www.hazardexonthenet.net

Functional safety
Certification. Establishes that a specific solution (product, service or system) meets the standard. Through an assessment, certification offers confidence that the solution is safe, functional and will perform as expected. A functional safety certificate is issued to confirm that the assessment found the solution compliant. For a certification to be valid, the product certifier must hold accreditation to the standards used, as indicated by the accreditation body's logo on the certificate.

Product certifier. A group that has been accredited as able to assess and audit products, services and systems for public safety (that is, for meeting the standard) and is therefore able to provide certification properly. For example, exida is an accredited functional safety product certifier.

Accreditation body. A group that identifies and accredits companies that possess the knowledge and rigour necessary to certify solutions. It may also be the organisation that endorses the standard. The American National Standards Institute (ANSI) is an example of an accreditation body.

Standards are where everything starts

There are thousands of local, regional and national standards that apply to fire detection devices, ranging from basic electrical standards under Underwriters Laboratories (UL) and the Canadian Standards Association (CSA), through fire- and explosion-specific standards established by organisations such as Factory Mutual (FM), to functional safety-specific standards set by the International Electrotechnical Commission (IEC).

IEC 61508 defines the requirements for ensuring that systems are designed, implemented, operated and maintained so as to provide the required SIL. Four SILs are defined according to the risks involved in the system application, with SIL 4 used to protect against the highest risks. The standard also calls for a process that can be followed by all links in the supply chain, so that information about the system can be communicated using common terminology and system parameters.

The specific safety integrity level (SIL 1, 2, 3 or 4) characterises the development requirements that must be met in order to achieve an overall risk reduction target. A risk assessment yields a target SIL, which thus becomes a requirement for the final system. That requirement informs how the development process is set up (appropriate quality control, management processes, validation and verification techniques, and failure analysis) so that one can reasonably justify that the final system attains the required SIL.

As an international safety standards authority, the IEC strives to anticipate safety hazards and to develop requirements, processes and procedures that mitigate them. As voids and weaknesses in the code are identified, or new issues and technologies emerge, the requirements evolve to bridge the gaps, address the issues and improve the standard.

For example, the IEC 61508 and IEC 61511 standards present only general requirements when it comes to certification. This has led to a variety of interpretations and has opened the door to many forms of self-certification.
1. Self-certification is risky

Selecting properly certified flame and gas detection products, and installing them to approved safety codes and standards, are both vital for safety. There are considerations to weigh at each step of the way, including operational efficiency, maximum productivity and overall safety. Ultimately, certified products, correct installation and proper day-to-day operation are all factors in achieving the highest safety standard.

But even the best developed products, properly installed and operated, may not provide the expected safety features without a legitimate product certification. Product certification is crucial to safety because it establishes a systematic means of evaluating safety at the extremes and under special use conditions. Without valid third-party product certification, the risk of a catastrophic event is greater because of the lack of diligence. Achieving full and reliable functional safety certification requires careful attention.

2. Not all product certifiers are equally qualified

Product certifiers are evaluated by accreditation bodies. These organisations look for conformance with competency standards, to ensure that products evaluated and certified by the product certifier meet the expected performance levels. The responsibilities of accreditation bodies go beyond simple audits and include approving key policy documents, reviewing the evaluation process and monitoring the product certifier's audit programmes. The accreditation body seeks to ensure products are properly certified, which generally means:

A. The product is labelled with the registered certification mark;
B. The product certifier issues certification to a well-recognised test standard that is within the certifier's scope of accreditation; and
C. The product certifier issues certification from one of its recognised facility locations.

[…] certification body logo on the certificate. Without this crucial step there is no formal evidence of competency, and safety may be compromised.

The IEC 61508 standard requires "evidence of competence" for all who perform assessments. While it does not require formal authorised or accredited status, most customers who purchase IEC 61508-certified products demand a product certifier that demonstrates a high level of technical competence. (See Figure 1 below for a matrix depicting the different accreditation levels of product certifiers; it is significant that, as of August 2016, no single group had achieved accreditation in all three areas: SIL, performance and hazardous location.)

A product certifier that meets this high level of accreditation must demonstrate strong competency in the key areas of functional safety, and does so during an audit by a well-established accreditation body. For example, to certify that a product meets IEC 61508, the product certifier must have full competency in functional safety areas including:

• Mechanical design (stress conditions, useful life and systematic design procedures)
• Software design (software failure mechanisms and systematic design procedures)
• Electronic hardware (electronic hardware failure mechanisms and systematic design procedures)
• Hardware failure modes, effects and diagnostic analysis (FMEDA)
• Hardware probabilistic failure analysis (stress conditions and useful life)
• Software and hardware testing procedures and methods
• Quality procedures, document control and functional safety management

3. What you can (and can't) learn from documentation

When evaluating products for a functional safety system, much can be learned from a careful review of the product certificate. Each certificate lists the standards met and, particularly significant, the release year of the edition of the standard used to issue the certification.

For instance, if a product has been evaluated to the older IEC 61508:2000 (Edition 1), the potential buyer needs to be aware that this version of the standard is less specific and therefore allows more optimistic Safe Failure Fraction values (and is therefore less safe) than the current 2010 release (Edition 2). The significant difference is that FMEDA calculations now require the exclusion of non-safety-related components, which makes the assessment more stringent. "The older version leads to a more favourable Safe Failure Fraction value because 'no-effect' failures were declared safe—a misleading factor when considering overall safety," says David Sullivan-Nightengale, Senior Compliance Engineer at Det-Tronics.
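The Safe Failure Fraction point above is easy to see in numbers. The following is a worked illustration added to this article; it is not code from the authors or from Det-Tronics, and the FMEDA failure-rate figures in it are constructed, not taken from any real detector or certificate. It applies the IEC 61508-2 definition of SFF, (sum of safe failure rates + sum of dangerous detected failure rates) divided by (that sum + dangerous undetected failure rates), first counting "no-effect" failures as safe, as the quote describes for Edition 1 assessments, and then excluding them, as Edition 2 requires. It then goes one step beyond the text and looks up the highest SIL the hardware could claim from the Edition 2 architectural-constraint tables (Route 1H, Tables 2 and 3 of IEC 61508-2) for a given SFF band and hardware fault tolerance (HFT), which connects to the "HFT + 1" discussion in section 4 below. The element types, band limits and table entries are those of the standard; the class and function names are this example's own.

```python
"""Safe Failure Fraction (SFF) under Edition 1 and Edition 2 treatment of
'no-effect' failures, and the SIL the hardware may then claim under the
IEC 61508-2 architectural constraints (Route 1H).

Added example for this article. The failure rates are constructed and do
not describe any real detector or certificate.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Fmeda:
    """FMEDA failure-rate totals in FIT (1 FIT = 1e-9 failures per hour).

    safe_*       failures that drive the device to its safe state
    dangerous_*  failures that defeat the safety function
    *_detected / *_undetected: whether on-board diagnostics reveal the failure
    no_effect    failures of parts that cannot influence the safety function
                 (indicator LEDs, test connectors and the like)
    """
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float
    no_effect: float


def sff(f: Fmeda, edition: int) -> float:
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_DD + sum lambda_DU).

    edition=1: no-effect failures are counted as safe failures, the practice
               the article attributes to IEC 61508:2000 assessments.
    edition=2: no-effect failures are left out of the calculation entirely,
               as IEC 61508-2:2010 requires.
    """
    if edition not in (1, 2):
        raise ValueError("edition must be 1 or 2")
    safe = f.safe_detected + f.safe_undetected
    if edition == 1:
        safe += f.no_effect
    not_dangerous_undetected = safe + f.dangerous_detected
    return not_dangerous_undetected / (not_dangerous_undetected + f.dangerous_undetected)


# IEC 61508-2 Tables 2 (Type A) and 3 (Type B): highest SIL claimable for an
# element by SFF band (<60%, 60-<90%, 90-<99%, >=99%) and HFT 0/1/2.
# 0 means the combination is not allowed at all.
_SFF_BANDS = (0.60, 0.90, 0.99)
_MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def max_sil(sff_value: float, hft: int, element_type: str) -> int:
    """Highest SIL the hardware may claim. Type B covers complex elements such
    as microprocessor-based detectors; Type A covers simple, well-understood ones."""
    key = element_type.upper()
    if key not in _MAX_SIL:
        raise ValueError("element_type must be 'A' or 'B'")
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    band = sum(sff_value >= limit for limit in _SFF_BANDS)  # 0..3
    return _MAX_SIL[key][band][hft]


def compare_editions(f: Fmeda, hft: int = 0, element_type: str = "B") -> dict:
    """SFF and claimable SIL for the same hardware under both editions."""
    result = {}
    for edition in (1, 2):
        value = sff(f, edition)
        result[edition] = {"sff": round(value, 4),
                           "max_sil": max_sil(value, hft, element_type)}
    return result


# Constructed FMEDA totals for a hypothetical Type B flame detector.
SAMPLE = Fmeda(
    safe_detected=400.0,
    safe_undetected=100.0,
    dangerous_detected=1200.0,
    dangerous_undetected=200.0,
    no_effect=700.0,
)

if __name__ == "__main__":
    for edition, r in compare_editions(SAMPLE).items():
        print(f"Edition {edition}: SFF {r['sff']:.2%}, "
              f"max SIL for Type B, HFT 0: {r['max_sil']}")
    # Adding one redundant channel (HFT 1) lifts the Edition 2 result one band,
    # but only on the hardware side: the process must still be shown SIL-capable.
    print("Edition 2 with HFT 1:", compare_editions(SAMPLE, hft=1)[2]["max_sil"])
```

With these constructed figures the same hardware scores an SFF of about 92% when no-effect failures are counted as safe and about 89% when they are excluded, which is exactly the 90% boundary between a SIL 2 and a SIL 1 hardware claim for a Type B element with no redundancy. That is the practical reason the edition year on a certificate matters: the number has not changed because the detector got worse, but because the older calculation flattered it.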
Additional information on a manufacturer's claimed capabilities can be obtained by reviewing the product safety manual. This is necessary to determine the robustness of the product and process safety certifications. The product's proof test, which is contained in the safety manual, defines the maintenance required during product use to assure ongoing proper functionality. There are cases where a product claims a high SIL capability but requires expensive field maintenance. This and the other claimed capabilities noted in the safety manual should be reviewed in detail when comparing products.

4. Confusion surrounding SIL

It is important to understand that a SIL-capable certification does not mean that the product is performance approved. A SIL-capable product certificate may list a variety of codes and standards. Such a list must not be mistaken for compliance with each of them, as mentioned at the start of this paper; it may only indicate that those codes and standards were considered during the evaluation. Codes are not accreditable by any agency; the only way for a product to be properly certified is for a product certifier to test and evaluate it to the related standard, with that product certifier recognised as competent for the standard by an accreditation body. Some groups that offer product certifications may not be able to issue accredited certifications to the standards required for a specific application.

Another misperception relating to SIL is that a SIL 2 manufacturer can claim a SIL 3 product simply by requiring redundancy (HFT + 1). This is no longer acceptable. The product manufacturer must first prove that it has a SIL 3 compliant development process, because process capability is fundamentally necessary as a systematic measure in assuring product design robustness. Product certifiers with competency in functional safety certification will ensure product and process compliance with the manufacturer-claimed capability. (See Figure 2 below for the product, redundancy and process certifications required for SIL 2 or SIL 3 functional safety systems.)

In summary

Products designed to reduce risks in hazardous industrial applications must be certified to particular standards, and those who offer product certification are responsible for examining these products to ensure that they meet functional safety requirements. However, not all product certifiers are in a position to certify what a specific application may require.

Confirming that a product certifier is accredited for the assessment of conformity to IEC 61508 is a critical step for wary buyers of functional safety products. An accredited product certifier will have proven competency to ensure not only product and process compliance, but also that all relevant information is reflected in the manufacturer's safety manual. Further, the safety manual and the supporting manufacturer's documentation must be followed completely to ensure safe use of the product and proper functionality of the 'Safety Function'. Only then can full and proper compliance ensure the highest possible level of product reliability and performance for safety purposes.

About the authors

Jon D. Miller has 30 years' experience in the field of hazardous locations and functional safety, with a focus on fire and gas detection and systems, and has been with Det-Tronics since 1996. He is Chairman of the US Gas Detection Standards Development Committees for UL STP60079 TG79-29 (Combustible) and UL STP9200 (Toxic), and is Convener of the International Gas Detection Standards Development Committees for IEC TC31 MT60079-29 (Combustible) and IEC TC31 JWG45 (Toxic). Miller is also a member of IEEE and of several ISA, UL and IEC committees responsible for hazardous location and functional safety electrical equipment.
Corporate Office
6901 West 110th Street
Minneapolis, MN 55438 USA
Phone: 952.946.6491
Toll-free: 800.765.3473
Fax: 952.829.8750
www.det-tronics.com
det-tronics@det-tronics.com

© 2016 Detector Electronics Corporation. All rights reserved.