Life-saving safety equipment is becoming increasingly important across a wider cross-section of companies, and at the same time there is a growing trend to adopt best practices for the management of safety systems. Industrial clients now expect new plant designs and upgrades to comply with the Safety Instrumented System (SIS) standard IEC61508, in addition to fire and gas system performance approvals. It is important that safety engineers and owners consider the fundamental elements of Safety Instrumented Systems and how they will implement them. The safety requirements specification of any SIS to IEC61508 includes the target Safety Integrity Level (SIL) for each defined Safety Instrumented Function (SIF). In a fire and gas safety system, a SIF could be a gas or flame detector combined with the outputs that annunciate the hazard or initiate mitigation systems.
Safety-system manufacturers today use the term SIL in different ways. How does an engineer determine the meaning of the words ‘Certified SIL Capable’? Further, does that term differ significantly from the phrase ‘SIL Suitable’, which indicates a manufacturer’s practice of self-declaration?
Certified SIL Capable – An IEC61508 Assessment
When a device is given a certain SIL capability level, it means the device may be used in a design at that capability level or below. For instance, a Certified SIL2 device may be used in a SIF with a SIL2 or SIL1 risk reduction. To attain a Certified SIL Capability rating, an IEC61508 assessment must be done.
Properly assessing SIL Capability is an extensive process. It includes analysing the complete component design process: specification methods, design methods, design tools, testing methods, review techniques, and documentation. When this assessment is performed by a third party on behalf of a safety manufacturer, the IEC61508 Certified SIL Capability rating provides simple and solid safety integrity justification. A statement of SIL conformance that is not validated by a third party does not reflect a complete SIL design and verification process.
The result of that assessment should be a Safety Case, which describes how an instrument manufacturer meets each requirement of IEC 61508. All safety and design engineers should be able to review the Safety Case of any device they are interested in.
Makers of equipment destined for safety-related applications have a duty of care to provide equipment that is fit for purpose. When purchasing an assessed device, the buyer should receive audited documentation on how to use the component in a safety application. In addition, they will receive information on failure rates, failure modes, useful life limits, suggested proof test procedures and application limitations.
Considerations in the Safety Assessment
The assessment considers many facets of the safety manufacturer’s device and process, including hardware and software, manufacturer’s management of change, the manufacturer’s design and development process, and fault injection.
With the latest advances in technology, detection devices and logic solvers rely on the manufacturer’s own algorithms, software, and firmware. The vast majority of gas and flame detection devices now rely on highly specified microprocessors at their core to provide levels of functionality never previously available. These microprocessors become more powerful with each generation, and modern devices far exceed the performance of processors used in personal computers only a few years ago.
Now that the capabilities are so extensive, manufacturers take advantage of them by using more detailed and complex software. It is, therefore, imperative that the software in a safety device be fully evaluated in accordance with IEC61508 for the targeted SIL. Otherwise, how can users and engineers be sure that the selected hardware will be able to perform at the target SIL level?
While mechanical hardware data is crucial to the calculations for SIL systems and product capabilities, the importance of software functionality and potential failure must not be overlooked and specific proof of compliance should be sought for the firmware/software elements of any product.
When a component passes an IEC61508 assessment process, it meets the integrity requirements from both a random hardware failure perspective and a systematic design and software failure perspective.
Fault Injection Testing
The IEC61508 hardware assessment analyses the component failures and groups them into safe or dangerous, and detected or undetected. This process is called a Failure Modes, Effects and Diagnostics Analysis (FMEDA). This analysis provides the failure rates used in the SIL capability. However, this is only a fraction of the complete requirements.
In most devices, and especially flame and gas detectors, there are thousands of lines of program code that enable them to detect the hazard. A product with untested software is analogous to a personal computer whose reliability is checked only on component characteristics, with no data on any element of the operating system or application vital to its correct function. The creation of this software can introduce failure modes, and therefore IEC61508 has recommendations for coding practices at each target SIL.
To verify that the design performs as predicted, the final device is then subjected to fault injection testing. Once a device has been created and released, its ongoing updating and its management of change process are also evaluated as part of the overall device certification.
Management of Change (MOC)
Management of change is a critical part of the evaluation by a third party for testing and achieving ‘Certified SIL Capability.’ The instrument manufacturer’s change process is a potential source of faults as changes are made to the original device. While important for all products (including simple mechanical devices), MOC is especially so for any product that contains complex integrated circuits and software. Design mistakes can introduce dangerous failures. Therefore, any product change must go through a rigorous safety impact analysis to determine the scope of the change.
When considering longer-term operation, product updates should also be taken into account. Any product with a SIL certificate must go through a Safety Impact Analysis before any update is performed. This ensures that devices are kept within the original design parameters and that safety capabilities are maintained. SFF (Safe Failure Fraction) and FMEDA data used at the system design stage are only valid for those devices at that time and at that version. Any update to the product without a certified SIL capability may require a complete recalculation of the PFD (Probability of Failure on Demand). Again, without third-party testing, many items could be overlooked by safety manufacturers.
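As an added illustration of the FMEDA classification described under Fault Injection Testing and the SFF/PFD recalculation point above (example code written for this page, not from any manufacturer or certification body), the block below takes the four FMEDA failure-rate classes of a single 1oo1 device, computes its Safe Failure Fraction and average PFD for a given proof-test interval, and shows how a hypothetical firmware update that reduces diagnostic coverage shifts dangerous failures from detected to undetected and drops the device out of its SIL band. All failure-rate numbers are constructed; the PFDavg bands are the low-demand bands of IEC 61508-1.

```python
from dataclasses import dataclass

# Low-demand-mode PFDavg bands from IEC 61508-1 (SIL 4 has the lowest band).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in failures per hour, split the way an FMEDA reports them."""
    lambda_sd: float  # safe, detected by diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by diagnostics
    lambda_du: float  # dangerous, undetected (found only by proof test)

    def sff(self) -> float:
        # Safe Failure Fraction: share of all failures that are not dangerous-undetected.
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return 1.0 - self.lambda_du / total

    def pfd_avg(self, proof_test_hours: float, mttr_hours: float = 8.0) -> float:
        # Simplified 1oo1 model: an undetected dangerous fault is present for half the
        # proof-test interval on average; a detected one only for the repair time.
        return self.lambda_du * proof_test_hours / 2 + self.lambda_dd * mttr_hours


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band; 0 means worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


# Constructed FMEDA figures for the certified version of a hypothetical detector.
certified = Fmeda(lambda_sd=200e-9, lambda_su=100e-9, lambda_dd=300e-9, lambda_du=50e-9)
# Hypothetical firmware update that disables part of the diagnostics: the total failure
# rate is unchanged, but 200e-9/h of dangerous failures are no longer detected.
updated = Fmeda(lambda_sd=200e-9, lambda_su=100e-9, lambda_dd=100e-9, lambda_du=250e-9)

if __name__ == "__main__":
    ti = 8760.0  # one-year proof-test interval in hours
    for name, dev in (("certified", certified), ("updated", updated)):
        pfd = dev.pfd_avg(ti)
        print(f"{name}: SFF={dev.sff():.3f} PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
```

SFF also feeds the architectural-constraint tables of IEC 61508-2 together with hardware fault tolerance; the block models only the PFDavg band, not those tables.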