
Advertisement Feature Cover Story

Understanding SIL Certificates


In recent years there has been an increasing number of Safety Integrity Level (SIL) product certificates to IEC 61508 and related standards. Paul Reeve, Sira Certification's principal functional safety consultant, explains the purpose and benefits of such certificates whilst pointing out the necessity to take care in understanding the finer points of what is (and what is not) being certified.

Product certificates of conformity to IEC 61508 (or related standards) often vary greatly due to different certification bodies following their own assessment methods and certificate formats. The SIL is actually a dependability measure of the overall safety function being performed by a specific safety system (from sensor to actuator). However, most certificates are issued for mass produced devices (for example temperature sensors, trip amplifiers, PLCs, valves, etc), so it is important to understand what critical attributes of a device need to be stated on a certificate to indicate its suitability in SIL rated safety functions. For example, it is not just the probabilistic failure data that is important - many other factors of a device can lead to system failure. Furthermore, any mention of a SIL number on a device certificate must be highly dependent on conditions and assumptions about the overall safety system and the other devices in it.

Actually, IEC 61508 does not mention the requirement for a certificate, but rather it requires a Functional Safety Assessment (FSA), so it is important that certification covers all the requirements of a FSA (see IEC 61508-1 clause 8). For product FSAs (and hence product certificates) it is essential that all the information the user of the product requires is covered. The FSA report (on which a certificate is based) should itself be auditable, i.e. all relevant clauses from IEC 61508 should be traceable. Furthermore, the process by which the FSA has been conducted should comply with IEC 61508, namely the independence, competence and the tools/procedures of the assessment body. A certification body which has the relevant parts of IEC 61508 in its scope of accreditation will ensure this is the case.

Where is certification useful?

Certification is particularly suitable for mass produced devices where it provides evidence of the FSA by an independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document.

However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by considering the following real example.

Certificate to IEC 61508
λD (dangerous failure rate) = 2.3 x 10^-10 per hour
PFD = 2.0 x 10^-7
MTTF (dangerous) = 500,000 yrs
MTBF (total) = 5,000 yrs
Achieves SIL4 per IEC 61508

Comparison of these figures with others for similar devices shows it claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions.

Another example where caution is advised is where a certificate states SIL3 @HFT=1. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you don't need a certificate to tell you that - the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals the device is actually SIL2 capable. So the certificate can easily be misunderstood by the unwary reader whose eye is caught by the words SIL3.

The SIL capability of an instrument is an important parameter but there are dangers in putting a SIL number as a headline on the certificate, as once a SIL capability is stated, there is a tendency to ignore the rest of the certificate.


Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than the individual elements, the 2010 version of IEC 61508 has created the term Systematic Capability of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC <number> refers to the rigour of the documentation and quality process used throughout the product's development to avoid systematic failures.

What should be certified?


In order to engineer a safety function, the system designer needs to know certain information about the constituent instruments (in relation to use in safety functions), in particular the hardware safety integrity (numerical failure data/HFT/SFF/type), and the systematic safety integrity (measured by the SC number). Both of these have to meet the SIL for the device to be capable at that SIL.

The terms safe failure, dangerous failure and hence the safe failure fraction (SFF) for an instrument are only relevant when there is knowledge of the target application. For example, if the failure rate TO OPEN = 50 FITS and the failure rate TO CLOSE = 500 FITS, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%. So the SFF depends on whether failure to open or to close is the safe mode.
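As an added example (not from the article or from Sira), this Python block works the SFF calculation above for both safe-mode conventions and then looks up the SIL allowed at HFT 0, 1 and 2 under the route 1H architectural constraints of IEC 61508-2 (Tables 2 and 3, as encoded here; the `sff_for_valve` and `max_sil_route_1h` names are my own), reproducing the "SIL3 @HFT=1 but only SIL2 on its own" situation from the earlier certificate example.

```python
# Added example (not from the article): SFF depends on which failure mode is
# "safe", and HFT shifts the SIL a certificate can claim under the IEC 61508-2
# route 1H architectural constraints (Tables 2 and 3, encoded here from the
# standard; check the values against your own copy of IEC 61508-2).

def sff(lambda_safe_fits: float, lambda_dangerous_fits: float) -> float:
    """Safe failure fraction = safe / (safe + dangerous), as a fraction 0..1."""
    return lambda_safe_fits / (lambda_safe_fits + lambda_dangerous_fits)


def sff_for_valve(fail_to_open_fits: float, fail_to_close_fits: float, safe_mode: str) -> float:
    """The article's valve: 50 FITS to open, 500 FITS to close.
    Which mode counts as safe depends on the application, so the SFF does too."""
    if safe_mode == "open":
        return sff(fail_to_open_fits, fail_to_close_fits)
    if safe_mode == "close":
        return sff(fail_to_close_fits, fail_to_open_fits)
    raise ValueError("safe_mode must be 'open' or 'close'")


# Route 1H: maximum SIL by (device type, SFF band, HFT). None = not allowed.
_SFF_BANDS = ((0.0, 0.6), (0.6, 0.9), (0.9, 0.99), (0.99, 1.01))
_ROUTE_1H = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],       # Type A: simple, well understood
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],    # Type B: complex, e.g. with software
}


def max_sil_route_1h(sff_value: float, device_type: str, hft: int):
    """Highest SIL the hardware safety integrity of a subsystem allows."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for (low, high), row in zip(_SFF_BANDS, _ROUTE_1H[device_type.upper()]):
        if low <= sff_value < high:
            return row[hft]
    raise ValueError("SFF must be between 0 and 1")


if __name__ == "__main__":
    print(f"SFF if failing open is safe : {sff_for_valve(50, 500, 'open'):.0%}")
    print(f"SFF if failing closed is safe: {sff_for_valve(50, 500, 'close'):.0%}")
    # A Type B device with SFF between 90% and 99%, the situation behind a
    # "SIL3 @HFT=1" certificate: SIL3 only with redundancy, SIL2 on its own.
    print("Type B, SFF 95%: HFT=1 ->", max_sil_route_1h(0.95, "B", 1),
          "| HFT=0 ->", max_sil_route_1h(0.95, "B", 0))
```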
Industrial Compliance, Summer 2011

Where devices have internal hardware fault tolerance (HFT), is the certificate clear about how faults in one channel are detected and reported? What is the channel Mean Down Time (which must not be exceeded) for the failure data to be valid? Does it account for the non-ideal independence between channels? And does it state the proof test method needed to exercise each channel independently?
It has been noticed that some certificates use HFT=0 (1), meaning the normal HFT requirement (1 in this case) is reduced by 1 (to 0 in this case) due to knowledge of probabilistic failures from prior use (although this is actually an approach accepted by IEC 61511 for end users rather than IEC 61508).

Sources of component failure data vary as they are often industry specific. The source should be stated and it is worth checking whether the component failure rates are taken from a database appropriate for the intended location and application of the instrument. How has the data been factored for the environmental conditions? (If not stated, best to assume control room use only.) Are components used well within their rating? (61508 mentions de-rating.) Are there certain components that dominate the unit's failure rate that require special attention? (e.g. relays, gas sensors, etc.)

If Probability of Failure on Demand (PFDavg) is quoted for an instrument, remember this is also governed by the proof test interval.
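As an added example (not from the article or from Sira), the kind of arithmetic a competent user might run on the SIL4 certificate figures quoted earlier before accepting them. It assumes a single-channel (1oo1) device with a constant failure rate and the simplified PFDavg ≈ λD x TI/2 relation (no repair-time term); the SIL bands are those of IEC 61508-1 for low demand mode, and the function names are my own.

```python
# Added example, not from the article: sanity checks on the SIL4 certificate
# figures quoted above. Assumptions made here: a single-channel (1oo1) device,
# a constant failure rate, and the simplified PFDavg ~= lambda_D * TI / 2
# relation (no repair-time term). SIL bands are IEC 61508-1 low demand mode.

HOURS_PER_YEAR = 8760.0

# Low demand PFDavg bands per SIL: lower bound inclusive, upper exclusive.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def mttf_years(lambda_per_hour: float) -> float:
    """Mean time to failure (years) implied by a constant failure rate (per hour)."""
    return 1.0 / (lambda_per_hour * HOURS_PER_YEAR)


def pfd_avg_1oo1(lambda_d_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified 1oo1 PFDavg: dangerous failures stay hidden until the proof test."""
    return lambda_d_per_hour * proof_test_interval_hours / 2.0


def implied_proof_test_interval_hours(pfd_avg: float, lambda_d_per_hour: float) -> float:
    """Invert the approximation: what proof test interval would give this PFDavg?"""
    return 2.0 * pfd_avg / lambda_d_per_hour


def sil_band_for_pfd(pfd_avg: float):
    """SIL whose low demand band contains PFDavg, or None if outside all bands."""
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return None


def review_certificate(lambda_d: float, pfd: float, mttf_d_years_claimed: float) -> dict:
    """Questions to put to a certificate: do its own numbers agree with each other?"""
    mttf_calc = mttf_years(lambda_d)
    return {
        "mttf_d_from_lambda_years": mttf_calc,
        "mttf_claim_consistent": abs(mttf_calc - mttf_d_years_claimed) / mttf_d_years_claimed < 0.05,
        "implied_proof_test_days": implied_proof_test_interval_hours(pfd, lambda_d) / 24.0,
        "sil_band_of_pfd": sil_band_for_pfd(pfd),  # None means below even the SIL4 band
    }


if __name__ == "__main__":
    # Figures taken from the certificate quoted in the article.
    for key, value in review_certificate(2.3e-10, 2.0e-7, 500_000).items():
        print(f"{key}: {value}")
```

The quoted MTTF agrees with λD, but the PFD sits below the SIL4 band and, under 1oo1, would need a proof test roughly every ten weeks, which is exactly the sort of searching question the article recommends.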
Every compliant instrument should have a Safety Manual which should be referenced in the certificate. It is critical to use the device only in accordance with the Safety Manual (the certified failure data is usually invalid otherwise). It should give any constraints in use and any assumptions for which the failure data is valid. Plus, it should cover configuration, installation, maintenance, operation, etc, to avoid systematic failures. Refer to IEC 61508-2, ed 2, Annex D which gives specific requirements for the Safety Manual.

In regard to mechanical devices, systematic failures are more dominant, so expect the certificate to reference information on avoiding these. Generally speaking:
• Constant failure rates are usually very low.
• Wear out faults may have a different operational profile (no. of cycles) compared to electronic devices (which tend to follow the idealised time-based bath tub profile more closely).
• Sources such as NPRD-2011 give real field data for thousands of components, including the statistical basis for each value.
For devices that include embedded software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software:
• has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes);
• has been assessed, including justification for the development tool chain.
If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial.
It must be realised that, especially when the certificate is based on predicted (FMEA) data, the ongoing lifecycle should be reviewed by performing field failure analysis to confirm the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that obligate:
• the end user to collect (see IEC 60300-3-2) and feed back field failure information to the manufacturer;
• the manufacturer to analyse field failures and take necessary action (inform the certification body, notify users, etc).

Read the conditions

Most certificates have conditions of certification which should be complied with. These might be conditions for the manufacturer and/or for the end user regarding design modifications, action on failure, ongoing management of functional safety, etc. Whether stated or not, it is certainly the case that selection of equipment for use in safety functions and the installation, configuration, overall validation, maintenance and repair should only be carried out by competent personnel, observing all the manufacturer's conditions and recommendations in the user documentation.

Choosing an assessor/certifier

As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate which should ensure these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems) which is unique in the following respects:
• Open/transparent methodology and framework for assessment to IEC 61508 (and sector standards).
• Requirements are all in the public domain so there are no hidden surprises.
• Originally a UK government funded initiative, designed by industry for industry.
• CASS is a collective interpretation of IEC 61508 - this ensures the assessor's ego is kept in check. (About 60 companies contributed.)

Sira Certification
www.siracertification.com
T: 01244 670 900