IEC61511-2017 2nd Edition PDF


Canadian Society for Chemical Engineering (CSChE)

67th Canadian Chemical Engineering Conference


EDMONTON, AB
OCTOBER 22-25, 2017
MONDAY, 23 OCTOBER, 2017

Guillermo Pacanins, P. Eng.,


FS Senior Expert TÜV (Rheinland), PH&RA, SIS
Process Safety Advisor
ACM Facility Safety

1
International Electrotechnical Commission, IEC

The International Electrotechnical Commission (IEC) is the world’s leading
organization that prepares and publishes International Standards for all
electrical, electronic and related technologies.

Millions of devices that contain electronics, and use or produce electricity,
rely on IEC International Standards and Conformity Assessment Systems to
perform, fit and work safely together.

Founded in 1906, the IEC (International Electrotechnical Commission) is the
world’s leading organization for the preparation and publication of
International Standards for all electrical, electronic and related
technologies. These are known collectively as “electrotechnology”.

IEC provides a platform to companies, industries and governments for meeting,
discussing and developing the International Standards they require.

All IEC International Standards are fully consensus-based and represent the
needs of key stakeholders of every nation participating in IEC work. Every
member country, no matter how large or small, has one vote and a say in what
goes into an IEC International Standard.

Over 10,000 experts from industry, commerce, government, test and research
labs, academia and consumer groups participate in IEC Standardization work.

Globally relevant
The IEC is one of three global sister organizations (IEC, ISO, ITU) that
develop International Standards for the world.

When appropriate, IEC cooperates with ISO (International Organization for
Standardization) or ITU (International Telecommunication Union) to ensure that
International Standards fit together seamlessly and complement each other.
Joint committees ensure that International Standards combine all relevant
knowledge of experts working in related areas.

Source: http://www.iec.ch/about/
2

IEC members are National Committees (NCs) and there can only be one per country. Individuals participate
in the IEC's work through the National Committees.
Membership levels
There are two levels of membership:

Full members - NC has access to all technical and managerial activities and functions, at all levels of the IEC,
including voting rights in Council.

Associate members - NC has full access to all working documents but limited voting rights in the technical
work and no eligibility to managerial functions within the IEC.

3
Functional Safety Standards

4
International Electrotechnical Commission, IEC

IEC 61511 Ed. 2

5
IEC 61511 – Functional Safety timeline

IEC 61511: Ed. 1, Ed. 2
IEC 61508: Ed. 1, Ed. 2
ANSI/ISA S84.01 1996, ANSI/ISA S84.01 2004
DIN V 19250

DIN V 19250: 1989-01 Control technology; fundamental safety aspects to be considered for
measurement and control equipment
DIN V VDE 0801 "Principles for computers in safety-related systems"

ANSI American National Standards Institute
ISA International Society of Automation
DIN Deutsches Institut für Normung - V Vornorm
VDE Verband der Elektrotechnik Elektronik Informationstechnik

6
Revised IEC 61511:2016 - 2nd Edition

IEC 61511 is still the main standard for “Process” Functional Safety.

• First published in 2003 – IEC 61511:2003 first edition, Ed 1.
• Since February 2016 the 2nd edition has been in effect – IEC 61511:2016.
• The second edition cancels and replaces the first edition, Ed 1.
• The objective of this standard has been and still is to facilitate the use of
SIFs and their application in the area of Process Functional Safety.

IEC 61511-1 Ed. 2.1 en:2017 - IEC 61511-1:2016+A1:2017

Note: SIFs are considered to be composed of electrical, electronic and programmable electronic devices (“electrotechnology”).

7
IEC 61511:2003 Ed. 1 in the last 14 years

Has been recognized worldwide as the “standard for Process Functional Safety”.

Has influenced the design and development of safety instrumented functions:

SIS are engineered, designed and managed to fulfill the requirements of IEC 61511.
Subsystems such as sensors, logic solvers and actuators are assessed, qualified and certified.
Hardware/software design acc. to IEC 61508.

Has been part of the development of sector/application dependent standards:

IEC 61511:2003 for the process industry sector.

8
Revised IEC 61511:2016 - 2nd Edition

Main subjects:
• Systematic Capability – (Prior Use – Proven in Use), SC 1, 2, 3, 4
(Requirement for selection of devices based on prior use).
• Security Levels – SL (Risk Analysis EUC, process - CHAZOP), (Safety/Security
differences)
• Formal review by operations and maintenance of the hazard and risk
assessments
• Allocation of safety functions to protection layers; new BPCS considerations,
common cause, operating modes, dependent failures consideration requirements
• “Prior use” defined and new requirements. (Proven in Use IEC 61508:2010)
• Application program SIS safety life-cycle requirements
• Safety Manual - (Documentation requirements)
• Functional Safety Management – Audits
• Functional Safety Assessment, FSA
9
Important differences between the 1st and 2nd editions of
IEC 61511

10
IEC 61511 2nd edition changes Summary
The new 2nd edition of IEC 61511 includes:
• Grandfather clause is still excluded, “y”
• SIF mode of operation: low demand mode, high demand mode, and continuous mode
• Definitions about SIFs used as hazardous event prevention, and mitigation safeguards
• New requirements for Functional Safety Management, FSM, systems
• New requirements for Functional Safety Assessments, FSA - (e.g. FSA before modification)
• Application program SIS safety life-cycle requirements
• More detailed requirements for verification activities, (verification requirements and planning)
• Process hazard and risk assessment, new requirements for security risk assessment
• New security risk assessments, relating to deliberate malicious acts. (e.g. terrorist, sabotage acts)
• More details for SIL 4 applications - SIL 4; 9.2.5 - 9.2.6 - 9.2.7
• Allocation of safety functions to protection layers; new BPCS considerations, common causes, operating
mode, dependent failures consideration requirements;
• Clarification of requirements for risk reduction that is spread across multiple SIFs
• Revised “application program” development requirements – SRS for application program
• Additional requirements for bypasses (Design & Engineering, and Operations & Maintenance)
• Safety manual covering operation, maintenance, fault detection and constraints of the SIS
• New requirements for hardware fault tolerance, HFT (No SFF needed or required)
• Requirements for better substantiation of the failure rate data and of uncertainties in the data, Part 2
• “Prior use” defined and new requirements – Systematic Integrity – “Proven in use”
• Proof testing of SIF clarified, defined, and formalized in the SRS.
• New requirements for systematic capability, SC, systematic integrity.
• SIS operation and maintenance revised – bypasses, etc.
• Formal review by operations and maintenance of the hazard and risk assessments
• New requirements for formal procedures to manage competence. (Knowledge, training, and skills)
• Modification activity shall not begin until a FSA is completed.
• More examples and clarifications Part 2. New annexes with detailed guidance – Part 3 of standard
11
Clause 1: Scope

12
Users of IEC Standards (Scope)
• Trend in the process industry is toward IEC 61511

Process Sector SIS Standards:
Manufacturers & Suppliers of devices – IEC 61508
SIS Designers, Integrators & Users – IEC 61511

e) applies to a wide variety of industries within the process sector for example,
chemicals, oil and gas, pulp and paper, pharmaceuticals, food and beverage,
and non-nuclear power generation.
NOTE 1: Within the process sector some applications may have additional requirements that have to be satisfied.

13
Framework & Scope

• Scope now includes pharmaceuticals, food and beverage, and non-nuclear
power generation. (Before: chemicals, oil and gas, pulp and paper.)
• SIFs in continuous or demand mode of operation; both could be safety
instrumented preventing or mitigating functions.
• Low demand, high demand, or continuous operating modes.
• Definition of “protection layer”, preventing or mitigating.
• Definition of safety function, and safe state, with respect to an identified
hazardous event.

14
Clause 1: Scope
Figure 4 in the 1st edition had a diagram showing how a demand mode safety
function could be further split into prevention or mitigation functions. The 2nd
edition removes this distinction and shows continuous mode or demand mode
functions.

Figure: 1st Edition diagram (demand mode split into prevention/mitigation) beside the 2nd Edition diagram (continuous mode or demand mode)

15
Clause 2: Normative References

16
Clause 2: Normative References
Maintains the same relationship to IEC 61508, makes reference to the April 2010
IEC 61508 2nd Ed., and no longer lists several other older IEC standards.
Reference to IEC 61784-3:2010 – Functional Safety Fieldbuses was added.

Process sector Safety Instrumented System standards:
Manufacturers and suppliers of devices – IEC 61508
Safety instrumented systems designers, integrators and users – IEC 61511

Maintains the same process sector Safety Instrumented System relationship to IEC 61508.
17
Clause 2: Normative References

No significant changes.

18
Clause 4: Conformance to the IEC61511 series

Clause 4 Conformance to the IEC 61511-1:2016

There are no significant changes to clause 4 Conformance to the IEC 61511
international standard.

Quality Management Conformance

Conformance to the IEC 61511-1:2016
To conform to the IEC 61511-1:2016, it shall be shown that each of the
requirements outlined in Clause 5 through Clause 19 has been satisfied to the
defined criteria and therefore the clauses’ objectives have been met.

19
Clause 5: Management of functional safety
Safety Life Cycle Activity 10

20
Formal Competency Requirements

• IEC 61511:2003 required personnel accountable for the management of
functional safety to be competent to carry out management activities.
• IEC 61511:2016 specifies a list of items to consider when evaluating the
competency of personnel involved in the process safety life cycle activities.
(Evaluation of personnel competency must be “documented”).
• A documented procedure must be in place to verify and assess the
competency of personnel involved in the functional safety activities.
• IEC 61511:2016 requires periodic functional safety competency
assessments.

21
Functional Safety Management, FSM

• Organization
• Responsibility
• Assurance of staff competency for those involved with the development or
application of functional safety
• Who is doing the functional safety assessment
• Independence of the functional safety assessors from those developing
products or systems under audit
• Configuration and change management
• System operation
• Removal from service after stated "mission time"
• Development processes

22
Revised IEC 61511:2015 - 2nd Edition

What is the intent? Functional Safety Management, FSM

• To have and use safety related procedures, tools, templates
• To implement a Safety plan and Verification & Validation plan
• To assign responsible and competent personnel in the area of Functional Safety.
• To have a document control procedure, Management of Change, (life cycle
documentation, maintainable documentation)
• To review testing procedures/checklists, (verification)
• To carry out functional safety assessments and validations
• To employ and educate safety competent personnel.
• To assure that safety integrity will be maintained within the SIL target
during the life time of the SIS.
• To carry out periodical safety audits.

23
Revised IEC 61511:2016 - 2nd Edition

Functional Safety Management

Figure (percentages by life-cycle phase):
Specification 44%
Modification after setting into operation 20%
Design & Implementation 15%
Operation & Maintenance 15%
Installation & Setting into Operation 6%

Objective:
Fault/failure avoidance by managing deficiencies of specification,
design, development, installation and operating faults.

Source: “Out Of Control”, UK HSE (September 2004)


24
Functional Safety Management, FSM

3.2.80 and 3.2.81

Systematic failures can be avoided or reduced by Functional Safety Management!

• Systematic safety integrity / capability
Reduction/avoidance of systematic failures in hardware and software (caused
by development, embedded in a SIS)
Reduction/avoidance of systematic failures during specification,
realisation, planning, installation, validation, operation, maintenance and
modification of a SIS

3.2.82 Systematic safety integrity
part of the safety integrity of the SIS relating to systematic failures in a dangerous
mode of failure.
NOTE 1: Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity).
NOTE 2: See also 3.2.26 hardware safety integrity.

25
Functional Safety Assessment, FSA

• IEC 61511:2016 also requires an FSA to be carried out after validation and before
operations.
• Additionally, an FSA is required to be carried out periodically during phase 6 of the
safety life cycle, Operations & Maintenance.
• Phase 7, Modification: activity shall not begin until an FSA is completed,
including for the application program.
• When planning the approved modification activities an FSA must be included
(planning documentation would be used for verification purposes).

26
Clause 5: Management of functional safety, - FSA

5.2.6.1.5 Prior to the hazards being present the FSA team shall undertake
functional safety assessment(s)…

5.2.6.1.10 A FSA shall also be carried out periodically during the
operations and maintenance phase…

5.2.6.1.9 In cases where a FSA is carried out on a modification the
assessment shall consider the impact analysis carried out…

27
Clause 6: Safety life cycle requirements
Safety Life Cycle Activity 11

28
Clause 6: Safety lifecycle requirements
Software, application programming life-cycle diagram (Figure 8) and overview
table (Table 3) have now been moved to clause 6 (from Clause 12, Software).
6.2 Requirements
6.2.1 A SIS safety life-cycle incorporating the requirements of the
IEC 61511 series shall be defined during safety planning. The safety life-
cycle shall also address the application programming (see 6.3.1).
6.3 Application program SIS safety life-cycle requirements
6.3.1 Each phase of the application program safety life-cycle (see figure 8)
shall be defined in terms of its elementary activities, objectives, required input
information and output results and verification requirements (see table 3).
6.3.2 Methods, techniques and tools shall be applied for each life-cycle phase
in accordance with 12.6.2.
6.3.3 Each phase of the application program safety life-cycle shall be verified
(see clause 7) and the results shall be available as described in clause 19.
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle
Table 3 – Application program safety life-cycle: overview
Clause 7 7.2.2 Where the verification includes testing, the verification planning shall also address the following:
a) the strategy for integration of application program and hardware and field devices, including the integration of sub-
systems that shall comply with other standards (such as machinery, burner);
b) test scope (describes the test set-up and what type of test to be performed including the hardware, application
programming, and programming devices to be included);
29
Clause 6: Safety lifecycle requirements
6.3 Application program SIS safety life-cycle requirements
6.3.1 Each phase of the application program safety life-cycle (see figure 8)
shall be defined in terms of its elementary activities, objectives, required input
information and output results and verification requirements (see table 3).

Figure 8 – Application program safety life-cycle and its relationship
to the SIS safety life-cycle

30
Clause 7: Verification
Safety Life Cycle Activity 9

31
Clause 7: Verification
Software and application programming requirements have now been added to clause 7 (from Clause 12).
7.2 Requirements
7.2.1 Verification planning shall be carried out throughout the SIS safety life-cycle and shall
define all activities required for the appropriate phase (Figure 7) of the safety life-cycle,
including the application program. Verification planning shall conform to the IEC 61511 series
by addressing the following:
a) the verification activities;
b) the procedures, measures and techniques to be used for verification including
implementation and resolution of resulting recommendations;
c) when these activities will take place;
d) the persons, departments and organizations responsible for these activities, including
levels of independence;
e) identification of items to be verified;
f) identification of the information against which the verification is carried out;
g) the adequacy of the outputs against the requirements for that phase;
h) correctness of the data;
i) how to handle non-conformances;
j) tools and supporting analysis;
k) the completeness of the SIS implementation and the traceability of the requirements;
l) the readability and audit-ability of the documentation;
m) the testability of the design.
32
Clause 8: Process Hazard and Risk Assessment
Phase 1

33
Cyber Security Risk Analysis - Assessment

• IEC 61511:2016 requires a security risk assessment to be carried out to identify
any security vulnerabilities of the SIS.
• The security risk assessment also includes intentional attacks on the hardware,
application programs and related software, as well as unintended events
resulting from human error.
• The security risk assessment must also determine requirements for additional
risk reduction measures or controls against the identified threats,
including a description of, or references to information on, the measures or
controls taken to reduce or remove the threats.

34
Clause 8: Process hazard and risk assessment
8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of
the SIS. It shall result in:
a) a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any
other device connected to the SIS);
b) a description of identified threats that could exploit vulnerabilities and result in security
events (including intentional attacks on the hardware, application programs and related
software, as well as unintended events resulting from human error);
c) a description of the potential consequences resulting from the security events and the
likelihood of these events occurring;
d) consideration of various phases such as design, implementation, commissioning,
operation, and maintenance;
e) the determination of requirements for additional risk reduction;
f) a description of, or references to information on, the measures taken to reduce or remove
the threats.
NOTE 1 Guidance related to SIS security is provided in ISA TR84.00.09.
NOTE 2 The information and control of boundary conditions needed for the security risk assessment are
typically with owner/operating company of a facility, not with the supplier. Where this is the case, the
obligation to comply with 8.2.4 can be with the owner/operating company of the facility.
NOTE 3 The SIS security risk assessment can be included in an overall process automation security risk
assessment.
NOTE 4 The SIS security risk assessment can range in focus from an individual SIF to all SISs within a
company.
35
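As an added example (not from the presentation or from IEC 61511), the following Python checks a security risk assessment record against the six deliverables that 8.2.4 a) to f) call for, and uses a simple consequence x likelihood ranking to decide which threats need the additional risk reduction of item e). The ordinal scales, the tolerable-risk threshold, the data classes and the sample assessment are all assumptions of this example; the five phases come from 8.2.4 d).

```python
"""Added example, not from the presentation or from IEC 61511: a checker for the
six deliverables that 8.2.4 a)-f) require from an SIS security risk assessment,
with a simple consequence x likelihood ranking used to decide which threats
need additional risk reduction (item e). Scales and threshold are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales are an assumption of this example; IEC 61511 does not prescribe them.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Life-cycle phases named in 8.2.4 d).
PHASES = {"design", "implementation", "commissioning", "operation", "maintenance"}


@dataclass
class Threat:
    description: str      # 8.2.4 b) threat that could exploit a vulnerability
    intentional: bool     # True = deliberate attack, False = human error
    consequence: str      # 8.2.4 c) low / medium / high
    likelihood: str       # 8.2.4 c) low / medium / high
    phases: List[str]     # 8.2.4 d) phases in which the threat applies
    measures: List[str]   # 8.2.4 f) measures taken (or references to them)


@dataclass
class SecurityRiskAssessment:
    devices: List[str]    # 8.2.4 a) SIS, BPCS and anything connected to the SIS
    threats: List[Threat]
    tolerable_risk: int = 4   # assumed company threshold on the 1..9 score


def risk_score(threat: Threat) -> int:
    """Consequence x likelihood on the assumed 1..3 scales (1..9)."""
    return LEVELS[threat.consequence] * LEVELS[threat.likelihood]


def check_assessment(sra: SecurityRiskAssessment) -> Dict[str, List[str]]:
    """Return the 8.2.4 gaps found and the threats that need additional risk reduction."""
    gaps: List[str] = []
    needs_reduction: List[str] = []

    if not sra.devices:
        gaps.append("a) no devices described as covered by the assessment")
    if not sra.threats:
        gaps.append("b) no threats identified")
    # 8.2.4 b) asks for both intentional attacks and unintended human error.
    if sra.threats and not any(t.intentional for t in sra.threats):
        gaps.append("b) no intentional attacks considered")
    if sra.threats and not any(not t.intentional for t in sra.threats):
        gaps.append("b) no unintended events from human error considered")

    for t in sra.threats:
        unknown = [p for p in t.phases if p not in PHASES]
        if not t.phases or unknown:
            gaps.append(f"d) '{t.description}': phases missing or unknown {unknown}")
        if risk_score(t) > sra.tolerable_risk:
            needs_reduction.append(t.description)          # 8.2.4 e)
            if not t.measures:
                gaps.append(f"f) '{t.description}': above tolerable risk but no measures recorded")
    return {"gaps": gaps, "needs_additional_risk_reduction": needs_reduction}


# Constructed sample assessment (not real plant data).
SAMPLE = SecurityRiskAssessment(
    devices=["SIS logic solver", "engineering workstation", "BPCS"],
    threats=[
        Threat("Unauthorised logic change from the engineering workstation", True,
               "high", "medium", ["operation", "maintenance"],
               ["logic solver key switch in RUN", "workstation access control"]),
        Threat("Maintenance bypass left active after a proof test", False,
               "medium", "medium", ["maintenance"], ["bypass alarm and log"]),
        Threat("Malware carried in on a maintenance laptop", True,
               "high", "low", ["maintenance"], ["media and laptop controls"]),
        Threat("HMI left network-reachable after commissioning", False,
               "high", "high", [], []),
    ],
)

if __name__ == "__main__":
    result = check_assessment(SAMPLE)
    for line in result["gaps"]:
        print("GAP:", line)
    for name in result["needs_additional_risk_reduction"]:
        print("NEEDS RISK REDUCTION:", name)
```

Run as a script it lists two gaps (the last threat has no phase and no measures) and two threats above the assumed threshold. The point of the structure is that item e) is derived from c), so a threat cannot be ranked high and left without an f) entry without the checker noticing, which is the kind of traceability NOTE 2 leaves with the owner/operating company.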
Clause 9: Allocation of safety functions to protection layers
Phase 2

36
Allocation of safety functions to protection layers

• If a SIL 4 SIF is required to be implemented, whether allocated to a single SIS
or multiple SIS or a SIS in conjunction with a BPCS protection layer, then a
further risk assessment shall be carried out using a quantitative methodology
to confirm that the safety integrity requirements are achieved.
• The risk reduction claimed for a BPCS protection layer shall be ≤10.
• No more than two BPCS protection layers shall be used, or no more than
one BPCS protection layer shall be used if the BPCS is the initiating event.
• New requirements for preventing common cause, common mode and
dependent failures.
• A hot backup controller is not considered to be independent of the primary
controller because it is subject to common cause failure.
• New definitions:
Common cause failures (failure of function results from a single cause).
Common mode failures (concurrent failures of redundant devices).
Dependent failures.

37
Clause 10: SIS safety requirements specification (SRS)
Phase 3

38
Safety Requirement Specifications

• Application program safety requirements specifications are now included with
all the other safety requirements specifications.
• Definition of “Process Safety Time”, clause 3.2.52.1.
• Guidance in Part 2: “sum of diagnostic test interval and the time to perform the
specified action to achieve or maintain the safe state of the process is less than
the process safety time”.
• Requirements for proof test implementation in the SRS (written procedures).
• Definition of “Bypass”, clause 3.2.4.
• Requirements for bypasses (including written procedures).

39
Clause 11: SIS design and engineering
Phase 4

40
SIS design and engineering

• New Table 6 for Minimum Hardware Fault Tolerance, HFT

SIL                              Minimum required HFT
1 (any mode)                     0
2 (low demand mode)              0
2 (high demand/continuous mode)  1
3 (any mode)                     1
4 (any mode)                     2

Table 6 – Minimum HFT requirements according to SIL

• No more requirements for Safe Failure Fraction, SFF.
• Consistency with IEC 61508:2010, Clause 7.4.4.3 Route 2H.
• A safety manual covering operation, maintenance, fault detection and
constraints associated with the SIS shall be available, clause 11.2.13.
• Requirements for system behavior on detection of a fault:
Where the compensating measures depend on an operator taking specific action in response to an
alarm (e.g., opening or closing a valve) then the alarm shall be considered part of the SIS.

41
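As an added example (not from the presentation or from IEC 61511), the following Python applies the allocation and design rules summarised on the last few slides to one SIF allocation record: the BPCS risk reduction claim of at most 10, the limit on BPCS protection layers (one if the BPCS is the initiating event), the quantitative assessment required for SIL 4, the Table 6 minimum HFT, the rule that a hot backup controller is not independent of the primary, and the Part 2 process safety time guidance. The data classes, field names and the two sample allocations are this example's own assumptions.

```python
"""Added example, not from the presentation or from IEC 61511: a checker that
applies the Ed. 2 allocation and design rules summarised on these slides to one
SIF allocation record. Data structures and field names are this example's own."""
from dataclasses import dataclass
from typing import List, Optional

# Table 6 of IEC 61511-1:2016 as quoted on the slide.
# mode "low" = low demand; "high" = high demand or continuous mode.
MIN_HFT = {
    (1, "low"): 0, (1, "high"): 0,
    (2, "low"): 0, (2, "high"): 1,
    (3, "low"): 1, (3, "high"): 1,
    (4, "low"): 2, (4, "high"): 2,
}


@dataclass
class ProtectionLayer:
    kind: str                      # "SIS" or "BPCS"
    risk_reduction: float          # risk reduction factor claimed for the layer
    hft: int = 0                   # hardware fault tolerance (SIS layers only)
    hot_backup_only: bool = False  # redundancy provided only by a hot backup controller


@dataclass
class SifAllocation:
    name: str
    sil: int
    mode: str                      # "low" or "high"
    layers: List[ProtectionLayer]
    bpcs_is_initiating_event: bool = False
    quantitative_assessment_done: bool = False
    process_safety_time_s: Optional[float] = None
    diagnostic_interval_s: Optional[float] = None
    time_to_safe_state_s: Optional[float] = None


def check_allocation(sif: SifAllocation) -> List[str]:
    """Return a list of findings; an empty list means no rule on the slides is violated."""
    findings: List[str] = []

    bpcs = [layer for layer in sif.layers if layer.kind == "BPCS"]
    for layer in bpcs:
        if layer.risk_reduction > 10:
            findings.append(f"BPCS layer claims RRF {layer.risk_reduction}; the claim shall be <= 10")
    max_bpcs = 1 if sif.bpcs_is_initiating_event else 2
    if len(bpcs) > max_bpcs:
        suffix = " when the BPCS is the initiating event" if sif.bpcs_is_initiating_event else ""
        findings.append(f"{len(bpcs)} BPCS layers used; at most {max_bpcs} allowed{suffix}")

    if sif.sil == 4 and not sif.quantitative_assessment_done:
        findings.append("SIL 4 SIF requires a further quantitative risk assessment")

    required_hft = MIN_HFT[(sif.sil, sif.mode)]
    for layer in sif.layers:
        if layer.kind != "SIS":
            continue
        if layer.hft < required_hft:
            findings.append(f"SIS HFT {layer.hft} below Table 6 minimum {required_hft} "
                            f"for SIL {sif.sil} ({sif.mode})")
        if layer.hot_backup_only and layer.hft > 0:
            findings.append("hot backup controller is not independent of the primary "
                            "(common cause); do not count it as HFT")

    # Part 2 guidance: diagnostic test interval + time to reach safe state < process safety time.
    if None not in (sif.process_safety_time_s, sif.diagnostic_interval_s, sif.time_to_safe_state_s):
        response = sif.diagnostic_interval_s + sif.time_to_safe_state_s
        if response >= sif.process_safety_time_s:
            findings.append(f"diagnostic interval + action time ({response:g} s) is not less "
                            f"than process safety time ({sif.process_safety_time_s:g} s)")
    return findings


# Constructed sample allocations (not real plant data).
COMPLIANT = SifAllocation(
    "PSHH-101 high-pressure trip (constructed)", sil=2, mode="low",
    layers=[ProtectionLayer("BPCS", 10), ProtectionLayer("SIS", 100, hft=0)],
    process_safety_time_s=60, diagnostic_interval_s=10, time_to_safe_state_s=20)

NON_COMPLIANT = SifAllocation(
    "Reactor overpressure trip (constructed)", sil=2, mode="high",
    layers=[ProtectionLayer("BPCS", 100), ProtectionLayer("BPCS", 10),
            ProtectionLayer("SIS", 1000, hft=1, hot_backup_only=True)],
    bpcs_is_initiating_event=True,
    process_safety_time_s=30, diagnostic_interval_s=20, time_to_safe_state_s=15)

if __name__ == "__main__":
    for sif in (COMPLIANT, NON_COMPLIANT):
        print(sif.name, "->", check_allocation(sif) or "no findings")
```

The second sample produces four findings; note that its SIS layer nominally meets the HFT 1 of Table 6 for SIL 2 high demand, but the checker still flags it because the only redundancy is a hot backup controller, which the slide says is not independent of the primary.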
SIS design and engineering

Selection of Devices for use in SIS


• Requirements for the selection of devices based on prior use, clause 11.5.3.
• The reliability data used when quantifying the effect of random failures shall
be credible, traceable, documented and justified (random hardware failures).
• Reliability data used in the calculation, determined with an upper bound
statistical confidence limit of no less than 70 %, cannot be properly
implemented without reliability data collection from end users.
• New definition of prior use, clause 3.2.51 (proven in use).
The amount of operational experience needed to gain credible statistical reliability data is typically much higher than the
operational experience necessary to get evidence of prior use.
• Systematic Capability, SC N, indicates the SIL N requirement for devices,
to be in accordance with instructions specified according to IEC 61508
(avoidance of systematic faults).
• Definitions for Safety Integrity, Systematic Safety Integrity, and Hardware
Safety Integrity.

42
Revised IEC 61511:2016 - 2nd Edition Functional Safety Management

Safety integrity according to IEC 61508 / IEC 61511

Three main aspects define the max. SIL that can be achieved:

• Hardware safety integrity
1. Hardware Fault Tolerance and SFF of the elements of a Safety
Instrumented System, SIS (architectural constraints tables in IEC 61508
and IEC 61511)
2. PFDavg (low demand) or PFH (high demand or continuous mode) of a
Safety Instrumented Function, SIF

• Systematic safety integrity / capability
3a. Reduction/avoidance of systematic failures in hardware and software (caused
by development, embedded in a SIS); tolerance against systematic and common cause failures
3b. Reduction/avoidance of systematic failures during specification,
realisation, planning, installation, validation, operation, maintenance and
modification of a SIS

• Systematic failures can be avoided or reduced by Functional Safety Management!

43
Selection of Devices with a specific SIL requirement

Clause 11.5
Safety Integrity 3.2.68

General requirements Clause 11.5.2
Clause 11.5.2.1 Devices to be in accordance with 11.5.3 through 11.5.6

IEC 61511:2016
Functional and Safety Integrity:
- Functional Safety 3.2.23
- Safety Integrity 3.2.68
- Prior Use 3.2.51
Hardware Safety Integrity (3.2.26) – Measures to Control Failures:
- Hardware Random Failure 3.2.59
- 11.4.5 – 11.4.9 (Table HFT) & Application Program
- Reliability Data Uncertainties 11.9.4
- 11.5.3.1 / 11.5.3.2 Evidence of Device Suitability (Note 1/2/3)
- Route 2H - No need for SFF (Route 2H developed as for IEC 61511)
Systematic Safety Integrity (3.2.82) – Measures for Failure/Fault Avoidance and Control:
- Systematic Capability (3.2.80)
- Systematic failure 3.2.81
- Clause 11.5.3, 11.5.4 – 11.5.6
- Note 1: SC is determined by IEC 61508-2 and -3 concepts
- Note 3: Instructions to be specified in the device safety manual for SC N

IEC 61508:2010
Functional and Safety Integrity:
- Safety Integrity IEC 61508-4 Clause 3.5.4 – (3.5.6)
- Compliance Routes 1S, 2S, 3S (7.4.2.2)
- Proven in Use IEC 61508-4 Clause 7.4.10
Hardware Safety Integrity (3.5.7):
- Random Hardware Failure Clause 3.6.5
- Hardware safety integrity architectural constraints Clause 7.4.4
- Route 1H based on hardware fault tolerance and safe failure fraction SFF, Type A and Type B (7.4.4.2)
- Route 2H based on component reliability data from feedback from end users (7.4.4.3)
- Requirements for quantifying the effect of random hardware failures Clause 7.4.5
Systematic Safety Integrity (Systematic Capability) (7.4.2.2):
- Requirements for the avoidance of systematic faults Clause 7.4.6
- Fault Control 7.4.7
- Route 1S: compliance with avoidance of systematic faults (7.4.6 & 7.4.7)
- Route 2S: compliance with proven in use
- Route 3S (pre-existing software elements only) IEC 61508-3, 7.4.2.12

44
Clause 12: SIS application program development

45
Clause 12: SIS application program development
Life-cycle steps and requirements specification, covered before in clause 12, have been
moved to other clauses (Application Programming):
Clause 3: Definitions: 3.2.75; 3.2.76.1; 3.2.77; 3.2.1; 3.2.81.
Clause 6: Clause 6.3 Application program SIS safety life-cycle requirements – 6.3.1
Clause 7: Verification – Requirements, 7.2.2
Clause 8: Process hazard and risk assessment - 8.2.4 A security risk assessment, b).
Clause 9: Allocation of safety functions to protection layers – independent, 9.3.5, Note 1.
Clause 10: SIS safety requirements specification (SRS) - 10.3.2 Application program safety
requirements.
Clause 16: SIS operation and maintenance - 16.3.1.6 Any change to the application
program…
Clause 17: SIS Modifications – 17.2.3; 17.2.5; 17.2.6. (FSA)

- Provides longer lists of specific items that need to be addressed
- The application program and its documentation shall be reviewed by a competent person
not involved in the original development.
- The approach used for review and the review results shall be documented. Clause 19
- IEC 61511 does not address the use of full variability languages or SIL 4
application; it still refers readers to IEC 61508 in such cases.
- The old V-model diagram of software development and testing no longer appears.

46
Clause 13: Factory acceptance test (FAT)

47
Clause 13: Factory acceptance test (FAT)

This clause is now normative (it was informative before).

13.2.2 The planning for a FAT shall specify the following:

j) hazards posed by the testing, especially dealing with stored energy;
k) a clear diagram of the test set-up;
l) recording of tests conducted, data, results and observations whilst the tests
are being conducted.

48
Clause 14: SIS installation and commissioning
Phase 5

Clause 14: No significant changes.

14.1 Objectives
Note: The purpose of commissioning activities is to ensure that each of the
SIS devices is individually ready to operate, as specified in the design phase.

49
Clause 15: SIS safety validation

50
Clause 15: SIS safety validation
15.2 Requirements
15.2.1 Validation planning of the SIS shall be carried out throughout the SIS safety life-cycle and
shall define all activities and equipment required for validation. The following items shall be
included:
a) the validation activities including validation of the SIS with respect to the SRS including
implementation and resolution of resulting recommendations;
b) validation of all relevant process operating modes of the process and its associated equipment
including;
- preparation for use including setting and adjustment;
- start-up, automatic, manual, semi-automatic, steady state of operation;
- re-setting, shutdown, maintenance;
- other modes identified in previous phases of the SIS safety life-cycle.
c) the procedures, measures and techniques to be used for validation, including how validation
activities can be performed, without putting the plant and process at risk of the hazardous events
the SIS is to protect against;
d) when these activities shall take place;
e) the persons, departments and organizations responsible for these activities and the levels of
independence for validation activities;
f) reference to information against which validation shall be carried out (e.g. cause and effect chart);
g) the equipment and facilities that need to be installed or made available (e.g. isolation valves and
leak detection equipment that will be needed for the testing of valves).
NOTE: Examples of validation activities include loop testing, logic testing, calibration procedures, simulation of application program.
51
Clause 15: SIS safety validation (Definitions)
3.2.86 validation (planned activity, part of Phase 5)
confirmation by examination and provision of objective evidence that the
particular requirements for a specific intended use are fulfilled.
Note 1 to entry: In the IEC 61511 series this means demonstrating that the SIF(s) and SIS after
installation meet the SRS in all respects.

3.2.87 verification (planned activity, part of SLC auditing activity 10, FSM)
confirmation by examination and provision of objective evidence that the
requirements have been fulfilled.
Note 1 to entry: In the IEC 61511 series this is the activity of demonstrating for each phase of the relevant
SIS safety life-cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the
objectives and requirements set for the specific phase.
Note 2: Example verification activities include:
– reviews on outputs (documents from all phases of the safety life-cycle) to ensure compliance with
the objectives and requirements of the phase taking into account the specific inputs to that phase;
– design reviews;
– tests performed on the designed products to ensure that they perform according to their
specification;
– integration tests performed where different parts of a system are put together in a step-by-step
manner and by the performance of environmental tests to ensure that all the parts work together in
the specified manner.

52
Clause 16: SIS Operation and Maintenance
Phase 6

53
Validation, Operation, and Maintenance

• Requirements for operation and maintenance planning for the SIS, clause
16.2.1, maintenance plan (programmed or predictive maintenance plan).
• Operating and maintenance written procedures, part of the “Safety Manual”.
• Monitoring and status recording of all discrepancies between expected behavior
and actual behavior, all in writing (documentation requirements during
operations and maintenance).
• Persons responsible for operations and maintenance shall review the hazard
& risk analysis and assessments.
• Any change to the application program requires a full validation and a proof
test of any SIF impacted by the change.

54
Clause 17: SIS Modifications
Phase 7

55
Clause 17: SIS modifications

17.2.3 Prior to carrying out any modification to a SIS (including the
application program) an analysis shall be carried out to determine the impact
on functional safety as a result of the proposed modification. When the
analysis shows that the proposed modification could impact safety then there
shall be a return to the first phase of the SIS safety life-cycle affected by the
modification.
17.2.4 Safety planning for the modification and re-verification shall be
available. Modifications and re-verifications shall be carried out in accordance
with the planning.
17.2.5 All documentation affected by the modification shall be updated.
17.2.6 Modification activity shall not begin until a FSA is completed in
accordance with 5.2.6.1.9 and after proper authorisation.

56
Clause 17: SIS modifications

17.2.7 Appropriate information shall be maintained for all changes to the SIS.
The information shall include: (Modification Procedure)
a) a description of the modification or change;
b) the reason for the change;
c) identified hazards and SIFs which may be affected;
d) an analysis of the impact of the modification activity on the SIS;
e) all approvals required for the changes;
f) tests used to verify that the change was properly implemented and the SIS
performs as required;
g) details of all SIS modification activities (e.g., a modification log);
h) appropriate configuration history;
i) tests used to verify that the change has not adversely impacted parts of the
SIS which were not modified.

57
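As an added example (not from the presentation or from IEC 61511), the following Python turns the ordering in 17.2.3 to 17.2.6 into a gate that refuses to let modification work start until the impact analysis, the safety planning, the FSA and the authorisation are all in place, and reports which of the 17.2.7 a) to i) record items are still missing. The class, its method names, the record keys and the walk-through change are this example's own assumptions.

```python
"""Added example, not from the presentation or from IEC 61511: a small gate
object that enforces the order of 17.2.3 to 17.2.7 before SIS modification work
starts, and reports which 17.2.7 a)-i) record items are still missing. Method
and field names are this example's own."""
from typing import Dict, List, Optional, Set, Tuple

# 17.2.7 a)-i): information to be maintained for every change to the SIS.
RECORD_ITEMS: Set[str] = {
    "description",                # a)
    "reason",                     # b)
    "affected_hazards_and_sifs",  # c)
    "impact_analysis",            # d)
    "approvals",                  # e)
    "implementation_tests",       # f)
    "modification_log",           # g)
    "configuration_history",      # h)
    "regression_tests",           # i)
}


class ModificationGate:
    def __init__(self, description: str, reason: str) -> None:
        self.record: Dict[str, object] = {"description": description, "reason": reason}
        self.impact_analysed = False
        self.could_impact_safety: Optional[bool] = None
        self.returned_to_phase: Optional[str] = None
        self.planning_available = False
        self.fsa_completed = False
        self.authorised = False

    def impact_analysis(self, affected: List[str], could_impact_safety: bool,
                        first_affected_phase: Optional[str] = None) -> None:
        """17.2.3: analyse impact; a safety impact forces a return to the first affected phase."""
        if could_impact_safety and first_affected_phase is None:
            raise ValueError("17.2.3: a safety-impacting change must name the life-cycle phase to return to")
        self.record["affected_hazards_and_sifs"] = affected
        self.record["impact_analysis"] = {"could_impact_safety": could_impact_safety}
        self.could_impact_safety = could_impact_safety
        self.returned_to_phase = first_affected_phase if could_impact_safety else None
        self.impact_analysed = True

    def planning(self, implementation_tests: List[str], regression_tests: List[str]) -> None:
        """17.2.4: safety planning for the modification and re-verification."""
        self.record["implementation_tests"] = implementation_tests   # 17.2.7 f)
        self.record["regression_tests"] = regression_tests           # 17.2.7 i)
        self.planning_available = True

    def complete_fsa(self) -> None:
        """17.2.6 / 5.2.6.1.9: the FSA must consider the impact analysis, so it cannot precede it."""
        if not self.impact_analysed:
            raise RuntimeError("5.2.6.1.9: FSA on a modification must consider the impact analysis")
        self.fsa_completed = True

    def authorise(self, approvals: List[str]) -> None:
        """17.2.6: proper authorisation; 17.2.7 e) records the approvals."""
        self.record["approvals"] = approvals
        self.authorised = True

    def may_begin(self) -> Tuple[bool, List[str]]:
        """True only when every precondition of 17.2.3, 17.2.4 and 17.2.6 is met."""
        blockers: List[str] = []
        if not self.impact_analysed:
            blockers.append("17.2.3 impact analysis not carried out")
        if not self.planning_available:
            blockers.append("17.2.4 safety planning for modification and re-verification not available")
        if not self.fsa_completed:
            blockers.append("17.2.6 FSA not completed")
        if not self.authorised:
            blockers.append("17.2.6 modification not authorised")
        return (not blockers, blockers)

    def missing_record_items(self) -> Set[str]:
        """17.2.7 items not yet present in the maintained information."""
        return RECORD_ITEMS - set(self.record)


def walk_through() -> ModificationGate:
    """Constructed walk-through of one change (not a real plant modification)."""
    gate = ModificationGate("Raise PSHH-101 trip set point", "revised relief study")
    gate.impact_analysis(["PSHH-101 SIF"], could_impact_safety=True,
                         first_affected_phase="SRS (phase 3)")
    gate.planning(["loop test PSHH-101"],
                  ["proof test of unmodified trips on the same logic solver"])
    gate.complete_fsa()
    gate.authorise(["process safety manager"])
    return gate


if __name__ == "__main__":
    gate = walk_through()
    print("may begin:", gate.may_begin())
    print("still missing for 17.2.7:", sorted(gate.missing_record_items()))
```

After the walk-through the gate opens, but the modification log g) and configuration history h) are still reported as missing, since those are produced during and after the work rather than before it; keeping them in the same record is what lets the information required by 19.2.9 e) be maintained in one place.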
Clause 18: SIS Decommissioning
Phase 8

Decommissioning:
There are no significant changes
to clause 18 on SIS.

58
Clause 19: Information and Documentation requirements
Functional Safety Information

59
Clause 19: Information and documentation requirements

19.2.9 Current documentation pertaining to the following shall be maintained:

a) the results of the hazard and risk assessment and the related assumptions;
b) the equipment used for SIF together with its safety requirements;
c) the organization responsible for maintaining functional safety;
d) the procedures necessary to achieve and maintain functional safety of the SIS;
e) the modification information as defined in 17.2.5;
f) the safety manual(s);
g) design, implementation, test and validation.
NOTE Further details of the requirements for information are included in 12.4.2, 14, 15 and 16.3.3.

60
Questions

61
