When a device is certified according to IEC 61508, the manufacturer supplies a safety manual detailing the criteria for its implementation. Successful implementation of SIS devices often requires a specific configuration, the addition of external diagnostics, the provision for inspection and maintenance, mandated proof-test intervals and particular installation details. Deviation from the safety manual may invalidate the SIL claim limit.
It is important to note that IEC 61508 is a generic functional safety standard that applies to systems used in disparate industries, so some devices may meet its requirements but not be sufficiently robust for the operating environment in many process plants.
Manufacturers sometimes provide field performance reports based on installations at owner/operator sites. More often, though, a manufacturer supplies analysis and testing results with documented predictive calculations of its product's probability to fail on demand and spurious trip rate, based on the product's shelf-state design and manufacture. For any new technology, the analysis and testing generally reflect very limited field operating experience. Thus, the manufacturer's evaluation represents the highest performance that can be expected from the device when it is implemented in accordance with its safety manual.
The operating environment and the owner/operator's inspection and maintenance practices usually dictate field device and non-PE logic solver performance. For example, a data sampling for pressure transmitters from various manufacturers shows a 600-to-800-year mean time to failure dangerous (MTTFD); however, owner/operator prior-use data give a range of 75-to-200-year MTTFD.
Many important sources of failure are excluded from the manufacturer's boundary. These include the process connections, manner of installation, power supplies and communication interfaces. Failures due to the operating environment can significantly outnumber those due to device manufacture. Failures in the interfaces between the device, the process and other protective systems should be considered when determining its suitability for addition to the approved manufacturers' list.
Some owner/operators develop installation details for each type of technology. The field installation should ensure that the core attributes of a protective system are achieved, e.g., independence, functionality, integrity, reliability, auditability, access security and management of change. This provides a consistent operator and maintenance interface and allows the analysis and testing for device approvals to be limited to the device and its ability to work within the existing approved installations.
For PE logic solvers, performance typically depends upon how well the safety manual is followed, how recommended upgrades are executed and whether the manufacturer's suggested operating environment is maintained. When implemented according to the manufacturer's recommendations, PE logic solvers tend to achieve the reported level of safety. This does not necessarily mean, however, that the PE logic solver has the robustness to provide the trouble-free service that may be desired. PE logic solvers usually tend to fail safe more frequently than reported by analysis. This largely stems from violations of operating environment requirements or human error.
Prior use history
In general, manufacturer failure-rate data are 3 to 10 times better for programmable devices than the actual performance observed in the chemical industry. For mechanical devices, the ratio is 30 to 100 times better. Programmable electronic systems are not immune; indeed, some certifications assume diagnostic coverage factors that simply are not achievable using current practices. Because of the discrepancy between manufacturer and owner/operator environments, devices should be selected based on demonstrated history in a similar operating environment.
Operating experience provides valuable information for selecting field devices because it identifies how the operating environment degrades the theoretical performance claimed by the manufacturer. For field devices especially, evidence of successful operating experience in similar process applications is very important. In IEC 61508, this is called proven-in-use; in IEC 61511, prior use.
There are specific requirements and limitations regarding prior-use evaluation in IEC 61511 Clauses 11.4 and 11.5.3 through 11.5.6. The requirements vary depending upon the device type (sensor, logic solver, final element) and whether the device uses programmable elements and, if so, the type of language used for configuration. These requirements are further discussed in ISA TR84.00.04 Annex L.
For SISs, IEC 61511 requires that devices be selected based on their expected performance in the operating environment. Maintenance records are a valuable information source. The plant maintenance-tracking system can be used to flag devices with recurring failures for more detailed analysis. In general, it takes three years of operating time to gain sufficient understanding of the potential failures of a device. Operational time can be obtained in similar applications involving process control, non-SIS or SIS.
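The following is an added example (not code from the article or from any manufacturer) that ties the two points above together: it derives a prior-use MTTFD from a maintenance-tracking extract, flags devices with recurring failures, checks the three-year operating-time criterion, and then shows what the manufacturer's 600-year MTTFD figure versus the prior-use figure means for the achievable SIL band. It assumes a constant dangerous failure rate (lambda_D = 1/MTTFD), a single-channel (1oo1) device in low-demand mode so that PFDavg is approximated by lambda_D * TI / 2 for a proof-test interval TI, and uses constructed fleet and failure data rather than figures from any real plant.

```python
"""Prior-use evaluation of a device type from maintenance records.

Added example, not part of the original article. Assumptions (labelled):
  - constant dangerous failure rate, lambda_D = 1 / MTTFD
  - a single-channel (1oo1) device in low-demand mode, so
    PFDavg ~= lambda_D * TI / 2 for proof-test interval TI
  - the fleet summary and failure events below are constructed sample
    data, not figures from any real plant or manufacturer
"""
from collections import Counter

# Constructed fleet summary: how many devices of each type are installed
# and how long each has been in service (years).
FLEET_SERVICE = {
    "pressure_transmitter": {"device_count": 60, "years_each": 5.0},
}

# Constructed extract from the maintenance-tracking system: one entry per
# logged failure, classified as dangerous (loss of the safety function)
# or safe (spurious trip / fail-to-safe).
FAILURE_EVENTS = [
    {"tag": "PT-103", "type": "pressure_transmitter", "mode": "dangerous"},
    {"tag": "PT-103", "type": "pressure_transmitter", "mode": "dangerous"},
    {"tag": "PT-117", "type": "pressure_transmitter", "mode": "dangerous"},
    {"tag": "PT-124", "type": "pressure_transmitter", "mode": "safe"},
]

# PFDavg bands for low-demand SIL levels (IEC 61508/61511); lower bound inclusive.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def device_years(fleet, device_type):
    """Accumulated operating time (device-years) of one device type."""
    entry = fleet[device_type]
    return entry["device_count"] * entry["years_each"]


def observed_mttfd(fleet, events, device_type):
    """Prior-use MTTFD in years: device-years per dangerous failure.

    Returns None when no dangerous failure has been logged, because a
    point estimate of 'infinite' MTTFD is meaningless; a statistical
    upper bound on the failure rate would be needed instead.
    """
    dangerous = sum(1 for e in events
                    if e["type"] == device_type and e["mode"] == "dangerous")
    if dangerous == 0:
        return None
    return device_years(fleet, device_type) / dangerous


def recurring_failure_tags(events, min_failures=2):
    """Tags with repeated failures, flagged for more detailed analysis."""
    counts = Counter(e["tag"] for e in events)
    return sorted(tag for tag, n in counts.items() if n >= min_failures)


def has_sufficient_history(fleet, device_type, min_years=3.0):
    """True if each installed device has at least min_years of operating time."""
    return fleet[device_type]["years_each"] >= min_years


def pfd_avg(mttfd_years, proof_test_interval_years):
    """Average PFD of a 1oo1 device with a constant dangerous failure rate."""
    lambda_d = 1.0 / mttfd_years
    return lambda_d * proof_test_interval_years / 2.0


def sil_band(pfd):
    """SIL level whose PFDavg range contains pfd; 0 if worse than SIL 1."""
    for level, low, high in SIL_BANDS:
        if low <= pfd < high:
            return level
    return 0


def compare_claims(claimed_mttfd, prior_use_mttfd, proof_test_interval_years):
    """PFDavg and SIL band under the manufacturer's figure vs. prior use."""
    claimed_pfd = pfd_avg(claimed_mttfd, proof_test_interval_years)
    observed_pfd = pfd_avg(prior_use_mttfd, proof_test_interval_years)
    return {
        "claimed_pfd": claimed_pfd,
        "claimed_sil": sil_band(claimed_pfd),
        "prior_use_pfd": observed_pfd,
        "prior_use_sil": sil_band(observed_pfd),
    }


if __name__ == "__main__":
    dtype = "pressure_transmitter"
    mttfd = observed_mttfd(FLEET_SERVICE, FAILURE_EVENTS, dtype)
    print(f"{dtype}: {device_years(FLEET_SERVICE, dtype):.0f} device-years, "
          f"observed MTTFD = {mttfd:.0f} years")
    print("recurring failures:", recurring_failure_tags(FAILURE_EVENTS))
    print("3-year history met:", has_sufficient_history(FLEET_SERVICE, dtype))
    # Manufacturer's 600-year MTTFD (the low end of the article's sampling)
    # against prior use, assuming a one-year proof-test interval.
    print(compare_claims(600.0, mttfd, 1.0))
```

With the constructed data the fleet accumulates 300 device-years and three dangerous failures, giving a prior-use MTTFD of 100 years, inside the 75-to-200-year range quoted above. At a one-year proof-test interval the manufacturer's 600-year figure lands in the SIL 3 band while the prior-use figure lands in SIL 2, which is exactly the kind of gap between claimed and demonstrated performance that prior-use evaluation is meant to expose. The `None` return for zero logged dangerous failures is deliberate: a fleet with no observed failures does not prove an infinite MTTFD, only that the sample is too small to bound the rate without a proper statistical treatment.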
Operational results can include those from alpha and beta testing where owner/operators work in close association with the manufacturer. Alpha testing is conducted to demonstrate the basic functionality of the device and general compatibility with the service. A successful alpha test leads to beta testing, which usually involves multiple installations to gather information on device failure modes in a variety of operating environments. However, alpha and beta testing results do not suffice for approving devices for SIS service.
Other owner/operators cited as references by a manufacturer frequently can offer valuable insight into product application and use. A manufacturer's user group can provide valuable networking opportunities to gather information about product performance. The owner/operator may choose to rely on the manufacturer's and other owner/operators' field experience or to supplement this evidence with its own inputs, which may include bench testing and field trials in process control or low-hazard services. Generally, the more unfamiliar or complex the technology is, the more time that should be spent understanding how it works and how it fails.