
BEST PRACTICE ARTICLE

Which safety device should I buy?


An end user's guide to selecting safety devices
compliant with IEC 61508 / 61511

By Jai Chainani and Dr Michel J.M. Houtermans


www.risknowlogy.com/best-practice


Copyright 2014 Risknowlogy. All Rights Reserved.


No part of this publication may be reproduced, stored in or introduced
into a retrieval system, or transmitted, in any form, or by any means
(electronic, mechanical, photocopying, recording, or otherwise), without
the prior permission of the publisher. Requests for permission should be
directed to riskfree@risknowlogy.com, or mailed to Risknowlogy,
Baarerstrasse 11, 6300, Zug, Switzerland.
All pictures are copyright protected by their respective owners. Where
possible we refer to the rightful owner. Sometimes we simply do not
know the rightful owner and cannot make a reference. If you know who
the rightful owner of the copyright protected material is then please
contact us at riskfree@risknowlogy.com and we will update our
publication.
Please do not participate in or encourage piracy of copyrighted materials
in violation of the authors' rights. Purchase only authorised editions.
Risknowlogy is committed to publishing works of quality and integrity.
In that spirit, we are proud to offer this book to our readers; however,
the words are the authors' alone.
First published in Inside Functional Safety
Published: October 2014

Table of Contents
Introduction (p. 5)
Demonstrating IEC 61508/61511 compliance for safety devices (p. 7)
Current market situation (p. 15)
Approach for selection of safety device (p. 23)
Conclusion (p. 26)
References (p. 28)
Share If You Liked It (p. 28)
About The Authors (p. 29)
About The Best Practice (p. 30)
About Risknowlogy (p. 33)
Certification Increase The Trust (p. 34)
History (p. 35)


Introduction
Safety instrumented systems (SIS) play a significant role within the
process industry. They reduce the likelihood of events causing harm to
personnel, the environment and assets, either by preventing them (PSD, ESD) or
by mitigating further escalation (F&G, fire water control). IEC 61508 and
IEC 61511 are the international standards on best practices for the functional
safety of devices used within the SIS.
These standards are considered good engineering practice worldwide,
and some countries incorporate them directly into their safety
cases. In those instances they indeed have the force of law. Hence,
compliance with the standards is seen as important from an end user
perspective, as it helps them to demonstrate due diligence, including for
other mandatory safe-operating legislation such as the Health and Safety Act
1994, the Management of Health and Safety at Work Regulations 1992 and the Control
of Major Accident Hazards Regulations 1999, see Figure 1.
The hardware of an SIS consists of devices such as sensors, logic solvers,
actuators and peripheral devices, see Figure 2. As with any piece of equipment,
safety devices can fail too. One of the main objectives of IEC 61508 is to
design a safety system that will take the plant to a safe state when it fails.
In order to design safety devices and systems as per IEC 61508/61511,
one should first understand how safety devices, and thus safety systems,
can fail. In practice safety devices can fail due to random, systematic or
common cause failures. The higher the SIL level, the stricter the IEC
61508 requirements are in terms of these random, systematic and
common cause failures.
End users must be able to select safety devices that give them a high
level of confidence in terms of compliance with IEC 61508. The safety
device should be provided to the end user with key reliability and
functional safety parameters such as failure rates, safe failure fraction
(SFF), hardware fault tolerance (HFT), type A or type B, etc. With all this
information in hand, it becomes easier for an end user to demonstrate
compliance with IEC 61508 and/or IEC 61511.
Ultimately it is the responsibility of an end user to demonstrate that
the device selected for the SIS is compliant. In practice this means that the
end users need to assure themselves that the chosen safety device meets
the requirements of the standard in such a manner that they are able to
defend their decisions to regulatory bodies or any third party performing
a functional safety assessment.

Figure 1 - Compliance with IEC 61508/61511 relates to current legislation [4]
The objective of this paper is to describe what it takes for safety
devices to be compliant with IEC 61508/61511 and to review the various
approaches towards compliance available in the market. The paper
gives an order of preference for compliance routes and provides a step-based
approach for end users to make a smart safety device selection.
Finally, the paper ends with conclusions and recommendations.


Figure 2 - Safety Instrumented System [5]

Demonstrating IEC 61508/61511 compliance for safety devices
Which standard to follow?
Although end users have no control over the design, manufacturing and
testing process of the safety device, it is they who have to take overall
responsibility in the event of a dangerous situation. Hence, selecting
devices that are compliant with the standard becomes paramount for
end users.
In the process industry end users need to design, operate and
maintain the SIS according to IEC 61511. The IEC 61511 standard gives
end users guidance, see Figure 3, on which standard to follow when
selecting safety devices to be used as part of the SIS. From this figure it
becomes clear that for new and existing devices end users need to verify
and assess the safety device against the IEC 61508 requirements, while for
existing (proven in use) devices they can use devices compliant with IEC
61511. Furthermore, devices in process industries might have a
relationship to the machine directive, PED and ATEX and might need to
comply with further product standards besides IEC 61508/61511.


IEC 61508 Requirements for new and existing devices
Safety devices can consist of hardware and/or software. IEC 61508 part
2 covers the hardware and overall system requirements of the safety system,
whereas the software requirements are covered by part 3 of the standard.
In order to demonstrate compliance with parts 2 and 3, end users must
verify and be able to demonstrate that the device used within their SIS
meets the requirements of part 2 and/or 3. In summary, the
requirements to achieve a SIL level cover the following areas:
a. Functional Safety Management (FSM)
The IEC 61508 standard requires any SIS stakeholder (end-user, system
integrator, product supplier, etc) to have a Functional Safety
Management system in place. This is similar to the famous ISO
9001:2000 quality management system but focuses instead on safety
aspects. For device suppliers this means two things.
Firstly, it requires that the device supplier has clear safety policies,
i.e., an organisational structure with responsibility for safety,
procedures, work practices and a quality management system, together with
functional safety competency of the individuals involved in the design and
manufacture of safety devices.

Figure 3 - Which standard to follow, IEC 61508 or IEC 61511?
Secondly, they must also demonstrate the process, described through
documentation, by which new products are developed and brought to
market and/or existing products are modified. This information
should include all design steps, all verification activities, responsibilities
and all device documentation generated, including user documentation.
In practice this means that device suppliers must address, among
others, the following to be compliant with the IEC 61508 standard:
A lifecycle approach;
An overview of activities per lifecycle;
Make competent people responsible for these activities;
Include verification, validation and assessment activities;
Address measures to control and measures to avoid failures;
Modification procedures for any future modifications;
Documentation that supports the above listed points.
b. Hardware requirements
The whole purpose of the hardware design requirements is to make
sure that systematic failures (during the design, for example) have been
avoided and that random failures are controlled during the design,
manufacturing and use of the device. Techniques required by the standard to
demonstrate systematic failure avoidance and control include for example:
Use of standards and design guidelines;
Proven components and parts;
Preferred design and architectural constraints are used for the device;
Continuous diagnostics;
Automatic safe response upon detection of failure, e.g., the design should maintain safety targets either through redundancy, alarms or shut down.


c. Reliability requirements
Concerning the reliability requirement, the purpose is to accurately
predict random and common cause hardware failures using reliability
data. Key reliability data should include the following:
Type A or B (a designation for the complexity of a device);
Probability of Failure on Demand (PFDavg);
Recommended proof testing interval;
Hardware fault tolerance;
Safe failure fraction;
Safe detected failure rate;
Safe undetected failure rate;
Dangerous detected failure rate;
Dangerous undetected failure rate.
All of the above information is normally obtained through a process
called Failure Mode and Effect Analysis (FMEA). This information can
be delivered by the supplier itself, by a third party report or through third
party certification (see section 3 on compliance demonstration
approaches). With this information end users can easily determine how
to comply with the architectural constraints and integrity level of the
safety function as described in the safety requirements specification.
Not addressed by the standard, but equally important for an end user,
is information about the probability of a spurious trip caused by an
internal safe failure of the safety device. The standard requires the
information above to be collected from a dangerous failure point of view.
The same information can, however, be used to make statements from a
safe failure point of view.
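As an added worked example (not from the original article or from Risknowlogy), the following Python script takes the reliability parameters listed above for a constructed Type B transmitter and derives its SFF, a simplified 1oo1 PFDavg, the low-demand SIL band, the limit imposed by the architectural constraints of IEC 61508-2 Tables 2 and 3, and the spurious trip MTTF from the same FMEA data; the device, its failure rates and the proof test interval are assumed values.

```python
"""Reliability parameters of a single safety device, computed the way an
end user would check a supplier's FMEA data against IEC 61508.
All failure-rate inputs are per hour; FIT = 1e-9 failures per hour."""

FIT = 1e-9


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (safe + dangerous detected) / total failure rate."""
    total = l_sd + l_su + l_dd + l_du
    return (l_sd + l_su + l_dd) / total


def pfd_avg_1oo1(l_dd, l_du, proof_test_h, mrt_h=8.0, mttr_h=8.0):
    """Simplified average PFD of a single (1oo1) channel after IEC 61508-6:
    undetected dangerous failures persist on average for half a proof test
    interval plus the repair time; detected ones persist for the MTTR."""
    return l_du * (proof_test_h / 2.0 + mrt_h) + l_dd * mttr_h


def sil_from_pfd_avg(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 means no SIL."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # the standard defines SIL 4 down to 1e-5; lower values are treated as SIL 4 here


def max_sil_architectural(device_type, sff, hft):
    """Maximum SIL allowed by the architectural constraints (IEC 61508-2
    Tables 2 and 3, route 1H) for an SFF band and hardware fault tolerance.
    Returns 0 where the combination is not allowed at all."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = {
        "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],  # simple devices
        "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],  # complex devices
    }
    return table[device_type.upper()][band][min(hft, 2)]


def spurious_trip_mttf_years(l_sd, l_su):
    """Mean time to a spurious trip: every safe failure (detected or not) of a
    de-energise-to-trip device stops the process. Not required by IEC 61508,
    but derived from the same FMEA data."""
    return 1.0 / (l_sd + l_su) / 8760.0


def evaluate_device(name, device_type, hft, l_sd, l_su, l_dd, l_du, proof_test_h):
    """Combine the parameters: the claimable SIL is the lower of the PFDavg
    band and the architectural-constraint limit. The PFDavg helper is for a
    single channel, so hft > 0 only raises the architectural limit here."""
    sff = safe_failure_fraction(l_sd, l_su, l_dd, l_du)
    pfd = pfd_avg_1oo1(l_dd, l_du, proof_test_h)
    sil_pfd = sil_from_pfd_avg(pfd)
    sil_arch = max_sil_architectural(device_type, sff, hft)
    return {
        "device": name,
        "sff": sff,
        "pfd_avg": pfd,
        "sil_by_pfd": sil_pfd,
        "sil_by_architecture": sil_arch,
        "claimable_sil": min(sil_pfd, sil_arch),
        "spurious_trip_mttf_years": spurious_trip_mttf_years(l_sd, l_su),
    }


# Constructed example data (not from any real supplier's FMEA): a smart
# transmitter, Type B (microprocessor based), used alone (HFT 0) and proof
# tested once a year.
EXAMPLE_TRANSMITTER = dict(
    name="constructed smart transmitter", device_type="B", hft=0,
    l_sd=200 * FIT, l_su=100 * FIT, l_dd=350 * FIT, l_du=50 * FIT,
    proof_test_h=8760.0,
)

if __name__ == "__main__":
    result = evaluate_device(**EXAMPLE_TRANSMITTER)
    for key, value in result.items():
        print(f"{key:>26}: {value}")
```

For the constructed transmitter the PFDavg alone would support SIL 3, but with SFF just under 93% and HFT 0 a Type B device is capped at SIL 2 by the architectural constraints, which is exactly why both sets of parameters have to be on the supplier's data sheet.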
d. Software requirements
IEC 61508 part 3 covers the development of embedded and application
software used within safety device as part of SIS. The main problems
with software are the systematic failures. Many techniques are available
to avoid these failures. Achieving safe software is important as many of
the measures to control random hardware failures are implemented in
software. Safe software is software that meets the IEC 61508 part 3
requirements and that can still put the safety system in a safe state
despite hardware failures or software bugs. Requirements to
demonstrate compliance with this part include among others the
following:
The use of the V model approach to software design, with the
number of phases in the V model being adapted according to the
safety integrity level and the complexity of the project. Although
the standard refers to the V model, it does not say anywhere that it is
required. An example of a V model is given in Figure 4.
The design methods should aid modularity and embrace features
which reduce complexity and provide clear expression of
functionality, information flow, data structures, sequencing, time
related constraints and design assumptions;
The embedded software should include software for diagnosing
faults in the system hardware and software, including error
detection for communication links and on-line testing of standard
application software;
The detail design of the software modules and coding
implementation should result in small manageable software
modules;
The system should as far as possible use trusted and verified
software modules which have been used in similar application;

Figure 4 - A typical V model for device software design [7]


Page 11
! of 36
!

The system should not use dynamic objects which depend on the
state of the system at the moment of allocation where they do not
allow checking by off-line tools;
The programming language should be capable of being fully and
unambiguously defined;
The support tool needs to be either well proven in use or certified
as suitable for safety system application.
In the IEC 61508 standard there are many requirements for
software and from a supplier/manufacturer point of view it is the
software which is the design and development bottleneck. Once the
software is under control basically the device is under control and
the hardware follows. In other words, from an end-user point of
view buying and installing devices with software means really
assuring themselves that the software of the device is IEC 61508
compliant.
e. Basic safety
Functional safety is one aspect of a safety device, but it does not
automatically cover all basic safety issues of the device in its operating
environment. Each device should also address the following basic safety
requirements, through appropriate environmental testing, to make sure
the device can be used in its intended environment:
Operational temperature range;
Storage temperature range;
EMC / EMI environment;
Vibration / shock testing;
IP classification;
Pressure (PED);
Explosive atmospheres (ATEX);
Basic electrical safety and compliance to product standards.
Whichever environment the end user of the device has is ultimately
the environment the safety device must be able to withstand. The
product supplier should be able to demonstrate the environment the device
has been qualified for, so that the end user can verify that the device is
suitable for their specific environment.
f. User documentation
One can have the best safety device in the world but if it is not used
properly it can still lead to undesired situations like accidents. User
documentation must be provided for the device in the form of a product
safety manual. This manual not only addresses all safety aspects during
installation, commissioning, operation, maintenance and repair but
sometimes also contains restrictions to the application of the device. It is
important for end-users that the information in the safety manual is
correct and that the restrictions do not limit the end-user unnecessarily.
Hence a safety manual should be available before one buys the
equipment.

IEC 61511 requirements for existing devices
To demonstrate compliance of a safety device with IEC 61511, it must be
shown either that the device meets the requirements of IEC 61508 or that the
device is proven in use according to the requirements of IEC 61511. The
requirements of IEC 61508 are described in paragraph 2.2. In this
paragraph the IEC 61511 requirements are addressed. IEC 61511 defines
proven in use as follows:
"When a documented assessment has shown that there
is appropriate evidence, based on the previous use of
the component, that the component is suitable for use
in a safety instrumented system"
In practice an end user knows very well whether a particular valve or
smart transmitter works or not. The problem is that in order to claim
proven in use this needs to be documented, and that is not always the case.
Furthermore, although proven in use is typically something that only
end users can determine, the suppliers of safety devices will do everything
to convince end users that their product is proven in use. The reason for
this is very simple. When a product is declared proven in use it does not
need to comply with all the measures to control and avoid failures
according to IEC 61508. In practical terms this means the product
supplier can avoid expensive modifications to their existing old
product. This is not only a huge R&D cost saving for them, but it also
does not delay their time to market with this safety device.
The evidence that needs to be delivered in order to demonstrate
proven in use is not easy to accumulate. It includes:
Consideration of the supplier's quality, management and configuration management systems;
Adequate identification and specification of the components or subsystems;
Sufficient volume of operating experience;
Demonstration of performance of the components or subsystems in similar operating profiles and physical environments if not sufficient operating experience exists;
Statistical evidence that the claimed failure rate is sufficiently low.
Especially the last point is difficult to meet, as failure track records
are usually not available. End users do not always track them, or when
they do track them, the documented information is not in such a form
that it can be used for compliance with the standard. Most product
suppliers do not have any capability to track their products once they are
sold. Also, they usually cannot or do not collect feedback from customers in
such a form that it can be used to demonstrate compliance.
Proven-in-use is a desirable and powerful technique as it is most
representative of the application environment and maintenance
practices in place. But it can only be demonstrated, and thus used for
compliance, if the above requirements can be demonstrated and are
documented.
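As an added example (not part of the original article), the following Python code puts numbers on the last item of the evidence list above, statistical evidence that the claimed failure rate is sufficiently low: from a constructed fleet record it computes the one-sided upper confidence bound on the dangerous undetected failure rate and the device-hours a record must contain to support a target rate; the fleet data, the 50 FIT target and the 70% confidence level are assumptions.

```python
import math

FIT = 1e-9  # one failure per 1e9 device-hours


def poisson_cdf(n, mu):
    """P(X <= n) for a Poisson variable with mean mu, summed by recurrence."""
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def upper_bound_events(failures, confidence):
    """Largest expected event count mu still consistent with having observed
    at most `failures` events at a one-sided confidence level: the smallest mu
    with P(X <= failures | mu) <= 1 - confidence. This equals half the
    chi-square quantile with 2*failures+2 degrees of freedom; bisection is
    used here so that no scipy is needed."""
    if failures == 0:
        return -math.log(1.0 - confidence)      # closed form: exp(-mu) = 1 - C
    lo, hi = 0.0, 100.0 * (failures + 1)        # bracket that always holds the root
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > 1.0 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def demonstrated_failure_rate(device_hours, failures, confidence=0.70):
    """Upper confidence bound (per hour) on the failure rate supported by a record."""
    return upper_bound_events(failures, confidence) / device_hours


def hours_needed(target_rate, failures=0, confidence=0.70):
    """Device-hours a track record must contain to support `target_rate`
    given the number of failures observed in it."""
    return upper_bound_events(failures, confidence) / target_rate


def proven_in_use_check(fleet, target_du_rate, confidence=0.70):
    """fleet: list of (installed units, hours per unit, dangerous undetected
    failures) for installations with a similar operating profile and environment."""
    device_hours = sum(units * hours for units, hours, _ in fleet)
    failures = sum(f for _, _, f in fleet)
    lam_upper = demonstrated_failure_rate(device_hours, failures, confidence)
    return {
        "device_hours": device_hours,
        "failures": failures,
        "lambda_du_upper_per_h": lam_upper,
        "meets_target": lam_upper <= target_du_rate,
        "hours_needed": hours_needed(target_du_rate, failures, confidence),
    }


# Constructed fleet record (not real field data): 120 transmitters for three
# years at one site plus 40 for one year at a second site, with no dangerous
# undetected failure found at proof tests at either site.
EXAMPLE_FLEET = [(120, 3 * 8760.0, 0), (40, 8760.0, 0)]

if __name__ == "__main__":
    result = proven_in_use_check(EXAMPLE_FLEET, 50 * FIT)
    print(f"device-hours in record  : {result['device_hours']:.0f}")
    print(f"upper bound on lambda_DU: {result['lambda_du_upper_per_h'] / FIT:.0f} FIT")
    print(f"meets 50 FIT target     : {result['meets_target']}")
    print(f"hours needed for 50 FIT : {result['hours_needed']:.2e} "
          f"(about {result['hours_needed'] / 8760:.0f} device-years)")
```

With zero failures in about 3.5 million device-hours the record supports roughly 344 FIT, seven times the 50 FIT target; supporting 50 FIT at 70% confidence needs about 2,750 documented, failure-free device-years, which is the practical reason the article calls this evidence hard to accumulate.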


Current market situation

A general overview
End users need to assure themselves that the safety devices selected by
them are compliant with either the IEC 61508 or the IEC 61511 standard. In
practice, though, they usually have neither the time nor the knowledge to
verify compliance for every single device that will be used in their safety
functions. It is in the interest of the suppliers to help end users in their
selection process by demonstrating that their device is compliant with the
standards. But in practice different approaches are currently used in
industry to demonstrate compliance. In summary these approaches are:
Partial or full IEC 61508 compliance with certification by an independent third party;
Partial or full IEC 61508 compliance with self declaration by the device supplier;
Proven in use according to IEC 61511 by the end-user with or without independent third party certification;
Proven in use according to IEC 61511 by the supplier with or without independent third party certification;
Any of the combinations above, e.g., proven in use + partial compliance.
It is important for an end user to understand the pros and cons of
the different approaches. An end user needs to understand what the
differences are between Partial, Full or Proven in Use compliance and
how they affect their daily business. In summary:
Full compliance means that a device meets all applicable
requirements of the IEC 61508 standard. The end user can be sure
that the device has been designed according to the rules of the
standard. Now it is up to the end user to install, commission,
validate, operate, maintain and repair it correctly.
Partial compliance means that not all requirements have been
addressed. The question is: how bad is this? This depends of
course on which requirements have been addressed, or rather
which ones have not. If a device has software inside and only the
hardware requirements have been addressed, then we have no clue
about the status of systematic failures in the device concerning the
software. If the software has one bug, then all devices with this
software have this bug.
Proven in use means that there is confidence that the product
works because end users have seen in practice that it works in their
own or a similar process environment. If this is an older device it
also means that the device does not meet the requirements of the
standard, but its proven use demonstrates that the functionality
of the device is reliable anyway.
Considering the statements above one can conclude that a newly
developed device compliant with the IEC 61508 standard is nice, but it
does not yet provide confidence to end users that it will work to their
satisfaction in their process environment. Table 1 shows a comparison
between full IEC 61508 compliance and IEC 61511 proven in use.

Table 1 - Comparison between Full IEC 61508 Compliance and Proven in use (IEC 61511)

From an end user point of view the best device would be a device fully
compliant with the standard which has proven itself in the field. When
demonstrating full compliance, partial compliance or proven in use the
industry uses two approaches, i.e., certification or self-declaration. In
the case of certification, a certificate comes along with a report which
summarises the most important properties of the safety device.
Certification is produced by an independent and competent third party
organisation, experts in the field of functional safety who
should not have any vested interest in the safety device. The purpose of
certification should be to help end users gain confidence in the safety
device by providing evidence of verification and assessment as per the
requirements of the standards. It helps the end user, who does not need
to perform the analysis himself when using a certified device. Although
the standard does not mention anything about certification, i.e.,
certification is not a requirement in the standard, nor is any other
technique to demonstrate compliance, certification is available in the
market and plays a major role in this industry. Some of the
independent / third party companies who certify safety devices compliant
with IEC 61508 are Exida, TUV Rheinland, TUV SUD, Risknowlogy,
Baseefa, Sira, etc. Full IEC 61508 certification is the most comprehensive
type of certification available in the market and should cover the entire
requirements of IEC 61508 as described in Section 2.2 of this paper. It
also demonstrates rigour of verification and assessment by a highly
competent independent body that has no partiality towards
the device.
The certificate itself, see Figure 5, should never on its own be the basis for
a decision to install a product in the plant. It should only be used as a first
impression and should never be read without the accompanying
technical report and, if possible, the safety manual of the device.
Another option is to self-declare compliance with the standard, see
Figure 6. There is nothing in the standard to prevent device suppliers from
self-declaring their verification or assessment activities, either of their
FSM or of the other requirements of IEC 61508. This is done not only by
product suppliers, but also by end users.
A self-declaration, unlike certification, is produced by the device supplier,
stating that their device complies with the requirements of the IEC 61508
standard and can be used in a safety instrumented function. Just like a
certification it should detail key functional safety parameters such as SIL
capability, device type, SFF, PFDavg, failure rates, etc., and will either
list the restrictions on the certificate itself or refer to the device
safety manual for restrictions.
Self-declaration normally does not come along with a technical report
explaining the verification and assessment activities that have taken
place. Hence, it is difficult for end users to understand and thus gain
confidence in the device. The other concern for end users with
self-declaration is the concern of partiality and vested interest involved when
the same company that designs, manufactures and tests the product is the
one assessing and verifying it.

Figure 5 - Examples of Full IEC 61508 Certificate by independent / third party

Figure 6 - Example of self declaration by device suppliers (Note: This is not certification)
Suppliers sometimes self declare their safety device compliant on the
basis of the IEC 61511 proven in use requirement. As stated in paragraph 2.3
of this paper, end users are best suited to prove the IEC 61511 proven in
use requirement for a safety device in a particular application. Although
possible, an attempt by a supplier to demonstrate proven in use must be
looked into with utmost scrutiny.
There is a big difference though between devices with self-declaration
and full certification. With self-declaration there is no independent
party involved. Both approaches have again their pros and cons. In
summary:
Certification means that an independent third party attests that
statements made are true, e.g., "Our product is compliant with IEC
61508". Not the end user or the product supplier attests this statement
but an independent party does. This is of course only valuable if the
independent party is truly independent and has no legal, financial or
political interest in the product.
Self-declaration means that the supplier makes the statement
about the product himself. End users can find this difficult to trust,
as nobody independent was involved. So it becomes a matter for
the end user of "whom can I trust?", or "whom do I allow to use
self-declaration and from whom do I want to see a third party
certification?".
When it comes to proven in use, self-declaration is done by product
suppliers and end users. When the supplier self-declares proven in
use then the above point is applicable again. When the end user
self-declares then of course this is only of value if the analysis work
done within the company is performed with sufficient
independence and without any pressure from within the company.

Table 2 - Preference order for compliance approach demonstration
Independently of the approach chosen, a technical report should
explain and document the work performed. It details the basis of the
verification and assessment work. If there is no technical report then end
users do not know what work has been done, lose confidence, and
cannot demonstrate to any third party that they themselves are
compliant with the standard.
For an end user the question is whether they can trust self-declaration
or not. The same applies to independent third party
certification. But as stated before, independent third parties should not
have any financial or political interest in a company, and thus one should
be able to say that third party certification deserves higher trust than
self-declaration.

Ranking different compliance approaches
After reviewing all the different approaches to demonstrate compliance
against the standards, Table 2 recommends a preferred order list for end
users in the selection of safety devices used as part of an SIS.
For an end user the most preferred approach would be full IEC
61508 certification with proven in use by an independent third party. This
gives confidence and assurance that the device meets the requirements of
the standard and it is proven that it works in their process environment.
Although this is the preferred selection, in practice this kind of device is
just not always available. Even if the end user wants to be compliant
with the standards they still have to use alternatives in case this option is
not available.
The second preferred approach would be proven in use according to
IEC 61511 by end user or independent third party. This gives confidence
that the device meets the requirement of IEC 61511, works in their
process environment and it is proven that the dangerous failure rate is
sufficiently low in terms of random, common cause and systematic
failures.
Thirdly would be Full IEC 61508 certification by an independent
third party. This gives confidence that the device meets the
requirements of IEC 61508 standard but no assurance yet that it will
work in their process environment and that the predicted failure rates
are as low in practice as well.
Whenever possible an end user should try to select devices from
the above preferences. Finally there are other compliance approaches,
such as full IEC 61508 self declaration by the device supplier and proven
in use according to IEC 61511 by the device supplier, but in practice they are
not preferable at all.


Figure 7 - Recommended step based flow chart to select safety device compliant with IEC 61508 / 61511


Approach for selection of safety device
Selection of a device for SIS applications is important as end users depend
on that device for protection in the event of a potentially dangerous
situation. The selection process for safety devices is a two-step process,
i.e., is the device fit for purpose, and are the dangerous failures
sufficiently low (compliance with IEC 61508 / 61511)?
Step 1: Fit for purpose
The first step is to make sure that the selected safety device is fit for
purpose and will actually work well in the intended application and
environment. This step is probably even more important than selecting
just a device which is compliant with the standards. The fit for purpose
analysis should consist of an application review with the actual operating
experience. The review must decide whether:
1. The safety device selected is fit for the job;
2. The safety device is correctly rated for the intended environment;
3. The safety device's safety manual presents any unacceptable restrictions.
Many companies have procedures that require testing in the actual
process environment (you could call this phase collecting evidence for
proven in use). When failure rate data is missing the end-user can use
sources for industry specific reliability data such as the PERD (Process
Device Reliability Database) handbook.
The safety manual is a document that should be provided by the
product supplier. It explains specifically how the product is to be used in
an SIS application. A large safety manual with a long detailed list of
instructions on how to make the product safe is a sure sign that the supplier
does not meet the requirements unless these restrictions are implemented
by the end user.
Another point to note on the topic of the product safety manual is that
normally it is not supplied until the product is purchased. End users must ask
suppliers to provide the safety manual before selecting a device, as it may
contain restrictions of use to a particular application or could contain
information that is referenced in the independent/third party
certification or reports.
Step 2: Dangerous failures protection
The second step is to select a safety device that is compliant with IEC
61508 / 61511, with the purpose that the dangerous failures are
sufficiently low according to the required SIL level. The selection is
based on the dangerous failure expectations expressed in parameters like
SIL, PFDavg, SFF, etc., which should be described in the safety
requirements specification. This is the step where end users must select
the safety device from the different recommended compliance techniques
that are described in section 3.4.
Figure 7 shows a step-based flow chart that is recommended for
selection of safety device used as part of SIS.


Conclusion
An SIS plays a vital role in providing protective layer functionality within the
process industry and helps to reduce risk to As Low As Reasonably
Practicable (ALARP). End users need to select devices used within the SIS
compliant with the IEC 61508 / 61511 standards for their own peace of mind
and to be able to defend their decision to a regulatory body. Two options
are available to demonstrate compliance with the standards, i.e., for new
and existing devices to follow the IEC 61508 requirements, or for existing
devices to use the IEC 61511 proven in use requirement.
Compliance against IEC 61508 can be demonstrated for a safety
device by fulfilment of specific requirements in each of the following

areas: FSM, hardware requirement, reliability analysis, software design,


basic safety and user documentation. To demonstrate compliance for a
safety device with IEC 61511, it must be either shown that the device
meets the requirements of IEC 61508 or the device is proven in use.
Proven in use is difficult to demonstrate as it requires sufficient failure
track record which are usually not tracked or available in a documented
form.
End users normally do not have the time or the knowledge to verify
compliance against the standards for every single device that will be in their safety functions.
Few suppliers are helping end users to
demonstrate that their device is compliant with the standards. Different
approaches that are currently being used to demonstrate compliance are:
Partial OR full IEC 61508 compliance with certification by
independent third party
Partial OR full IEC 61508 compliance with self declaration by
device supplier
Proven in use according to IEC 61511 by end-user OR independent
third party
Proven in use according to IEC 61511 by supplier OR independent
third party
Any of the combinations above, e.g., proven in use + partial
compliance
Not all approaches that are available in the market for
compliance demonstration are comprehensive or trustworthy. End users
should be able to differentiate between the different approaches and
should be able to select a safety device that gives them confidence, as it is
they who have to accept responsibility. A recommended preferred
option list for end users in the selection of a safety device against the various
compliance demonstration approaches is:
The selection process for a safety device is a two-step process, i.e., step
1: Fit for purpose and step 2: Dangerous failure protection (compliance
with IEC 61508 / 61511). A step-based approach to select a safety device
compliant with IEC 61508/61511 is detailed in figure 7 of this paper.
References
1. The Offshore Installations (Safety Case) Regulations 1992, SI 1992/2885.
HMSO, ISBN 011025869X.
2. Health and Safety at Work etc. Act 1974 (Commencement No. 1)
Order 1974, SI 1974/1439.
3. Control of Major Accident Hazards Regulations 1999, SI 1999 No.
743. HMSO, ISBN 0 11 0821920.
4. Smith, D. J. and K. G. L. Simpson (2005). Functional safety: A
straightforward guide to applying the IEC 61508 and related
standards. Burlington, U.K.: Elsevier.
5. IEC 61508 (1998). Functional safety of electrical / electronic /
programmable electronic safety-related systems. Geneva:
International Electrotechnical Commission.
6. IEC 61511 (2003). Functional safety - safety instrumented systems for
the process industry. Geneva: International Electrotechnical
Commission.
About The Authors


Jai Chainani is a senior instrument, control and functional safety
engineer. He obtained his Master's degree in control & instrument
systems from the University of Huddersfield, UK.
Currently, he is working for Britannia Operator Limited (a joint
venture between Chevron North Sea & ConocoPhillips UK) in the
maintenance department. His main responsibility and focus is to ensure
safe operations, deliver operational excellence and demonstrate
compliance of safety instrumented systems with functional safety
standards.

Dr. Michel Houtermans has an MSc. in mechanical engineering and a
Ph.D. in safety and risk management. At Factory Mutual Global he held
the positions of research and project engineer. At TÜV SÜD he has held
the positions of project engineer, project manager and department
manager. Today he is managing partner at Risknowlogy.
Dr. Houtermans has over 15 years' experience in functional safety, has
published numerous papers on risk, reliability and safety, and is the
Editor-in-Chief of Inside Functional Safety. He actively certifies
products, loops, systems, people and organisations according to
functional safety standards and audits safety management systems for
internationally operating companies in the oil & gas, chemical, and
process industries. Furthermore, he acts as an independent safety auditor
for governments and has served as an expert witness in safety-related court
cases.
About The Best Practice


The goal of the Risknowlogy Best Practice publications is to be the
leading destination when it comes to risk, reliability and safety
knowledge. It aims to provide professionals around the world with
rigorous insights and best practices to help them to become leading risk,
reliability and safety practitioners for the benefit of all.

Get involved - Become an author

Thanks for considering working with us. We believe that if companies
and organisations would understand their hazards and risks better, if
they would understand how to build reliable solutions to manage those
risks and if they would know how to achieve safety in an effective
manner, then everybody (the employees, the bosses, the customers, the
people, the environment, the investors and the whole world) would be
better off. So we try to arm our readers with knowledge and ideas that
help them to identify and manage risks better, to design sufficiently
reliable solutions and to be safer at work. To do that we enlist the
foremost experts in risk, reliability and safety theory and practice,
collaborating to express their best thoughts in the most influential ways
possible.
If you have a new piece of research, a new approach, an unexpected
perspective on a current event or an original way of looking at a
perennial risk, reliability or safety problem in any industry, we would
love to hear about it. Here's what we look for when we're considering
what to publish at Risknowlogy:
1. Expertise: You don't have to have grey hair, or no hair at all for
that matter, or to be well known to be a contributor to the
Risknowlogy Best Practice, but you must know a lot about the subject
you're writing about.
2. Evidence: It's not enough to know your subject deeply; you have
to prove it to the reader. You can refer to research or practical work of
others. You can also demonstrate your thoughts with practical and
relevant examples. Use data, create charts, create graphs, do anything
creative to share your ideas. Our audience is keen to see your
thoughts in action.
3. Be Original: Risk, reliability and safety problems are not new.
The world has always had them and always tried to solve them. There
aren't that many wholly new ideas in risk, reliability and safety, and
the problems practitioners face have probably been solved already
somehow. So if you're writing about a well-worn topic, you need to
find a fresh and creative approach. The best way to do this is to be
very specific and to rely on your own research, observations, and
experience. The worst way to do this, generally, is to give the same
solution a new jacket or use a fancy, clever new phrase.
4. Usefulness: Whatever you submit, it needs to be useful to our
readers. Our readers don't read our Best Practices just to stay on top
of new developments in risk, reliability and safety thinking. Much
more, they are looking for help in changing the way they and their
organisations actually approach risk, reliability and safety topics. Try
to explain your thinking so that the reader understands how to begin
to apply it in a real situation. Making your ideas useful will make them a
lot more powerful.
5. Be Persuasive: Make your publication a pleasure to read. The
Risknowlogy Best Practice readers are smart and skeptical and busy
like everybody else in the world. If you don't capture, and keep, their
attention, they will not hesitate to move on to something else. Use
compelling language, get straight to the point in the first paragraph,
avoid jargon, and spend the extra time necessary to make your
language sharp and compelling throughout. Use pictures, graphs, use
humour; anything is allowed to keep their attention.

Some notes about our editorial process


We are looking for quality, not quantity. We only publish if we feel it
contributes in the right way. The best thing to do is to send us a short
pitch first so we can give you feedback early enough. Nothing will be
published unless we have seen a full draft. Most likely our editors will
ask you to revise parts of your publication. We will have it read by more
than one editor, to make sure we get the most out of your contribution.
Send your pitch or full draft to your editor or if you do not have an editor
send it to bestpractice@risknowlogy.com.
Just remember that our editorial process is more thorough than many
other publishers'. We will work with you to make your contribution the
best for our readers. Contributors tell us frequently that they really
appreciate the extra care and attention their work receives. We also
retain final decision rights over headlines. Our editors have spent years
learning what kind of headlines give Risknowlogy Best Practice pieces
the best chance of being read, found on the web and shared both on
social media and in offices around the world. We will very likely rewrite
the title you suggest; if we do so, it's because we believe the revised
version will help your publication reach the audience it deserves.
We want you to write your publication yourself, in your own voice,
coming from your heart. Please don't submit something written by your
PR representative or a ghostwriter, or something that was published
already elsewhere. We don't publish pieces that have appeared elsewhere
or that come across as promotional.
bestpractice@risknowlogy.com
About Risknowlogy
Experts in Risk, Reliability and Safety
Risknowlogy was founded in 2002 with a passion for risk, reliability and
safety. We are particularly known for our leading role in functional
safety. At Risknowlogy we apply all the typical risk, reliability and safety
techniques you might have heard of: Bowtie, HAZOP, HAZID, LOPA, AHA,
OHA, PHA, QRA, FMEA, FMECA, ETA, Markov, FTA, Reliability Block
Diagrams, FMEDA, FSM, SIL Assessment, SIL Verification, SIL
Certification, Calibration Risk Matrix and Risk Graph, STL and so on.
But our services go beyond the application of the classic and standard
techniques. Contact Risknowlogy if you are in need of risk, reliability or
safety services.
At Risknowlogy we apply risk, reliability and safety techniques so that
our customers become more profitable. Our services help companies to
be compliant with standards and thus to meet regulatory requirements,
to meet the requests of insurance companies, and to meet and exceed their
availability goals. And more availability leads to more profitability.
Not so typical for the industry, but for us bread and butter, services we
have carried out for our customers:
Setup of a risk, reliability, and safety competence program for the
technical employees of a chemical plant
Implementation of a risk management program including a functional
safety handbook for an oil refinery
Calculation of the availability of gas supply (needed for electricity,
cooling) for a major city in the Middle East
Decision support for the implementation of safety functions
including their proof test frequency for a petrochemical plant
Pipeline risk management program for a country's pipeline operator
Governmental functional safety audit program for tunnel operators
Decision support for the best out of five infrastructure solutions
taking into account image, environmental, cost, legal and sustainability
aspects for a local government.
Contact Risknowlogy if you are in need of a customised risk, reliability
or safety solution.
Certification Increase The Trust


If you do not trust it, certify it. Risknowlogy has developed a
Certification Program that is unique in the world, as we are the only
company in the world that certifies risk, reliability and safety parameters
of products, functions, systems, organisations and professionals.
The Risknowlogy Certification Program has been developed to
support end users. End users are in need of competent personnel and
contractors. End users need the right procedures and need to make sure
that their employees and contractors follow and implement these
procedures. End users need to trust the products and systems they buy
and use to operate their processes, factories and plants. End users can
take full advantage of the Risknowlogy Certification Program.
Typical certification projects we have carried out for companies and
people:
Risknowlogy certified over 3000 people in the TÜV SÜD and
Siemens certification program
Risknowlogy SIL certified products like level transmitters,
temperature transmitters, pressure transmitters, actuators, valves,
relays, sensors, pumps
Risknowlogy certified Safety Availability in terms of SIL for
functions and systems like ESD, HIPPS, BMS, Smoke and
Detection, Overfill Prevention Systems
Risknowlogy certified Process Availability taking into account
malfunction of Safety Instrumented Systems
Risknowlogy certified Functional Safety Management systems
for System Integrators according to IEC 61508 and IEC 61511
Contact Risknowlogy if you are in need of certification of people,
products, functions, solutions, organisations, or of a unique in-house
certification program customised and tailored to your company's unique
needs and requirements.
History
Risknowlogy was founded in 2002 and is an employee-owned
business. Today we have offices in Argentina, Colombia, Germany, India,
the Netherlands, Switzerland (HQ), the United Arab Emirates, the
United Kingdom and Uruguay. We offer our services in Dutch, English,
French, German, Italian, and Spanish.

2002 - Risknowlogy was founded in Schinveld, The Netherlands
2007 - Risknowlogy moved headquarters to Zug in Switzerland
2008 - Risknowlogy opened the Buenos Aires office in Argentina
2009 - Risknowlogy opened the Karlsruhe office in Germany
2011 - Risknowlogy opened the Dubai office in the United Arab Emirates
2012 - Risknowlogy opened the Mumbai office in India and the Bogota office in Colombia
2013 - Risknowlogy opened the UK office in the South of England
2014 - Risknowlogy opened the Montevideo office in Uruguay

Contact Risknowlogy if you would like to explore opportunities.
Experts in Risk, Reliability and Safety


Baarerstrasse 11, 6300, Zug, Switzerland