31/10/2016
1
© Engineering Safety Consultants Limited Page 1
Process Sector Functional Safety - IEC 61511
Changes in 2nd Edition
Ron Bell
Engineering Safety Consultants Ltd
www.esc.uk.net
Changes to IEC 61511: Edition 2
Please Note: The presentation covers some of the key changes that have been made in Edition 2 of IEC 61511-1 and takes into account the recent Corrigendum that was issued to correct some of the errors in the published version of Edition 2.
The presentation is not intended to deal with all the changes that have been made, but those that are covered are indicative of some of the key changes.
Where a slide quotes text to indicate an overall theme in respect of specific changes, not every paragraph shown has necessarily changed; this would have been explained during the actual presentation.
Changes to IEC 61511: Edition 2
1. Background & relationship to IEC 61508
2. Key changes to IEC 61511 Edition 2 (focussed on IEC 61511-1 containing the normative requirements)
3. Current position of the Second Edition
4. Current position of IEC 61508
IEC 61508 and Functional Safety
IEC 61508
Title: Functional safety of electrical, electronic & programmable electronic safety-related systems…
An eight-Part international standard covering all safety lifecycle activities: concept, specification, design, implementation, operation, maintenance & modification.
IEC 61508 and Functional Safety
Part 0: Functional safety and IEC 61508 (IEC TR 61508-0)
Part 1: General requirements
Part 2: Requirements for electrical, electronic, programmable electronic systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of Parts 2 & 3
Part 7: Overview of techniques and measures
Parts 1, 2 & 3 contain normative & informative requirements
Parts 0, 5, 6 & 7 contain only informative requirements
A “shall” is a normative requirement
A “should” is an informative requirement
Notes are informative
Standalone & sector/product standards
[Figure: IEC 61508 as a standalone standard, with elements of IEC 61508 used in sector implementations]
Standalone: IEC 61508
Elements of IEC 61508 used in sector implementations:
• IEC 62061: Machinery
• IEC 61511: Process
• IEC 61513: Nuclear**
Sector & product implementations:
• IEC 61800-5-2: Power drives
• EN 50128 / EN 50129**: Railway applications
Standalone & sector/product standards
Market benefits of generic elements
[Figure: IEC 61508 feeding sector & product standards]
• Elements of IEC 61508 are used in sector & product standards
• Large market for generic elements conforming to IEC 61508
• Compliance requirements to …
• IEC 61508 is a basic safety publication
IEC 61508 and IEC 61511
IEC 61511: process sector safety instrumented systems standard
• Manufacturers and suppliers of devices: IEC 61508
• Safety instrumented systems designers, integrators and end users: IEC 61511
IEC 61511: Process sector safety instrumented systems standard
[Figure: which standard applies to each hardware and software activity]
Hardware
• Using prior use hardware devices: PU, follow IEC 61511
• Integrating hardware devices complying with IEC 61508: follow IEC 61511
• Developing new hardware devices: follow IEC 61508
Software
• Developing embedded (system) software: follow IEC 61508
• Developing application software in a Full Variability Language: follow IEC 61508
• Developing application software in a Limited Variability Language or Fixed Program Language: follow IEC 61511
Comment: Confusing figure: Prior Use is focussed on achievement of Systematic Capability
Design requirements to achieve a specified SIL (IEC 61508)
[Figure: to meet the specified SIL for the SIF]
Hardware safety integrity:
• Quantify random hardware failures to meet the target failure measure for the specified SIL
&
• Comply with the requirements for architectural constraints for the specified SIL
&
Systematic safety integrity:
• Comply with the requirements for Proven in Use (PIU) for the specified SIL
or
• Comply with the requirements for systematic safety integrity for the specified SIL
Design requirements to achieve a specified SIL (IEC 61511)
[Figure: to meet the specified SIL for the SIF]
Hardware safety integrity:
• Quantify random hardware failures
&
• Comply with the HFT requirements (IEC 61511)
or
• Comply with the HFT requirements (IEC 61508)
&
Systematic safety integrity:
• Comply with the requirements based on Prior Use (IEC 61511)
or
• Comply with the requirements for systematic safety integrity (IEC 61508)
&
• Comply with application program requirements for LVL & FPL (IEC 61511)
Use of IEC 61511 requires an understanding of both IEC 61508 and IEC 61511
The Parts of IEC 61511: Edition 2
• Title: Functional safety - Safety instrumented systems for the process industry sector
• Part 1: Framework, definitions, system, hardware and application programming requirements
• Part 2: Guidelines for the application of IEC 61511-1
• Part 3: Guidance for the determination of the required safety integrity levels
Changes to IEC 61511: Edition 2
• Process sector implementation of IEC 61508
• 1st edition published 2003
• Part 1 contains normative and informative clauses; Parts 2 & 3 contain only informative clauses.
• This presentation is based on published versions of IEC 61511:
Part 1 + Corrigendum;
Part 2;
Part 3.
• BSI have not yet published these standards
• Part 1 is subject to an Amendment…IEC publication December 2017!
The Parts of IEC 61511: Edition 2
IEC 61511 Edition 1
• Part 1 - 84 pages
• Part 2 - 71 pages
• Part 3 - 53 pages
IEC 61511 Edition 2
• Part 1 - 80 pages
• Part 2 - 203 pages
• Part 3 - 102 pages
Clause 1: Scope
• “Pharmaceuticals, food and beverage” added
• “Oil refining & oil and gas production” changed to: “Oil and gas” … upstream activities e.g. drilling are not excluded!
• Relationship with IEC 61508 clarified:
– Application programming
– IEC 61508 for developing new hardware or system software
Clause 2: Normative References
“The following documents, in whole or in part, are referenced in this document and are indispensable for its application”
… does not necessarily mean full compliance is necessary.
• IEC 61508-1 added (was not in Edition 1!)
• IEC 61508-1, -2, -3:2010
• IEC 60654 – Process measurement & control equipment – removed
• IEC 61326 – Measurement, control & laboratory equipment - EMC requirements – removed
• IEC 61784-3:2010 – Functional safety fieldbuses – added
Clause 3: Terms & Definitions
• Aligned with other IEC definitive references (IEV, ISO/IEC Guide 51)
• Terms common with IEC 61508 are aligned as far as possible – some editorial differences but no difference in technical meaning
• Several new definitions to clarify application of the standard but no fundamental changes
Clause 4: Conformance to IEC 61511-1:2016
• No change
Clause 5: Management of functional safety
Competence management procedure
• 5.2.2.2 Persons, departments or organizations involved in SIS safety life-cycle activities shall be competent to carry out the activities for which they are accountable.
• The following items shall be addressed and documented when considering the competence of persons, departments, organizations or other units involved in SIS safety life-cycle activities:
a) engineering knowledge, training and experience appropriate to the process application;
b) engineering knowledge, training and experience appropriate to the applicable technology used (e.g., electrical, electronic or programmable electronic);
…
Clause 5: Management of functional safety
5.2.2.3
A procedure shall be in place to manage competence of all those involved in the SIS life cycle. Periodic assessments shall be carried out to document the competence of individuals against the activities they are performing and on change of an individual within a role.
SIS safety lifecycle: IEC 61511
[Figure: SIS safety lifecycle with Functional Safety Assessment Stages 1 to 5]
Lifecycle phases shown: Hazard & risk analysis; Allocation of safety functions to protection layers; Safety requirements specification for the SIS; Design & engineering of the SIS (in parallel with design & engineering of other risk reduction measures); Installation, commissioning & validation; Operation & maintenance; Modification; Decommissioning.
Clause 5: Management of functional safety
Functional safety assessment (FSA)
Membership of the FSA team shall include at least one senior competent person not involved in the project design team (Stages 1, 2 and 3) or not involved in the operation and maintenance of the SIS (for Stages 4 and 5).
Shall be carried out prior to hazards being present;
An FSA shall be carried out periodically during the Operations and Maintenance phase of the Safety Lifecycle.
SIS safety lifecycle: IEC 61511
[Figure: SIS safety lifecycle with Functional Safety Assessment Stages 1 to 5, repeated with annotations: the Stage 3 FSA is required to be undertaken prior to the hazards being present; the Stage 4 FSA is required to be undertaken periodically during operation]
Clause 5: Management of functional safety
• Competence management procedure
• Functional safety assessment (FSA)
– Prior to hazards being present, periodic FSAs during the Operations and Maintenance phase of the Safety Lifecycle, and before any modification(s)
• Functional safety audit
– Independent person
• Configuration management
– Software, hardware and procedures used to develop and execute the application program are subject to configuration management & revision control
Clause 6: Safety life-cycle requirements
• Any change pertaining to an earlier life-cycle phase requires re-verification of the earlier phase(s)
• Application program life-cycle included
Clause 7: Verification
• Verification planning shall … address the following:
– Adequacy of life-cycle phase outputs
– Correctness of data
– Testing strategy, methods, procedures
– Verification of non-interference of non-safety functions integrated with safety functions
– Re-verification of any modification(s)
Clause 8: Process Hazard & Risk Assessment
• Security risk assessment added
– Threats & consequences (including likelihood)
– Measures taken to reduce or remove threats
– Reference to ISA TR84.00.09, ISO/IEC 27001:2001, IEC 62443:2010
Clause 9: Allocation of Safety Functions to Protection Layers
A risk reduction >10,000 for any SIS, or multiple SIS in conjunction with a BPCS protection layer, … requires a reconsideration of the application to determine if the risk reduction requirement of >10,000 can be avoided.
The review shall consider whether:
• The process can be modified to remove or reduce hazards at source;
• Additional safety-related systems … not based on instrumentation can be introduced;
• The severity of the consequence can be reduced (e.g. reducing the amount of hazardous material);
• The likelihood of the specified consequence can be reduced (e.g. reducing the likelihood of the initiating source of the hazardous event).
Clause 9: Allocation of Safety Functions to Protection Layers
If after further consideration a risk reduction requirement >10 000 is still required, then consideration should be given to achieving the safety integrity requirement using a number of protection layers (e.g., SIS or BPCS) with lower risk reduction requirements.
If the risk reduction is allocated to multiple protection layers, then such protection layers shall be independent from each other, or the lack of independence shall be assessed and shown to be sufficiently low compared to the risk reduction requirements.
Clause 9: Allocation of Safety Functions to Protection Layers
If a risk reduction requirement >10 000 … is to be implemented, whether allocated to a single SIS, multiple SIS, or SIS in conjunction with a BPCS protection layer, then a further risk assessment shall be carried out using a quantitative methodology to confirm that the safety integrity requirements are achieved.
The methodology shall take into consideration dependency and common cause failures between the SIS and:
• any other protection layer whose failure would place a demand on it;
• any other SIS reducing the likelihood of the hazardous event;
• any other risk reduction means that reduce the likelihood of the hazardous event (e.g., safety alarms).
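A worked check of the Clause 9 allocation points quoted above, as an added example that is not part of the presentation or of IEC 61511 itself. It evaluates an allocation of a total risk reduction target across protection layers: it flags any single layer asked to deliver more than 10 000, flags that a target above 10 000 needs the further quantitative assessment, and reports how much of the combined failure probability comes from dependency between the layers. The beta-factor treatment of that dependency (the `beta` parameter and the formula in the docstring) is a simplifying assumption made for this example, not a formula from the standard; the layer names and numbers are constructed.

```python
"""Added example: checking an allocation of risk reduction to protection
layers against the IEC 61511-1 Clause 9 points quoted on the slides.
The beta-factor treatment of dependency between layers is an assumption
of this example, not a formula taken from the standard."""
from dataclasses import dataclass

# From the slide text: a requirement above this value triggers reconsideration
# of the application and, if retained, a quantitative assessment.
RRF_RECONSIDER_THRESHOLD = 10_000


@dataclass
class Layer:
    """One protection layer (SIS, BPCS layer, or a non-instrumented measure)."""
    name: str
    rrf: float  # risk reduction factor claimed for this layer on its own

    def pfd(self) -> float:
        """Average probability of failure on demand = 1 / RRF."""
        return 1.0 / self.rrf


def allocation_report(target_rrf: float, layers: list, beta: float = 0.0) -> dict:
    """Evaluate an allocation of a total risk reduction target across layers.

    beta is an assumed common-cause fraction between the layers (0 means the
    layers are treated as fully independent). Assumed model:
        PFD_total = prod((1 - beta) * PFD_i) + beta * max(PFD_i)
    i.e. the dependent part of the weakest layer's failures defeats all
    layers at once. 'common_cause_fraction' is the share of PFD_total that
    comes from that dependent term, which is what Clause 9 asks to be shown
    'sufficiently low' when layers are not independent.
    """
    if not layers:
        raise ValueError("at least one protection layer is required")
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")

    independent_term = 1.0
    for layer in layers:
        independent_term *= (1.0 - beta) * layer.pfd()
    # Common cause only matters when credit is taken for more than one layer.
    cc_term = beta * max(layer.pfd() for layer in layers) if len(layers) > 1 else 0.0
    pfd_total = independent_term + cc_term
    achieved_rrf = 1.0 / pfd_total

    return {
        "achieved_rrf": achieved_rrf,
        "meets_target": achieved_rrf >= target_rrf,
        # Any single layer asked to deliver > 10 000 must be reconsidered
        # (process change, non-instrumented measures, reduced consequence ...).
        "layers_needing_reconsideration": [
            layer.name for layer in layers if layer.rrf > RRF_RECONSIDER_THRESHOLD
        ],
        # A > 10 000 requirement, however allocated, needs a further
        # quantitative assessment covering dependency and common cause.
        "quantitative_assessment_required": target_rrf > RRF_RECONSIDER_THRESHOLD,
        "common_cause_fraction": cc_term / pfd_total,
    }


if __name__ == "__main__":
    # Constructed sample allocation: a target of 15 000 split between a SIF
    # and a BPCS trip layer (names and figures are made up for this example).
    layers = [Layer("SIF-101 (SIS)", 2000), Layer("BPCS high-level trip", 10)]
    for beta in (0.0, 0.02):
        report = allocation_report(15_000, layers, beta=beta)
        print(f"beta={beta}: RRF={report['achieved_rrf']:.0f}, "
              f"meets={report['meets_target']}, "
              f"common-cause share={report['common_cause_fraction']:.1%}")
```

With the layers treated as independent the two claims multiply to a risk reduction of 20 000; with even a 2 % dependency the dependent term dominates the combined failure probability and the allocation no longer meets the target, which is the point of the clause's requirement to assess and justify any lack of independence.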
Clause 10: SIS Safety Requirements Specification
• Proof test implementation
• Written procedures for bypasses
• Application program safety requirements
Clause 11: SIS design & engineering
• Design to provide resilience against security risks
• Safety manual to be provided
• All communications to use techniques appropriate for safety applications
• System behaviour on fault detection
– Simplified – compensating measures
• Hardware fault tolerance
– Follows IEC 61508 route 2H (see detail)
• Quantification of failure to include proof test coverage and reliability of utilities
IEC 61511: HFT requirements, Edition 1
[Figure: comply with the HFT requirements (IEC 61511) for PE logic solvers, and for sensors & final elements and non-PE logic solvers]
For PE logic solvers the HFT requirements are virtually the same as for IEC 61508.
IEC 61511-1 Table 6:
SIL   Minimum HFT
1     0
2     1
3     2
4     Special requirements apply (see IEC 61508)
The HFT requirements specified in Table 6 may be reduced further.
Requirements for further reducing the HFT (IEC 61511 Edition 1)
The HFT requirements specified in Table 6 may be reduced by one providing that the dominant failure mode is to the safe state or dangerous failures are detected, otherwise the fault tolerance shall be increased by one:
• The hardware devices are selected on the basis of prior use;
• The device allows adjustment of process parameters only;
• The adjustment of process-related parameters of the device is protected;
• The function has a SIL requirement of less than 4.
Clause 11.4: Minimum Hardware Fault Tolerance
Edition 1: IEC 61511 - Minimum Hardware Fault Tolerance (PE logic solvers)
SIL   SFF < 60%        60% ≤ SFF ≤ 90%   SFF > 90%
1     1                0                 0
2     2                1                 0
3     3                2                 1
4     See IEC 61508    See IEC 61508     See IEC 61508
Clause 11.4: Minimum Hardware Fault Tolerance
Edition 1: IEC 61511 - Minimum Hardware Fault Tolerance (final elements & non-PE logic solvers)
SIL   Note 1           Note 2            Note 3
1     0                0                 1
2     0                1                 2
3     1                2                 3
4     See IEC 61508    See IEC 61508     See IEC 61508
Note 1: Meets prior use requirements & only process-related parameters can be adjusted & adjustments protected & SIF < SIL 4
Note 2: Dominant failure mode to safe state and dangerous failures detected
Note 3: Dominant failure mode not to safe state or dangerous failures not detected
Clause 11.4: Minimum Hardware Fault Tolerance
• If the SIS does not comprise FVL or LVL programmable devices, and the HFT specified in the Table would result in additional failures and lead to decreased process safety, then the HFT may be reduced.
• If an HFT equal to 0 results from applying this reduction, this shall be justified by providing evidence that the related dangerous failure modes can be excluded in accordance with clause 11.4.4, including consideration of the potential for systematic failures.
• Clause 11.4.4 allows certain faults to be excluded when determining the achieved HFT, provided that the likelihood of them occurring is very low in relation to the safety integrity requirements. Any such fault exclusions have to be justified and documented.
• [This reduction to an HFT of zero is shown on the next slide]
Clause 11.4: Minimum Hardware Fault Tolerance
[Figure: reduction to an HFT of zero (figure not reproduced in this text)]
Clause 11.9: Quantification of random failure
• More detailed and extensive, and requiring more rigour, than IEC 61511 Edition 1
Example:
• 11.9.2 The calculated failure measure of each SIF due to random failures shall take into account all contributing factors including the following:
…
(h) the coverage of any periodic proof tests, the associated proof test procedure and the reliability of the proof test facilities and procedure;
• 11.9.4 The reliability data used when quantifying the effect of random failures shall be credible, traceable, documented, justified and shall be based on field feedback from similar devices used in a similar operating environment.
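How proof test coverage (item h of 11.9.2 above) changes the calculated failure measure, as an added example that is not from the presentation. It uses a commonly quoted single-channel (1oo1) approximation in which failures the proof test cannot reveal accumulate until a mission time at which the device is overhauled; that formula, the `test_procedure_reliability` factor (this example's own crude stand-in for the reliability of the proof test procedure), and all numeric inputs are assumptions or constructed values. The low-demand SIL bands are the IEC 61508/IEC 61511 PFDavg ranges, included here because the slides do not list them.

```python
"""Added example: how imperfect proof test coverage enters the failure
measure required by IEC 61511-1 Clause 11.9. The 1oo1 PFDavg formula is a
common simplification used as an assumption here, not reproduced from the
standard."""

# Low-demand SIL bands as (SIL, lower PFDavg bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd_avg: float):
    """Return the SIL band a PFDavg falls in, or None if outside SIL 1 to 4."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def pfd_avg_1oo1(lambda_du: float, proof_test_interval: float, mission_time: float,
                 proof_test_coverage: float = 1.0,
                 test_procedure_reliability: float = 1.0) -> float:
    """Average PFD of a single (1oo1) channel with imperfect proof testing.

    lambda_du: dangerous undetected failure rate (per hour)
    proof_test_interval: hours between proof tests (TI)
    mission_time: hours until the device is overhauled or replaced (MT), the
        only point at which failures the proof test cannot reveal are removed
    proof_test_coverage: fraction of dangerous undetected failures that the
        proof test is capable of revealing (PTC)
    test_procedure_reliability: assumed probability that the proof test is
        actually carried out correctly (this example's stand-in for the
        'reliability of the proof test facilities and procedure')

    Assumed formula (valid when lambda_du * mission_time << 1):
        PFDavg = PTC_eff * lambda_du * TI / 2 + (1 - PTC_eff) * lambda_du * MT / 2
    The first term is the part found and fixed every TI; the second is the
    part that accumulates until the mission time ends.
    """
    for name, value in (("proof_test_coverage", proof_test_coverage),
                        ("test_procedure_reliability", test_procedure_reliability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1")
    if proof_test_interval > mission_time:
        raise ValueError("proof test interval cannot exceed mission time")
    ptc_eff = proof_test_coverage * test_procedure_reliability
    return (ptc_eff * lambda_du * proof_test_interval / 2.0
            + (1.0 - ptc_eff) * lambda_du * mission_time / 2.0)


if __name__ == "__main__":
    # Constructed figures: lambda_DU = 1e-6 /h, annual proof test, 15-year mission.
    lam, ti, mt = 1e-6, 8760.0, 15 * 8760.0
    for ptc in (1.0, 0.9, 0.7):
        pfd = pfd_avg_1oo1(lam, ti, mt, proof_test_coverage=ptc)
        print(f"PTC={ptc:.0%}: PFDavg={pfd:.2e} -> SIL {sil_for_pfd(pfd)}")
```

With the constructed figures a perfect annual proof test gives a PFDavg inside the SIL 2 band, while a test that reveals only 90 % of dangerous undetected failures more than doubles the PFDavg and drops the same hardware into the SIL 1 band; assuming perfect coverage, as an Edition 1 style calculation might, would therefore overstate the achieved integrity.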
Clause 11: SIS design & engineering
• Prior Use: no major changes … now indicates it relates to systematic failures
[Figure: IEC 61511 as the process sector safety instrumented systems standard, repeated from the Background section. Hardware: using prior use hardware devices (PU) and integrating hardware devices complying with IEC 61508 follow IEC 61511; developing new hardware devices follows IEC 61508. Software: developing embedded (system) software and application software in a Full Variability Language follow IEC 61508; application software in a Limited Variability Language or Fixed Program Language follows IEC 61511]
Comment: Confusing figure: Prior Use is focussed on achievement of Systematic Capability
Clause 12: SIS application program development
• Streamlined and made more relevant for application program (FPL and LVL) rather than embedded software (FVL)
FPL: Fixed Program Language;
LVL: Limited Variability Language;
FVL: Full Variability Language.
Clause 13: Factory acceptance test (FAT)
• Changed from informative to normative (when FAT is specified)
Clauses 14 & 15: SIS installation, commissioning & validation
• No significant changes
Clause 16: SIS operation & maintenance
• Management procedures to review deferrals and prevent significant delay to proof testing
Clause 17: SIS modification
• Not to begin until a Functional Safety Assessment is completed
• Modification log
Clauses 18 & 19: Decommissioning, Information & Documentation
• No significant changes
Current position: IEC 61508 Edition 2
Two Maintenance Teams:
• MT 61508-1/2 dealing with all aspects of the standard apart from the software
• MT 61508-3 focusing solely on software
Currently MT 61508-3 are preparing a Technical Specification for the software requirements relating to the Proven in Use concept in IEC 61508.
It is intended that this Technical Specification will be incorporated into IEC 61508 Edition 3 as a normative requirement. It will have implications in the longer term for such concepts as Prior Use in IEC 61511.
Current position: Edition 2
Both Working Groups are in the process of starting the revision of IEC 61508 Edition 2.
The process will begin with a request for comments from National Committees within the IEC worldwide. This will decide whether to move forward with the revision.
A small working group has been set up to carry out a pilot project with the objective of ensuring that IEC Working Groups developing standards on functional safety comply with the requirements of IEC 61508 (since its status is a Basic Safety Standard).