Automation equipment in control applications is selected primarily based on operational needs, such as functionality, reliability, repeatability, accuracy, communication options and ease of maintenance. Demonstrated in-service performance earns the equipment and its manufacturer a coveted place on the approved equipment list. Equipment in safety applications must also support risk reduction requirements. For safety instrumented systems (SIS), approving the initial selection and continued use of equipment based on in-service performance is referred to as “proven in use” in International Electrotechnical Commission (IEC) 61508 and “prior use” in IEC 61511. Ultimately, the intent of both standards is to collect data that proves the installed equipment is capable of providing satisfactory performance.
Manufacturers often make safety integrity level (SIL) claims for their products. However, SIL is a property of the safety instrumented function (the loop), not of a device. An SIL 1 sensor connected to an SIL 1 logic solver with an output to an SIL 1 final element will not necessarily achieve an SIL 1 loop: for a low-demand function the average probability of failure on demand (PFDavg) of the loop is the sum of the subsystem PFDavg values, so three subsystems that each sit near the top of the SIL 1 band can add up to a loop PFDavg outside it. A chain is only as strong as its weakest link; likewise, the weakest subsystem limits the integrity of the loop, and even the combined subsystems must still fit inside the target band. In many cases, it is necessary to design some, if not all, of the subsystems (the links) to a higher SIL than the target so the loop (the chain) meets the required SIL. Of course, the actual loop performance will also depend on the operations and maintenance management systems that keep the assumed proof-test intervals and repair times real.
The most troublesome result of the IEC 61508 certification process is how optimistic (unconservative) the manufacturer claims appear to be. Failure rate data published by various industry data collection programs have revealed in-service dangerous failure rates significantly higher than those claimed in the majority of third-party approval reports. For field devices, the claimed dangerous failure rates are generally 3-10 times lower than what is seen in actual installations. For programmable logic controllers, the manufacturer's claims can be lower than in-service performance by a factor of 10 or more. Because each SIL band spans a factor of 10 in PFDavg, a tenfold error in the failure rate is a full SIL level; this means a lot of certified equipment is being sold on the basis of an SIL claim at least one level higher than what is achievable in the installation.
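The two points above, that SIL is a loop property and that optimistic failure rate claims shift the achieved SIL, can be worked through numerically. The following is an added example, not code from the article or from any standard: it assumes a 1oo1 architecture for each subsystem, the low-demand approximation PFDavg = λDU × TI / 2 (where TI is the proof-test interval), and the illustrative failure rates and in-service multipliers shown (constructed values, chosen only to land in the SIL bands the text discusses).

```python
"""Added example (not from the article): loop PFDavg from subsystem failure
rates, and how claimed versus in-service rates move the achieved SIL.

Assumptions (not from the article): a 1oo1 architecture for every subsystem,
the low-demand approximation PFDavg = lambda_DU * TI / 2, and the constructed
failure rates and unconservatism factors in the sample data below.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands (PFDavg) from IEC 61508-1 / IEC 61511-1: (low, high, SIL).
SIL_BANDS = [
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
]


def pfd_avg(lambda_du_per_hour, test_interval_years):
    """Simplified 1oo1 PFDavg: dangerous-undetected rate times half the proof-test interval."""
    return lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd):
    """Map a PFDavg to its SIL band; 0 means no SIL credit (PFDavg >= 0.1)."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def loop_pfd(subsystems, test_interval_years):
    """Loop PFDavg is the sum over the series subsystems (sensor, logic solver, final element)."""
    return sum(pfd_avg(lam, test_interval_years) for lam in subsystems.values())


def loop_sil(subsystems, test_interval_years):
    """SIL achieved by the whole loop, not by any one device."""
    return sil_from_pfd(loop_pfd(subsystems, test_interval_years))


def claimed_vs_in_service(subsystems, factors, test_interval_years):
    """Achieved SIL on the manufacturer's claimed rates versus on rates scaled by
    per-subsystem in-service factors (the 3-10x for field devices and 10x or more
    for logic solvers discussed in the text). Returns (claimed_sil, in_service_sil)."""
    observed = {name: lam * factors[name] for name, lam in subsystems.items()}
    return loop_sil(subsystems, test_interval_years), loop_sil(observed, test_interval_years)


# Constructed data: three devices that each sit inside the SIL 1 band on their own.
THREE_SIL1_DEVICES = {"sensor": 1.0e-5, "logic_solver": 5.0e-6, "final_element": 1.0e-5}

# Constructed data: a loop that reaches SIL 2 on claimed rates, with hypothetical
# in-service multipliers in the ranges the text reports.
CLAIMED_RATES = {"sensor": 1.0e-6, "logic_solver": 1.0e-7, "final_element": 1.0e-6}
IN_SERVICE_FACTORS = {"sensor": 5.0, "logic_solver": 10.0, "final_element": 5.0}


if __name__ == "__main__":
    ti = 1.0  # annual proof test
    for name, lam in THREE_SIL1_DEVICES.items():
        print(f"{name:14s} PFDavg={pfd_avg(lam, ti):.3e}  SIL {sil_from_pfd(pfd_avg(lam, ti))}")
    print(f"loop           PFDavg={loop_pfd(THREE_SIL1_DEVICES, ti):.3e}  SIL {loop_sil(THREE_SIL1_DEVICES, ti)}")
    claimed, observed = claimed_vs_in_service(CLAIMED_RATES, IN_SERVICE_FACTORS, ti)
    print(f"second loop: SIL {claimed} on claimed rates, SIL {observed} on in-service rates")
```

With an annual proof test, each of the three devices in the first set lands in the SIL 1 band, yet their sum (about 0.11) exceeds the SIL 1 ceiling of 0.1, so the loop earns no SIL credit. The second loop is SIL 2 on claimed rates and drops to SIL 1 once the field devices are scaled by 5 and the logic solver by 10, which is the one-level loss the text describes. The same functions can be used to check a proposed loop against its required SIL before equipment is approved, and to re-check it once site failure data are available.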
IEC 61511 only requires the use of safety-certified controllers in SIL 3 applications. For all other technologies and applications, IEC 61511 clause 11.5.2.1 states, “Devices selected for use as part of an SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, and/or 11.5.3 to 11.5.6, as appropriate.” This clause lists two forms of evidence that can be used to select devices for SIS applications:
• Evaluation for compliance with IEC 61508 Part 2 (hardware) and Part 3 (software). This typically involves a third-party approval of a specific configuration of a product, under the operating conditions assumed in the assessment.
• Prior use or historical data. These data are typically derived from the device’s performance in similar operating environments.
When weighing these two forms of evidence, the more relevant the information is to the in-service environment, the greater the certainty that actual performance will match the reliability parameters assumed in the SIL calculation.
Both standards share one intent: site personnel should have sufficient evidence to be confident that the equipment, as installed, is suitable for the operating environment, meets the risk reduction requirements and is fit for purpose. In practice, every site has different organizational strengths and capabilities. One site may be perfectly capable of supporting a particular technology, while another may not be. The effect of the process fluid or external environment on a device can be more severe at one site than at another. These site-specific factors are typically outside the scope of an IEC 61508 analysis, which evaluates a product configuration under assumed conditions. Prior use evidence gives assurance that the selected equipment can be dependably specified and implemented in a way that minimizes the potential for random failures and human errors at that site.