
Institute of Measurement and Control. Functional Safety 2016

Page 5

If devices developed in accordance with IEC 61508 Route 1s are used and the element has been through 3rd party assessment, then systematic capability will have been assessed as part of product development and documented as part of the certification.

Whilst IEC 61511 prior use arguments can also help make the case for systematic safety integrity, this is typically not the case for a logic solver, so it is not 'in scope' for this paper.

Of course, addressing systematic safety integrity for the SIS goes far beyond simply selecting devices with the right SC level. The requirements for Functional Safety Management (FSM) stated in IEC 61511 Part 1 Clause 5 also need to be met.

Synthesis of Elements

It is possible, within IEC 61508, to take an extra credit of SC 1 when voting two elements or devices together. For example, two sensors, each with SC 1, can be voted in a 1oo2 arrangement to achieve SC 2. This is only allowable if there is sufficient independence between the devices, such that circumstances leading to a systematic failure of one element will not also lead to the same failure in the other element. It is not possible to take further additional credits.

If voting identical transmitters, it is important to note that you cannot use the 'synthesis of elements' route to take an extra credit for SC, because both are potentially susceptible to a common cause systematic failure.

In practice it is quite common to vote multiple transmitters to achieve a higher SIL but, in many cases, for practical reasons, these transmitters would be identical rather than diverse. For instance, you might have a 1oo2 or 2oo3 vote of identical "SIL 2 capable" transmitters as part of a SIL 3 SIF. With identical transmitters the synthesis of elements wouldn't be possible, so the SIF would be limited to SC 2 because, with insufficient diversity, you cannot take advantage of synthesis of elements.

This perhaps explains why we see certificates with transmitters certified as SIL 2 and SC 3.
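The synthesis of elements rule described above, written out as a small checker that a reviewer could run over a proposed voted group. This is an added example, not code from the paper; the Element type, the device names and the treatment of a group with mixed SC values as limited by its lowest member are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Element:
    """One device in a voted group, e.g. a transmitter (constructed type)."""
    model: str   # used only to decide whether the devices are identical
    sc: int      # systematic capability claimed on the certificate, 1..4


def synthesis_sc(elements: List[Element], independent: bool) -> int:
    """SC achievable by voting the elements together.

    Rules as stated in the text:
      - identical devices are exposed to the same common cause systematic
        failure, so the synthesis route gives no credit at all;
      - with two or more diverse elements and sufficient independence
        (the engineer's judgement, passed in as `independent`), one extra
        credit of SC 1 may be taken;
      - no further credits, however many elements are voted.
    Assumption: a mixed group starts from the lowest SC in the group.
    """
    if not elements:
        raise ValueError("a voted group needs at least one element")
    for e in elements:
        if not 1 <= e.sc <= 4:
            raise ValueError(f"SC must be between 1 and 4, got {e.sc}")
    base = min(e.sc for e in elements)
    identical = len({e.model for e in elements}) == 1
    if len(elements) >= 2 and independent and not identical:
        return min(base + 1, 4)   # exactly one credit, never beyond SC 4
    return base


def sc_shortfall(target_sil: int, elements: List[Element],
                 independent: bool) -> int:
    """How far the group's SC falls short of the SIF's SIL (0 = adequate)."""
    return max(0, target_sil - synthesis_sc(elements, independent))


if __name__ == "__main__":
    # The paper's case: 2oo3 of identical "SIL 2 capable" transmitters in a
    # SIL 3 SIF. Constructed device names.
    group = [Element("TX-100", 2)] * 3
    print("achieved SC:", synthesis_sc(group, independent=True))   # 2
    print("shortfall vs SIL 3:", sc_shortfall(3, group, True))     # 1
```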

IEC61511 and Techniques and Measures

IEC 61511 encourages the use of appropriate techniques and measures but, unlike IEC 61508, it doesn't give specific detailed requirements and the choice is left open to the user. From a software perspective, part of the reason that IEC 61511 is less prescriptive is because it restricts software to either Limited Variability Languages or Fixed Program Languages.

When application logic is programmed using a Limited Variability Language:

· Programming is simpler.
· Choice of functions is smaller.
· Development environment is more controlled and will protect against some mistakes.
· Less scope to make mistakes.

But it still requires:

· Competent people.
· Good processes and procedures, good project management, good quality management and appropriate verification and validation.
· Independent peer review of code.
· A good specification.