, Munich, and Essen, Germany).

These components and subsystems will include not only the third-party certification but also a detailed user safety manual that includes any restrictions on the device’s use.

Other component and subsystem manufacturers have paid to have a third-party assessment of a specific device’s field failure records, thereby helping owner/operators establish prior-use-evaluations. And lastly, a few manufacturers have chosen to self-certify their own devices.

Meeting IEC’s proven-in-prior-use requirements is not easy for owner/operators or device manufacturers, but consider one additional thing: following an incident, accident investigation teams from local, regional and national regulatory agencies will very likely scrutinize everyone and everything, including the SIS component and subsystem certification process. If you decided to self-certify, are you sure your installed SIS applications will pass that kind of scrutiny?

-----------------------

Dr William Goble, CFSE, is a recognized expert in safety automation systems.

For more information, please visit the Honeywell website at www.honeywell.com/ps/sea