excellence in dependable automation

Tales from the inside the instrument IEC 61508 Certification

Mnchen, Germany +49-89-49000547 Sellersville, PA., USA +1-215-453-1720 email: wgoble@exida.com

Copyright exida 2001..2008

Introduction
William Goble
William Goble has over 30 years of professional experience. His areas of expertise include safety and high availability automation systems, automation probabilistic analysis, new product development and market analysis. He developed many of the techniques used for probabilistic evaluation of safety and high availability automation systems. He was formerly Director, Critical Systems at Moore Products where job duties included marketing, design and development and engineering project management. He has written three books on topics of safety and reliability modeling. He is a fellow member of ISA. He has published many papers and magazine articles. Dr. Goble has a BSEE from Penn State, a MSEE from Villanova and a PhD from Eindhoven University of Technology in Eindhoven, Netherlands.

Independent and neutral

The exida team

Development
former Development Managers (Siemens, Moore) former TV Managers former Certification Assessors

Safety Certification

Instrumentation Engineers (Air Products, Exxon, PDVSA, Honeywell, Siemens, etc.)

Application Design + Operation

Functional Safety Standards

100 90 80 70 60 50 40 30 20 10 0

ANSI/ISA 84.01-2004

IEC 61511
IEC 61508 Parts 1,2,4

IEC 61508 Parts 3,5,6,7

1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
ISA S84.01-1996 Published

Year

Is your company implementing or planning on implementing the ISA 84.01 Functional Safety Standard?

IEC 61511 Equipment Justification

Application Fit Justification
Make sure that the equipment performs the needed functions and is fully compatible with the environment and process.

Safety Integrity Justification

Equipment used in safety instrumented systems must be chosen based on either IEC 61508 certification to the appropriate SIL level or justification based on prior use criteria

Prior Use ???

Prior use generally means:
We do not have the failure data! a user company has many years of documented successful experience (no dangerous failures) I do not want to take responsibility for with a particular version of a particular instrument equipment justification! this can provide justification for using that We do not take the time to record all instrument even if it is not safety certified. instrument failures! Operating conditions must be recorded and must This is a new instrument! be similar to the proposed safety application. I cannot justify PRIOR USE!

Copyright exida 2001..2008

Alternative for safety integrity justification IEC 61508 Full Certification The end result of the certification process is a certificate listing the SIL level for which a product is qualified and the standards that were used for the certification. A good certification assessment will demonstrate high design quality for hardware, software and high manufacturing quality. A good certification assessment will check to see that proper end user documentation is provided The Safety Manual

Trend toward 61508 certified instruments

IEC 61508 Certification is a measure of design quality.
IEC 61508 Certification provides fully justifiable equipment selection without safety integrity documentation created by the end user.

More and more products are getting IEC 61508 Certification:

30 25 20

From exida Process Measurement Instrument Market report

15 10 5 0
0' 2 96 97 98 99 00 01 03 04 05 06 20 19 19 19 19 20 20 20 20 20 20 20 07

Number of IEC 61508 Certified Sensors

What does an instrument manufacturer have to do?

1. Hardware - meet PFDavg expectations for target SIL via:
Low failure rates, fail-safe design High diagnostic coverage 2. Hardware - Meet SFF requirement for target SIL. 3. Software - Meet software process requirements for target SIL, systematic fault avoidance

Full Product Certification

User Documentation - 5 Certify the process 3,4 Hardware 1,2

4. Product - Meet design process requirements for target SIL, systematic fault avoidance
5. Produce Safety Manual for User

Hardware Analysis
Based of warranty data analysis or field failure data analysis Industry

Product Database COMPONENT DATABASE Product Product Failure Modes Diagnostic Coverage Failure Mode Distribution Compare

Draft Component s

FMEDA

Feedback to update database

An FMEDA is an analysis technique used in IEC 61508 Certification. It is a detailed, systematic review of the design looking at every part in the design.
Copyright exida 2001..2008

What are the results of the FMEDA ? Failure Rates: lS (Failure rate of all safe failures)

lSD (Failure rate of all safe detected failures) lSU (Failure rate of all safe undetected failures)

lD (Failure rate of all dangerous failures) lDD (Failure rate of all dangerous detected failures) lDU (Failure rate of all dangerous undetected failures)

Calculation of SFF

Product Failure Data Example from FMEDA

FMEDA Fault Insertion Test

Fault Insertion Tests (F.I.T.) verify the theoretical FMEDA with actual product reactions to faults
Simulate component failures and test that diagnostics perform as expected.
Verify software contribution to fault handling F.I.T. suites driven from FMEDA to test each diagnostic and functional failure mode.

exida Safety Case Database

Requirements Arguments Assessment

Audit Lists Evidence

Copyright exida 2001..2007

Independent Assessment Process

Define Scope Review FSM Plan + Procedures Assess System & Software Architecture
Assess Safety Case Review Design documentation On-site Audits Review Testing Problems? Assessment report Certificate Independent Audit Complete Safety Case Checklist

Assessment Plan
Complete Safety Case Checklist

Application Safety Requirements Milestones Role allocation + Competence System FMEA Partitioning + Safety Criticality Software + IC On-Chip Redundancy Physical & Logical Independence Common Cause Requirements Tracking FMEDA & Fault Insertion Tests Test Specification Safety Manual Implementation of procedures Competence

Complete Safety Case Checklist

Safety Manual Test execution

Copyright exida 2001..2008

Experience
Design Quality? Does everyone pass? NO a majority fail initial audits
Hardware A transmitter has shipped over 25,000 units and has been shipping for nearly 5 years. The FMEDA analysis quickly showed that when the microprocessor clock stops, the 4 20 mA output freezes! Hardware A valve has been shipping for nearly two years. The tool verification check showed that mechanical tolerances were incorrectly translated by a CAD tool revision such that the valve would bind at high temperatures! Hardware A transmitter has shipped over 200,000 units and has been shipping for nearly 3 years. A Fault Injection Test showed that diagnostics simply did nothing. Component failures in the transmitter could cause drifting outputs and this situation would not be revealed. Hardware A valve manufacturer has been making a particular ball valve design for thirty years. The product is clearly field proven. A purchasing agent changed vendors on a critical part. The new part was not quite the same material and many field failures resulted. IEC 61508 requires that the design specify exact parts with a qualification procedure needed for all changes including a new vendor.

Experience
Design Quality? Does everyone pass? NO a majority fail initial audits
Software a major transmitter supplier created a strong IEC 61508 complaint software process. It was to be used ONLY on SIL products as the documentation and testing BURDEN were so high. After experiencing fewer problems at final test and fewer field problems the IEC 61508 design process is being used for all software. Software the computing power and operating systems inside a transmitter of today is clearly comparable to the DCS Main Processor of 1990. Field instruments today are sophisticated and complicated.

Are IEC 61508 Products Available?

IEC 61508 Certified Products: Pressure Transmitters Temp. Transmitters Flow Transmitters Level Transmitters PLCs

Trip Amps, modules

Actuators Solenoids

Valves

IEC 61508 PLC Certification

19

IEC 61508 Pressure Transmitter Certification

IEC 61508 Solenoid Valve Certification

21

Read more about Functional Safety ISA and others have several best sellers for automation safety and reliability

excellence in dependable automation

Questions?