Proven in prior use: a DIY challenge

Australian and international safety standards permit users to apply a ‘proven in prior use’ methodology to justify their safety integrity level (SIL)-rated safety instrumented system (SIS) equipment. But, before you choose that option, be sure you can accept the responsibility and you have the proper tools and procedures.

Consider the case where your plant has just completed an internal audit of your facility’s existing SIS. As expected, you confirmed that your systems do not meet the full IEC/AS 61511 requirements and now you are faced with bringing those systems into compliance with the standards. However, you believe your plant is relatively safe and you have standardised most of your existing safety system equipment (and a good fraction of your other control instruments) on a few manufacturers’ makes and models.

One of the questions your SIS team has raised is: ‘Do any of our existing instruments meet the prior use requirements described in Section 11.5.3 of IEC/AS 61511-1?’ (see sidebar: 61511’s Prior Use Language). In other words, ‘Are our installed instruments suitable for SIL-rated applications and can we show this ourselves?’

This is a common question. When you read the relevant sections of IEC/AS 61511-1 and the accompanying guidelines in IEC/AS 61511-2, it is easy to see the source of confusion. The standard is short on details and explanations. The confusion grows when users only select guidelines and examples that justify their own interpretation of ‘prior use’.

Understanding the requirements

Three things must be true for an instrument to be used properly in a SIL-rated safety application. First, each instrument must meet the application requirements, as is true for all control elements. Second, each instrument’s design must meet a sufficient safety integrity level. And third, the entire safety function must meet the SIL requirements for probability of failure on demand (PFDavg) and any additional architectural fault tolerance constraints. Since fit-for-service application requirements are usually well understood, and the calculation tools to determine the PFDavg and architectural constraints are generally available commercially, the focus is on the less understood design requirements for each instrument.

The design requirements for safety integrity can be confirmed by one of two methods. The first is a ‘prior use’ assessment, usually done by the end user. As mentioned above, the standards do not provide much detailed guidance. The idea is to prove that a component has demonstrated its performance long enough and under enough different conditions to justify relying on it as part of a SIL-rated safety instrumented function. The second method to confirm an equipment item for SIL-rated applications is third-party assessment of the device’s design ‘in accordance with’ IEC 61508.

As a result, a number of third-party expert certification agents such as exida Certification (Geneva, Switzerland), FM Global (Norwood, MA), or one of the three TÜV companies (Cologne, Munich and Essen, Germany) now exist. Each certifying organisation has developed its own elements testing and certification procedures following a thorough process. They verify that an element’s hardware and software, as well as its manufacturing and quality control procedures, provide sufficient safety integrity and have applied the appropriate systematic failure management techniques in accordance with IEC 61508 requirements.

If you are looking at assessing your own equipment under the prior use path, you are first faced with the direct question, ‘How much operating experience is required to make sure a product can be applied at a given SIL?’ This is quickly followed with, ‘What other things do I need to demonstrate that my equipment meets these SIL requirements?’

Comparing against a third-party safety integrity certification

During a third-party IEC/AS 61508 equipment certification process, assessors look closely at the design aspects of both mechanical components and/or electrical components. Each analysis includes the element’s failure modes, fail-safe v fail-danger, any claimed automatic diagnostics, as well as internal redundancy. The result of all this scrutiny is typically a set of quantitative failure rates that eventually may be used by the control or safety system engineer to verify safety suitability for a particular application.

Third-party certification assessors also look closely for design mistakes by analysing the complete element design process, including specification and design methods, design tools, testing methods, review techniques and documentation. Additionally, because any type of modification (eg mechanical, software, etc) can introduce new faults, assessors conduct thorough examinations of the manufacturer’s change management processes.

All these various analyses should result in a ‘safety case’ that describes in significant detail how the element manufacturer meets each requirement of IEC/AS 61508. Additionally, the safety case should be summarised in a certification report that is openly available to all prospective buyers.

Each SIS element assessment also results in a SIL capability rating and the element is justified for use in a safety instrumented function up to that defined SIL. For example, an element with a SIL 2 capability could be used in any safety instrumented function with a SIL 2 or lower risk reduction requirement. Such elements should never be used in a SIL 3 application unless an additional proven-in-use or prior use justification has been completed.

Buyers of third-party certified SIS elements or subsystems should also receive audited documentation on how to use the element in a safety application, along with a full set of information about failure rates, failure modes, useful life limits, suggested proof test procedures, application limitations — and documentation that the production of the element is in accordance with the functional safety management (FSM) procedures.

All of these applications, performance, systematic error management and documentation requirements should be met with a competent third-party assessment from a well recognised assessor. Also, for most equipment, the equipment provider pays for the assessment. As a result, they are usually able to divide out the assessment cost over all of the units sold so the cost that any one user pays for the certification is greatly reduced.

It is worth remembering a comment from the ARC Advisory Group: “The user safety manual for a good safety system is very thin, with a minimal number of restrictions. Beware of a thick safety manual; it indicates that there are many complexities and limitations associated with the application of the safety-related elements in a SIS.”

Doing it yourself

To pursue the DIY path to using equipment in SIL-rated applications, we still need to fully answer our two questions about how to show whether our installed equipment meets the prior use requirements described in Section 11.5.3 of IEC 61511-1.

Fortunately, IEC/AS 61508 provides some specific guidance on the first question about the amount of operating experience required. For a given version of a given safety element, 100,000 unit hours should be used for elements targeted for SIL 1 applications and 10,000,000 unit hours for elements targeted for SIL 3 applications. SIL 2 would correspondingly fall in at 1,000,000 unit hours. On top of the raw unit hours, the standard requires that you also show that all dangerous failures have been detected and recorded. This translates into the rather challenging requirement that your proof testing procedures and associated documentation must be close to 100% effective.

As you might expect, the formal list of other requirements in answer to our second question is also substantial. So, the most accurate answer on meeting the requirements to prove in prior use is, you can do it yourself if you also have the following for each safety function:

• A clear description of the elements, including design revision information;
• Reliability data for identical or very similar applications, including applicable conditions (restrictions) for use of that element;
• The element’s diagnostic coverage and safe fail fraction (SFF) per IEC 61508-2 Annex C, including:
  • performed failure mode and effect analysis to determine the effect of each element on the subsystem and safety function;
  • categorised each failure mode as safe or dangerous;
  • calculated the probability of safe and dangerous failures;
  • estimated the fraction of safe and dangerous failures that are detected by the diagnostics tests; and
  • calculated the element or subsystem SFF;
• Compliance results of safety-related operating software in all elements as defined in IEC 61508-3;
• Testing intervals established that ensure achieving the average probability to fail on demand; and much, much more.

In short, you can make the choice to do it yourself if you have essentially duplicated the design, documentation, review and certification process that element manufacturers and third-party assessors have developed and maintained for each of their ‘certified as suitable for use’ SIS elements. This is probably manageable for extremely basic components such as a thermocouple or cabling, and, if we have our procedures in good order, maybe our transmitters as well. But it becomes much more difficult to make the choice to ‘prove’ for more complex valve and actuator assemblies and a downright mess for ‘smart’ elements and other programmable devices.

Summary

So, the answer is that you can demonstrate that your existing equipment meets the ‘proven in prior use’ requirements for SIL-rated applications. But, before you pursue safety integrity justification via a prior-use, self-certification path, consider the fact that following an incident, accident investigation teams from regulatory agencies will review everyone and everything, including your element self-certification process. And, because investigators will be looking for the use of, and conformance to, ‘good engineering practices’, they will expect your self-certification process to be every bit as rigourous and thorough as the corresponding third-party certified equipment path. So, when all is said and done, you may not really want to do it yourself for anything but the most basic safety system components.
 

exida
www.exida.com
 

*Dr Eric Scharpf has 20 years of professional experience in process safety applications. He is widely recognised as an expert in optimally applying safety instrumented systems to operating plant applications. Dr Scharpf is a partner at exida and has written the widely used ‘Safety Integrity Level Selection’ text.

*Dr William Goble has over 30 years of professional experience and is widely recognised as an expert in programmable electronic systems analysis, safety and high availability automation systems, automation systems new product development and market analysis. Dr Goble is a principal partner at exida and has written two widely used books on topics of safety and reliability modelling, including Control Systems Safety Evaluation and Reliability.