Process owners and fire protection professionals in the oil and gas industry know that functional safety system components such as flame and gas detectors need to be certified for compliance with specific standards, including a facility’s target Safety Integrity Level (SIL). What is not as well known is that the certifying bodies asked to determine SIL compliance may not be accredited to conduct every certification they undertake.
The International Electrotechnical Commission (IEC) defines the requirements for ensuring systems are designed, implemented, operated and maintained to attain a target Safety Integrity Level (SIL). Defined as the relative level of risk-reduction provided by a safety function, the target SIL for an application or process is arrived at through a risk assessment. This target SIL becomes a requirement for the final system, and the specific safety integrity level (SIL 1, 2, 3 or 4) characterizes the development requirements that must be met in order to achieve the overall risk reduction target.
In effect, the SIL requirement determines how the development process must be set up so that one can be reasonably confident the final system will attain the required SIL level. Each component used in the functional safety system must also be certified for compliance with the desired SIL level. Although product certifying bodies can certify to any standard, they may not have accreditation for that standard, which means there is no third-party confirmation of their competency.
SIL doesn’t stand still
As an international safety standards authority, IEC strives to anticipate safety hazards and develop requirements, processes and procedures that anticipate and mitigate them. As voids and weaknesses in the code are identified or new issues and technologies emerge, requirements evolve to bridge the gaps, address the issues and improve the standard. From early editions in 1998 and 2000 to its most current edition, IEC 61508 Series (2010), major modifications have been introduced within the standard. Specifically, IEC 61508 Series (2010) changed or added several requirements, including:
- Traceability. Specification must now provide details of a component’s supply chain and document how a component relates to other components in a sub-assembly or integrated system.
- Redundancy of SIL 2 products and services no longer achieves SIL 3. It is no longer the case that functional system-level certification can be achieved by applying redundancy to SIL 2 components and processes. The only way to achieve SIL 3 functional system certification is by using SIL 3 compliant components in conjunction with SIL 3 certified processes (with or without redundancy) or using redundant SIL 2 compliant components in conjunction with SIL 3 certified processes.
- Treatment of no-effect failures. The FMEDA calculations used now require the exclusion of non-safety, “no-effect failures.” A no-effect failure is the failure of a component that is part of the safety-related circuit, but which has no effect on the functional/system level when it fails. Under edition 2000, no-effect failures were considered safe and could be tallied as such for purposes of calculating the overall safety score. Under edition 2010, no-effect failures cannot be added to the safe side of the ledger for purposes of balancing out unsafe findings.
- Electromagnetic compatibility (EMC) requirements. Electromagnetic immunity is of critical importance to functional safety, and is now mandatory rather than optional.
Components need to be SIL-capable
Functional safety certification addresses how the entire fire and gas detection system meets the requirements and standards set by the regulatory agencies. This is a process that involves conducting an initial safety assessment, determining what actions need to be taken to enhance or upgrade the safety platform, and having the appropriate certifying companies and agencies evaluate the systems. The process also requires determining whether the system’s components and sub-assemblies meet required standards.
It is not uncommon to see safety components and sub-assemblies such as fire detectors referred to as being SIL “certified.” Technically, this is incorrect. SIL certification applies to functional safety processes at the system level and not to components contained in that system. When a device manufacturer refers to its product as certified under SIL, what they are really communicating is that the product has been evaluated against the appropriate set of requirements, has passed them, and is therefore “compliant” with IEC 61508. In effect, the product is “SIL capable,” helping to contribute to the SIL certification of the system in which the product is used.
Not all product certifiers are equally qualified
The relevant accreditation standard for product certifying bodies is ISO/IEC 17065, and IEC 61508:2010 should be explicitly mentioned in the scope of a certifying organization’s accreditation. Companies offering to certify products are numerous and include organizations such as exida, FM, SIRA, UL and TÜV Rheinland. They provide a variety of services when it comes to certification, and each is unique in its capabilities and accreditations. The accreditation bodies that evaluate product certifiers look for conformance with competency standards to ensure that products are evaluated and certified by the product certifier to meet expected performance levels.
The accreditation body seeks to ensure products are properly certified, which generally means:
- The product is labeled with the registered certification mark;
- The product certifier issues certification to a well-recognized test standard that is within the certifier’s scope of accreditation; and
- The product certifier issues certification from one of its recognized facility locations.
Points A and C above are usually well understood and applied. However, not all product certifiers issue functional safety certifications per IEC 61508 within their scope of accreditation (item B above). Such certifications will not include the certification body logo on the certificate. Without this crucial step there is no formal evidence of competency, and safety may be compromised.
Other cautions about SIL certifications
- A SIL-capable certification does not mean that the product is performance approved. A SIL-capable product certificate may list a variety of codes and standards. Such a list must not be mistaken for compliance. It means only that during evaluation such codes and standards were considered.
- Redundancy cannot make a SIL 2-compliant product SIL 3. Another misperception relating to SIL is that the manufacturer of a SIL 2-capable product can claim SIL 3 compliance by simply requiring redundancy (HFT + 1). This is no longer acceptable in the newest version of IEC 61508. The product manufacturer must first prove it has a SIL 3-compliant development process, because process capability is fundamentally necessary as a systematic measure in assuring product design robustness.
- A certification of SIL compliance may not be to current standards. Each SIL certificate includes the standards met, and particularly significant, the year of release of the standard used to issue the certification. Products evaluated to an older standard may or may not meet the current standard. For instance, if a product has been evaluated to the older IEC 61508:2000 (Edition 1) Series released version, a potential buyer needs to be aware that this standard version is less specific and therefore allows for more optimistic Safe Failure Fraction values (therefore less safe) than the most current 2010 (Edition 2) released version.
Products designed to reduce risks in hazardous oil and gas applications must be certified to particular standards, and those who offer product certification are responsible for examining these products to ensure that they meet functional safety requirements. However, not all product certifiers are in a position to certify what a specific application may require. Confirming that a product certifier is accredited for the assessment of conformity to IEC 61508 is a critical step in ensuring the functional safety of fire and gas systems.
The information above is provided for informational purposes only and is not intended to provide professional services or substitute for the review and advice, in any given circumstances, of an appropriate professional. Det-Tronics makes every effort to provide timely and accurate information but makes no claims, promises, or warranty regarding the accuracy, completeness, timeliness or adequacy of the information provided in this paper and expressly disclaims any implied warranties and any liability for use of this white paper or reliance on views expressed in it.
For more information, go to www.det-tronics.com