Advertisement Feature Cover Story

Understanding SIL Certificates

In recent years there has been an increasing number of Safety Integrity Level (SIL ) product certificates to IEC 61508 and related standards. Paul Reeve, Sira Certifications principal functional safety consultant, explains the purpose and benefits of such certificates whilst pointing out the necessity to take care in understanding the finer points of what is (and what is not) being certified
roduct certificates of conformity to IEC 61508 (or related standards) often vary greatly due to different certification bodies following their own assessment methods and certificate formats. The SIL is actually a dependability measure of the overall safety function being performed by a specific safety system (from sensor to actuator). However, most certificates are issued for mass produced devices (for example temperature sensors, trip amplifiers, PLCs, valves, etc), so it is important to understand what critical attributes of a device need to be stated on a certificate to indicate its suitability in SIL rated safety functions. For example, it is not just the probabilistic failure data that is important - many other factors of a device can lead to system failure. Furthermore, any mention of a SIL number on a device certificate must be highly dependent on conditions and assumptions about the overall safety system and the other devices in it. Actually, IEC 61508 does not mention the requirement for a certificate, but rather it requires a Functional Safety Assessment (FSA), so it is important that certification covers all the requirements of a FSA (see IEC 61508-1 clause 8). For product FSAs (and hence product certificates) it is essential that all the information the user of the product requires is covered. The FSA report (on which a certificate is based) should itself be auditable, i.e. all relevant clauses from IEC 61508 should be traceable. Furthermore, the process by which the FSA has been conducted should comply with IEC 61508, namely the independence, competence and the tools/procedures of the assessment body. A certification body which has the relevant parts of IEC 61508 in its scope of accreditation will ensure this is the case.

independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document. However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by considering the following real example.

Below: there are dangers in putting a SIL number as a headline on the certificate as once a SIL capability is stated, there is a tendency to ignore the rest of the certificate

Certificate to IEC 61508

D = 2.3 x 10 per hour PFD = 2.0 x 10-7 MTTF (dangerous) = 500,000 yrs MTBF (total) = 5,000 yrs Achieves SIL4 per IEC 61508
-10

the rest of the certificate. Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than the individual elements, the 2010 version of IEC 61508 has created the term Systematic Capability of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC <number> refers to the rigour of the documentation and quality process used throughout the products development to avoid systematic failures.

What should be certified?

In order to engineer a safety function, the system designer needs to know certain information about the constituent instruments (in relation to use in safety functions), in particular the hardware safety integrity (numerical failure data /HFT/SFF/type), and the systematic safety integrity (measured by the SC number). Both of these have to meet the SIL for the device to be capable at that SIL. Terms safe failure, dangerous failure and hence the safe failure fraction for an instrument are only relevant when there is knowledge of the target application. For example, if TO OPEN = 50 FITS, TO CLOSE = 500 FITS. Then, SFF is either 50/(50+500) = 9%, or 500/(50+500) = 91%. So the SFF depends on whether failure to open or to close is the safe mode. Where devices have internal hardware fault tolerance (HFT), is the cer-

Where is certification useful

Certification is particularly suitable for mass produced devices where it provides evidence of the FSA by an

Comparison of these figures with others for similar devices shows it claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions. Another example where caution is advised is where a certificate states SIL3 @HFT=1. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you dont need a certificate to tell you that - the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals the device is actually SIL2 capable So the certificate can easily be misunderstood by the unwary reader whose eye is caught with the words SIL3. The SIL capability of an instrument is an important parameter but there are dangers in putting a SIL number as a headline on the certificate, as once a SIL capability is stated, there is a tendency to ignore

SUMMER 2011 Industrial

Compliance

Advertisement Feature Cover Story

tificate clear about how are faults in one channel detected and reported? What is the channel Mean Down Time (which must not be exceeded) for the failure data to be valid? Accounting for the non-ideal independence between channels? And, the proof test method needed to exercise each channel independently? It has been noticed that some certificates use HFT=0 (1) meaning the normal HFT requirement (1 in this case) is reduced by 1 (to 0 in this case) due to knowledge of probabilistic failures from prior use (although this is actually an approach accepted by IEC 61511 for end users rather than IEC 61508). Sources of component failure data vary as they are often industry specific. The source should be stated and it is worth checking whether the component failure rates are taken from a database appropriate for the intended location and application of the instrument. How has the data been factored for the environmental conditions? (If not stated, best to assume control room use only). Are components used well within their rating? (61508 mentions de-rating). Are there certain components that dominate the units failure rate that require special attention? (e.g. relays, gas sensors, etc). If Probability of Failure on Demand (PFDAVG) is quoted for an instrument, remember this is also governed by the proof test interval. Every compliant instrument should have a Safety Manual which should be referenced in the certificate. It is critical to use the device only in accordance with the Safety Manual (the certified failure data is usually invalid otherwise). It should give any constraints in use and any assumptions for which the failure data is valid. Plus, it should cover configuration, installation, maintenance, operation, etc, to avoid systematic failures. Refer to IEC 61508-2, ed 2, Annex D which gives specific requirements for the Safety Manual. In regard to mechanical devices, systematic failures are more dominant, so expect the certificate to reference information on avoiding these. Generally speaking: l Constant failure rates are usually very low. l Wear out faults may have a different operational profile (no. of cycles) compared to electronic devices (which tend to follow the idealised time-based bath tub profile more closely). l Sources such as NPRD-2011 give real field data for thousands of components, including the statistical basis for each value. For devices that include embedded Right: An example certification scheme is CASS (Conformity Assessment of Safety related Systems) Below: for SIL product certificates it is important to understand what is (and what is not), being certified plied with. These might be conditions for the manufacturer and/or for the end user regarding design modifications, action on failure, ongoing management of functional safety, etc. Whether stated or not, it is certainly the case that selection of equipment for use in safety functions and the installation, configuration, overall validation, maintenance and repair should only be carried out by competent personnel, observing all the manufacturers conditions and recommendations in the user documentation.

software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software: l Has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes). l Assessment includes justification for the development tool chain. If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial. It must be realised that especially when the certificate is based on predicted (FMEA) data, the ongoing lifecycle should be reviewed by performing field failure analysis to

Choosing an assessor/certifier
As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate which should ensure these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems) which is unique in the following respects: l Open/transparent methodology

confirm the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that obligate: l The end user to collect (see IEC 60300-3-2) and feedback field failure information to the manufacturer. l The manufacturer to analyse field failures and take necessary action (inform the certification body, notify users, etc).

and framework for assessment to IEC 61508 (and sector standards). l Requirements are all in the public domain so there are no hidden surprises. l Originally a UK government funded initiative, designed by industry for industry. l CASS is a collective interpretation of IEC 61508 - this ensures the assessors ego is kept in check. (About 60 companies contributed).

Read the conditions

Most certificates have conditions of certification which should be com-

Sira Certification www.siracertification.com T: 01244 670 900

Industrial Compliance SUMMER 2011