IEC61508 Part 1 Clause 6

Transcript IEC61508 Part 1 Clause 6

BS EN 61508, also known as IEC 61508: Functional safety of Electrical/Electronic/Programmable Electronic Safety Related Systems
www.61508.org

BS EN 61508: Certification in perspective
Clive de Salis, M.A, B.Sc, M.I.Chem.E., M.Inst.M.C
I.Chem.E. Registered Safety Professional
Member of SIESO

Copyright basis: This presentation material is made for educational purposes only. Some diagrams and photographs are copied herein and text is reproduced within for the purposes of study. These items may not be reproduced for any other purpose without the written permission of the copyright holder.

True or False? All the instruments in a SIL rated safety loop need a certificate for their SIL rating.

True or False? I can replace a SIL 2 certified transmitter in a loop with another SIL 2 certified transmitter from a different manufacturer, so long as they both have certificates.

True or False? If I use a SIL 2 certified PLC I can use it for any application of SIL 2 or SIL 1.

True or False? Using a Certified Expert to design my SIL loops allows me to use my usual local systems integrator and place the order as part of the DCS.

We will return to these "True or False" questions later.

If we are truly concerned about safety... ...then we should be willing to learn!

What was the common cause of failure in all of the following accidents?
Flixborough
Hickson & Welch
Seveso
Texaco Pembroke
Buncefield
Texas City

If we know what fails ... then we can develop systems, checks and procedures to minimise the risk of failure.

If we know what fails ... then we can develop systems to monitor the likely items of failure and act to make the system safe if it fails.

If we know what fails ... then we can put systems in place to stop when a fault is detected ... we can avoid putting something faulty into service.

If I have a need for a SIL rated safety system then ...
I have to use a certified PLC.
Purchasing will ask for a TÜV [insert any well-known name here] certificate for the transmitter.
So I'll have a SIL 2 certified transmitter with a SIL 2 certified PLC ..... so I have a SIL 2 certified loop = Job done + Sleep easy!
... is that it?

What is the most common reason for control system related accidents?
Is it specification? Is it design? Is it installation? Is it commissioning? Is it operation?

HSE's own research ...

So what was the common cause of failure in all of the following accidents?
Flixborough
Hickson & Welch
Seveso
Texaco Pembroke
Buncefield
Texas City

It's people!
Now here's the irony...
Almost everyone will choose a certified PLC .... the MOST reliable part of the loop even without a certificate.
A lot of people will ask for a certified transmitter .... less reliable than the PLC but robust.
Some people will ask for a certificate with the valve ... an unreliable part of the loop.
Too many people fail to ask for the safety report ... the bit that is ESSENTIAL for the design (they went away surprisingly happy with a certificate!).
Hardly anyone asks about the people ... the LEAST reliable part.

We have put the cart before the horse
IEC61508 never asked for any certificates for transmitters etc.
IEC61508 does ask for evidence of reliability of the loop. So you need the report. And if the report is verified by a third party then that is good.
But let's get the emphasis in the right place: YOU NEED THE REPORT; the certificate is a side-issue. A certificate without a report is a waste of paper.

We have put the cart before the horse
IEC61508 does ask for Functional Safety Management (IEC61508 Part 1 Clause 6).
IEC61508 does NOT ask for a certified expert!
The use of a certified expert may well be appropriate as part of your management of safety.
But let's get the emphasis right: you NEED evidence of Functional Safety Management of everyone ... not just the expert, not just the technician.

Functional Safety Management is about people (IEC61508 Part 1 Clause 6)
It's about PEOPLE
Have you ever known of a company full of good engineers ... but with C**P management?

Changes now made to IEC61508 in the 2nd edition include ...
Competence is a normative requirement, for everyone involved in the safety loop, for all stages of the lifecycle.

Competency applies to everyone involved. This includes the person writing the spec… …remember that the biggest source of control system accidents was the specification.

The HSE have issued guidelines for the management of competency for safety related systems.
The guidance requires that you check that your Contractors are competent … and your Contractor's sub-contractors are competent.

Functional Safety Management is about people (IEC61508 Part 1 Clause 6)
It's about PEOPLE
Certification of functional safety management is available, and it is UKAS accredited.
It covers ALL phases of the lifecycle, from SIL assessment to operation.

This certification is for functional safety management for SIL assessment & SIS specification for the process and water industries (as detailed on page 2 of the certification).

Was a competent SIL assessment done?
IEC 61508 Part 5 Table D: Example methodology
NOTE: The demand rate W can be interpreted as the probability of the initiating cause AND all independent technology risk reducers AND mitigation factors failing simultaneously to cope.
You are NOT supposed to use the example as written in Part 5; it is ONLY an example technique.
You are supposed to design and calibrate a risk graph to suit YOUR process.
[Slide diagram: an annotated risk graph. Labels recovered from it: W1 to W3 expressed as demand rate; Define the event; Probability of initiating cause; Basic Process Control System (BPCS not covered); Other Technology Risk Reducers that are independent (NOT covered); Mitigation measures; People factors; Probability of the event after all other systems fail; Risk element to be covered by SIL system; F1 or F2 and P1 or P2; Outcome severity; CORPORATE TARGET PROBABILITY hidden in the final answer. The diagram links the probabilities with X, i.e. multiplied together, with the BPCS and the other technology risk reducers marked as NOT covered by the SIL system.]
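The slide's note gives a way to make the "hidden" corporate target explicit: W is the initiating-cause frequency multiplied by the failure probabilities of everything independent that stands before the SIL system, and the SIL follows from how much further the SIL system must reduce that. The following is an added example, not from the presentation; it assumes the low-demand PFDavg bands of IEC 61508-1 Table 2, leaves the BPCS out as the slide says, and uses constructed target and input values.

```python
# Added example, not part of the presentation: makes the slide's "hidden
# corporate target probability" explicit. Per the slide's note, the demand
# rate W on the SIL system is the initiating-cause frequency multiplied by the
# probability that every independent technology risk reducer AND every
# mitigation measure (including people factors) fails to cope. The BPCS is left
# out because the slide marks it "not covered". All numbers are constructed.

# Constructed corporate target: tolerable frequency (per year) of the event,
# by outcome severity. A real one comes from the company's own risk policy.
CORPORATE_TARGET_PER_YEAR = {"minor": 1e-3, "serious": 1e-4, "fatality": 1e-5}

# IEC 61508-1 Table 2 low-demand bands: (SIL, PFDavg lower incl., upper excl.)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

def demand_rate(initiating_cause_per_year, reducer_pfds, mitigation_failure_probs):
    """W: events per year that reach the SIL system after everything else fails."""
    w = initiating_cause_per_year
    for pfd in reducer_pfds:            # independent other-technology risk reducers
        w *= pfd
    for p in mitigation_failure_probs:  # mitigation measures and people factors
        w *= p
    return w

def required_pfd(w, target_per_year):
    """PFDavg the SIL system must achieve; None if the target is already met."""
    if w <= target_per_year:
        return None
    return target_per_year / w

def required_sil(pfd):
    """Map a required PFDavg onto the IEC 61508-1 low-demand SIL bands."""
    if pfd is None or pfd >= 1e-1:
        return 0  # less than a factor-of-10 reduction: no SIL function needed
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("required PFD is below the SIL 4 band: change the process design")

def assess(severity, initiating_cause_per_year, reducer_pfds, mitigation_failure_probs):
    """Define the event, compute W, compare with the target, derive the SIL."""
    w = demand_rate(initiating_cause_per_year, reducer_pfds, mitigation_failure_probs)
    pfd = required_pfd(w, CORPORATE_TARGET_PER_YEAR[severity])
    return {"demand_rate": w, "required_pfd": pfd, "sil": required_sil(pfd)}

if __name__ == "__main__":
    # Constructed case: fatality-severity event initiated 0.1 times a year, one
    # independent relief device (PFD 0.1) and a manual response that fails half
    # the time: W = 0.005 /yr, required PFD = 0.002, so SIL 2.
    print(assess("fatality", 0.1, [0.1], [0.5]))
```

The ValueError branch is the case the slide warns about: when the hidden target cannot be met even by a SIL 4 function, the answer is to change the process, not to buy a bigger certificate.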

Was a competent SIL assessment done?
Many companies are using this risk matrix taken from Shell's system WITHOUT using the rest of Shell's system - Can that be right?

A PLC from one of the top 5 manufacturers in the world claims a SIL 2 certificate.
You should ask for a certified PLC but you NEED the REPORT.
Is the designer right to use this "SIL 2" PLC in the loop?

A true ...... but sad story
A package plant was supplied with a SIL 3 certified safety PLC.
[Slide cartoon: speech bubbles. Phrases recoverable from them: "The transmitter has failed"; "There's a SIL 2 certified one in stores"; "I'll use that SIL 2 certified"; "It's ... of another make"; "Pardon?"; "Erm...?"; "Can I see the proof testing plan and the records of proof testing please?"; "How did you adjust the loop testing for your different transmitter?"]

The management was responsible
Management thought if the engineers specified the right certificates and purchasing bought them then that was enough!
Management sent engineers to the FAT who didn't know anything about safety systems.
Management didn't make purchasing aware that the systems should have had a detailed "design file".
Management didn't know that the system should have been tested and validated at installation.
Management had NO system for managing the proof testing and maintenance and NO non-conformance system.
Management had not ensured everyone was competent for their role.
RESULT = PROHIBITION NOTICE ISSUED

Was the answer to use a certified expert?
Certified experts are not mentioned anywhere in IEC61508 ... so you can't be criticised for what a standard does NOT say!
NO - It was to comply with IEC61508 Part 1 Clause 6: Functional SAFETY MANAGEMENT

The HSE have issued guidelines for the management of competency for safety related systems.

Functional Safety Management is about people (IEC61508 Part 1 Clause 6)
It's about PEOPLE
Certification of functional safety management is available, and it is UKAS accredited.
It covers ALL phases of the lifecycle, from SIL assessment to operation.
What you negotiate with the various certification bodies for their cost is up to you! ... and the scheme is FREE.

IEC61508 does require functional safety management (IEC61508 Part 1 Clause 6).
Clause 6.2.1(h) covers the management of competency.
The UKAS accredited scheme is available .... AND it covers competency management.
HSE guidelines for competency management for safety-related systems have now been published.
The UKAS accredited CASS scheme is FREE of charge.
What's your excuse for not sorting out the part that the standard does require and spending your money on stuff that the standard doesn't require?