Meet SIS “User Approval” Mandates

No manufacturer’s claim, third-party analysis or certification report reduces the user’s responsibility for determining that a product is fit for its purpose. Make sure to properly balance analysis and testing information with field experience.

By Angela E. Summers and Susan Wiley, SIS-TECH Solutions, LP

Share Print Related RSS

The following disclaimer should look familiar: “This paper is distributed ‘as is.’ All warranties, either expressed or implied, are disclaimed as to quality, performance or merchantability, whether expressed, implied or statutory, hidden defects, or fitness for any particular purpose. The author makes no representations about the suitability of the information in this paper for any purpose. Reader bears the entire risk relating to the use of this paper.”

A paragraph similar to the above appears in many end-user license agreements accepted during software installation and with hardware manufacturers’ terms and conditions. The underlying concept is that the user has the responsibility to determine whether a product is fit for a particular purpose.
The manufacturer limits its liability associated with effects that are beyond its control, such as the operating environment. Other limitations typically appear in the installation and maintenance manual (or in the safety manual for safety instrumented system (SIS) devices). Product manuals provide warnings concerning installation, commissioning, maintenance, and testing requirements. Deviation from the manufacturer’s recommended practices generally invalidates all warranties, either expressed or implied.

No manufacturer’s claim, third-party analysis or certification report reduces the user’s responsibility for determining that a product is fit for its purpose. The ISA standard for SISs, ISA 84.01-2004, mandates that a user evaluate and decide that hardware, software, procedures, etc., are acceptable for their application.

The user approval process

An owner/operator must formally check the suitability of devices. This user approval process should evaluate each device using analysis and testing and should demonstrate performance in the operating environment. (The boundary for any device must include the hardware and software elements necessary for it to perform its design intent.) The outputs of the process should be an approved manufacturers’ list and an installation, commissioning and maintenance plan (e.g., the safety manual for the SIS) that outlines implementation requirements and constraints.

User approval requires a close relationship between the manufacturer and the owner/operator as a product moves from early development through obsolescence. Technological evolution can hasten obsolescence — for example, the lifespan of some programmable devices is less than 10 years due to the rapid development of computer technology, the need for increased interconnectivity and the demand for uniform configuration tools. This can result in a product lacking desired features, with promises for future upgrades. Sometimes, correcting problems or providing requested functionality may require significant changes.

The owner/operator should carefully control the replacement of components in any way other than “like” for “like.” When the manufacturer offers a new version of an approved component or recommends an alternative, these components should go through the user approval process. For new versions of approved products, this process can be simplified when the manufacturer documents revisions to the products and highlights any configuration changes.

Configuration management can be challenging but is essential. To succeed, the owner/operator should put an SIS product specialist in place to receive and review advisory notices and product information from manufacturers with the authority to add or drop devices from the approved manufacturers’ list. When possible, the specialist should be independent of the project team seeking approval of a device.
The owner/operator should share field performance and lessons learned in applying a device with its manufacturer and circulate the information among project and plant personnel.

Getting started

To identify the operating environment, draw an imaginary bubble around the device as installed in the process. This bubble establishes the device’s boundary. The operating environment may include a variety of items that affect device operation, such as:

  • external environmental conditions;
  • process operational conditions;
  • communications and interconnectivity;
  • human interfaces;
  • access security means; and
  • support systems, e.g., instrument air and electricity.

For Programmable Electronic (PE) logic solvers, the operating environment also encompasses the embedded software, the hardware architecture, application software and input/output configuration.
Devices should be analyzed and tested to evaluate their design, manufacture and validation procedures, as well as the manufacturer’s quality and change-management systems. The rigor of the analysis and testing depends upon the complexity of the device and the maturity of its technology. This step should result in the following:

  • delineation of the analysis boundary;
  • identification of potential dangerous failures;
  • specification of assumed diagnostic coverage factor and any user requirements necessary to achieve the diagnostic coverage, e.g., configuration requirements and the need for external diagnostics; and
  • declaration of the probability of safe and dangerous failures, noting any assumptions regarding maintenance activities and test intervals.

Analysis and testing should also include evaluating the device’s conformance to applicable codes, standards and practices. Meeting the area classification and following the applicable electrical codes is important for all instrumented system applications; inappropriate devices can become ignition sources should a loss of containment occur. For SISs, the requirements of IEC 61511 Clause 11.5 should be met. Guidance on complying with this clause is also provided in ANSI/ISA TR84.00.04 Annex L.

Certification caveat

Manufacturers wishing to advertise their products for safety systems analyze and test their devices for compliance with the intent of IEC 61508. A device may gain “certification” if evaluated by a recognized certification body. (In the U.S., Nationally Recognized Testing Laboratories (NRTLs) handle certification — OSHA’s website, www.osha.gov, has a complete listing of NRTLs.) A certified product can be labeled with an “SIL (Safety Integrity Level) Claim Limit.”

When a device is certified according to IEC 61508, the manufacturer supplies a safety manual detailing the criteria for its implementation. Successful implementation of SIS devices often requires a specific configuration, the addition of external diagnostics, the provision for inspection and maintenance, mandated proof-test intervals and particular installation details. Deviation from the safety manual may invalidate the SIL claim limit.

It is important to note that IEC 61508 is a generic functional safety standard that applies to systems used in disparate industries — so, some devices may meet its requirements but not be sufficiently robust for the operating environment in many process plants.

Deciphering data

Manufacturers sometimes provide field performance reports based on installations at owner/operator sites. More often, though, a manufacturer supplies analysis and testing results with documented predictive calculations of its product’s probability to fail on demand and spurious trip rate based on the product’s “shelf state” design and manufacture. For any new technology, the analysis and testing generally reflects very limited field operating experience. Thus, the manufacturer’s evaluation represents the highest performance that can be expected from the device when it is implemented in accordance with its safety manual.

The operating environment and the owner/operator’s inspection and maintenance practices usually dictate field device and non-PE logic solver performance. For example, a data sampling for pressure transmitters from various manufacturers shows 600-to-800-year mean time to failure dangerous (MTTFD); however, owner/operator prior-use data give a range of 75-to-200-year MTTFD.

Many important sources of failure are excluded from the manufacturer’s boundary. These include the process connections, manner of installation, power supplies and communication interfaces. Failures due to the operating environment can significantly outnumber those due to device manufacture. Failures in the interfaces between the device, the process and other protective systems should be considered when determining its suitability for addition to the approved manufacturers’ list.

Some owner/operators develop installation details for each type of technology. The field installation should ensure that the core attributes of a protective system are achieved — e.g., independence, functionality, integrity, reliability, auditability, access security and management of change. This provides a consistent operator and maintenance interface and allows the analysis and testing for device approvals to be limited to the device and its ability to work within the existing approved installations.

For PE logic solvers, performance typically depends upon how well the safety manual is followed, how recommended upgrades are executed and whether the manufacturer’s suggested operating environment is maintained. When implemented according to manufacturer’s recommendations, PE logic solvers tend to achieve the reported level of safety. This does not necessarily mean, however, that the PE logic solver has the robustness to provide the trouble-free service that may be desired. PE logic solvers usually tend to fail-safe more frequently than reported by analysis. This largely stems from violations of operating environment requirements or human error.

Prior use history

In general, manufacturer failure-rate data are 3 to 10 times better for programmable devices than the actual performance observed in the chemical industry. For mechanical devices, the ratio is 30 to 100 times better. Programmable electronic systems are not immune — indeed, some certifications assume diagnostics coverage factors that simply are not achievable using current practices. Because of the discrepancy between manufacturer and owner/operator environments, devices should be selected based on demonstrated history in a similar operating environment.

Operating experience provides valuable information for selecting field devices because it identifies how the operating environment degrades the theoretical performance claimed by the manufacturer. For field devices especially, evidence of successful operating experience in similar process applications is very important. In IEC 61508, this is called “proven-in-use” and in IEC 61511, “prior use.”

There are specific requirements and limitations regarding prior-use evaluation in IEC 61511 Clauses 11.4 and 11.53 through 11.5.6. The requirements vary depending upon the device type (sensor, logic solver, final element) and whether the device uses programmable elements and, if so, the type of language used for configuration. These requirements are further discussed in ISA TR84.00.04 Annex L.
For SISs, IEC 61511 requires devices be selected based on their expected performance in the operating environment. Maintenance records are a valuable information source. The plant maintenance-tracking system can be used to flag devices with recurring failures for more detailed analysis. In general, it takes three years of operating time to gain sufficient understanding of the potential failure of a device. Operational time can be obtained in similar applications involving process control, non-SIS or SIS.

Operational results can include those from alpha and beta testing where owner/operators work in close association with the manufacturer. Alpha testing is conducted to demonstrate the basic functionality of the device and general compatibility with the service. A successful alpha test leads to beta testing, which usually involves multiple installations to gather information on device failure modes in a variety of operating environments. However, alpha and beta testing results do not suffice for approving devices for SIS service.

Other owner/operators cited as references by a manufacturer frequently can offer valuable insight into product application and use. A manufacturer’s user group can provide valuable networking opportunities to gather information about product performance. The owner/operator may choose to rely on the manufacturer and other owner/operators’ field experience or to supplement this evidence with its own inputs, which may include bench testing and field trials in process control or low hazard services. Generally, the more unfamiliar or complex the technology is, the more time that should be spent understanding how it works and how it fails.

Proven performance takes on special significance for SISs because most operate as dormant systems that only take action when a process demand occurs. In contrast, control system devices are expected to operate frequently, if not continuously — so their failures usually are rapidly detected; if these failures cannot be managed by the control system or operator, an independent SIS often is implemented to mitigate any unacceptable process risk.

A debate now is underway on whether to integrate the SIS with the control system. One of the strongest arguments for separation is the common practice of using the latest technology in control applications. Many owner/operators that strive to adopt the newest control technology often find that the products are not as well developed as originally thought. New control system implementation can turn into an unplanned product development project. While necessary for production or quality reasons, this can be a hazardous practice for SISs. Do not under-value proven operating history.

A reality check

User approval is an important aspect of complying with ANSI/ISA 84.00.01-2004. This approval should balance predictive evidence, such as analysis and testing reports, with field operating history. While some manufacturers now provide devices that are “certified for use” in SISs, these devices are relatively limited in their range of application and technology. Many are not field proven and some are not demonstrating the robustness necessary for process industry applications. An IEC 61508 analysis often assumes an unreal operating environment: one that does not include the process impact, ambient conditions, stress, manufacturing defects, software errors, installation issues, electrical disturbances, instrument air or other support-system quality problems, etc.

Consequently, owner/operators in the process industry should always seek to achieve the proper balance of analysis/testing information and field experience. Whenever possible, they should rely heavily upon operating experience for selecting devices for SISs, especially for those devices installed in a process environment. The amount of information or experience required and the degree of rigor associated with an evaluation may vary depending upon the nature of the device and the required SIL. However, the user approval process must establish sufficient evidence to justify that the device can and does achieve the required performance in the intended operating environment.

Angela E. Summers, Ph.D., P.E., is president of SIS-TECH Solutions, LP, Houston, Texas. She is the recipient of ISA’s 2005 Albert F. Sperry Award “for outstanding contributions and leadership in the specification, development, and implementation of safety instrumented systems for the process automation industry.” E-mail her at asummers@sis-tech.com.

Susan Wiley is a senior consultant with SIS-TECH Solutions, LP, Houston, Texas. E-mail her at swiley@sis-tech.com.

Share Print Reprints Permissions

What are your comments?

Join the discussion today. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments