IEC 61508 ed. 2.0 "Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related
Systems" and IEC 61511 ed. 1.0 "Functional Safety - Safety Instrumented Systems for the Process
Industry Sector" are International Standards published by the International Electrotechnical Commission
(IEC). The main objectives of IEC 61508 with the status of a basic safety publication are to facilitate the
development of product and application sector international standards and to enable the development of
E/E/PE safety-related systems where product or application sector international standards do not exist.
The horizontal standard IEC 61511 has been developed as a process sector implementation of IEC 61508.
IEC 61511 gives requirements for the specification, design, installation, operation, maintenance and
testing of a safety instrumented system (SIS). The presentation introduces the current application state of
the activities to be implemented to execute the IEC 61508 and IEC 61511 lifecycle phases in conformity
with standard requirements. The current application state starts from Management of Functional Safety to
go through activities such as process hazard & risk assessment, safety functions allocation, risk reduction
target allocation to safety instrumented functions (SIF), SIF SIL determination, SIS safety requirements
specification (SRS), SIS implementation activities, SIS operation & maintenance, SIS modification and
decommissioning. The current application state includes the lack of Regulatory Codes requirements about
IEC 61508 and IEC 61511 applicability, objective interpretative issues of IEC 61508 and IEC 61511
requirements, applicability issues in real projects of IEC 61508 and IEC 61511, consistency of reliability
data and certification issues of SIS sub-systems and devices. At the conclusion of the presentation an overview of the current and favourable trends in IEC 61508 and IEC 61511 application is given, also taking users' expectations into consideration.
The requirement by contractors in Europe that safety PLCs carry a certification of compliance with DIN standards issued by the German TÜV (Technical Inspection Agency) explains the immediate spread of IEC 61508 compliance certification of safety PLCs right after the publication of the standard, even though the standard itself did not require a certification of compliance.
In the last decade the requirement of a certification of compliance with IEC 61508 was expanded from PE logic solvers to any active device of a safety-related instrumented system, including sensors, barriers, relays, solenoid valves, shutdown valves/actuators/positioners and electric motor contactors.
1.2 IEC 61511
One of the objectives of the international standard IEC 61508 as a meta-standard is to facilitate the development of product and application sector standards. The generic application of the functional safety requirements dictated by IEC 61508 found a specific application with the issue of the international standard IEC 61511, in effect since 2003 and focused on the process industry sector, including O&G, oil refining, petrochemical/chemical, P&P and conventional power generation. The simpler approach of IEC 61511 did not significantly alter the basic approach to functional safety issues introduced by IEC 61508. The concurrent introduction in the USA of ANSI/ISA S84.00.01 (mod. IEC 61511) in 2004, replacing ANSI/ISA S84.01 (an edition stating three SIL classes instead of four), further spread a single approach to functional safety all over the world, including high economic growth areas such as PRC, ME, India and Brazil, which cover most of the new installations in the process industry. IEC 61511 simplifies the approach even in its title, replacing the generic E/E/PE safety-related systems with Safety Instrumented Systems (SIS), and is de facto the international standard that can be confidently relied upon to place and/or maintain the process in a safe state. One of the most important statements of IEC 61511 is the correlation between IEC 61511 and IEC 61508, mandating compliance with IEC 61508 for SIS device Mfrs. and Suppliers and with IEC 61511 for SIS designers, integrators and users. This statement not only saved all the work previously done, in particular on the conformity of logic solvers to IEC 61508, but further boosted the functional safety culture and practice thanks to the much simpler approach to SIS safety lifecycle activities. The adoption of the equivalent standard in the US in 2004 eased the application of IEC 61511 thanks to the publication by ANSI/ISA of Technical Report ISA TR-84.00.04 Part 1 "Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511)" and TR-84.00.04 Part 2 "Example implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511)". Besides IEC 61511 Part 2 as application guidelines, other guidelines on IEC 61511 application were published, such as OLF 070 "Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf" issued by the Norwegian Oil Industry Association, EEMUA 222 "Guide to the application of IEC 61511 to safety instrumented systems in the UK process industries", and CEI 65-186 "Linea guida per l'applicazione della Norma della serie CEI EN 61511 Sicurezza funzionale - sistemi strumentati di sicurezza per il settore dell'industria di processo" issued by the Italian CEI.
IEC 61511 is currently under revision and the new edition will very likely come out in the current year, with an update of definitions and a revision of requirements related mainly to hardware failure rates and fault tolerance (HFT), fault detection, SRS, application software, SIS O&M and testing, prior use (PU) and security.
1.3 IEC 61508 ed. 2
The 2nd edition of IEC 61508, published in April 2010, introduced main changes such as the update of definitions, Management of Functional Safety (FSM), IEC 61508 compliant items, SIF mode of operation, overall SRS, classified failure rates, System Design Requirements Specification, systematic capability, hardware integrity compliance, systematic integrity compliance, on-chip redundancy requirements for integrated circuits (IC), application specific integrated circuits (ASICs) and FPGAs (Field Programmable Gate Arrays), functional safety assessment (FSA), common cause analysis (CCA), safety manual for compliant items, proven in use (PIU) requirements and security. The impact of such a large number of revisions and changes after one full decade of application of IEC 61508 ed. 1 is limited in process industry SIS applications, since, in compliance with IEC 61511, the requirements of IEC 61508 apply - with a few exceptions - to SIS device Mfrs. only.
1.4 IEC 62061
The international standard IEC 62061 "Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems" states the requirements for the safety-related control systems of industrial machinery. IEC 62061 applies to safety-related control systems based on E/E/PE technology, also in combination, used to execute safety control functions on machines that are not portable by hand while working and on groups of machines working in a coordinated manner. IEC 62061 is a sector standard derived from IEC 61508, with requirements concerning both the hardware and the software of safety instrumented functions aimed at minimizing the occupational risk of machinery operators during machine operation, maintenance and cleaning. Management of Functional Safety (FSM), a quantified occupational risk reduction target, and hardware and software integrity requirements - even if simplified for industrial machinery application - are the main features of this performance-based standard.
The installation of machinery packages (e.g. compressors, steam turbines, turbogas, diesel generators) in
the process industry sector mandates the compliance both with IEC 61511 and IEC 62061.
A guideline on IEC 62061 application was published by IEC as Technical Report IEC/TR 62061-1 ed. 1.0 "Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery". An application guide was published in Italy by CEI as CEI CLC/TR 62061-1 "Guida all'applicazione delle Norme ISO 13849-1 ed IEC 62061 nella progettazione di sistemi di controllo relativi alla sicurezza per macchinari".
worldwide. Another driving factor is represented by the industrial insurance companies, focused on an effective reduction of major accident risk (large fire, explosion, toxic cloud, environmental impact). The BP Texas City, Buncefield and BP Horizon accidents showed that huge economic losses, including company loss of reputation, can derive from insufficient protection layers, and that the application of IEC 61508 and IEC 61511 could have played a fundamental role in risk reduction. The certification bodies independent from IEC, in particular the German TÜV Rheinland (historically the first to certify safety PLCs), TÜV Nord, TÜV Süd and RW TÜV, are very active in this market area and play an important role in the application of the IEC 61508 standard.
The issue is that IEC 61508 compliance, even when assessed and certified by independent certification bodies, plays no part in the European Conformity (CE) Mark approval of a device, as happens instead for PED and ATEX. CE Marking demonstrates equipment conformity to the Essential Safety Requirements of all the European Directives applicable to that product. The Seveso Directive is outside this virtuous cycle.
2.2 Legislation and IEC 61511
CENELEC ratified the international standard IEC 61511 Parts 1 to 3 as European Norm EN 61511-1 to 3:2004. EN 61511-1 to 3:2004 has been transposed in EU member countries as national standards (norms) starting from 2004 (e.g. in the U.K. as BS EN 61511-1 to 3:2004). In Italy EN 61511-1 to 3:2004 has been transposed as CEI EN 61511-1 to 3:2004, issued in the English and French languages as the original standard.
The same considerations made above for the European Norm EN 61508 apply to EN 61511.
2.3 Legislation and IEC 62061
CENELEC ratified the international standard IEC 62061 as European Norm EN 62061:2005. EN 62061:2005 has been transposed in EU member countries as national standards (norms) starting from 2005 (e.g. in the U.K. as BS EN 62061:2005). In Italy EN 62061:2005 has been transposed as CEI EN 62061:2005, issued in the Italian and English languages as the original standard.
After its publication by CENELEC in 2010, the norm EN 62061:2005 + Amending Corrigendum AC:2010 became a harmonised standard under the Machinery Directive 2006/42/EC and was published in the OJEU. Compliance with the harmonised standard EN 62061:2005 + Amending Corrigendum AC:2010 provides a presumption of conformity with the corresponding essential health and safety requirements of the Machinery Directive related to the safety and reliability of control systems.
Commission and the other Member States of the bodies which they have appointed to carry out the
assessment of conformity for placing on the market referred to in Article 12(3) and (4), together with the
specific conformity assessment procedures and categories of machinery for which these bodies have been
appointed and the identification numbers assigned to them beforehand by the Commission. Member
States shall notify the Commission and other Member States of any subsequent amendment".
3.2 Process Hazard and Risk Assessment
Since most of the current SIS installations are in the process industry, the Process Hazard and Risk Assessment, as the primary activity of the SIS safety life-cycle, shall be executed in accordance with IEC 61511. Since IEC 61511 clause 8 "Process Hazard and Risk Assessment" and clause 9 "Allocation of safety functions to protection layers" are generic, the practice of these phases gives highly inconsistent results. For MAH process industries HazOp studies are executed to cover hazard and operability issues for normal and abnormal operations such as start-up, shutdown, emergency shutdown and maintenance operations. Other studies such as Hazid and What-if are occasionally executed. The HazOp studies are purely qualitative and, in spite of HazOp guidelines such as IEC 61882 and corporate procedures, the results depend dramatically on several variable factors, such as HazOp team composition, team expertise, team leadership capabilities, session scheduling, project execution advancement state, novelty of the process and language of communication. The HazOp study qualitatively determines process deviations, causes of deviation, consequences of deviations and safeguards - including the safety instrumented functions and alarms - already allocated or to be allocated according to the agreed HazOp Actions. The quality of the HazOp and the awareness of the HazOp team of functional safety issues severely affect the subsequent SIL assignment activity. The missing classification of initiating event likelihood and of severity of consequences makes the HazOp study useless for the SIL assignment study and potentially inconsistent. Merging HazOp and SIL study ("extended" HazOp) by introducing a purely qualitative risk assessment during the HazOp makes both activities dependent on the same team and the same leadership, potentially leading to SIL class over- or under-rating according to team and leader expertise. The IEC 61511 clause 8 and 9 requirements are nominally met, but ineffectively so in several application cases. The same applies to IEC 62061.
3.3 SIL Assignment
The SIF SIL assignment - known also as SIL determination, SIL assessment, SIL review, SIL study, SIL allocation or even SIL classification, since a standardized definition of the activity is missing - is executed worldwide by applying four main methodologies: CRG (Calibrated Risk Graph), LOPA (Layer of Protection Analysis), Risk Matrix and "Extended" HazOp. Since Risk Matrix and "Extended" HazOp are purely qualitative, their results are inconsistent even with the same SIL assignment team, depending on the activity progress state. CRG and LOPA, being semi-quantitative methodologies, provide more consistent results but are severely affected by the SIL Assignment Procedure assigned to the team. The informative Part 3 of IEC 61511 provides scarce and in some cases contradictory information on these very important methodologies, with a dramatic impact on the results. Since CRG and LOPA are primarily based on a qualitative determination of the consequences, in real applications they very often give as a result a SIL upgrade or downgrade for the same hazardous event according to the Corporate Mitigated Target Risk. The consistency of CRG results is severely affected by the definition of the W factor, which is open to different interpretations, as are the enabling events and conditional modifiers in LOPA. A further issue of SIL assignment is represented by the qualitative evaluation of environmental impact consequences, due to deficiency of information, and by the economic impact consequences, optionally included since they are not required by the standard.
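A LOPA-style calculation of the required risk reduction, as an added example that is not part of the paper; the scenario values, the function names and the three corporate target frequencies are constructed, and the block shows the effect described above: the same hazardous event lands in a different SIL depending on the Corporate Mitigated Target Risk and on the credit taken for conditional modifiers.

```python
"""LOPA-style SIL determination for one hazardous event (added example).

The scenario numbers are constructed for illustration. The SIL bands are the
low-demand-mode PFDavg bands of IEC 61508 / IEC 61511 (SIL 1: 1e-2 <= PFDavg < 1e-1,
SIL 2: 1e-3 <= PFDavg < 1e-2, SIL 3: 1e-4 <= PFDavg < 1e-3, SIL 4: 1e-5 <= PFDavg < 1e-4).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# (SIL, lower PFDavg bound inclusive, upper bound exclusive), low-demand mode
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Scenario:
    initiating_event_freq: float                                          # initiating events per year
    enabling_event_prob: float = 1.0                                      # fraction of time the hazard can develop
    conditional_modifiers: List[float] = field(default_factory=list)      # e.g. P(ignition), P(occupancy)
    non_sis_ipl_pfd: List[float] = field(default_factory=list)            # PFDavg of independent non-SIS layers


def residual_freq(s: Scenario) -> float:
    """Hazardous event frequency (per year) with every credit except the SIF applied."""
    f = s.initiating_event_freq * s.enabling_event_prob
    for factor in s.conditional_modifiers + s.non_sis_ipl_pfd:
        f *= factor
    return f


def required_rrf(s: Scenario, target_freq: float) -> float:
    """Risk reduction factor the SIF must provide to reach the corporate target frequency."""
    return residual_freq(s) / target_freq


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map a required RRF to a SIL: 0 = no SIL-rated SIF needed, None = beyond SIL 4 (redesign)."""
    if rrf <= 10.0:          # PFDavg >= 0.1 falls outside every SIL band
        return 0
    pfd_required = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_required < hi:
            return sil
    return None


def sil_by_target(s: Scenario, targets: List[float]) -> Dict[float, Optional[int]]:
    """Same scenario, different corporate mitigated target risk: the SIL moves with the target."""
    return {t: sil_for_rrf(required_rrf(s, t)) for t in targets}


# Constructed scenario: BPCS loop failure as initiating event, 50% of the time in the
# vulnerable mode, one conditional modifier (probability of ignition), and a high alarm
# with operator response plus a relief valve as non-SIS independent protection layers.
EXAMPLE = Scenario(initiating_event_freq=0.1, enabling_event_prob=0.5,
                   conditional_modifiers=[0.4], non_sis_ipl_pfd=[0.1, 0.01])
TARGETS = [1e-5, 1e-6, 1e-7]   # three constructed corporate target frequencies per year

if __name__ == "__main__":
    for target, sil in sil_by_target(EXAMPLE, TARGETS).items():
        print(f"target {target:.0e}/yr -> required RRF {required_rrf(EXAMPLE, target):.0f} -> SIL {sil}")
```

Dropping the 0.4 ignition modifier from the same scenario (i.e. taking no credit for it) raises the residual frequency by a factor of 2.5, which is enough to push a borderline case across a SIL band: this is the interpretation sensitivity the paragraph above describes.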
3.4 Safety Requirements Specification
The Safety Requirements Specification (SRS) according to IEC 61511 Clause 10 is a mandatory document, or collection of documents, to be provided, but as of today the SRS is only occasionally provided to the SIS design and engineering team. The SRS should include documents such as the C&EM (cause and effect matrix), the SIF specification inclusive of all the required SIF information and data, the SIF individual and concurrent safe states, the allowable spurious trip rate, override requirements, SIF and SIS downgrading, manual shutdown requirements, dangerous combinations of SIS output states, abnormal conditions and many others.
3.5 Functional Safety Assessment
IEC 61511-1 sub-clause 5.2.6.1.4 states that at least one functional safety assessment (FSA) shall be carried out to ensure that the hazards arising from a process and its associated equipment are properly controlled. FSAs actually carried out on the SIS before start-up by independent and expert third parties are occasional.
3.6 Management of Functional Safety
IEC 61511-1 clause 5 states the requirements concerning the Management of Functional Safety (FSM) associated with the SIS safety lifecycle activities. ISA-TR84.00.04-2005 "Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)" specifically addresses FSM by defining a Roles & Responsibilities Matrix (R&RM), including the experience and skills required for the disciplines represented in the R&RM. In spite of the importance of a full and efficient FSM implementation, this process is made difficult by the criminal and civil liabilities that accidents may carry, potentially linked directly to the approval responsibility defined in the FSM R&RM for each SIS safety lifecycle activity.
4. Trends
4.1 Current trends
The current trend of IEC 61508 and IEC 61511 application is absolutely satisfactory in the process
industry with the exception of only a few sectors reluctant to any change of the approach to process safety.
The same successful trend applies to the machinery sector, where compliance with IEC 62061 has been full since 2011.
4.2 Favourable trends
- EN 61508 and EN 61511 Norms harmonization to Seveso Directive;
- IEC 61508 Certification Bodies notified by EU Authorities;
- IEC 61508 Certification Plan and Activities covered by IEC 61508;
- SIS active components all covered by IEC 61508 Certification;
- Issue of IEC 61508 application guidelines;
- IEC 61508 derived standards for non-process industry and road tunnels;
- SIS full compliance with IEC 61508 cyber-security requirements;
- Safety Manuals and Restrictions to Use to cover the 100% of SIS active and passive components;
- HazOp team and leader competent and expert in functional safety;
- HazOp to fully determine initiating causes and consequences of hazardous events;
- HazOp to fully determine the occurrence of hazardous events in abnormal conditions;
- QRA application to be set up as HazOp action whenever consequences lead to SIL 3;
- Mitigation Risk Targets for Safety and Environment to be set per industry sector;
- Introduction of SIL, EIL, AIL respectively for Safety, Environment and Assets risk mitigation;
- SIL Assignment methodologies (CRG and LOPA) to be fully defined on IEC 61508 and/or IEC 61511-3;
- Independence criteria of DCS alarms, DCS interlocks and DCS permissives to be fully defined in IEC 61511;
- SRS to be fully defined on IEC 61511-1 including I/O channels segregation criteria;
- FSA activities to be fully defined on IEC 61511-2;
- Management of Functional Safety (FSM) to be fully defined on IEC 61511-2;
- Full Variability Language software, currently to be executed under IEC 61508-3 requirements, to be defined under IEC 61511-1 to avoid misinterpretations and double standard compliance inconsistencies;
- Minimum hardware fault tolerance to be uniquely defined for IEC 61508 and IEC 61511;
- SIL verification methodologies (simplified equations, RBD, FTA) to be fully reported in IEC 61511-3;
- Qualified FMEDA mandatory for the definition of failure rates and SFF for each SIS device;
- Mission time definition mandatory for each SIS device;
- Expert systems risk reduction capability recognition.
In spite of the efforts of four generations of engineers, the goal of an accident-free process industry has still to be reached, but we glimpse a light at the end of the tunnel.
References
EN 61508, 2010, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, IEC, CH.
EN 61511, 2003, Functional Safety: Safety Instrumented Systems for the Process Industry, IEC, CH.
EN 62061, 2005, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC, CH.