
IEC61511 Standard

Overview

Andre Kneisel
Instrumentation Engineer
Chevron C.T. Refinery

SAFA Symposium 2011

August 5th, 2011


Presentation Overview

Provide some understanding of the key aspects of Functional Safety and the applicable standard, IEC 61511.

Attempt to explain some of the associated terminology and acronyms which are frequently used.

Answer the question: how do we determine whether a safety function is required, and if it is required, how reliable should it be?

Answer the question: how do we calculate the reliability of a given safety function?
Presentation Overview (contd)

Explore what the impact is of including explosion protection devices (such as IS isolators) in the reliability calculations.

Explore the impact of including the probability of ignition in the SIL selection process.
INTRODUCTION
What is Functional Safety?

It is the application of systems to maintain or achieve a safe state for a process and its associated equipment.

For the purpose of this presentation we are referring to automated safety systems which generally operate without operator intervention. We are not referring to mitigation systems such as deluge systems or emergency response systems; these are largely outside the scope of the IEC 61511 standard.
IEC 61511 Overview
What is IEC 61511?

The international standard for the design, implementation, operation, maintenance, testing and decommissioning of Safety Instrumented Systems for the process industries.

A performance-based rather than a prescriptive standard.

Focus on management of functional safety and the design lifecycle.

Focus on SIS design and performance that mitigates risk appropriately.

Accepted by CENELEC (European Committee for Electrotechnical Standardization) as a European standard in 2003.

Accepted by ANSI (American National Standards Institute) as a United States standard, ANSI/ISA 84.00.01-2004 Parts 1-3 (IEC 61511 modified).
IEC 61511 WHAT IT IS NOT

IEC 61511 is not a prescriptive standard in the sense of prescribing what safety functions should be implemented. An engineer would not find a list of recommended safety functions for a particular process or type of equipment in the standard.

The standard also does not provide a guide to the required reliability (SIL) of safety functions. It is, in fact, quite possible for two different companies both implementing the same process and equipment to arrive at different target SIL values for the same safety functions, because the target depends on each company's own risk tolerance criteria.
IEC 61508
SAFETY-RELATED SYSTEMS

IEC 61508 is the umbrella standard that covers different industrial sectors. Each sector can develop its own standard using its own terminology, but must follow the framework and core requirements of IEC 61508.

Sector standards and application areas shown on the slide:
Process industries: IEC 61511 (Safety Instrumented Systems)
Manufacturing industries: IEC 62061 (industrial robots, machine tools)
Transportation: railway signalling, braking systems
Lifts
Medical: electro-medical apparatus, radiography
Miscellaneous
Relationship between
IEC 61508 & IEC 61511

Process sector safety instrumented system standards:

Manufacturers and suppliers of devices: IEC 61508

Safety instrumented systems designers, integrators and users: IEC 61511 / ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)
IEC 61511 Overview (contd)
Functional Safety: Safety Instrumented Systems for the Process Industry Sector

Part 1 - Framework, definitions, system, hardware and software requirements

Part 2 - Guidelines for the application of Part 1

Part 3 - Guidance for determining the required Safety Integrity Levels
IEC 61511 Overview:
SIS Lifecycle (contd)

The slide reproduces the IEC 61511-1 safety lifecycle figure. Its phases, with the clauses of IEC 61511-1 that govern each, are:

1. Hazard and risk analysis (Clause 8)
2. Allocation of safety functions to protection layers (Clause 9)
3. Safety requirements specification for the safety instrumented system (Clauses 10 and 12)
4. Design and engineering of the safety instrumented system (Clauses 11 and 12)
5. Installation, commissioning and validation (Clauses 14 and 15)
6. Operation and maintenance (Clause 16)
7. Modification (Clause 17)
8. Decommissioning (Clause 18)
9. Design and development of other means of risk reduction (Clause 9)
10. Management of functional safety and functional safety assessment and auditing (Clause 5)
11. Safety lifecycle structure and planning (Clause 6.2)

Verification (Clauses 7, 12.4 and 12.7) applies across all phases. The slide also maps the phases onto project stages: Design Basis, Detailed Engineering, EPC (engineering, procurement and construction, which includes implementation, commissioning and validation) and O&M (operations and maintenance, including provisions for Management Of Change, MOC).
TERMS AND DEFINITIONS

SIS Safety Instrumented System

A SIS is an instrumented system used to implement one or more safety functions. A SIS is composed of input sensor(s), logic solver(s) and final element(s). Typically a single SIS implements multiple safety instrumented functions and is normally independent of the control systems.

In the past SIS were known as Emergency Shutdown Systems (ESD) or as safety systems. Typically the logic solver is a high-reliability programmable system with redundant power supplies, CPUs and I/O modules. However, the logic solver may also be a simple system comprising relays and contacts used to implement some tripping logic.
TERMS AND DEFINITIONS

SIS - Typical Configuration

[Diagram: input sensors on a reactor (PT 1, PT 2, PT 3, TT 1, TT 2, TT 3) wired to the SIS logic solver (power supply, CPU, input module, output module), which drives the final elements. The BPCS is drawn as a separate system with its own power supply, CPU, input and output modules.]
TERMS AND DEFINITIONS

SIF Safety Instrumented Function

A SIF is a function implemented by a safety instrumented system which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.

Different SIFs can use the same final elements. It is common for different hazards to cause the shutdown of the same unit, in which case the final elements are shared between different SIFs.

It is possible, but less common, for the input sensors to be shared between different safety functions.
TERMS AND DEFINITIONS

SIF Typical Configuration

[Diagram only; not reproduced in this extraction.]
TERMS AND DEFINITIONS

PFD Probability of Failure on Demand

PFD is the likelihood (between 0 and 1) that a safety function will fail to perform as required when a demand occurs.

Examples:

Sensor fails to detect a dangerous condition due to an internal fault.

Block valve fails to close due to sticking.

The PFD of a safety function increases over time between proof tests, as shown on the following slide.
TERMS AND DEFINITIONS

PFD Probability of Failure on Demand

The PFD of a safety function increases over time between proof tests, as shown in the figure on this slide (not reproduced in this extraction).
TERMS AND DEFINITIONS

SIL Safety Integrity Level

The SIL of a safety instrumented function is the measure of the reliability of the function, i.e. the probability of the function performing its intended function, and is based directly on the average PFD of the safety instrumented function over its intended life span.

The SIL value is a discrete value from 1 to 4, with 1 being the least reliable and 4 the most reliable. For instance a PFDavg of 5x10^-3 would equate to SIL 2.
TERMS AND DEFINITIONS

SIL Safety Integrity Level

SIL | Safety Availability Range | PFD Average Range (chance of failing) | Risk Reduction Factor
----|---------------------------|---------------------------------------|----------------------
 1  | 0.9 to < 0.99             | >= 10^-2 to < 10^-1                   | 10 to < 100
 2  | 0.99 to < 0.999           | >= 10^-3 to < 10^-2                   | 100 to < 1,000
 3  | 0.999 to < 0.9999         | >= 10^-4 to < 10^-3                   | 1,000 to < 10,000
 4  | 0.9999 to < 0.99999       | >= 10^-5 to < 10^-4                   | 10,000 to < 100,000

Safety availability is 1 - PFDavg and the risk reduction factor is 1 / PFDavg, so the three columns express the same band in three ways.
TERMS AND DEFINITIONS

SIL Safety Integrity Level

Key Concept:
A SIL value is normally associated with an entire safety function; however, individual SIF components may be certified in terms of IEC 61508 to have a SIL capability. For instance a logic solver may be certified SIL 3. This means that the logic solver may be used as part of a SIL 3 safety instrumented function.

It does not mean that any safety instrumented function using this logic solver will automatically meet SIL 3.
TERMS AND DEFINITIONS

Proof Tests

These are tests which are carried out to confirm that a safety instrumented function still operates as required, revealing dangerous failures that the system's own diagnostics cannot detect.

Key Concept:
The PFDavg of a safety instrumented function is directly related to the proof test frequency. Consequently the SIL of a safety instrumented function is also directly related to the proof test frequency.
TERMS AND DEFINITIONS

Annual Proof Test (figure; not reproduced in this extraction)

Proof Test Every Four Years, Same SIF (figure; not reproduced in this extraction)
SIL SELECTION

In the past, when deciding what safety functions to implement, engineers either based their decisions on prescriptive standards (where available) or, in many cases, on good engineering practice or past experience.

IEC 61511 requires that a company follow a SIL selection process as part of the Hazard and Risk Analysis phase. The standard is not prescriptive with regard to which SIL selection method to use, but does propose some example methods:

Risk Graph Method

Risk Matrix Method

Quantitative: Layer Of Protection Analysis (LOPA)

As Low As Reasonably Practicable (ALARP)
SIL SELECTION

Key Concept:
The target SIL of a SIF is based on the amount of risk reduction needed to reduce the risk of the consequence scenario to an acceptable level (as determined by company policy).

Risk reduction required from the SIF = (total risk reduction needed) / (risk reduction provided by the non-SIS protection layers)

The target SIL is then the SIL band whose risk reduction factor range contains that value.
SIL SELECTION
LOPA EXAMPLE

[LOPA worksheet figure; not reproduced in this extraction. The next slide reads off its results.]
SIL SELECTION
LOPA EXAMPLE (contd)

Using the LOPA example of the previous slide:

If the company's risk policy states that the maximum loss per hazard may not exceed 1x10^-5 fatalities per year or R100,000 per year, then the risk must be reduced by a minimum factor of 7.175, which equates to an additional SIL 1 safety function (RRF 10 to 100; SIL 1 is the lowest level a SIF can claim).

If, on the other hand, the company's risk policy states that the maximum loss per hazard may not exceed 1x10^-4 fatalities per year or R100,000 per year, then no additional safety function is required!
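The selection logic of the two LOPA slides, as an added worked example that is not the slide's worksheet or any Chevron material: the hazardous-event frequency is computed with the non-SIS protection layers and the probability of ignition credited, the required risk reduction factor is taken against each of the company's tolerability criteria, and the target SIL follows from the RRF bands of the SIL table above. Every scenario figure, name and tolerable-risk value in the block is a constructed assumption.

```python
"""LOPA-style target SIL selection.  Added worked example; the scenario
figures below are constructed sample values, not the slide's worksheet."""
from dataclasses import dataclass, replace
from math import prod

# Risk reduction factor bands a single SIF can provide (IEC 61511, low demand mode):
# SIL 1: 10 to <100, SIL 2: 100 to <1000, SIL 3: 1000 to <10000, SIL 4: 10000 to <100000
RRF_BANDS = ((4, 10_000.0), (3, 1_000.0), (2, 100.0), (1, 10.0))


def sil_from_rrf(rrf: float):
    """Target SIL for the risk reduction the SIF must provide.
    0 means no SIF is needed; "NS" means more than a SIL 4 function would be
    needed, so the process or the other protection layers must change instead."""
    if rrf <= 1.0:
        return 0
    if rrf >= 100_000.0:
        return "NS"
    for sil, lower in RRF_BANDS:
        if rrf >= lower:
            return sil
    return 1  # 1 < rrf < 10: SIL 1 is the lowest level a SIF can claim


@dataclass(frozen=True)
class Scenario:
    initiating_event_freq: float   # initiating events per year
    enabling_probability: float    # probability that the enabling condition is present
    ipl_pfds: tuple                # PFD of each non-SIS independent protection layer
    prob_ignition: float           # probability that the release ignites
    fatalities_per_event: float
    loss_per_event: float          # financial loss per event (currency units)

    def mitigated_frequency(self) -> float:
        """Hazardous-event frequency per year with all non-SIS IPLs credited
        but no safety function allowed for (the risk the SIF must reduce)."""
        return (self.initiating_event_freq * self.enabling_probability
                * prod(self.ipl_pfds) * self.prob_ignition)


def required_rrf(s: Scenario, tol_fatalities_per_year: float, tol_loss_per_year: float) -> float:
    """Risk reduction the SIF must supply: residual risk divided by tolerable
    risk, taking the worst case over the company's criteria."""
    f = s.mitigated_frequency()
    return max(f * s.fatalities_per_event / tol_fatalities_per_year,
               f * s.loss_per_event / tol_loss_per_year)


def target_sil(s: Scenario, tol_fatalities_per_year: float, tol_loss_per_year: float):
    return sil_from_rrf(required_rrf(s, tol_fatalities_per_year, tol_loss_per_year))


# Constructed scenario: a BPCS loop failure leads to overpressure and a flammable release.
SCENARIO = Scenario(
    initiating_event_freq=1.0,      # one BPCS loop failure per year
    enabling_probability=0.125,     # hazardous operating mode present 1/8 of the time
    ipl_pfds=(0.1, 0.1),            # operator response to alarm, relief valve
    prob_ignition=0.04,
    fatalities_per_event=1.0,
    loss_per_event=1_000_000.0,
)
# The same scenario with no credit taken for the probability of ignition.
SCENARIO_IGNITION_IGNORED = replace(SCENARIO, prob_ignition=1.0)

if __name__ == "__main__":
    for name, s in (("ignition credited", SCENARIO), ("ignition ignored", SCENARIO_IGNITION_IGNORED)):
        for tol in (1e-5, 1e-4):
            print(f"{name}, tolerable {tol:.0e} fatalities/yr: RRF needed "
                  f"{required_rrf(s, tol, 100_000.0):.3g} -> target SIL {target_sil(s, tol, 100_000.0)}")
```

With the constructed figures the scenario needs an RRF of 5 against a 1x10^-5 fatalities/year criterion (target SIL 1), needs no SIF at all against 1x10^-4, and jumps to SIL 2 if the probability of ignition is left out of the likelihood, which is the point made on the risk matrix and conclusion slides.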
SIL SELECTION
RISK MATRIX EXAMPLE

Rows are the likelihood index (decreasing downwards), columns are the consequence index (decreasing to the right). In each cell the first line is the SIL the matrix calls for (NR (0) = no SIF required; NS (4) and NS are the slide's labels for cells beyond SIL 3) and the second line (RR) is the risk ranking number printed on the slide.

Likelihood \ Consequence | 6 Incidental | 5 Minor | 4 Moderate | 3 Major | 2 Severe | 1 Catastrophic
1 Likely      SIL | NR (0) | 1      | 2      | 3      | NS (4) | NS
              RR  | 7      | 6      | 5      | 4      | 3      | 2
2 Occasional  SIL | NR (0) | NR (0) | 1      | 2      | 3      | NS (4)
              RR  | 8      | 7      | 6      | 5      | 4      | 3
3 Seldom      SIL | NR (0) | NR (0) | NR (0) | 1      | 2      | 3
              RR  | 9      | 8      | 7      | 6      | 5      | 4
4 Unlikely    SIL | NR (0) | NR (0) | NR (0) | NR (0) | 1      | 2
              RR  | 10     | 9      | 8      | 7      | 6      | 5
5 Remote      SIL | NR (0) | NR (0) | NR (0) | NR (0) | NR (0) | 1
              RR  | 10     | 10     | 9      | 8      | 7      | 6
6 Rare        SIL | NR (0) | NR (0) | NR (0) | NR (0) | NR (0) | NR (0)
              RR  | (not shown on the slide)

The probability of ignition must be taken into account when selecting the likelihood.
SIL SELECTION
RISK MATRIX EXAMPLE (contd)

If, in the example on the previous slide, the likelihood of a severe consequence occurring (with all protection layers present and enabling events accounted for, but no safety function allowed for) is assessed as seldom, then the risk matrix indicates that an additional SIL 2 safety function is required (row "3 Seldom", column "2 Severe").
SIL CALCULATION
FAILURE RATES

Reliability data for SIL rated equipment is normally provided in terms of the failure rates λS, λDD and λDU (e.g. failures per hour).

λS = Safe Failure Rate. This is the rate of the equipment failing to a safe state. For instance, a block valve failing into the closed position.

λDD = Dangerous Detected Failure Rate. This is the rate of the equipment failing into an unsafe state, but with diagnostic notification which ensures that operators are made aware of the failure.

λDU = Dangerous Undetected Failure Rate. This is the rate of the equipment failing into an unsafe state without diagnostic notification. For instance, a block valve stuck in the open position, or a relay with contacts welded in the closed position.

THIS IS THE FAILURE RATE USED FOR CALCULATING THE PROBABILITY OF FAILURE ON DEMAND (PFD).
SIL CALCULATION
PFD CALCULATION

[Calculation figure; not reproduced in this extraction.]
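The calculation itself is not recoverable from the extracted slide, so the following is an added derivation (not from the presentation) of the simplified low-demand formula that the proof-test and voting slides rely on. Only the dangerous undetected rate λ_DU and the proof test interval T_I appear. A dangerous undetected failure stays hidden until the next proof test, so the probability that a single-channel (1oo1) component has already failed at time t after a test is

$$\mathrm{PFD}(t) = 1 - e^{-\lambda_{DU}\, t} \approx \lambda_{DU}\, t \qquad (\lambda_{DU}\, t \ll 1),$$

and averaging over one test interval gives

$$\mathrm{PFD}_{avg} = \frac{1}{T_I}\int_{0}^{T_I} \lambda_{DU}\, t \, dt = \frac{\lambda_{DU}\, T_I}{2}.$$

For a SIF whose sensor, interface, logic solver and final element subsystems are all 1oo1 and in series, a dangerous failure of any one of them defeats the function, so to first order the subsystem PFDs add:

$$\mathrm{PFD}_{avg,SIF} \approx \sum_{i} \mathrm{PFD}_{avg,i} = \frac{T_I}{2} \sum_{i} \lambda_{DU,i}$$

when every subsystem is tested at the same interval. This is why the proof test interval enters linearly (testing every four years instead of annually quadruples the PFDavg of the same SIF) and why the SIL of the whole function cannot be read off the component certificates. λS does not appear because a safe failure takes the process to its safe state, and λDD does not appear because a detected failure is revealed by diagnostics; a full IEC 61508-6 calculation adds terms for the repair time of detected failures and for common-cause failures of redundant channels.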
SIL CALCULATION
INCORRECT METHOD

[Diagram: sensor (PT) -> interface IS isolator -> logic solver -> interface IS isolator -> final element (XV), each component carrying its own certified SIL. The slide shows SIL 2 for the sensor and the final element and SIL 3 or SIL 4 for the isolators and the logic solver, and then (incorrectly) concludes "SIL 2 for the whole safety function".]

Key Concept:
The Safety Integrity Level (SIL) of the whole safety function is not equal to the lowest SIL of the components. This is a common mistake.
SIL CALCULATION
CORRECT METHOD

Note:
The PFD of the whole safety function can be influenced by the inclusion of intrinsic safety components which are used for explosion protection.

[Diagram: the same loop, sensor (PT) -> interface IS isolator -> logic solver -> interface IS isolator -> final element (XV), with every component, including both IS isolators, included in the PFD calculation.]

Key Concept:
To calculate the SIL of the whole safety function it is necessary to combine the PFDs of the individual components to calculate an overall PFD, and to derive the overall SIL value from that.
SIL CALCULATION
Methods to Increase SIL of Safety Function

Use voting architectures. Typically 2oo3 voting or 1oo2 voting is used to increase the achieved SIL value. Note that 2oo2 voting actually decreases the achieved SIL value, because both channels must work for the function to trip.

Use higher reliability components. In most cases the limiting component is the final element.

Increase the proof testing frequency.
SIL CALCULATION
Using Voting Architectures

[Diagram: three pressure transmitters (PT) with 2 out of 3 voting -> interface IS isolators -> logic solver -> interface IS isolators -> two final elements (XV) with 1 out of 2 voting.]

Note:
When using voting architectures it is necessary to use more sophisticated calculation methods or software tools such as exSILentia to perform SIL calculations.
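The proof-test key concept, the incorrect and correct methods, the list of ways to raise a SIF's SIL and the voting diagram above can be put together in one small calculation. The following is an added example, not code from the presentation, from Chevron or from exSILentia: the failure rates, certified SILs and proof-test intervals are constructed sample values, and the voting formulas are the simplified IEC 61508-6 expressions with common-cause and repair-time terms left out, which is exactly the simplification the note above warns that a real tool does not make.

```python
"""SIF PFDavg verification: the 'correct method' of summing component PFDs,
the effect of proof-test interval, IS isolators and voting architectures.
Added illustration; the failure rates below are constructed sample values,
not vendor certificate data or figures from the presentation."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61511 low-demand bands: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class Component:
    name: str
    lambda_du: float     # dangerous undetected failure rate, failures per hour
    certified_sil: int   # SIL capability printed on the device certificate


@dataclass(frozen=True)
class Subsystem:
    """One voted group of identical channels; a channel is the series of components listed."""
    name: str
    channel: tuple       # Components in series within one channel
    architecture: str    # "1oo1", "1oo2", "2oo2" or "2oo3"

    def channel_lambda_du(self) -> float:
        # Components in series within a channel: their dangerous undetected rates add.
        return sum(c.lambda_du for c in self.channel)


def sil_from_pfd(pfd_avg: float) -> int:
    """Achieved SIL for a PFDavg (0 means the function does not even reach SIL 1)."""
    if pfd_avg < 1e-5:
        return 4
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def pfd_avg_voted(lambda_du: float, ti_hours: float, architecture: str) -> float:
    """Simplified IEC 61508-6 low-demand formulas, valid while lambda_du * ti << 1.
    Common-cause (beta factor) and repair-time terms are ignored, so the voted
    figures are optimistic; a real verification (e.g. in exSILentia) includes them."""
    x = lambda_du * ti_hours
    formulas = {
        "1oo1": x / 2,       # single channel
        "1oo2": x ** 2 / 3,  # either channel trips: PFD drops to second order
        "2oo2": x,           # both channels must trip: twice the 1oo1 PFD
        "2oo3": x ** 2,      # any two of three must trip
    }
    return formulas[architecture]


def pfd_breakdown(sif, ti_hours: float) -> dict:
    """PFDavg contributed by each subsystem of the SIF."""
    return {s.name: pfd_avg_voted(s.channel_lambda_du(), ti_hours, s.architecture) for s in sif}


def sif_pfd_avg(sif, ti_hours: float) -> float:
    """Correct method: subsystems are in series, so their PFDavg values add (first order)."""
    return sum(pfd_breakdown(sif, ti_hours).values())


def sil_achieved(sif, ti_hours: float) -> int:
    return sil_from_pfd(sif_pfd_avg(sif, ti_hours))


def sil_lowest_certified(sif) -> int:
    """The incorrect method: take the lowest certified SIL of any component."""
    return min(c.certified_sil for s in sif for c in s.channel)


def component_share_1oo1(sif, ti_hours: float, component_name: str) -> float:
    """Fraction of the SIF PFDavg contributed by every component with this name.
    Only meaningful when all subsystems are 1oo1, where contributions add linearly."""
    assert all(s.architecture == "1oo1" for s in sif)
    part = sum(c.lambda_du * ti_hours / 2 for s in sif for c in s.channel if c.name == component_name)
    return part / sif_pfd_avg(sif, ti_hours)


# Constructed sample components (not from the presentation or any vendor).
PT = Component("pressure transmitter", 5e-7, 2)
ISO = Component("IS isolator", 1e-8, 3)
LS = Component("logic solver", 5e-9, 3)
XV = Component("shutdown valve", 2e-6, 2)

SIMPLEX_SIF = (
    Subsystem("sensor", (PT, ISO), "1oo1"),
    Subsystem("logic solver", (LS,), "1oo1"),
    Subsystem("final element", (ISO, XV), "1oo1"),
)
VOTED_SIF = (
    Subsystem("sensor", (PT, ISO), "2oo3"),
    Subsystem("logic solver", (LS,), "1oo1"),
    Subsystem("final element", (ISO, XV), "1oo2"),
)

if __name__ == "__main__":
    for label, sif in (("1oo1 throughout", SIMPLEX_SIF), ("2oo3 sensors, 1oo2 valves", VOTED_SIF)):
        for years in (1.0, 0.5):
            ti = years * HOURS_PER_YEAR
            print(f"{label}, proof test every {years} y: PFDavg = {sif_pfd_avg(sif, ti):.2e}"
                  f" -> SIL {sil_achieved(sif, ti)} (lowest certified SIL = {sil_lowest_certified(sif)})")
    print("IS isolator share of the 1oo1 SIF PFDavg:",
          f"{component_share_1oo1(SIMPLEX_SIF, HOURS_PER_YEAR, 'IS isolator'):.1%}")
```

With these sample rates the single-channel loop built from components certified SIL 2 and SIL 3 achieves only SIL 1 at an annual proof test (PFDavg about 1.1x10^-2), reaches SIL 2 when the test interval is halved, and reaches SIL 3 with 2oo3 sensors and 1oo2 valves, while the two IS isolators contribute under one percent of the total, which is the conclusion slide's point about isolators. Keeping each isolator inside the channel it protects is deliberate: a voted sensor group has one isolator per transmitter, so the isolator's rate belongs in the channel rate before the voting formula is applied, not added afterwards.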
CONCLUSION

The IEC 61511 standard provides a framework for the activities required to implement Safety Instrumented Systems in the process industries.

The hazard analysis and SIL selection processes form a fundamental part of the safety lifecycle and must be performed in the initial stages of the lifecycle.

The SIL selection process and risk tolerance parameters must be prescribed by the company's or organization's policy.
CONCLUSION (contd)

The selection of a safety instrumented function's SIL can be strongly influenced by the probability of ignition. Measures to reduce the probability of ignition reduce the requirement for high SIL safety functions.

When calculating the actual achieved SIL of a safety instrumented function, it is important to take the PFD of all components into account. This means that in applications where intrinsically safe barriers or isolators are used for explosion protection, these components should be included in the calculations. It should be noted that these components generally have low PFD values in relation to the other components.
Questions?
Andre Kneisel
Tel: 021-508-3044
Cell: 083-300-2022
Email: aypk@chevron.com

ABBREVIATIONS
ESD Emergency Shutdown

IPL Independent Protection Layer

PCS Process Control System (such as DCS or PLC)

PFD Probability of Failure on Demand

PHA Process Hazards Analysis

SAT Site Acceptance Test

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SRS Safety Requirements Specification

REFERENCES

International Electrotechnical Commission, IEC 61511-1 standard

Chevron Corporation, CVX-SIS-101/102/201/202 training manuals

Exida, exSILentia Integrated Safety Lifecycle Tool