Process Sector Functional Safety - IEC 61511 Changes in 2 Edition · 2020. 9. 2. · made in...

31/10/2016

1

© Engineering Safety Consultants Limited

Process Sector Functional Safety - IEC 61511

Changes in 2nd Edition

Ron Bell

Engineering Safety Consultants Ltd

[email protected]

www.esc.uk.net©

© Engineering Safety Consultants Limited Page 2

Changes to IEC 61511: Edition 2

Please Note: The presentation covers some of the key changes that have been made in Edition 2 of IEC 61511-1 and takes into account the recent Corrigendum that was issued to correct some of the errors in the published version of Edition 2.

The presentation in not intended deal with all the changes that have been made but those that are covered in the presentation are indicative of some of the key changes.

To indicate an overall theme, in respect of specific changes, not all the paragraphs in the slides may have changed and during the actual presentation this would have been explained.

31/10/2016

2



1. Background & relationship to IEC 61508

2. Key changes to IEC 61511 Edition 2 (focussed on IEC

61511-1 containing the normative requirements)

3. Current position of the Second Edition

4. Current position of IEC 61508








31/10/2016

3


IEC 61508 and Functional Safety

IEC 61508

Title: Functional safety of electrical,

electronic & programmable

electronic safety-related systems….

A eight Part international standard covering

all safety lifecycle activities...concept......

specification...design...implementation…operation

maintenance & modification

IEC 61508 and Functional Safety

Part 0: Functional safety and IEC 61508 (IEC TR 61508-0)

Part 1: General requirements

Part 2: Requirements for electrical, Electronic, programmable

electronic systems

Part 3: Software requirements

Part 4: Definitions and abbreviations

Part 5: Examples of methods for the determination of safety integrity

levels

Part 6: Guidelines on the application of Parts 2 & 3

Part 7: Overview of techniques and measures

Parts 1, 2 & 3 contain normative & informative requirements

Parts 0, 5, 6 & 7 contain only informative requirements

A “shall” is a normative requirement

A “should” is an informative requirement

Notes are informative

31/10/2016

4

The Parts of IEC 61508

Part 0: Functional safety and IEC 61508 (IEC TR

61508-0)

Part 1: General requirements

Part 2: Requirements for electrical, electronic,

programmable electronic systems

Part 3: Software requirements

Part 4: Definitions and abbreviations

Part 5: Examples of methods for the determination of

safety integrity levels

Part 6: Guidelines on the application of Parts 2 & 3

Part 7: Overview of techniques and measures

Standalone & and sector/product standards

Standalone

IEC

61508

Elements to

IEC 61508

Elements to IEC 61508 used in Sector implementations

IEC 62061: Machinery

IEC 61511: Process

IEC 61513: Nuclear**

Sector & product implementations

IEC 61800-5-2

Power drives

EN 50128 / EN 50129**Railway applications

31/10/2016

5

Standalone & and sector/product standards

Market benefits of generic elements

IEC

61508

Sector & product standards

Large market for generic elements &

conforming to IEC 61508

Elements to IEC 61508 used in

sector & product standards

Compliance requirements to

IEC 61508 is a basic safety publication

IEC 61508 and IEC 61511

Process sector safety instrumented

safety systems standard

Manufacturers

and suppliers of

devices

IEC 61508

Safety instrumented

systems designer’s,

integrator’s and

end user’s

IEC 61511

31/10/2016

6

Hardware

Using

Prior Use

Hardware

Devices

Integrating

hardware

devices

complying

with

IEC 61508

Developing

new

Hardware

devices

Follow

IEC 61508

PU: Follow

IEC 61511

Follow

IEC 61511

IEC 61511: Process sector safety

instrumented safety systems standard

Software

Developing

embedded

(system)

software

Developing

application

software:

Full

Variability

Language

Developing

Application

software:

Limited

Variability

Language

or Fixed

Program

Language

Follow

IEC 61508

Follow

IEC 61508

Follow

IEC 61511

Comment: Confusing Figure: Prior Use is focussed on achievement of

Systematic Capability

Design requirements to achieve a specified SIL

Quantify random hardware

failures to meet the target

failure measure for the

specified SIL

Systematic

Safety Integrity

Hardware

Safety Integrity

Comply with the requirements

for Proven in Use (PIU) for the

specified SIL

or


for systematic safety integrity

for the specified SIL

&


for Architectural Constraints

for specified SIL

&

To meet specified

SIL for the SIF

IEC 61508

31/10/2016

7

Design requirements to

achieve a specified SIL

Comply with the HFT requirements

(IEC 61511)

Quantify random hardware

failures

Comply with the requirements for

systematic safety integrity (IEC

61508)

To meet specified

SIL for the SIF

&

orSystematic

Safety Integrity

Hardware

Safety Integrity


based on Prior Use (IEC 61511)

&

or

Comply with the HFT requirements

(IEC 61508)

Comply with Application Program

requirements for LVL & FPL

&IEC 61511

Use of IEC requires an

understanding of both

IEC 61508 and IEC 61511







31/10/2016

8


The Parts of IEC 61511: Edition 2

• Title: Functional safety - Safety Instrumented

systems for the process industry sector –

• Part 1: Framework, definitions, system, hardware and

application programming requirements

• Part 2: Guidelines for the application of IEC 61511-1

• Part 3: Guidance for the determination of the required

safety integrity levels



• Process sector implementation of IEC 61508

• 1st edition published 2003

• Part 1 contains normative and informative clauses; Parts 2 & 3 contain only informative clauses.

• This presentation is based on published versions of IEC 61511:

Part 1 + Corrigendum;

Part 2;

Part 3.

• BSI have not yet published these standards

• Part 1 is subject to an Amendment…IEC publication December 2017!

31/10/2016

9


The Parts of IEC 61511: Edition 2

IEC 61511 Edition 1

• Part 1 - 84 pages



IEC 61511 Edition 2

• Part 1 -80 pages


• Part 3-102 pages:


Clause 1: Scope

• “Pharmaceuticals, food and beverage”’ added

• “Oil refining & oil and gas production” changed to: “Oil

and gas” …..upstream activities e.g. drilling are not

excluded!

• Relationship with IEC 61508 clarified:

– Application programming

– IEC 61508 for developing new hardware or system software

31/10/2016

10


Clause 2: Normative References

“The following documents, in whole or in part, are

referenced in this document and are indispensable for its

application”

…does not necessarily mean full compliance is necessary.

• IEC 61508-1 added (was not in Edition1!)

• IEC 61508-1, -2, -3 :2010

• IEC 60654 – Process measurement & control equipment – removed

• IEC 61326 – Measurement, control & laboratory equipment - EMC

requirements - removed

• IEC 61784-3:2010 – Functional safety fieldbuses - added


Clause 3: Terms & Definitions

• Aligned with other IEC definitive references (IEV,

ISO/IEC guide 51

• Terms common with IEC 61508 are aligned as far as

possible – some editorial differences but no

difference in technical meaning

• Several new definitions to clarify application of the

standard but no fundamental changes

31/10/2016

11


Clause 4: Conformance to the IEC 61511-1-2016

• No change


Clause 5: Management of functional safety

Competence management procedure

• 5.2.2.2 Persons, departments or organizations involved in SIS

safety life-cycle activities shall be competent to carry out the

activities for which they are accountable.

• The following items shall be addressed and documented when

considering the competence of persons, departments,

organizations or other units involved in SIS safety life-cycle

activities:

a) engineering knowledge, training and experience appropriate to

the process application;

b) engineering knowledge, training and experience appropriate to

the applicable technology used (e.g., electrical, electronic or

programmable electronic)

…………………….

……………………

31/10/2016

12



5.2.2.3

A procedure shall be in place to manage competence of all those

involved in the SIS life cycle. Periodic assessments shall be carried

out to document the competence of individuals against the

activities they are performing and on change of an individual within

a role.

SIS safety lifecycle: IEC 61511

Stage 1

Functional Safety

Assessment Stages

Hazard & Risk Analysis

Allocation of safety functions

to protection layers

Installation, commissioning &

validation

Operation & maintenance

Modification

Decommissioning

Design &

engineering

of other risk

reduction

measures

Safety requirements

specification for the SIS

Design & engineering

of the SIS

Stage 2

Stage 3

Stage 4

Stage 5

31/10/2016

13



Functional safety assessment (FSA)

Membership of the FSA Team shall include at least one senior

competent person not involved in the project design team (Stages

1,2 and 3) or not involved in the operation and maintenance of the

SIS ( for Stages 4 and 5).

Shall be carried prior to hazards being present;

A FSA shall be carried out periodically during the Operations and

Maintenance phase of Safety Lifecycle

SIS safety lifecycle: IEC 61511

Stage 1

Functional Safety

Assessment Stages

Hazard & Risk Analysis

Allocation of safety functions

to protection layers

Installation, commissioning &

validation

Operation & maintenance

Modification

Decommissioning

Design &

engineering

of other risk

reduction

measures

Safety requirements

specification for the SIS

Design & engineering

of the SIS

Stage 2FSA Required to be

undertaken prior to

the hazards being

present

Stage 3

Required to be undertaken

periodicallyStage 4

Stage 5

31/10/2016

14



• Competence management procedure

• Functional safety assessment (FSA)

– Prior to hazards being present and periodic FSAs

during Operations and Maintenance phase of

Safety Lifecycle and before any modification(s)

• Functional safety audit

– Independent person

• Configuration management

– Software, hardware and procedures used to

develop and execute application program subject

to configuration management & revision control


Clause 6:Safety life-cycle requirements

• Any change pertaining to an earlier life-cycle

phase requires re-verification of earlier

phase(s)

• Application program life-cycle included

31/10/2016

15


Clause 7:Verification

• Verification planning shall …..address the

following:

Adequacy of life-cycle phase outputs

Correctness of data

Testing strategy, methods, procedures

Verification of non-interference of non-safety

functions integrated with safety functions

Re-verification of any modification(s)


Clause 8 : Process Hazard & Risk Assessment

• Security risk assessment added

Threats & consequences (including likelihood)

Measures taken to reduce or remove threats

Reference to ISA TR84.00.09, ISO/IEC 27001:2001,

IEC 62443:2010

31/10/2016

16


Clause 9: Allocation of Safety Functions to Protection Layers

A risk reduction >10,000 for any SIS or multiple SIS in

conjunction with a BPCS protection layer… requires a

reconsideration of the application to determine if the risk

reduction requirement of >10,000 can be avoided.

The review shall consider whether:

The process can be modified to remove or reduce hazards at

source;

Additional safety-related systems…… not based on

instrumentation can be introduced;

The severity of the consequence can be reduced (e.g. reducing

the amount of hazardous material).

The likelihood of the specified consequence can be reduced

(e.g. reducing the likelihood of the initiating source of the

hazardous event).



If after further consideration a risk reduction requirement

>10 000 is still required, then consideration should be given

to achieving the safety integrity requirement using a number

of protection layers (e.g., SIS or BPCS) with lower risk

reduction requirements.

If the risk reduction is allocated to multiple protection

layers, then such protection layers shall be independent

from each other or the lack of independence shall be

assessed and shown to be sufficiently low compared to the

risk reduction requirements.

31/10/2016

17



If a risk reduction requirement >10 000 ……is to be

implemented, whether allocated to a single SIS or multiple

SIS or SIS in conjunction with a BPCS protection layer, then

a further risk assessment shall be carried out using a

quantitative methodology to confirm that the safety integrity

requirements are achieved.

The methodology shall take into consideration dependency

and common cause failures between the SIS and:

any other protection layer whose failure would place a demand

on it;

any other SIS reducing the likelihood of the hazardous event;

any other risk reduction means that reduce the likelihood of the

hazardous event (e.g., safety alarms).



31/10/2016

18


Clause 10: SIS Safety Requirements Specification

• Proof test implementation

• Written procedures for bypasses

• Application program safety requirements


Clause 11: SIS design & engineering

• Design to provide resilience against security risks

• Safety manual to be provided

• All communications to use techniques appropriate for

safety applications

• System behaviour on fault detection

Simplified – compensating measures

• Hardware fault tolerance

Follows IEC 61508 route 2H (see detail)

• Quantification of failure to include proof test coverage

and reliability of utilities

31/10/2016

19

IEC 61511: HFT requirements

Edition 1

Comply with the HFT

requirements

(IEC 61511)

PE Logic

Solvers

Sensors & final

elements and

non PE-Logic

Solvers

For PE Logic Solvers the HFT requirements

are virtually the same as for IEC 61508

SIL Minimum HFT

1 0

2 1

3 2

4 Special requirements apply

(see IEC 61508)

IEC 61511-1 Table 6

The HFT requirements specified in Table 6 may be reduced further

Requirements for further reducing the HFT

IEC 61511 Edition1

The HFT requirements specified in Table 6 may be

reduced by one providing that the dominant failure

mode is to the safe state or dangerous failures are

detected, otherwise the fault tolerance shall be

increased by one:

The hardware devices selected on the basis of prior use

The device allows adjustment of process parameters only

The adjustment of process-related parameters of the device is

protected

The function has a SIL requirement of less than 4

31/10/2016

20


Clause 11.4: Minimum Hardware Fault Tolerance

Edition 1: IEC 61511 - Minimum Hardware Fault Tolerance

Edition 1: (PE Logic Solvers)

SIL SFF<60% 60% SFF 90% SFF>90%

1 1 0 0

2 2 1 0

3 3 2 1

4 See IEC 61508 See IEC 61508 See IEC 61508



Edition 1: IEC 61511 - Minimum Hardware Fault Tolerance

Final Elements &

non-PE logic solvers

SIL Note 1 Note 2 Note 3

1 0 0 1

2 0 1 2

3 1 2 3

4 See IEC 61508 See IEC 61508 See IEC 61508

Note 1: – Meets prior use requirements & only process-related parameters can be adjusted &

adjustments protected & SIF < SIL4

Note 2: – Dominant failure mode to safe state and dangerous failures detected

Note 3: – Dominant failure mode not to safe state or dangerous failures not detected

31/10/2016

21





• If the SIS does not comprise FVL or LVL programmable devices

and the HFT specified in the Table would result in additional

failures and lead to decreased process safety then the HFT may be

reduced.

• If an HFT equal to 0 results from applying this reduction, this shall

be justified by providing evidence that the related dangerous

failure modes can be excluded in accordance with clause 11.4.4.

Including consideration of the potential for systematic failures.

• Clause 11.4.4 allows the determination of the achieved HFT for

certain faults to be excluded provided that the likelihood of them

occurring is very low in relation to the safety integrity

requirements. Any such fault exclusions have to be justified and

documented.

• [This reduction to an HFT of zero is shown on the next slide]

31/10/2016

22




Clause 11.9: Quantification of random failure

• More detailed and extensive and requiring more rigour than

IEC 61511

Example:

• 11.9.2 The calculated failure measure of each SIF due to random

failures shall take into account all contributing factors including the

following:

……….

……….

(h) The coverage of any periodic proof tests, the associated

proof test procedure and the reliability for the proof test

facilities and procedure;

• 11.9.4 The reliability data used when quantifying the effect of

random failures shall be credible, traceable, documented, justified

and shall be based on field feedback from similar devices used in a

similar operating environment.

31/10/2016

23


Clause 11: SIS design & engineering

• Prior Use: no major changes ….now indicates it

relates to systematic failures

Hardware

Using

Prior Use

Hardware

Devices

Integrating

hardware

devices

complying

with

IEC 61508

Developing

new

Hardware

devices

Follow

IEC 61508

PU: Follow

IEC 61511

Follow

IEC 61511

IEC 61511: Process sector safety

instrumented safety systems standard

Software

Developing

embedded

(system)

software

Developing

application

software:

Full

Variability

Language

Developing

Application

software:

Limited

Variability

Language

or Fixed

Program

Language

Follow

IEC 61508

Follow

IEC 61508

Follow

IEC 61511

Comment: Confusing Figure: Prior Use is focussed on achievement of

Systematic Capability

31/10/2016

24


Clause 12: SIS application program development

• Streamlined and made more relevant for

application program (FPL and LVL) rather than

embedded software (FVL)

FPL: Fixed Program Language;

LVL: Limited Variability Language;

FVL: Full Variability Language.


Clause 13: Factory acceptance test (FAT)

• Changed from informative to normative (when

FAT is specified)

31/10/2016

25


Clause 14 & 15:SIS installation, commissioning & validation

• No significant changes


Clause 16: SIS operation & maintenance

• Management procedures to review deferrals

and prevent significant delay to proof testing

31/10/2016

26


Clause 17: SIS modification

• Not to begin until a Functional Safety

Assessment is completed

• Modification log


Clauses 18 & 19: Decommissioning, Information & Documentation

• No significant changes

31/10/2016

27














31/10/2016

28


Current position: Edition 2

Two Maintenance Teams

MT 61508-1/2 dealing with all aspects of the standard apart from

the software

MT 61508-3 focusing solely with software

Currently MT 61508-3 are preparing a Technical

Specification for the software requirements relating to the

Proven in Use concept in IEC 61508.

It is intended that this Technical Specification will be

incorporated into IEC 61508 Edition 3 as a normative

requirement. It will have implications in the longer term for

such concepts as Prior Use in IEC 61511.


Current position: Edition 2

Both Working Groups are in the process of starting the

revision of IEC 61508 Edition 2.

The process will begin with a request for comments from

National Committees within the IEC worldwide. This will

decide whether to move forward with the revision.

A small working group has been set up to carry out a pilot

project with the objective of ensuring that IEC Working

Groups developing standards on functional safety comply

with the requirements of IEC 61508 (since its status is a

Basic Safety Standard)

Process Sector Functional Safety - IEC 61511 Changes in 2 Edition · 2020. 9. 2. · made in...

Documents

Transcript of Process Sector Functional Safety - IEC 61511 Changes in 2 Edition · 2020. 9. 2. · made in...