Heinz Gall, of TUV-Rhineland, talked about functional safety and how the IEC standards 61508 and 61511 work. If you are manufacturing products, they need to be built in accordance with 61508, he noted, and if you are using them in a Safety Instrumented System, they need to comply with 61511 (or the North American version, ISA84, which is entirely the same, but with a grandfather clause). These standards are risk oriented: they are written around the principle of risk reduction and the management of functional safety, and they are organized around the safety lifecycle.
"You must have safety management, and qualified personnel are a must!" Gall repeated.
He pointed to TUV-ASI, where you can get lists of TUV approved products, certified experts, and so on.
His presentation underscored what we've been telling you since 61511 came out: you can't escape the need to engineer a safety instrumented system, and you can't escape the need to have an ongoing safety management program. I had coffee with Gall and Kazuhiro Makishima, Head of Global Safety Solutions Center for Yokogawa, and we discussed the fact that people keep whining and whinging about the fact that the standard is descriptive, and not prescriptive. That is, the standard does not say, do this, then this, then this, and you will be safe. Oh, no. The standard says if you do these things, this way, you can design a system that you can, with ongoing functional safety management, use to keep your plant safe. That is a huge difference.
In the Q&A session that followed Gall's talk, a number of interesting points were raised:
Austin Brell, from Saudi Aramco, asked if TUV will do reliability analysis. Gall replied that they can, but that the safety standard itself doesn't require this.
A guy from Saudi Chevron whose name I didn't get asked if there was a central database for failure rates of SIS equipment. Gee, what a good question. No, Gall said, there isn't. So what TUV does instead is use the standard databases of failure rates for electronic components and construct a failure rate for a piece of equipment from its components, "and we are really conservative."
Brell asked again about the failure rate of communications; Gall had noted that it was less than 1%. Gall answered that that was by agreement, and that there is a developing IEC standard that will peg it at that value.
Another Saudi Aramco guy asked what happens when a model changes? Gall noted that, just as FM does for standard instruments, TUV must re-certify when anything changes.
Somebody else asked about the use of Foundation Fieldbus as a safety bus. Gall noted that the protocol was approved, but there is currently no implementation of FF for SIS. Whether there will be or not depends, he said, on the manufacturers, and likely on pressure from end users.
A guy from Dresser-Masoneilan asked a couple of interesting questions, and the discussion turned to the use of electronic diagnostics (such as FF or HART) in the SIS calculation. Gall reminded us all that if you have cranked diagnostics into your calculations, and you lose diagnostics, your calcs are wrong. So you must ensure that you can tell when you lose the diagnostic signal. He recommended using a discrete or analog signal to tell you this.
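Gall's warning about diagnostics, and the component-based failure rate he described in the earlier answer, can be made concrete with a small calculation. What follows is an added example, not from the talk, from TUV, or from any standard's annex. The parts list, the conservatism multiplier, the dangerous fraction, the diagnostic coverage figure and the heartbeat timeout are all constructed assumptions, and the PFDavg formula is the simplified 1oo1 low-demand approximation (dangerous undetected failures persist until the next proof test, dangerous detected ones only until repaired). The SIL bands are the low-demand PFDavg bands from IEC 61508-1.

```python
"""Parts-count failure rate and the effect of losing diagnostic coverage on a
1oo1 low-demand SIL calculation.  Added example; every number below is a
constructed assumption, not vendor or TUV data."""

from dataclasses import dataclass
from typing import Optional

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

# Constructed parts list for a hypothetical 1oo1 transmitter: (name, qty, FIT).
PARTS = [
    ("sensing element", 1, 250.0),
    ("analog front end", 1, 120.0),
    ("microcontroller", 1, 180.0),
    ("power supply", 1, 150.0),
    ("output driver", 1, 100.0),
]

CONSERVATISM = 2.0        # assumed multiplier on the handbook sum
DANGEROUS_FRACTION = 0.5  # assumed share of failures that are dangerous (no FMEDA here)

# Low-demand SIL bands, PFDavg in [lo, hi): IEC 61508-1.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def parts_count_lambda(parts=PARTS, conservatism=CONSERVATISM):
    """Total failure rate per hour: sum the component rates, then apply a
    conservative multiplier (the 'really conservative' step)."""
    total_fit = sum(qty * rate for _, qty, rate in parts)
    return total_fit * FIT * conservatism


def effective_dc(claimed_dc, heartbeat_age_s, heartbeat_timeout_s):
    """Diagnostic coverage that may be credited right now.  If the channel
    carrying the diagnostics (assumed here to be a 'diagnostics alive'
    heartbeat) has gone stale, the credit drops to zero."""
    if heartbeat_age_s > heartbeat_timeout_s:
        return 0.0
    return claimed_dc


def sil_from_pfd(pfd_avg):
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return None  # below SIL 1 (or above SIL 4)


@dataclass
class Pfd:
    lambda_du: float
    lambda_dd: float
    pfd_avg: float
    sil: Optional[int]


def pfd_1oo1(lambda_total, dc, test_interval_h, mttr_h,
             dangerous_fraction=DANGEROUS_FRACTION):
    """Simplified 1oo1 low-demand PFDavg:
         PFDavg ~= lambda_DU * TI / 2 + lambda_DD * MTTR
    lambda_DU sits undetected until the proof test, lambda_DD only until repair."""
    lambda_d = lambda_total * dangerous_fraction
    lambda_dd = dc * lambda_d
    lambda_du = (1.0 - dc) * lambda_d
    pfd = lambda_du * test_interval_h / 2.0 + lambda_dd * mttr_h
    return Pfd(lambda_du, lambda_dd, pfd, sil_from_pfd(pfd))


def compare_diagnostics(claimed_dc=0.9, test_interval_h=8760.0, mttr_h=8.0,
                        heartbeat_timeout_s=60.0):
    """Same device, same proof-test interval: once with a fresh diagnostic
    heartbeat (5 s old) and once with a dead one (600 s old)."""
    lam = parts_count_lambda()
    alive = pfd_1oo1(lam, effective_dc(claimed_dc, 5.0, heartbeat_timeout_s),
                     test_interval_h, mttr_h)
    lost = pfd_1oo1(lam, effective_dc(claimed_dc, 600.0, heartbeat_timeout_s),
                    test_interval_h, mttr_h)
    return alive, lost


if __name__ == "__main__":
    alive, lost = compare_diagnostics()
    print(f"diagnostics alive: PFDavg={alive.pfd_avg:.2e} -> SIL {alive.sil}")
    print(f"diagnostics lost:  PFDavg={lost.pfd_avg:.2e} -> SIL {lost.sil}")
```

With these assumed numbers the loop lands in the SIL 3 band while diagnostics are credited and falls to SIL 2 the moment the diagnostic channel is dead, which is the point Gall was making: the credit for diagnostics must go to zero when the signal that carries them does, and a discrete or analog "diagnostics alive" input is how the logic solver finds that out.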