718c40d3b752ce34e903d993e1e89de5.ppt
- Number of slides: 22
About Us! Rob Stockham BA IEng MIEE, General Manager, Moore Industries-Europe, Inc; Member IEE; Honorary Secretary, ISA England; Institute of Directors; Director, The CASS Scheme Ltd; Treasurer, The IEC 61508 Association
About Us! Bob Smith CEng FInstMC MIEE BA, Functional Safety Specialist, Moore Industries-Europe, Inc; Member IEE; ISA; Fellow, Institute of Measurement and Control
SOLD on Safety. We must be 'sold' on the commitment to undertake safety-critical and safety-related requirements fully and properly. BUT we must be careful that we are not 'sold' a safety answer that is non-compliant with IEC 61508! Functional Safety is a culture, not a widget you can buy.
Typical Safety Related Loop (diagram): Sensor, Logic Solver and Actuator, with the Application/Duty, the Calibration and Maintenance Procedures and the Environment all acting on the loop. The Safety Integrity Level (SIL) requirement is defined for the loop as a whole; each component then has to be supported by Component Safety Data (PFD, SFF, etc.) or by Proven in Use evidence (PIU, and software PIU), which leads to the question of Selection and Justification of Instruments. Legend: PIU = Proven in Use; PFD = Probability of Failure on Demand; SFF = Safe Failure Fraction.
How could a loop component be selected? Selection follows a comprehensive Risk Assessment and the assignment of a Safety Integrity Level (SIL) for the whole safety instrumented loop. A component is then selected having an appropriate SIL capability, typically SIL 1, 2, 3 or 4 (SIL 4 being the highest). Basis for selection, alternatively:
a. 'Proven in Use Claim', OR
b. 'Manufacturer Claim', OR
c. 'Third Party EXPERT Opinion'.
Can this be justified? Certification 'Suitable for SIL 3': but what does this mean?
a. Justification as PROVEN IN USE? By Whom?
What do the IEC themselves say about 'proven in use'? http://www.iec.ch/zone/fsafety/compliance.htm
This is a question raised on the IEC website: "D 11) Can an E/E/PE safety-related system contain hardware and/or software that was not produced according to IEC 61508, and still comply with the standard (proven in use)?" and the answer: "It may be possible to use a proven in use argument as an alternative to meeting the design requirements for dealing with systematic failure causes in IEC 61508, including hardware and software. But it is essential to note that proven in use cannot be used as an alternative to meeting the requirements for:
• architectural constraints on hardware safety integrity (see 7.4.2.1 of IEC 61508-2);
• the quantification of dangerous failures of the safety function due to random hardware faults (see 7.4.3.2 of IEC 61508-2); and
• system behaviour on detection of faults (see 7.4.6 of IEC 61508-2).
See 7.4.2.2 of IEC 61508-2 for a summary of design requirements, including references to more detailed systematic hardware requirements in the standard."
and... "A proven in use claim relies on the availability of historical data for both random hardware and systematic failures, and on analytical techniques and testing if the previous conditions of use of the subsystem differ in any way from those which will be experienced in the E/E/PE safety-related system. 7.4.7.6 of IEC 61508-2 requires that:
• the previous conditions of use of the subsystem are the same as, or sufficiently close to, those which will be experienced in the E/E/PE safety-related system (see 7.4.7.7 of IEC 61508-2);
• if the above conditions of use differ in any way, a demonstration is necessary (using a combination of appropriate analytical techniques and testing) that the likelihood of unrevealed systematic faults is low enough to achieve the required safety integrity level of the safety functions which use the subsystem (see 7.4.7.8 of IEC 61508-2);
• the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of IEC 61508-2);
• failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
• evidence is assessed taking into account the complexity of the subsystem, the contribution made by the subsystem to the risk reduction, the consequences associated with a failure of the subsystem, and the novelty of design (see 7.4.7.11 of IEC 61508-2); and
• the application of the proven in use subsystem is restricted to those functions and interfaces of the subsystem that meet the relevant requirements (see 7.4.7.12 of IEC 61508-2)."
And finally, "7.4.2.11 of IEC 61508-3 allows the use of standard or previously developed software without the availability of historical data but with the emphasis on analysis and testing. This concept should be distinguished from the proven in use concept described above."
In summary: the proven-in-use route is for the end-user, and it requires the collection of comprehensive, statistically significant data on failures experienced in the application being considered, or in a very similar one. Testing may also be required to support a proven-in-use claim, particularly where the instrument uses software/firmware. Diligence and the weight of supporting evidence increase in direct relation to the required safety integrity level.
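The "sufficient statistical basis" condition is where most proven-in-use claims fall down, so here is a worked check of it. This is an added example, not code from the slides or from Moore Industries: it computes the one-sided upper confidence bound on a constant failure rate from accumulated field hours and observed failures (the classical Poisson/chi-squared bound of reliability statistics) and the operating hours needed before a claimed rate is supported with no failures seen. The 70 % single-sided confidence level, the 100 FIT claim and the fleet figures are assumptions made for the example, not numbers from the deck.

```python
"""Added example: statistical support for a proven-in-use failure-rate claim
(constructed figures, not data from the slides)."""
import math


def poisson_cdf(n, m):
    """P(N <= n) for N ~ Poisson(m); n is the small count of observed failures."""
    return sum(math.exp(-m) * m ** i / math.factorial(i) for i in range(n + 1))


def upper_failure_rate(hours, failures, confidence=0.70):
    """One-sided upper confidence bound on a constant failure rate (per hour).

    Solves P(N <= failures | lambda * hours) = 1 - confidence for lambda by
    bisection on the Poisson mean. This is the same value as the classical
    chi2(2 * failures + 2, confidence) / (2 * hours) bound, without SciPy.
    """
    if hours <= 0 or not 0 < confidence < 1:
        raise ValueError("need positive hours and 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:   # grow until the root is bracketed
        hi *= 2.0
    for _ in range(100):                        # the CDF decreases with the mean
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours


def hours_for_zero_failures(claimed_rate, confidence=0.70):
    """Operating hours needed, with no failures seen, before claimed_rate is supported."""
    return -math.log(1.0 - confidence) / claimed_rate


def claim_supported(claimed_rate, hours, failures, confidence=0.70):
    """True when the field evidence bounds the rate at or below the claim."""
    return upper_failure_rate(hours, failures, confidence) <= claimed_rate


if __name__ == "__main__":
    claimed = 100e-9                  # assumed: data sheet claims lambda_DU = 100 FIT
    fleet_hours = 500 * 3 * 8760      # assumed: 500 units, 3 years, comparable duty
    print(f"hours needed with zero failures: {hours_for_zero_failures(claimed):,.0f}")
    for seen in (0, 1):
        ub = upper_failure_rate(fleet_hours, seen)
        print(f"{seen} dangerous failure(s) in {fleet_hours:,} h -> "
              f"upper bound {ub:.2e}/h, supports claim: "
              f"{claim_supported(claimed, fleet_hours, seen)}")
```

With the assumed fleet, zero dangerous failures in 13.1 million hours bounds the rate at about 9.2e-8/h and supports the 100 FIT claim; a single observed dangerous failure pushes the bound to about 1.9e-7/h and the same data no longer supports it. That is why the IEC answer above insists on adequate failure data collection: an unreported field failure silently turns an unsupported claim into a supported one.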
b. Justification using MANUFACTURER'S CLAIM? Check the basis for the claim. To be compliant with IEC 61508 the Supplier should be able to show:
• ISO 9001:2000 certification of ALL design and manufacturing procedures.
• Key staff competency and responsibility.
• Functional Safety Management capability in accordance with IEC 61508-1.
The Supplier should be able to provide documented evidence of the following:
• A documented FMEDA providing safe and dangerous failure rates, diagnostic coverage, Safe Failure Fraction and Hardware Fault Tolerance.
• That hardware design Techniques and Measures, taken against the possibility of systematic hardware failure, are consistent with the required SIL capability.
• That software design Techniques and Measures, taken against the possibility of systematic software faults, are consistent with the required SIL capability.
A good, competent manufacturer possessing Functional Safety Management certification should be perfectly capable of providing all the necessary supporting data for the instrument produced, without third party Certification.
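To make concrete what the FMEDA figures in a manufacturer's claim are used for, and why the IEC answer quoted earlier says proven in use cannot replace the architectural constraints or the quantification of random hardware failures, here is an added example (not code from the slides or from Moore Industries). It takes constructed FMEDA failure rates in FIT, derives the Safe Failure Fraction, applies the SFF/HFT tables of IEC 61508-2 for Type A and Type B elements as I recall them from the first edition, and compares that limit with the SIL band implied by the simplified 1oo1 PFDavg = λDU·T1/2. The failure rates, the Type B classification and the one-year proof-test interval are assumptions for the example.

```python
"""Added example: SFF, architectural constraints and PFDavg for a single
safety-loop element from constructed FMEDA data (not from the slides)."""

FIT = 1e-9  # failures per hour; FMEDA results are usually quoted in FIT

# IEC 61508-2 architectural constraint tables (first edition, Tables 2 and 3),
# indexed [sff_band][hft]; 0 means "not allowed". Reproduced from memory.
TYPE_A = [[1, 2, 3],   # SFF < 60 %
          [2, 3, 4],   # 60 % <= SFF < 90 %
          [3, 4, 4],   # 90 % <= SFF < 99 %
          [3, 4, 4]]   # SFF >= 99 %
TYPE_B = [[0, 1, 2],
          [1, 2, 3],
          [2, 3, 4],
          [3, 4, 4]]


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (safe + dangerous-detected) / total failure rate, all in FIT."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0:
        raise ValueError("FMEDA must list a non-zero failure rate")
    return (l_sd + l_su + l_dd) / total


def sff_band(sff):
    """Row of the architectural constraint table for an SFF value."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_architectural(sff, hft, type_b):
    """Highest SIL the element may claim on architecture alone (0 = none)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    table = TYPE_B if type_b else TYPE_A
    return table[sff_band(sff)][hft]


def pfd_avg_1oo1(l_du_fit, proof_test_hours):
    """Simplified 1oo1 PFDavg = lambda_DU * T1 / 2 (perfect proof test, no repair time)."""
    return l_du_fit * FIT * proof_test_hours / 2.0


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg value; 0 = worse than SIL 1.
    Anything below 1e-4 is reported as 4 (values below 1e-5 are outside the bands)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess_element(l_sd, l_su, l_dd, l_du, hft, type_b, proof_test_hours):
    """The element can claim no more than the lower of the architectural limit
    and the PFD-derived limit. The PFD here is this element's contribution only:
    sensor, logic solver and actuator PFDs must be summed against the loop target."""
    sff = safe_failure_fraction(l_sd, l_su, l_dd, l_du)
    arch = max_sil_architectural(sff, hft, type_b)
    pfd = pfd_avg_1oo1(l_du, proof_test_hours)
    return {"sff": sff, "arch_sil": arch, "pfd_avg": pfd,
            "pfd_sil": sil_from_pfd(pfd),
            "claimable_sil": min(arch, sil_from_pfd(pfd))}


if __name__ == "__main__":
    # Constructed FMEDA for a microprocessor-based (Type B) transmitter,
    # 1oo1 architecture, annual proof test.
    r = assess_element(l_sd=200, l_su=300, l_dd=400, l_du=100,
                       hft=0, type_b=True, proof_test_hours=8760)
    print(r)
```

With these numbers the SFF is 90 % and the PFDavg of 4.4e-4 sits in the SIL 3 band, yet a Type B element with HFT 0 is limited to SIL 2 by the architectural constraints; the same FMEDA for a Type A element would allow SIL 3. A "suitable for SIL 3" label that does not state the element type, HFT and proof-test interval behind it therefore tells the end-user very little.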
Can the supplier claim a SIL capability in compliance with IEC 61511 instead of IEC 61508?
Reference IEC 61511-1, Section 1, Scope, para b): "applies when equipment that meets the requirements of IEC 61508, or of 11.5 of IEC 61511-1, is integrated into an overall system that is to be used for a process sector application but does not apply to manufacturers wishing to claim that devices are suitable for use in safety instrumented systems for the process sector (see IEC 61508-2 and IEC 61508-3;"
c. Justification using THIRD PARTY CERTIFICATION? Does this relieve the end-user of any responsibility? NO! Compliance is always the responsibility of the end-user. Certification by a third party is a potentially useful contribution to a fitness-for-purpose argument, but the same IEC 61508 issues must still be covered, documented and visible!
c. Justification using THIRD PARTY CERTIFICATION? Check the basis for the claim. To be compliant with IEC 61508 the Certifier should be able to show:
• ISO 9001:2000 certification of ALL design and manufacturing procedures.
• Key staff competency and responsibility.
• Functional Safety Management capability in accordance with IEC 61508-1.
The Certifier should be able to provide documented evidence of the following:
• A documented FMEDA providing safe and dangerous failure rates, diagnostic coverage, Safe Failure Fraction and Hardware Fault Tolerance.
• That hardware design Techniques and Measures, taken against the possibility of systematic hardware failure, are consistent with the required SIL capability.
• That software design Techniques and Measures, taken against the possibility of systematic software faults, are consistent with the required SIL capability.
Additionally:
The 61508 Association. What is The 61508 Association? The 61508 Association is a cross-industry group of organizations with an interest in achieving a dependable and cost-effective method for demonstrating compliance with IEC 61508 and related standards. What is the Association for? The purpose of The 61508 Association is to promote the CASS method for providing the integrity, transparency and consistency of the conformity assessment process for all phases of the lifecycle of safety-related systems. We achieve our purpose by:
• Bringing together all parties with an interest in functional safety
• Identifying and removing obstacles to the profitable application of IEC 61508 and related standards
• Facilitating the improvement in the understanding of and competence in the use of IEC 61508 and related standards
• Working with CASS to ensure that the scheme meets the conformity assessment needs of the functional safety stakeholders
Contact us with any questions: go to www.61508.org.
QUESTIONS?