Recently I was asked by a client to comment on the value of a certification of an instrument against the IEC 61508 standard from a company that he was not familiar with. It turns out that I was not familiar with them either, and as such, I was required to perform some research into the company to determine who they are and the quality of their certifications. My research indicated that the company is a relatively large certification body that performs certifications against a very, very large number of standards for a wide variety of products. Even so, my client was concerned due to his lack of familiarity, and asked for some guidelines or insight into whether or not he should be willing to accept this company's certificate.
Unfortunately, assessing the value of a certification from a third-party organization is difficult, as there are no certifications of the certification agencies themselves, or as the Roman poet Juvenal was quoted as saying, “Quis custodiet ipsos custodes?”, or “Who will guard the guards?”. In some countries, for some regulated applications, the government regulator itself will specifically approve certain agencies to perform certifications of the regulated equipment. For instance, in the United States, OSHA regulations for fire detection equipment require that all fire detection equipment be approved by a Nationally Recognized Testing Laboratory (NRTL), and OSHA subsequently lists the NRTLs (e.g., UL and FM). For functional safety per IEC 61508, no such regulations or designated NRTLs exist. As a result, the end user of the equipment is required to make their own assessment of the worthiness of the certification body. Additionally, equipment vendors must then consider how the certification body that they select will be viewed by their prospective customers – a certification by an unrespected agency is equivalent to no certification at all.
When determining the qualification of an agency, I would suggest looking at the history of the specific agency with respect to the specific standard against which you desire certification – in this case, IEC 61508. For equipment certifications against this standard, TUV Rheinland and TUV Product Services (remember, TUV is not a single organization, and different TUV companies have different skills and experience) have the largest number of certifications under their belt. Additionally, FM has a few, and Exida is starting to gain credibility with a significant number of certificates in a relatively short time frame. For these companies, end users might consider that their certificates are acceptable simply because they are acceptable to a large number of peer companies. Even in this case, it is important to remember the scope of what is being certified and against what standard. For instance, having a long, successful history of certifications of micro-electronics against IEC 61508 does not qualify an organization to provide certification of process applications against IEC 61511, which requires an entirely different skill set.
When evaluating the qualifications of a new certification agency, I would want to see not only the certificate, but also the certification report along with the safety case, and a CV of the specific assessor who performed the study. Of course, the equipment vendor might consider this information proprietary and confidential – at which point you can “vote with your feet” by choosing another equipment vendor. The safety case is a document that essentially makes an argument, or case, for the safety of the product or system in question. A safety case should contain a list of all of the requirements (i.e., the normative clauses of the standard that is being certified against), along with compliance arguments. For each requirement, evidence should be provided of how the product/manufacturer met the requirement for the product in question. If you can obtain the safety case, review the evidence statements that are made for a sufficient sampling of the requirements to ensure that the assessor is going into sufficient depth in the review, and that you agree that the evidence listed provides sufficient proof that the requirement was met.
The CV of the assessor should also be reviewed to ensure that the assessor has sufficient education, experience, and qualifications to perform the assessment. The assessor should be a degreed engineer in the field required for the equipment under consideration. For instance, IEC 61508 certification of a logic solver should almost certainly be performed by an electronics engineer, whereas certification of a HIPPS system per IEC 61511 might be better performed by an instrumentation engineer or chemical engineer. Also, experience actually implementing and designing the systems under review is important. A career assessor who has never designed the component or system that they are reviewing may not have sufficient background to identify design flaws that, while marginally in conformance with the “standard”, are considered bad design practice.
If the safety case and assessor CV are acceptable, you can certainly accept the certificate that was generated. After enough experience with a particular assessment company is accumulated, the exercise of assessing the assessor (by CV and safety case review) can be curtailed.