SIL certs can seriously impair plant safety
28 Jan 2008
IEC61508, and particularly its process-industry application IEC61511, is gaining ground strongly for high-integrity safety instrumented systems. However, most of industry is still naively asking for certification that the standard does not require and has never needed, while ignoring its basic essentials. How long can this really go on?
Far too many companies specify in their enquiry that SIL certificates for the components are required and that certified experts should be employed. They fail to ask for either the safety manuals or the reports that contain the data, and also fail to ask for proof of functional safety management. What is most deeply regrettable about this state of affairs is that neither of the former appears anywhere in the standard, while both of the latter are fundamental requirements of it.
What is being said here is not as new as many might think. A number of articles have appeared over the past five years under titles such as “The myth of the SIL 3 widgit”, but the difference now is that what is continuing to be promoted is becoming increasingly dangerous and increasingly irresponsible.
A project with which I am involved is being undertaken by several contractors and the different parties are developing the design for an oil terminal. One of the parties wishes to use a particular “SIL 2 certified” PLC. The safety manual for the PLC shows that the basis of the claim and the basis of all the reliability data assumes that the PLC is being used for 16 hours per day, 5 days per week, 52 weeks per year.
Of course the oil terminal needs to operate 24 hours per day, 7 days per week, 365 days per year. So I have no useable safety and reliability data for this product and yet the top management is angrily saying that the PLC has a SIL 2 certificate and I should stop putting obstacles in the way of using it.
The standard never asked for certificates. PLCs are the one device where third-party certification is at its most useful, but let us get the emphasis right: I need the report. A certificate without a report is a total waste of paper. I need the report. PLCs are so complex that a comprehensive report is a really important item to ask for, and when it's backed by a third party then that is great. But I don't actually need the certificate; what I need is the report.
So why is it that many of the companies that get a certificate then refuse to release the reports? They claim things like proprietary or commercially confidential information is in the report. This claim is heard for all sorts of products from valves and transmitters to PLCs.
Is that reasonable? No. Let’s be completely clear: if you don’t have the safety and reliability data then you can’t use the product. And at that point it doesn’t matter what the certificate says, or how many badges are on it, or how pretty the certificate looks. Without the safety and reliability data you cannot use the product. It is the data that is the absolutely essential part required by the standard. The designer is helpless without reliability data.
The promotion of certificates as being valuable and important has encouraged purchasers to ask for certification which is not required by the standard, whilst failing to ask for the safety and reliability data that is required by the standard.
The dangerous impact of this false requirement for certificates doesn’t just stop there. A package plant was supplied in the UK where certificates were delivered for the transmitters and the safety PLC, but no information was delivered showing the reliability of the total loop, its proof-testing requirements, use of diagnostics or any other important requirements of a safety loop.
Nonetheless, at every level of the company they thought the certificates meant they had an approved safety system with the package. When the “SIL 2 certified” transmitter failed, the instrument engineer found another “SIL 2 certified” transmitter in stores from a different manufacturer. He then replaced the failed unit and carried on until the visit of the safety inspector who asked the instrument engineer how he had adjusted the proof test interval to suit the change of transmitter.
This was a completely new and baffling question for the instrument engineer, who thought he had simply done the sensible thing of swapping one approved transmitter for another. Of course reliability is a function of testing and maintenance as well as design: the proof-test interval that was adequate for the original transmitter's failure rate is not automatically adequate for a different device's. Therefore the testing and maintenance plan for a safety loop is essential. In this case, however, the certificates had completely misled everyone involved into thinking that what they had was safe. And, sadly, it is not an isolated example.
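The following is an added worked example, not code from the article, showing in numbers why the inspector's question matters. It uses the simplified low-demand equation from IEC 61508-6 / IEC 61511 for a single-channel (1oo1) element, PFDavg ≈ λDU × TI / 2, and the low-demand SIL bands of IEC 61508-1 Table 2. Every failure rate, PFD budget and test interval in it is a constructed, hypothetical figure chosen for illustration; in practice each comes from the device's safety manual or FMEDA report, which is exactly the data the certificates on the package did not supply.

```python
"""Added worked example (not from the article): why a replacement transmitter
changes the proof-test interval of the loop, using the simplified low-demand
PFDavg equation from IEC 61508-6 / IEC 61511 for a single-channel (1oo1)
element:

    PFDavg ~= lambda_DU * TI / 2

    lambda_DU  dangerous undetected failure rate, per hour (from the safety
               manual / FMEDA report, never from the certificate)
    TI         proof-test interval, hours

All failure rates, PFD budgets and intervals below are constructed for
illustration; real figures come from the device's own safety manual.
The simplified form ignores repair time, diagnostics and common cause.
"""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands, IEC 61508-1 Table 2: lower bound inclusive, upper exclusive.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Average probability of failure on demand for one channel, simplified form."""
    if lambda_du is None:
        # The article's point: without safety/reliability data the element cannot be used.
        raise ValueError("no lambda_DU available: the element cannot be assessed")
    return lambda_du * ti_hours / 2.0


def sil_from_pfd(pfd_avg):
    """SIL achieved by a loop PFDavg, or 0 if it does not reach SIL 1."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def max_proof_test_interval(lambda_du, sensor_pfd_budget):
    """Longest TI (hours) that keeps the sensor within its PFD share of the loop."""
    return 2.0 * sensor_pfd_budget / lambda_du


def assess_loop(sensor_lambda_du, ti_hours, logic_solver_pfd, final_element_pfd):
    """Loop PFDavg = sum of subsystem PFDavg values (series, no common cause modelled)."""
    sensor_pfd = pfd_avg_1oo1(sensor_lambda_du, ti_hours)
    loop_pfd = sensor_pfd + logic_solver_pfd + final_element_pfd
    return {"sensor_pfd": sensor_pfd, "loop_pfd": loop_pfd, "sil": sil_from_pfd(loop_pfd)}


# Constructed data for the story in the article (all hypothetical) ------------
ORIGINAL_TX_LAMBDA_DU = 1.0e-7     # per hour, hypothetical original transmitter
REPLACEMENT_TX_LAMBDA_DU = 6.0e-7  # per hour, hypothetical "SIL 2 certified" substitute
LOGIC_SOLVER_PFD = 5.0e-4          # hypothetical, from the PLC's own safety manual
FINAL_ELEMENT_PFD = 2.0e-3         # hypothetical, valve + solenoid at their own interval
SENSOR_PFD_BUDGET = 2.5e-3         # hypothetical sensor share of a SIL 2 loop target < 1e-2
PLANNED_TI_HOURS = 4 * HOURS_PER_YEAR  # interval originally set for the first transmitter


def swap_transmitter_example():
    """Re-run the loop assessment after the transmitter from stores is fitted."""
    before = assess_loop(ORIGINAL_TX_LAMBDA_DU, PLANNED_TI_HOURS,
                         LOGIC_SOLVER_PFD, FINAL_ELEMENT_PFD)
    after = assess_loop(REPLACEMENT_TX_LAMBDA_DU, PLANNED_TI_HOURS,
                        LOGIC_SOLVER_PFD, FINAL_ELEMENT_PFD)
    required_ti = max_proof_test_interval(REPLACEMENT_TX_LAMBDA_DU, SENSOR_PFD_BUDGET)
    return before, after, required_ti


if __name__ == "__main__":
    before, after, required_ti = swap_transmitter_example()
    print(f"original transmitter, TI {PLANNED_TI_HOURS / HOURS_PER_YEAR:.0f} y: "
          f"loop PFDavg {before['loop_pfd']:.2e} -> SIL {before['sil']}")
    print(f"replacement transmitter, same TI: "
          f"loop PFDavg {after['loop_pfd']:.2e} -> SIL {after['sil']}")
    print(f"replacement needs TI <= {required_ti / HOURS_PER_YEAR:.2f} y "
          f"to stay within its sensor PFD budget")
```

With these constructed figures the loop sits in SIL 2 with the original transmitter on a four-yearly test, drops to SIL 1 when the higher-λDU substitute is fitted and the test interval is left unchanged, and the substitute only meets its sensor budget if it is proof-tested roughly every eleven months. Both devices could carry a "SIL 2" certificate; the certificate says nothing about the interval, and only the λDU from the safety manual lets the engineer recalculate it.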
The standard requires functional safety management of everyone: not just the expert, not just the technician, but everyone (even including purchasing department). To have a certified expert and to fail to have functional safety management is to absolutely fail to comply with the standard.
Of course, it may well be right, having put functional safety management in place, to find that one of the certified expert courses is an appropriate way to meet the training needs of someone in the team; but that decision arises out of functional safety management, not instead of it.
The emphasis must be right: the standard requires functional safety management; the standard does NOT require a certified safety expert (see IEC61508 Part 1 clause 6, "Management of functional safety"; the matching requirement exists in all the sector standards, e.g. IEC61511 Part 1 clause 5).
The current certified safety expert exams concentrate on the design of safety instrumented systems, so they do not produce expertise in other areas such as SIL assessment (although the courses do partially cover the subject). Yet the title "certified safety expert" makes far too many contractors and end-users assume that the holder is expert at everything. So yet again this approach is presently undermining safety, and it further reveals that the contractors and end-users have failed to put functional safety management in place.
Of course, one of the profound ironies of all this is that the same companies that promote the certificates they produce and the experts they certify also claim to be the leading experts in IEC61508 and its sector guidance standards.
That claim will only gain genuine integrity when the report is promoted by those companies as being the essential requirement for the customer and the certificate as optional, and when they promote functional safety management as being the essential requirement of the standard and the certified experts as optional.
In other words, the claim that such certification companies are the leading centre of expertise in IEC61508 is a hollow claim as long as their foremost promotions are certificates and experts when neither are required by the standard.
If safety is to be real then we must promote functional safety management. This must be top of the certification companies’ agenda and not simply some lesser known offering. Contractors and end-users must require functional safety management from their suppliers and of themselves.
Here in the UK there is a UKAS-accredited scheme for functional safety management that is itself free to use; the only cost is whatever you negotiate with the certification body for its assessment, and that is up to you.
Therefore, let’s not put up false claims about cost as an obstacle to functional safety management. Too many companies have been fooled into spending large sums of money on things that the standard does NOT require, like certificates and experts, whilst they have failed to invest in what the standard DOES require: functional safety management.