Exida - Overview of IEC 61511 PDF

e ida.
com
excellence in dependable-automation
Overview of IEC 61511
Functional Safety: Safety Instrumented

Systems for the Process Industry Sector
Copyright © 2000, exida.com

All Rights Reserved
Version 1.0
e ida.com Course Logistics
• Course materials & location

– Handouts and course binder
– Exercises, additional resources, instructional surveys, and
progress reviews
– Tent Card, reference & training products / courses survey of
M&C
• Course attendance & participation
– Certificate of course completion
– Continuing education units (CEU)
• Breaks
– Lunch
– Stretch, refreshment, etc.
• Personal belongings
2 Copyright © 2000, exida.com

e ida.com exida Resources
• Books
• Application Software
• Web-based online software
• Online discussion and knowledge base
• Online SIS engineering data
• Member newsletter
Phone (215) 896-7170 Internet Address: info@exida.com
www.exida.com
e ida.com
Course Development Team
• Developers: Edward M. Marszal, PE

Dr. William Goble
Rainer Faller
• Reviewers: Rachel Amkreutz
Harry Cheddie

e ida.com
Introduction of Course Participants
• Instructor
– Name
– Background/experience
• Classmates
– Name, company, position
– Background/experience
– What would you like to get from this course?

e ida.com
General Course Objectives
• Understand the applicability, content, and

benefits of using the IEC 61511 Standard
• Understand the Safety Lifecycle
• Understand the purpose and outputs of
hazard and risk assessments
• Understand how risk is allocated to layers of
protection and SIL are selected
• Understand safety requirements specification
e ida.com
General Course Objectives (cont’d)
• Develop an understanding of the tasks

performed during the SIS design phase
• Understand FAT, Installation and
Commissioning
• Understand the impacts of modification and
decommissioning
• Develop a knowledge of functional safety
management

ee ida .com
ida.com
excellence in
dependable automation
Pre-Exercise
• Please complete the Pre-Exercise

• Answer questions to the best of your ability
• The results will help the instructor emphasize
class content needed by class members

e ida.com
Performance Objectives Day 1
• Explain the applicability of IEC 61511

• Define and enumerate tasks associated with
each phase of the safety lifecycle
• Understand hazards and risk analysis
• Understand risk and how it is allocated to
layers of protection, including SIL selection
• Identify information required for safety
requirements specification
e ida.com
Section 1:
Introduction
• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues

e ida.com
What is IEC 61511?
• Process Sector Specific Implementation of

IEC61508
• Sets minimum standards and performance
levels for instrumentation used for safety
• Creates a rational and consistent approach to
SIS engineering, called the “safety life cycle”
The standard is intended to lead to a high level of
consistency within the process industries, which
will have both safety and economic benefits.

e ida.com
What does the standard contain?
• Defines the relationship between IEC61508

and IEC61511
• Requires allocation of safety requirements to
safety instrumented functions
• Relates safety functions to other functions
• Requires identification of safety requirements
• Specifies requirements for system
architecture, hardware configuration,
application software, and system integration
e ida.com

(continued)
• Specifies requirements for functional safety, but does
not specify the responsibility for implementation
• Uses a safety life cycle, and defines and defines a list
of activities required for functional safety
• Requires hazard and risk assessment to identify
safety requirements
• Establishes numerical targets for safety instrumented
system performance

e ida.com

(continued)
• Specifies techniques/measures for achieving
performance targets (Safety Integrity Levels)
• Provides a framework for establishing safety
integrity levels
• Defines information needed during the safety
life cycle

e ida.com
Technical Requirements
Development of the Allocation and safety Design of Safety

overall safety requirements and safety Instrumented Systems
requirements (concept, requirements specification Clause 11
scope, definition, hazard Clause 9 and 10
and risk analysis) Design of SIS Software
Clause 8 Clause 12
Factory Acceptance Test, Operation, maintenance,

Installation, modification, retrofit, All technical
Commissioning, and decommissioning, and requirements are listed in
Safety Validation disposal
Clause 13 and 14 Clause 15, and 16
Part 1 of the Standard!

e ida.com
Support Parts
• References - Clause 2 (Part 1)

• Definitions and Abbreviations – Clause 3(Part 1)
• Conformance - Clause 4 (Part 1)
• Management of Functional Safety – Clause 5 (Part 1)
• Information Requirements – Clause 17 (Part 1)
• Differences – Annex “A” (Part 1)
• Guidelines for the Application of Part 1 – Part 2
• Risk Based Approaches to the Development of
Safety Integrity Requirements – Part 3

e ida.com
When do I apply IEC61511?
• When integrating instrumentation into a

safety function in the process industries
– Process industries include chemicals, oil refining,
oil and gas production, pulp and paper, non-
nuclear power generation, etc.
• When plant personnel, the public, or the
environment are protected from a process
plant incident by instrumented functions
• Techniques are applicable to asset
protection, but not required
e ida.com
When must IEC 61508 be used

instead of IEC 61511?
• When manufacturers wish to claim the
devices are suitable for safety applications
• When “high variability” languages are used in
a programmable system

e ida.com
How is it related to IEC 61508?
Process Sector Safety

System Standard
Process Sector Process Sector
Hardware Software
Develop Use Proven Use Develop Develop Develop

New in Use Hardware Embedded Application Application
Hardware Hardware Developed (System) Software Software
Devices Devices and Software Using Full Using
Validated Variability Limited
According to Languages Variability
Follow Follow IEC 61508 Follow Languages or
IEC 61508 IEC 61511 IEC 61508 Fixed
Follow Programs
Follow IEC 61508 Follow
IEC 61511 IEC 61511

e ida.com
IEC 61511 vs. ISA S84

Which one should I follow?
• IEC61508 is a broad standard covering
nuclear applications to toasters
• S84 is ANSI endorsed, covering the United
States and Canada
• IEC61508 stipulates S84 is sector standard in
US
• IEC 61511 is expected to be ISO endorsed
globally, ANSI will drop S84 endorsement
• USE 61511!
e ida.com
IEC 61511 vs. ANSI/ISA S84.01

Both are effectively the same
• Each of the steps required by S84 is also
required by IEC61511
• They are represented somewhat differently
– 61511 does not show conceptual process design
– S84 does not show Design and Development of
Other Means of Risk Reduction
– Multiple tasks in S84 lifecycle are combined in a
single task in 61511 lifecycle

e ida.com
Benefits of Compliance
• Good engineering practice – compilation of

best practices of industry by consensus
• Quality procedures specified by standards
have proven to increase productivity,
decrease cost of engineering, operation, and
maintenance, and increase process up-time
• Safety life cycle procedures will decrease risk
• Compliance with legislation and regulation

e ida.com
Key issues
• Safety Lifecycle
• Hazard and Risk Analysis
• Quantitative Verification
• Management System
• Certification

e ida.com
Summary:
Introduction
• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues

e ida.com
Section 2:
The Safety Life Cycle
• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases

ee ida .com
ida.com
excellence in
Safety Lifecycle Objectives
• To structure, in a systematic manner, the

different phases in order to achieve the
required functional safety of E/E/PES
• To document key information relevant to
Functional Safety
• To provide a framework for safer, more
reliable systems
• To reduce system implementation cost

e ida.com
IEC 61511 Safety Life Cycle

Risk Analysis and Protection Layer Design
Management of Safety Sub-clause 8 Verification
Functional Lifecycle
Safety and Structure
Allocation of Safety Functions to Safety Instrumented
Functional and
Systems or Other Means of Risk Reduction
Safety Planning
Sub-clause 9
Assessment
Safety Requirements Specification for

the Safety Instrumented System ANALYSIS
Sub-clause 10
Design and Development of Design and Development of Other

Safety Instrumented System Means of Risk Reduction
Sub-clause 11 Sub-clause 9
Installation, Commissioning, and Validation

Sub-clause 14
REALIZATION
Sub-
Operation and Maintenance
Sub-clause 15
OPERATION Sub-
clause
clause
Clause 5 Decommissioning 7, 12.7
6.2 Modification
Sub-clause 15.4 Sub-clause 16

e ida.com
Safety Life Cycle – ISA 84.01
Start SIS Installation,

Commissioning Not Covered
Define Target and Pre-startup by S84.01
SIL Acceptance Test
Conceptual
Process Design Establish
Develop Safety
Pre-startup Operating and
Specification
Hazard Analysis/ Safety Review Maintenance
Risk Assessment (Assessment) Procedures
SIS Conceptual
Design SIS startup,
Develop non- Covered by
operation,
SIS Layers S84.01
SIS Detailed maintenance,
Design Periodic
Functional Tests
SIS Decommission
No
Required?
Yes Modify, SIS
Decommission? Decommissioning
28 Modify Copyright © 2000, exida.com

e ida.com
Hazard / Risk Analysis
• Objective
– Identify process hazards, estimate their
Risk analysis
risks and decide if that risk is tolerable
and
protection • Tasks
layer design
– Hazard Identification (eg, HAZOP)
Subclause 8 – Analysis of Likelihood and
Consequence
– Consideration of non-SIS Layers of
Protection

e ida.com
SIL Selection
• Objective
– Specify the required risk reduction, or
Allocation of difference between existing and tolerable
Safety Functions risk levels – in terms of SIL
to Safety • Tasks
Instrumented
– Compare process risk against tolerable
Systems or Other
risk
Means of Risk
Reduction – Use decision guidelines to select required
risk reduction
Subclause 9 – Document selection process

e ida.com
Safety Requirements
Specification
• Objective
– Specify all requirements of SIS
Safety
needed for detailed engineering and
Requirements
Specification for process safety information purposes
the Safety • Tasks
Instrumented
System – Identify and describe safety functions
– Document SIL
Subclause 10
– Document action taken – Logic,
Cause and Effect Diagram, etc.

e ida.com
Conceptual /
Detailed Design
• Objective
– Select and configure equipment
Design and used in the SIS (including
Engineering of programming)
Safety
Instrumented • Tasks
System – Specify system technology and
architecture
Subclauses 11,
– Specify field instrumentation
12
– Configuration / Programming
– Select vendors, review bids
e ida.com
Installation and
Commissioning
• Objective
– Install equipment, after acceptance
Installation,
testing, and prepare for operation
Commissioning
• Tasks
Subclauses 13
and 14 – Factory Acceptance Testing Field
and control room equipment
installation
– Confirm equipment operation
– Instrumentation Calibration

e ida.com
Safety Review
Validation
• Objectives
– Verify that the SIS is designed,
Validation installed, and operating according the
the Safety Requirements
Subclauses 13 • Tasks
– Verify operation of field instruments
– Validate logic and operation
– Verify SIL of installed equipment
– Produce OSHA and EPA required
documentation – Certifications if req.
e ida.com
Operation and
Maintenance
• Objective
– Operate and maintain the SIS so that
Operation and the specified SIL is maintained
Maintenance • Tasks
Subclause 15 – Establish procedures for operating
and maintaining the SIS
– Perform periodic function test on an
interval that allows the specified SIL
to be achieved with the installed
equipment

e ida.com
Modification and
Decommissioning
• Objective
– Ensure changes to the system are
Modification and safe and appropriately reviewed
Decommissioning
• Tasks
Subclauses 15.4 – Establish procedures for change
and 16
management
– Review safety functions prior to
taking an SIS out of service

e ida.com
Application Exercise 1
• Safety Life Cycle

– List safety lifecycle tasks and responsibilities for
completion in your organization

e ida.com
Summary:
The Safety Life Cycle
• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases

e ida.com
Section 3:
Hazard and Risk Analysis
• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis

e ida.com
Overview
• Objective
– Identify hazardous events, quantify their risk, and
identify required safety instrumented function
• Inputs
– Process design, equipment layout, staffing
arrangement
• Outputs
– A description of required safety instrumented
functions
e ida.com
Objectives and Requirements
• Determine and document the hazards and hazardous

events of the process and associated equipment
• Determine the sequence of events leading to the
hazardous event
• Determine the process risks associated with the
hazardous event - describing the consequence and
likelihood and additional risk reduction required
• Determine the safety functions required to achieve
the necessary risk reduction and how the
requirements are allocated
• Determine if any of the safety functions are safety
instrumented functions
e ida.com
How do you know when to apply a

SIF?
• Process Experience
– Most process units are not new
– Designers learn from past incidents and near-
misses and incorporate prevention systems
• Process Hazards Analysis (PHA)
– Organized and systematic study for identification
and analysis of the significance of potential
hazards
– Proactive team effort identifies what could go
wrong

e ida.com
How can I identify the SIF that should

be used on my process?
• Review the design documentation
– Process Hazards Analysis Report
– Process Licensor P&IDs
– Detailed Design Contractor P&IDs

e ida.com
Identifying SIF from PHA Reports

What does a PHA contain?
• There are a variety of PHA methods
– Hazard and Operability Studies (HAZOP)
– Checklist
– What-if? PHA will use various techniques to
identify hazards
• Discussions of hazards include
consequences and safeguards (both SIS and
non-SIS)
• Additional safeguards may be recommended
e ida.com
Summary:
Hazard and Risk Analysis
• Identifying Safety Instrumented Functions
• Process Hazards Analysis

e ida.com
Section 4:
Requirement Allocation/SIL Selection
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection

e ida.com
Overview
• Objective
– Allocation of safety functions to protective layers
and for each SIF, the associated Safety Integrity
Level SIL
• Inputs
– A description of the SIF and hazards requiring risk
reduction
• Outputs
– Description of allocation of safety requirements,
including SIL
e ida.com
Risk Terms
Risk and Hazard
• The objective of SIS is to reduce the risk of
the hazards in a process to a tolerable level
– Risk – Combination of the probability of
occurrence of harm and the severity of that harm
– Harm – Physical injury or damage to the health of
people either directly, or indirectly as a result of
damage to property of the environment
– Hazard – Potential source of harm

e ida.com
Risk Terms
Tolerable Risk
• The risk reduction the SIF must provide is the
difference or process risk and tolerable risk
– Process Risk – Risk arising from the process
conditions caused by abnormal events
– Tolerable Risk – Risk which is accepted given a
context based on the current values of society
– Necessary Risk Reduction – The risk reduction
required to ensure that the risk is reduced to a
tolerable level

e ida.com
Risk Reduction - ALARP
High Risk
Intolerable Region
ALARP or Tolerable
Region
Broadly Acceptable
Region
Negligible
50 Risk Copyright © 2000, exida.com
ee ida .com
ida.com
excellence in
Risk Reduction - putting it in context
• Examples of fatality risk figures

– Road accident 100cpm 1.0x10-4/yr
– Car accident 150cpm 1.5x10-4/yr
– Accident at work 10cpm 1.0x10-5/yr
– Falling Aircraft 0.02cpm 2.0x10-8/yr
– Lightning strike 0.1cpm 1.0x10-7/yr
– Insect/Snake bite 0.1cpm 1.0x10-7/yr
– Smoking (20 per day) 5000cpm 5.0x10-3/yr
– cpm = chances per million of the population per year

e ida.com
Risk Reduction – ALARP

Quantitative Risk Guidance
High Risk
Intolerable Region
10-3/yr (workers) 10-4/yr (public)
Numerical Targets for

tolerable risk are from
HSE Tolerability of
ALARP or Tolerable
Risk Guidance Region
10-5/yr (workers) 10-6/yr (public)
Broadly Acceptable
Negligible Risk Region
e ida.com
Effect of SIS
Risk after Inherent

non-SIS Risk of the
L Mitigation Process
(I.e., No
Increasing Risk
i Mitigation)
k
e Non-SIS
Non-SIS
SIL 1 Consequence
likelihood
l reduction, e.g.,
reduction,
e.g. relief
containment
i SIL 2 dikes
valves
h
SIL 3 SIS Risk
o Reduction Unacceptable
Risk Region
o
d Final Risk
after
ALARP
Acceptable Risk Risk Region
Region Mitigation
Consequence
e ida.com
How do I analyze likelihood?
• Consequence analysis can be performed in a

number of ways
– Qualitative Estimation - Expert Judgement
– Quantitative - Statistical Analysis
– Quantitative – Fault Propagation Modeling
• Result is frequency of unwanted event

e ida.com
Fault Propagation Modeling
• Used when statistical analysis alone is

inadequate
• Analyze chain-of-events that leads to an
accident
• Use failure data of individual components not
entire system
• Combine failures using probability logic

ee ida .com
ida.com Layer of Protection
excellence in
Analysis
M
Plant and
I Emergency Emergency response layer
T Response
I
G Passive protection layer
Dike
A
T
I Relief valve,
O Active protection layer
Rupture disk
N P
R Safety Emergency Shut Down
E Instrumented Safety layer
V System
E Trip level alarm
N Process shutdown
T Operator Process control layer
Intervention
I
O Process alarm
N Basic
Process Process Process control layer
Control value Normal behaviour
System
e ida.com
How do I analyze consequences?
• Consequence analysis can be performed in a

number of ways
– Qualitative Estimation - Expert Judgement
– Semi-Quantitative - Risk Indices
– Quantitative - Statistical Analysis
– Quantitative - Hazardous Potential Release
Modeling

e ida.com
Consequence Analysis Results
Typical Consequence Analysis • Size of impact zone and

Results for a toxic chemical release
occupancy of that zone
112 meters are combined for
87 meters
probable loss
• Result depends on
consequence of
concern, typically
Injury Zone 23 meters probable loss of life and
Fatality Zone
9 meters probable injury
Probable Loss of Life: 0.27
Probable Injuries: 2.56
e ida.com
Assigning SIL - Qualitative
Risk Matrix Risk Graph

W3 W2 W1
CA X1
a --- ---
2 3* 3* FA
PA X2
CB 1 a ---
PB X3
FB 2 1 a
1 2 3* CC
FA
FB
PA P
B X4
3 2 1
PA P
B X5
FA
CD PA 4 3 2
NR 1 3* FB
PB
X6
b 4 3
--- = No safety requirements
A = No special safety requirements
B = A single E/E/PS is not sufficient
1,2,3,4 = Safety Integrity Level

e ida.com
Assigning SIL - Quantitative
• Risk is frequency times consequence

• Tolerable risk for an event can be expressed
as frequency by considering consequence
• Necessary risk reduction can be calculated
and expressed as frequency of failure of the
SIS
• Allowable failure of frequency is converted to
SIS using the tables in the standard

e ida.com
Safety Integrity Levels
Safety Integrity Probability of failure Risk Reduction

Level on demand per year Factor
(Demand mode of operation)
SIL 4 >=10-5 to <10-4 100000 to 10000
SIL 3 >=10-4 to <10-3 10000 to 1000
SIL 2 >=10-3 to <10-2 1000 to 100
SIL 1 >=10-2 to <10-1 100 to 10

e ida.com
Summary:
Requirement Allocation/SIL Selection
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection

e ida.com
Section 5:
Safety Requirements Specification
• Safety Instrumented Functions
• Logic Description Techniques

e ida.com
Overview
• Objective
– Specify requirements of each SIF of a SIS,
including functional and safety integrity
requirements
• Inputs
– Description of allocation of safety requirements
• Outputs
– SIS safety requirements; software safety
requirements
e ida.com
Objectives
• Define the requirements of the SIS

– Requirements spelled out for EACH SIF
– Includes Functional Requirements, “What does
the system do”
– Includes Performance Requirements, “How well
does the system perform these functions” – in this
case Safety Integrity Level (SIL)

e ida.com
Requirements
• The SRS shall contain:

– A description of all the safety instrumented
functions necessary to achieve the required
functional safety
– Requirements sufficient to design the SIS
– A definition of any individually safe process states
which, when occurring concurrently, create a
separate hazard (e.g., overload of emergency
storage, relief, flare systems)

e ida.com
Requirements
• The SRS shall contain

– The assumed sources of demand and demand
rate on the safety instrumented function
– Requirement for proof test intervals
– Response time requirements for the SIS to bring
the process to a safe state
– The safety integrity level for each safety
instrumented function
– A description of SIS process measurements and
their trip points

e ida.com
Requirements

– A description of SIS process output actions
– A functional relationship between process inputs
and outputs, including logic, mathematical
functions, and any required permissives
– Requirements for manual shutdown
– Requirements for resetting the SIS after a
shutdown
– Maximum allowable spurious trip rate

e ida.com
Requirements

– Failure modes and desired response of the SIS
(for example, alarms, automatic shutdown, etc.)
– Any specific requirements related to the
procedures for starting up and restarting the SIS
– All interfaces between the SIS and any other
system
– A description of the modes of operation of the
plant and identification of safety instrumented
functions required to operate within each mode
e ida.com
Requirements
• The SRS shall include

– The application software requirements
– Requirements for overrides / inhibits / bypasses
– The specification of any action necessary to
achieve or maintain a safe state in the event of
fault(s) being detected in the SIS
– The minimum and worst-case repair time for the
SIS
– Dangerous combinations of output states of SIS
must be addressed

ee ida .com
ida.com
excellence in
Safety Instrumented Function

Loop 1
Sensors
Final elements
Logic
Solver
Loop 2
Loop 4
Loop 3
Logic
Solver
Loop 5
Loop
71 6 Copyright © 2000, exida.com
e ida.com Methods for Logic
Specification
Binary Logic Diagram
PSL
101
HY
Cause and Effect Diagram
LSL
OR 415
105
Effects
PSV 1201
PSV 1234
XV 1217
XJ 1217
Plain Text
Causes
Low Pressure or Low Level shall
indicated by deenergization of the PSLL-0203 X X
inputs from LSL -105 and PSL -105, BSL-0252 X X
shall deenergize output HY-415
causing the shutoff valve to close. XL-0288 X X
e ida.com
• Safety Requirements Specification

– Review a sample safety requirements
specification to determine if it is complete

e ida.com
Summary:
Safety Requirements Specification
• Safety Instrumented Functions
• Logic Description Techniques

e ida.com
Daily Progress Review
• Were today’s objectives clearly covered?

• Did today’s presentation / activities meet your
goals?
• Was the level and pace of instruction right for
you?

e ida.com
Performance Objectives Day 2
• Identify the tasks performed during SIS

design and engineering
• Understand factory acceptance testing,
installation and commissioning
• Understand modification and
decommissioning
• Understand the management tasks and
requirements for functional safety

e ida.com
Section 6:
SIS Design and Engineering
• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure

e ida.com
Design
• Choose Technology - Relays, PLC, Safety

PLC
• Choose Sensors - Switch, Analog
Transmitter, Safety Rated Transmitter
• Select level of system integration,
communications needs
• Design the startup and shutdown logic
• Design logic to implement safety
requirements
e ida.com
Failure Modes
• With a safety system, the failure mode

counts! Two failure modes
• are significant:
Safe failures Dangerous failures
t initiating t inhibiting
t spurious t potentially
t costly downtime
dangerous
t must find by testing

e ida.com
Technology
Relay Systems
• Relays/Modules
Relays/Modules perform
perform logic
logic
Hardwired Logic • Reprogrammed
Reprogrammed byby rewiring
rewiring
Inherently Fail-Safe Logic
Advantages
Advantages Considerations
Considerations
• Fail-safe
Fail-safe for
for special
special relays
relays • Nuisance
Nuisance trips
trips
and
and inherent
inherent fail-safe
fail-safe logic
logic • No
No diagnostics
diagnostics on on relays
relays
• Low
Low initial
initial cost
cost • Complexity
Complexity ofof large
large systems
systems
• Reprogramming
Reprogramming
• Documentation
Documentation
• High
High cost
cost of
of ownership
ownership

e ida.com
Technology
Programmable Electronic Systems
• Microcomputers perform the logic
• I/O modules sense inputs and generate outputs
Advantages: Considerations:
1. Diagnostics 1. Fail danger failure modes
2. Flexibility, Modular 2. Software unpredictability
3. Cabinet space savings 3. Communications security
4. Calculation capability 4. Cost
5. Communications
6. Documentation
e ida.com
General Requirements
• Design in accordance with SRS

• Common components designed to highest
SIL of all SIF
• Separate BPCS and SIS
• Requirements for maintenance and testing
should be considered
• Manual means of activating final elements
should be provided
e ida.com
Fault Tolerance Requirements
• Fault Tolerance – ability of a functional unit to

continue to perform a required function in the
presence of faults and errors
Simple Devices Complex Devices
Integrity Level Min. Fault Toler. Typical Arch. Min. Fault Toler. Typical Arch.
SIL 1 0 Single, 1oo1 0 Single, 1oo1
SIL 2 0 Single,1oo1 1 1oo2, 2oo3
SIL 3 1 1oo2, 2oo3 2 1oo3
SIL 4 2 1oo3 **Special Requirements Apply **

e ida.com
Selection of Components and Sub-

systems
• Designed in accordance with IEC61508-2
and –3
– TÜV approval
• “Proven in Use”
– Consideration of mfr. Quality management
– Consideration of performance of device in similar
“operating profile”
Sufficient operational time is required to establish a claimed
failure rate to a single sided confidence limit of at least 70%

e ida.com
Field Devices
• If energize to trip is used a method must be

applied to ensure circuit integrity
• Each device shall have its own dedicated
wiring, except:
– Multiple switches in series indicating same
condition
– Multiple final elements on single output
– Digital bus system meeting performance
requirements of SIF
• Smart sensors are remote write protected
e ida.com
Interfaces
• Operator Interface
– SIS protective action has occurred
– Protective functions have been bypassed
– Status of sensors and final elements including
failures and diagnostics
• Maintenance/Engineering Interface
– SIS operating information including diagnostics,
voting and fault handling - troubleshooting
– Add, delete, modify application software
e ida.com
SIF Probability of Failure
• Check Reliability / Safety Metrics for each

Safety Instrumented Function
• Verify that PFDavg meets target SIL range
• If necessary: change technology, equipment,
or architecture.
• Document all results

e ida.com
Factors affecting SIF Failure

Probability
• SIF Architecture
• Failure rates of subsystems
• Susceptibility to common cause failure
• Diagnostic coverage of testing
• Proof test intervals
• Repair times (Diagnosis + Repair)
• Climatic and mechanical conditions

e ida.com
Probability of Failure
Modeling Methods
Markov
Analysis
λD
Fault Tree U
Analysis
Block Diagram

e ida.com
• SIS Design and Engineering Principles

– Demonstrate some principles of SIS Design
Engineering

e ida.com
Summary:
SIS Design and Engineering
• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure

e ida.com
Section 7:
FAT, Installation and Commissioning
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)

e ida.com
Overview
• Objectives
– Integrate and test the SIS.
– Validate the SIS meets requirements of the SRS
• Inputs
– SIS Design, SIS Test Plan, SIS safety
requirements, Validation Plan
• Outputs
– Fully functioning SIS in conformance with SRS
– Validation of SIS
e ida.com
Factory Acceptance Testing
• If required, specified in SRS

• FAT proceeds according to written plan
• FAT should be documented
– If failure occurs, reason for failure and corrective
action and re-test should be documented
The objective of a Factory Acceptance Test (FAT) is to test the

logic solver and associated software together to ensure it satisfies
the requirements defined in the Safety Requirements Specification.
By testing the logic solver and associated software prior to
installing in a plant, errors can be readily identified and corrected
e ida.com
Commissioning Activities
• SIS components installed per design

• Grounding has been properly connected
• Energy sources connected and operational
• No physical damage present
• All instruments calibrated
• All devices operational
• Logic solver input/output operational
• Interfaces operational
e ida.com
Validation
Pre-Startup Safety Acceptance Test
• The Validation or PSAT will consist of the following
activities
– The SIS performs under all normal and abnormal modes as
identified in the SRS
– Confirmation that adverse interaction of the BPCS and other
systems do not affect the proper operation of the SIS
– The proper shutdown sequence is achieved
– The SIS properly communicates
– Sensors, logic solvers, and actuators perform according to
the SRS
– Confirmation of proper SIS operation on Bad PV
– Proper shutdown sequence is activated

e ida.com
Validation
• The Validation or PSAT will consist of the
following activities
– The SIS performs under all normal and abnormal
modes as identified in the SRS
– The SIS provides the proper annunciation and
display
– Computation of the SIS are correct
– SIS reset functions operate as defined in SRS

e ida.com
Validation
• The Validation or PSAT will consist of the
following activities
– Bypass functions operate properly
– Manual shutdown operates properly
– Proof test intervals are documented in
maintenance procedures
– Diagnostic alarm functions perform as required
– Confirmation SIS performs as required on loss of
power and returns to proper state upon re-
application of power

e ida.com
Validation Documentation
• Version of the SIS validation planning

• Tools and equipment used, including calibration data
• Test results
• Version of test specification
• Criteria for test acceptance
• Version of SIS
• Discrepancies between expected and actual results
• Decisions taken when discrepancies occur

e ida.com
Pre-startup Tasks
• Prior to placing the SIS into service, the

following tasks should be performed
– All bypass functions shall be returned to their
normal position
– All process isolation valves shall be set according
to the process start-up requirements
– All test materials shall be removed
– All forces shall be removed

e ida.com
Summary:
FAT, Installation, and Commissioning
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)

e ida.com
Section 8:
SIS Operation and Maintenance
• Procedures
• Training
• Proof Testing

e ida.com
Overview
• Objective
– Ensure functional safety of the SIS is maintained
• Inputs
– Safety requirements specification
– SIS Design
– SIS operation and maintenance
• Outputs
– SIS operation and maintenance

e ida.com
Objectives
• Ensure that the required SIL of each SIF is

maintained during operation and
maintenance
• Operate and maintain the SIS such that the
designed functional safety is maintained

e ida.com
Planning Requirements
• Routine and abnormal operations

• Proof testing, preventative and breakdown
maintenance activities
• Procedures, measures and techniques to be
used for operation and maintenance
• Verification and adherence to operations and
maintenance procedures
• Timing for these activities
• Resources responsible for the activities
e ida.com
Procedures
• Routine actions required to maintain the “as

designed” functional safety of the SIS
• Actions necessary to prevent an unsafe condition
during maintenance
• Information to be maintained for system failure and
demand rates
• Information to be maintained for audit and test results
• Maintenance procedures for when faults occur
• Ensuring test equipment is calibrated and maintained

e ida.com
Training
• Ensure that:
– Understand how the SIS functions (trip points and
resulting actions)
– Hazard SIS is preventing
– Operation of bypass switches and circumstances
for their use
– Operation of manual switches and when they are
to be activated (I.e., reset switches)
– Action taken on diagnostic alarms

e ida.com
Proof testing and Inspection
• Periodic proof tests are conducted using

written procedures
• The entire SIS shall be tested
• Test interval is based on SIS, and will be re-
evaluated based on system performance at a
periodic interval

ee ida .com
ida.com
excellence in
Periodic Inspection Interval
The test period is a parameter which significantly

1/PFD(t) affects the average probability of failure on
IEC61511
demand and hence the safety integrity level
SIL 4
SIL 3
1/PFDavg
SIL 2
SIL 1
test period
time

ee ida .com
ida.com
excellence in
Periodic Inspection Interval
1/PFD(t)
Decreasing the test interval decreases the
IEC61511 average failure probability, increasing the safety
integrity of the system
SIL 4
SIL 3
1/PFDavg
SIL 2
test
SIL 1 period
time

ee ida .com
ida.com
excellence in
Proof Test Documentation
• The user shall maintain

proof test records that
include
– Description of Test
2
– Date of Test
– Persons involved
– Identifier of system
– Test Results

e ida.com
• Exercise 7
– Describe some operational requirements for SIS

e ida.com
Summary:
Operation and Maintenance
• Procedures
• Training
• Proof Testing

e ida.com
Section 9:
Modification and Decommissioning
• SIS Modifications
• Management of Change
• SIS Decommissioning

e ida.com
SIS Modification
• If modification are performed to an SIS

– Modifications must be properly planned, reviewed,
and approved
– Required safety integrity must be maintained
• Procedures for modification must be in place
• A full analysis of the impact on functional
safety is required
• Work will not begin without proper
authorization

e ida.com
When is management of change

required?
• If operating procedure changes are required
• The process is changed significantly
• Safety requirement specification changes
• Software or firmware changes
• Failure or demand rate is higher than
expected

e ida.com
When is Management of Change not

required?
• “Replacement in kind” of components
• Changes do not affect safety requirements
• Regular calibration and maintenance

e ida.com
Considerations for modification
• Technical basis of the change

• Impact of change on safety
• Modifications to operating procedures
• Necessary time period for changes
• Authorization requirements
• Impact on existing equipment
• Process state during change (online change)

e ida.com
Modification Documentation
• Modification documentation should contain

the following information at a minimum
– Description of change
– Reason for change
– Hazards which might be impacted
– Analysis of impact on SIS
– Required approvals
– Verification tests
– Configuration history
e ida.com
SIS Decommissioning
• When SIS are decommissioned

– Conduct appropriate safety review and obtain
required authorization
– Ensure required SIF remain operational during
decommissioning activities
• Update Hazard and Risk Assessment
– Functional safety during decommissioning
– Impact of SIS decommissioning on adjacent
operating units and facility services

e ida.com
Summary:
Modification and Decommissioning
• SIS Modifications
• Management of Change
• SIS Decommissioning

e ida.com
Section 10:
Management of Functional Safety
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation

e ida.com
Overview
• Objective
– Identify the management activities that are necessary to
ensure functional safety objectives are met
• Requirements
– The policy and strategy for achieving safety shall be
identified together with the means for evaluating its
achievement and shall be communicated within the
organization
– A safety management system shall be in place so as to
ensure that safety instrumented systems have the ability to
place and/or maintain the process in a safe state

e ida.com
Resources
• Resources shall be informed of their responsibilities

• Resources shall be competent to carry out activities
for which they are accountable
• Knowledge of application
• Knowledge of SIS technology
• Safety engineering knowledge
• Knowledge of regulatory requirements
• Adequate management and leadership skills
• Understanding of potential event consequences
• The SIL of the safety instrumented functions
• The novelty and complexity of the application and SIS

e ida.com
Planning
• Define required activities

• Resources responsible for activities
• Timing of activities
• Planning shall be updated as necessary
through the entire safety lifecycle

e ida.com
Implementation and Monitoring
• Implement procedures for resolution of

recommendations
– Hazard and risk assessment
– Assessment activities
– Verification activities
– Validation activities
• Verify quality management of suppliers
• Implement procedures for evaluating
performance of SIS against requirements

e ida.com
Functional Safety Assessment
• Performed by team, one competent senior

person not involved in the design, minimum
• May be performed after the stages below,
must be done at least for stage 3
– Stage 1 – After hazard and risk assessment and
safety requirements specification
– Stage 2 – After SIS design
– Stage 3 – After commissioning and validation
– Stage 4 – After experience in ops and maint.
– Stage 5 – After modification
e ida.com
Functional Safety Assessment

Stage 3 Requirements
• Hazard and risk analysis completed,
recommendations completed or resolved
• Recommendations from previous functional safety
assessment resolved
• SIS designed, constructed and installed per SRS
• Operating, and maintenance procedures in place
• Validation activities completed
• Employee training complete
• Plans for further functional safety assessments done

e ida.com
Audits and Revisions
• Procedures for auditing compliance with the

requirements of the standard defined
– Frequency of audits
– Degree of independence of auditor
– Recording and follow up
• Management of change procedures in place

e ida.com
Verification vs. Validation
• Verification
– The activity of demonstrating for each phase of the
relevant safety lifecycle by analysis and/or tests,
that, for specific inputs, the deliverables meet in all
respects the objectives and requirements set for
the specific phase
• Validation
– The activity of demonstrating that the safety
instrumented system under consideration after
installation meets in all respects the safety
requirements specification.
e ida.com
Verification
• Performed for each phase of the safety

lifecycle
• Demonstrate the deliverables meet the
requirements of that phase

e ida.com
Documentation Requirements
• Describe the installation, system or

equipment and the use of it
• Be accurate
• Be easy to understand
• Suit the purpose for which it is intended
• Be available in an accessible and
maintainable form

e ida.com
Documentation to be maintained
• The results of the hazard and risk assessment and

the related assumptions
• The equipment used for safety instrumented
functions together with its safety requirements
• Organization responsible for maintaining functional
safety
• The procedures necessary to achieve and maintain
functional safety of the SIS
• Modification information
• Design, implementation, test and validation
ee ida .com
ida.com
excellence in
Documentation ControlControl
Documentation
• All relevant Documents shall be

– Revised
– Amended
– Reviewed
– Approved
– Under Control of a Document Control Scheme
A Document Control Scheme is mandatory

e ida.com
• Functional Safety Management

– Describe the objectives of functional safety
management

e ida.com
Summary:
Functional Safety Management
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation

e ida.com
Post Instructional Test
• Answer the questions to the best of your

ability
• This test can be used to determine
effectiveness of this course
• Instructor will review questions and answers
to enhance your learning

e ida.com
Final Course Evaluation
• Course Evaluations help us provide the

highest quality training programs
• Please complete the form and return it to your
instructor

Exida - Overview of IEC 61511 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Exida - Overview of IEC 61511 PDF

Uploaded by

Copyright:

Available Formats

e ida.

Overview of IEC 61511

Functional Safety: Safety Instrumented

Copyright © 2000, exida.com

• Course materials & location

2 Copyright © 2000, exida.com

Phone (215) 896-7170 Internet Address: info@exida.com

Course Development Team

• Developers: Edward M. Marszal, PE

4 Copyright © 2000, exida.com

Introduction of Course Participants

5 Copyright © 2000, exida.com

General Course Objectives

• Understand the applicability, content, and

General Course Objectives (cont’d)

• Develop an understanding of the tasks

7 Copyright © 2000, exida.com

• Please complete the Pre-Exercise

8 Copyright © 2000, exida.com

Performance Objectives Day 1

• Explain the applicability of IEC 61511

10 Copyright © 2000, exida.com

What is IEC 61511?

• Process Sector Specific Implementation of

11 Copyright © 2000, exida.com

What does the standard contain?

• Defines the relationship between IEC61508

What does the standard contain?

13 Copyright © 2000, exida.com

What does the standard contain?

14 Copyright © 2000, exida.com

Development of the Allocation and safety Design of Safety

Factory Acceptance Test, Operation, maintenance,

15 Copyright © 2000, exida.com

• References - Clause 2 (Part 1)

16 Copyright © 2000, exida.com

When do I apply IEC61511?

• When integrating instrumentation into a

When must IEC 61508 be used

18 Copyright © 2000, exida.com

How is it related to IEC 61508?

Process Sector Safety

Develop Use Proven Use Develop Develop Develop

19 Copyright © 2000, exida.com

IEC 61511 vs. ISA S84

IEC 61511 vs. ANSI/ISA S84.01

21 Copyright © 2000, exida.com

• Good engineering practice – compilation of

22 Copyright © 2000, exida.com

23 Copyright © 2000, exida.com

24 Copyright © 2000, exida.com

25 Copyright © 2000, exida.com

Safety Lifecycle Objectives

• To structure, in a systematic manner, the

26 Copyright © 2000, exida.com

IEC 61511 Safety Life Cycle

Safety Requirements Specification for

Design and Development of Design and Development of Other

Installation, Commissioning, and Validation

27 Copyright © 2000, exida.com

Safety Life Cycle – ISA 84.01

Start SIS Installation,

28 Modify Copyright © 2000, exida.com