The following disclaimer should look familiar: This paper is distributed as is. All warranties, either expressed or implied, are disclaimed as to quality, performance or merchantability, whether expressed, implied or statutory, hidden defects, or fitness for any particular purpose. The author makes no representations about the suitability of the information in this paper for any purpose. Reader bears the entire risk relating to the use of this paper.
A paragraph similar to the above appears in many end-user license agreements accepted during software installation and with hardware manufacturers terms and conditions. The underlying concept is that the user has the responsibility to determine whether a product is fit for a particular purpose.
The manufacturer limits its liability associated with effects that are beyond its control, such as the operating environment. Other limitations typically appear in the installation and maintenance manual (or in the safety manual for safety instrumented system (SIS) devices). Product manuals provide warnings concerning installation, commissioning, maintenance, and testing requirements. Deviation from the manufacturers recommended practices generally invalidates all warranties, either expressed or implied.
No manufacturers claim, third-party analysis or certification report reduces the users responsibility for determining that a product is fit for its purpose. The ISA standard for SISs, ISA 84.01-2004, mandates that a user evaluate and decide that hardware, software, procedures, etc., are acceptable for their application.
The user approval process
An owner/operator must formally check the suitability of devices. This user approval process should evaluate each device using analysis and testing and should demonstrate performance in the operating environment. (The boundary for any device must include the hardware and software elements necessary for it to perform its design intent.) The outputs of the process should be an approved manufacturers list and an installation, commissioning and maintenance plan (e.g., the safety manual for the SIS) that outlines implementation requirements and constraints.
User approval requires a close relationship between the manufacturer and the owner/operator as a product moves from early development through obsolescence. Technological evolution can hasten obsolescence for example, the lifespan of some programmable devices is less than 10 years due to the rapid development of computer technology, the need for increased interconnectivity and the demand for uniform configuration tools. This can result in a product lacking desired features, with promises for future upgrades. Sometimes, correcting problems or providing requested functionality may require significant changes.
The owner/operator should carefully control the replacement of components in any way other than like for like. When the manufacturer offers a new version of an approved component or recommends an alternative, these components should go through the user approval process. For new versions of approved products, this process can be simplified when the manufacturer documents revisions to the products and highlights any configuration changes.
Configuration management can be challenging but is essential. To succeed, the owner/operator should put an SIS product specialist in place to receive and review advisory notices and product information from manufacturers with the authority to add or drop devices from the approved manufacturers list. When possible, the specialist should be independent of the project team seeking approval of a device.
The owner/operator should share field performance and lessons learned in applying a device with its manufacturer and circulate the information among project and plant personnel.
To identify the operating environment, draw an imaginary bubble around the device as installed in the process. This bubble establishes the devices boundary. The operating environment may include a variety of items that affect device operation, such as:
- external environmental conditions;
- process operational conditions;
- communications and interconnectivity;
- human interfaces;
- access security means; and
- support systems, e.g., instrument air and electricity.
For Programmable Electronic (PE) logic solvers, the operating environment also encompasses the embedded software, the hardware architecture, application software and input/output configuration.
Devices should be analyzed and tested to evaluate their design, manufacture and validation procedures, as well as the manufacturers quality and change-management systems. The rigor of the analysis and testing depends upon the complexity of the device and the maturity of its technology. This step should result in the following:
- delineation of the analysis boundary;
- identification of potential dangerous failures;
- specification of assumed diagnostic coverage factor and any user requirements necessary to achieve the diagnostic coverage, e.g., configuration requirements and the need for external diagnostics; and
- declaration of the probability of safe and dangerous failures, noting any assumptions regarding maintenance activities and test intervals.
Analysis and testing should also include evaluating the devices conformance to applicable codes, standards and practices. Meeting the area classification and following the applicable electrical codes is important for all instrumented system applications; inappropriate devices can become ignition sources should a loss of containment occur. For SISs, the requirements of IEC 61511 Clause 11.5 should be met. Guidance on complying with this clause is also provided in ANSI/ISA TR84.00.04 Annex L.
Manufacturers wishing to advertise their products for safety systems analyze and test their devices for compliance with the intent of IEC 61508. A device may gain certification if evaluated by a recognized certification body. (In the U.S., Nationally Recognized Testing Laboratories (NRTLs) handle certification OSHAs website, www.osha.gov, has a complete listing of NRTLs.) A certified product can be labeled with an SIL (Safety Integrity Level) Claim Limit.