Understanding safety standards ‘Proven in Prior Use’ requirements
05 July 2008
The decision to use ‘proven in prior use’ components and subsystems in an SIS application requires the development and maintenance of a ‘self-certification’ process that conforms to international safety standards.
It is fairly common for companies to have developed a ‘preferred list’ of transmitters, valves, actuators and other process control components and subsystems. Such lists are usually the result of long-time relationships between the engineering and maintenance departments and the various devices themselves. Because of unique process conditions, these preferred lists often include ‘no substitute’ notations for specific plant areas.
Within the minds of those who helped develop these lists, each device is on the list because it has proven its capability, reliability and suitability in prior use. When contributors to the list are asked about a specific component or subsystem they will expound, often in great detail, how a particular device achieved its preferred list status.
However, when asked to produce supporting documentation, most simply cannot. The ‘preferred list’ therefore counts for almost nothing when it comes to selecting components and subsystems that will produce a safety instrumented system (SIS) conforming with the International Electrotechnical Commission’s (IEC) 61511-1 standard, Functional safety – Safety instrumented systems for the process industry sector.
UNDERSTANDING THE BASIC REQUIREMENTS
The IEC 61511 standard is an industry specific version of IEC 61508 Functional safety of electrical / electronic / programmable electronic safety-related systems (E/E/PES).
It is important to understand the origin of IEC 61511 because as users read and begin to apply the standard they will find frequent references to IEC 61508 and that quickly leads to the realisation that IEC 61511 is not a standalone standard.
IEC 61508 was developed to serve as a basic functional safety standard for a broad range of industries including chemical, refining, mining, and transportation. Despite its broad industry and technology coverage, it is very specific in its conformance requirements. IEC 61511 is an industry specific version of this standard with language, terminology and requirements that better fit project level work in the process industries. IEC 61511 refers directly to IEC 61508 for product certification requirements.
The reality is that in order to design, specify, install, operate, and maintain an SIS application that conforms with the IEC 61511 standard, owner/operators must also conform to the relevant sections of IEC 61508, and that brings us to the subject of this article: meeting the standard’s ‘Proven in Prior Use’ requirements.
A QUICK CLARIFICATION
It is important to understand that when these safety standards refer to the SIS they are including all of the hardware, software, mechanical parts and communication networks. In other words, an SIS is much more than just the logic solver. An SIS includes the transmitters and/or switches; the logic solvers; all programming, operating system, and communication software; power supplies; the final elements (i.e., block valves) and their actuators; and all the interconnecting wiring. When considering equipment justification, all equipment must be considered.
A key, but often misunderstood, SIS design element is the term Safety Integrity Level (SIL). Working through a very thorough design process, a SIL value (1, 2, 3 or 4) is established for each identified hazard. A safety instrumented function (SIF) is designed to reduce the risk of the identified hazard, and it must meet the required SIL. (Note: SIL 4-rated safety instrumented functions require conformance to IEC 61508.)
There is one additional clarification worthy of mentioning; if you choose to place all of the safety protection (more than one SIF) in one logic solver, then the entire logic solver must meet the highest SIL value assigned to a SIF in that logic solver. For example, say you have identified four potential risks. Following a good design process, three of those risks are SIL 2 and one is SIL 3—an order of magnitude more stringent. If you place all four safety functions in a single logic solver, the logic solver must have a SIL 3 capability.
SELF CERTIFICATION REQUIREMENTS
IEC 61511 is brief but quite clear in its language about selecting SIS components and subsystems: ‘The components and subsystems shall be consistent with the SIS safety requirements specifications’ and ‘Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with 11.4 and 11.5.3 to 11.5.6, as appropriate.’
In reading those two paragraphs from IEC 61511, the terms ‘in accordance’ and ‘as appropriate’ remind us that in order to conform to IEC 61511 the SIS application must also conform with the appropriate IEC 61508 requirements.
Essentially an owner/operator’s decision to use ‘proven in prior use’ components and subsystems from their preferred lists in an SIS application requires that the owner/operator develop and maintain a ‘self-certification’ process that is well documented, current, and that fully conforms with IEC 61511 requirements.
While IEC 61511 does not spell out a specific methodology that will result in a conforming self-certification, there are key self-certification program elements that would clearly provide a good program and meet standards requirements. These elements include having:
• A clear description of each component’s and subsystem’s design revision information;
• Reliability data for identical or very similar applications, including applicable conditions and/or restrictions for use of that component or subsystem;
• Results of operating software compliance as defined in IEC 61508-3;
• Procedures in place to verify that the component and/or subsystem meets functional requirements, is qualified (rated) for use in the expected environment, and the materials of construction are suitable for expected process conditions including actual test results from use in similar but non-safety critical applications;
• Acknowledged competency to review the design aspects of mechanical and/or electrical components, including component failure modes, fail-safe vs. fail-dangerous behaviour, any claimed automatic diagnostics, and internal redundancy, in order to produce a quantitative failure rate. (This number will eventually be used in the calculations that determine whether a particular SIF design meets its defined SIL requirement);
• Acknowledged competency that is capable of combining sophisticated design analysis processes, tools and testing methods with a thorough review of both the device’s original design and all subsequent modifications to the electrical, mechanical, and software aspects of the device with the intent of uncovering design errors;
• Regularly conducted audits of a device manufacturer’s change management processes for each device on the preferred list that is being used or is being considered for use in an SIS application; and
• A documented ‘Safety Case’ describing, in significant detail, how a manufacturer’s component and subsystems meet each requirement of IEC 61508.
Assuming that your company is willing to meet all of the above proven-in-prior-use requirements, there is one more that is very difficult to meet, especially for smaller companies. That requirement has to do with having documented operating experience for each device on the preferred list.
IEC 61508 requirements are very specific about the number of operating experience hours needed to meet the various SIL value requirements. For a given component or subsystem revision level, IEC 61508 suggests:
• Minimum of 100,000 unit hours for components targeted for SIL 1 applications,
• Minimum of 1,000,000 unit hours for SIL 2 applications, and
• Minimum of 10,000,000 unit hours for SIL 3 applications.
And if that isn’t difficult enough, you must also show that you were able to detect and record all the dangerous failures, thus your proof testing procedures must be near 100% effective.
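As an added illustration (not code from the article or from exida), the following script screens a preferred-list device revision against the prior-use elements described above: the unit-hour thresholds just quoted, the requirement that dangerous failures were actually detected and recorded, the four evidence items of IEC 61511’s 11.5.3.2, and the earlier rule that a shared logic solver must carry the highest SIL of the SIFs it hosts. The device records, the 99% proof-test coverage threshold and the evidence key names are constructed assumptions.

```python
from dataclasses import dataclass

# Minimum accumulated unit hours per device revision, as quoted in the article.
PRIOR_USE_HOURS = {1: 100_000, 2: 1_000_000, 3: 10_000_000}
# The four evidence items of IEC 61511-1 11.5.3.2, as assumed short keys.
REQUIRED_EVIDENCE = {"quality_system", "identification", "similar_profile", "operating_experience"}

@dataclass
class Installation:
    units: int
    hours_each: float
    similar_profile: bool        # same operating profile and environment as the SIF?
    proof_test_coverage: float   # fraction of dangerous failures detected, 0..1

@dataclass
class DeviceRecord:
    tag: str
    revision: str
    evidence: set
    installs: list

def unit_hours(rec):
    """Operating-experience volume; only similar operating profiles count."""
    return sum(i.units * i.hours_each for i in rec.installs if i.similar_profile)

def prior_use_sil(rec, min_coverage=0.99):
    """Highest SIL the prior-use claim supports for this revision, 0 if none."""
    if not REQUIRED_EVIDENCE <= rec.evidence:
        return 0
    # Hours count only if dangerous failures were detected and recorded, so
    # weak proof testing voids the claim regardless of volume.
    if any(i.proof_test_coverage < min_coverage for i in rec.installs if i.similar_profile):
        return 0
    hours = unit_hours(rec)
    return max((sil for sil, need in PRIOR_USE_HOURS.items() if hours >= need), default=0)

def logic_solver_sil(sif_sils):
    """A logic solver hosting several SIFs must meet the highest SIL among them."""
    return max(sif_sils)

def sample_record(missing_evidence=False):
    """Constructed sample: a preferred-list transmitter family at revision B."""
    ev = set(REQUIRED_EVIDENCE)
    if missing_evidence:
        ev.discard("operating_experience")
    return DeviceRecord("PT-series", "rev B", ev, [
        Installation(40, 43_800, True, 0.99),     # 40 units, 5 years, same service
        Installation(200, 100_000, False, 0.95),  # different service: does not count
    ])
```

With the sample data the 1,752,000 similar-service unit hours support a SIL 2 claim but not SIL 3, and the claim collapses to nothing if any evidence item is missing or proof-test coverage falls below the threshold.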
One of the frequently asked questions regarding ways to meet IEC’s operating experience requirements is, ‘Can’t I use data from one of the reliability databases?’
Some companies belong to industry specific consortiums where best practices and other industry specific information are shared. Two of the most recognised are the Offshore Reliability Data (OREDA; www.sintef.no/static/tl/projects/oreda/ ) and the Process Reliability Database (PERD; www.aiche.org/CCPS/ActiveProjects/PERD/index.aspx).
Each of these databases provides a wealth of reliability data about a wide range of devices and equipment; however, the taxonomy of these and other similar databases is not sufficient to meet the requirements of IEC 61508.
Now before you throw up your hands and declare it impossible to conform to the requirements of IEC 61511, there is an alternative.
An alternative to self-certification
There is a growing number of manufacturers offering SIS components and subsystems. Some of these manufacturers have absorbed the time and expense necessary to have a specific revision of a specific device fully certified per IEC 61508 requirements by third parties, such as exida Certification (Geneva) or one of the TÜV companies (Cologne, Munich, and Essen).
These components and subsystems will include not only the third-party certification but also a detailed user safety manual that includes any restrictions on the devices’ use.
Other component and subsystem manufacturers have paid to have a third-party assessment of a specific device’s field failure records, thereby helping owner/operators establish prior-use-evaluations. And lastly, a few manufacturers have chosen to self-certify their own devices. A comprehensive list of such components is available at www.exida.com/applications/sael/index.asp.
Meeting IEC’s proven-in-prior-use requirements is not easy, but consider one additional thing: following an incident, accident investigation teams from local, regional and national regulatory agencies will very likely scrutinise everyone and everything, including the SIS component and subsystem certification process. If you decided to self-certify, are you sure your installed SIS applications will pass that kind of scrutiny?
Dr. William Goble has over 30 years of professional experience and is widely recognised as an expert in safety systems. He is a partner at exida and has written two books on safety and reliability modelling, including ‘Control Systems Safety Evaluation and Reliability.’
Online Help is Available
For most engineers working in process plants today, selecting SIS components and subsystems for a defined SIS application is not their primary responsibility or their area of expertise.
As an aid to these persons, the exida Web site includes a regularly audited and updated Safety Equipment List of all SIS components that have been certified by any third-party organisation as conforming to IEC 61508.
IEC 61511’S PRIOR USE LANGUAGE – VERBATIM
11.5.3.1 Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system.
NOTE 1 In the case of field elements, there may be extensive operating experience either in safety or non-safety applications. This can be used as a basis for the evidence.
NOTE 2 The level of details of the evidence should be in accordance with the complexity of the considered component or subsystem and with the probability of failure necessary to achieve the required safety integrity level of the safety instrumented function(s).
11.5.3.2 The evidence of suitability shall include the following:
• Consideration of the manufacturer’s quality, management and configuration systems;
• Adequate identification and specification of the components or subsystems;
• Demonstration of the performance of the components or subsystems in similar operating profiles and physical environments;
NOTE In the case of field devices (for example, sensors and final elements) fulfilling a given function, this function is usually identical in safety and non-safety applications, which means that the device will be performing in a similar way in both types of application. Therefore, consideration of the performance of such devices in non-safety applications should also be deemed to satisfy this requirement.
• The volume of the operating experience.
NOTE For field devices, information relating to operating experience is mainly recorded in the user’s list of equipment approved for use in their facilities, based on an extensive history of successful performance in safety and non-safety applications, and on the elimination of equipment not performing in a satisfactory manner. The list of field devices may be used to support claims of experience in operation, provided that
o the list is updated and monitored regularly;
o field devices are only added when sufficient operating experience has been obtained;
o field devices are removed when they show a history of not performing in a satisfactory manner;
o the process application is included in the list where relevant.
Visit www.isa.org to obtain a copy of IEC 61511 (ANSI/ISA-84.00.01-2004 IEC 61511 Mod. parts 1, 2 & 3).