End-users who operate (critical) rotating machinery have a legal obligation to implement a suitable and verifiable safety instrumented system (SIS). Safety Integrity Level (SIL, IEC 61508), one of the more prominent risk reduction methods, allows those responsible to prove that everything has been done to reduce risks to a minimum. SIL is also incorporated in the API 670 5th edition as the go-to method to comply with safety standards regarding machine protection systems. As SIL has proven a valuable method to meet the legal safety requirements, the market for turbine overspeed protection systems has become largely SIL-driven.
More and more end-users demand SIL certified safety systems, which is why OEMs are incorporating SIL in their system design. However, there is an important distinction to be made in SIL certification: certified by proven in use on the one hand and certified by design on the other.
Certified by proven in use
SIL certification by proven in use means that the SIS is not designed according to the SIL requirements as specified in the IEC 61508, but rather based on mean time between failures (MTBF), mean time to failure (MTTF) and failure modes (detected versus undetected). Proven in use is accepted based on statistics rather than on safety integrity defined by corresponding directives. The requirements for proven in use certification are very demanding, and require a user to have*:
- A formal system for gathering reliability data that differentiates between safe and dangerous failures.
- A way of assessing the recorded data to determine the safety integrity of the SIS and its suitability for the application.
- Evidence that the application is clearly comparable.
- Recorded historical evidence of operational hours.
- Evidence of the manufacturer’s management, quality and configuration manufacturing systems.
- Device firmware revision records.
- Proof that reliability data records are updated and reviewed regularly.
*Source: IEC 61508 & IEC 61511
This is often applied to systems already in use that fail the SIL certification (IEC 61508). Based on their decade-long reliable use, with few failures, these systems are SIL-certified by proven in use. It is important to note that proven in use is only valid to the specific application the system has been operational on and thus cannot simply be transferred to comparable applications.
Note: Proven in use is a more valid approach for an end-user than for an OEM, since the end-user knows all the ins and outs of the instrument, the application and the environmental conditions.
Certified by design
SIL certification by design means that the system is designed in accordance with IEC 61508 requirements for a specified range of applications. The proof-test interval for systems certified by design is much longer than for those certified by proven in use. However, the more complex the system is, the more regularly it needs to be tested, because more functionalities lead to more potential weak points in the system.
Certification by design is, for OEMs, always preferred over proven in use due to its wider applicability and longer test intervals. However, many products will never be able to receive such certification due to their design. In terms of SIL, the only option is then either to use a non-certified product or to strive towards a proven in use certification.
SpeedSys: overspeed protection certified by design
Istec has developed the SpeedSys: a certified by design overspeed protection system. We stripped all additional functionalities and returned to the core of overspeed protection as defined by the API 670 standard. The SpeedSys features a minimal test interval of 10 years, scalability for higher SIL rating through voting structures and a transmitter-based architecture as opposed to complex rack-based architectures. The SpeedSys offers the same level of protection as any rack-based system but is much more financially accessible for both smaller and larger rotating equipment.
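To make the relationship between proof-test interval, voting structure and achievable SIL concrete, here is an added illustration (not Istec's or SpeedSys's code) using the simplified low-demand PFDavg expressions from IEC 61508-6 for 1oo1 and 1oo2 architectures; it also shows how a failure record split into safe/dangerous and detected/undetected, as the proven in use requirements above demand, feeds the dangerous-undetected failure rate. The failure log and fleet hours are constructed sample data, and common-cause and repair-time terms are deliberately left out.

```python
# Added example: how lambda_DU and the proof-test interval drive the SIL band.
# Simplified IEC 61508-6 PFDavg formulas; no beta-factor or MTTR terms.
HOURS_PER_YEAR = 8760.0

# Constructed field record, in the shape a proven in use data system must keep:
# (failure_id, dangerous: bool, detected: bool)
FAILURE_LOG = [
    ("F1", False, True), ("F2", False, True), ("F3", True, True),
    ("F4", False, False), ("F5", True, False),
]
FLEET_HOURS = 5_000_000.0   # constructed: accumulated operating hours of the fleet


def dangerous_undetected_rate(log, fleet_hours):
    """lambda_DU per hour: only failures that are both dangerous and undetected count."""
    n_du = sum(1 for _, dangerous, detected in log if dangerous and not detected)
    return n_du / fleet_hours


def pfd_avg(lambda_du, proof_test_years, voting="1oo1"):
    """Simplified average probability of failure on demand over one proof-test interval."""
    t = proof_test_years * HOURS_PER_YEAR
    if voting == "1oo1":
        return lambda_du * t / 2          # single channel
    if voting == "1oo2":
        return (lambda_du * t) ** 2 / 3   # both channels must fail dangerously
    raise ValueError(f"unsupported voting architecture {voting}")


def sil_band(pfd):
    """Low-demand SIL from PFDavg (IEC 61508-1): 0 means no SIL is achieved.
    Values below 1e-5 are reported as SIL 4; the standard defines no higher level."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


if __name__ == "__main__":
    lam = dangerous_undetected_rate(FAILURE_LOG, FLEET_HOURS)
    for years in (1, 10):
        for arch in ("1oo1", "1oo2"):
            p = pfd_avg(lam, years, arch)
            print(f"T={years:2d} y {arch}: PFDavg={p:.2e} -> SIL {sil_band(p)}")
```

With the constructed data, stretching the proof-test interval from 1 to 10 years drops a single channel from SIL 3 to SIL 2, while 1oo2 voting at the same 10-year interval brings it back to SIL 3, which is the trade-off between long test intervals and voting structures described above.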