Is Your Safety System Safe?
Managing and properly equipping a plant with the right components for optimal safety is a complex, ever-evolving task. Managers in the chemical processing and related industries have the enormous responsibility of increasing productivity and profit, while at the same time properly monitoring, detecting and preventing hazardous events from occurring.
Ultimately, any technologies employed for these functions should improve the plant's overall design scheme, increase efficiency and minimize the associated costs to maintain the safety systems. However, plant managers are forced to contend with limited and complicated information.
They are not alone. Most industries employing a safety system face the same challenge. In response to this, the International Electrotechnical Commission (IEC) released safety standard IEC 61508 to help ensure the highest safety for electrical/electronic/programmable electronic-based safety-related systems.
Unlike traditional product certifications that certify only the final test data, IEC 61508 is process based and applies to the entire life cycle of the product. The manufacturing company and all of the processes used to develop and manufacture its product are certified for optimal safety. Therefore, all phases of a safety product are certified, from its earliest concept and design stages through its manufacturing, application, maintenance and final decommissioning.
Although virtually anyone directly or indirectly related to plant safety has at least heard of the standard, very few really understand its impact and benefits. The standard has been well received by manufacturers of safety components and complete systems, but the facilities using these IEC 61508-certified products benefit the most.
IEC 61508 is process based and deals with all of the necessary activities involved in the implementation of safety-related systems.
In addition to the potential for loss of life or limb, one plant shutdown can result in costly repairs and equipment replacements, lost time and production and other added expenses just to mitigate the situation and get the plant back up and running again. By employing IEC 61508-certified components, plants decrease the likelihood such a hazardous situation will occur.
But do not think of IEC 61508 as simply insurance against a hazardous event. A "building block" approach, using certified components whose safety characteristics are recognized under IEC 61508, reduces long-term operational and capital costs. The need for consultants for system verification is decreased or eliminated, and procurement costs can be reduced by avoiding re-assessment on a product-by-product basis. Plant users can be confident they are employing first-rate technologies, without having to compromise safety.
Standard basics
In 1998, the Geneva-based IEC began drafting standard IEC 61508 to support companies that use safety instrumented systems (SIS) to protect their personnel and facilities from hazardous events. The standard, formally titled "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related System," is composed of seven parts that direct proper management of the life cycle and all components of the SIS.
The first three parts of the standard address management, development, deployment and operation of safety system hardware and software. The remaining four parts deal specifically with definitions, applications and informative annexes to the standard.
To fully understand IEC 61508, it is first necessary to discuss two key terms: safety life cycle and safety integrity level (SIL).
Safety life cycle
Product certification deals primarily with the end product, but IEC 61508 is process based and addresses development, manufacturing, maintenance and all of the other necessary activities involved in safety-related system implementation. The standard's process starts at the concept phase of a project and finishes when all the electrical, electronic and programmable electronic safety-related systems; other technology safety-related systems; and external risk-reduction facilities no longer are available for use.
In the safety life cycle of a particular process, process risks are evaluated, and the performance requirements of the SIS are established. Layers of protection are generated and fully tested for optimization. The result is a product designed to meet a particular process risk. Because systems are designed per the safety life cycle, they are more likely to meet the actual requirements of the specific application.
IEC 61508 is an umbrella standard in that it can be applied directly to any industrial process that uses electrical, electronic or programmable electronic products and systems for safety. The standard allows the development of industry-sector-specific standards, provided they follow a safety life cycle model similar to the one defined by IEC 61508. All parts of the standard set out a generic approach for all safety life cycle activities for electrical/electronic/programmable electronic components used in safety-related functions.
Safety integrity level
Four SILs are defined by IEC 61508 to statistically represent the integrity of the SIS when a process demand occurs. The SIL takes into account device integrity, architecture, diagnostics, systematic and common cause failures, testing, operation and maintenance.
An SIL establishes order-of-magnitude targets for risk reduction. This target failure measure is the intended probability of dangerous-mode failures to be achieved in respect of the safety integrity requirements, specified in terms of either the average probability of failure to perform the safety function on demand (for a low demand mode of operation) or the probability of a dangerous failure per hour (for a high demand or continuous mode of operation). The higher the SIL number, the greater the impact of a failure and the lower the acceptable failure rate. See the table.
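As an added illustration (not part of the original article), the Python below classifies a measured failure value into its SIL band using the order-of-magnitude limits published in IEC 61508-1, and estimates the average probability of failure on demand for a single-channel loop with the simplified IEC 61508-6 approximation, showing how the proof-test interval moves a loop between bands. The dangerous undetected failure rate and test intervals are constructed sample values, not figures from the article.

```python
from typing import Optional

# Target failure measures from IEC 61508-1 (Tables 2 and 3); each band spans
# one order of magnitude. Ordered SIL 4 .. SIL 1 as (sil, lower, upper).
# Low demand mode is judged on PFDavg (average probability of failure on
# demand); high demand / continuous mode on PFH (dangerous failures per hour).
_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
_PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for(measure: float, mode: str) -> Optional[int]:
    """Return the SIL met by a measured value, or None if worse than SIL 1.

    mode is "low" (measure is PFDavg) or "high" (measure is PFH). A value
    better than the SIL 4 floor still reports 4: the standard defines no
    higher level, so the classification is not extrapolated.
    """
    if mode == "low":
        bands = _PFD_BANDS
    elif mode == "high":
        bands = _PFH_BANDS
    else:
        raise ValueError("mode must be 'low' or 'high'")
    if not 0 < measure < 1:
        raise ValueError("measure must be a probability in (0, 1)")
    for sil, _lower, upper in bands:
        if measure < upper:
            return sil
    return None  # does not reach SIL 1; no safety integrity credit


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified IEC 61508-6 estimate for a 1oo1 channel: PFDavg ~= lambda_DU * TI / 2.

    Assumes no diagnostics and a perfect proof test; a realistic SIL
    verification also folds in common-cause and systematic factors.
    """
    return lambda_du_per_hour * proof_test_interval_hours / 2


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF is the reciprocal of PFDavg; SIL bands correspond to RRF decades."""
    return 1.0 / pfd_avg


if __name__ == "__main__":
    lambda_du = 5e-7  # constructed: dangerous undetected failures per hour
    for interval_h in (8760, 2190):  # annual vs. quarterly proof test
        pfd = pfd_avg_1oo1(lambda_du, interval_h)
        print(f"TI={interval_h}h PFDavg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} "
              f"SIL={sil_for(pfd, 'low')}")
```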
Unfortunately, the application of this numbered system to a process opens much debate. How do you determine if production protection is "major" or "minor"? At what point could a potential injury occur? The method used to derive the SIL designation must be carefully documented using well-established methods.
The first step to determining or designating an SIL is to conduct a process hazards analysis (PHA). PHAs range from simple screening analysis to complex evaluations such as hazard and operability studies (HAZOPs), which employ a multidisciplinary team to methodically examine a process design and determine if hazards or operability problems exist that could result in an accident or other unsafe condition.
A requirement of IEC 61508 is that a target SIL must be assigned for the SIS for any process in which the PHA has concluded that the mechanical integrity of the process and the process control are insufficient to alleviate the potential hazard. The HAZOP should clearly define the risks associated with a process in terms of the likelihood of the hazard occurring, as well as the severity.
It should be noted that the methodology of IEC 61508 extends far beyond the HAZOP process of defining the incident in terms of loss of containment, explosions or hazardous chemical releases. The standard focuses most of the actual evaluation on the potential injury, fatality or other risk to individual persons.
Personnel proficiency
Another significant element of IEC 61508, and a differentiating factor from many other standards, is its personnel competency requirements. All personnel involved in a safety system's development, management, installation, operation or other capacity must meet the proficiency requirements for the specific responsibilities of their task, as defined by the standard for a specific SIL.
Individuals' experience, knowledge, skills and specific training for an application are assessed. Many certification companies have developed qualification procedures to provide consistency. These procedures include such measures as proficiency exams and a review of an individual's background to verify training, experience and references.
Common misconceptions continue to be fueled by individuals satisfied with the manufacturer's product test data. Although these specifications provide pertinent information, the assumption is that the manufacturer repeatedly produces exact duplicates of the product undergoing the testing. One must realize that components are not isolated. Instead, they are part of a sophisticated web of complex systems that must function properly to help ensure plant safety.
You can be confident using system components designed and developed in compliance with IEC 61508. Safety is considered in not only the final test data of the product, but also from the very beginning.
CASS assessment
The framework used by third-party certification companies to assess and certify organizations to IEC 61508 is called the Conformity Assessment of Safety-related Systems (CASS). A "CASS Guide" offers "identifiable deliverables," termed targets of evaluation (TOEs), associated with the applicable clauses of IEC 61508 for the specific assessment.
The first table in the CASS Guide uses 18 TOEs to guide the assessor in the evaluation of a Functional Safety Capability Assessment (FSCA). The FSCA relates strictly to the assessment processes employed by a facility, not the individual components, products or specific operation and maintenance systems. This assessment determines if a company has the necessary safety infrastructure (a quality system such as ISO 9001) to support the safety life cycle. The FSCA must be successful before the remaining assessments will be performed.
The second table in the CASS Guide uses 21 TOEs to guide the assessor in the evaluation of IEC 61508, part one, "General Requirements." This assessment pertains to system integrators responsible for the overall safety function. System integrators might acquire components from suppliers to develop the overall safety function as an SIS.
The third table in the CASS Guide uses 30 TOEs to guide the assessor in the evaluation of IEC 61508, part 2, "Requirements for Electrical/Electronic/Programmable Electronic Systems," and pertains to component manufacturers of SISs.
The fourth table in the CASS Guide uses 45 TOEs to guide the assessor in the evaluation of IEC 61508, part three, "Software Requirements." This assessment pertains to component manufacturers of SISs with software residing in the electrical, electronic or programmable electronic system or with software as a separate component in an SIS. Software cannot be assigned a reliability number because software has "faults" and does not fail randomly. Software faults are systematic failures resulting from the software development processes.
Adler is director of professional development for Moore Industries International Inc., Sepulveda, Calif. Contact him at (818) 894-7111.