• Compliance with domestic and international standards

• Reduced risk liability with documented safety standards

• Compliance from fulfilling requirements in the standard, hence better technical quality of the product

• The majority of certifying authorities have a global network, so it is possible to use these experts to integrate safety-related products produced at different locations into SIS and applications.

• Benefit from fast audit times and utilization of expert opinion especially in planning, design and testing of the products

• Possibility to challenge competitors on account of authentic third party certification

    Compliance is evaluated by a certifying authority, which assesses and certifies that a product has been designed and developed in accordance with the standard. Similar to third party certification and approval, a certifying authority provides benefits [15,16] like:

• Total proposed facility documentation to be presented for documentation assessment. If recommended by a certifying authority, necessary modification/augmentation should be incorporated.

• Product development stages to be assessed

• Assessment of product design and testing process against IEC 61508

• Assessment of business process

• Relevant lessons learned assessment

• Operational safety assessment:

• Assessment of validation planning and associated activities

• Assessment of verification activities

• Documentation of complete assessment results

• Final auditing of entire activities

• On successful final audit report, issuance of certificate

    Many of the certifying authorities use their own software tools (e.g., Exida's Safety Case tool) for the entire system.

• Why is SIL important? From Chapter VIII it is clear that SIL rating corresponds to the PFD for SIF, hence SIS. Also it is clear that the higher the SIL target, the lower the PFD and better the performance of SIS.

• What does SIL rating mean? SIL rating signifies that the entire system, not just an individual product, will reduce the risk to a specific level. Also from the discussions in Chapter VIII, it is clear that SIL rating of the system is dictated by the minimum SIL rating, hence SIL suitability of the individual device is immaterial when SIL rating of the entire system is inadequate.

• Certification: Both products and processes can receive such a certification. Certification for the former is most common and is issued by an independent agency to show that the appropriate SIL calculations have been performed and analysis has been completed on a product. Self-certification, though not common, is also possible. Such certifications are used to signify that it is compatible for use within a system up to the certified SIL. As discussed earlier, FMEDA is normally used to determine the safe/unsafe and detected/undetected failure modes of a product. FMEDA is useful for calculations of safety failure fraction and PFD. Although not common, full certification of IEC 61508 is also possible for manufacturer's design and quality processes.

• Who can issue certificates? According to the standards there are no preferred agencies or companies that have the authority to issue SIL certifications. However, Clauses 8.2.15–8.2.18 along with Tables 4 and 5 of IEC 61508-1:2010 do specify minimum levels of independence of those carrying out a functional safety assessment. It is always better to have a very close look at this part of the standard to understand authority for issuance of the certificates. A variety of consulting firms and agencies provide SIL-related services and in some cases generate certificates. Here the main approach is complying with the functional safety standards. After the standards have been in place for so many years, it is always better to have the product duly certified by independent third party established certifying agencies. During certification, experts will look carefully inside a product's design, safety, and reliability. There will be a thorough audit and after passing the audit, SIL certification will be issued with FMEDA (hardware probabilistic failure analysis based on a huge collection of data) numbers. All these will help in the development of the product. For the self-certified method, it will be prudent to ask for and check a “detailed assessment report,” a document that describes the steps completed to show compliance to IEC 61508. In this regard the blog http://www.exida.com/Blog/Who-certifies-the-certification-agency may be referred to. According to Dr. William Goble “I have yet to see a valid self-certification.” Having said this, one needs to remember and understand that using certified products alone cannot ensure safety of the entire system forever. It is not something that can be bought and applied. Certification can only help in selecting appropriate safe and reliable products for the application. System performance depends on a multitude of factors such as accurate placement, installation, correct maintenance, proof testing, etc. [14]. Now, focus will be on another important issue of proof testing and proof testing interval.

• The proof test of an SIS should reflect real operating conditions as accurately as possible. If possible, the SIS will be activated by manipulating process variables without driving the dangerous situation. If at all the process is driven in the demand state, followed by a proper risk assessment, accompanied by additional controls.

• When process variables cannot be safely or reasonably practicably manipulated, then the correct operation of sensors should be attained by other means, such as comparison with other measurements.

• The inherent difficulties associated with testing valves and inline flow meters are addressed during the design phase of SIS with additional means, for example, additional corroborative measurements.

• Proof tests should address the necessary functional safety requirements of SIS, such as response time and valve leakage class.

    According to Clause 16.2.8 of IEC 61511-1:2003, the written proof test procedures shall describe every step that is to be performed and shall include:

• Direct testing: In direct testing, test equipment is normally used to create specific conditions and then the response of the component is observed. A typically direct test simulation method includes:

• Other methods: These may be used when direct testing is not possible. Typical other methods include: cross-checking sensor history data against other instruments with the same range coverage, periodic replacement and sampled testing of single-use components, valve overhauls to ensure tight shutoff, etc. These other methods are conducted at the proof test interval assumed in the PFD calculation.

• Partial proof testing: The following are the major issues related to partial proof testing:

• The significance of partial proof testing will be clear from Fig. X/2.2.2-1. From Appendix B2 of IEC 61508-6:2010 one can access the formula for PFD calculations. Assuming MTTR is much smaller than proof test interval, dangerous failure rate λ_D and proof test interval T_i are directly related with PFD_av as per the following equation in its simplest form:

    So, for the loop comprising sensor (S), logic solver (LS), and final elements (FEs):

• Standard: As per IEC 61511-1:2003 standard (Clauses 16.3.1.2 and 16.3.1.4) all components in SIS shall be subject to a proof test and any deficiencies found shall be repaired in a safe and timely manner.

• Purpose: Proof tests are meant to reveal all undetected failure modes that would prevent the SIS operating as per SRS, even if this is completed at different intervals (e.g., partial testing). Proof testing should be designed and developed in a way to reveal any reasonably foreseeable undetected failure mode, that is, unrevealed (dangerous) fault conditions in each of the components (e.g., sensors, logic solvers, and final elements) in each SIF, and in the means of connecting the SIS to the process.

• Human error: The proof test procedures should be designed in such a manner that it would minimize human error. For this, a checklist including tick boxes and cross-checking for critical steps could be helpful. Many structure the tests in a way so that errors that could be introduced are revealed by subsequent test steps [17].

• Overrides: All SIS overrides are subject to strict controls to ensure safe application and timely removal.

• Calibration: For SIS proof testing, all test equipment must be calibrated as per national standards.

• Requirements for partial proof testing: As discussed earlier, for partial testing of SIS, the impact on process operation, functional safety, and overall test coverage must be established with the help of proper assessment and as necessary additional controls need to be deployed without disturbing SIS installation.

• Installations: SIS installations are tested on an as-found basis.

• Inspection: As per IEC 61511-1:2003 (Clause 16.3.2) as part of proof testing each SIS shall be subject to periodic visual inspection, including all components. This is to detect and ensure that there are no unauthorized modifications or deteriorations, etc., for example, missing bolts or instrument covers, rusted brackets, open wires, etc. The level of inspection depends greatly on the site conditions and access controls.

• Responsibility: All SIS components should be subject to appropriate maintenance, usually described by the component manufacturer [17].

• Procedure documents and timings: In an actual case the proof test procedure may not follow a single procedure document, but may be made up of different documents, for example, reference to other procedures. Also it may include procedures for testing different parts of SIS at different times. However, in all such cases, measures should be taken to ensure no failure modes or components are missed. It may include partial test procedures and full test procedures.

• Proof testing process description: For understanding the process, Fig. X/2.2-1 may be referred to. The process starts after calculating the PFD for SIS to meet the requirements of PFDs; if not, then it is to be redesigned. When the PFD calculations meet the requirements then all the failure modes are identified. For each of failure modes pertinent to each SIF in SIS, proof testing and inspections are carried out. As seen in Clause 2.2.2, there are three ways in which proof testing can be carried out. First, a check is made to see if direct testing is possible, which is then recorded. After recording, the test looks for another set of failure modes. When direct testing is not possible, then other means or partial testing are considered. If none of them are possible or valid for partial testing, then it is necessary to redesign the system. Whenever any failure mode, other method, or partial testing is valid and done, then, as discussed earlier, it is recorded and another failure mode is sought. In this way when all failure modes are tested the process is complete and proceeds to the maintenance phase.

• Description of the tests and inspections performed including the following:

• Serial number or other unique identifier of the system tested

• Results of the tests and inspection

    Based on the foregoing the following are the details of basic data to be recorded:

• Steps undertaken during testing

• Results of steps

• Details of all faults

• Details of corrective actions including:

• Test duration (start and end time)

• Details of tester and approving authority:

• Influencing factors: The following are influencing factors for proof test results:

• Proof test approaches: Proof tests of “wetted parts” are not always the same. In some cases pressure injection to the main impulse line with isolation and vent valves may be possible, but in a case where there are chances of leakage of energy or fluids, such an approach may not be feasible. So, based on this some of the major approaches are: