2.3 Equipment Suppliers
Companies that promote their equipment and/or software for use in safety applications are responsible for the accuracy of the claims they make about their products.
There is currently, as of 2019, no formal framework for ensuring that Safety Integrity Level (SIL) capability claims are valid. Equipment selection therefore needs to involve careful consideration of the evidence that manufacturers provide with their products.
Broadly speaking, elements used in safety applications can be separated into the following categories:
- Logic solvers, comprising hardware and, if programmable, each of the following:
  - Embedded software.
  - Utility software (for program configuration).
  - Application programs.
- Final elements.
- Interposing devices.
In each main category, a device may be either "Type A" or "Type B" according to the equipment designations in the standard IEC 61508.
IEC 61508 edition 2 is the manufacturer's reference standard for designing hardware and software.
Type A devices are non-complex and contain no software or programmability. These devices are generally easier to qualify for use in a safety application because no software is involved. However, they typically have less self-diagnostic capability, meaning there is usually little or no information available if they fail in service between proof tests.
Examples of Type A devices include discrete (on/off) sensors and switches, non-programmable relays and contactors, solenoid valves, actuators and final element valves.
Type B devices can contain complex components such as microprocessors and typically offer programmability, meaning embedded software is present. These devices are generally harder to qualify for use in a safety application because of that complexity and software. However, they typically have better self-diagnostic capability, meaning there is often good information available to the user if they fail in service.
Examples of Type B devices include smart sensors (also known as instruments or transmitters), programmable logic solvers, programmable relays and all other devices which have embedded software.
When equipment suppliers assess their products, either by themselves or using a third party assessor, they must designate if the device is Type A or Type B. They must also produce information known
2.4 Engineering Companies (EPCs)
Engineering companies (EPCs) working on behalf of end user Duty Holders will typically be engaged on new SIS projects, or sometimes on large refurbishments where complete systems or major sub-systems are being replaced. EPCs do not work in isolation, and will often be joined by the Duty Holder's technical representatives for key phases of hazard, risk and SIL assessment, sign-off of documentation and witnessing of testing activities before the system enters or re-enters service.
This embedded nature means the EPC takes on some joint liability for technical decisions and engineering activities relating to the SIS before the operations phase.
As a result, EPCs tend to focus on getting a project completed on time and within budget, with less emphasis on the operational aspects of the system. Because of this limited responsibility, the Duty Holder must take care that operational requirements are not side-lined and are given equal weighting in terms of priority for the final design.
Consultants who work on behalf of end user Duty Holders or engineering companies will typically be working on only a few specific phases of the safety life-cycle.
As each specialist consultant provides support for only a limited aspect of the overall safety life-cycle, it is important that the Duty Holder or engineering company sets very clear boundaries and expectations for deliverables.
The best way of setting boundaries and expectations is for there to be very clear Terms of Reference and detailed procedures provided by the Duty Holder and/or engineering company. Experienced consultants will require this approach and will question missing or conflicting information.
An example of a problem that can occur is when different consulting companies assist with the HAZOP (Hazard and Operability study) and the subsequent SIL Determination activities involving LOPA (Layer of Protection Analysis). If the quality of the HAZOP is not sufficient for the LOPA, significant time can be wasted. Several similar examples persist at different stages of the design.