Can you depend on that sensor?
You won’t have to look far to find examples of automation component failures in critical situations with catastrophic results. Several Toyota owners reported experiencing problems with their anti-lock braking system causing their cars to speed up when not expected. There were many contributing causes to the Deepwater Horizon spill, but a major one was the failure of the blowout preventer. Safety sensors can help maximize safety and reliability by minimizing critical failures and help ensure that safety is not compromised in the event of a failure.
What is a safety sensor?
Many understand the term as suggesting an instrumentation device used to measure process conditions that could be potentially dangerous. The device is typically a part of an equipment set for a safety instrumented function (SIF) which also includes a logic solver and final element. The SIF is part of a safety instrumented system (SIS), whose purpose is to drive a process to a safe state or to allow it to move forward when specific conditions are present. Examples of safety-sensor products include a pressure transmitter, temperature transmitter, gas detector, level transmitter, flow transmitter, flame detector, acoustic detector, or even proximity switch. These common items are recognizable but do not differentiate between an ordinary process sensor and a safety sensor. So what is the difference?
The standard for design and development of safety sensors
IEC 61508 is a multi-industry international standard that covers functional safety of automatic systems. The term “functional safety” is not the same as electrical safety or hazardous area safety. This standard is not concerned with shock hazards, burn hazards, or explosive atmospheres; rather, it covers the correct operation of a device (reliability) and, perhaps most importantly, how a device fails. Two different types of failures are covered: random failures and systematic failures.
The two main goals of the standard are clear-cut. The first is correct operation—a device must be sufficiently reliable. Reliability requires protection against both random and systematic failures. A random failure is defined as “a failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware." Systematic failures are defined in IEC 61508 as “a failure, related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors." The standard protects against systematic failures by having hundreds of requirements for the design, test, and manufacturing processes. These requirements reflect the best engineering practices known to avoid design mistakes and manufacturing faults.
The second main goal is that the device must fail in a predictable manner. A quantitative failure-mode analysis is done for random failures with published numbers for each failure mode. These numbers provide a safety-system designer with the information needed to determine if a safety sensor is sufficiently reliable when used in combination with a logic solver and final control element to meet the required safety integrity level (SIL). This task called SIL verification.
There are four different levels of safety integrity defined by IEC 61508 (Figure 1). The requirements for each safety integrity level are different. SIL 1 represents the lowest level. Each safety integrity level is intended to represent an order of magnitude improvement in safety and reliability and thus carries with it more stringent requirements. The requirements for a SIL 3 certification are much tougher than for SIL 2 certification, and those for SIL 2 certification are tougher than those for SIL 1.
When an instrumentation sensor has been assessed by a competent, third-party agency and meets the requirements of IEC 61508, it is common to label it as a safety sensor or safety-certified instrument. The 2010 version of IEC 61508 introduced the term “systematic capability,” which indicates the best-case safety performance that the device can provide when it is applied per its safety manual. Certified devices can have a systematic capability rating from one to four that matches the SIL level of a SIF in which it may be used.
Failure mode analysis
Minimizing the impact of random failures can best be evaluated with a quantitative failure rate and failure mode analysis, as required by IEC 61508. The best technique is called a failure modes, effects, and diagnostic analysis (FMEDA). An FMEDA requires each component in a device (resistor, transistor, capacitor, etc.) to be examined individually to evaluate its failure modes and their impact on the operation of the device. The ability of any self-diagnostic to detect the failure is evaluated, and the cumulative impact of all component failures is calculated. This produces a set of numbers for a device—a failure rate for each failure mode. These numbers are then used by system designers to meet the targeted and required SIL levels for each SIF.
The FMEDA process is quite detailed and systematic, often identifying design problems that can be fixed to improve the design safety and reliability. As part of the certification, the number and type of product field failure data are analyzed as a function of the total accumulated operating hours. This observed failure rate can then be compared to the calculated failure rate in the FMEDA. If the values are comparable, this helps demonstrate the product development and quality process is effective.
Should you choose a safety sensor for your SIS?
The process industry-specific functional safety standard is IEC 61511 (ISA 84.00.01-2004). This standard requires that equipment used in a SIS be carefully selected and justified. While all sensor devices must be evaluated for any specific application, choosing equipment that "meets the requirements of IEC 61508" is a common way to justify sufficient safety integrity performance. If not using safety-certified sensors, IEC 61511 allows an end user to perform his or her own proven-in-use justification. With a proven-in-use justification, the burden is placed on the end user to audit the vendor’s design and quality assurance processes, to review manufacturer documentation of failure modes and failure rates, as well as to gather evidence of suitability by documenting the operating history in similar applications in other plants.
SIS designers choose safety certified sensors rather than doing a proven-in-use justification for a number of reasons, including:
• Assuring that the product has high design reliability and safety
• Avoiding the burden of vendor design and manufacturing audits
• Reducing effort and cost for safety-system design (SIL verification)
• Reducing risk and potential liability from application of the product
• Regulatory agency preferences or demands IEC 61508 certified products, and
• Avoiding the recording of operating hours and analysis of all repairs and failures.
Without complete plant maintenance records, especially proof-test-as-found condition records, a designer would have difficulty providing documented trouble-free operating history from his or her plants. As a proven-in-use justification means taking responsibility for the reliability and safety of a sensor, high-quality data is important. Some will prefer to avoid the burden of vendor auditing and the documentation of those audits. Beyond just the safety integrity issue, other process operators specify safety sensors to get the assurance of high levels of design quality and reliability. There are regulations in some countries that indicate safety-certified products must be used in certain applications.
Certification of device manufacturers
When the functional safety standards were written in the late 1990s and early 2000s, the safety certification concept was in its developing stages. While several PLC products were IEC 61508 safety certified, there were fewer sensor devices at that time. The E+H Liquiphant Fail-Safe, a tuning-fork level switch, was safety certified per the German VDE0801/A1 standard in 1996. The first safety-certified sensor per IEC 61508 was the 345 pressure transmitter from Moore Products in 1998. Over time, additional sensor devices passed the tough requirements with strong growth, which began in 2006. Today there are a number of safety-certified sensor devices for almost any process variable from every major instrumentation manufacturer. Figure 3 shows a cumulative count of the number of safety-sensor devices. A list of safety-certified devices, including sensors, is maintained on the Safety Automation Equipment List (www.sael-online.com). This list is updated regularly as new certifications are added from a variety of competent certification agencies, while obsolete products are removed.
Developing safer products
Developing products compliant with IEC 61508 is a rigorous and demanding process. Roughly 70% of the approximately 330 requirements for device-safety certification involve the design and test process. The clear objective of this level of attention is design quality. It is interesting to note that a majority of the requirements (about 200) relate to the software development process. Why is this? Remember that software was prohibited from safety applications by regulation in many countries through the late 1990s. There is software paranoia in the nuclear industry that is still so strong that new custom designs implemented purely with hardware are continually being developed even when well-proven alternatives exist. The software engineering requirements of IEC 61508 are quite strong for SIL 3 capability, and most consider this appropriate as it seems so easy to write software without sufficient testing. Yet some question the need for all this attention of software engineering in a simple sensor device. This thing is called a "smart" pressure transmitter, but could the software really be that complicated? Some ask, "Could this pressure transmitter that fits in my hand possibly be as complex as the rack of equipment in the safety PLC cabinet?"
No one questioned the need for safety certification of PLC products in the late 1990s. The PLC software designs were somewhat complex and appropriately perceived as such. One design example had software with two primary execution tasks: logic solving and communications. A rough idea of design complexity is given by the size of the processor and memory. A 1990s safety PLC did logic solving with a 16-bit microprocessor with four megabytes of memory. In the 2010s many sensor designs are much more complicated than the old PLCs. Today’s sensor designs use multitasking operating systems with 32-bit microprocessors and larger memories. The sensor devices take full advantage of this processing power to provide high-speed statistical analysis of the process variable, much better automatic self-diagnostics, and more features. Given that the complexity of the new 2010-era designs is even greater than the safety PLC of 1999, the importance of software engineering quality is greater than ever.
No safety without security
According to IEC 61508, if a security threat is seen as being reasonably foreseeable, then a security-threats analysis should be carried out. If security threats are identified, a vulnerability analysis should be undertaken in order to specify security requirements to be incorporated into the design. The ISA Security Compliance Institute (ISCI) has developed a program for security testing and certification of critical control system products with an Ethernet connection, such as PLCs, digital-protective relays, communication modules, and even sensor devices. The program, called ISA Secure, utilizes test specifications and protocols developed from publicly available sources such as the ISA-99 industry standard. With the occurrence of the Stuxnet virus, and the potential of Stuxnet-like attacks in the future, there has certainly been great attention drawn to the importance of control-system cyber security. Thus cyber security has become part of the safety certification process in some certification bodies.
Certifying the certifiers
The IEC 61508 functional-safety standard requires a level of independence in the assessment of functional safety that varies according to the SIL level. However, it does not require any specific accreditation, even for SIL 3 or SIL 4, as is required in the electrical safety standards. The IEC 61511 standard even uses the words "meets the requirements of IEC 61508" rather than using the term "certified." Therefore, we can conclude that anyone could perform a functional safety evaluation of a sensor device per IEC 61508. As a practical matter, IEC 61508 is a large, complex document. The technical depth required to understand the issues is quite high, and this is recognized by the market. Therefore, purchasing specifications of major end-user companies routinely contain language indicating the competency required or even which specific certification agencies are accepted.
While self-certification by a manufacturer is not prohibited by the standard, few have followed this path as they recognize the market demand for an accredited test laboratory/certification body with the technical skills beyond traditional electrical safety.
Certification agency accreditation is done per IEC Guide 65 (EN45011), which has requirements for the operation of a product certification program, and ISO 17025, which has requirements for a test laboratory. Technical competency is evaluated for each area of certification (e.g., functional safety, cyber security, electrical safety, etc.). Accreditation is done by an organization in each country that is governmental or quasi-governmental. In the U.S., for example, accreditation is done by the American National Standards Institute (ANSI).
It is not hard to imagine functional safety certification becoming a standard part of sensor devices. Hazardous area approval was an option in the early days of electrical safety standards. Today it is difficult to buy any field device without a hazardous area rating. As more and more devices are achieving functional safety certification, more manufacturers are making functional safety a standard part of the product development process. Functional safety will likely be a standard attribute of sensor devices in the future. This is indicated by one advertising campaign for a pressure transmitter product recently that said, "Safety is not an option." Every device produced has the rating. This should provide a good return on investment as design quality improves and fewer mysterious field failures occur.
William Goble, PhD, is principal engineer and director of the functional safety certification group at exida, an accredited certification body. His doctorate is in quantitative reliability and safety analysis of automation systems.
Find more information about safety sensors at: www.exida.com/certification
See a list of safety-certified sensors, logic solvers, final control elements, and more at: www.sael-online.com