BEST PRACTICE ARTICLE
www.risknowlogy.com/best-practice

Which safety device should I buy? An end user's guide to selecting safety devices compliant with IEC 61508 / 61511

By Jai Chainani and Dr Michel J.M. Houtermans



Copyright 2014 Risknowlogy. All Rights Reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form, or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior permission of the publisher. Requests for permission should be directed to [email protected], or mailed to Risknowlogy, Baarerstrasse 11, 6300, Zug, Switzerland. All pictures are copyright protected by their respective owners. Where possible we refer to the rightful owner. Sometimes we simply do not know the rightful owner and cannot make a reference. If you know who the rightful owner of the copyright protected material is then please contact us at [email protected] and we will update our publication. Please do not participate in or encourage piracy of copyrighted materials in violation of the author's rights. Purchase only authorised editions. Risknowlogy is committed to publishing works of quality and integrity. In that spirit, we are proud to offer this book to our readers; however, the words are the authors' alone.

    First published in Inside Functional Safety Published: October 2014


Table of Contents

Introduction
Demonstrating IEC 61508/61511 compliance for safety devices
Current market situation
Approach for selection of safety device
Conclusion
References
Share If You Liked It
About The Authors
About The Best Practice
About Risknowlogy
Certification Increase The Trust
History


Introduction

Safety instrumented systems (SIS) play a significant role within the process industry. They reduce the likelihood of events causing harm to personnel, the environment and assets, either by preventing them (PSD, ESD) or by mitigating further escalation (F&G, fire water control). IEC 61508 and IEC 61511 are the international standards on best practices for the functional safety of devices used within the SIS.

These standards are considered good engineering practice worldwide, and some countries incorporate them directly into their safety cases; in those instances they effectively have the force of law. Hence, compliance with the standards is seen as important from an end user perspective, as it helps them demonstrate due diligence, including for other mandatory safe-operating legislation such as the Health and Safety Act 1994, the Management of Health and Safety at Work Regulations 1992 and the Control of Major Accident Hazards Regulations 1999, see Figure 1.

The hardware of a SIS consists of devices such as sensors, logic solvers, actuators and peripheral devices, see Figure 2. As with any piece of equipment, safety devices can fail. One of the main objectives of IEC 61508 is to design a safety system that takes the plant to a safe state when it fails.

In order to design safety devices and systems as per IEC 61508/61511, one should first understand how safety devices, and thus safety systems, can fail. In practice safety devices can fail due to random, systematic or common cause failures. The higher the SIL, the stricter the IEC 61508 requirements are in terms of these random, systematic and common cause failures.

End users must be able to select safety devices that give them a high level of confidence in terms of compliance with IEC 61508. The safety device should be provided to the end user with key reliability and functional safety parameters such as failure rates, safe failure fraction (SFF), hardware fault tolerance (HFT), type A or type B, etc. With all this information in hand, it becomes easier for an end user to demonstrate compliance with IEC 61508 and/or IEC 61511.

Ultimately it is the responsibility of the end user to demonstrate that the device selected for the SIS is compliant. In practice this means that the end user needs to assure themselves that the chosen safety device meets the requirements of the standard in such a manner that they are able to defend their decisions to regulatory bodies or any third party performing a functional safety assessment.

The objective of this paper is to describe what it takes for safety devices to be compliant with IEC 61508/61511 and to review the various approaches towards compliance available in the market. This paper gives an order of preference for compliance routes and provides a step-based approach for end users to make smart safety device selections. Finally, the paper ends with conclusions and recommendations.


    Figure 1 - Compliance with IEC 61508/ 61511 relates to current legislation [4]

Demonstrating IEC 61508/61511 compliance for safety devices

Which standard to follow?

Although end users have no control over the design, manufacturing and testing process of the safety device, it is they who have to take overall responsibility in the event of a dangerous situation. Hence, selecting devices that are compliant with the standard becomes paramount for end users.

In the process industry, end users need to design, operate and maintain the SIS according to IEC 61511. The IEC 61511 standard gives end users guidance, see Figure 3, on which standard to follow when selecting safety devices to be used as part of the SIS. From this figure it becomes clear that for new and existing devices end users need to verify and assess the safety device against the IEC 61508 requirements, while for existing (proven in use) devices they can use devices compliant with IEC 61511. Furthermore, devices in the process industries might have a relationship to the Machinery Directive, PED and ATEX, and might need to comply with further product standards besides IEC 61508/61511.


    Figure 2 - Safety Instrumented System [5]

IEC 61508 requirements for new and existing devices

Safety devices can consist of hardware and/or software. IEC 61508 part 2 covers the overall system and hardware requirements of the safety system, whereas the software requirements are covered by part 3 of the standard. In order to demonstrate compliance with parts 2 and 3, end users must verify and be able to demonstrate that the device used within their SIS meets the requirements of part 2 and/or 3. In summary, the requirements to achieve a SIL address the following areas:

a. Functional Safety Management (FSM)

The IEC 61508 standard requires any SIS stakeholder (end user, system integrator, product supplier, etc.) to have a Functional Safety Management system in place. This is similar to the well-known ISO 9001:2000 quality management system but focuses on safety aspects instead. For device suppliers this means two things.

Firstly, it requires that the device supplier has clear safety policies, i.e., an organisational structure with responsibility for safety, procedures, work practices and a quality management system, together with functional safety competency of the individuals involved in the design and manufacture of safety devices.

Figure 3 - Which standard to follow IEC 61508 or IEC 61511?

Secondly, they must also demonstrate the process, described through documentation, by which new products are developed and brought to market and/or existing products are modified. This information should include all design steps, all verification activities, responsibilities and all device documentation generated, including user documentation.

In practice this means that device suppliers must address, among others, the following to be compliant with the IEC 61508 standard:

- A lifecycle approach;
- An overview of activities per lifecycle phase;
- Make competent people responsible for these activities;
- Include verification, validation and assessment activities;
- Address measures to control and measures to avoid failures;
- Modification procedures for any future modifications;
- Documentation that supports the above listed points.

b. Hardware requirements

The whole purpose of the hardware design requirements is to make sure that systematic failures (during the design, for example) have been avoided and that random failures are controlled during the design, manufacturing and use of the device. Techniques required by the standard to demonstrate systematic failure avoidance and control include, for example:

- Use of standards and design guidelines;
- Proven components and parts;
- Preferred design and architectural constraints are used for the device;
- Continuous diagnostics;
- Automatic safe response upon detection of a failure, e.g., the design should maintain safety targets through redundancy, alarms or shutdown.


c. Reliability requirements

Concerning the reliability requirements, the purpose is to accurately predict random and common cause hardware failures using reliability data. Key reliability data should include the following:

- Type A or B (a designation for the complexity of a device);
- Probability of failure on demand (PFDavg);
- Recommended proof test interval;
- Hardware fault tolerance;
- Safe failure fraction;
- Safe detected failure rate;
- Safe undetected failure rate;
- Dangerous detected failure rate;
- Dangerous undetected failure rate.

All of the above information is normally obtained through a process called Failure Mode and Effect Analysis (FMEA). This information can be delivered by the supplier itself, through a third party report or through third party certification (see section 3 on compliance demonstration approaches). With this information end users can easily determine how to comply with the architectural constraints and the integrity level of the safety function as described in the safety requirements specification.

Not addressed by the standard, but equally important for an end user, is information about the probability of a spurious trip caused by an internal safe failure of the safety device. The standard requires the information above to be collected from a dangerous failure point of view. The same information can, however, be used to make statements from a safe failure point of view.
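The following Python is an added worked example (not from the article or from Risknowlogy) showing how the FMEA data listed above is turned into the figures an end user has to check: it computes the safe failure fraction, looks up the route 1H architectural constraints of IEC 61508-2 for type A and type B devices at HFT 0, 1 and 2, applies the simplified 1oo1 PFDavg approximation and, for the spurious trip question the article raises, the mean time to a safe failure. The failure rates and proof test interval are constructed sample values; the function and constant names are the example's own.

```python
"""Added worked example: turn the FMEA failure-rate data a supplier provides
into the figures an end user must check (SFF, architectural constraints,
PFDavg, spurious trip interval). Sample rates below are constructed values."""
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in failures per hour, split as IEC 61508-2 requires."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total."""
    return (r.sd + r.su + r.dd) / (r.sd + r.su + r.dd + r.du)


# Route 1H architectural constraints, IEC 61508-2 Tables 2 (type A) and
# 3 (type B). Rows: HFT 0, 1, 2. Columns: SFF < 60 %, 60-90 %, 90-99 %,
# >= 99 %. A 0 entry means the combination is not allowed at any SIL.
_ARCH_TABLE = {
    "A": ((1, 2, 3, 4), (2, 3, 4, 4), (3, 4, 4, 4)),
    "B": ((0, 1, 2, 3), (1, 2, 3, 4), (2, 3, 4, 4)),
}


def sff_band(sff: float) -> int:
    """Column index of the SFF band used by the architectural tables."""
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def max_sil_architectural(sff: float, hft: int, device_type: str) -> int:
    """Highest SIL the architectural constraints allow (0 = not allowed)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return _ARCH_TABLE[device_type.upper()][hft][sff_band(sff)]


def pfd_avg_1oo1(r: FailureRates, proof_test_interval_h: float) -> float:
    """Simplified low-demand 1oo1 approximation: PFDavg ~= lambda_DU * TI / 2.
    Repair time, proof test coverage and common cause are ignored here; the
    IEC 61508-6 formulae add those terms."""
    return r.du * proof_test_interval_h / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 target failure measures:
    SIL n covers 10^-(n+1) <= PFDavg < 10^-n); 0 means below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def mttf_spurious_1oo1_years(r: FailureRates) -> float:
    """Mean time to a spurious trip of a single device: 1 / (lambda_SD +
    lambda_SU). Not demanded by the standard, but the same FMEA data answers
    this safe-failure question too, as the article notes."""
    return 1.0 / ((r.sd + r.su) * HOURS_PER_YEAR)


def assess_1oo1_device(r: FailureRates, device_type: str,
                       proof_test_interval_h: float) -> dict:
    """Assess a single (HFT 0) device; the SIL capability is bounded by the
    more restrictive of the architectural and the PFDavg constraint."""
    sff = safe_failure_fraction(r)
    arch_sil = max_sil_architectural(sff, 0, device_type)
    pfd = pfd_avg_1oo1(r, proof_test_interval_h)
    return {
        "sff": sff,
        "architectural_sil": arch_sil,
        "pfd_avg": pfd,
        "pfd_sil": sil_from_pfd(pfd),
        "sil_capability": min(arch_sil, sil_from_pfd(pfd)),
        "mttf_spurious_years": mttf_spurious_1oo1_years(r),
    }


# Constructed sample: a type B smart transmitter's FMEA figures in FIT.
SAMPLE = FailureRates(sd=300 * FIT, su=50 * FIT, dd=600 * FIT, du=100 * FIT)

if __name__ == "__main__":
    # Yearly proof test: SFF 90.5 % lets a type B, HFT 0 device claim SIL 2,
    # the PFDavg of 4.38e-4 would fit SIL 3, so the device is SIL 2 capable.
    for key, value in assess_1oo1_device(SAMPLE, "B", HOURS_PER_YEAR).items():
        print(f"{key}: {value}")
```

The sample shows why both constraints must be checked: the PFDavg alone would suggest SIL 3, but the architectural constraint for a type B device without hardware fault tolerance caps the claim at SIL 2.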

d. Software requirements

IEC 61508 part 3 covers the development of embedded and application software used within safety devices as part of a SIS. The main problem with software is systematic failures. Many techniques are available to avoid these failures. Achieving safe software is important, as many of the measures to control random hardware failures are implemented in software. Safe software is software that meets the IEC 61508 part 3 requirements and that can still put the safety system in a safe state despite hardware failures or software bugs. Requirements to demonstrate compliance with this part include, among others, the following:

- The use of the V model approach to software design, with the number of phases in the V model being adapted according to the safety integrity level and the complexity of the project. Although the standard refers to the V model, it does not say anywhere that it is required. An example of a V model is given in Figure 4.
- The design methods should aid modularity and embrace features which reduce complexity and provide clear expression of functionality, information flow, data structures, sequencing, time-related constraints and design assumptions;
- The embedded software should include software for diagnosing faults in the system hardware and software, including error detection for communication links and on-line testing of standard application software;
- The detailed design of the software modules and the coding implementation should result in small, manageable software modules;
- The system should as far as possible use trusted and verified software modules which have been used in similar applications;


    Figure 4 - A typical V model for device software design [7]

- The system should not use dynamic objects which depend on the state of the system at the moment of allocation where they do not allow checking by off-line tools;
- The programming language should be capable of being fully and unambiguously defined;
- The support tools need to be either well proven in use or certified as suitable for safety system applications.

In the IEC 61508 standard there are many requirements for software, and from a supplier/manufacturer point of view it is the software which is the design and development bottleneck. Once the software is under control, basically the device is under control and the hardware follows. In other words, from an end user point of view, buying and installing devices with software really means assuring themselves that the software of the device is IEC 61508 compliant.

e. Basic safety

Functional safety is one aspect of a safety device. But this does not automatically cover all basic safety issues of the device in its operating environment. Each device should also address the following basic safety requirements, through appropriate environmental testing, to make sure the device can be used in its intended environment:

- Operational temperature range;
- Storage temperature range;
- EMC / EMI environment;
- Vibration / shock testing;
- IP classification;
- Pressure (PED);
- Explosive atmospheres (ATEX);
- Basic electrical safety and compliance with product standards.

Whichever environment the end user of the device has is ultimately the environment the safety device must be able to withstand. The product supplier should be able to demonstrate suitability for this environment so that the end user can verify that the device is suitable for their specific environment.

f. User documentation

One can have the best safety device in the world, but if it is not used properly it can still lead to undesired situations like accidents. User documentation must be provided for the device in the form of a product safety manual. This manual not only addresses all safety aspects during installation, commissioning, operation, maintenance and repair, but sometimes also contains restrictions on the application of the device. It is important for end users that the information in the safety manual is correct and that the restrictions do not limit the end user unnecessarily. Hence a safety manual should be available before one buys the equipment.

IEC 61511 requirements for existing devices

To demonstrate compliance of a safety device with IEC 61511, it must either be shown that the device meets the requirements of IEC 61508 or that the device is proven in use according to the requirements of IEC 61511. The requirements of IEC 61508 are described in paragraph 2.2. In this paragraph the IEC 61511 requirements are addressed. IEC 61511 defines proven in use as follows:

"When a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system."

In practice an end user knows very well whether a particular valve or smart transmitter works or not. The problem is that in order to prove proven in use it needs to be documented, and this is not always the case. Furthermore, although proven in use is typically something that only end users can determine, the suppliers of safety devices will do everything to convince end users that their product is proven in use. The reason for this is very simple. When a product is declared proven in use it does not need to comply with all the measures to control and avoid failures according to IEC 61508. In practical terms this means the product supplier can avoid expensive modifications to their existing old product. This is not only a huge R&D cost saving for them, but it also does not delay their time to market with this safety device.

The evidence that needs to be delivered in order to demonstrate proven in use is not easy to accumulate. It includes:

- Consideration of the supplier's quality, management and configuration management systems;
- Adequate identification and specification of the components or subsystems;
- Sufficient volume of operating experience;
- Demonstration of performance of the components or subsystems in similar operation profiles and physical environments if not sufficient operation experience exists;
- Statistical evidence that the claimed failure rate is sufficiently low.

Especially the last point is difficult to meet, as failure track records are usually not available. End users do not always track them, or when they do track them the documented information is not in such a form that it can be used in compliance with the standard. Most product suppliers do not have any capability to track their products once they are sold. Also, they usually cannot or do not collect feedback from customers in such a manner that it can be used to demonstrate compliance.

Proven in use is a desirable and powerful technique as it is most representative of the application environment and the maintenance practices in place. But it can only be demonstrated, and thus used for compliance, if the above requirements can be demonstrated and are documented.


Current market situation

A general overview

End users need to assure themselves that the safety devices selected by them are compliant with either the IEC 61508 or the IEC 61511 standard. In practice, though, they usually have neither the time nor the knowledge to verify compliance for every single device that will be used in their safety functions. It is in the interest of the suppliers to help end users in their selection process by demonstrating that their device is compliant with the standards. But in practice different approaches are currently used in industry to demonstrate compliance. In summary these approaches are:

- Partial or full IEC 61508 compliance with certification by an independent third party;
- Partial or full IEC 61508 compliance with self-declaration by the device supplier;
- Proven in use according to IEC 61511 by the end user with or without independent third party certification;
- Proven in use according to IEC 61511 by the supplier with or without independent third party certification;
- Any of the combinations above, e.g., proven in use + partial compliance.

It is important for an end user to understand the pros and cons of the different approaches. An end user needs to understand what the differences are between partial, full or proven in use compliance and how they affect their daily business. In summary:

- Full compliance means that a device meets all applicable requirements of the IEC 61508 standard. The end user can be sure that the device has been designed according to the rules of the standard. Now it is up to the end user to install, commission, validate, operate, maintain and repair it correctly.
- Partial compliance means that not all requirements have been addressed. The question is: how bad is this? This depends of course on which requirements have been addressed, or rather which ones have not. If a device has software inside and only the hardware requirements have been addressed, then we have no clue about the status of systematic failures in the device concerning the software. If the software has one bug, then all devices with this software have this bug.
- Proven in use means that there is confidence that the product works because end users have seen in practice that it works in their own or a similar process environment. If this is an older device it also means that the device does not meet the requirements of the standard, but its proven use demonstrates that the functionality of the device is reliable anyway.

Considering the statements above, one can conclude that a newly developed device compliant with the IEC 61508 standard is nice, but it does not yet provide confidence to end users that it will work to their satisfaction in their process environment. Table 1 shows a comparison between full IEC 61508 compliance and IEC 61511 proven in use.

From an end user point of view the best device would be a device fully compliant with the standard which has also proven itself in the field. When demonstrating full compliance, partial compliance or proven in use, the industry uses two approaches, i.e., certification or self-declaration. In the case of certification, a certificate comes along with a report which summarises the most important properties of the safety device. Certification is produced by an independent, competent third party organisation with expertise in the field of functional safety and no vested interest in the safety device. The purpose of certification should be to help end users gain confidence in the safety device by providing evidence of verification and assessment as per the requirements of the standards. It helps the end user, as they do not need to perform the analysis themselves when using a certified device. Although the standard does not mention anything about certification, i.e., certification is not a requirement in the standard, nor is any other technique to demonstrate compliance, certification is available in the market and plays a major role in this industry. Some of the independent / third party companies who certify safety devices compliant with IEC 61508 are Exida, TUV Rheinland, TUV SUD, Risknowlogy, Baseefa, Sira, etc. Full IEC 61508 certification is the most comprehensive type of certification available in the market and should cover the entire requirements of IEC 61508 as described in Section 2.2 of this paper. It also demonstrates rigour of verification and assessment by a highly competent independent body that is impartial with respect to the device.

Table 1 - Comparison between Full IEC 61508 Compliance and Proven in use (IEC 61511)

The certificate itself, see Figure 5, should never on its own be used as the basis for a decision to install a product in the plant. It should only be used as a first impression and should never be read without the accompanying technical report and, if possible, the safety manual of the device.

Another option is to self-declare compliance with the standard, see Figure 6. There is nothing in the standard to prevent device suppliers from self-declaring their verification or assessment activities, either of their FSM or of the other requirements of IEC 61508. This is done not only by product suppliers, but also by end users.

A self-declaration, unlike certification, is produced by the device supplier, stating that their device complies with the requirements of the IEC 61508 standard and can be used in a safety instrumented function. Just like certification it should detail key functional safety parameters such as SIL capability, device type, SFF, PFDavg, failure rates, etc., and will either list the restrictions on the declaration itself or refer to the device safety manual for restrictions.

Self-declaration normally does not come along with a technical report explaining the verification and assessment activities that have taken place. Hence, it is difficult for end users to understand, and thus gain confidence in, the device. The other concern for end users with self-declaration is partiality and vested interest, if the same company that designs, manufactures and tests the product is the one assessing and verifying it.


    Figure 5 - Examples of Full IEC 61508 Certificate by independent / third party

Suppliers sometimes self-declare their safety device compliant on the basis of the IEC 61511 proven in use requirement. As stated in paragraph 2.3 of this paper, end users are best suited to prove the IEC 61511 proven in use requirement for a safety device in a particular application. Although possible, an attempt by a supplier to demonstrate proven in use must be looked into with the utmost scrutiny.

Figure 6 - Example of self declaration by device suppliers (Note: This is not certification)

There is a big difference, though, between devices with self-declaration and full certification. With self-declaration there is no independent party involved. Both approaches again have their pros and cons. In summary:

Certification means that an independent third party attests that the statements made are true, e.g., "Our product is compliant with IEC 61508." Not the end user or the product supplier attests this statement, but an independent party does. This is of course only valuable if the independent party is truly independent and has no legal, financial or political interest in the product.

Self-declaration means that the supplier makes the statement about the product themselves. End users can find this difficult to trust, as nobody independent was involved. So for the end user it becomes a matter of "whom can I trust?", or "from whom do I accept self-declaration and from whom do I want to see a third party certification?".

Table 2 - Preference order for compliance approach demonstration

When it comes to proven in use, self-declaration is done by both product suppliers and end users. When the supplier self-declares proven in use then the above point applies again. When the end user self-declares then of course this is only of value if the analysis work done within the company is performed with sufficient independence and without any pressure from within the company.

Independently of the approach chosen, a technical report should explain and document the work performed. It details the basis of the verification and assessment work. If there is no technical report then end users do not know what work has been done, lose confidence, and cannot demonstrate to any third party that they themselves are compliant with the standard.

For an end user the question is whether they can trust self-declaration or not. The same applies to independent third party certification. But, as stated before, independent third parties should not have any financial or political interest in a company, and thus one should be able to say that third party certification deserves a higher level of trust than self-declaration.

    Ranking different compliance approaches

After reviewing all the different approaches to demonstrate compliance against the standards, Table 2 recommends a preferred order for end users in the selection of safety devices used as part of a SIS.

For an end user the most preferred approach would be full IEC 61508 certification with proven in use by an independent third party. This gives confidence and assurance that the device meets the requirements of the standard and it is proven that it works in their process environment. Although this is the preferred selection, in practice this kind of device is just not always available. Even if the end user wants to be compliant with the standards, they still have to use alternatives in case this option is not available.

    The second preferred approach would be proven in use according to IEC 61511 by end user or independent third party. This gives confidence that the device meets the requirement of IEC 61511, works in their process environment and it is proven that the dangerous failure rate is sufficiently low in terms of random, common cause and systematic failures.

    Thirdly would be Full IEC 61508 certification by an independent third party. This gives confidence that the device meets the requirements of IEC 61508 standard but no assurance yet that it will work in their process environment and that the predicted failure rates are as low in practice as well.

Whenever possible an end user should try to select devices according to the above preferences. Finally, there are other compliance approaches such as full IEC 61508 self-declaration by the device supplier and proven in use according to IEC 61511 by the device supplier, but in practice they are not preferable at all.


    Figure 7 - Recommended step based flow chart to select safety device compliant with IEC 61508 / 61511

Approach for selection of safety device

Selection of devices for SIS applications is important, as end users depend on that device for protection in the event of a potentially dangerous situation. The selection process for safety devices is a two-step process, i.e., is the device fit for purpose, and are the dangerous failures sufficiently low (compliance with IEC 61508 / 61511)?

Step 1: Fit for purpose

The first step is to make sure that the selected safety device is fit for purpose and will actually work well in the intended application and environment. This step is probably even more important than just selecting a device which is compliant with the standards. The fit for purpose analysis should consist of an application review with the actual operating experience. The review must decide whether:

1. The safety device selected is fit for the job;
2. The safety device is correctly rated for the intended environment;
3. The safety device's safety manual presents any unacceptable restrictions.

Many companies have procedures that require testing in the actual process environment (you could call this phase collecting evidence for proven in use). When failure rate data is missing, the end user can use sources of industry-specific reliability data such as the PERD (Process Device Reliability Database) handbook.

The safety manual is a document that should be provided by the product supplier. It explains specifically how the product is to be used in a SIS application. A large safety manual with a long, detailed list of instructions on how to make the product safe is a sure sign that the supplier does not meet the requirements unless these restrictions are implemented by the end user.

Another point to note on the topic of the product safety manual is that normally it is not supplied until purchase. End users must ask suppliers to provide the safety manual before selecting a device, as it may contain restrictions of use for a particular application or could contain information that is referenced in the independent/third party certification or reports.

Step 2: Dangerous failures protection

The second step is to select a safety device that is compliant with IEC 61508 / 61511, with the purpose that the dangerous failures are sufficiently low according to the required SIL. The selection is based on the dangerous failure expectations expressed in parameters like SIL, PFDavg, SFF, etc., which should be described in the safety requirements specification. This is the step where end users must select a safety device using one of the recommended compliance techniques described in section 3.4.

Figure 7 shows a step-based flow chart that is recommended for the selection of a safety device used as part of a SIS.
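As an added example (not from the paper or its authors), the following Python sketch applies the Step 2 check to constructed candidate devices: it compares each device's PFDavg (a simplified 1oo1 estimate, λDU × TI / 2) and SFF with the SIL required in the SRS, using the low demand mode SIL bands and the Type A / Type B architectural-constraint tables as I know them from IEC 61508-1 and IEC 61508-2, which goes beyond what this section states. The SRS budget, device names and failure figures are assumptions.

```python
from dataclasses import dataclass

# Assumption: PFDavg bands per SIL for low demand mode as given in IEC 61508-1
# (Table 2); each band is [lower, upper).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Assumption: maximum SIL claimable for a given SFF and hardware fault tolerance
# (HFT 0, 1, 2) for Type A and Type B elements, as in IEC 61508-2 Tables 2 and 3.
# Row key is the exclusive upper SFF bound of the row; 0 means "not allowed".
ARCH_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))]
ARCH_TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))]

@dataclass
class Device:
    """Figures an end user should find in the safety manual / FMEDA report."""
    name: str
    device_type: str      # "A" (simple, fully known) or "B" (complex, e.g. contains software)
    sff: float            # safe failure fraction, 0..1
    lambda_du: float      # dangerous undetected failure rate, per hour
    proof_test_h: float   # proof-test interval in hours

def pfd_avg_1oo1(dev: Device) -> float:
    """Simplified single-channel (1oo1) PFDavg: lambda_DU * TI / 2."""
    return dev.lambda_du * dev.proof_test_h / 2

def sil_band(pfd_avg: float) -> int:
    """SIL band that a PFDavg value falls into (0 if worse than SIL 1)."""
    if pfd_avg < 1e-5:
        return 4
    return next((sil for sil, (lo, hi) in PFD_BANDS.items() if lo <= pfd_avg < hi), 0)

def max_sil_architectural(device_type: str, sff: float, hft: int) -> int:
    """Highest SIL the element may claim from SFF and HFT (architectural constraints)."""
    table = ARCH_TYPE_A if device_type == "A" else ARCH_TYPE_B
    return next(limits[min(hft, 2)] for upper, limits in table if sff < upper)

def check_device(dev: Device, required_sil: int, pfd_budget: float, hft: int = 0) -> dict:
    """Step 2 decision: fit the SRS PFDavg budget and be allowed to claim the required SIL."""
    pfd = pfd_avg_1oo1(dev)
    reasons = []
    if pfd > pfd_budget:
        reasons.append(f"PFDavg {pfd:.2e} exceeds SRS budget {pfd_budget:.2e}")
    if sil_band(pfd) < required_sil:
        reasons.append(f"PFDavg {pfd:.2e} is outside the SIL {required_sil} band")
    if max_sil_architectural(dev.device_type, dev.sff, hft) < required_sil:
        reasons.append(f"SFF {dev.sff:.0%} with HFT {hft} does not allow SIL {required_sil}")
    return {"device": dev.name, "pfd_avg": pfd, "accepted": not reasons, "reasons": reasons}

# Constructed sample data: the SRS asks for SIL 2 and allocates PFDavg 2.5e-3 to the sensor.
CANDIDATES = [
    Device("transmitter X (constructed)", "B", 0.92, 2e-7, 8760),
    Device("transmitter Y (constructed)", "B", 0.75, 5e-7, 8760),
]
RESULTS = [check_device(d, required_sil=2, pfd_budget=2.5e-3) for d in CANDIDATES]
```

Transmitter Y fits the PFDavg budget but fails on SFF, which is exactly the case where a supplier's headline "SIL 2 capable" claim has to be read together with the architectural constraints in the safety manual.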


Conclusion

A SIS plays a vital role in providing protective-layer functionality within the process industry and helps to reduce risk to As Low As Reasonably Practicable (ALARP). End users need to select the devices used within a SIS to be compliant with the IEC 61508 / 61511 standards, for their own peace of mind and to be able to defend their decision to the regulatory body. Two options are available to demonstrate compliance with the standards: for new and existing devices, to follow the IEC 61508 requirements, or, for existing devices, to use the IEC 61511 proven-in-use requirements.

Compliance against IEC 61508 can be demonstrated for a safety device by fulfilment of specific requirements in each of the following areas: FSM, hardware requirements, reliability analysis, software design, basic safety and user documentation. To demonstrate compliance of a safety device with IEC 61511, it must be shown either that the device meets the requirements of IEC 61508 or that the device is proven in use. Proven in use is difficult to demonstrate, as it requires a sufficient failure track record, which is usually not kept or not available in documented form.

End users normally do not have the time or the knowledge to verify compliance against the standards for every single device that will be in their safety functions. Few suppliers help end users to demonstrate that their device is compliant with the standards. Different approaches that are currently being used to demonstrate compliance are:

    Partial OR full IEC 61508 compliance with certification by independent third party

    Partial OR full IEC 61508 compliance with self declaration by device supplier

    Proven in use according to IEC 61511 by end-user OR independent third party

    Proven in use according to IEC 61511 by supplier OR independent third party

    Any of the combinations above, e.g., proven in use + partial compliance

Not all approaches that are available in the market for compliance demonstration are comprehensive or trustworthy. End users should be able to differentiate between the different approaches and should be able to select a safety device that gives them confidence, as it is they who have to accept responsibility. A recommended preferred option list for end users in the selection of a safety device against the various compliance demonstration approaches is:

The selection process for a safety device is a two-step process, i.e., step 1: fit for purpose, and step 2: dangerous failure protection (compliance with IEC 61508 / 61511). A step-based approach to select a safety device compliant with IEC 61508 / 61511 is detailed in Figure 7 of this paper.


References

1. The Offshore Installations (Safety Case) Regulations 1992, SI 1992/2885. HMSO, ISBN 011025869X.
2. Health and Safety at Work etc. Act 1974 (Commencement No. 1) Order 1974, SI 1974/1439.
3. Control of Major Accident Hazards Regulations 1999, SI 1999 No. 743. HMSO, ISBN 0 11 0821920.
4. Smith, D. J. and K. G. L. Simpson (2005). Functional Safety: A Straightforward Guide to Applying IEC 61508 and Related Standards. Burlington, U.K.: Elsevier.
5. IEC 61508 (1998). Functional safety of electrical/electronic/programmable electronic safety-related systems. Geneva: International Electrotechnical Commission.
6. IEC 61511 (2003). Functional safety - safety instrumented systems for the process industry. Geneva: International Electrotechnical Commission.


About The Authors

Jai Chainani is a senior instrument control and functional safety engineer. He obtained his Master's degree in control & instrument systems from the University of Huddersfield, UK.

Currently, he is working for Britannia Operator Limited (a joint venture between Chevron North Sea and ConocoPhillips UK) in the maintenance department. His main responsibility and focus is to ensure safe operations, deliver operational excellence and demonstrate compliance of the safety instrumented system with functional safety standards.

Dr. Michel Houtermans has an MSc in mechanical engineering and a Ph.D. in safety and risk management. At Factory Mutual Global he held the positions of research and project engineer. At TÜV SÜD he has held the positions of project engineer, project manager and department manager. Today he is managing partner at Risknowlogy.

Dr. Houtermans has over 15 years of experience in functional safety, has published numerous papers on risk, reliability and safety, and is the Editor-in-Chief of Inside Functional Safety. He actively certifies products, loops, systems, people and organisations according to functional safety standards and audits safety management systems for internationally operating companies in the oil & gas, chemical, and process industries. Furthermore, he acts as an independent safety auditor for governments and has served as an expert witness in safety-related court cases.


About The Best Practice

The goal of the Risknowlogy Best Practice publications is to be the leading destination when it comes to risk, reliability and safety knowledge. It aims to provide professionals around the world with rigorous insights and best practices to help them to become leading risk, reliability and safety practitioners for the benefit of all.

    Get involved - Become an author

Thanks for considering working with us. We believe that if companies and organisations would understand their hazards and risks better, if they would understand how to build reliable solutions to manage those risks and if they would know how to achieve safety in an effective manner, then everybody (the employees, the bosses, the customers, the people, the environment, the investors and the whole world) would be better off. So we try to arm our readers with knowledge and ideas that help them to identify and manage risks better, to design sufficiently reliable solutions and to be safer at work. To do that we enlist the foremost experts in risk, reliability and safety theory and practice, collaborating to express their best thoughts in the most influential ways possible.

If you have a new piece of research, a new approach, an unexpected perspective on a current event or an original way of looking at a perennial risk, reliability or safety problem in any industry, we would love to hear about it. Here's what we look for when we're considering what to publish at Risknowlogy:

1. Expertise. You don't have to have grey hair, or no hair at all for that matter, or to be well known to be a contributor to the Risknowlogy Best Practice, but you must know a lot about the subject you're writing about.

2. Evidence. It's not enough to know your subject deeply; you have to prove it to the reader. You can refer to research or practical work of others. You can also demonstrate your thoughts with practical and relevant examples. Use data, create charts, create graphs, do anything creative to share your ideas. Our audience is keen to see your thoughts in action.

3. Be Original. Risk, reliability and safety problems are not new. The world always had them and always tried to solve them. There aren't that many wholly new ideas in risk, reliability and safety, and the problems practitioners face have probably been solved already somehow. So if you're writing about a well-worn topic, you need to find a fresh and creative approach. The best way to do this is to be very specific and to rely on your own research, observations, and experience. The worst way to do this, generally, is to give the same solution a new jacket or use a fancy, clever new phrase.

4. Usefulness. Whatever you submit, it needs to be useful to our readers. Our readers don't read our Best Practices just to stay on top of new developments in risk, reliability and safety thinking. Much more, they are looking for help in changing the way they and their organisations actually approach risk, reliability and safety topics. Try to explain your thinking so that the reader understands how to begin to apply it in a real situation. Making your ideas useful will make them a lot more powerful.

5. Be Persuasive. Make your publication a pleasure to read. The Risknowlogy Best Practice readers are smart and skeptical and busy like everybody else in the world. If you don't capture, and keep, their attention, they will not hesitate to move on to something else. Use compelling language, get straight to the point in the first paragraph, avoid jargon, and spend the extra time necessary to make your language sharp and compelling throughout. Use pictures, graphs, humour; anything is allowed to keep their attention.

    Some notes about our editorial process

    We are looking for quality, not quantity. We only publish if we feel it contributes in the right way. The best thing to do is to send us a short pitch first so we can give you feedback early enough. Nothing will be published unless we have seen a full draft. Most likely our editors will ask you to revise parts of your publication. We will have it read by more than one editor, to make sure we get the most out of your contribution.


Send your pitch or full draft to your editor or, if you do not have an editor, send it to [email protected].

Just remember our editorial process is more thorough than many other publishers'. We will work with you to make your contribution the best for our readers. Contributors tell us frequently that they really appreciate the extra care and attention their work receives. We also retain final decision rights over headlines. Our editors have spent years learning what kind of headlines give Risknowlogy Best Practice pieces the best chance of being read, found on the web and shared both on social media and in offices around the world. We will very likely rewrite the title you suggest; if we do so, it's because we believe the revised version will help your publication reach the audience it deserves.

We want you to write your publication yourself, in your own voice, coming from your heart. Please don't submit something written by your PR representative or a ghostwriter, or something that was published already elsewhere. We don't publish pieces that have appeared elsewhere or that come across as promotional.


About Risknowlogy

Experts in Risk, Reliability and Safety

Risknowlogy was founded in 2002 with a passion for risk, reliability and safety. We are particularly known for our leading role in functional safety. At Risknowlogy we apply all the typical risk, reliability and safety techniques you might have heard of: Bowtie, HAZOP, HAZID, LOPA, AHA, OHA, PHA, QRA, FMEA, FMECA, ETA, Markov, FTA, Reliability Block Diagrams, FMEDA, FSM, SIL Assessment, SIL Verification, SIL Certification, Calibration of Risk Matrix and Risk Graph, STL and so on. But our services go beyond the application of the classic and standard techniques. Contact Risknowlogy if you are in need of risk, reliability or safety services.

    At Risknowlogy we apply risk, reliability and safety techniques so that our customers become more profitable. Our services help companies to be compliant with standards and thus to meet regulatory requirements, to meet the requests of insurance companies, to meet and exceed their availability goals. And more availability leads to more profitability.

Services that are not so typical for the industry, but bread and butter for us, which we have carried out for our customers:

    Setup a risk, reliability, and safety competence program for the technical employees of a chemical plant

    Implement a risk management program including a functional safety handbook for an oil refinery

Calculate the availability of gas supply (needed for electricity, cooling) for a major city in the Middle East

    Decision support for the implementation of safety functions including their proof test frequency for a petrochemical plant

Pipeline risk management program for a country's pipeline operator

Governmental functional safety audit program for tunnel operators

Decision support for the best out of five infrastructure solutions, taking into account image, environmental, cost, legal and sustainability aspects, for a local government

    Contact Risknowlogy if you are in need of a customised risk, reliability or safety solution.


Certification

Increase The Trust

If you do not trust it, certify it. Risknowlogy has developed a Certification Program that is unique in the world, as we are the only company in the world that certifies risk, reliability and safety parameters of products, functions, systems, organisations and professionals.

    The Risknowlogy Certification Program has been developed to support end-users. End-users are in need of competent personnel and contractors. End-users need the right procedures and need to make sure that their employees and contractors follow and implement these procedures. End-users need to trust the products and systems they buy and use to operate their processes, factories and plants. End-users can take full advantage of the Risknowlogy Certification Program.

    Typical certification projects we have carried out for companies and people:

Risknowlogy certified over 3000 people in the TÜV SÜD and Siemens certification program

Risknowlogy SIL certified products like level transmitters, temperature transmitters, pressure transmitters, actuators, valves, relays, sensors, pumps

Risknowlogy certified Safety Availability in terms of SIL for functions and systems like ESD, HIPPS, BMS, Smoke and Detection, Overfill Prevention Systems

Risknowlogy certified Process Availability taking into account malfunction of Safety Instrumented Systems

Risknowlogy certified Functional Safety Management systems for System Integrators according to IEC 61508 and IEC 61511

Contact Risknowlogy if you are in need of certification of people, products, functions, solutions or organisations, or of a unique in-house certification program customised and tailored to your company's unique needs and requirements.


History

Risknowlogy was founded in 2002 and is an employee-owned business. Today we have offices in Argentina, Colombia, Germany, India, the Netherlands, Switzerland (HQ), the United Arab Emirates, the United Kingdom and Uruguay. We offer our services in Dutch, English, French, German, Italian, and Spanish.

2002 - Risknowlogy was founded in Schinveld, The Netherlands
2007 - Risknowlogy moved headquarters to Zug in Switzerland
2008 - Risknowlogy opened the Buenos Aires office in Argentina
2009 - Risknowlogy opened the Karlsruhe office in Germany
2011 - Risknowlogy opened the Dubai office in the United Arab Emirates
2012 - Risknowlogy opened the Mumbai office in India and the Bogota office in Colombia
2013 - Risknowlogy opened the UK office in the South of England
2014 - Risknowlogy opened the Montevideo office in Uruguay

    Contact Risknowlogy if you would like to explore opportunities.


Experts in Risk, Reliability and Safety
Baarerstrasse 11, 6300, Zug, Switzerland