Advertisement Feature Cover Story
Industrial Compliance, Summer 2011, pp. 8-9

Understanding ‘SIL’ Certificates

In recent years there has been an increasing number of Safety Integrity Level (‘SIL’) product certificates to IEC 61508 and related standards. Paul Reeve, Sira Certification’s principal functional safety consultant, explains the purpose and benefits of such certificates whilst pointing out the necessity to take care in understanding the finer points of what is (and what is not) being certified.

Sira Certification, www.siracertification.com, T: 01244 670 900

Product certificates of conformity to IEC 61508 (or related standards) often vary greatly because different certification bodies follow their own assessment methods and certificate formats. The SIL is actually a dependability measure of the overall safety function performed by a specific safety system (from sensor to actuator). However, most certificates are issued for mass-produced devices (for example temperature sensors, trip amplifiers, PLCs, valves, etc), so it is important to understand which critical attributes of a device need to be stated on a certificate to indicate its suitability for use in SIL-rated safety functions. For example, it is not just the probabilistic failure data that matters: many other attributes of a device can lead to system failure. Furthermore, any mention of a SIL number on a device certificate is highly dependent on conditions and assumptions about the overall safety system and the other devices in it.

Actually, IEC 61508 does not mention a requirement for a certificate; rather, it requires a Functional Safety Assessment (FSA), so it is important that certification covers all the requirements of an FSA (see IEC 61508-1 clause 8). For product FSAs (and hence product certificates) it is essential that all the information the user of the product requires is covered. The FSA report (on which a certificate is based) should itself be auditable, i.e. all relevant clauses of IEC 61508 should be traceable. Furthermore, the process by which the FSA has been conducted should comply with IEC 61508, namely the independence, competence and tools/procedures of the assessment body. A certification body which has the relevant parts of IEC 61508 in its scope of accreditation will ensure this is the case.

Where is certification useful?

Certification is particularly suitable for mass-produced devices, where it provides evidence of the FSA by an independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document. However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by the following real example, reproduced from the certificate panel below.

Figure: example ‘Certificate to IEC 61508’ panel
  λD = 2.3 x 10^-10 per hour
  PFD = 2.0 x 10^-7
  MTTF (dangerous) = 500,000 yrs
  MTBF (total) = 5,000 yrs
  Achieves SIL4 per IEC 61508
Caption: there are dangers in putting a SIL number as a ‘headline’ on the certificate, as once a SIL capability is stated there is a tendency to ignore the rest of the certificate.

Comparison of these figures with those for similar devices shows that it claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions.

Another example where caution is advised is where a certificate states ‘SIL3 @HFT=1’. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you don’t need a certificate to tell you that: the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals that the device is actually SIL2 capable, so the certificate can easily be misunderstood by the unwary reader whose eye is caught by the words ‘SIL3’.

The SIL capability of an instrument is an important parameter, but there are dangers in putting a SIL number as a ‘headline’ on the certificate, as once a SIL capability is stated there is a tendency to ignore the rest of the certificate.

Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than of the individual elements, the 2010 version of IEC 61508 has created the term ‘Systematic Capability’ of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC number refers to the rigour of the documentation and quality process used throughout the product’s development to avoid systematic failures.

What should be certified?

In order to engineer a safety function, the system designer needs to know certain information about the constituent instruments (in relation to their use in safety functions), in particular the hardware safety integrity (numerical failure data, HFT, SFF and device type) and the systematic safety integrity (measured by the SC number). Both of these have to meet the SIL for the device to be capable at that SIL.

The terms ‘safe failure’ and ‘dangerous failure’, and hence the ‘safe failure fraction’ (SFF), for an instrument are only meaningful when the target application is known. For example, if a final element fails TO OPEN at 50 FITs and fails TO CLOSE at 500 FITs (1 FIT = 10^-9 failures per hour), then the SFF is either 50/(50+500) = 9% or 500/(50+500) = 91%. So the SFF depends on whether failure to open or failure to close is the ‘safe’ mode for that application.

Where devices have internal hardware fault tolerance (HFT), is the certificate clear about how faults in one channel are detected and reported? What is the channel Mean Down Time (which must not be exceeded) for the failure data to be valid? Is the non-ideal independence between channels (common cause failure) accounted for? And what proof test method is needed to exercise each channel independently?

It has been noticed that some certificates use ‘HFT=0(1)’, meaning that the normal HFT requirement (1 in this case) has been reduced by 1 (to 0 in this case) on the basis of knowledge of probabilistic failures from ‘prior use’ (although this is actually an approach accepted by IEC 61511 for end users rather than by IEC 61508).

Sources of component failure data vary, as they are often industry specific. The source should be stated, and it is worth checking whether the component failure rates are taken from a database appropriate for the intended location and application of the instrument. How has the data been factored for environmental conditions? (If not stated, it is best to assume control room use only.) Are components used well within their rating? (IEC 61508 mentions de-rating.) Are there certain components that dominate the unit’s failure rate and require special attention (e.g. relays, gas sensors)?

If a Probability of Failure on Demand (PFDavg) is quoted for an instrument, remember that this is also governed by the proof test interval.

Every compliant instrument should have a ‘Safety Manual’, which should be referenced in the certificate. It is critical to use the device only in accordance with the Safety Manual (the certified failure data is usually invalid otherwise). It should give any constraints on use and any assumptions under which the failure data is valid. It should also cover configuration, installation, maintenance, operation, etc, to avoid systematic failures. Refer to IEC 61508-2, ed. 2, Annex D, which gives specific requirements for the Safety Manual.

In regard to mechanical devices, systematic failures are more dominant, so expect the certificate to reference information on avoiding these. Generally speaking:

• Constant failure rates are usually very low.
• Wear-out faults may have a different operational profile (number of cycles) compared to electronic devices (which tend to follow the idealised time-based ‘bath tub’ profile more closely).
• Sources such as NPRD-2011 give real field data for thousands of components, including the statistical basis for each value.

For devices that include embedded software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software:

• has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes);
• has been assessed, including a justification for the development tool chain.

If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial.

It must be realised, especially when the certificate is based on predicted (FMEA) data, that the ongoing lifecycle should be reviewed by performing field failure analysis to confirm that the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that oblige:

• the end user to collect (see IEC 60300-3-2) and feed back field failure information to the manufacturer;
• the manufacturer to analyse field failures and take the necessary action (inform the certification body, notify users, etc).
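The arithmetic behind the points made above (the 9%/91% SFF example, the ‘SIL3 @HFT=1’ headline, the PFDavg-versus-proof-test-interval remark, and the example certificate panel) can be checked mechanically. The following is an added example, not code from the article or from Sira Certification: it encodes the IEC 61508-2 (2010) route 1H tables (maximum SIL per element against SFF band and HFT), the IEC 61508-1 low-demand PFDavg bands and the simplified single-channel PFDavg formula from IEC 61508-6. The 50/500 FIT rates and the panel figures are the article’s own; the SFF of 95% used for the ‘SIL3 @HFT=1’ case is a constructed value, and the panel’s dangerous rate is treated as wholly undetected.

```python
"""Checks a reader can run against the numbers on a SIL product certificate.

Added example, not code from the article or from Sira Certification.
Encodes the IEC 61508-2 (2010) route 1H tables, the IEC 61508-1 low-demand
PFDavg bands and the simplified 1oo1 PFDavg formula. The SFF of 0.95 used
for the 'SIL3 @ HFT=1' case is constructed; the other figures are the
article's own.
"""

FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0

# IEC 61508-2 Tables 2 (type A) and 3 (type B), route 1H. Each entry is
# (exclusive upper SFF bound of the band, (max SIL at HFT 0, 1, 2)).
# None means no SIL is claimable for that element in that configuration.
_ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def safe_failure_fraction(rate_safe, rate_dangerous):
    """SFF = (safe + dangerous detected) / total. No diagnostics are
    modelled here, so only the split between the two modes matters."""
    return rate_safe / (rate_safe + rate_dangerous)


def sff_for_application(rate_to_open, rate_to_close, safe_state):
    """The article's point: the same two rates give 9% or 91% SFF depending
    on whether failing open or failing closed is the safe mode."""
    if safe_state == "open":
        return safe_failure_fraction(rate_to_open, rate_to_close)
    if safe_state == "closed":
        return safe_failure_fraction(rate_to_close, rate_to_open)
    raise ValueError("safe_state must be 'open' or 'closed'")


def max_sil_route_1h(sff, hft, device_type):
    """Maximum SIL an element can be claimed for under route 1H."""
    if hft not in (0, 1, 2):
        raise ValueError("route 1H tables cover HFT 0, 1 and 2 only")
    for upper, sils in _ROUTE_1H[device_type]:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must be a fraction in [0, 1]")


def headline_claim_vs_element(sff, hft_on_certificate, device_type):
    """For a 'SILn @ HFT=m' headline, return (headline SIL, SIL the single
    element is actually capable of at HFT=0)."""
    return (max_sil_route_1h(sff, hft_on_certificate, device_type),
            max_sil_route_1h(sff, 0, device_type))


def sil_band_low_demand(pfd_avg):
    """IEC 61508-1 Table 2: SIL band for a low-demand PFDavg, or None when
    the value lies outside every band (at or above 1e-1, or below 1e-5)."""
    bands = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
    for sil, (lo, hi) in bands.items():
        if lo <= pfd_avg < hi:
            return sil
    return None


def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified IEC 61508-6 single-channel expression, all dangerous
    failures undetected and repair time ignored: PFDavg ~ lambda_DU * T1 / 2."""
    return lambda_du * proof_test_interval_h / 2.0


def check_certificate_panel(lambda_d_per_h, pfd_quoted, mttf_dangerous_years, mtbf_total_years):
    """Cross-check the figures on the article's example certificate against
    each other, treating the quoted dangerous rate as wholly undetected."""
    return {
        "mttfd_years_from_lambda_d": 1.0 / lambda_d_per_h / HOURS_PER_YEAR,
        "sff_from_mttf_ratio": 1.0 - mtbf_total_years / mttf_dangerous_years,
        "implied_proof_test_interval_days": 2.0 * pfd_quoted / lambda_d_per_h / 24.0,
        "pfd_avg_for_1_year_test": pfd_avg_1oo1(lambda_d_per_h, HOURS_PER_YEAR),
        "sil_band_of_quoted_pfd": sil_band_low_demand(pfd_quoted),
    }


if __name__ == "__main__":
    for state in ("open", "closed"):
        sff = sff_for_application(50 * FIT, 500 * FIT, state)
        print(f"safe state {state}: SFF {sff:.0%}, type B at HFT=0 -> SIL {max_sil_route_1h(sff, 0, 'B')}")
    print("'SIL3 @ HFT=1' type B element at SFF 95%:", headline_claim_vs_element(0.95, 1, "B"))
    for key, value in check_certificate_panel(2.3e-10, 2.0e-7, 500_000, 5_000).items():
        print(f"{key}: {value}")
```

Run against the panel, the MTTF (dangerous) of 500,000 years is consistent with the quoted rate, and the MTBF/MTTF ratio implies an SFF of 99%. The quoted PFD, however, only follows from the quoted rate if the proof test interval is about 72 days (a one-year interval gives roughly 1 x 10^-6), and both values lie below the floor of the SIL4 band, which is why the function returns no band at all. Those are the searching questions the article has in mind.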

Read the conditions

Most certificates have conditions of certification which should be complied with. These might be conditions for the manufacturer and/or for the end user regarding design modifications, action on failure, ongoing management of functional safety, etc. Whether stated or not, it is certainly the case that the selection of equipment for use in safety functions, and its installation, configuration, overall validation, maintenance and repair, should only be carried out by competent personnel, observing all the manufacturer’s conditions and recommendations in the user documentation.
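The field failure feedback the conditions above call for is only useful if someone turns the returned hours and failures into a statement about the certified rate. The following is an added example, not code from the article or from any IEC 61508 text: it computes a one-sided upper confidence bound on a constant failure rate from observed device-hours and dangerous failures (the exact Poisson bound, found by bisection so no statistics library is needed) and compares it with the rate on the certificate. IEC 61508-7 Annex D’s own tables are not reproduced; the 90% confidence level and the fleet of 2,000 units over three years are constructed, and the claimed rate is the λD from the article’s example panel.

```python
"""Field failure data versus the rate on the certificate.

Added example, not from the article or the standard. Computes an exact
one-sided Poisson upper bound on a constant failure rate; the fleet size,
duration and confidence level used in the demo are constructed.
"""
from math import exp, log

HOURS_PER_YEAR = 8760.0


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term = exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_bound_failure_rate(failures, device_hours, confidence=0.90):
    """Largest rate still consistent with seeing at most `failures` events
    in `device_hours`: solves P(X <= k; rate * T) = 1 - confidence.
    The CDF falls monotonically as the rate rises, so bisection is safe."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0 / device_hours
    while poisson_cdf(failures, hi * device_hours) > target:
        hi *= 2.0                      # expand until the root is bracketed
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * device_hours) > target:
            lo = mid                   # rate too low: bound lies above mid
        else:
            hi = mid
    return hi


def hours_to_demonstrate(rate_claimed, confidence=0.90):
    """Zero-failure device-hours needed before the upper bound at this
    confidence drops to the claimed rate: -ln(1 - c) / rate."""
    return -log(1.0 - confidence) / rate_claimed


def field_data_supports_claim(failures, device_hours, rate_claimed, confidence=0.90):
    """The check the article asks for: actual rate no worse than predicted,
    i.e. the upper bound sits at or below the certified rate."""
    return upper_bound_failure_rate(failures, device_hours, confidence) <= rate_claimed


if __name__ == "__main__":
    fleet_hours = 2_000 * 3 * HOURS_PER_YEAR   # constructed: 2,000 units, 3 years in service
    claimed = 2.3e-10                         # dangerous rate quoted on the article's panel
    for k in (0, 1):
        ub = upper_bound_failure_rate(k, fleet_hours)
        ok = field_data_supports_claim(k, fleet_hours, claimed)
        print(f"{k} dangerous failure(s) in {fleet_hours:.3g} h: "
              f"90% upper bound {ub / 1e-9:.1f} FIT, supports 0.23 FIT claim: {ok}")
    years = hours_to_demonstrate(claimed) / HOURS_PER_YEAR
    print(f"zero-failure device-years needed to demonstrate the claim at 90%: {years:,.0f}")
```

Even with no dangerous failures at all, 52.6 million device-hours only bound the rate at about 44 FIT at 90% confidence, roughly 190 times the 0.23 FIT on the panel; demonstrating that figure from zero-failure field data would take over a million device-years. That is the practical meaning of the article’s remark that the statistical route needs millions of operational hours and is not trivial.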

Choosing an assessor/certifier

As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate, which should ensure that these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems), which is unique in the following respects:

• an open/transparent methodology and framework for assessment to IEC 61508 (and sector standards);
• the requirements are all in the public domain, so there are no hidden surprises;
• originally a UK government-funded initiative, designed by industry for industry;
• CASS is a collective interpretation of IEC 61508 (about 60 companies contributed), which ensures the assessor’s ego is kept in check.

Figure (right): an example certification scheme is CASS (Conformity Assessment of Safety related Systems).

Figure (below): for SIL product certificates it is important to understand what is (and what is not) being certified.