Is Your Safety System Safe?
A new IEC standard protects personnel and plants using safety instrumented systems from hazardous events
Unfortunately, applying these numbered levels to a real process opens much debate. How do you decide whether the production protection at stake is "major" or "minor"? At what point could a potential injury occur? Whatever approach is used to derive the SIL designation, it must be well established and carefully documented so that the reasoning can be audited later.
The first step to determining or designating an SIL is to conduct a process hazards analysis (PHA). PHAs range from simple screening analysis to complex evaluations such as hazard and operability studies (HAZOPs), which employ a multidisciplinary team to methodically examine a process design and determine if hazards or operability problems exist that could result in an accident or other unsafe condition.
IEC 61508 requires that a target SIL be assigned to the SIS for any process in which the PHA has concluded that the mechanical integrity of the process and the basic process control system are, on their own, insufficient to reduce the hazard to a tolerable level. The HAZOP should clearly define the risks associated with the process in terms of both the likelihood of the hazard occurring and its severity.
It should be noted that the methodology of IEC 61508 extends well beyond the HAZOP practice of defining an incident in terms of loss of containment, explosion or hazardous chemical release. The standard focuses most of the actual evaluation on the potential injury, fatality or other risk to individual persons.

Personnel proficiency
Another significant element of IEC 61508, and a factor that differentiates it from many other standards, is its personnel competency requirements. All personnel involved in a safety system's development, management, installation, operation or maintenance must meet the competency requirements the standard sets for the specific responsibilities of their task at the target SIL.
An individual's experience, knowledge, skills and application-specific training are assessed. Many certification companies have developed qualification procedures to provide consistency. These procedures include measures such as proficiency exams and a review of the individual's background to verify training, experience and references.
Common misconceptions continue to be fueled by individuals who are satisfied with the manufacturer's product test data alone. Although these specifications provide pertinent information, relying on them carries a hidden assumption: that the manufacturer repeatedly produces exact duplicates of the unit that underwent testing. One must also realize that components are not isolated. They are part of a sophisticated web of interacting systems that must all function properly for plant safety to be assured.
You can be more confident using system components designed and developed in compliance with IEC 61508, because under the standard safety is considered not only in the final test data of the product but throughout its development, from the very beginning of the life cycle.
CASS assessment
The framework used by third-party certification companies to assess and certify organizations to IEC 61508 is called the Conformity Assessment of Safety-related Systems (CASS). The "CASS Guide" defines "identifiable deliverables," termed targets of evaluation (TOEs), each associated with the applicable clauses of IEC 61508 for the specific assessment.
The first table in the CASS Guide uses 18 TOEs to guide the assessor in a Functional Safety Capability Assessment (FSCA). The FSCA relates strictly to the processes employed by an organization, not to individual components, products or specific operation and maintenance systems. This assessment determines whether a company has the necessary safety infrastructure (for example, a quality system such as ISO 9001) to support the safety life cycle. The FSCA must be passed before the remaining assessments will be performed.
The second table in the CASS Guide uses 21 TOEs to guide the assessor in the evaluation of IEC 61508 Part 1, "General Requirements." This assessment pertains to system integrators responsible for the overall safety function. System integrators might acquire components from suppliers to build the overall safety function as an SIS.
The third table in the CASS Guide uses 30 TOEs to guide the assessor in the evaluation of IEC 61508 Part 2, "Requirements for Electrical/Electronic/Programmable Electronic Safety-related Systems," and pertains to manufacturers of SIS components.
The fourth table in the CASS Guide uses 45 TOEs to guide the assessor in the evaluation of IEC 61508 Part 3, "Software Requirements." This assessment pertains to manufacturers of SIS components in which software resides within the electrical, electronic or programmable electronic system, or in which software is a separate component of the SIS. Software cannot be assigned a random-failure reliability number because software does not wear out or fail randomly; a software fault is present from the moment it is written. Software faults are therefore systematic failures resulting from the software development process, which is why Part 3 assesses that process rather than a failure rate.
Adler is director of professional development for Moore Industries International Inc., Sepulveda, Calif. Contact him at (818) 894-7111.