Do purchasing teams really need to worry about Functional Safety & SIL?

When it comes to complying with the safety standards IEC 61508, IEC 61511 and IEC 62443 for a safety and security project, it is not only the automation and/or instrument engineer who needs to worry about the requirements for purchasing the appropriate safety devices.

The responsibility for choosing and purchasing safety ‘elements’ (components and devices) also rests with an organisation’s commercial and purchasing department. As such, those handling equipment selection and purchase must have an equally good appreciation of the requirements for safety devices and the need to ensure they are fit for the application within a safety instrumented system (SIS).

Experience suggests that when it comes to the compliance requirements of IEC 61508 and IEC 61511 / ISA 84, the commercial and procurement teams are typically left out of any formalised appreciation and awareness training. While members of  process safety, engineering and maintenance teams are quite likely to appreciate the requirements of the IEC safety lifecycles given their impetus over the last 15 years or so, the same cannot automatically be assumed to apply to the commercial / purchasing department.

"The solution that gets purchased might not necessarily be the one that was envisaged."

Consequently, there is a risk that purchasing decisions may be taken in isolation without due recognition of the importance of supporting cyber security, safety functionality and safety integrity considerations associated with automation projects and safety-related devices.

Look beyond the price tag

Without an understanding of the potential pitfalls of safety device selection, the price-focused nature of any conscientious purchaser presents an inherent risk that safety devices may be selected more for their price than their ability to provide the required level of protection.

While a purchasing decision may start with the specification and data sheets provided by the project / operational technical teams, the solution that gets purchased might not necessarily be the one that was envisaged.

A purchasing team might discover that a seemingly similar device (one that in reality does not meet functional safety) for a project is some 25% cheaper, offering the chance to potentially save the company large sums of money. This device may well work perfectly within the first two years of operation. However, it is only established during the operational phase that the reliability after the two-year period is no longer guaranteed, or the device may work fine for normal operating conditions, but may fail during an emergency process condition. For example, a valve can shut down the process flow if the pipeline pressure is normal, but may well fail at very high-pressure conditions if it hasn’t been properly specified.

Alternatively, suppliers may be overpromising compliance (so called ‘vendor SIL claims’) at a much-reduced cost in comparison to other solutions, with the truth only becoming apparent once the device or system purchased has been shipped to site and found to be inappropriate due to several application issues regarding fitness for purpose over time.

An over-emphasis on cost over safety may also increase the likelihood of a buyer stumbling into a situation where additional product purchase or extensive engineering hours need to be applied to make it work which only become apparent during the site start-up phase.

In each of these situations, the reliability of the devices being purchased depends on well-proven design, choice of construction materials and software, all of which typically carry a higher price tag for reasons outlined below. To find that an apparently bargain price product lacks the necessary features or characteristics to meet a hazardous process demand at the installation and commissioning phase of a project, or when failure on demand becomes evident in operation, is not an ideal scenario. 

"There needs to be greater cooperation between the commercial teams and those persons responsible for functional safety assurance"

Good safety is good business

Many commercial teams quite rightly seek ways to optimise the Capex cost of a project or Opex for an operational facility, but are they aware of the impact of such decisions on functional safety?

The key issue here for safety-related applications is that a reliable device usually means a ‘proven device’, which may well lead to cost differentiation during the purchasing and cost analysis process because:

• Many hours have been spent by the device manufacturer to ensure adequate design and ongoing modification improvements where operational problems have been detected.
• Such devices invariably use proper quality materials (e.g. more resistant wetted parts to the process medium) and so will invariably cost more
• Software improvement process costs are included which guarantee that all revealed errors (e.g. during 5 years of operations) are corrected over time
• The costs of management, competent resource, documentation and complex / time-consuming testing are also included

Here, the requirements for improved quality and reliability requirements may result in an increased cost for devices that are approved for safety-related applications, and so it is vitally important that purchasing departments should be aware of this factor when undertaking vendor qualifications and eventual purchase of SIL capable safety devices.

There needs to be a careful balancing act between meeting the safety requirements, and the leverage some manufacturers may apply to elevate the costs of their products based solely on inflated IEC 61508 compliance arguments.

There needs to be greater cooperation between the commercial teams and those persons responsible for functional safety assurance and less reliance on internal vendor qualification ‘checklists’ that provide one-line vendor responses to safety compliance and the purchase of safety devices. We should not forget that the device selection process is based on performance-based standards and prescriptive factors used for device selection are not enough to state and evaluate compliance, or non-compliance. In such purchasing decisions, we need ‘judgement’ to be applied and this leads us to purchasing team competency requirements.

Remember that the safety standards require:

• IEC61508

o   Those organisations or individuals that have overall responsibility for one or more phases of the overall E/E/PES safety lifecycle, shall…………specify all management and technical activities that are necessary to ensure that the E/E/PES SRS achieve and maintain the required functional safety

o   In other words, a ‘functional safety management system’ (FSM)

• IEC61511

o   Persons, departments or organisations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable

o   In other words, a ‘competency assurance programme’

In both cases, the requirements stipulated apply to the purchasing teams involved in the relevant lifecycle phases. Ideally, commercial and purchasing teams will have appropriate quality procedures that have been aligned to their functional safety management (FSM) equivalent to deliver the following:

• Recognition of safety device requirements during the safety requirements specification development
• A means to further qualify suppliers for functional safety requirements
• A means to allow commercial and project / operational teams to successful qualify vendor proposals to meet safety related applications
• A means to handle query change management for safety device selection and purchase
• A means to confirm that what is specified is the same as that which is delivered
• A means to ensure that safety device user manuals, certificates, reports and supporting information is provided to support SIL verification purposes

Such a purchasing methodology should not be seen as a simple “cut and paste” approach. Each safety project should have a compliant QMS/FSM process completed as appropriate on each and every occasion to ensure that functional safety and cyber security requirements are appropriately established for the specific project.

Ensuring that commercial and purchasing teams are fully briefed and conversant with the requirements of the safety standards and know what to look for regarding safety device selection and vendor claims will provide the responsible organisation with the following benefits:

• The commercial and technical teams responsible can ensure that everyone in the supply chain understands their obligations and can optimise the cost of the solution in accordance with exacting safety requirements
• Everyone in the supply chain will be able to demonstrate that their products work as  claimed, allowing the commercial and technical teams responsible to undertake robust appraisal and selection (apples with apples, etc.)
• Everyone in the supply chain will be able to support their assumptions on device and application requirements
• The commercial and technical teams responsible will be able to ensure that safety system solutions can be properly tested
• The commercial and technical teams responsible will be able to document device selection carefully in accordance with Industry good practice
• The commercial team will be able to leverage and optimise the requirements for related systems, i.e. fit for purpose solutions at realistic capital cost and avoidance of overburden in operational cost once installed

The takeaway question 

So, when was the last time your commercial / purchasing department attended an appropriate IEC safety standards briefing / training session on what to look out for, the potential pitfalls in supplier engagement and what would constitute industry good practice for the commercial / purchasing requirements for such safety related devices?

Contact me at oilandgas@gb.abb.com if you want to talk further about this subject.