Safety first and last

2008-10-09 - When it comes to safety, IEC 61508 has it covered. As compliance with the standard becomes a requirement for an increasing number of companies, Stuart Nunns, manager of safety critical consultancy for ABB and Roger Prew, manager of safety systems for ABB, explain the ins and outs of achieving it.

Known by some as the mother of all safety standards, IEC 61508 is truly international. Although it is not mandatory it is a widely held measure of good practice, so companies are adopting it for a variety of reasons, including commercial advantage, contractual obligations, or to demonstrate to regulators that they are protecting their employees and the environment. Recent inquiries into major incidents provide further support of the increasing importance of IEC 61508 and its sector standard IEC 61511 where such standards have been used as a benchmark of what constitutes acceptable good practice.

There are strong regulatory and social demands for businesses to demonstrate they have exercised their duty of care by providing a safe, reliable operation with full documentation and decision traceability: this is where 61508 and 61511 can help.

Yet even though the final sections of the standard were published by the International Electrotechnical Commission as far back as 2000, the level of understanding and implementation differs widely between industries and even between regulators in different countries.

First we need to be clear about what’s covered. The standard is generic, so it is designed to cover all industrial sectors. It is being followed up by a number of sector-specific standards that refer upwards to IEC 61508. For example, IEC 61511 was published in 2003 to cover the process industries, and since then 61513 covering nuclear generation, 62061 for machinery and 61800-5-2 for power drives have been published.

Because of its generic nature, the range of E/E/PE safety-related systems to which IEC 61508 can be applied is incredibly diverse. But in every case, the standard applies to the system as a whole, including human operators where relevant. The emphasis is on achieving an acceptable overall level of safety, or safety integrity level (SIL), not on installing the right bits of kit.

IEC 61508 is global, which means it covers all aspects of the process, including operation, maintenance and validation. The standard must also be considered throughout the full life cycle of the process, from inception and initial design, through implementation, operation, maintenance, modification, decommissioning and final disposal. In other words, from cradle to grave.

Increasing safety is all about minimising risk, so next we must define what we mean by risk. Risk is a combination of the probability and severity of an adverse effect - how often can it happen and what will be the consequence if it does?

The standard is concerned with the likelihood of events that can have an impact on:
· Safety of personnel
· Integrity of the environment
· Risk of damage to capital equipment
· Risk of lost revenue from lost production
· Risk of litigation from any cause
· Risk of damage to the company’s image and hence its value

This effectively means that all processes should be assessed against the standard to determine whether it applies. The tool for spotting and quantifying the risks is a Hazop (Hazard and Operability Study), which is usually carried out by a competent team from the plant.

Although IEC 61508 is concerned primarily with the integrity of safety systems, it’s also important to specify the correct systems in the first place. Why add an extra layer of complexity with an electronic safety system if good engineering design can mitigate the risk in the first place? The Hazop study will help to highlight any areas where risks can be eliminated.

Once you’ve determined the risks, you can start to design a system to minimise them. Depending on the severity and frequency of the hazard, the safety system will have to reach one of four safety integrity levels, ranging from SIL1 for relatively low risks to SIL4 for the highest risk applications.

The specification of safety requirements, including a description of each safety function (determined from hazard analysis) and its target safety integrity level (determined from the risk assessment), is essential, and both 61508 and 61511 provide guidance on the contents of a safety requirements specification (SRS). However, this is proving a challenging activity on many safety projects! Research undertaken by the UK Health and Safety Executive relating to failures of 34 control and safety systems concluded that 44% of these failures could be attributed to the requirements phase and its activities. So, effort expended in developing comprehensive safety requirements can reap savings later on in the safety lifecycle!

There are significant benefits to the parties involved in needing the SRS (the party having responsibility for developing the SRS and the party requiring the SRS in order to undertake the integration process) engaging in a dialogue at an early stage. Early dialogue facilitates the concept of partnership working and can be of advantage to both parties.

It’s important to note here that safety integrity and SIL are system concepts and it is incorrect to use these terms in other ways, e.g. ‘a SIL 2 instrument’. So a manufacturer of a limit switch, valve or other component may promote it as being suitable for, say, SIL2 applications. The revisions to 61508 will introduce the term Systematic Capability, to characterise the systematic safety integrity of the element or subsystem. For example, the systematic capability of instrument x is SIL 2 for the specified safety function.

So, for a specified safety function of SIL X, each subsystem will need to achieve a Systematic Capability of at least SIL X. In addition it has to be installed and maintained correctly in order to maintain its safety performance.

In order for manufacturers to say that their product meets certain requirements of IEC 61508, they should design their systems to limit both systematic and random hardware failures. This will entail a design strategy for systematic safety integrity (specifying packages of techniques and measures) to combat systematic failures, and a design strategy for hardware safety integrity (consisting of the architectural constraints for the specified SIL and quantifying random hardware failures against the target failure measure) to combat random hardware failures.

They may have published and independently audited figures for the probability of failure on demand (PFD), for instance, which can then be used in the assessment of the safety function. However, there is more to achieving the target SIL for each function than just the PFD; PFD is only one facet of hardware safety integrity. Whilst it’s not essential to use third-party certified products to achieve SIL compliance, the task of justification will be much easier if you do. If you do use third-party products, then ensure that hardware safety integrity and systematic safety integrity are both fully addressed.

During the development of the system a critical activity is the functional safety assessment, which checks that functional safety has actually been achieved. This could span several organisations, and the people carrying out the assessment must be competent and independent, but that doesn’t mean that every company will have to call in the consultants. 61511 provides more guidance on those safety lifecycle phases requiring functional safety assessments. Whilst this is a necessary and beneficial activity for all parties, the evidence to date suggests that it is performed infrequently.

The level of independence required of the assessor ranges from an independent person in the same organisation for SIL1 to an independent organisation for SIL4. The required level of independence for levels 2 and 3 is affected by additional factors such as the complexity of the system, the novelty of the design, the novelty of the technology and the previous experience of the developers.

For some smaller companies, even the most basic requirement for independent people from a separate department may have to be met by an external organisation. On the other hand, companies that have internal organisations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (in terms of management and other resources) from those responsible for the main development, may be able to use their own teams.

The key to compliance lies in providing documentary evidence to support the validity of all the data used in the assessment.

The final link in the safety chain is periodic proof testing, which ensures that the safety loop continues to meet the required SIL. There is still confusion as to the differences between a proof test and a functional test.

Proof tests are performed to detect failures in a safety-related system (consisting of safety functions) so that, if necessary, the system can be restored to an “as new” condition, or as close to that condition as is practical. A functional test, on the other hand, usually relates to the testing of a safety-related system to ensure that the specified safety function is working correctly. Both 61508 and 61511 provide guidance on what constitutes adequate proof testing, as well as how to calculate the interval between proof tests. There are always conflicts between the ideal proof test interval and the practical availability of the plant to carry out this kind of check. So it’s important to consider proof testing at the design stage to avoid unnecessary downtime later while test cycles are carried out.
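As an added illustration (not code from the article or from ABB) of how the SIL target, the PFD figures and the proof test interval fit together, the script below uses the widely used simplified approximation PFDavg ≈ λDU × T / 2 for a 1oo1 element and the IEC 61508 low-demand PFDavg bands to find the longest whole-year proof test interval that still keeps a loop within its target SIL. The element failure rates are constructed for the example and are not vendor figures.

```python
# Added worked example, not from the ABB article. Checks a simple 1oo1
# safety loop against the IEC 61508 low-demand SIL bands and finds the
# longest whole-year proof-test interval that still meets the target SIL.
# Uses the standard simplified approximation  PFDavg ~= lambda_DU * T / 2
# (lambda_DU = dangerous undetected failure rate per hour, T = proof-test
# interval in hours). Failure rates below are constructed for illustration.

HOURS_PER_YEAR = 8760

# IEC 61508-1 target failure measures, low-demand mode: PFDavg in [low, high).
SIL_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}


def pfd_avg(lambda_du_per_hour, proof_test_interval_hours):
    """PFDavg of a single 1oo1 element for the given proof-test interval."""
    return lambda_du_per_hour * proof_test_interval_hours / 2


def loop_pfd_avg(element_rates, proof_test_interval_hours):
    """PFDavg of a series loop (sensor, logic solver, final element):
    approximately the sum of the individual element PFDs."""
    return sum(pfd_avg(r, proof_test_interval_hours) for r in element_rates.values())


def sil_from_pfd(pfd):
    """SIL band the PFDavg falls into; 0 means it does not even reach SIL 1."""
    if pfd < SIL_BANDS[4][0]:
        return 4  # below the SIL 4 band floor, so at least SIL 4
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def max_proof_test_interval_years(element_rates, target_sil, max_years=10):
    """Longest whole-year interval (1..max_years) that keeps the loop at or
    above target_sil; 0 if even annual proof testing is not enough."""
    best = 0
    for years in range(1, max_years + 1):
        if sil_from_pfd(loop_pfd_avg(element_rates, years * HOURS_PER_YEAR)) >= target_sil:
            best = years
    return best


# Constructed example loop: dangerous undetected failure rates per hour.
EXAMPLE_LOOP = {"pressure transmitter": 2e-7, "logic solver": 1e-8, "shutdown valve": 5e-7}
```

For the constructed loop, annual testing gives a PFDavg of about 3.1e-3 (SIL2), the interval can stretch to three years before it drops to SIL1, and no practical interval would reach SIL3 without a better architecture or lower failure rates.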

Essentially then, IEC 61508 and IEC 61511 require that end users have in place the means to manage functional safety. They need to ensure they have competent people who can operate and maintain E/E/PE safety systems to keep them doing the jobs they were designed for.

There is help available for those companies concerned that they might not have the necessary skills in house. Equipment manufacturers, consultants and even the regulators can all offer support and advice. However, the ability to offer a true one-stop-shop to address every aspect of compliance is rare. ABB’s Automation Technologies division has a wealth of experience in the field of safety-related systems encompassing the complete safety life cycle for a host of industrial sectors. ABB UK now has a Safety Execution Centre (SEC) offering safety systems integration based on a Functional Safety Management system certified by TUV for compliance with 61508 and 61511.

By applying this experience, ABB can offer the consultancy and expertise to make sure you’ve got it covered when it comes to meeting the demands of IEC 61508.

[Image caption: ABB can advise on all aspects of IEC 61508]