IEC61511-2017 2nd Edition PDF
International Electrotechnical Commission, IEC
IEC members are National Committees (NCs) and there can only be one per country. Individuals participate
in the IEC's work through the National Committees.
Membership levels
There are two levels of membership:
Full members - NC has access to all technical and managerial activities and functions, at all levels of the IEC,
including voting rights in Council.
Associate members - NC has full access to all working documents but limited voting rights in the technical
work and no eligibility to managerial functions within the IEC.
Functional Safety Standards
IEC 61511 – Functional Safety timeline (figure; includes DIN V 19250)
Revised IEC 61511:2016 - 2nd Edition
IEC 61511 still is the main standard for “Process” Functional Safety.
IEC 61511:2003 Ed. 1, over the last 14 years,
has been recognized worldwide as the “standard for Process Functional Safety”.
Revised IEC 61511:2016 - 2nd Edition
Main subjects:
• Systematic Capability – (Prior Use – Proven in Use), SC 1, 2, 3, 4
(Requirement for selection of devices based on prior use).
IEC 61511 2nd edition changes Summary
The new 2nd edition of IEC 61511 includes:
• Grandfather clause is still excluded
• SIF mode of operation: low demand mode, high demand mode, and continuous mode
• Definitions about SIFs used as hazardous event prevention and mitigation safeguards
• New requirements for Functional Safety Management (FSM) systems
• New requirements for Functional Safety Assessments (FSA), e.g. FSA before modification
• Application program SIS safety life-cycle requirements
• More detailed requirements for verification activities (verification requirements and planning)
• Process hazard and risk assessment: new requirements for security risk assessment
• New security risk assessments relating to deliberate malicious acts (e.g. terrorist acts, sabotage)
• More details for SIL 4 applications: 9.2.5, 9.2.6, 9.2.7
• Allocation of safety functions to protection layers: new BPCS considerations, common causes, operating mode, and dependent failures consideration requirements
• Clarification of requirements where risk reduction is spread across multiple SIFs
• Revised “application program” development requirements – SRS for application program
• Additional requirements for bypasses (Design & Engineering, and Operations & Maintenance)
• Safety manual covering operation, maintenance, fault detection and constraints of the SIS
• New requirements for hardware fault tolerance (HFT); no SFF needed or required
• Requirements for better substantiation of the failure rate data and of uncertainties in the data (Part 2)
• “Prior use” defined and new requirements – Systematic Integrity – “Proven in use”
• Proof testing of SIF clarified, defined, and formalized in the SRS
• New requirements for systematic capability (SC), systematic integrity
• SIS operation and maintenance revised – bypasses, etc.
• Formal review by operations and maintenance of the hazard and risk assessments
• New requirements for formal procedures to manage competence (knowledge, training, and skills)
• Modification activity shall not begin until an FSA is completed
• More examples and clarifications in Part 2; new annexes with detailed guidance in Part 3 of the standard
Clause 1: Scope
Users of IEC Standards (Scope)
• Trend in the process industry is toward IEC 61511
e) applies to a wide variety of industries within the process sector for example,
chemicals, oil and gas, pulp and paper, pharmaceuticals, food and beverage,
and non-nuclear power generation.
NOTE 1: Within the process sector some applications may have additional requirements that have to be satisfied.
Framework & Scope
Clause 1: Scope
Figure 4 in the 1st edition had a diagram showing how a demand mode safety
function could be further split into prevention or mitigation functions. The 2nd
edition removes this distinction and shows continuous mode or demand mode
functions.
Clause 2: Normative References
Maintains the same relationship to IEC 61508, makes reference to the April 2010
IEC 61508 2nd Ed., and no longer lists several other older IEC standards.
Reference to IEC 61784-3:2010 – Functional Safety Fieldbuses was added.
PROCESS SECTOR SAFETY INSTRUMENTED SYSTEM STANDARDS (figure)
• IEC 61508: manufacturers and suppliers of devices
• IEC 61511: safety instrumented systems designers, integrators and users
Maintains the same process sector Safety Instrumented System relationship to IEC 61508.
Clause 2: Normative References
No significant changes.
Clause 4: Conformance to the IEC61511 series
Clause 5: Management of functional safety
Safety Life Cycle Activity 10
Formal Competency Requirements
Functional Safety Management, FSM
• Organization
• Responsibility
• Assurance of staff competency for those involved with the development or
application of functional safety
• Who is doing the functional safety assessment
• Independence of the functional safety assessors from those developing
products or systems under audit
• Configuration and change management
• System operation
• Removal from service after stated "mission time"
• Development processes
Revised IEC 61511:2015 - 2nd Edition
Revised IEC 61511:2016 - 2nd Edition
Figure (percentage of faults by safety life-cycle phase):
• Specification 44%
• Design & Implementation 15%
• Installation & Setting into Operation 6%
• Operation & Maintenance 15%
• Modification After Setting into Operation 20%
Objective:
Fault/failure avoidance by managing deficiencies in specification, design, development, installation and operation.
Functional Safety Assessment, FSA
• IEC 61511:2016 also requires that an FSA be carried out after validation and before
operation.
Clause 5: Management of functional safety, - FSA
Clause 6: Safety life cycle requirements
Safety Life Cycle Activity 11
Clause 6: Safety lifecycle requirements
The software (application programming) lifecycle diagram (Figure 8) and overview
table (Table 3) have now been moved from Clause 12 (Software) to Clause 6.
6.2 Requirements
6.2.1 A SIS safety life-cycle incorporating the requirements of the
IEC61511 series shall be defined during safety planning. The safety life-cycle
shall also address the application programming (see 6.3.1).
6.3 Application program SIS safety life-cycle requirements
6.3.1 Each phase of the application program safety life-cycle (see figure 8)
shall be defined in terms of its elementary activities, objectives, required input
information and output results and verification requirements (see table 3).
6.3.2 Methods, techniques and tools shall be applied for each life-cycle phase
in accordance with 12.6.2.
6.3.3 Each phase of the application program safety life-cycle shall be verified
(see clause 7) and the results shall be available as described in clause 19.
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle
Table 3 – Application program safety life-cycle: overview
Clause 7, 7.2.2 Where the verification includes testing, the verification planning shall also address the following:
a) the strategy for integration of application program and hardware and field devices, including the integration of
subsystems that shall comply with other standards (such as machinery, burner);
b) test scope (describes the test set-up and what type of test to be performed including the hardware, application
programming, and programming devices to be included);
Clause 7: Verification
Safety Life Cycle Activity 9
Clause 7: Verification
Software (application programming) verification has now been added to Clause 7 (from Clause 12).
7.2 Requirements
7.2.1 Verification planning shall be carried out throughout the SIS safety life-cycle and shall
define all activities required for the appropriate phase (Figure 7) of the safety life-cycle,
including the application program. Verification planning shall conform to the IEC 61511 series
by addressing the following:
a) the verification activities;
b) the procedures, measures and techniques to be used for verification including
implementation and resolution of resulting recommendations;
c) when these activities will take place;
d) the persons, departments and organizations responsible for these activities, including
levels of independence;
e) identification of items to be verified;
f) identification of the information against which the verification is carried out;
g) the adequacy of the outputs against the requirements for that phase;
h) correctness of the data;
i) how to handle non-conformances;
j) tools and supporting analysis;
k) the completeness of the SIS implementation and the traceability of the requirements;
l) the readability and auditability of the documentation;
m) the testability of the design.
Clause 8: Process Hazard and Risk Assessment
Phase 1
Cyber Security Risk Analysis - Assessment
Clause 8: Process hazard and risk assessment
8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of
the SIS. It shall result in:
a) a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any
other device connected to the SIS);
b) a description of identified threats that could exploit vulnerabilities and result in security
events (including intentional attacks on the hardware, application programs and related
software, as well as unintended events resulting from human error);
c) a description of the potential consequences resulting from the security events and the
likelihood of these events occurring;
d) consideration of various phases such as design, implementation, commissioning,
operation, and maintenance;
e) the determination of requirements for additional risk reduction;
f) a description of, or references to information on, the measures taken to reduce or remove
the threats.
NOTE 1 Guidance related to SIS security is provided in ISA TR84.00.09.
NOTE 2 The information and control of boundary conditions needed for the security risk assessment are
typically with owner/operating company of a facility, not with the supplier. Where this is the case, the
obligation to comply with 8.2.4 can be with the owner/operating company of the facility.
NOTE 3 The SIS security risk assessment can be included in an overall process automation security risk
assessment.
NOTE 4 The SIS security risk assessment can range in focus from an individual SIF to all SISs within a
company.
Clause 9: Allocation of safety functions to protection layers
Phase 2
Allocation of safety functions to protection layers
Clause 10: SIS safety requirements specification (SRS)
Phase 3
Safety Requirement Specifications
• Guidance in Part 2: “sum of diagnostic test interval and the time to perform the
specified action to achieve or maintain the safe state of the process is less than
the process safety time”.
Clause 11: SIS design and engineering
Phase 4
SIS design and engineering
Revised IEC 61511:2016 - 2nd Edition Functional Safety Management
Selection of Devices with a specific SIL requirement
IEC 61511 – Hardware Safety Integrity (3.2.26)
• Measures to control failures; Hardware Random Failure 3.2.59
• 11.4.5 – 11.4.9 (Table HFT)
• Reliability Data Uncertainties 11.9.4
• Hardware Safety Integrity 3.2.26
• Evidence of Device Suitability, clauses 11.5.3.1 and 11.5.3.2 (Note 1/2/3); Route 2H – no need for SFF
IEC 61511 – Systematic Safety Integrity (3.2.82) / Systematic Capability (3.2.80)
• Measures for failure/fault avoidance and control, clause 11.5.3; application program 11.5.4 – 11.5.6
• Systematic failure 3.2.81; Systematic Capability (3.2.80)
• Note 1: SC is determined by IEC 61508-2 and -3 concepts.
• Note 3: Instructions to be specified in the device safety manual for SCN (Route 2H developed as for IEC 61511).
IEC 61508 – Hardware Safety Integrity (3.5.7)
• Hardware safety integrity architectural constraints, clause 7.4.4
• Requirements for quantifying the effect of random hardware failures, clause 7.4.5
• Random Hardware Failure, clause 3.6.5
• Route 1H based on hardware fault tolerance and safe failure fraction (SFF), Type A and Type B (7.4.4.2)
• Route 2H based on component reliability data from feedback from end users (7.4.4.3)
IEC 61508 – Systematic Safety Integrity
• Requirements for the avoidance of systematic faults, clause 7.4.6
• Fault control, 7.4.7
• Requirements for systematic safety integrity (Systematic Capability) (7.4.2.2)
• Route 1S: compliance with avoidance of systematic faults (7.4.6 & 7.4.7)
• Route 2S: compliance with proven in use
• Route 3S (pre-existing software elements only), IEC 61508-3, 7.4.2.12
Clause 12: SIS application program development
Clause 12: SIS application program development
The lifecycle steps and requirements specification for application programming, previously
covered in Clause 12, have been moved to other clauses:
Clause 3: Definitions: 3.2.75; 3.2.76.1; 3.2.77; 3.2.1; 3.2.81.
Clause 6: Clause 6.3 Application program SIS safety life-cycle requirements – 6.3.1
Clause 7: Verification – Requirements, 7.2.2
Clause 8: Process hazard and risk assessment - 8.2.4 A security risk assessment, b).
Clause 9: Allocation of safety functions to protection layers – independent, 9.3.5, Note 1.
Clause 10: SIS safety requirements specification (SRS) - 10.3.2 Application program safety
requirements.
Clause 16: SIS operation and maintenance - 16.3.1.6 Any change to the application
program…
Clause 17: SIS Modifications – 17.2.3; 17.2.5; 17.2.6. (FSA)
Clause 13: Factory acceptance test (FAT)
Clause 14: SIS installation and commissioning
Phase 5
14.1 Objectives
Note: The purpose of commissioning activities is to ensure that each of the
SIS devices is individually ready to operate, as specified in the design phase.
Clause 15: SIS safety validation
15.2 Requirements
15.2.1 Validation planning of the SIS shall be carried out throughout the SIS safety life-cycle and
shall define all activities and equipment required for validation. The following items shall be
included:
a) the validation activities including validation of the SIS with respect to the SRS including
implementation and resolution of resulting recommendations;
b) validation of all relevant process operating modes of the process and its associated equipment
including;
- preparation for use including setting and adjustment;
- start-up, automatic, manual, semi-automatic, steady state of operation;
- re-setting, shutdown, maintenance;
- other modes identified in previous phases of the SIS safety life-cycle.
c) the procedures, measures and techniques to be used for validation, including how validation
activities can be performed, without putting the plant and process at risk of the hazardous events
the SIS is to protect against;
d) when these activities shall take place;
e) the persons, departments and organizations responsible for these activities and the levels of
independence for validation activities;
f) reference to information against which validation shall be carried out (e.g. cause and effect chart);
g) the equipment and facilities that need to be installed or made available (e.g. isolation valves and
leak detection equipment that will be needed for the testing of valves).
NOTE: Examples of validation activities include loop testing, logic testing, calibration procedures, simulation of application program.
Clause 15: SIS safety validation (Definitions)
3.2.86 validation (Planned activity part of Phase 5)
confirmation by examination and provision of objective evidence that the
particular requirements for a specific intended use are fulfilled.
Note 1 to entry: In the IEC61511 series this means demonstrating that the SIF(s) and SIS after
installation meet the SRS in all respects.
Clause 16: SIS Operation and Maintenance
Phase 6
Validation, Operation, and Maintenance
• Requirements for operation and maintenance planning for the SIS (clause
16.2.1), including a maintenance plan (programmed or predictive maintenance).
• Persons responsible for operations and maintenance shall review the hazard
and risk analysis and assessments.
• Any change to the application program requires a full validation and a proof
test of any SIF impacted by the change.
Clause 17: SIS Modifications
Phase 7
17.2.7 Appropriate information shall be maintained for all changes to the SIS.
The information shall include: (Modification Procedure)
a) a description of the modification or change;
b) the reason for the change;
c) identified hazards and SIFs which may be affected;
d) an analysis of the impact of the modification activity on the SIS;
e) all approvals required for the changes;
f) tests used to verify that the change was properly implemented and the SIS
performs as required;
g) details of all SIS modification activities (e.g., a modification log);
h) appropriate configuration history;
i) tests used to verify that the change has not adversely impacted parts of the
SIS which were not modified.
Clause 18: SIS Decommissioning
Phase 8
Decommissioning: there are no significant changes to clause 18 on SIS.
Clause 19: Information and documentation requirements
Functional Safety Information
Questions