IEC 61511

Last edit: 22/08/2023

Introduction

IEC 61511 (all parts) is intended as the process industry sector implementation of IEC 61508; it addresses the application of SISs (Safety Instrumented System) in the process industry.

Safety Instrumented Functions (SIFs) are protective functions implemented in a Safety Instrumented System (SIS). A typical SIS comprises multiple SIFs; each SIF typically consists of process sensors that measure a process deviation, a logic solver that executes the functional logic, and final control elements, such as on/off valves, that bring the process to a safe state. The IEC 61511 series addresses SISs based on electrical, electronic or programmable electronic technology in the process industry sector. It also addresses the process Hazard and Risk Assessment (H&RA) from which the specifications for SISs are derived.

The standard recognises that systematic failures stem from human error and that they can be reduced by implementing sound organisational processes.

The first edition of the standard was issued in 2003. The second edition was published in 2016. The standard has four parts:

  • Part 1 – The only normative part of the series. It includes terminology and requirements for the specification, hardware design, application programming, commissioning, validation, operation, maintenance and testing of SIS components.
  • Part 2 – Informative guidance on Part 1. Its Annex A provides guidance and implementation examples for the requirements set out in Part 1.
  • Part 3 – An informative part that describes available methods for conducting the Hazard and Risk Assessment (H&RA) from which the integrity requirements, i.e. the Safety Integrity Level (SIL), are determined.
  • Part 4 – A Technical Report (IEC/TR 61511-4). It contains the explanation and rationale for the changes from Edition 1 to Edition 2.

Compliance with the IEC 61511 series helps assure a reliable and effective implementation of the SIS that achieves its risk reduction objectives, and thereby improves process safety.

IEC 61511 is recognized as a good engineering practice in most countries and a regulatory requirement in an increasing number of countries. End users in the process industry should use this standard series to develop their internal procedures, work processes, and management systems. Implementing a SIS lifecycle management system provides a framework for managing people, processes, and systems to improve overall safety and operational performance.

The standard applies when devices that meet the requirements of IEC 61508 series are integrated into an overall safety-related control system, to be used in a process sector application. It does not apply to manufacturers wishing to claim that their devices are suitable for use in SISs for the process sector; for this purpose, IEC 61508-2 [6] and IEC 61508-3 [7] have to be used.

The normative part does not contain any formulas. The reason is that the spirit of IEC 61511-1 is to define what has to be achieved, not how to achieve it.

The second edition

The Second Edition reinforces the need to design for the management of Functional Safety rather than focusing narrowly on calculations, and it can be used to manage the actual performance of the SIS over time. IEC/TR 61511-4 was written to provide a brief introduction to these issues, with the detailed content remaining in the main parts of the standard. Management of Functional Safety addresses systematic failures, which are mostly caused by humans and cannot be quantified with mathematical models. The related activities cover the whole safety lifecycle and are applied through processes and procedures.

The second edition is built on the idea that safety is not based on reliable components alone but comes from a holistic approach, expressed in the concept of the Safety Life Cycle. To achieve Functional Safety, several activities need to be carried out by different stakeholders (end users, engineering companies, vendors, etc.). They are connected to each other like a chain, and the chain is only as strong as its weakest link. It is crucial to treat Functional Safety as a lifecycle that starts with hazard identification and ends with the decommissioning of the SIS: every activity in the safety lifecycle is affected by the activities upstream and downstream of it.

Every SIS project needs clear roles and responsibilities. All involved parties must be aware of their responsibilities and be competent to carry out the activities necessary for Functional Safety, and competencies must be kept up to date. All necessary activities in a project are described in a safety plan, which can be project specific or a general company document. For all relevant activities, a Functional Safety assessment is carried out to demonstrate that each SIF fulfils all of its requirements and complies with the agreed standards. Performance management during operation is done by collecting field data on SIS reliability and on SIS process demands. Functional Safety audits are done at regular intervals to demonstrate that the organisation remains capable of fulfilling the defined Functional Safety requirements. Assessment and auditing activities are carried out by individuals independent of the project team. Meaningful documentation of the assessment and audit results is generated, and recommendations are tracked to effective closure.

Designing a SIS

Designing a Safety Instrumented System means:

  1. Controlling the effects of random hardware failures and
  2. Avoiding or controlling systematic failures.

The activity can be summarized in the following four parts:

  1. Select devices appropriately, based on prior use or in accordance with IEC 61508.
  2. Ensure the minimum redundancy determined by the hardware fault tolerance (HFT), either in accordance with the process sector approach defined in IEC 61511-1 or in accordance with IEC 61508.
  3. Design the architecture and application program to meet the requirements of the Safety Requirements Specification (SRS), and verify that the specified performance objectives for integrity, reliability and systematic error control have been met, including aspects such as human capabilities, bypass management, diagnostic coverage, common cause failures, proof test interval, MTTR, etc.
  4. Ensure adequate demarcation between the SIS and the basic process control system (BPCS) for both hardware and application program, so that the overall risk reduction performance is achieved.

Three methods

The Second Edition allows three different methods to determine the required HFT of a Safety Instrumented System:

  1. Route 1H of IEC 61508-2 [6], based on FMEDA (Failure Modes, Effects and Diagnostic Analysis) and conformance with the related clauses in IEC 61508-2.
  2. Use of the concept of Prior Use (5.3). This means using Table 6 of IEC 61511-1 [16], the same as table 2.3, in conjunction with the requirements of IEC 61511-1 clauses 11.5 to 11.9.
  3. Route 2H of IEC 61508-2, based on field feedback data from operational experience (including product returns to the manufacturer) and conformance with the related clauses in IEC 61508-2.

Table 2.3 {2.1.4.1.1} clarifies that, when SIL 1 has to be reached, no redundancy is necessary (HFT = 0); the same holds for SIL 2 in low demand mode. If the SIF operates in high demand mode, however, HFT = 1 is required to reach SIL 2.
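As an added worked example (not from this page, and not code from IEC 61511 or any tool it names), the following Python script performs the kind of check that steps 2 and 3 of the design activity above call for: it looks up the minimum HFT from Table 6 as summarised here and verifies a simplified low-demand PFDavg for a 1oo1 and a 1oo2 subsystem against the target SIL, including a common cause term. The Table 6 rows for SIL 3 (HFT 1) and SIL 4 (HFT 2), the simplified PFDavg approximations (with diagnosed failures and repair times neglected), the SIL bands and all numeric inputs are assumptions not stated on this page, and PFH, the measure that applies in high and continuous demand mode, is not computed: in that mode only the HFT check is made.

```python
"""
Added worked example (not part of the page or of IEC 61511 itself):
a minimal architecture check of the kind step 2 (minimum HFT) and
step 3 (integrity verification against the SRS) describe.

Labelled assumptions:
  - MIN_HFT follows IEC 61511-1 Ed. 2 Table 6 as summarised on the page
    for SIL 1 and SIL 2; the SIL 3 (HFT 1) and SIL 4 (HFT 2) rows come
    from the same table but are not restated on the page.
  - PFDavg uses the usual simplified low-demand approximations with
    lambda_DD, MTTR and MRT neglected:
      1oo1: lambda_DU * T1 / 2
      1oo2: ((1 - beta) * lambda_DU * T1)^2 / 3 + beta * lambda_DU * T1 / 2
    These are not in the normative part of IEC 61511-1, which
    deliberately contains no formulas.
  - In high or continuous demand mode the integrity measure is PFH,
    not PFDavg; this example only checks HFT there.
  - Failure rates, proof test interval and beta below are constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_YEAR = 8760.0

# Minimum hardware fault tolerance by (SIL, demand mode); "high" also covers
# continuous mode. Assumption: IEC 61511-1 Ed. 2 Table 6.
MIN_HFT = {
    (1, "low"): 0, (1, "high"): 0,
    (2, "low"): 0, (2, "high"): 1,
    (3, "low"): 1, (3, "high"): 1,
    (4, "low"): 2, (4, "high"): 2,
}

# Low-demand PFDavg bands [lower, upper) per SIL. Assumption: IEC 61508/61511 SIL table.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def min_hft(sil: int, demand_mode: str) -> int:
    """Minimum HFT required for a SIL target in the given demand mode."""
    return MIN_HFT[(sil, demand_mode)]


def pfd_avg_1oo1(lambda_du: float, t1_hours: float) -> float:
    """Simplified PFDavg of a single channel with dangerous undetected rate lambda_du (/h)."""
    return lambda_du * t1_hours / 2.0


def pfd_avg_1oo2(lambda_du: float, t1_hours: float, beta: float) -> float:
    """Simplified PFDavg of a 1oo2 pair; beta is the common cause fraction."""
    independent = ((1.0 - beta) * lambda_du * t1_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * t1_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL band achieved by a low-demand PFDavg (0 if it misses even SIL 1)."""
    for sil in (4, 3, 2, 1):
        lower, upper = PFD_BANDS[sil]
        if lower <= pfd_avg < upper:
            return sil
    return 4 if pfd_avg < PFD_BANDS[4][0] else 0


@dataclass
class ArchitectureCheck:
    architecture: str
    hft: int
    hft_ok: bool
    pfd_avg: Optional[float]      # None in high/continuous demand (PFH applies instead)
    achieved_sil: Optional[int]   # None in high/continuous demand
    integrity_ok: Optional[bool]  # None in high/continuous demand


def verify_sif(target_sil: int, demand_mode: str, lambda_du: float,
               t1_hours: float, beta: float) -> List[ArchitectureCheck]:
    """Check 1oo1 and 1oo2 subsystems against the target SIL for HFT and (low demand) PFDavg."""
    required_hft = min_hft(target_sil, demand_mode)
    candidates = (("1oo1", 0, pfd_avg_1oo1(lambda_du, t1_hours)),
                  ("1oo2", 1, pfd_avg_1oo2(lambda_du, t1_hours, beta)))
    checks = []
    for name, hft, pfd in candidates:
        if demand_mode == "low":
            achieved = sil_from_pfd(pfd)
            checks.append(ArchitectureCheck(name, hft, hft >= required_hft,
                                            pfd, achieved, achieved >= target_sil))
        else:
            checks.append(ArchitectureCheck(name, hft, hft >= required_hft, None, None, None))
    return checks


if __name__ == "__main__":
    # Constructed sample: a final element with lambda_DU = 1e-6 /h, proof tested
    # once a year, beta = 5 %, checked against a SIL 2 target in both demand modes.
    for mode in ("low", "high"):
        for check in verify_sif(2, mode, 1e-6, HOURS_PER_YEAR, 0.05):
            print(mode, check)
```

With the constructed inputs the 1oo1 channel reaches the SIL 2 PFDavg band and, in low demand mode, also satisfies the HFT = 0 requirement; in high demand mode it fails on HFT alone, which is the point the table above makes. The 1oo2 result also shows why common cause failures belong in step 3: the beta term is roughly ten times larger than the independent term, so adding a second channel buys far less than the squared-rate intuition suggests.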