Institute of Measurement and Control. Functional Safety 2016

Page 4

Complying with IEC 61508 is a major undertaking for vendors of products, particularly for complex PES logic solvers with many components, diverse hardware modules and software developed using fully variable languages. Meeting and maintaining compliance with IEC 61508 is an ongoing challenge for the life of the product and generally requires working very closely with the independent third-party assessor for the life of the product.

The good news for systems integrators and users is that the functionality introduced to meet the requirements of a specific systematic capability level pays dividends later on when the product is used as part of a safety instrumented system during the realisation and operation phases of the safety lifecycle.

Certification and Systematic Capability

When implementing a Safety Instrumented System it is common to make use of devices which are independently third-party assessed and certified to show that they meet the requirements of IEC 61508. However, neither IEC 61508 nor IEC 61511 actually makes mention of certification for either product or people.

The adoption of certification has proved a useful, arguably necessary, expedient for both manufacturers and end users, but it is important to understand the limits of certification and not misinterpret, and therefore be misled by, the information that appears on certificates and associated reports.

Certificates have traditionally indicated a SIL capability, but this terminology isn’t defined within either IEC 61511 or IEC 61508, so the term systematic capability, which refers to a SIF element rather than the SIF itself, is encouraged as a way to more clearly convey what the certification covers.

First and foremost, a certificate generally states that the device in question was developed in accordance with IEC 61508 and therefore that its systematic safety integrity is of a sufficiently high level to support its use in a SIF of up to the stated SIL level if implemented in accordance with the safety manual.

Where applicable the certificate may also give some indication of what degree of hardware fault tolerance might be required to meet a certain SIL level. This is helpful for assessing architectural constraints. The certificate (or associated report) will also contain failure rate data to allow the calculation of the overall PFDavg for the SIF.

Determining if a Safety Instrumented Function meets a particular SIL from a hardware integrity standpoint requires an assessment of all the components used and of the SIF architecture. So even though a device may carry a certificate that says it ‘meets’ SIL2 and has SC 2, this does not automatically mean that a SIF containing nothing less than SIL2 & SC2 certified equipment can achieve SIL2. This will also depend on the underlying safety data (failure rates, proof test interval, probability of failure on demand etc.) for the components and also on the application.

So don’t forget to always read the report to the certificate and take note of the safety manual. If in doubt, seek clarification from the product manufacturer.
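As an added worked example (not from the paper), the following computes the overall PFDavg of a sensor / logic solver / final element chain from the kind of failure rate data a certificate report provides, using the simplified IEC 61508-6 low-demand approximations, and shows that a chain built entirely from SC 2 elements lands in the SIL 2 band at a one-year proof test interval, drops to SIL 1 at three years, and recovers SIL 2 only when the final element is made 1oo2. All failure rates, proof test intervals and the β factor are constructed values, and the formulas deliberately ignore diagnostics, repair time and the hardware fault tolerance tables.

```python
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    lambda_du: float        # dangerous undetected failure rate, per hour (constructed)
    sc: int = 2             # systematic capability claimed on the certificate
    voting: str = "1oo1"    # hardware architecture used for this element in the SIF
    beta: float = 0.0       # common-cause factor, only used for 1oo2

def pfdavg_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Simplified low-demand approximation: PFDavg ~ lambda_DU * TI / 2 (no MTTR, no diagnostics)."""
    return lambda_du * ti_hours / 2

def pfdavg_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """Simplified 1oo2 approximation with a beta-factor common-cause term (same assumptions)."""
    independent = (1 - beta) * lambda_du * ti_hours
    return independent ** 2 / 3 + beta * lambda_du * ti_hours / 2

def pfdavg_element(el: Element, ti_hours: float) -> float:
    if el.voting == "1oo1":
        return pfdavg_1oo1(el.lambda_du, ti_hours)
    if el.voting == "1oo2":
        return pfdavg_1oo2(el.lambda_du, ti_hours, el.beta)
    raise ValueError(f"unsupported voting {el.voting!r}")

def pfdavg_sif(elements: list, ti_hours: float) -> float:
    """Series chain: the SIF fails if any element fails, so the element PFDavg values add."""
    return sum(pfdavg_element(e, ti_hours) for e in elements)

def sil_band(pfd: float) -> int:
    """IEC 61508-1 low-demand SIL bands for PFDavg; 0 means below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def achieved_sil(elements: list, ti_hours: float) -> int:
    """The SIF's SIL is capped by both its PFDavg band and the lowest SC in the chain (HFT not modelled)."""
    return min(sil_band(pfdavg_sif(elements, ti_hours)), min(e.sc for e in elements))

# Constructed chain: every element carries an SC 2 (or better) certificate.
SENSOR = Element("pressure transmitter", lambda_du=5e-7)
LOGIC = Element("logic solver", lambda_du=1e-8, sc=3)
VALVE = Element("shutdown valve", lambda_du=1e-6)
VALVE_1OO2 = Element("shutdown valve pair", lambda_du=1e-6, voting="1oo2", beta=0.05)
ONE_YEAR, THREE_YEARS = 8760, 3 * 8760
```

Calling `achieved_sil([SENSOR, LOGIC, VALVE], ONE_YEAR)` returns 2, the same chain at `THREE_YEARS` returns 1, and substituting `VALVE_1OO2` at three years returns 2 again, which is the point the text makes about reading the report rather than the certificate alone.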

IEC 61511 E2.0 Device Selection

Para 11.5.2.1 of IEC 61511-1:2016 states:

“Devices selected for use as part of a SIS with a specified SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, as appropriate, or else they shall be in accordance with 11.4 and/or 11.5.3 through 11.5.6, as appropriate.”

So, in short, devices should meet the requirements of IEC 61508 or they should go down the route of “Prior Use” as defined by IEC 61511-1:2010 to help demonstrate systematic capability.