Page 13 - Enclosure Fall-Winter 2023-24
continued from previous page

EDD INTERNAL INSPECTION

Destructive inspection is utilized when the item's shell is sealed or taped over in a way that cannot be opened without breaking it. It involves opening the device to evaluate or perform destructive testing, so the item cannot be re-used afterward. If the item is re-sealable, it may be acceptable to re-use it; however, opening most electrical items for internal inspection invalidates their UL listing.

Figure 2 below shows the difference between the original time delay relay card, which used an IC (left), and its replacement card, which uses a mezzanine circuit board with a CPLD (right).

Figure 2, Original (left) versus Replacement part (right)

Figure 3 (left) shows a firmware version number, which is a strong indicator of digital content. Peeling back the sticker reveals even more information, such as the manufacturer and part number, which indicate it has a microcomputer.

Figure 3, The sticker showing the firmware version number

SAFETY INTEGRITY LEVEL CERTIFICATION, AN ALTERNATIVE TO DEPENDABILITY

The traditional approach to taking credit for a commercial grade service is to perform a commercial grade dedication (CGD). The typical acceptance method used to perform this type of CGD is a commercial grade survey (CGS). This document evaluates the accreditation process as a replacement for the traditional approach.

SIL methodology applies only to (1) commercial digital equipment that is IEC 61508 SIL certified, (2) IEC 61508 certifications that have been issued by a functional safety certifying body (CB) that has been accredited to ISO 17065 by an accreditation body (AB) that is a signatory of the International Accreditation Forum (IAF) Multi-Lateral Agreement (MLA), and (3) the dependability critical characteristics (CC), and not to the physical or performance CCs of the commercial grade dedication process as defined by EPRI Technical Report (TR) 106439 and EPRI 3002002982.

SIL certifications appear to be an accurate indicator of hardware and software safety reliability for programmable electronic equipment at the platform/product level. The process relies on the fact that the technical and QA requirements involved in SIL certification are very similar to those for nuclear grade equipment. The Certification Bodies (CBs) have a standardized, rigorous, and reliable evaluation process. The Accreditation Bodies (ABs) hold CBs accountable and maintain an internationally consistent set of expectations to ensure accredited CBs can be trusted by end-users from any industry in any country.

EPRI research results indicate that there is no reason to believe that equipment certified to IEC 61508 SIL level 2 or 3 is not suited to perform safety-related functions merely because its OEM utilizes a QA program certified to ISO 9001 (or similar), rather than a nuclear industry specific QA program. SIL 1 ratings make up the majority of all safety systems. SIL 4 is practically never installed.

SIL is a rating on an overall safety function, not just a single component. A SIL is a measure of safety system performance, in terms of probability of failure on demand (PFD). For example, a SIL rating of 2 means that the sensor, logic controller, reacting device such as a valve or pump, all of the software and logic involved, all of the installation materials (wiring, cabling, etc.) involved, and all support services (such as compressed air or conditioned electricity with battery backup) altogether achieve a determined SIL 2 risk reduction factor of 1-in-1,000 years. The SIL 3 certification process is rigorous enough that many products ‘fail’ a certification audit, at least the first time around (i.e., they do not achieve SIL 3 certification without needing some sort of design change).
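To make the function-level point concrete, here is an added example (not from the article) that sums the per-subsystem average PFD across a constructed sensor/logic-solver/valve loop and maps the result to the IEC 61508 low-demand SIL band, showing that a SIL-certified logic solver alone does not give the whole function its SIL. The failure rates and proof-test intervals are constructed sample values, and the 1oo1 PFDavg relation is the simplified one from IEC 61508-6, which assumes independent subsystems and ignores common-cause failures.

```python
from dataclasses import dataclass

# IEC 61508-1 Table 2, low-demand mode: SIL -> [lower, upper) band of PFDavg
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Subsystem:
    name: str
    lambda_du: float     # dangerous undetected failure rate, per hour
    proof_test_h: float  # proof-test interval T1, in hours

    def pfd_avg(self) -> float:
        # Simplified 1oo1 relation from IEC 61508-6: PFDavg ~= lambda_DU * T1 / 2
        return self.lambda_du * self.proof_test_h / 2


def loop_pfd(subsystems) -> float:
    # Sensor, logic solver and final element are in series: the safety function
    # fails if any of them fails, so for small PFDs the loop PFDavg is the sum.
    # (Assumes independent subsystems, i.e. ignores common-cause failures.)
    return sum(s.pfd_avg() for s in subsystems)


def sil_of(pfd: float) -> int:
    # Map a PFDavg to the SIL band it satisfies; 0 means "no SIL claim".
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # below the SIL 4 band: still meets the SIL 4 target


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


# Constructed sample values (not measured data), all proof-tested yearly (8760 h).
SAMPLE_LOOP = [
    Subsystem("pressure transmitter", 5e-7, 8760),
    Subsystem("SIL-certified logic solver", 1e-8, 8760),
    Subsystem("shutdown valve", 3e-6, 8760),
]
# Same loop with a better valve, to show which element limits the function.
IMPROVED_LOOP = SAMPLE_LOOP[:2] + [Subsystem("shutdown valve (better)", 1e-6, 8760)]

if __name__ == "__main__":
    for loop in (SAMPLE_LOOP, IMPROVED_LOOP):
        pfd = loop_pfd(loop)
        print(f"PFDavg={pfd:.2e}  SIL {sil_of(pfd)}  RRF={risk_reduction_factor(pfd):.0f}")
```

With the sample values the logic solver by itself sits in the SIL 4 band, yet the loop as a whole only reaches SIL 1 because the valve dominates the PFD; swapping in the better valve lifts the function to SIL 2.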
Fall/Winter 2023/24 www.gloveboxsociety.org 13