Automation equipment in control applications is selected primarily based on operational needs, such as functionality, reliability, repeatability, accuracy, communication options, and ease of maintenance. Demonstrated in-service performance earns the equipment and its manufacturer a coveted place on the approved equipment list. Equipment in safety applications must also support the risk reduction requirements in addition to meeting the operational needs. For safety instrumented systems (SIS), the concept of approving the initial selection and continued use of equipment based on in-service performance is referred to as proven in use in IEC 61508 [2010] and prior use in IEC 61511 [2016]. Ultimately, the intent of both standards is to collect data that proves that the installed equipment is capable of providing satisfactory in-service performance.
Manufacturers often make safety integrity level (SIL) claims on their products, but SIL is a loop concept and not a device property. A SIL 1 sensor connected to a SIL 1 logic solver with an output to a SIL 1 final element may not achieve a SIL 1 loop. Like links in a chain, the integrity is limited by the weakest link, but the chain is only as strong as the whole. In many cases, it is necessary to design some, if not all, of the subsystems (the links) to achieve a higher SIL claim so that the loop (the chain) meets the required SIL.
The most troublesome result of the IEC 61508 certification process is how non-conservative the manufacturer claims appear to be. The failure rate data published by various industry data collection programs has revealed that in-service dangerous failure rates are significantly higher than what is claimed in the majority of 3rd party approval reports. For field devices, the reported values are generally 3 to 10 times lower than what is seen in actual installations. For PLCs, the manufacturer’s claims can be non-conservatively lower than in-service performance by a factor of 10 or more. This means that a lot of certified equipment is being sold based on a SIL claim at least one level higher than achievable in the installation.
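The two points above, that SIL is a property of the whole loop and that claimed failure rates can be several times lower than in-service rates, can be seen numerically with the simplified low-demand approximation PFDavg ≈ λDU × TI / 2 for a 1oo1 subsystem, summed across the sensor, logic solver and final element. The block below is an added illustration written for this page, not code from the article or from any standard; the failure rates, proof-test intervals and the 3x/10x in-service ratios are constructed values chosen only to land inside the ranges the text describes, and `Subsystem`, `loop_pfd`, `derate` and `sil_from_pfd` are names invented here.

```python
"""Loop PFDavg versus per-subsystem SIL claims (added illustration).

Simplified 1oo1 low-demand model: PFDavg ~= lambda_DU * TI / 2, and the
loop PFDavg is approximated as the sum of the subsystem PFDavg values.
Only random hardware failure is modelled; architectural constraints and
systematic capability, which a full SIL verification also needs, are
out of scope here. All numbers are constructed, not vendor data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# IEC 61508-1 low-demand-mode target failure measure bands (PFDavg):
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its low-demand SIL band; 0 means worse than SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    # Below 1e-5 the hardware metric alone cannot justify more than SIL 4.
    return 4 if pfd < 1e-5 else 0


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float              # dangerous undetected failure rate, per hour
    test_interval_h: float = 8760.0  # proof-test interval, default one year

    def pfd_avg(self) -> float:
        """1oo1 simplified approximation: lambda_DU * TI / 2."""
        return self.lambda_du * self.test_interval_h / 2.0


def loop_pfd(subsystems: List[Subsystem]) -> float:
    """Series loop: PFDavg of the SIF is roughly the sum of subsystem PFDs."""
    return sum(s.pfd_avg() for s in subsystems)


def derate(subsystems: List[Subsystem], factors: Dict[str, float]) -> List[Subsystem]:
    """Scale each claimed lambda_DU by an in-service/claimed ratio (constructed)."""
    return [replace(s, lambda_du=s.lambda_du * factors[s.name]) for s in subsystems]


def with_test_interval(subsystems: List[Subsystem], ti_h: float) -> List[Subsystem]:
    """Re-evaluate the same hardware with a different proof-test interval."""
    return [replace(s, test_interval_h=ti_h) for s in subsystems]


def assess(subsystems: List[Subsystem]) -> Tuple[Dict[str, int], float, int]:
    """Return (per-subsystem SIL bands, loop PFDavg, loop SIL band)."""
    per_subsystem = {s.name: sil_from_pfd(s.pfd_avg()) for s in subsystems}
    total = loop_pfd(subsystems)
    return per_subsystem, total, sil_from_pfd(total)


# Constructed "claimed" rates: every subsystem, taken alone, sits in the SIL 1 band.
CLAIMED = [
    Subsystem("sensor", 8.0e-6),
    Subsystem("logic_solver", 5.0e-6),
    Subsystem("final_element", 1.2e-5),
]

# Constructed in-service/claimed ratios, picked from the ranges the article
# cites: about 3x for field devices, 10x or more for PLC-based logic solvers.
IN_SERVICE_FACTOR = {"sensor": 3.0, "logic_solver": 10.0, "final_element": 3.0}


if __name__ == "__main__":
    for label, subs in [
        ("claimed rates, annual proof test", CLAIMED),
        ("claimed rates, quarterly proof test", with_test_interval(CLAIMED, 2190.0)),
        ("in-service rates, annual proof test", derate(CLAIMED, IN_SERVICE_FACTOR)),
        ("in-service rates, quarterly proof test",
         with_test_interval(derate(CLAIMED, IN_SERVICE_FACTOR), 2190.0)),
    ]:
        per, total, loop_sil = assess(subs)
        print(f"{label}: subsystems={per} loop PFDavg={total:.4f} loop SIL={loop_sil}")
```

With the constructed claimed rates, each link reaches SIL 1 on its own (PFDavg 0.035, 0.022 and 0.053) but the chain sums to 0.1095, just outside the SIL 1 band; shortening the proof-test interval to a quarter brings the loop to 0.027, which is SIL 1. Applying the in-service ratios from the text instead pushes the annual-test loop to about 0.48 and even the quarterly-test loop to about 0.12, so the design that looked adequate on claimed data does not meet SIL 1 on prior-use data.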
IEC 61511 only requires the use of IEC 61508 compliant equipment when applying PLCs in SIL 3 applications. For all other technologies, IEC 61511 clause 11.5.2.1 states, “Devices selected for use as part of a SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, and/or 11.5.3 to 11.5.6, as appropriate.” This clause lists two forms of evidence that can be used to select devices for SIS applications:
- Evaluation for compliance with IEC 61508 Part 2 (hardware) and Part 3 (software). This typically involves a 3rd party approval of a specific configuration of a product.
- Prior use or historical data. This data is typically derived from the device’s performance in similar operating environments.
When weighing these two forms of evidence, recognize that the more relevant the information is to the in-service environment, the higher the certainty that the actual failure rate will be in alignment with the assumed reliability parameters. In-service data is essential to understanding the real potential for human (or systematic) errors. In contrast to IEC 61508 compliance information, prior use identifies not only hardware failures and their root causes, but also systematic failures, which is essential for achieving industry benchmarked performance.
IEC 61511 acknowledges the importance of in-service records for justifying the continued use of existing equipment. For example, clause 5.2.5.4 states that “for existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.” The newly required stage 4 functional safety assessment involves a periodic examination of site operating and maintenance records to determine whether the installed SIS is being managed as planned and complies with the safety requirements specification.
IEC 61511’s quality metrics are also appropriate for proving the fitness for purpose of equipment in any safety control, alarm, and interlock application. Fundamentally, this approval process involves making an engineering judgment of the equipment’s design quality, functional capabilities, use factors, in-service history, failure rate in the operating environment, and ability to fulfill the safety requirements specification for the particular application.