Abstract

It is often the case that a supply contract or enquiry will stipulate as one of its conditions ‘… must comply with IEC61508/61511’. This is an understandable but flawed manoeuvre that potentially makes for significant contractual difficulties. The difficulty arises because the scope of these functional safety standards is very broad and encompasses the complete safety lifecycle associated with safety instrumented system (SIS) provisions, including (non-exhaustively) design, specification, procurement, installation, commissioning, and operation and maintenance of the system. If procuring an engineered system (rather than a stand-alone device), compliance will necessarily require collaboration between the customer and the supplier. Many aspects of compliance may be beyond the supplier’s control, and much will depend on how and where the system is deployed and used. Absolute compliance is a worthy aim, but extremely difficult to achieve in practice. To be compliant in every particular, including not just the hardware and software aspects but also all the project protocols such as planning, verification, validation, assessment, auditing, and so on, is a very tall order indeed (and gets taller with increasing Safety Integrity Level). Absolute compliance is approached with diminishing returns: ever greater effort is required for ever smaller incremental gains in compliance. There may well be a point beyond which improved compliance would incur grossly disproportionate cost and difficulty, and not just for the supplier, since project timescales might extend significantly and additional costs would propagate into other areas, leading to inflation of prices. Note that there is no legal requirement for compliance; the legal requirement (in the United Kingdom) is to reduce risk ‘so far as is reasonably practicable’.
That said, it should be recognised that the standards are held to constitute ‘good practice’ and the regulator will expect the procurement of SIS provisions to be suitably informed by the standards or otherwise to offer equivalent assurance of suitability. The real question is whether any deviations from compliance will materially affect safety and whether the overall provision is fit-for-purpose in its contribution towards reducing risk so far as is reasonably practicable.
Some may object that this introduces ‘greyness’ into what they would prefer to be ‘black-and-white’, but ‘greyness’ is in the nature of many engineering projects, particularly in matters of risk, and it is the role of the professional engineer to exercise responsible engineering judgement in these matters.
A key aspect of any SIS supply contract invoking the functional safety standards is the Safety Requirements Specification (this specification need not be a stand-alone document; the requirements may be distributed across a number of documents). Sometimes the requirements are not fully or explicitly identified, and a supplier may be obliged to infer some requirements or to assume a default consistent with its usual equipment and practices. Usually these matters are resolved straightforwardly and amicably as a project progresses, but the potential for contractual disputes is apparent.
A contract that deploys the catch-all stipulation ‘… must comply with IEC61508/61511’ could give rise to disputes where a customer insists on absolute compliance despite the unwarranted cost and difficulty that this may incur for a supplier whose offering is compliant in all essentials and who has made all reasonably practicable efforts to comply. This is not to suggest bloody-mindedness on the part of the customer; both parties could believe themselves to be acting in good faith. For example, the customer might mistakenly believe that absolute compliance is an essential legal requirement, or the supplier might not appreciate the potential significance of a deviation. Conversely, it must be acknowledged that situations could arise where a supplier seeks to avoid expense or difficulty even when they are reasonably justified, or where a customer seeks compliance beyond what is reasonably practicable in an attempt to reduce or eliminate perceived liability. In recognition of these potential difficulties, GAMBICA offers the following model provisions for suppliers of engineered SISs:
We undertake to comply with IEC61508/IEC61511 (as required), so far as is reasonably practicable, given:
The safety requirements specified.
Any agreement between us regarding deviations from compliance for reasons of practicability and the avoidance of grossly disproportionate cost.
The timely availability of any necessary information from you.
The accuracy of data provided by you.
Any stipulations or conditions you may impose that might militate against full compliance.
The acceptance, for any outsourced elements integrated into our offering, of suitable documented statements of compliance, where we, with due diligence, believe these to be made in good faith by competent and reputable suppliers.
The acceptance of suitable ‘proven-in-use’ (IEC61508) or ‘prior-use’ (IEC61511) arguments in demonstration of compliance for any elements that are not specifically designed and developed to be compliant with the standards.
These provisions are couched in terms of the undertaking by the supplier, but might equally be adapted as part of the stipulations by the customer. It is hoped that these terms will facilitate an appropriately collaborative venture in the procurement of SISs. Note that these model provisions are not offered as being definitive or complete; suppliers or customers should satisfy themselves of their appropriateness to any individual contract.
Acknowledgements
This article was commissioned by the Process Instrumentation and Control Council of GAMBICA, the trade association for instrumentation, control, automation and laboratory technology in the United Kingdom. It has membership of over 200 companies, including the major multinationals in the sector as well as smaller and medium sized companies.
