Advertisement Feature Cover Story

Understanding ‘SIL’ Certificates


In recent years there has been an increasing number of Safety Integrity Level
(‘SIL’) product certificates to IEC 61508 and related standards. Paul Reeve,
Sira Certification’s principal functional safety consultant, explains the purpose
and benefits of such certificates whilst pointing out the necessity to take care
in understanding the finer points of what is (and what is not) being certified
Product certificates of conformity to IEC 61508 (or related standards) often vary greatly due to different certification bodies following their own assessment methods and certificate formats. The SIL is actually a dependability measure of the overall safety function being performed by a specific safety system (from sensor to actuator). However, most certificates are issued for mass produced devices (for example temperature sensors, trip amplifiers, PLCs, valves, etc), so it is important to understand what critical attributes of a device need to be stated on a certificate to indicate its suitability in SIL rated safety functions. For example, it is not just the probabilistic failure data that is important; many other factors of a device can lead to system failure. Furthermore, any mention of a SIL number on a device certificate must be highly dependent on conditions and assumptions about the overall safety system and the other devices in it.

Actually, IEC 61508 does not mention the requirement for a certificate, but rather it requires a Functional Safety Assessment (FSA), so it is important that certification covers all the requirements of an FSA (see IEC 61508-1 clause 8). For product FSAs (and hence product certificates) it is essential that all the information the user of the product requires is covered. The FSA report (on which a certificate is based) should itself be auditable, i.e. all relevant clauses from IEC 61508 should be traceable. Furthermore, the process by which the FSA has been conducted should comply with IEC 61508, namely the independence, competence and the tools/procedures of the assessment body. A certification body which has the relevant parts of IEC 61508 in its scope of accreditation will ensure this is the case.

Where is certification useful?

Certification is particularly suitable for mass produced devices where it provides evidence of the FSA by an independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document. However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by considering the following real example.

    Certificate to IEC 61508
    λD = 2.3 x 10^-10 per hour
    PFD = 2.0 x 10^-7
    MTTF (dangerous) = 500,000 yrs
    MTBF (total) = 5,000 yrs
    Achieves SIL4 per IEC 61508

Comparison of these figures with others for similar devices shows it claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions.

Another example where caution is advised is where a certificate states ‘SIL3 @HFT=1’. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you don’t need a certificate to tell you that: the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals the device is actually SIL2 capable, so the certificate can easily be misunderstood by the unwary reader whose eye is caught by the words ‘SIL3’.

The SIL capability of an instrument is an important parameter but there are dangers in putting a SIL number as a ‘headline’ on the certificate, as once a SIL capability is stated, there is a tendency to ignore the rest of the certificate.

Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than the individual elements, the 2010 version of IEC 61508 has created the term ‘Systematic Capability’ of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC <number> refers to the rigour of the documentation and quality process used throughout the product’s development to avoid systematic failures.

What should be certified?

In order to engineer a safety function, the system designer needs to know certain information about the constituent instruments (in relation to use in safety functions), in particular the hardware safety integrity (numerical failure data/HFT/SFF/type), and the systematic safety integrity (measured by the SC number). Both of these have to meet the SIL for the device to be capable at that SIL.

The terms ‘safe failure’, ‘dangerous failure’ and hence the ‘safe failure fraction’ (SFF) for an instrument are only relevant when there is knowledge of the target application. For example, if TO OPEN = 50 FITs and TO CLOSE = 500 FITs, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%. So the SFF depends on whether failure to open or failure to close is the ‘safe’ mode.

Where devices have internal hardware fault tolerance (HFT), is the certificate clear about how faults in one channel are detected and reported? What is the channel Mean Down Time (which must not be exceeded) for the failure data to be valid? Is the non-ideal independence between channels accounted for? And what is the proof test method needed to exercise each channel independently?

It has been noticed that some certificates use ‘HFT=0 (1)’, meaning the normal HFT requirement (1 in this case) is reduced by 1 (to 0 in this case) due to knowledge of probabilistic failures from ‘prior use’ (although this is actually an approach accepted by IEC 61511 for end users rather than IEC 61508).

Sources of component failure data vary as they are often industry specific. The source should be stated and it is worth checking whether the component failure rates are taken from a database appropriate for the intended location and application of the instrument. How has the data been factored for the environmental conditions? (If not stated, best to assume control room use only.) Are components used well within their rating? (61508 mentions de-rating.) Are there certain components that dominate the unit’s failure rate that require special attention? (e.g. relays, gas sensors, etc.)

If Probability of Failure on Demand (PFDavg) is quoted for an instrument, remember this is also governed by the proof test interval.

Every compliant instrument should have a ‘Safety Manual’ which should be referenced in the certificate. It is critical to use the device only in accordance with the Safety Manual (the certified failure data is usually invalid otherwise). It should give any constraints in use and any assumptions for which the failure data is valid. Plus, it should cover configuration, installation, maintenance, operation, etc, to avoid systematic failures. Refer to IEC 61508-2, ed 2, Annex D which gives specific requirements for the Safety Manual.

In regard to mechanical devices, systematic failures are more dominant, so expect the certificate to reference information on avoiding these. Generally speaking:

• Constant failure rates are usually very low.
• Wear out faults may have a different operational profile (no. of cycles) compared to electronic devices (which tend to follow the idealised time-based ‘bath tub’ profile more closely).
• Sources such as NPRD-2011 give real field data for thousands of components, including the statistical basis for each value.

For devices that include embedded software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software:

• Has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes).
• Assessment includes justification for the development tool chain.

If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial.

It must be realised that, especially when the certificate is based on predicted (FMEA) data, the ongoing lifecycle should be reviewed by performing field failure analysis to confirm the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that obligate:

• The end user to collect (see IEC 60300-3-2) and feed back field failure information to the manufacturer.
• The manufacturer to analyse field failures and take necessary action (inform the certification body, notify users, etc).

Read the conditions

Most certificates have conditions of certification which should be complied with. These might be conditions for the manufacturer and/or for the end user regarding design modifications, action on failure, ongoing management of functional safety, etc. Whether stated or not, it is certainly the case that selection of equipment for use in safety functions and the installation, configuration, overall validation, maintenance and repair should only be carried out by competent personnel, observing all the manufacturer’s conditions and recommendations in the user documentation.

[Figure caption: for SIL product certificates it is important to understand what is (and what is not) being certified.]

Choosing an assessor/certifier

As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate, which should ensure these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems) which is unique in the following respects:

• Open/transparent methodology and framework for assessment to IEC 61508 (and sector standards).
• Requirements are all in the public domain so there are no hidden surprises.
• Originally a UK government funded initiative, designed by industry for industry.
• CASS is a collective interpretation of IEC 61508; this ensures the assessor’s ego is kept in check. (About 60 companies contributed.)

[Figure caption: An example certification scheme is CASS (Conformity Assessment of Safety related Systems).]

Sira Certification
www.siracertification.com
T: 01244 670 900

8 SUMMER 2011 Industrial Compliance
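The SFF arithmetic and the ‘SIL3 @HFT=1’ reading discussed above, as an added worked example (not from the article or from Sira): it computes the SFF both ways for the TO OPEN/TO CLOSE figures and then applies the Route 1H architectural constraints of IEC 61508-2:2010 to show which SIL the element alone (HFT=0) supports. The band table is transcribed from memory, and the device types (Type A for the two-mode final element, Type B with 92% SFF for the ‘SIL3 @HFT=1’ case) are assumptions, since the article does not state them.

```python
# Added example (not from the article): SFF arithmetic for the TO OPEN /
# TO CLOSE figures, and the Route 1H architectural constraints that map
# SFF band, HFT and device type to the maximum SIL an element may claim.
#
# Band table transcribed from memory of IEC 61508-2:2010 Tables 2 and 3:
# each row is (SFF upper bound, (max SIL at HFT 0, HFT 1, HFT 2));
# 0 means no SIL claim is allowed. Verify against the standard before use.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4))],
}


def sff(safe_fits, dangerous_undetected_fits, dangerous_detected_fits=0.0):
    """Safe failure fraction = (safe + dangerous detected) / total.
    Rates in FITs (the unit cancels); the article's two-mode example has
    no diagnostics, so dangerous detected defaults to zero."""
    total = safe_fits + dangerous_undetected_fits + dangerous_detected_fits
    return (safe_fits + dangerous_detected_fits) / total


def max_sil(sff_value, hft, device_type):
    """Maximum SIL claimable for one element under Route 1H."""
    for upper, claims in ROUTE_1H[device_type]:
        if upper is None or sff_value < upper:
            return claims[hft]


def sff_both_ways(to_open_fits, to_close_fits):
    """The article's point: SFF depends on which failure mode is 'safe'."""
    return {
        "fail-to-open safe": sff(to_open_fits, to_close_fits),
        "fail-to-close safe": sff(to_close_fits, to_open_fits),
    }


def headline_vs_element(sff_value, device_type):
    """(SIL claimable with HFT=1, SIL the element alone supports at HFT=0)."""
    return max_sil(sff_value, 1, device_type), max_sil(sff_value, 0, device_type)


if __name__ == "__main__":
    # Figures from the article: TO OPEN = 50 FITs, TO CLOSE = 500 FITs.
    for mode, value in sff_both_ways(50, 500).items():
        # Type A assumed for this simple final element (not stated in the article).
        print(f"{mode}: SFF = {value:.0%}, max SIL at HFT=0 (Type A) = {max_sil(value, 0, 'A')}")
    # A 'SIL3 @HFT=1' certificate: Type B element with 92% SFF assumed.
    with_hft1, alone = headline_vs_element(0.92, "B")
    print(f"SIL{with_hft1} @HFT=1 means the element alone is SIL{alone} capable")
```

The same 92% SFF that supports SIL3 with one redundant channel supports only SIL2 for the element on its own, which is the distinction the headline figure hides.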

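The ‘searching questions’ about the quoted SIL4 certificate, and the dependence of PFDavg on the proof test interval, as an added worked example (not from the article): it derives what the certificate’s own figures imply about one another using the simplified 1oo1 relation PFDavg = λDU × T/2 (an assumption; the IEC 61508-6 Annex B formula adds repair-time terms) and the low-demand PFDavg bands of IEC 61508-1.

```python
# Added example (not from the article): arithmetic behind the "searching
# questions" for the quoted SIL4 certificate, and how PFDavg depends on
# the proof test interval. Assumes the simplified 1oo1 model below.
HOURS_PER_YEAR = 8760.0

# Low-demand target failure measures (IEC 61508-1 Table 2), as
# (PFDavg upper bound, SIL). Below 1e-5 the standard defines no level.
SIL_BANDS = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]
SIL4_LOWER_BOUND = 1e-5


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified 1oo1 PFDavg = lambda_DU * T / 2 (assumption: every
    dangerous failure stays undetected until the proof test, and repair
    time is ignored; IEC 61508-6 Annex B adds MTTR/MRT terms)."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sil_from_pfd(pfd):
    """SIL whose low-demand band contains this PFDavg (0 = worse than SIL1)."""
    for upper, sil in SIL_BANDS:
        if pfd < upper:
            return sil
    return 0


def cross_check_certificate(lambda_d, pfd, mtbf_total_years):
    """Derive what the quoted figures imply about one another."""
    return {
        # MTTF (dangerous) follows directly from lambda_D
        "mttf_dangerous_years": 1.0 / lambda_d / HOURS_PER_YEAR,
        # proof test interval the 1oo1 model needs to reach the quoted PFD
        "implied_proof_test_years": 2.0 * pfd / lambda_d / HOURS_PER_YEAR,
        # PFDavg the same lambda_D gives with a one-year proof test
        "pfd_at_one_year_test": pfd_avg_1oo1(lambda_d, HOURS_PER_YEAR),
        # share of all failures that are dangerous, from MTBF (total);
        # 1 minus this is a lower bound on the SFF
        "dangerous_fraction": lambda_d * mtbf_total_years * HOURS_PER_YEAR,
        # a PFD below the SIL4 band is outside anything the standard defines
        "below_sil4_band": pfd < SIL4_LOWER_BOUND,
    }


if __name__ == "__main__":
    # Figures as printed on the certificate quoted in the article.
    checks = cross_check_certificate(lambda_d=2.3e-10, pfd=2.0e-7, mtbf_total_years=5000)
    for name, value in checks.items():
        print(f"{name}: {value:.3g}" if isinstance(value, float) else f"{name}: {value}")
    print("SIL band containing the quoted PFD:", sil_from_pfd(2.0e-7))
```

Under these assumptions the quoted MTTF (dangerous) is consistent with λD, but the quoted PFD would correspond to a proof test interval of about 0.2 years, which is exactly the kind of condition the certificate and Safety Manual need to state for the figure to mean anything.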