Product certificates of conformity to IEC 61508 (or related standards) often vary greatly due to different certification bodies following their own assessment methods and certificate formats. The SIL is actually a dependability measure of the overall safety function being performed by a specific safety system (from sensor to actuator).
However, most certificates are issued for mass produced devices (for example temperature sensors, trip amplifiers, PLCs, valves, etc.), so it is important to understand which critical attributes of a device need to be stated on a certificate to indicate its suitability for SIL rated safety functions. For example, it is not just the probabilistic failure data that matters – many other attributes of a device can lead to system failure. Furthermore, any SIL number quoted on a device certificate is highly dependent on conditions and assumptions about the overall safety system and the other devices in it.
Actually, IEC 61508 does not mention a requirement for a certificate; rather, it requires a Functional Safety Assessment (FSA), so it is important that certification covers all the requirements of an FSA (see IEC 61508-1 clause 8). For product FSAs (and hence product certificates) it is essential that all the information the user of the product requires is covered. The FSA report (on which a certificate is based) should itself be auditable, i.e. all relevant clauses of IEC 61508 should be traceable. Furthermore, the process by which the FSA has been conducted should comply with IEC 61508, namely in the independence, competence and tools/procedures of the assessment body. A certification body which has the relevant parts of IEC 61508 in its scope of accreditation will ensure this is the case.
Where is certification useful?
Certification is particularly suitable for mass produced devices where it provides evidence of the FSA by an independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document.
However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by considering the following real example.
Comparing these figures with those for similar devices shows that the device claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions.
Another example where caution is advised is a certificate that states ‘SIL3 @HFT=1’. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you don’t need a certificate to tell you that – the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals that the device is actually SIL2 capable – so the certificate can easily be misunderstood by the unwary reader whose eye is caught by the words ‘SIL3’.
The SIL capability of an instrument is an important parameter but there are dangers in putting a SIL number as a ‘headline’ on the certificate, as once a SIL capability is stated, there is a tendency to ignore the rest of the certificate.
Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than the individual elements, the 2010 version of IEC 61508 has created the term ‘Systematic Capability’ of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC <number> refers to the rigour of the documentation and quality process used throughout the product’s development to avoid systematic failures.
What should be certified?
In order to engineer a safety function, the system designer needs to know certain information about the constituent instruments (in relation to use in safety functions), in particular the hardware safety integrity (numerical failure data /HFT/SFF/type), and the systematic safety integrity (measured by the SC number). Both of these have to meet the SIL for the device to be capable at that SIL.
The terms ‘safe failure’, ‘dangerous failure’ and hence the ‘safe failure fraction’ (SFF) for an instrument are only meaningful when the target application is known. For example, if
λ(to open) = 50 FITs and λ(to close) = 500 FITs, then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%.
So the SFF depends on whether failure to open or failure to close is the ‘safe’ mode.
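As an added illustration (not code from the original article), the following Python computes the SFF for the 50/500 FIT device above under each choice of safe mode, then reads off the SIL the element can support at HFT 0, 1 and 2 from the IEC 61508-2 Route 1H tables (Table 2 for type A, Table 3 for type B). It also shows why the ‘SIL3 @HFT=1’ claim discussed earlier reads as SIL2 capability for a single device; the failure mode names, the type B assumption and the 95% SFF used for that case are assumed values.

```python
# Added example, not from the article: SFF depends on which failure mode
# is 'safe', and the SIL an element supports depends on SFF, type and HFT.
# Achievable SIL per (device type, SFF band) indexed by HFT 0, 1, 2,
# as in IEC 61508-2 Route 1H (Table 2 = type A, Table 3 = type B).
# None means the combination is not allowed.
ROUTE_1H = {
    "A": {"<60": (1, 2, 3), "60-90": (2, 3, 4), "90-99": (3, 4, 4), ">=99": (3, 4, 4)},
    "B": {"<60": (None, 1, 2), "60-90": (1, 2, 3), "90-99": (2, 3, 4), ">=99": (3, 4, 4)},
}

def sff_band(sff):
    """Map an SFF (0..1) onto the band boundaries used by the tables."""
    if sff < 0.60:
        return "<60"
    if sff < 0.90:
        return "60-90"
    if sff < 0.99:
        return "90-99"
    return ">=99"

def safe_failure_fraction(rates_fit, safe_modes, detected_modes=()):
    """rates_fit: {failure mode: FIT}. Modes in safe_modes drive the process
    to its safe state; modes in detected_modes are dangerous but revealed by
    diagnostics. Both count in the numerator of the SFF."""
    total = sum(rates_fit.values())
    counted = sum(r for m, r in rates_fit.items()
                  if m in safe_modes or m in detected_modes)
    return counted / total

def sil_capability(sff, device_type, hft):
    """SIL the element can be used at for the given HFT (None = not allowed)."""
    return ROUTE_1H[device_type][sff_band(sff)][hft]

# The article's 50 FIT / 500 FIT device (failure mode names are assumed).
DEVICE = {"fail_to_open": 50, "fail_to_close": 500}

def sff_both_ways():
    """SFF when 'fail to open' is safe versus when 'fail to close' is safe."""
    return (safe_failure_fraction(DEVICE, {"fail_to_open"}),
            safe_failure_fraction(DEVICE, {"fail_to_close"}))

def single_vs_redundant(sff=0.95, device_type="B"):
    """An assumed type B, 95% SFF element: 'SIL3 @HFT=1' is SIL2 at HFT=0."""
    return sil_capability(sff, device_type, 0), sil_capability(sff, device_type, 1)

if __name__ == "__main__":
    print("SFF open-safe / close-safe:", ["%.0f%%" % (100 * s) for s in sff_both_ways()])
    print("SIL at HFT=0, HFT=1:", single_vs_redundant())
```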
Where devices have internal hardware fault tolerance (HFT), is the certificate clear about how faults in one channel are detected and reported? What is the channel Mean Down Time (which must not be exceeded) for the failure data to be valid? How is the non-ideal independence between channels accounted for? And what proof test method is needed to exercise each channel independently?
It has been noticed that some certificates use ‘HFT=0(1)’, meaning the normal HFT requirement (1 in this case) is reduced by 1 (to 0 in this case) on the basis of probabilistic failure data from ‘prior use’ (although this is actually an approach accepted by IEC 61511 for end users rather than by IEC 61508).
Sources of component failure data vary, as they are often industry specific. The source should be stated, and it is worth checking whether the component failure rates are taken from a database appropriate for the intended location and application of the instrument. How has the data been factored for the environmental conditions? (If not stated, it is best to assume control room use only.) Are components used well within their rating? (IEC 61508 mentions de-rating.) Are there certain components that dominate the unit’s failure rate and require special attention (e.g. relays, gas sensors, etc.)?
If an average Probability of Failure on Demand (PFDavg) is quoted for an instrument, remember that this is also governed by the proof test interval.
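As an added example (not part of the article), the following Python applies the simplified 1oo1 and 1oo2 PFDavg equations of IEC 61508-6 Annex B to an assumed λDU of 500 FIT and shows the same device moving from the SIL2 band to the SIL1 band as the proof test interval is stretched from one year to five; the repair times and the common cause factors β and βD are assumed values.

```python
# Added example, not from the article: PFDavg of 1oo1 and 1oo2
# arrangements from the simplified equations in IEC 61508-6 Annex B,
# to show that a quoted PFDavg is only meaningful together with its
# proof test interval T1. All input values below are constructed.
FIT = 1e-9          # failures per hour
HOURS_PER_YEAR = 8760

def pfd_avg(l_du, l_dd, t1, mrt=8.0, mttr=8.0, beta=0.1, beta_d=0.05,
            arch="1oo1"):
    """Rates in failures/hour; T1 (proof test interval), MRT and MTTR in hours.
    beta / beta_d: common-cause factors for undetected / detected failures."""
    l_d = l_du + l_dd
    # Equivalent mean down times: t_CE for one channel, t_GE for the voted group.
    t_ce = l_du / l_d * (t1 / 2 + mrt) + l_dd / l_d * mttr
    t_ge = l_du / l_d * (t1 / 3 + mrt) + l_dd / l_d * mttr
    if arch == "1oo1":
        return l_d * t_ce
    if arch == "1oo2":
        independent = 2 * ((1 - beta_d) * l_dd + (1 - beta) * l_du) ** 2 * t_ce * t_ge
        common_cause = beta_d * l_dd * mttr + beta * l_du * (t1 / 2 + mrt)
        return independent + common_cause
    raise ValueError("unsupported architecture: " + arch)

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 = below SIL1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4

def proof_test_sweep(l_du_fit, years=(1, 2, 5, 10), arch="1oo1"):
    """SIL band reached by the same element at several proof test intervals."""
    return {y: sil_band(pfd_avg(l_du_fit * FIT, 0.0, y * HOURS_PER_YEAR, arch=arch))
            for y in years}

if __name__ == "__main__":
    print("1oo1, 500 FIT dangerous undetected:", proof_test_sweep(500))
    print("1oo2, 500 FIT dangerous undetected:", proof_test_sweep(500, arch="1oo2"))
```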
Every compliant instrument should have a ‘Safety Manual’, which should be referenced in the certificate. It is critical to use the device only in accordance with the Safety Manual (the certified failure data is usually invalid otherwise). It should give any constraints on use and any assumptions under which the failure data is valid. It should also cover configuration, installation, maintenance, operation, etc., to avoid systematic failures. Refer to IEC 61508-2, ed. 2, Annex D, which gives specific requirements for the Safety Manual.
In regard to mechanical devices, systematic failures are more dominant, so expect the certificate to reference information on avoiding these. Generally speaking:
- Constant failure rates are usually very low.
- Wear-out faults may have a different operational profile (number of cycles) compared to electronic devices (which tend to follow the idealised time-based ‘bath tub’ profile more closely).
- Sources such as NPRD-2011 give real field data for thousands of components, including the statistical basis for each value.
For devices that include embedded software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software:
- Has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes).
- Has been assessed with a justification for the development tool chain.
If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial.
Especially when the certificate is based on predicted (FMEA) data, the ongoing lifecycle should be reviewed by performing field failure analysis to confirm that the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that obligate:
- The end user to collect (see IEC 60300-3-2) and feed back field failure information to the manufacturer.
- The manufacturer to analyse field failures and take necessary action (inform the certification body, notify users, etc).
Read the conditions
Most certificates have conditions of certification which should be complied with. These might be conditions for the manufacturer and/or for the end user regarding design modifications, action on failure, ongoing management of functional safety, etc. Whether stated or not, it is certainly the case that selection of equipment for use in safety functions and the installation, configuration, overall validation, maintenance and repair should only be carried out by competent personnel, observing all the manufacturer’s conditions and recommendations in the user documentation.
Choosing an assessor/certifier
As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate which should ensure these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems) which is unique in the following respects:
- Open/transparent methodology and framework for assessment to IEC 61508 (and sector standards).
- Requirements are all in the public domain so there are no hidden surprises.
- Originally a UK government funded initiative, designed by industry for industry.
- CASS is a collective interpretation of IEC 61508 – this ensures the assessor’s ego is kept in check. (About 60 companies contributed).