David Lewis discusses the value of adopting a new international standard

David Lewis discusses the value of adopting a new international standard – IEC 61508 – and how it affects the risk industry

In addition to protecting lives, safety systems can also protect the environment and the operator's plant. Producing evidence that an operation conforms with best practice, in the form of an accredited certificate of compliance with the relevant standard, is a very good way of reassuring staff, neighbours, insurers and other stakeholders that proper consideration has been given to the risks. It can even result in lower insurance premiums and in making a more convincing safety case for the Health and Safety Executive (HSE).

IEC 61508 is an international standard for functional safety that reflects good practice. It applies where electrical, electronic or programmable equipment is in use in safety systems. Experience shows that the process of certification is not overly expensive and adds value to the safety system.

IEC 61508 defines functional safety as 'that part of overall safety relating to the equipment under control and the control system which depends on the correct functioning of the electric, electronic and programmable electronic (E/E/PES) safety related systems, other technology safety related systems and external risk reduction facilities'. It sets out a generic approach for all safety lifecycle activities for such systems.

Clearly, it is important to know that a safety system will work effectively to prevent a catastrophe. Since IEC 61508 represents best practice, companies that do not adopt it may face the risk of claims for malpractice should an accident occur. Most insurers of plant these days are looking closely at risk management, and IEC 61508 is a key measure to consider.

Compliance with the criteria set out in the standard allows manufacturers, systems integrators and end users to demonstrate to customers that good practice has been followed through the whole lifecycle, and that risks are being managed. Purchasers of systems, or system components, are already using the standard to specify their performance requirements.

IEC 61508 is based upon risk assessment. The standard uses investigation based on evidence to judge functional safety. It calls for independent assessment and recommends minimum levels of independence, all related to the consequences of failure of the system, and to the safety integrity levels of the system.

My own company was the first in the world to become accredited to certify the functional safety capability of organisations against IEC 61508, using the conformity assessment of safety-related systems (CASS) scheme as the vehicle. The scheme is now being developed to certify other phases of the safety lifecycle, including 'product', systems, and operation and maintenance.

Certification of functional safety capability provides a low cost way of demonstrating compliance, certified by a competent third party. It is encouraged by the HSE and the Department of Trade and Industry. The scope of the certification can cover the specification, design, development, manufacture, implementation, support and application of hardware and software components and complete systems, across many sectors. It covers off-the-shelf products, application-specific systems, and their operation and maintenance.

The HSE will use IEC 61508 as a reference standard for determining whether a reasonably practicable level of safety has been achieved when E/E/PES safety-related systems are used to carry out safety functions. The extent to which it will use IEC 61508 will depend on individual circumstances: whether any sector standards based on IEC 61508 have been developed, and whether specific industry standards or guidelines exist.

The publication of IEC 61508 represents a significant step in facilitating the safe development of programmable electronic technology. The HSE has played a major part in the development of the standard and is working to facilitate its safe and effective use. The HSE has also been actively involved in the development of CASS. It recognises the important role the scheme can play in giving users confidence that, for example, a safety-related system meets the requirements of IEC 61508, and is committed to working to ensure that the scheme fulfils its stated aims.

Benefits
The benefits of accredited certification to IEC 61508 include:

  • enhancing confidence in the safety of complex E/E/PES systems through the availability of an accredited assessment standard
  • reducing costs by facilitating the re-use of assessed product
  • reducing long term costs by facilitating the use of a building block approach, using certified components with recognised safety characteristics
  • reducing design and development costs for systems that utilise these components
  • generating increased end-user confidence in technologies that can offer flexibility and cost reductions without compromising safety
  • promoting international trade in certified equipment by providing manufacturers with independent and internationally recognised endorsement of their product
  • providing a yardstick to national regulatory authorities assessing 'fitness for purpose' and best practice of installed systems.

The experience of many of the companies who have had their functional safety capability certified under IEC 61508 is that it did not cost as much as they feared, and it delivered benefits. They believe that the standard will improve safety, give rise to better designed systems and reduce costs. Bob Smith of Hima Sella, one of the first companies in the UK to gain certification, also says that more and more specifiers are now making demonstrable compliance with IEC 61508 mandatory in their new contracts.

Another organisation, Moore Industries, believes that certification of its functional safety capability was a commercially sensible way to demonstrate compliance to the satisfaction of their customers. Moore's Rob Stockham says, "By keeping the scope of our initial certification quite tight we were able to control costs and avoid too large an investment. Now that we have learnt from the initial phase and obtained some of the benefits, we are happy to bring more work within the certified scope."

Product certification by a competent third party is another route for component manufacturers to demonstrate that their products meet the stringent requirements of the standard. It is especially useful for established products that have a history of proven reliability. Barry Lytollis, of explosion protection specialist MTL, comments: "MTL knows its customers need products which are certified to IEC 61508 and we are committed to supplying them."

Where safety is concerned, compromise is not an option. It is worth investing now to ensure that negative repercussions can be avoided.

David Lewis is managing director of Sira Test & Certification Ltd which provides training and advice to organisations wishing to comply with IEC 61508. Tel: 020 8467 2636, www.siraservices.com

Practical examples
The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

  • emergency shut-down systems
  • fire and gas systems
  • turbine control
  • gas burner management
  • crane automatic safe-load indicators
  • guard interlocking and emergency stopping systems for machinery
  • medical devices
  • dynamic positioning (control of a ship's movement when in proximity to an offshore installation)
  • fly-by-wire operation of aircraft flight control surfaces
  • railway signalling systems
  • variable speed motor drives used to restrict speed as a means of protection
  • automobile indicator lights, anti-lock braking and engine-management systems
  • remote monitoring, operation or programming of a network-enabled process plant

FAQ
The IEC website gives some useful information on the standard, including a downloadable introduction to functional safety and an overview of IEC 61508. Also provided are a large number of frequently asked questions, including the following.

What is functional safety? Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is achieved when every specified safety function is carried out, and the level of performance required of each safety function is met.

For example, an overtemperature protection device, using a thermal sensor in the windings of an electric motor to de-energise the motor before they can overheat, is an instance of functional safety. But providing specialised insulation to withstand high temperatures is not an instance of functional safety (although it is still an instance of safety and could protect against exactly the same hazard).

Does IEC 61508 cover the elimination of hazards at source? The standard requires that consideration shall be given to the elimination of the hazards and emphasises the primary importance of eliminating hazards at source ... This could be, for example, by the application of inherent safety principles or the application of good engineering practice. However, detailed guidance on hazard elimination is not provided in the standard.

Does IEC 61508 require a quantitative risk analysis to be carried out in order to determine safety integrity levels? No. It allows both quantitative and qualitative approaches ... Note that risk analysis generally requires a wide range of expertise. It will usually be necessary for a team to work together and reach agreement.

Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508? No. A safety integrity level is not directly applicable to individual sub-systems or components. It applies to a safety function carried out by the E/E/PE safety-related system.

IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these sub-systems and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant functions. Any design using supplied sub-systems and components that are all quoted as suitable for the required safety integrity level target of the relevant functions will not necessarily comply with the requirements for that safety integrity level target. A simple example is when the sub-system or component is incorrectly installed.

Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508.
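The composition point made in this answer (a SIL attaches to the safety function, so parts that each claim the target SIL do not automatically give a compliant function) as a small worked calculation. This is an added example, not code from the article or from the IEC FAQ; it assumes a low-demand safety function, uses the PFDavg bands of IEC 61508-1, and the loop name and sub-system figures are constructed.

```python
"""Added example (not from the article or the IEC FAQ it quotes): a SIL
belongs to a safety function, not to the parts that implement it.
IEC 61508-1 Table 2 gives the low-demand SIL bands used below as bands
of average probability of failure on demand (PFDavg); the sub-system
figures are constructed sample values."""

# SIL -> (PFDavg lower bound inclusive, upper bound exclusive), low-demand mode
SIL_BANDS_LOW_DEMAND = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for_pfd(pfd_avg):
    """SIL whose band contains pfd_avg; 0 if it misses even SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS_LOW_DEMAND.items():
        if low <= pfd_avg < high:
            return sil
    return 4  # below 1e-5: SIL 4 is the highest level the standard defines


def loop_pfd(subsystems):
    """PFDavg of the whole loop (sensor + logic solver + final element).
    Summing sub-system PFDavg values is the IEC 61508-6 simplification; it
    ignores common-cause failures, which can only make the result worse."""
    return sum(subsystems.values())


def assess_safety_function(subsystems, target_sil):
    """Set the SIL each part could claim alone against the SIL the complete
    function achieves. A pass here covers only the PFD target: architectural
    constraints, systematic capability and correct installation must also
    be demonstrated before the function complies."""
    total = loop_pfd(subsystems)
    achieved = sil_for_pfd(total)
    return {
        "component_sils": {n: sil_for_pfd(p) for n, p in subsystems.items()},
        "pfd_avg": total,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
    }


# Constructed loop: each part on its own sits inside the SIL 2 band ...
HIGH_PRESSURE_TRIP = {"transmitter": 4.0e-3, "logic solver": 2.0e-3, "shutdown valve": 5.0e-3}

if __name__ == "__main__":
    # ... but the function as a whole (PFDavg 1.1e-2) only reaches SIL 1.
    print(assess_safety_function(HIGH_PRESSURE_TRIP, target_sil=2))
```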

www.iec.ch/zone/fsafety_entry.htm

AIRMIC COMMENT
Gary Marshall, chairman, AIRMIC health and safety special interest group, writes:

Safety is inherent in everything, to some degree. The question is more 'What is the quantum structure to ensure that we improve safety and use resource both profitably and wisely to ensure that we improve it in a way that reduces the severity, potential and frequency of minor accidents, and in turn reduces costs?'

This has to be coupled with an understanding of the present and future legal landscapes and with the big safety issues which business needs to resolve (for example, how to present and achieve maximum benefit from risk assessment practice).

To help achieve a better understanding and practice, AIRMIC has reactivated the special interest group on health and safety (HASSIG). After an initial meeting, the group has split into four workstreams aimed at improving group members' understanding in the different areas and feeding back this information to the group as a whole and selectively on to the wider AIRMIC membership.

The four workstreams are:

  • claims culture linked to the UK's HSE and EU interactions and the targets in the revitalising agenda – leader Paul Mather
  • H&S aspects, benchmarking and accident cost modelling – leader Gary Marshall
  • risk assessment programmes, including an overview of the occupational motor road risk – leader Velma Baptiste-Destouche
  • rehabilitation and occupational health screening – leader Philip Robinson

Please direct any queries for AIRMIC HASSIG to: enquiries@airmic.co.uk