This is a question I have often been asked in the past. Most people I have spoken with don’t have a good appreciation of what this means and its purpose. From the IEC61511 perspective, designers of Safety Instrumented Systems (SIS) are required to justify the selection and use of the equipment to be used in the SIS and Safety Instrumented Functions (SIFs). The IEC61511 standard provides two (and only two) means of justifying the use of equipment: IEC61508 Certified devices for the required SIL or Prior Use Justification.

So, what’s the reason for the two methods?

The reason is to ensure that the equipment has sufficient defense against systematic failures being introduced during the design and manufacturing process.  The use of certified devices that have been certified by an accredited and competent third party to IEC61508 provides a guarantee that the systematic capabilities of the manufacturer, its design, manufacturing and test processes, have been properly assessed to ensure that sufficient steps have been taken to prevent systematic errors being introduced to the product.  The product will then be given a Systematic SIL capability rating.

If devices are selected that have not been certified, then we need to prove that the contribution to the dangerous failure rate due to systematic causes is sufficiently low for the SIL being claimed for the device. This is the purpose of Prior Use Justification.


The fact that the user may have been using this equipment before isn’t sufficient justification.

In order to meet the Prior Use Justification criteria, the end user (or manufacturer) must be able to prove that the device has been used in a similar application and environment, in either a safety or non-safety related application, for a sufficient time period without any dangerous failures. This requires that the end user (or manufacturer) has an accurate, properly maintained field failure data gathering system in place, of sufficient quality to ensure data accuracy. IEC61508 identifies two such standards for gathering quality field failure data: IEC60300-8 and ISO14224. This alone can be a challenge for most end users, since how data is gathered and classified isn’t consistent.

Furthermore, it is not just the application and environment that have to be sufficiently similar; the versions of the device(s) for which Prior Use is being claimed must also be the same. This includes both the hardware and (if applicable) the software versions. Here again, one of the challenges is that by the time sufficient data has been gathered, the original device may have changed and/or been replaced by a newer version. It must also be remembered that not only does the systematic capability have to be addressed, but the defense against random failures also has to be ascertained to prove that it meets the required SIL. Therefore, a Failure Modes Effects and Diagnostic Analysis (FMEDA) or Failure Modes Effects Analysis (FMEA) or design analysis/testing will need to be undertaken to satisfy the random failure hardware requirements for the SIL being claimed. Without this it will not be possible to meet the Prior Use criteria, and if end users don’t justify the equipment selection and an accident occurs which can be traced back to the selection of the SIF equipment, then there will be ramifications for the end user.

If this blog has raised certain questions, concerns and/or interest, then please look out for the upcoming webinar on this topic.



Other Blog Posts By Steve Gandy