HERO ENGINEERING

AS/IEC 61508 Application to Guidelines in the Australian Mining Sector – Part 1 Fundamental Issues

For

Safe Work Australia – Public Discussion

Code of Practice

Underground Winding Systems

Technical Publication Number: HE-TP-2011-001-1

DISCLAIMER

This document has been prepared as part of the public discussion as invited by Safe Work Australia for the proposed “Code of Practice – Underground Winding Systems”.

Hero Engineering accepts no liability or responsibility whatsoever for it in respect of any use of or reliance upon this document by any third party.

Copying this document in part or in full without the permission of Hero Engineering is not permitted.

HE-TP-2011-001-1, Oct-2011

Contents

1 Introduction ...... 3
2 What is AS/IEC 61508 ...... 3
3 AS/IEC 61508 Fundamental Issues ...... 4
4 IEC 61508 Guidelines from other Sources ...... 5
5 Discussions of AS/IEC 61508 Issues ...... 6
5.1 61508 Infancy Issues ...... 6
5.2 AS/IEC 61508 Management Issues ...... 6
5.3 AS/IEC 61508 Security Issues ...... 7
5.4 AS/IEC 61508 Failure Concepts ...... 8
5.5 AS/IEC 61508 Common Misunderstandings ...... 8
5.6 AS/IEC 61508 Safety Related Data ...... 10

Tables

Table 1. IEC 61508 Related Standards ...... 4
Table 2. AS/IEC 61508 SIL Levels ...... 9
Table 3. AS/IEC 61508 Hardware Fault Tolerances ...... 9

Copyright © Hero Engineering 2011


1 Introduction

1.1 Hero Engineering and its personnel have been involved in control and safety system design, deployment and maintenance since before the company’s inception in 2006. This involvement has included projects outside of the mining sector, in both the manufacturing and oil and gas sectors. The involvement includes safety system design and implementation within the AS/IEC 61508 “Functional safety of electrical/electronic/programmable electronic safety-related systems” framework. AS/IEC 61508 is a standard in which several Hero Engineering staff have gained certification under the internationally recognised German TÜV Rheinland FSEng (Functional Safety Engineer) system.

1.2 Most recently this experience and skill set has been utilised in several underground mine shaft sinking projects. These projects have required compliance with the AS/IEC 61508 standards. Hero Engineering does not claim an extensive history with winding systems and as such has approached the subject from fundamental aspects. We have reviewed the history of winders, the existing legislation, the existing guidelines and the proposed guidelines.

1.3 Fundamental to this are a number of general issues with the basic use of these standards. This document is part 1 of 2 and is intended to highlight some of the ongoing issues with the standards. The second document is intended to be more specific to the current discussion of the proposed winder guidelines.

1.4 Although this document was prepared for discussion of the draft guidelines for underground winding systems, its use is not restricted to that discussion; it applies to the development of other guidelines, including sectors other than mining. In particular, the “lifecycle” management issues with AS/IEC 61508, if they are to be solved, must involve not only other engineering disciplines but also non-engineering services and personnel.

2 What is AS/IEC 61508

2.1 AS 61508 “Functional safety of electrical/electronic/programmable electronic safety-related systems” is a general standard developed by the International Electrotechnical Commission (IEC) as a means of standardising the classification, design and maintenance of, and the components used in, electrical/electronic/programmable electronic safety-related systems.

2.2 Unlike previous systems it included concepts such as:

• The way components and systems fail;

• That not all components of the same type have the same reliability;

• The management of safety systems; and

• That the safety required by different industries would need additional and specific standards.

2.3 This standard was intended as a general standard covering any general application. The intention was that for specific industries other standards based on IEC 61508 would be developed, which has happened for the process industry, machinery and other areas (see Table 1 below). The standard is sometimes referred to as an umbrella standard, with the other standards underneath the 61508 standard. As such, in this and other documents, when referring to AS/IEC 61508 the reader may take this as a reference to the other standards as well.

2.4 Table 1 is not all inclusive and only includes those current standards produced by the IEC. There are other functional safety standards not listed; readers are encouraged and advised to search for standards as may be applicable to their needs.

Table 1. IEC 61508 Related Standards

AS/IEC Number / Title / Industry or Application
61511 / Functional safety – Safety instrumented systems for the process industry sector (note: 3 parts) / Process industry
62061 / Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems / Machinery
61513 / Nuclear power plants – Instrumentation and control systems important to safety – General requirements for systems / Nuclear instrumentation
62304 / Medical device software – Software life cycle processes / Medical software
61800-5-2 / Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional (note: is part of a larger standard) / Variable speed drives

Note: AS/IEC 62061 has an equivalent ISO standard, ISO 13849 “Safety of machinery – Safety-related parts of control systems”.

3 AS/IEC 61508 Fundamental Issues

3.1 AS/IEC 61508 has a number of current issues that make general application of the standard problematic. This does not make the standard unusable, irrelevant or too difficult to apply.

3.2 The cornerstones of the “functional safety” issues are essentially time and education. AS/IEC 61508 is little more than a decade old. Compared to other engineering disciplines such as civil engineering and mining, which are thousands of years old, and compared to hazardous area engineering, which has foundations going back over a century in coal mining, functional safety is still in its infancy.

3.2.1 Significantly, apart from a few commercial training and certification courses, there are no equivalent education and certification courses for technicians as there are for hazardous areas and high voltages.

3.3 A secondary effect of this is that engineers outside of control and safety system engineering in general have little understanding of these standards. Tertiary to that, those outside engineering effectively have no knowledge at all of these standards. The consequence of this is that the non-engineering safety personnel who control the safety regimes on mine sites have no knowledge of whether the plant and machinery actually meet any safety standards. There exists a separation of safety control, which is not uncommon in many industries.

A key aspect for all industries will be for the safety engineering personnel to include other disciplines in the AS/IEC 61508 process. In particular this will apply to non-engineering personnel in the management of functional safety.

3.4 These issues will be discussed in more detail in later sections of this document.


4 IEC 61508 Guidelines from other Sources

Prior to discussing the AS/IEC 61508 issues, Hero Engineering will bring to note two Norwegian guidelines which have proven useful.

4.1 In other areas outside the mining sector where Hero Engineering operates, there are IEC 61508 guidelines with significant history that are further developed than those that exist for the mining sector. This is not a detraction from the mining industry or other sectors. As a simple consequence of the incidents other sectors have faced, those sectors or industries are simply further ahead in the development of guidelines. As such it is prudent to learn from and use the experience available.

4.2 The Piper Alpha accident in the North Sea resulted in many recommendations, amongst which the Norwegian authorities produced the OLF 070 “Application of IEC 61508 and 61511 in the Norwegian Petroleum Industry”.

4.3 Where this guideline fundamentally differs from other guidelines is in its approach and justification. OLF 070 does not simply list the fundamental safety functions as they occur in the petroleum industry and provide minimum SIL ratings for such functions.

4.4 It first explains the standards and the management and system validation requirements. Then it explains the system development requirements. The actual minimum function requirements are a subsection of this (section 7.6). Rather than provide an inflexible system, it then provides a mechanism (section 7.7) for the re-assessment of safety functions, such that where it can be engineered, functions do not need to meet the minimum requirements as described.

4.5 Hero Engineering has recently seen this exercised where an FPSO low pressure flare knock-out drum high fluid level safety function was, through assessment, re-evaluated from the OLF 070 Table 7.1 requirement of SIL 3 down to SIL 2. No safety was compromised, sound engineering principles were exercised and the guidelines were met. There was full disclosure in a report justifying the lower SIL requirement.

4.6 OLF 070 goes on to cover design, installation, mechanical completion, system validation and then operational management. This includes guidelines for the management of change (MOC).

4.7 Most importantly, OLF 070 dedicates a significant amount (two-thirds) of its length to justifying its requirements and providing practical guidance on each of the function types it deals with. This includes practical examples of the use of reliability data in determining the characteristics of a deployed system.

4.8 Further to OLF 070, the Norwegian SINTEF organisation produced a report on the post-deployment management of IEC 61508 systems. This report, “SINTEF A8788 Guidelines for follow-up of Safety Instrumented Systems (SIS) in the operating phase”, is to date one of the few guidelines of its type that addresses the ongoing management of functional safety, irrespective of industry type or nationality.

4.9 The value of this document cannot be overestimated by both engineers and non-engineers, as in particular it highlights the level of organised management required. The list of participants in the development of this guideline gives enormous credence to the guideline. This guideline includes advice on documentation control, procedural control and competence management. There are some significant technical aspects to this guideline, which non-engineering personnel will generally avoid, but the structures it advises are something they should be involved with.

5 Discussions of AS/IEC 61508 Issues

The following sections are primarily based on the experiences related to and experienced by the authors with respect to the issues they have faced with the application of functional safety standards, not only in mining but also in manufacturing and the petroleum industries.

5.1 61508 Infancy Issues

5.1.1 In engineering terms, functional safety as a specific engineering discipline may well be regarded as still in its infancy. Compared to other engineering disciplines it is very young. Civil engineering, with roadworks, plumbing, bridge building etc., has been practised for several thousand years. Metallurgy and alloying have been practised for centuries. Hazardous area techniques have been in practice for over a hundred years and standardised for many decades.

5.1.2 In terms of hazardous area component certification there is an international system, the IECEx system, which is established and accepted, as are the standards that system is based on. In Australia there is a nationally accredited system administered through the TAFE system for the education of both engineers and technicians.

5.1.3 In terms of some engineering disciplines there are legal requirements for the persons involved, such as structural engineering and electrical installation.

• Functional safety has no international system for component certification.

• Apart from short courses offered by various companies and organisations, there appears to be no basic education at the university degree level for engineers in functional safety.

• There are no equivalent training courses and qualifications for technicians for safety related installation, testing or maintenance as there are for hazardous areas and high voltage.

• There are no legal requirements yet for the qualifications of those who design or modify safety systems.

• Excepting specific applications, such as winders, there are few (and mostly vague) legal requirements for safety related systems on industrial plant and machinery.

• Accepting the efforts of some industries, there is a general lack of reliable safety related data.

The future success of functional safety as an engineering discipline will depend on numerous factors all happening in a cohesive planned structure that includes education, legislation and guidelines. For that to occur, government, industry management (non-engineering), the tertiary education system and engineers will have to work together.

5.2 AS/IEC 61508 Management Issues

5.2.1 AS/IEC 61508 as an engineering concept is holistic in nature; terms such as “lifecycle” and “periodic proof testing” and similar are often discussed. Less discussed are the management issues, and combined with the separation between engineering and non-engineering there is a significant support issue. If engineering personnel do not garner the support of non-engineering resources in assisting in the management of the safety systems they maintain, they can only expect to fail in that maintenance.

5.2.2 The non-engineering personnel generally include those with general “slip, trip and fall”, personal protective equipment (PPE) and safety induction interests. As these personnel often have a significant effect on any industrial site’s safety environment, systems and practice, having such people remain ignorant of engineering safety standards like AS/IEC 61508 can leave any mine site with serious unknown issues.

5.2.3 This in fact should not be the case; AS/IEC 61508 contains within its management structure some basic requirements where the inclusion of non-engineering safety personnel can play a significant and vital role.

5.2.4 Engineers by their nature and work regimes can be very organised in technical activities and extremely unorganised in non-technical activities. This cannot happen in the AS/IEC 61508 framework, where record keeping, document control, management of change and other aspects are vital to the maintenance of these safety systems.

5.2.5 Section 4 of A8788 details many of the activities that require organisation in the operation of AS/IEC 61508 systems. It is in the organisational support where non-engineering personnel are required. The technical aspects of these activities do not need to be understood, but getting these activities done on time, as per procedure and by people with the right training and competencies is vital, and engineers will benefit from the right support.

As such the future inclusion of non-engineering personnel into the AS/IEC 61508 management structure should not be seen by engineers as an intrusion into their operations. It should be seen as a vital, if not essential, support service. The task facing safety engineers is the education they must provide to other engineers and non-engineering personnel such that those services are provided successfully.

5.3 AS/IEC 61508 Security Issues

5.3.1 Along with (and possibly part of) the management support required is the future security issue for AS/IEC 61508. Not only are there backup and version control issues, there are the cyber issues. The Stuxnet virus (described as the world’s first cyber-weapon) proved beyond doubt that software based control systems can be attacked and safety breached. As safety systems move more towards programmable safety control, there is an ever increasing reliance on portable and fixed computers (engineering stations) to support those systems. Stuxnet attacked via the engineering support software located on standard personal computers as used by engineers.

5.3.2 Protecting the support and engineering systems for AS/IEC 61508 is a vital part of maintaining plant and machinery safety. Information technology (IT) in most industries is not seen by engineers as part of engineering; it is seen as something external to their operations. In AS/IEC 61508 the separation of safety control from basic control is often carried into the engineering support. In many cases the computers from which safety systems are supported are designed and planned to operate in isolation from other systems. There is no intent to have such computers linked in any way to local or plant-wide networks.

5.3.3 IT personnel have a tendency to treat all computers on any site in any industry as their territory and their responsibility. Safety engineers express this vulnerability with phrases such as “the greatest threat to safety is an IT person with a spare patch lead”. Amongst the safety engineering community there are often discussions about experiences of engineering stations and laptops being “updated” or linked into local networks without their knowledge.

This is an area of vulnerability where safety engineers will best be served by a management system based on inclusion (see 5.2 above).

5.4 AS/IEC 61508 Failure Concepts

5.4.1 This is a key area where safety engineers can often be at cross or opposite purposes with all other engineering and non-engineering disciplines.

A key concept in functional safety is that “given time, any and all components and systems shall fail”.

5.4.2 In general everyone else (management, engineering, maintenance) is concerned with making something work or keeping it working; an AS/IEC 61508 safety engineer is primarily concerned with when things don’t work. In general, with the exception of maintenance, when a plant or machine is commissioned an engineer’s job is over. An AS/IEC 61508 engineer’s job is over when the plant or machine is decommissioned. This is often referred to as the “61508 lifecycle”.

5.4.3 As such, an AS/IEC 61508 engineer is in general involved in the design of opposite or reverse logic systems. For example, a regular engineer would monitor the normally open contact on a motor contactor to see if the motor gets switched on, and consider it a failure if it doesn’t switch on. A safety engineer is concerned with the normally closed contact and considers it a failure if the motor does not switch off. A safety engineer is only concerned with bringing equipment to a safe state. Making equipment work is either another task, sometimes an interlinked task and sometimes irrelevant.

5.4.4 Added to this is that AS/IEC 61508 considers that any component or system can fail either dangerously or safely and that failures are either detectable or not. In AS/IEC 61508 this is expressed by the safety parameter Safe Failure Fraction (SFF), which is the percentage of the failures of a component or system that are either safe or detectable. There is also a second parameter called Diagnostic Coverage (DC), which is the percentage of dangerous failures that are detectable.

Engineering is about making plant and machinery work. Safety engineering is about making plant and machinery safe. These are not the same thing.

5.5 AS/IEC 61508 Common Misunderstandings

5.5.1 Prior to the acceptance of AS/IEC 61508 the dominant concepts in both machinery and process safety were based on physical architecture and usually in terms of redundancy. Parts of AS 4024 “Safety of Machinery” were and still are based on the European standard EN 954 “Safety-related parts of control systems”.

5.5.2 The EN 954 system categorised safety primarily on architecture: the lower categories are single channel, the upper categories are redundant. In the process industry safety systems became dominated by the TMR concept. TMR (triple modular redundancy) basically performed critical safety functions with three of everything: three sensors, three processors and three output devices. Some of the early programmable safety controllers for machinery also followed the TMR concept.

5.5.3 From this there has been a basic misunderstanding that in the AS/IEC 61508 framework:

• SIL 1 means 1 of;

• SIL 2 means 2 of; and

• SIL 3 means 3 of.

5.5.4 The acronym SIL stands for Safety Integrity Level; it is a measure of the probability that a safety function will do as expected. There are in actuality 4 SIL levels, defined in 2 sets for 2 types of demand (see Table 2 below). The standard defines safety integrity as the “probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time”. Demand in this context is a measure of how often the safety system or function is called upon.

Table 2. AS/IEC 61508 SIL Levels

SIL Level   Low Demand Mode: average probability of failure on demand (PFDavg)   High Demand Mode: probability of a dangerous failure per hour (PFH)
1           ≥ 10⁻² to < 10⁻¹                                                      ≥ 10⁻⁶ to < 10⁻⁵
2           ≥ 10⁻³ to < 10⁻²                                                      ≥ 10⁻⁷ to < 10⁻⁶
3           ≥ 10⁻⁴ to < 10⁻³                                                      ≥ 10⁻⁸ to < 10⁻⁷
4           ≥ 10⁻⁵ to < 10⁻⁴                                                      ≥ 10⁻⁹ to < 10⁻⁸

Note: Table 2 is taken from Tables 2 and 3 of AS 61508.1-1999 (IEC 61508.1-1998).

5.5.5 The SIL level required by a system is not equal to the number of independent or backup channels, nor a description of redundancy. In AS/IEC 61508 systems redundancy is referred to as Hardware Fault Tolerance (HFT) and ranges from 0 to 2. HFT is the number of faults the function or system can tolerate before the function may not be able to operate.

5.5.6 Table 3 below shows the HFT for Type A and Type B subsystems, which are distinguished by what can be determined about a subsystem’s failure modes and fault behaviour under fault conditions. Type A are well defined and Type B less defined. For winders an example of a Type A device would be the emergency stop button on the winder driver’s control console, when all parts of the button and contacts are suited to use in AS/IEC 61508 applications. Things like a Lilly controller would be Type B systems, for several reasons as described in the standard.

Table 3. AS/IEC 61508 Hardware Fault Tolerances

Safe Failure     Type A safety-related subsystems     Type B safety-related subsystems
Fraction         Hardware Fault Tolerance             Hardware Fault Tolerance
                 HFT 0    HFT 1    HFT 2              HFT 0         HFT 1    HFT 2
< 60%            SIL 1    SIL 2    SIL 3              Not allowed   SIL 1    SIL 2
60% to < 90%     SIL 2    SIL 3    SIL 4              SIL 1         SIL 2    SIL 3
90% to < 99%     SIL 3    SIL 4    SIL 4              SIL 2         SIL 3    SIL 4
≥ 99%            SIL 3    SIL 4    SIL 4              SIL 3         SIL 4    SIL 4

Note: Table 3 is taken from Tables 2 and 3 of AS 61508.2-2001 (IEC 61508.1-2000).

5.5.7 What Table 3 shows is that, unlike previous standards where the design architecture and redundancy requirements were set by the function classification alone, in AS/IEC 61508 these requirements are a combination of the function classification and the capabilities of the components used. This is because previous systems did not consider the reliability of components. A weakness of previous systems was that the quality and reliability of components was not considered. As such, systems with identical architecture would have the same ratings irrespective of whether the components used were of equal quality. Previous systems relied on fault detection and did not include allowances for differences in undetectable dangerous failures.

5.5.8 In particular the AS/IEC 61508 system considers how components behave when they fail. It accepts that not all failures are detectable and that there exist, for any system, failures that can be both dangerous and undetectable.

5.6 AS/IEC 61508 Safety Related Data

5.6.1 Of all the issues facing the application of AS/IEC 61508 systems, safety related data is not only the most significant, it is at times the most misunderstood and misused.

5.6.2 Prior to AS/IEC 61508, systems such as that described in EN 954 and used in AS 4024 were based on the weakest link principle. The rating of the weakest link was the rating of the system or function. It did not matter what the rating of the input device(s), logic solver or output device(s) were; whichever had the lowest category rating dictated the system rating.

5.6.3 This made rating such systems relatively easy but has caused issues in the application of AS/IEC 61508. For example, previously the combination of a category 2 input, a category 2 logic solver and a category 2 output made for a category 2 system. In AS/IEC 61508 systems the combination of a SIL 2 input, a SIL 2 logic solver and a SIL 2 output does not necessarily make a SIL 2 safety function or SIL 2 system.

This is because AS/IEC 61508 takes into account the functional behaviour of the components and system in combination. Hence the term functional safety.
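To make the failure concepts of 5.4.4 and the point of 5.6.3 concrete, the following is an added worked example (not from the Hero Engineering paper) that computes SFF and DC from failure rates, applies the Table 2 PFDavg bands and the Table 3 architectural constraint, and shows three individually SIL 2 elements combining into a SIL 1 function. The failure rates, element names and the simplified 1oo1/1oo2 PFDavg formulas (common-cause failure ignored) are assumptions for illustration only.

```python
from dataclasses import dataclass

# Table 3 of the text encoded as achievable SIL for [SFF band][HFT]; 0 means "not allowed".
# SFF bands: 0: <60%, 1: 60% to <90%, 2: 90% to <99%, 3: >=99%.
TABLE3_TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
TABLE3_TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]


@dataclass
class Subsystem:
    """One element of a safety function: sensor, logic solver or final element.
    Failure rates are per hour (constructed values): lambda_s safe, lambda_dd dangerous
    detected, lambda_du dangerous undetected. hft is the Hardware Fault Tolerance (0 to 2);
    type_a marks a well-defined (Type A) device, otherwise the element is Type B."""
    name: str
    lambda_s: float
    lambda_dd: float
    lambda_du: float
    hft: int
    type_a: bool

    def sff(self) -> float:
        """Safe Failure Fraction: fraction of all failures that are safe or detected (5.4.4)."""
        total = self.lambda_s + self.lambda_dd + self.lambda_du
        return (self.lambda_s + self.lambda_dd) / total

    def dc(self) -> float:
        """Diagnostic Coverage: fraction of dangerous failures that are detected (5.4.4)."""
        return self.lambda_dd / (self.lambda_dd + self.lambda_du)

    def pfd_avg(self, proof_test_interval_h: float) -> float:
        """Low-demand PFDavg. Only undetected dangerous failures accumulate between proof
        tests. Simplified formulas (assumption, common cause ignored):
        HFT 0 (1oo1): lambda_du*T/2;  HFT >= 1 (1oo2): (lambda_du*T)**2/3."""
        x = self.lambda_du * proof_test_interval_h
        return x / 2 if self.hft == 0 else x * x / 3

    def max_sil_architecture(self) -> int:
        """Architectural constraint from Table 3; 0 means the element is not allowed."""
        s = self.sff()
        band = 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3
        table = TABLE3_TYPE_A if self.type_a else TABLE3_TYPE_B
        return table[band][self.hft]


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band from Table 2; 0 means worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess_function(elements: list, proof_test_interval_h: float) -> dict:
    """SIL of a whole safety function (sensor + logic solver + final element in series).
    The function PFDavg is the sum of the element PFDavg values and the architectural
    limit is that of the weakest element; the lower of the two limits applies."""
    element_sils = [min(sil_from_pfd(e.pfd_avg(proof_test_interval_h)),
                        e.max_sil_architecture()) for e in elements]
    pfd_total = sum(e.pfd_avg(proof_test_interval_h) for e in elements)
    function_sil = min(sil_from_pfd(pfd_total),
                       min(e.max_sil_architecture() for e in elements))
    return {"pfd_avg": pfd_total, "element_sils": element_sils, "function_sil": function_sil}


# Constructed elements, each individually meeting SIL 2 on both PFDavg and Table 3.
SENSOR = Subsystem("level switch", 5e-6, 2e-6, 1.6e-6, hft=0, type_a=True)
LOGIC = Subsystem("safety PLC", 3e-6, 4e-6, 1.5e-6, hft=1, type_a=False)
FINAL = Subsystem("trip relay", 1e-5, 0.0, 1.2e-6, hft=0, type_a=True)
# A Type B element with weak diagnostics and SFF below 60%: not allowed at HFT 0 (Table 3).
UNDIAGNOSED_TYPE_B = Subsystem("undiagnosed controller", 1e-6, 0.5e-6, 2e-6, hft=0, type_a=False)

if __name__ == "__main__":
    T = 8760.0  # annual proof test, hours
    for e in (SENSOR, LOGIC, FINAL):
        print(f"{e.name}: SFF={e.sff():.1%} DC={e.dc():.1%} PFDavg={e.pfd_avg(T):.2e} "
              f"Table 3 max SIL {e.max_sil_architecture()}")
    print(assess_function([SENSOR, LOGIC, FINAL], T))  # three SIL 2 elements, SIL 1 function
    print("Undiagnosed Type B at HFT 0, Table 3 max SIL:", UNDIAGNOSED_TYPE_B.max_sil_architecture())
```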

5.6.4 A particular misconception is the certification of AS/IEC 61508 components. Aside from there being no single system, or a system such as the IECEx system that exists for hazardous area applications, there exist misconceptions over what is a certified safety product. In real terms there is in fact no such thing as a SIL rated device. There are devices rated for use in SIL rated applications. This is because, as mentioned previously, a SIL rating is a holistic rating of either a function or a system. This may appear as a slight play on terminology but is an important concept. AS/IEC 61508 is holistic in nature and this is carried through in the use of safety related data.

A device suitable for use in an AS/IEC 61508 system is one where the data for determining the SIL rating of the system or function is available.

Devices with certification are those which have been tested or assessed by a certification authority or organisation and the safety related data determined and described for use, which may include limits on use.

5.6.5 One serious issue with the use of basic data is its relevance to the actual field experience. As previously discussed, management is important and an aspect of this is the collection of data. The aforementioned A8788 guideline provides guidance on the re-evaluation of safety related data. The highly regarded text by David J Smith, “Functional Safety – A Straightforward Guide to applying IEC 61508 and related standards”, separates data into site specific, industry specific and generic data. In section 7.3 of this text the concept of confidence levels in these data types is discussed. In previous searches by Hero Engineering only one other such study into the relevance of safety related data was found, and that was only in reference to a study in the British nuclear industry; the actual report was unavailable.

5.6.6 What the Smith text highlights is actually part of the previously discussed management of functional safety. Functional safety management includes the collection and use of failure data.

Without the assistance of others, such as maintenance personnel, accurate data collection cannot happen successfully.

Without the assistance of other non-engineering management personnel the security and retention of the data cannot be guaranteed.

Without senior management realising the importance of safety related data collection and keeping, and of ongoing re-assessment processes, the safety of the personnel they are responsible for may not be what they expect or believe it to be.

5.6.7 A difficult aspect of applying standards such as AS/IEC 61508 to winders is that the variety of winders is immense. In recent projects Hero Engineering has dealt with winders ranging in power from 15 kW to over 2000 kW and design speeds from below 0.5 m/s to over 10 m/s. The configurations include synchronised winders, electro-mechanical clutched drive trains and electro-hydraulic transmissions.

5.6.8 When compared to other AS/IEC 61508 guidelines in other industries, what is missing is a fundamental system where given basic winder engineering parameters are used to classify the requirements. This is not unprecedented, as AS 4343 Pressure Equipment – Hazard Levels uses simple engineering values such as volume, pressure and fluid type to classify pressure vessels, vacuum vessels, boilers and pressure piping (see AS 4343 Table 1). The basic set of winder safety functions is well established; what is not as clear is what any given winder might or might not require.

6 Conclusions and Recommendations

6.1 Although complex and still in its infancy, AS/IEC 61508 and its related standards are the way forward not only for the Australian mining sector but for other sectors as well.

• The tested and certified components for use in safety systems worldwide are following this system. Any other system would or could lead to engineers being unable to use components with any degree of certainty.

• There exist well developed guidelines from other industries and nations that can provide the basis for all Australian industries developing similar and consistent guidelines.

6.2 There must be further development of education, not only for engineers practising standards such as AS/IEC 61508 but for other engineers whose work runs alongside these systems. One or more of the internationally recognised certification programs for engineers must become formally recognised in legislation to bring safety systems implementation in line with similar engineering practice such as exists for structural engineering.

6.3 There must be further education development and qualifications for non-engineering management support of engineers practising AS/IEC 61508 and related standards.

6.4 There must be training and qualifications developed for technical support staff to bring safety related systems into line with other practices such as hazardous areas and high voltages.
