February 2008

System Integration

Do you really want to?

International safety standards permit users to utilize a 'Proven in Prior Use' methodology to justify  SIS equipment; but can users take on the responsibility?

Fast Forward

  • End users are only accepting SIL ratings from competent third party organizations. 
  • Buyers should receive audited documentation on how to use the device in a safety application.
  • End users need full information about failure rates, failure modes, and useful life limits.
By William Goble

Several years ago, your plant standardized on one particular manufacturer for all your process measurement transmitters. You now have more than 500 of this manufacturer's transmitters installed in your basic process control systems and safety instrumented systems (SIS).

Following a recent internally initiated audit of your facility's SIS, you realized your systems do not meet the "grandfather clause" requirements described in ANSI/ISA 84.01.00. Now you face the task of bringing those systems into conformance with international safety standards.

One of the questions your SIS team raised is, "Do our installed transmitters meet the 'prior use' requirements described in Section 11.5.3 of IEC 61511-1 - Requirements for the selection of components and subsystems based on prior use?" 

Users often ask this question, and when you read the relevant sections of the IEC standards (61511-1) and the accompanying guidelines (61511-2) it is easy to see the source of some confusion-the standard is short on detail or explanation. 

The confusion becomes most prevalent when users choose to embrace only selected guidelines and examples that justify their own interpretation of "prior use."

Understanding the requirements

When it comes to selecting SIS components (devices) and subsystems, IEC 61511 is quite clear with two basic tasks:

  1. "The components and subsystems shall be consistent with the SIS safety requirements specifications." (In other words, the components chosen must meet application requirements including functional and environ- mental requirements.)
  2. "Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 [safety integrity level] applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate." (All that to say that chosen components must have sufficient safety integrity.)

Two things are worth noting in that second paragraph. First is the reference to other IEC standards (61508-2 and -3), and the second is a reference to IEC 61511-1, Section 11.4 and 11.5.3 to 11.5.6.

The international standard IEC 61508 Functional safety of electrical/electronic/ programmable electronic safety-related systems (E/E/PES) won complete approval in 2000 and serves as a basic functional safety standard that was suitable for a broad range of industries including chemical, refining, mining, and transportation. It defines functional safety as part of the overall safety relating to the equipment under control and the control system that depends on the correct functioning of the E/E/PES-related systems. The standards technical coverage is equally broad, addressing hardware, software, and other safety-related technologies and systems.

Despite IEC 61508 being broad in its industry and technology coverage, it is quite specific in its requirements. In fact, when process industry owner/operators began applying 61508, their feedback was so detailed, and so inclusive, many questioned the cost of conformance across an entire facility. The result of this feedback was the development of IEC 61511-1 Functional safety - Safety instrumented systems for the process industry sector. Thus, when IEC 61511 references IEC 61508, as it does in the area of selecting SIS components and subsystems, it is referencing a significantly more thorough standard.

A key inclusion in IEC 61508, and the one 61511 is referring to in its "in accordance" language, is that components appropriate for use as part of a safety integrated function may be certified by third party expert certification agents such as exida Certification (Geneva, Switzerland), FM Global (Norwood, Ma.), or one of the three TÜV companies (Cologne, Munich, and Essen, Germany).

Each certifying organization has developed its own component testing and certification procedures, but each follows a thorough process that verifies that a component's hardware, software, and its manufacturing and quality control procedures result in sufficient safety integrity and are in accordance with IEC 61508 requirements.

Ensuring components and subsystems are in accordance with appropriate standards is one part of the selection process. The other is determining if the components and subsystems are suitable for the application by answering the following questions:

  1. Does the component meet functional requirements?
  2. Is the component rated for the expected environment?
  3. Are the materials in the component suitable for the expected process conditions?

While it appears to be possible to answer these questions from a paper specification review, know that the complexity of some instrumentation components and industrial processes makes it far too easy to miss some critical mismatch between the component and the application. Therefore, it is highly recommended that components test under actual process conditions.

Most companies will install components under consideration in a number of trial, low risk applications as a pre-cursor for actual use in more critical situations. Owner/operators can usually avoid an application mismatch by paying close attention and using a good problem reporting system of the components under test. "Prior Use" makes a lot of sense for ensuring a product is a good application match.

The obvious next question is how much operating experience is required to make sure a product has enough safety integrity?

IEC 61508 provides some very specific answers to that question.

For a given component's version level IEC 61508 suggests 100,000 unit hours for components targeted for SIL 1 applications and 10 million unit hours for components targeted for SIL 3 applications. Additionally, the standard requires one show testing detected and recorded all dangerous failures. Thus, proof-testing procedures must be near 100% effective.

Before you pursue safety integrity justification via a prior-use, self-certification path, consider this: Following an incident, accident investigation teams from regulatory agencies will review everyone and everything including your component self-certification process. Moreover, because investigators will be looking for the use-of and conformance-to "good engineering practices," they will expect your self-certification process to be every bit as rigorous and through as the process defined above.

system 26

Understand safety integrity

During the 61508-certification process, assessors look closely at the design aspects of both mechanical-components and/or electrical-components. Each analysis includes the components failure modes, fail-safe vs. fail-danger, any claimed automatic diagnostics, as well as internal redundancy. The result of all this scrutiny is typically a set of quantitative failure rates that eventually may work for the control system engineer to verify safety suitability for a particular owner/operator application. 

Certification assessors also look very closely for design mistakes by analyzing the complete component design process including specification and design methods, design tools, testing methods, review techniques, and documentation. Additionally, because any type of modification (i.e., mechanical, software, etc.) can introduce new faults, assessors conduct through examinations of the manufacturers change management processes.

The result of these many and varied analyses should result in a "Safety Case" that describes in significant detail how the component manufacturer meets each requirement of IEC 61508. Additionally, the safety case should be in a certification report openly available to all prospective buyers. 

Each SIS component assessment also results in a SIL Capability rating, and the component is justified for use in a safety-instrumented function up to a defined SIL. For example, a component with a SIL 2 Capability could serve in any safety-instrumented function with a SIL 2 or lower risk reduction requirement. Such components should never work in a SIL 3 application without completing a prior use justification. 

A few SIS component manufacturers use self-certification, however end users are increasingly accepting only a SIL Capability rating that a competent third-party organization has recommended. Thus, nearly all process industry component certifications are from exida or one of the TÜV companies. 

A significant benefit to the buyer for selecting SIS components that have received third-party certification is the component has been fully tested in accordance with IEC 61508 requirements and therefore the quality of its design is suitable for the defined SIL Capability rating.

Accompanying any physical SIS component or subsystem, buyers should also receive audited documentation on how to use the component in a safety application along with a full set of information about failure rates, failure modes, useful life limits, suggested proof test procedures, and application limitations. 

ARC Advisory Group suggests, "Note that the certificate [report] from the independent body should be reviewed in parallel with the manufacture supplied User Safety Manual. This manual is a document that defines the restrictions on use of an SIS component. The User Safety Manual for a good safety system is very thin, with a minimal number of restrictions. Beware of a thick safety manual; it indicates that there are many complexities and limitations associated with the use of the SIS."

The message is clear; safety is serious, and competency is required at each step of the process and by each person and organization involved in any way in order for the installed SIS solution to conform to IEC standards.

Doing it yourself

We have examined the standards language and its requirements as well as the procedures used by component manufacturers and third-party certification organizations to develop, test, and certify SIS components; but we have not fully answered the question, "Do our installed transmitters meet the 'prior use' requirements described in Section 11.5.3 of IEC 61511-1?"

The answer is, "Yes, IF…" for each safety-instrumented function, you have:

  • A clear description of the components including design revision information
  • Reliability data for identical or very similar applications including applicable conditions (restrictions) for use of that component
  • Established the components Diagnostic Coverage and Safe Fail Fraction (SFF) per IEC 61508-2 Annex C, including:

- Performing Failure Mode and Effect Analysis to determine the effect of each component on the subsystem 
- Categorized each failure mode as safe or dangerous
- Calculated the probability of safe and dangerous failures
- Estimated the fraction of safe and dangerous failures that are detected by the diagnostics tests
- Calculated the device's SFF 

  • Results of operating software compliance as defined in IEC 61508-3 

In short, "Yes, IF" you have essentially duplicated most of the design, documentation, review, and certification process that component manufacturers have developed and maintained for each of their "certified as suitable for use" SIS components.

It is clear one must carefully select components used in IEC 61511 conformant applications. Today, with the ever-increasing availability of IEC 61508 certified components, that selection process is far easier than it was in the past.


Dr. William Goble (wgoble@exida.com) is an ISA Fellow. He has 30+ years of professional experience and is an expert in programmable electronic systems analysis, safety, and high availability automation systems, automation systems new product development, and market analysis. Goble is a principal partner at exida. His books on safety and reliability modeling include Control Systems Safety Evaluation and Reliability, ISA Press. 

Process reliability database

Effectively quantifying a component's operational reliability requires information about maintenance, inspections, and process demands that when combined represent a failure mode numerator.

An appropriate denominator for the analysis requires the information be collected from an appropriately sized population of like components. 

Additionally, analysis requires a data structure (taxonomy) that supports parsing only data of interest, such as types of design, operational, and environmental conditions, and so forth.

Developed by the technology committee of the American Institute of Chemical Engineer's and hosted by the Center for Chemical Process Safety division, the Process Reliability Database Project (PERD) provides owner/operators with a comprehensive format to identify and characterize specific equipment/systems including the permutations that result from different entries into data fields for the same component type.

PERD Taxonomies provide a fundamentally sound structure to capture and understand what the raw data means or represents. 

The taxonomy defines quality data, failure modes, causes, mechanisms, data field formats, and other key performance indicators.

Visit http://www.aiche.org/CCPS/ActiveProjects/PERD /index.aspx to learn more about PERD.