independent and trusted body that declares that the product complies with the standard (for a specified scope). Of course, the manufacturer may also be using the certificate as a marketing document. However, the user should be competent in understanding functional safety data rather than being satisfied with a SIL capability claim. This can be illustrated by considering the following real example.

Comparison of these figures with others for similar devices shows it claims to be several orders of magnitude better. Experience says that it would be unwise to accept such figures at face value without asking some searching questions. Another example where caution is advised is where a certificate states SIL3 @HFT=1. An HFT of 1 means that you need two devices to achieve SIL3 capability. But you don't need a certificate to tell you that; the standard tells you what SIL is achievable when using redundant devices. Reading the certificate more carefully reveals that the device is actually SIL2 capable. So the certificate can easily be misunderstood by the unwary reader whose eye is caught by the words SIL3. The SIL capability of an instrument is an important parameter, but there are dangers in putting a SIL number as a headline on the certificate, as once a SIL capability is stated there is a tendency to ignore the rest of the certificate. Whilst SIL is a parameter of the safety function performed by a safety instrumented system (sensor to final element) rather than of the individual elements, the 2010 version of IEC 61508 has created the term Systematic Capability of an element (SC1 to SC4), which corresponds to SIL1 to SIL4 capability respectively. The SC <number> refers to the rigour of the documentation and quality process used throughout the product's development to avoid systematic failures.

Compliance

software, expect to see an explicit statement of conformity in the certificate. Remember that software failures are systematic rather than probabilistic. The certificate is a statement that the software:
- Has been developed according to a compliant process (IEC 61508-3, clause 7) and using appropriate techniques and measures (IEC 61508-3, Annexes).
- Assessment includes justification for the development tool chain.

If sufficient valid data is available (millions of operational hours) it is possible to use a statistical approach (IEC 61508-7, Annex D), but the analysis is not trivial. It must be realised that, especially when the certificate is based on predicted (FMEA) data, the ongoing lifecycle should be reviewed by performing field failure analysis to confirm that the actual failure rates are no worse than those predicted. It would be reasonable to expect conditions in the certificate that obligate:
- The end user to collect (see IEC 60300-3-2) and feed back field failure information to the manufacturer.
- The manufacturer to analyse field failures and take necessary action (inform the certification body, notify users, etc.).

Choosing an assessor/certifier

As already stated, the assessment process should comply with IEC 61508-1 clause 8, so look for the accreditation logo on the certificate, which should ensure these requirements are met. An example certification scheme is CASS (Conformity Assessment of Safety related Systems), which is unique in the following respects:
- Open/transparent methodology and framework for assessment to IEC 61508 (and sector standards).
- Requirements are all in the public domain, so there are no hidden surprises.
- Originally a UK government funded initiative, designed by industry for industry.
- CASS is a collective interpretation of IEC 61508; this ensures the assessor's ego is kept in check. (About 60 companies contributed.)
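Returning to the field failure check in the Compliance section: the example below is added here and is not from the original article. It computes one-sided Poisson confidence bounds on a dangerous failure rate from fleet operating hours and reported dangerous failures, then compares them with the rate the certificate predicts, so that a reader can see how many operating hours a "no worse than predicted" conclusion actually needs. The bound method is an assumed textbook approach rather than a reproduction of IEC 61508-7 Annex D, and the fleet size, operating hours and predicted rate are constructed.

```python
import math

# Added example (not from the article). One-sided Poisson confidence bounds on a
# dangerous failure rate: an assumed textbook method, not the IEC 61508-7 Annex D
# procedure. Assumes a constant failure rate and complete failure reporting.

def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu); a direct sum is fine for small k."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))

def upper_bound_rate(failures: int, hours: float, confidence: float = 0.90) -> float:
    """Smallest rate (per hour) at which seeing <= `failures` is already unlikely."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, (failures + 1) * 50.0 / hours        # hi is far above the answer
    for _ in range(200):                                 # bisection on the rate
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if poisson_cdf(failures, mid * hours) > alpha else (lo, mid)
    return hi

def lower_bound_rate(failures: int, hours: float, confidence: float = 0.90) -> float:
    """Largest rate at which seeing >= `failures` is already unlikely (0 if none)."""
    if failures == 0:
        return 0.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, failures * 50.0 / hours
    for _ in range(200):
        mid = (lo + hi) / 2
        tail = 1.0 - poisson_cdf(failures - 1, mid * hours)   # P(X >= failures)
        lo, hi = (mid, hi) if tail < alpha else (lo, mid)
    return lo

def check_against_certificate(predicted_lambda_d: float, failures: int,
                              hours: float, confidence: float = 0.90) -> dict:
    """Compare the certificate's predicted dangerous failure rate with field data."""
    upper = upper_bound_rate(failures, hours, confidence)
    lower = lower_bound_rate(failures, hours, confidence)
    if upper <= predicted_lambda_d:
        verdict = "no worse than predicted"     # field data supports the claim
    elif lower > predicted_lambda_d:
        verdict = "worse than predicted"        # claim contradicted: notify, act
    else:
        verdict = "inconclusive"                # more operating hours needed
    return {"observed": failures / hours, "lower": lower, "upper": upper, "verdict": verdict}

if __name__ == "__main__":
    HOURS = 400 * 3 * 8760      # constructed fleet: 400 devices over 3 years
    # Constructed headline claim of 2e-8 /h against 3 reported dangerous failures,
    # then the same claim with zero failures: still inconclusive at 10^7 hours.
    print(check_against_certificate(2e-8, 3, HOURS))
    print(check_against_certificate(2e-8, 0, HOURS))
```

With zero failures the upper bound is simply -ln(1 - confidence) / hours, so ten million hours cannot confirm a claim in the 1e-8 /h range at 90% confidence; this is why the article calls the statistical route non-trivial.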