IEC61508: safety first and last can add a competitive advantage

Paul Boughton

In accordance with CENELEC policy, August 2004 marked the deadline for the withdrawal of any national standards that conflict with IEC 61508, the international standard focusing on safety-related systems that incorporate electrical, electronic and/or programmable electronic (E/E/PE) instruments and devices. The question is: who does it affect and what are their responsibilities?

IEC61508 is a massive tome that has taken eight years to produce. It is truly international and all embracing and, although not mandatory, is widely held as a measure of good practice. Increasingly, companies are adopting it not only to demonstrate to regulators that they are protecting their employees and the environment but also to give them a commercial advantage over their competitors.

Even though the final sections of the standard were published by the International Electrotechnical Commission in 2000, the level of understanding and implementation differs widely between industries and even between regulators in different countries.

First we need to be clear about what’s covered. The standard is generic, so it is designed to cover all industrial sectors. It is supported by a number of sector-specific standards that refer upwards to IEC61508, including IEC61511 (process industries), IEC61513 (nuclear generation) and IEC62061 (machinery). These select the relevant clauses of IEC61508 and apply them to the particular issues of the industrial sector.

Because of its generic nature, the range of E/E/PE safety-related systems to which IEC61508 can be applied is extremely diverse. But in every case, the standard applies to the system as a whole, including the measurement transducers and actuators, the human operators and the maintenance. The emphasis is on achieving an acceptable overall level of safety, or safety integrity level (SIL), not on installing the right bits of kit.

IEC61508 is truly global, which means it covers all aspects of the process, including design, operation, maintenance and validation. The standard must also be considered throughout the full life cycle of the process, from inception and initial design, through implementation, operation, maintenance, modification, decommissioning and final disposal. In other words, from cradle to grave.

Increasing safety is all about minimising risk, so next we must define what we mean by risk. Risk is a combination of the probability and severity of an adverse effect – how often can it happen and what will be the consequence if it does?

The standard is concerned with the likelihood of events that can impact on:

  • Safety of personnel.
  • Integrity of the environment.
  • Risk of damage to capital equipment.
  • Risk of lost revenue from lost production.
  • Risk of litigation from any cause.
  • Risk of damage to the company’s image and hence its value.


This effectively means that all processes should be assessed against the standard to determine whether it applies. The tool for identifying and quantifying the risks is a Hazop (hazard and operability) study, which is usually carried out by a team from the plant.

Although IEC61508 is concerned primarily with the integrity of safety systems, it's also important to specify the correct systems in the first place. Why add an extra layer of complexity with an electronic safety system if good engineering design can mitigate the risk in the first place? The Hazop study will help to highlight any areas where risks need to be mitigated.

Once you have determined the risks, you can start to design a system to minimise them. Depending on the severity and frequency of the hazard, the safety system will have to reach one of four safety integrity levels, ranging from SIL1 for relatively low risks to SIL4 for the highest risk applications.

It is important to note here that a SIL is not the property of a component or subsystem, but of the overall safety function. So a manufacturer of a limit switch, valve or other component may promote it as being suitable for, say, SIL2 applications, but that will only be true if it is installed in a compliant safety function and maintained correctly.

All manufacturers can really say is that their products meet certain requirements of IEC61508. They may have published and independently audited figures for the probability of failure on demand (PFD), for instance, which can then be used in the assessment of the element’s hardware reliability. But this is only part of the requirement for SIL compliance of the safety function. The systematic integrity of the element (the qualitative assessment of its ability to meet the requirements of the SIL level) is just as important. Although the standard does not prescribe that it is essential to use certified products to achieve SIL compliance, the task of justification will be much easier if you do.

Once the system is up and running, the next critical activity is the functional safety assessment, which checks that functional safety has actually been achieved. Those carrying out the assessment must be competent and independent, but that does not mean that every company will have to call in the consultants.

The level of independence required ranges from an independent person in the same organisation for SIL1 to an independent organisation for SIL4. The required independence for levels 2 and 3 is affected by factors such as the complexity of the system, the novelty of the design and the experience of the developers.

For smaller companies, even the most basic requirement for independent people from a separate department may have to be met by an external organisation. Companies that have internal organisations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (in terms of management and other resources) from those responsible for the main development, may be able to use their own teams. The key to compliance lies in providing documentary evidence to support the validity of all the data used in the assessment.

The final link in the safety chain is periodic proof testing, which ensures that the safety loop continues to meet the required SIL. Once again the standard provides guidance on what constitutes adequate proof testing, as well as how to calculate the interval between proof tests. There are always conflicts between the ideal proof test interval and the practical availability of the plant to carry out this kind of check. So it is important to consider proof testing at the design stage to avoid unnecessary downtime later while test cycles are carried out.
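The sketch below is an added example, not part of the original article or of the standard's text. It shows why a SIL belongs to the safety function rather than to a component, and how the proof test interval moves the result. It assumes the widely used simplified single-channel approximation PFDavg ≈ λDU × TI / 2 and the low-demand PFDavg bands of IEC 61508; the failure rates and function names are constructed for illustration.

```python
# Added illustration: hardware-reliability part of a SIL check only.
# Systematic integrity and the functional safety assessment are not modelled.

# Low-demand PFDavg bands (lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
HOURS_PER_YEAR = 8760

# Constructed dangerous-undetected failure rates (per hour) for one safety loop.
LOOP = {"pressure_transmitter": 6e-7, "logic_solver": 1e-7, "shutdown_valve": 2e-6}


def pfd_avg(lambda_du, proof_test_interval_h):
    """Simplified single-channel approximation: lambda_DU * TI / 2."""
    return lambda_du * proof_test_interval_h / 2


def sil_for(pfd):
    """Return the SIL band a PFDavg falls in (0 = worse than SIL1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def loop_pfd(elements, proof_test_interval_h):
    """A series loop fails if any element fails, so element PFDs add up."""
    return sum(pfd_avg(rate, proof_test_interval_h) for rate in elements.values())


def max_proof_test_interval_h(elements, target_sil):
    """Interval at which the loop PFDavg reaches the upper limit of the band."""
    upper = next(high for sil, _, high in SIL_BANDS if sil == target_sil)
    return 2 * upper / sum(elements.values())


if __name__ == "__main__":
    ti = HOURS_PER_YEAR  # yearly proof test
    for name, rate in LOOP.items():
        p = pfd_avg(rate, ti)
        print(f"{name:22s} PFDavg={p:.2e}  band=SIL{sil_for(p)}")
    total = loop_pfd(LOOP, ti)
    print(f"{'whole loop':22s} PFDavg={total:.2e}  band=SIL{sil_for(total)}")
    limit = max_proof_test_interval_h(LOOP, 2)
    print(f"SIL2 needs a proof test interval below {limit:.0f} h")
```

With a yearly proof test every element sits in the SIL2 band or better, yet the loop as a whole only reaches SIL1; shortening the interval brings the same hardware into SIL2.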

IEC61508 is continually under review. Parts 1–4 were reviewed last year and parts 1–7 will be updated during the next two years with a full revision in 2008. The maintenance programme for the standard is considering a range of issues including the subject of ‘Proven in Use’ which is in danger of being exploited. The revisions will improve the clarity of the requirements for SIL and the concepts of SIL capability.

There are some new technical issues associated with digital communications and ASICs, but one of the more important outcomes will be the requirement for documented competence for those implementing and managing safety systems and the definition of the content of the ‘Safety Manual’ as the primary document supporting the Safety Instrumented System.

Essentially then, IEC 61508 requires that end users have in place the means to manage functional safety. They need to ensure they have competent people who can operate and maintain E/E/PE safety systems to keep them doing the jobs they were designed for.

Help is available for those companies concerned that they might not have the necessary skills in house. Equipment manufacturers, consultants and even the regulators can all offer support and advice.

However, the ability to offer a true one-stop-shop to address every aspect of compliance is rare. ABB’s Automation Technologies division has a wealth of experience in the field of safety-related systems encompassing the complete safety life cycle for a host of industrial sectors.

Stuart Nunns is Principal Safety Consultant for ABB and Roger Prew is Manager of the Safety Lead Competency Centre in ABB.
