Overview of IEC 61511

Functional Safety: Safety Instrumented Systems for the Process Industry Sector

exida.com: excellence in dependable automation

Copyright © 2000, exida.com. All Rights Reserved.

Version 1.0


Course Logistics

• Course materials & location
  – Handouts and course binder
  – Exercises, additional resources, instructional surveys, and progress reviews
  – Tent card, reference & training products / courses survey of M&C
• Course attendance & participation
  – Certificate of course completion
  – Continuing education units (CEU)
• Breaks
  – Lunch
  – Stretch, refreshment, etc.
• Personal belongings


exida Resources

• Books
• Application Software
• Web-based online software
• Online discussion and knowledge base
• Online SIS engineering data
• Member newsletter

Phone (215) 896-7170 Internet Address: [email protected]

www.exida.com


Course Development Team

• Developers: Edward M. Marszal, PE; Dr. William Goble; Rainer Faller
• Reviewers: Rachel Amkreutz; Harry Cheddie


Introduction of Course Participants

• Instructor
  – Name
  – Background/experience
• Classmates
  – Name, company, position
  – Background/experience
  – What would you like to get from this course?


General Course Objectives

• Understand the applicability, content, and benefits of using the IEC 61511 Standard
• Understand the Safety Lifecycle
• Understand the purpose and outputs of hazard and risk assessments
• Understand how risk is allocated to layers of protection and SILs are selected
• Understand safety requirements specification


General Course Objectives (cont’d)

• Develop an understanding of the tasks performed during the SIS design phase

• Understand FAT, Installation and Commissioning

• Understand the impacts of modification and decommissioning

• Develop a knowledge of functional safety management


Pre-Exercise

• Please complete the Pre-Exercise
• Answer questions to the best of your ability
• The results will help the instructor emphasize class content needed by class members


Performance Objectives Day 1

• Explain the applicability of IEC 61511
• Define and enumerate tasks associated with each phase of the safety lifecycle
• Understand hazards and risk analysis
• Understand risk and how it is allocated to layers of protection, including SIL selection
• Identify information required for safety requirements specification


Section 1: Introduction

• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues


What is IEC 61511?

• Process Sector Specific Implementation of IEC61508

• Sets minimum standards and performance levels for instrumentation used for safety

• Creates a rational and consistent approach to SIS engineering, called the “safety life cycle”

The standard is intended to lead to a high level of consistency within the process industries, which will have both safety and economic benefits.


What does the standard contain?

• Defines the relationship between IEC61508 and IEC61511

• Requires allocation of safety requirements to safety instrumented functions

• Relates safety functions to other functions
• Requires identification of safety requirements
• Specifies requirements for system architecture, hardware configuration, application software, and system integration


What does the standard contain? (continued)

• Specifies requirements for functional safety, but does not specify the responsibility for implementation
• Uses a safety life cycle, and defines a list of activities required for functional safety
• Requires hazard and risk assessment to identify safety requirements
• Establishes numerical targets for safety instrumented system performance


What does the standard contain? (continued)

• Specifies techniques/measures for achieving performance targets (Safety Integrity Levels)
• Provides a framework for establishing safety integrity levels
• Defines information needed during the safety life cycle


Technical Requirements

• Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis): Clause 8
• Allocation of safety requirements and safety requirements specification: Clauses 9 and 10
• Design of Safety Instrumented Systems: Clause 11
• Design of SIS Software: Clause 12
• Factory Acceptance Test, Installation, Commissioning, and Safety Validation: Clauses 13 and 14
• Operation, maintenance, modification, retrofit, decommissioning, and disposal: Clauses 15 and 16

All technical requirements are listed in Part 1 of the Standard!


Support Parts

• References – Clause 2 (Part 1)
• Definitions and Abbreviations – Clause 3 (Part 1)
• Conformance – Clause 4 (Part 1)
• Management of Functional Safety – Clause 5 (Part 1)
• Information Requirements – Clause 17 (Part 1)
• Differences – Annex “A” (Part 1)
• Guidelines for the Application of Part 1 – Part 2
• Risk Based Approaches to the Development of Safety Integrity Requirements – Part 3


When do I apply IEC61511?

• When integrating instrumentation into a safety function in the process industries
  – Process industries include chemicals, oil refining, oil and gas production, pulp and paper, non-nuclear power generation, etc.

• When plant personnel, the public, or the environment are protected from a process plant incident by instrumented functions

• Techniques are applicable to asset protection, but not required


When must IEC 61508 be used instead of IEC 61511?

• When manufacturers wish to claim the devices are suitable for safety applications
• When “high variability” languages are used in a programmable system


How is it related to IEC 61508?

Process Sector Safety System Standard

Process Sector Hardware
• Develop new hardware devices: follow IEC 61508
• Use “proven in use” hardware devices: follow IEC 61511
• Use hardware developed and validated according to IEC 61508: follow IEC 61511

Process Sector Software
• Develop embedded (system) software: follow IEC 61508
• Develop application software using full variability languages: follow IEC 61508
• Develop application software using limited variability languages or fixed programs: follow IEC 61511


IEC 61511 vs. ISA S84: Which one should I follow?

• IEC61508 is a broad standard covering nuclear applications to toasters
• S84 is ANSI endorsed, covering the United States and Canada
• IEC61508 stipulates S84 is sector standard in US
• IEC 61511 is expected to be ISO endorsed globally, ANSI will drop S84 endorsement
• USE 61511!


IEC 61511 vs. ANSI/ISA S84.01: Both are effectively the same

• Each of the steps required by S84 is also required by IEC61511
• They are represented somewhat differently
  – 61511 does not show conceptual process design
  – S84 does not show Design and Development of Other Means of Risk Reduction
  – Multiple tasks in S84 lifecycle are combined in a single task in 61511 lifecycle


Benefits of Compliance

• Good engineering practice – compilation of best practices of industry by consensus

• Quality procedures specified by standards have proven to increase productivity, decrease cost of engineering, operation, and maintenance, and increase process up-time

• Safety life cycle procedures will decrease risk
• Compliance with legislation and regulation


Key issues

• Safety Lifecycle
• Hazard and Risk Analysis
• Quantitative Verification
• Management System
• Certification


Summary: Introduction

• What is IEC 61511?
• When is IEC 61511 Applied?
• Relation to other standards
• Benefits
• Key Issues


Section 2: The Safety Life Cycle

• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases


Safety Lifecycle Objectives

• To structure, in a systematic manner, the different phases in order to achieve the required functional safety of E/E/PES

• To document key information relevant to Functional Safety

• To provide a framework for safer, more reliable systems

• To reduce system implementation cost


IEC 61511 Safety Life Cycle

Running across all phases:
• Management of Functional Safety and Functional Safety Assessment – Clause 5
• Safety Lifecycle Structure and Planning – Sub-clause 6.2
• Verification – Sub-clauses 7, 12.7

ANALYSIS
• Risk Analysis and Protection Layer Design – Sub-clause 8
• Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction – Sub-clause 9
• Safety Requirements Specification for the Safety Instrumented System – Sub-clause 10

REALIZATION
• Design and Development of Safety Instrumented System – Sub-clause 11
• Design and Development of Other Means of Risk Reduction – Sub-clause 9
• Installation, Commissioning, and Validation – Sub-clause 14

OPERATION
• Operation and Maintenance – Sub-clause 15
• Modification – Sub-clause 15.4
• Decommissioning – Sub-clause 16


Safety Life Cycle – ISA 84.01

[Figure: S84.01 lifecycle flowchart; each box is marked either “Covered by S84.01” or “Not Covered by S84.01”.]

• Start
• Conceptual Process Design
• Hazard Analysis / Risk Assessment
• Develop non-SIS Layers
• SIS Required? (No / Yes)
• Define Target SIL
• Develop Safety Specification
• SIS Conceptual Design
• SIS Detailed Design
• SIS Installation, Commissioning and Pre-startup Acceptance Test
• Establish Operating and Maintenance Procedures
• Pre-startup Safety Review (Assessment)
• SIS startup, operation, maintenance, Periodic Functional Tests
• Modify, Decommission?
  – Modify
  – Decommission: SIS Decommissioning


Hazard / Risk Analysis

• Objective
  – Identify process hazards, estimate their risks and decide if that risk is tolerable
• Tasks
  – Hazard Identification (e.g., HAZOP)
  – Analysis of Likelihood and Consequence
  – Consideration of non-SIS Layers of Protection

Risk analysis and protection layer design (Subclause 8)


SIL Selection

• Objective
  – Specify the required risk reduction, or difference between existing and tolerable risk levels – in terms of SIL
• Tasks
  – Compare process risk against tolerable risk
  – Use decision guidelines to select required risk reduction
  – Document selection process

Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction (Subclause 9)


Safety Requirements Specification

• Objective
  – Specify all requirements of SIS needed for detailed engineering and process safety information purposes
• Tasks
  – Identify and describe safety functions
  – Document SIL
  – Document action taken – Logic, Cause and Effect Diagram, etc.

Safety Requirements Specification for the Safety Instrumented System (Subclause 10)


Conceptual / Detailed Design

• Objective
  – Select and configure equipment used in the SIS (including programming)
• Tasks
  – Specify system technology and architecture
  – Specify field instrumentation
  – Configuration / Programming
  – Select vendors, review bids

Design and Engineering of Safety Instrumented System (Subclauses 11, 12)


Installation and Commissioning

• Objective
  – Install equipment, after acceptance testing, and prepare for operation
• Tasks
  – Factory Acceptance Testing
  – Field and control room equipment installation
  – Confirm equipment operation
  – Instrumentation Calibration

Installation, Commissioning (Subclauses 13 and 14)


Safety Review Validation

• Objectives
  – Verify that the SIS is designed, installed, and operating according to the Safety Requirements
• Tasks
  – Verify operation of field instruments
  – Validate logic and operation
  – Verify SIL of installed equipment
  – Produce OSHA and EPA required documentation
  – Certifications if required

Validation (Subclause 13)


Operation and Maintenance

• Objective
  – Operate and maintain the SIS so that the specified SIL is maintained
• Tasks
  – Establish procedures for operating and maintaining the SIS
  – Perform periodic function test on an interval that allows the specified SIL to be achieved with the installed equipment

Operation and Maintenance (Subclause 15)


Modification and Decommissioning

• Objective
  – Ensure changes to the system are safe and appropriately reviewed
• Tasks
  – Establish procedures for change management
  – Review safety functions prior to taking an SIS out of service

Modification and Decommissioning (Subclauses 15.4 and 16)


Application Exercise 1

• Safety Life Cycle
  – List safety lifecycle tasks and responsibilities for completion in your organization


Summary: The Safety Life Cycle

• Safety Lifecycle Objectives
• IEC 61511 Safety Lifecycle
• ANSI/ISA S84.01 Safety Lifecycle
• Lifecycle Phases


Section 3: Hazard and Risk Analysis

• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis


Overview

• Objective
  – Identify hazardous events, quantify their risk, and identify required safety instrumented function
• Inputs
  – Process design, equipment layout, staffing arrangement
• Outputs
  – A description of required safety instrumented functions


Objectives and Requirements

• Determine and document the hazards and hazardous events of the process and associated equipment

• Determine the sequence of events leading to the hazardous event

• Determine the process risks associated with the hazardous event - describing the consequence and likelihood and additional risk reduction required

• Determine the safety functions required to achieve the necessary risk reduction and how the requirements are allocated

• Determine if any of the safety functions are safety instrumented functions


How do you know when to apply a SIF?

• Process Experience
  – Most process units are not new
  – Designers learn from past incidents and near-misses and incorporate prevention systems
• Process Hazards Analysis (PHA)
  – Organized and systematic study for identification and analysis of the significance of potential hazards
  – Proactive team effort identifies what could go wrong


How can I identify the SIF that should be used on my process?

• Review the design documentation
  – Process Hazards Analysis Report
  – Process Licensor P&IDs
  – Detailed Design Contractor P&IDs


Identifying SIF from PHA Reports: What does a PHA contain?

• There are a variety of PHA methods
  – Hazard and Operability Studies (HAZOP)
  – Checklist
  – What-if?
• PHA will use various techniques to identify hazards
• Discussions of hazards include consequences and safeguards (both SIS and non-SIS)
• Additional safeguards may be recommended


Summary: Hazard and Risk Analysis

• Objectives and Requirements
• Identifying Safety Instrumented Functions
• Process Hazards Analysis


Section 4: Requirement Allocation / SIL Selection

• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection


Overview

• Objective
  – Allocation of safety functions to protective layers and, for each SIF, the associated Safety Integrity Level (SIL)
• Inputs
  – A description of the SIF and hazards requiring risk reduction
• Outputs
  – Description of allocation of safety requirements, including SIL


Risk Terms: Risk and Hazard

• The objective of SIS is to reduce the risk of the hazards in a process to a tolerable level
  – Risk – Combination of the probability of occurrence of harm and the severity of that harm
  – Harm – Physical injury or damage to the health of people either directly, or indirectly as a result of damage to property or the environment
  – Hazard – Potential source of harm


Risk Terms: Tolerable Risk

• The risk reduction the SIF must provide is the difference between process risk and tolerable risk
  – Process Risk – Risk arising from the process conditions caused by abnormal events
  – Tolerable Risk – Risk which is accepted given a context based on the current values of society
  – Necessary Risk Reduction – The risk reduction required to ensure that the risk is reduced to a tolerable level

Risk Reduction - ALARP

[Figure: ALARP diagram. From high risk down to negligible risk: Intolerable Region; ALARP or Tolerable Region; Broadly Acceptable Region.]


Risk Reduction - putting it in context

• Examples of fatality risk figures (cpm = chances per million of the population per year)
  – Road accident: 100 cpm (1.0×10^-4/yr)
  – Car accident: 150 cpm (1.5×10^-4/yr)
  – Accident at work: 10 cpm (1.0×10^-5/yr)
  – Falling aircraft: 0.02 cpm (2.0×10^-8/yr)
  – Lightning strike: 0.1 cpm (1.0×10^-7/yr)
  – Insect/snake bite: 0.1 cpm (1.0×10^-7/yr)
  – Smoking (20 per day): 5000 cpm (5.0×10^-3/yr)


Risk Reduction – ALARP: Quantitative Risk Guidance

[Figure: ALARP diagram with numerical boundaries, from high risk down to negligible risk. Intolerable Region above 10^-3/yr (workers) or 10^-4/yr (public); ALARP or Tolerable Region; Broadly Acceptable Region below 10^-5/yr (workers) or 10^-6/yr (public).]

Numerical targets for tolerable risk are from HSE Tolerability of Risk Guidance.


Effect of SIS

[Figure: risk diagram with Consequence and Likelihood axes; risk increases from the Acceptable Risk Region through the ALARP Risk Region to the Unacceptable Risk Region. The inherent risk of the process (i.e., no mitigation) is reduced by non-SIS consequence reduction (e.g., containment dikes) and non-SIS likelihood reduction (e.g., relief valves) to the risk after non-SIS mitigation; SIS risk reduction (SIL 1, SIL 2 or SIL 3) then brings it to the final risk after mitigation.]


How do I analyze likelihood?

• Likelihood analysis can be performed in a number of ways
  – Qualitative Estimation - Expert Judgement
  – Quantitative - Statistical Analysis
  – Quantitative – Fault Propagation Modeling

• Result is frequency of unwanted event


Fault Propagation Modeling

• Used when statistical analysis alone is inadequate

• Analyze chain-of-events that leads to an accident

• Use failure data of individual components not entire system

• Combine failures using probability logic


Layer of Protection Analysis

[Figure: protection layers around the process value. Normal behaviour is held by the process control layer (Basic Process Control System); a process alarm brings operator intervention; a trip level alarm activates the safety layer (Safety Instrumented System: Emergency Shut Down, Process shutdown). These are PREVENTION layers. MITIGATION layers follow: active protection layer (relief valve, rupture disk), passive protection layer (dike), and the emergency response layer (plant and emergency response).]


How do I analyze consequences?

• Consequence analysis can be performed in a number of ways
  – Qualitative Estimation - Expert Judgement
  – Semi-Quantitative - Risk Indices
  – Quantitative - Statistical Analysis
  – Quantitative - Hazardous Potential Release Modeling


Consequence Analysis Results

• Size of impact zone and occupancy of that zone are combined for probable loss

• Result depends on consequence of concern, typically probable loss of life and probable injury

Typical Consequence Analysis Results for a toxic chemical release

[Figure: plan view of the release showing a Fatality Zone and an Injury Zone; zone dimensions shown are 9 meters, 23 meters, 87 meters and 112 meters. Probable Loss of Life: 0.27; Probable Injuries: 2.56.]


Assigning SIL - Qualitative

[Figure: Risk Graph and Risk Matrix. The risk graph branches on the parameters CA to CD, FA/FB, PA/PB and W1 to W3 (consequence, exposure frequency, probability of avoidance and demand rate, as in the IEC 61508 risk graph) and reads off the outcome ---, a, b or a SIL of 1 to 4 at the end of each path. The risk matrix gives entries NR, 1, 2 and 3*.]

Legend: --- = No safety requirements; a = No special safety requirements; b = A single E/E/PES is not sufficient; 1, 2, 3, 4 = Safety Integrity Level


Assigning SIL - Quantitative

• Risk is frequency times consequence
• Tolerable risk for an event can be expressed as frequency by considering consequence
• Necessary risk reduction can be calculated and expressed as frequency of failure of the SIS
• Allowable failure frequency is converted to SIL using the tables in the standard


Safety Integrity Levels

Safety Integrity Level   Probability of failure on demand per year (Demand mode of operation)   Risk Reduction Factor
SIL 4                    >= 10^-5 to < 10^-4                                                     100000 to 10000
SIL 3                    >= 10^-4 to < 10^-3                                                     10000 to 1000
SIL 2                    >= 10^-3 to < 10^-2                                                     1000 to 100
SIL 1                    >= 10^-2 to < 10^-1                                                     100 to 10
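The quantitative route of the preceding slide, worked through against this table as added example code (not course material): tolerable risk becomes a tolerable event frequency, the ratio of event frequency to that gives the necessary risk reduction factor, and the RRF is mapped to a SIL. The event frequency, the relief-valve credit and the tolerable-risk target are constructed inputs; the 0.27 probable loss of life is the value on the consequence analysis slide.

```python
"""Quantitative SIL selection: risk = frequency x consequence; tolerable risk
becomes a tolerable event frequency; the necessary risk reduction factor (RRF)
is the event frequency reaching the SIF divided by that tolerable frequency;
the RRF is mapped to a SIL with the PFD bands of the table.
Added example, not from the course; the input values are constructed."""

# PFD bands from the 'Safety Integrity Levels' table (demand mode of operation):
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def tolerable_frequency(tolerable_risk, consequence):
    """Tolerable frequency (per year) of an event with the given consequence
    (e.g. probable loss of life per event), for a tolerable risk target
    expressed in the same consequence units per year."""
    if consequence <= 0:
        raise ValueError("consequence per event must be positive")
    return tolerable_risk / consequence


def required_rrf(event_frequency, tolerable_risk, consequence):
    """Necessary risk reduction: event frequency (after credit for non-SIS
    layers) divided by the tolerable frequency. RRF <= 1 means the risk is
    already tolerable without a SIF."""
    return event_frequency / tolerable_frequency(tolerable_risk, consequence)


def sil_for_rrf(rrf):
    """Map a required RRF to a SIL. The allowable PFD of the SIF is 1/RRF.
    Returns 0 when RRF <= 10 (no SIL-rated SIF is needed for that little
    reduction) and None when the allowable PFD falls below the SIL 4 band,
    i.e. one SIF cannot provide the reduction and the design must change."""
    if rrf <= 10.0:
        return 0
    allowable_pfd = 1.0 / rrf
    for sil, low, high in SIL_BANDS:
        if low <= allowable_pfd < high:
            return sil
    return None


def select_sil(unmitigated_frequency, consequence, tolerable_risk, non_sis_rrf=1.0):
    """Whole selection step: take credit for independent non-SIS protection
    layers first (relief valves, dikes on the 'Effect of SIS' slide), then
    size the SIF. Returns (required_rrf, sil)."""
    if non_sis_rrf < 1.0:
        raise ValueError("a protection layer cannot increase the event frequency")
    frequency_at_sif = unmitigated_frequency / non_sis_rrf
    rrf = required_rrf(frequency_at_sif, tolerable_risk, consequence)
    return rrf, sil_for_rrf(rrf)


if __name__ == "__main__":
    # Constructed scenario: an initiating event (say, a BPCS loop failure leading
    # to overpressure) at 0.1 per year; 0.27 probable loss of life per event
    # (the figure on the consequence analysis slide); tolerable risk 1e-5 per
    # year for workers (lower ALARP boundary on the HSE guidance slide).
    rrf, sil = select_sil(0.1, 0.27, 1e-5)
    print(f"SIF alone: required RRF {rrf:.0f} -> SIL {sil}")  # 2700 -> SIL 3
    # Assumed RRF of 100 for a relief valve as an independent non-SIS layer.
    rrf, sil = select_sil(0.1, 0.27, 1e-5, non_sis_rrf=100.0)
    print(f"With relief valve credit: required RRF {rrf:.0f} -> SIL {sil}")  # 27 -> SIL 1
```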


Summary: Requirement Allocation / SIL Selection

• Objectives and Requirements
• Risk / Risk Reduction
• Consequence Analysis
• Likelihood Analysis
• SIL Selection


Section 5: Safety Requirements Specification

• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques


Overview

• Objective
  – Specify requirements of each SIF of a SIS, including functional and safety integrity requirements
• Inputs
  – Description of allocation of safety requirements
• Outputs
  – SIS safety requirements; software safety requirements


Objectives

• Define the requirements of the SIS
  – Requirements spelled out for EACH SIF
  – Includes Functional Requirements, “What does the system do”
  – Includes Performance Requirements, “How well does the system perform these functions” – in this case Safety Integrity Level (SIL)


Requirements

• The SRS shall contain:
  – A description of all the safety instrumented functions necessary to achieve the required functional safety
  – Requirements sufficient to design the SIS
  – A definition of any individually safe process states which, when occurring concurrently, create a separate hazard (e.g., overload of emergency storage, relief, flare systems)


Requirements

• The SRS shall contain
  – The assumed sources of demand and demand rate on the safety instrumented function
  – Requirement for proof test intervals
  – Response time requirements for the SIS to bring the process to a safe state
  – The safety integrity level for each safety instrumented function
  – A description of SIS process measurements and their trip points


Requirements

• The SRS shall contain
  – A description of SIS process output actions
  – A functional relationship between process inputs and outputs, including logic, mathematical functions, and any required permissives
  – Requirements for manual shutdown
  – Requirements for resetting the SIS after a shutdown
  – Maximum allowable spurious trip rate


Requirements

• The SRS shall contain
  – Failure modes and desired response of the SIS (for example, alarms, automatic shutdown, etc.)
  – Any specific requirements related to the procedures for starting up and restarting the SIS
  – All interfaces between the SIS and any other system
  – A description of the modes of operation of the plant and identification of safety instrumented functions required to operate within each mode


Requirements

• The SRS shall include
  – The application software requirements
  – Requirements for overrides / inhibits / bypasses
  – The specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIS
  – The minimum and worst-case repair time for the SIS
  – Dangerous combinations of output states of SIS must be addressed


Safety Instrumented Function

[Figure: sensors on the left, two logic solvers in the middle and final elements on the right, wired as Loop 1 through Loop 6; a safety instrumented function spans the sensor, logic solver and final element of a loop.]


Methods for Logic Specification

Binary Logic Diagram: [Figure: inputs PSL-101 and LSL-105 feed an OR gate whose output drives HY-415.]

Cause and Effect Diagram: [Figure: matrix with causes PSLL-0203, BSL-0252 and XL-0288 as rows and effects PSV-1201, PSV-1234, XV-1217 and XJ-1217 as columns; an X marks each effect that a cause activates.]

Plain Text: “Low Pressure or Low Level, indicated by deenergization of the inputs from LSL-105 and PSL-105, shall deenergize output HY-415, causing the shutoff valve to close.”


Application Exercise 4

• Safety Requirements Specification
  – Review a sample safety requirements specification to determine if it is complete


Summary: Safety Requirements Specification

• Objectives and Requirements
• Safety Instrumented Functions
• Logic Description Techniques


Daily Progress Review

• Were today’s objectives clearly covered?
• Did today’s presentation / activities meet your goals?
• Was the level and pace of instruction right for you?


Performance Objectives Day 2

• Identify the tasks performed during SIS design and engineering

• Understand factory acceptance testing, installation and commissioning

• Understand modification and decommissioning

• Understand the management tasks and requirements for functional safety


Section 6: SIS Design and Engineering

• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure


Design

• Choose Technology - Relays, PLC, Safety PLC

• Choose Sensors - Switch, Analog Transmitter, Safety Rated Transmitter

• Select level of system integration, communications needs

• Design the startup and shutdown logic
• Design logic to implement safety requirements


Failure Modes

• With a safety system, the failure mode counts! Two failure modes are significant:
• Safe failures
  – initiating
  – spurious
  – costly downtime
• Dangerous failures
  – inhibiting
  – potentially dangerous
  – must find by testing


Technology: Relay Systems

• Relays/Modules perform logic
• Reprogrammed by rewiring

Considerations
• Nuisance trips
• No diagnostics on relays
• Complexity of large systems
• Reprogramming
• Documentation
• High cost of ownership

Advantages
• Fail-safe for special relays and inherent fail-safe logic
• Low initial cost

Hardwired Logic: Inherently Fail-Safe Logic


Technology: Programmable Electronic Systems

• Microcomputers perform the logic
• I/O modules sense inputs and generate outputs

Considerations:
1. Fail danger failure modes
2. Software unpredictability
3. Communications security
4. Cost

Advantages:
1. Diagnostics
2. Flexibility, Modular
3. Cabinet space savings
4. Calculation capability
5. Communications
6. Documentation

82

General Requirements

• Design in accordance with SRS
• Common components designed to highest SIL of all SIF
• Separate BPCS and SIS
• Requirements for maintenance and testing should be considered
• Manual means of activating final elements should be provided

83

Fault Tolerance Requirements

• Fault Tolerance – ability of a functional unit to continue to perform a required function in the presence of faults and errors

Integrity   Simple Devices                    Complex Devices
Level       Min. Fault Toler.  Typical Arch.  Min. Fault Toler.  Typical Arch.
SIL 1       0                  Single, 1oo1   0                  Single, 1oo1
SIL 2       0                  Single, 1oo1   1                  1oo2, 2oo3
SIL 3       1                  1oo2, 2oo3     2                  1oo3
SIL 4       2                  1oo3           Special Requirements Apply

84

Selection of Components and Sub-systems

• Designed in accordance with IEC 61508-2 and -3
  – TÜV approval
• “Proven in Use”
  – Consideration of mfr. quality management
  – Consideration of performance of device in similar “operating profile”

Sufficient operational time is required to establish a claimed failure rate to a single-sided confidence limit of at least 70%

85

Field Devices

• If energize-to-trip is used, a method must be applied to ensure circuit integrity
• Each device shall have its own dedicated wiring, except:
  – Multiple switches in series indicating the same condition
  – Multiple final elements on a single output
  – Digital bus system meeting the performance requirements of the SIF
• Smart sensors shall be write-protected against remote (over the network) changes

86

Interfaces

• Operator Interface
  – SIS protective action has occurred
  – Protective functions have been bypassed
  – Status of sensors and final elements, including failures and diagnostics
• Maintenance/Engineering Interface
  – SIS operating information including diagnostics, voting and fault handling (troubleshooting)
  – Add, delete, modify application software

87

SIF Probability of Failure

• Check Reliability / Safety Metrics for each Safety Instrumented Function

• Verify that PFDavg meets the target SIL range
• If necessary: change technology, equipment, or architecture
• Document all results

88

Factors affecting SIF Failure Probability

• SIF Architecture
• Failure rates of subsystems
• Susceptibility to common cause failure
• Diagnostic coverage of testing
• Proof test intervals
• Repair times (Diagnosis + Repair)
• Climatic and mechanical conditions

89

Probability of Failure Modeling Methods

The failure rate data (λDU, the dangerous undetected failure rate) feeds one of the following models:

• Fault Tree Analysis
• Markov Analysis
• Block Diagram

90

Application Exercise 5

• SIS Design and Engineering Principles
  – Demonstrate some principles of SIS Design Engineering

91

Summary: SIS Design and Engineering

• System Technology and Architecture
• Field Device Considerations
• Interfaces and Communication
• Probability of Failure

92

Section 7: FAT, Installation and Commissioning

• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)

93

Overview

• Objectives
  – Integrate and test the SIS
  – Validate that the SIS meets the requirements of the SRS
• Inputs
  – SIS Design, SIS Test Plan, SIS safety requirements, Validation Plan
• Outputs
  – Fully functioning SIS in conformance with SRS
  – Validation of SIS

94

Factory Acceptance Testing

• If required, specified in SRS
• FAT proceeds according to written plan
• FAT should be documented
  – If failure occurs, reason for failure and corrective action and re-test should be documented

The objective of a Factory Acceptance Test (FAT) is to test the logic solver and associated software together to ensure it satisfies the requirements defined in the Safety Requirements Specification. By testing the logic solver and associated software prior to installing in a plant, errors can be readily identified and corrected.

95

Commissioning Activities

• SIS components installed per design
• Grounding has been properly connected
• Energy sources connected and operational
• No physical damage present
• All instruments calibrated
• All devices operational
• Logic solver input/output operational
• Interfaces operational

96

Validation: Pre-Startup Safety Acceptance Test

• The Validation or PSAT will consist of the following activities
  – The SIS performs under all normal and abnormal modes as identified in the SRS
  – Confirmation that adverse interaction of the BPCS and other systems do not affect the proper operation of the SIS
  – The proper shutdown sequence is achieved
  – The SIS properly communicates
  – Sensors, logic solvers, and actuators perform according to the SRS
  – Confirmation of proper SIS operation on Bad PV
  – Proper shutdown sequence is activated

97

Validation: Pre-Startup Safety Acceptance Test

• The Validation or PSAT will consist of the following activities
  – The SIS performs under all normal and abnormal modes as identified in the SRS
  – The SIS provides the proper annunciation and display
  – Computations of the SIS are correct
  – SIS reset functions operate as defined in SRS

98

Validation: Pre-Startup Safety Acceptance Test

• The Validation or PSAT will consist of the following activities
  – Bypass functions operate properly
  – Manual shutdown operates properly
  – Proof test intervals are documented in maintenance procedures
  – Diagnostic alarm functions perform as required
  – Confirmation SIS performs as required on loss of power and returns to proper state upon re-application of power

99

Validation Documentation

• Version of the SIS validation planning
• Tools and equipment used, including calibration data
• Test results
• Version of test specification
• Criteria for test acceptance
• Version of SIS
• Discrepancies between expected and actual results
• Decisions taken when discrepancies occur

100

Pre-startup Tasks

• Prior to placing the SIS into service, the following tasks should be performed
  – All bypass functions shall be returned to their normal position
  – All process isolation valves shall be set according to the process start-up requirements
  – All test materials shall be removed
  – All forces shall be removed

101

Summary: FAT, Installation, and Commissioning

• Objectives and Requirements
• Factory Acceptance Testing
• Commissioning Activities
• Validation (PSAT)

102

Section 8: SIS Operation and Maintenance

• Objectives and Requirements
• Procedures
• Training
• Proof Testing

103

Overview

• Objective
  – Ensure functional safety of the SIS is maintained
• Inputs
  – Safety requirements specification
  – SIS Design
  – SIS operation and maintenance
• Outputs
  – SIS operation and maintenance

104

Objectives

• Ensure that the required SIL of each SIF is maintained during operation and maintenance

• Operate and maintain the SIS such that the designed functional safety is maintained

105

Planning Requirements

• Routine and abnormal operations
• Proof testing, preventative and breakdown maintenance activities
• Procedures, measures and techniques to be used for operation and maintenance
• Verification and adherence to operations and maintenance procedures
• Timing for these activities
• Resources responsible for the activities

106

Procedures

• Routine actions required to maintain the “as designed” functional safety of the SIS

• Actions necessary to prevent an unsafe condition during maintenance

• Information to be maintained for system failure and demand rates

• Information to be maintained for audit and test results

• Maintenance procedures for when faults occur

• Ensuring test equipment is calibrated and maintained

107

Training

• Ensure that:
  – Understand how the SIS functions (trip points and resulting actions)
  – Hazard the SIS is preventing
  – Operation of bypass switches and circumstances for their use
  – Operation of manual switches and when they are to be activated (i.e., reset switches)
  – Action taken on diagnostic alarms

108

Proof testing and Inspection

• Periodic proof tests are conducted using written procedures

• The entire SIS shall be tested

• Test interval is based on SIS, and will be re-evaluated based on system performance at a periodic interval

109

[Figure: 1/PFD(t) plotted against time with the IEC 61511 SIL 1 to SIL 4 bands; 1/PFD(t) falls during each test period and is restored at each proof test, and the resulting 1/PFDavg level is marked]

Periodic Inspection Interval

The test period is a parameter which significantly affects the average probability of failure on demand and hence the safety integrity level.

110

[Figure: same 1/PFD(t) versus time plot with the IEC 61511 SIL 1 to SIL 4 bands, drawn with a shorter test period; 1/PFDavg moves into a higher SIL band]

Decreasing the test interval decreases the average failure probability, increasing the safety integrity of the system.

Periodic Inspection Interval
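The two Periodic Inspection Interval slides above, together with the "SIF Probability of Failure" and "Factors affecting SIF Failure Probability" slides in Section 6, describe the check without showing the arithmetic. The following Python is an added example, not part of the exida course material: it uses simplified low demand approximations in the style of IEC 61508-6 (repair time neglected, beta-factor common cause model) for the 1oo1, 1oo2 and 2oo3 architectures named in the fault tolerance table; the function names, the failure rate λDU = 2e-6 per hour and the 10% beta are assumptions constructed for the example.

```python
"""Added example (not from the exida course): PFDavg versus architecture and
proof test interval, using simplified low demand approximations in the style
of IEC 61508-6 (repair time neglected, beta-factor common cause model).
All numeric inputs below are constructed values."""

HOURS_PER_YEAR = 8760.0


def pfd_avg(arch, lambda_du, ti_hours, beta=0.0):
    """PFDavg of one SIF subsystem.

    lambda_du: dangerous undetected failure rate (failures per hour)
    ti_hours:  proof test interval (hours); beta: common cause fraction.
    The approximations hold only while lambda_du * ti_hours is well below 1.
    """
    x = lambda_du * ti_hours          # expected DU failures per test period
    ccf = beta * x / 2.0              # common cause part behaves like a 1oo1 channel
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return ((1.0 - beta) * x) ** 2 / 3.0 + ccf
    if arch == "2oo3":
        return ((1.0 - beta) * x) ** 2 + ccf
    raise ValueError(f"unsupported architecture: {arch}")


def sil_from_pfd(pfd):
    """Map PFDavg to the IEC 61511 low demand SIL band (0 = worse than SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4   # SIL 4 band is 1e-5 <= PFDavg < 1e-4; anything lower still satisfies SIL 4


def sil_table(lambda_du, ti_hours, beta):
    """SIL achieved by each architecture from the fault tolerance table."""
    return {arch: sil_from_pfd(pfd_avg(arch, lambda_du, ti_hours, beta))
            for arch in ("1oo1", "1oo2", "2oo3")}


def max_test_interval_hours(arch, lambda_du, target_sil, beta=0.0):
    """Longest proof test interval keeping PFDavg inside the target SIL band (bisection)."""
    limit = 10.0 ** (-target_sil)     # upper edge of the band, exclusive
    lo, hi = 0.0, 100.0 * HOURS_PER_YEAR
    if pfd_avg(arch, lambda_du, hi, beta) < limit:
        return hi
    for _ in range(60):               # PFDavg rises monotonically with the interval
        mid = (lo + hi) / 2.0
        if pfd_avg(arch, lambda_du, mid, beta) < limit:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    lam, beta = 2e-6, 0.10            # constructed: ~0.0175 DU failures/year, 10 % common cause
    for years in (1.0, 0.5, 0.25):    # annual, semi-annual and quarterly proof tests
        ti = years * HOURS_PER_YEAR
        cells = ", ".join(f"{a}: {pfd_avg(a, lam, ti, beta):.2e} (SIL {sil_from_pfd(pfd_avg(a, lam, ti, beta))})"
                          for a in ("1oo1", "1oo2", "2oo3"))
        print(f"TI = {years:.2f} y  {cells}")
    print("1oo1 needs TI <=", round(max_test_interval_hours("1oo1", lam, 3)), "h for SIL 3")
```

With the constructed inputs, an annual proof test leaves 1oo1 in SIL 2, while 1oo2 reaches SIL 3 and 2oo3 stays in SIL 2 because its common cause term dominates; halving the interval halves the 1oo1 PFDavg, as the slides state.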

111

Proof Test Documentation

• The user shall maintain proof test records that include
  – Description of Test
  – Date of Test
  – Persons involved
  – Identifier of system
  – Test Results

112

Application Exercise 7

• Exercise 7
  – Describe some operational requirements for SIS

113

Summary: Operation and Maintenance

• Objectives and Requirements
• Procedures
• Training
• Proof Testing

114

Section 9: Modification and Decommissioning

• SIS Modifications
• Management of Change
• SIS Decommissioning

115

SIS Modification

• If modifications are performed to an SIS
  – Modifications must be properly planned, reviewed, and approved
  – Required safety integrity must be maintained
• Procedures for modification must be in place
• A full analysis of the impact on functional safety is required
• Work will not begin without proper authorization

116

When is management of change required?

• If operating procedure changes are required
• The process is changed significantly
• Safety requirement specification changes
• Software or firmware changes
• Failure or demand rate is higher than expected

117

When is Management of Change not required?

• “Replacement in kind” of components
• Changes do not affect safety requirements
• Regular calibration and maintenance

118

Considerations for modification

• Technical basis of the change
• Impact of change on safety
• Modifications to operating procedures
• Necessary time period for changes
• Authorization requirements
• Impact on existing equipment
• Process state during change (online change)

119

Modification Documentation

• Modification documentation should contain the following information at a minimum
  – Description of change
  – Reason for change
  – Hazards which might be impacted
  – Analysis of impact on SIS
  – Required approvals
  – Verification tests
  – Configuration history

120

SIS Decommissioning

• When SIS are decommissioned
  – Conduct appropriate safety review and obtain required authorization
  – Ensure required SIF remain operational during decommissioning activities
• Update Hazard and Risk Assessment
  – Functional safety during decommissioning
  – Impact of SIS decommissioning on adjacent operating units and facility services

121

Summary: Modification and Decommissioning

• SIS Modifications
• Management of Change
• SIS Decommissioning

122

Section 10: Management of Functional Safety

• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation

123

Overview

• Objective
  – Identify the management activities that are necessary to ensure functional safety objectives are met

• Requirements
  – The policy and strategy for achieving safety shall be identified together with the means for evaluating its achievement and shall be communicated within the organization
  – A safety management system shall be in place so as to ensure that safety instrumented systems have the ability to place and/or maintain the process in a safe state

124

Resources

• Resources shall be informed of their responsibilities
• Resources shall be competent to carry out activities for which they are accountable
  – Knowledge of application
  – Knowledge of SIS technology
  – Safety engineering knowledge
  – Knowledge of regulatory requirements
  – Adequate management and leadership skills
  – Understanding of potential event consequences
  – The SIL of the safety instrumented functions
  – The novelty and complexity of the application and SIS

125

Planning

• Define required activities
• Resources responsible for activities
• Timing of activities
• Planning shall be updated as necessary through the entire safety lifecycle

126

Implementation and Monitoring

• Implement procedures for resolution of recommendations
  – Hazard and risk assessment
  – Assessment activities
  – Verification activities
  – Validation activities
• Verify quality management of suppliers
• Implement procedures for evaluating performance of SIS against requirements

127

Functional Safety Assessment

• Performed by a team that includes, at a minimum, one competent senior person not involved in the design

• May be performed after the stages below; must be done at least for stage 3
  – Stage 1 – After hazard and risk assessment and safety requirements specification
  – Stage 2 – After SIS design
  – Stage 3 – After commissioning and validation
  – Stage 4 – After experience in ops and maint.
  – Stage 5 – After modification

128

Functional Safety Assessment: Stage 3 Requirements

• Hazard and risk analysis completed, recommendations completed or resolved
• Recommendations from previous functional safety assessment resolved
• SIS designed, constructed and installed per SRS
• Operating and maintenance procedures in place
• Validation activities completed
• Employee training complete
• Plans for further functional safety assessments done

129

Audits and Revisions

• Procedures for auditing compliance with the requirements of the standard defined
  – Frequency of audits
  – Degree of independence of auditor
  – Recording and follow up
• Management of change procedures in place

130

Verification vs. Validation

• Verification
  – The activity of demonstrating for each phase of the relevant safety lifecycle by analysis and/or tests, that, for specific inputs, the deliverables meet in all respects the objectives and requirements set for the specific phase

• Validation
  – The activity of demonstrating that the safety instrumented system under consideration after installation meets in all respects the safety requirements specification.

131

Verification

• Performed for each phase of the safety lifecycle

• Demonstrate the deliverables meet the requirements of that phase

132

Documentation Requirements

• Describe the installation, system or equipment and the use of it

• Be accurate
• Be easy to understand
• Suit the purpose for which it is intended
• Be available in an accessible and maintainable form

133

Documentation to be maintained

• The results of the hazard and risk assessment and the related assumptions

• The equipment used for safety instrumented functions together with its safety requirements

• Organization responsible for maintaining functional safety

• The procedures necessary to achieve and maintain functional safety of the SIS

• Modification information

• Design, implementation, test and validation

134

Documentation Control

• All relevant documents shall be
  – Revised
  – Amended
  – Reviewed
  – Approved
  – Under control of a Document Control Scheme

A Document Control Scheme is mandatory

135

Application Exercise 2

• Functional Safety Management
  – Describe the objectives of functional safety management

136

Summary: Functional Safety Management

• Objectives and Requirements
• Planning
• Verification
• SIS Functional Safety Audit
• Documentation

137

Post Instructional Test

• Answer the questions to the best of your ability

• This test can be used to determine effectiveness of this course

• Instructor will review questions and answers to enhance your learning

138

Final Course Evaluation

• Course Evaluations help us provide the highest quality training programs

• Please complete the form and return it to your instructor