
The Principles of IEC 61508 and IEC 61511
Day 1
C. Timms
Tel: +44 (0) 1339 886618
c.timms@ifb.co.uk

© C & C Technical Support Services 2008 1 IEC 61508/61511 Training


Contents
Topic Page
Background and Scope 4
Management of Functional Safety 22
Hazards and Risk 28
Safety Instrumented Functions (SIF) 68
SIL determination by quantitative method 92
SIL determination by qualitative method 99
Layers of Protection Analysis 122
Case studies 139
Issues 146



Day 1 Objectives
- To understand the background and need for the standards.
- To understand how the standards aid regulation compliance.
- To know how to manage functional safety.
- To identify hazards and understand risks.
- To be able to participate in various qualitative and quantitative risk assessment methods.
- To review some typical case studies.
- To understand some of the issues.


Background & Scope
IEC 61508:
- IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-related systems
- Published 98-99
- This is the generic standard for all industry sectors


IEC 61511 for the Process Industry Sector
- One of a set of specific sector standards
  Functional safety: Safety instrumented systems (SIS) for the process industry sector
- Sits below the IEC 61508 generic standard
- Publication – 2003


Relationship of IEC 61508 & IEC 61511 (process sector safety system standards)
[Diagram: IEC 61508 applies to manufacturers & suppliers of devices; IEC 61511 applies to safety instrumented systems designers, integrators & users]


IEC 61511 - Scope
- Process (chemicals, oil & gas, paper, non-nuclear power generation)
- End-to-end safety instrumented system (SIS)
  h/w, application s/w, management and human factors
- Excludes embedded software
- Not for equipment vendors
- It is lifecycle management with 16 phases

IEC 61511 for the Process Industry Sector
- There are 3 parts:
  1. General framework, definitions, system, software and hardware requirements
  2. Guidelines in the application of Part 1
  3. Guidelines in the application of hazard and risk analysis


Background to IEC 61508
- There was little guidance on the required design integrity of protective functions, other than the QRA
- The advent of PLCs presented integrity issues
  Hardware and software integrity
  Engineering safety functions in control systems and vice versa
- The ‘three wise men’ approach to test strategy
  Mainly concerned with their concept of criticality
  Seldom considered the adequacy of protective function design


Background: ANSI/ISA S.84.01
- ‘Application of Safety Instrumented Systems for the Process Industries’
- US National Standard
- Replaced by content of IEC 61511
  new standard — ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511 Mod), "Functional Safety: Safety Instrumented Systems for the Process Industry Sector"


Background: IEC SC65A/WG/TG ‘C’
- Chair – Vic Maggioli (ex Dupont)
- Dupont, Shell, Dow, BASF, Elf, BNFL, EDF Energy
- ABB, Honeywell, Triconex, Siemens, ICS, Toshiba
- HSE


Background: UK Aid to Regulation Compliance
Management of Health & Safety at Work Regs, 1992
Every employer MUST comply:
- Every employer shall make a suitable and sufficient assessment of the risks to the health & safety of his employees ….and of persons not in his employment
- Every employer shall make and give effect to such arrangements as are appropriate…..


Background: Seveso II Directive
Nypro Flixborough - 1974, Cyclohexane
- 28 people were killed
- 36 more injured
DSM, Beek - 1975, Naphtha cracker
- 28 people were killed
- 107 more injured
ICMESA (Seveso) - 1976, Dioxin release 6km x 1km
- 17,000 people affected
- 2,000 people treated for poisoning
- 600 evacuated


Background: Aid to regulation compliance
- The European Union Seveso II Directive
  Control of Major Accident Hazard Regulations (COMAH), UK 1999
- The European Union 99/92 EC (ATEX) - Explosive Atmospheres Directive
  UK: Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR)


Background: Safety Case Regulations
Safety Case Regulations 1992: Following Piper Alpha - 1988

Background: Safety Case Regulations
- The Offshore Installations (Safety Case) Regulations (SCR), 1992
- Prevention of Fire, Explosion and Emergency Response (PFEER) on Offshore Installations Regulations, 1995
- The Offshore Installations and Wells (Design and Construction etc.) Regulations, 1996


Complying With Regulations
Q: How can this be best achieved?
A: Adopt the best available standards:
- IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems (Generic);
- IEC 61511 – Functional safety: Safety Instrumented Systems for the process industry sector (Process sector specific).
Q: Why?
A: They are internationally agreed
A: They generally map regulation requirements
A: They will help you manage risk


Mapping regulations / IEC 61511

Requirement                                                            SEVESO II / COMAH / SCR   IEC 61511
Hazards are identified                                                 YES                       YES
Safety critical elements are identified                                YES                       YES
Risks are kept as low as reasonably practicable                        YES                       YES
Design is appropriate                                                  YES                       YES
Performance standards are set                                          YES                       YES
Operation against performance standards is verified                    YES                       YES
Performance is reviewed and modifications made where necessary         YES                       YES
Change controls                                                        YES                       YES
Operations do not compromise integrity                                 YES                       YES
Safety critical roles are identified                                   YES                       YES
People in safety critical roles are assessed as competent              YES                       YES
There is an audit trail for the decision making process                YES                       YES
The integrity of the facility is maintained throughout its lifecycle   YES                       YES




Overall IEC 61508 Safety Lifecycle
1. Concept
2. Overall scope definition
3. Hazard & risk analysis
4. Overall safety requirements
5. Safety requirements allocation
Overall planning:
6. Overall operations & maintenance planning
7. Overall safety validation planning
8. Overall installation & commissioning planning
Realisation:
9. Safety-related systems: SIS realisation
10. Safety-related systems: other technology realisation
11. External risk reduction facilities realisation
12. Overall installation & commissioning
13. Overall safety validation
14. Overall operation, maintenance & repair
Overall modification & retrofit (back to the appropriate overall safety lifecycle phase)
Decommissioning or disposal


HSE Statistics on causes of ACCIDENTS
- Requirement Specification: 44%
- Design/Implementation: 15%
- Installation & Commissioning: 6%
- Operation & Maintenance: 15%
- Changes After Commissioning: 20%


Management of functional
safety
(IEC 61511 Part 1)



Management of functional safety
- Requirements:
  General:
  - Defined policy and strategy for achieving safety
  - Defined means of evaluating its achievement
  - A Safety Management System to ensure safety instrumented systems are appropriate.
  Organization:
  - Responsible persons, departments & organisations identified for each of the lifecycle phases
  - Competency assurance at each stage
    - Knowledge, training, experience and application
    - Knowledge of legal and safety regulations
    - Understanding of hazards and consequences
    - Understanding of novelty and complexity of technology


Management of functional safety
- Requirements:
  Information maintenance (audit trail)
  - Hazard and risk assessment results
  - Safety requirements
  - The equipment used for SIFs
  - Organization responsible for functional safety
  - Procedures for development and maintenance of SIS
  - Modification information
  Evaluation and risk management
  - Hazards identified and evaluated
  - The necessary risk reduction measures determined
  Planning
  - Activities, departments and persons (‘Safety Plan’)


Management of functional safety
- Requirements
  Implementing and monitoring procedures
  - Hazard analysis and risk assessment
  - Design
  - Assessment activities
  - Verification activities
  - Validation activities
  Software configuration management
  - Planning and procedures for software procurement, development, integration, verification, validation and modification


Management of functional safety
- Requirements
  Assessment, auditing and revisions
  - Functional safety assessment (team members)
    Stage 1 – after hazard and risk assessment, required protection layers and safety requirement specification
    Stage 2 – after design of SIS
    Stage 3 – after installation, pre-commissioning and final validation, and operation and maintenance procedures have been developed
    Stage 4 – after gaining operating and maintenance experience
    Stage 5 – prior to decommissioning of a SIS


Safety lifecycle requirements
(IEC 61511 Part 1)



Hazard & Risk Analysis
(IEC 61511 Part 3)



Hazards and Risk
- What is a hazard?
  The potential source of harm, damage to property, production or the environment, production losses or increased liabilities
  Where harm is:
  - Physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or the environment, and/or the physical damage made to property, production or the environment, production losses, or increased liabilities


HAZard and OPerability (HAZOP) Studies
- First introduced by ICI following the Flixborough (Nypro UK) disaster of 1974
  28 people were killed
  36 more were injured
- Detailed study and reporting technique to identify hazards by:
  systematically questioning every part of a process;
  establishing how deviations from design intent can occur
- Identify the need for Safeguards


HAZOP Overview
[Diagram] Inputs to HAZOP studies: the IEC 61882 Hazop application guide; the European Union Seveso II Directive, which requires operators to identify all hazards.
Outputs:
- IDENTIFY SAFEGUARDS: mechanical, process design, instrument based safeguards, procedural etc
- RAISE ACTIONS: action responses & closeout
- SIL Risk Assessment


Process Hazard Studies
[Timeline] Hazard studies 1 to 6 aligned with the project phases:
- Hazard Study 1 – Process Development
- Hazard Study 2 – Process Definition
- Hazard Study 3 – Process Design
- Hazard Study 4 – Procurement and Construction
- Hazard Study 5 – Commissioning
- Hazard Study 6 – Operation


HAZARD STUDY 1 - PURPOSE
To ensure that understanding of the project, the processes and the materials involved is sufficient to enable safety, health and environmental issues to be properly addressed.


Typical Hazard Study 1 Report
- Project Definition
- Process Description
- Control Philosophy
- Incident Review
- Inherent SHE
- Materials Hazards
- Personal Safety and Health
- Environment
- References
- Transport and Siting
- External Authorities
- Design Guidelines and Codes
- Organisation
- Emergency Facilities
- Further Studies and Actions
- Conclusion


Hazard Reduction
Typical hazard reduction prompts that may be used in the development stage are given below. Each prompt in the left list is considered in turn with each prompt in the right list:

Eliminate      Inventory
Minimise       Pressure
Substitute     Temperature
Moderate       Energy release
Simplify       Process equipment
               Unwanted reaction

Hazard study 2
- The purpose of Hazard study 2 is to identify significant hazards and ensure that there are appropriate measures to eliminate risk or reduce risks to tolerable levels
- Key Aspects
  Identification of significant hazardous events
  Identification of causes or sequences that lead to the hazardous event
  Consequences
  Quantification of the likelihood of unmitigated risks
  Identify preventative measures to reduce likelihood
  Emergency measures to reduce consequences
  Confirmation of relief and control philosophies


Hazard study 2
- Team members
  Process, Operations, HS&E, instruments etc.
- Flow sheets and equipment details
- Control block diagrams
- Input from Hazard Study 1


Hazard 2 flow diagram
For each hazard keyword and item of process equipment:
1. Can it occur?
2. Causes?
3. Consequences?
4. Can it be prevented?
5. Can it be protected against, or the consequences mitigated (protection measures)?
6. Record measures to be incorporated in the design, then move to the next keyword


Hazard 2 – Progress record
Plant Area area/description: 05/ Sterilizer
Flow sheet No: 05-001 rev 1

Hazard Type              Reviewed (Yes/No)   Possible Hazard   Hazard Ref No
External fire            √                   √                 05/1
Internal fire            √                   √
Internal explosion       √                   √
etc
Environmental Pollution  √                   √                 05/2
Special items raised     √                   √


Hazard 2 - Measures to prevent or eliminate causes

Measures to prevent causes                      Reduces hazard due to
Pressure/temperature reduction in process       High energy levels, stresses
Minimize equipment, piping, seals and joints    Leaks
Design for containing maximum pressure          Location/layout/spacing
                                                Interactions/confined spaces
Provide pressure relief system                  Location/layout/spacing
Operational alarms                              Wrong operating conditions
Automatic protection systems (SIS)              Wrong operating conditions, dependency on human response

Hazard study 3 - HAZOP
- Principles of HAZOP:
  To identify hazards or operability problems through credible deviations from the design intent.
  The methodology is based on parameters and “guideword examination” of elements of a plant or system


Hazard study 3 - HAZOP
When should the HAZOP study be done?
[Timeline] Flowsheets & P&IDs (PHA/Haz 2 at this stage) -> Basic Eng Design: P&IDs, interfaces, design of safeguards, trips and alarms -> HAZOP -> Release of P&IDs for detail design and construction


Overall HAZOP study procedure
Definition Phase
- Scope & objectives
- Responsibilities
- Select team
Preparation Phase
- Plan
- Collect data
- Choose recording method
- Estimate time required
- Arrange the schedule
Examination Phase
- Divide system into elements
- Examine element for deviations from design intent
- Identify possible deviations, cause, consequences, protection needs
- Agree actions; repeat for each element
Reporting and Follow-up Phase
- Record on worksheets
- Sign off records
- Produce report
- Follow up actions
- Restudy where needed
- Issue final report

Typical Parameters & Guidewords

Parameter or Element   Guidewords that can give a meaningful combination
Flow                   None; more of; less of; reverse; elsewhere; as well as
Temperature            Higher; lower
Pressure               Higher; lower; reverse
Level                  None; higher; lower
Mixing                 Less; more; none
Reaction               Higher (rate of); lower (rate of); none; reverse; as well as
Phase                  Other; reverse; as well as
Composition            Part of; as well as
Communication          None; part of; more of; less of; other; as well as


Basic Guidewords and Meanings

Guideword                 Meaning
NO or NOT (or none)       None of the design intent is achieved
MORE (more of, higher)    Quantitative increase
LESS                      Quantitative decrease
AS WELL AS (more than)    Qualitative modification or additional activity occurs
PART OF                   Only some of the design intent is achieved
REVERSE                   Logical opposite of design intent
OTHER THAN                Complete substitution – another activity takes place


Guidewords relating to location,
order and timing


Creating deviations
Combining guidewords with parameters generates deviations, some of which are credible and some are not credible:
Guideword + Parameter -> Possible Deviation
The Hazop study team has the task of deciding what elements are applicable and then deciding what deviations are credible for each element
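A worked version of this step, written for this page as an added example (not the course's own material): it expands the slide's parameter/guideword table into candidate deviations for the tank-transfer example and picks out the worksheet rows whose risk was recorded as not acceptable. The row layout, the `credible` screening hook and the "acceptable risk == NO" triage rule are assumptions of this example.

```python
"""HAZOP deviation generation and worksheet triage for the tank-transfer example.

Added example, not the course's own material.  The parameter/guideword table
and the two worksheet rows are transcribed from the slides; the row layout,
the `credible` hook and the 'acceptable risk == NO' triage rule are assumptions
of this example.
"""

# Parameter -> guidewords that give a meaningful combination (slide table).
PARAMETER_GUIDEWORDS = {
    "Flow": ["none", "more of", "less of", "reverse", "elsewhere", "as well as"],
    "Temperature": ["higher", "lower"],
    "Pressure": ["higher", "lower", "reverse"],
    "Level": ["none", "higher", "lower"],
    "Mixing": ["less", "more", "none"],
    "Reaction": ["higher (rate of)", "lower (rate of)", "none", "reverse", "as well as"],
    "Phase": ["other", "reverse", "as well as"],
    "Composition": ["part of", "as well as"],
    "Communication": ["none", "part of", "more of", "less of", "other", "as well as"],
}


def generate_deviations(elements, table=PARAMETER_GUIDEWORDS, credible=None):
    """elements: {"Tank A": ["Level", ...], ...} -> [(element, parameter, guideword)].

    Every meaningful guideword + parameter pair becomes a candidate deviation;
    `credible(element, parameter, guideword)` stands for the study team's
    screening decision and defaults to accepting everything.
    """
    out = []
    for element, params in elements.items():
        for param in params:
            if param not in table:
                raise ValueError(f"no guideword set for parameter {param!r}")
            for gw in table[param]:
                if credible is None or credible(element, param, gw):
                    out.append((element, param, gw))
    return out


# Worksheet rows transcribed from example sheets 1 and 2 (Tank A / Level).
EXAMPLE_SHEETS = [
    {
        "element": "Tank A", "parameter": "Level", "deviation": "NONE",
        "meaning": "Tank is empty",
        "causes": [
            {"cause": "No supply", "how_often": "Monthly", "consequence": "No transfer",
             "severity": "Nil", "safeguards": "Operational", "acceptable": "N/A"},
            {"cause": "Extraction exceeds inflow", "how_often": "Monthly",
             "consequence": "Pump damage", "severity": "Moderate+ loss of production",
             "safeguards": "None", "acceptable": "NO"},
        ],
        "what_should_be_done": "Low level detection and interlock on pump",
        "action": "Specify safety trip: Process and Instrument engineers",
    },
    {
        "element": "Tank A", "parameter": "Level", "deviation": "MORE",
        "meaning": "Tank overfills",
        "causes": [
            {"cause": "Uncontrolled input", "how_often": "Probable",
             "consequence": "Overflow to drain to effluent drains",
             "severity": "Minor losses of material",
             "safeguards": "Operational + High level alarm", "acceptable": "Yes"},
            {"cause": "", "how_often": "",  # cause column 2 is blank on the sheet
             "consequence": "Acid spills", "severity": "Moderate risk to persons",
             "safeguards": "", "acceptable": "NO"},
        ],
        "what_should_be_done": "Enclose tank overflow pipe outlet to drain",
        "action": "Ensure correct response to alarm is in ops. manual; Piping designer",
    },
]


def open_actions(sheets):
    """Return the rows whose recorded risk is not acceptable, i.e. the rows that
    must carry a 'what should be done' entry and an owned action."""
    rows = []
    for row in sheets:
        if any(c["acceptable"].upper() == "NO" for c in row["causes"]):
            rows.append({"deviation": f'{row["parameter"]} {row["deviation"]}',
                         "element": row["element"],
                         "what_should_be_done": row["what_should_be_done"],
                         "action": row["action"]})
    return rows
```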


Causes and consequences
Possible Deviation -> Causes -> Consequences


Example
Part for study: material transfer from tank A to tank B (pump with flow controller FIC).
[Diagram] Elements: Tank A, material transfer (pump with FIC), Tank B. Parameters considered: Level, Flow, Temperature, Speed, Pressure, Composition, Reaction. Study begins at Tank A / Level.
First deviation recorded:
1: Tank A empty -> No delivery; pump runs dry/damaged; gas flows from B to A to atmosphere


Example – sheet 1
Part: Transfer of acid from A to B    Element: Tank A    Parameter: Level
Deviation: NONE    Meaning/effect: Tank is empty
Is it possible: YES

                      Cause 1         Cause 2                                    Cause 3
Causes                No supply       Extraction exceeds inflow
How often?            Monthly         Monthly
Consequences          No transfer     Pump damage
Severity              Nil             Moderate+ loss of production
Safeguards            Operational     None
Acceptable risk       N/A             NO
What should be done                   Low level detection and interlock on pump
Action                                Specify safety trip: Process and Instrument engineers


Example – sheet 2
Part: Transfer of acid from A to B    Element: Tank A    Parameter: Level
Deviation: MORE    Meaning/effect: Tank overfills
Is it possible: YES

                      Cause 1                                               Cause 2                                      Cause 3
Causes                Uncontrolled input
How often?            Probable
Consequences          Overflow to drain to effluent drains                  Acid spills
Severity              Minor losses of material                              Moderate risk to persons
Safeguards            Operational + High level alarm
Acceptable risk       Yes                                                   NO
What should be done                                                         Enclose tank overflow pipe outlet to drain
Action                Ensure correct response to alarm is in ops. manual    Piping designer


Example – sheet 3
Part: Transfer of acid from A to B    Element: Tank A    Parameter: Level
Deviation: LESS    Meaning/effect: Tank runs low
Is it possible: YES    Same as for NONE: see page 1

All other parameters, deviations and consequences would be considered


HAZARD Study 4 - Purpose
To check that the project has been constructed as the design intended and that the actions from previous Hazop studies have been completed and incorporated in design and installation.

- Key Aspects
  Study is a review of design and construction done after the construction is substantially completed but before process materials are introduced
  Equipment and hardware as per design
  Validation of completion of previous Hazop study actions
  Emergency systems and procedures are in place
  Operating instructions are available and employee training is adequate


HAZARD Study 5 - Purpose
To provide an opportunity for those responsible for personal safety, employee health and environmental protection on the site to satisfy themselves that the detailed implementation of the project meets the company, statutory and legislative requirements.

- Key Aspects
  Study is done before process materials are introduced or commencement of operations, whichever is sooner
  Validation that safety, health and environmental management systems and procedures are in place
  Validation that emergency systems are operational


HAZARD Study 6 - Purpose
To review early operation to ensure that it is consistent with design intent with regard to safety, health and environmental issues, and that assumptions defined in earlier studies are borne out in actual operation.

- Key Aspects
  Done 3-6 months after plant operation
  Validation that all documentation has been updated
  Modifications made during commissioning and start up have not altered the risk profile
  Validation of compliance to conditions of consent
  Validation of employee occupational health monitoring


Hazards and Risk
- If you don’t know what represents a hazard:
  You cannot determine the risks involved
- But what is risk?
  A combination of the probability of an occurrence of harm and the severity of that harm.


Risk
Risk = harm x probability
- Individual risk – risks per year of the most exposed individual (Normally a maximum value that can be tolerated for all hazards).
- Societal risk – the total risk per year of all exposed individuals (Risks normally reduced until the risk reduction is disproportionate to the cost of risk reduction).
- Asset Loss
- Environmental


Risk
- There are different levels of risk:
  Low or negligible
  - e.g. being struck by lightning
    Approx. the same chance as winning the lottery!
  So high as to be unacceptable
  - e.g. Exposure to high levels of radiation
  Tolerable or acceptable risk
  - Lies between negligible and unacceptably high
  - e.g. driving a car
    The benefits outweigh the negatives


Fatality Rates

Activity                 Probability (per year)
Travel
  Air                    2 x 10^-6
  Train                  3 x 10^-6
  Bus                    2 x 10^-4
  Car                    2 x 10^-4
  Motorcycle             2 x 10^-2
Occupation
  Chemical industry      5 x 10^-5
  Shipping               9 x 10^-4
  Coal mining            2 x 10^-4
Voluntary
  The pill               2 x 10^-5
  Rock climbing          1.4 x 10^-4
  Smoking                5 x 10^-3
Involuntary
  Meteorite              6 x 10^-11
  Falling aircraft       2 x 10^-8
  Natural disasters      2 x 10^-6
  Cancer                 2.5 x 10^-5
  Fire                   2 x 10^-5
  Being murdered (UK)    1.3 x 10^-5


Risk
- The risks we encounter in our place of work must also be acceptable
- so the:
  process design;
  protective systems;
  procedures;
  should all be appropriate to reduce the risks to an acceptable level.


Tolerability of risk and ALARP: HSE (1992)
[Diagram, decreasing risk from top to bottom]
Intolerable region
  boundary: 1 in 1000 per person/yr (Workers); 1 in 10,000 per person/yr (Public)
The ALARP or tolerability region – Tolerable risk (Risk is undertaken only if a benefit is desired)
  boundary: 1 in 1 million per person/yr
Broadly acceptable region (No need for detailed working to demonstrate ALARP)
  1 in 10 million per person/yr – Negligible risk

Reducing the Risk
- Examples of risk reduction methods:
  Design (probability of occurrence)
  Mechanical strength (probability of occurrence)
  Location (probability of occurrence and consequence)
  Control (probability of occurrence)
  Alarms (probability of occurrence)
  Safety instrumented functions (probability of occurrence)
  Other technology SRSs - Mechanical relief (consequence)


Risk Reduction Layers
[Diagram, outermost layer first]
- Mitigating Systems and Emergency Response Procedures
- Other Protective Layers, e.g. Mechanical Relief
- Safety Instrumented Systems
- Alarm Layer
- Process Control Layer
- Process


Risk reduction - general concepts
[Diagram, increasing risk from left to right]
- ACTUAL REMAINING RISK: risk with the addition of other risk reduction facilities and SIS
- TOLERABLE RISK: ALARP (As Low As Reasonably Practicable)
- INTERMEDIATE RISK: risk with the addition of other risk reduction facilities
- INITIAL RISK: risk without the addition of any protective features
NECESSARY MINIMUM RISK REDUCTION: from the initial risk down to the tolerable risk
Total risk reduction = partial risk covered by other risk reduction facilities & technology + partial risk covered by SIS


Risk and safety integrity concepts
[Diagram] The process risk (consequences and frequency of the hazardous event) is reduced in turn by external risk reduction facilities, other safety related technology systems and the SIS down to the tolerable risk target; the gap between the process risk and the target is the necessary risk reduction.
Safety integrity of external risk reduction facilities, other safety related technology and SIS matched to the necessary risk reduction


Name:
Q: What are the parameters that define risk?
A:

Q: What are the three ALARP risk regions?
A:

Q: Name three process risk reduction measures?
A:


Solutions:
Q: What are the parameters that define risk?
A:

Q: What are the three ALARP risk regions?
A:

Q: Name three process risk reduction measures?
A:


Safety Instrumented Function

(SIF)



Risk reduction: Safety Instrumented Functions
- One of the most widely used methods for protecting against process related hazards
- They contribute to the overall risk reduction
  Possibly making a major contribution


Safety Instrumented Function
Safety Instrumented Function – SIF
- Protects against a hazard
- Usually ‘on demand’
[Diagram: separator vessel with inlet valve XZV1, PSV to flare, fuel gas system with PCV, PICA and PZA1 into a logic solver, LICA and LCV on the outlet; a fire detection input into a second logic solver that starts the fire pump and activates area deluge]
Some SIF’s mitigate after-the-event consequences, e.g. Fire & Gas reduce escalation


Safety Instrumented Function
SIF = Safety Instrumented Function
One or more initiators -> Logic solver -> One or more final elements
Purpose: to prevent a hazard


Name:
Q: Is the role of a mitigating type SIF to: (a) prevent a hazard? (b) reduce escalation?
A:

Q: If all of the elements of a typical SIF are 1oo1, how many elements are there?
A:

Q: Name the basic elements of a SIF?
A:

Solutions:
Q: Is the role of a mitigating type SIF to: (a) prevent a hazard? (b) reduce escalation?
A:

Q: If all of the elements of a typical SIF are 1oo1, how many elements are there?
A:

Q: Name the basic elements of a SIF?
A:


Name: SIF Identification
[Diagram: gas/oil separator with PSV1 to flare; fuel gas PCV with PICA; gas detection on gas compression; pressure switches PZA 001 and PZA/PZA/PZA with 1oo2 and 2oo3 voting; shutdown valves XZV1, XZV2 and XZV3 on the inlet side; level switches LZA1 HH and LZA2 LL with LICA; XZV4 and LCV on the oil outlet]
Q: Ring the Safety Instrumented Functions, how many are there?
A:

Exercise - SIF Identification
(Same diagram as above)
A: There are 7 functions


SIF - Initiators
[Diagram] One initiator, e.g. PZA1, acting through the Instrumented Protective System on several final elements:
- Function 1: XZV3 – Gas Compression
- Function 2: XZV1/2 – Inlet
- Function 3: XZV4 – Oil Outlet


SIF – Final Element
[Diagram] Several initiators acting through the Instrumented Protective System on one final element, XZV1/2 - Inlet:
- Function 1: PZA1
- Function 2: Confirmed High Level Gas
- Function 3: LZA1


Cause & Effects and SIF’s

Cause \ Effect       Final Element   Final Element   Final Element   Final Element   Final Element   Final Element
                     XZV1            XZV2            XZV3            XZV4            5               6
Initiator 1 (PZA1)   x               x               x               x               x
Initiator 2          x               x               x
Initiator 3          x               x               x               x
Initiator 4          x               x               x               x
Initiator 5          x               x               x               x


Safety Instrumented System
A SIF protects against a single hazard but a Safety Instrumented System (SIS):
- Implements one or more SIFs
- Often has multiple connectivity between:
  An initiator and several final elements;
  A final element and several initiators.
- The Cause & Effect logic


SIF or not SIF
Which functions are SIF?
- Trip functions
- Alarm functions that are not pre-alarms to other SIFs
- Switch functions
- Interlocks, permissives, inhibits (automatic)
Which functions are not SIF?
- Pre-alarms
- Process Controls
- Manual controls
- Overrides


Consequences of Failure
- If a SIF fails:
  There will be certain consequences which could result in:
  - Harm
  - Damage to equipment and/or loss of production
  - Damage to the environment


The Criticality of a SIF
Risk = Consequence x Probability
Consequence categories: Personnel safety (harm); Financial Loss; Environmental

SIF’s predominantly reduce the probability of an event:
P_remaining = P_demand x P_SIF failure on demand

Criticality of an SIF is expressed in SIL classes: 1 to 4


The relationship between Safety Integrity Level & Probability of Failure on Demand

Safety Integrity Level (SIL)   Probability of Failure on Demand (PFD)
4                              < 10^-4 to > 10^-5
3                              < 10^-3 to > 10^-4
2                              < 10^-2 to > 10^-3
1                              < 10^-1 to > 10^-2
N.B. The Probability of Failure on Demand (PFD) is dimensionless. It is based on a relationship between the Failure Rate and the Test Interval which we will develop later.


Risk Reduction Factor (RRF)

„ The integrity of a SIF is sometimes


expressed as the Risk Reduction Factor
(RRF).
„ There is a simple relationship between
RRF and the PFD:
RRF = 1/PFD
e.g. if PFD = 0.1
Then RRF = 10



Failures
SIFs can fail in two ways:
„ Dangerous failure (hidden, covert or un-revealed)
Loss of protective function
Failure rate can be reduced by hardware fault tolerance
(e.g. 1oo2 or 1oo3 to trip)
Diagnostics can also be used and will be discussed later.
„ Safe failure (revealed, evident – mostly economic)
Spurious trip or alarm
No loss of protection
Failure rate can be reduced by “revealed failure
robustness” (e.g. 2oo2 or 2oo3 to trip)
Integrity Specification of a SIF
„ We need to assess the criticality of a SIF
to ensure the design is appropriate for the
task it performs
„ Where the criticality is dependent on the
contribution the SIF makes to risk
reduction
„ There are both quantitative and
qualitative methods



The Risk Assessment Team
„ Irrespective of the method the issues are
complex
„ Assessment team composition:
Facilitator
Process
Operations/ Maintenance
Safety
Instrument & Control
Technical clerk for record keeping
Other specialists as required
Name:
Q: What is the PFD range for a SIL 2 function?
A:

Q: Write the Risk Reduction Factor expression?


A:

Q: If a SIF has a PFD of 1E-02 how much risk


reduction does it provide?
A:



Solutions:
Q: What is the PFD range for a SIL 2 function?
A:

Q: Write the Risk Reduction Factor expression?


A:

Q: If a SIF has a PFD of 1E-02 how much risk


reduction does it provide?
A:



Name:

Q: Which initiator configuration has the highest


safety integrity:
(a) 1oo2 (b) 2oo2 (c) 2oo3
A:

Q: What benefit is gained by voting initiators?


A:



Solutions:

Q: Which initiator configuration has the highest


safety integrity:
(a) 1oo2 (b) 2oo2 (c) 2oo3
A:

Q: What benefit is gained by voting initiators?


A:



SIL Determination
by
Quantitative Analysis



Quantitative Analysis
„ A quantitative approach is of value when:
„ The tolerable risk for a specific consequence is
specified (e.g. No release to atmosphere greater
than 1 in 1000 years);
„ Numerical targets have been specified for the
Safety Integrity Level (SIL) in terms of the
probability of failure on demand (i.e. IEC 61508
specification);
„ There is confidence in the reliability data.

„ One such method is Fault Tree Analysis



Fault Tree Analysis (FTA)
F = Frequency
P = Probability

AND gate (inputs are multiplied):
P1 x P2
P1 x F1
F1 x P2
Etc.

OR gate (inputs are added):
P1 + P2
F1 + F2

Example tree: Electrical fault (P1) OR Welding spark (P2) gives Ignition source = P1 + P2;
Ignition source AND Flammable gas (F1 per year) gives Explosion = ((P1 + P2) x F1) per year.



Fault Tree Analysis (FTA)
[Figure: worked gate examples. AND gates: P = 0.1 x P = 0.1 gives P = 0.01; Freq = 0.1/yr x PFD = 0.1 gives 0.01/yr; Freq = 1/yr x P = 0.2 gives 0.2/yr. OR gates: P = 0.1 + P = 0.1 gives P = 0.2; Freq = 0.1/yr + Freq = 0.1/yr gives 0.2/yr.]



Fault Tree Analysis (FTA)

Worked example:
Electrical fault (P1 = 0.1) OR Welding spark (P2 = 0.5) gives Ignition source: P1 + P2 = 0.6
Ignition source AND Flammable gas (F1 = 0.1 per year) gives Explosion: ((P1 + P2) x F1) = 0.06 per year



Name: FTA Exercise 1

The level of liquid in a tank is controlled and monitored as shown in the diagram (LIC 100, LCV 100, HLA 01, XZV 200; undesired event: Overflow). The failure frequencies and probability of failure for all the elements are given in the table below. Use a fault tree analysis to determine how often the tank is going to overflow.

Event / Layer | PFD | Frequency
XZV 200 closure | | 1.0/year
Level Control | 0.1 | 0.1/year
HLA 01 Alarm | 0.25 |
Operator reliability | 0.25 |

Worksheet:
Freq /yr | PFD | Event



FTA Solution
(Diagram: LIC 100, LCV 100, HLA 01, XZV 200; undesired event: Overflow)

Event / Layer | PFD | Frequency
XZV 200 closure | | 1.0/year
Level Control | 0.1 | 0.1/year
HLA 01 Alarm | 0.25 |
Operator | 0.25 |

Fault tree inputs:
Freq /yr | PFD | Event
1.0 | | XZV 200 closure
| 0.1 | Level cntl fails
0.1 | | Level cntl fails
| 0.25 | HLA 01 alarm fails
| 0.25 | Operator fails to respond to alarm
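The AND/OR gate rules from the FTA slides, applied to the welding-spark tree and to Exercise 1, as an added example that is not part of the course material. The tree structure for Exercise 1 is my reading of the solution table (XZV 200 closure AND level control PFD, OR level control failure frequency, then AND alarm failure AND operator failure); the class and function names are mine.

```python
"""Fault-tree evaluator for the AND/OR gate arithmetic used on the FTA slides.

Added example, not part of the course material.  Basic events carry either a
probability (dimensionless, e.g. a PFD) or a frequency (per year).  The gate
rules follow the slides: AND multiplies its inputs, OR adds them (the usual
rare-event approximation for small probabilities).
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Event:
    """A basic event: kind is "P" (probability / PFD) or "F" (frequency per year)."""
    name: str
    value: float
    kind: str


@dataclass
class Gate:
    """An AND or OR gate whose inputs are events or other gates."""
    name: str
    op: str
    inputs: List[Union["Gate", Event]]


def evaluate(node: Union[Gate, Event]) -> Tuple[float, str]:
    """Return (value, kind) for a node, checking that the units make sense."""
    if isinstance(node, Event):
        if node.kind not in ("P", "F"):
            raise ValueError(f"{node.name}: kind must be 'P' or 'F'")
        if node.kind == "P" and not 0.0 <= node.value <= 1.0:
            raise ValueError(f"{node.name}: probability outside [0, 1]")
        return node.value, node.kind

    results = [evaluate(child) for child in node.inputs]
    kinds = [kind for _, kind in results]

    if node.op == "AND":
        # P x P -> P, F x P -> F.  Two frequencies cannot be ANDed directly:
        # the product would have units of 1/yr^2.
        if kinds.count("F") > 1:
            raise ValueError(f"{node.name}: AND gate with more than one frequency input")
        value = 1.0
        for v, _ in results:
            value *= v
        return value, ("F" if "F" in kinds else "P")

    if node.op == "OR":
        # P + P -> P, F + F -> F.  Adding a probability to a frequency is a
        # units error, so it is rejected rather than silently summed.
        if len(set(kinds)) != 1:
            raise ValueError(f"{node.name}: OR gate mixes probabilities and frequencies")
        return sum(v for v, _ in results), kinds[0]

    raise ValueError(f"{node.name}: unknown gate type {node.op!r}")


def explosion_frequency() -> float:
    """Worked tree from the slides: ((P1 + P2) x F1) = 0.06 per year."""
    ignition = Gate("Ignition source", "OR", [
        Event("Electrical fault", 0.1, "P"),   # P1
        Event("Welding spark", 0.5, "P"),      # P2
    ])
    explosion = Gate("Explosion", "AND", [
        ignition,
        Event("Flammable gas", 0.1, "F"),      # F1 per year
    ])
    return evaluate(explosion)[0]


def tank_overflow_frequency() -> float:
    """FTA Exercise 1 (tank overflow), using the values in the exercise table."""
    high_level_demand = Gate("High level in tank", "OR", [
        Gate("XZV 200 closes and level control fails to respond", "AND", [
            Event("XZV 200 closure", 1.0, "F"),
            Event("Level control fails (PFD)", 0.1, "P"),
        ]),
        Event("Level control fails (frequency)", 0.1, "F"),
    ])
    overflow = Gate("Overflow", "AND", [
        high_level_demand,
        Event("HLA 01 alarm fails", 0.25, "P"),
        Event("Operator fails to respond to alarm", 0.25, "P"),
    ])
    return evaluate(overflow)[0]


if __name__ == "__main__":
    print(f"Explosion: {explosion_frequency():.3f} per year")
    print(f"Tank overflow: {tank_overflow_frequency():.4f} per year")
```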



SIL Determination
by
Qualitative method:
Risk Graphs



Risk Graphs
„ Consideration of a number of parameters:
Demand rate (W);
Consequence (C);
Occupancy (F) (N.B. safety only);
Probability of avoiding the hazard (P).
„ They are a relatively quick method
„ They tend to be conservative
„ They can be qualitative or semi-quantitative
„ They work better if semi-quantitative



Personnel Safety Graph
Demand Rate columns: Relatively High = 0.3-3 years; Low = 3-30 years; Very Low > 30 years
(START at Consequence Severity, then Personnel Exposure, then Alternatives To Avoid Danger; read the Safety Integrity Level (SIL) in the Demand Rate column)

Consequence Severity | Personnel Exposure | Alternatives To Avoid Danger | Relatively High | Low | Very Low
Slight Injury | | | - | - | -
Serious Injuries or 1 Death | Rare | Possible | 1 | - | -
Serious Injuries or 1 Death | Rare | Not Likely | 2 | 1 | -
Serious Injuries or 1 Death | Frequent | Possible | 2 | 1 | 1
Serious Injuries or 1 Death | Frequent | Not Likely | 3 | 2 | 1
Multiple Deaths | Rare | | 3 | 3 | 2
Multiple Deaths | Frequent | | NR | 3 | 3
Catastrophic | | | NR | NR | NR

- = No special safety features required
NR = Not recommended. Consider alternatives



Personnel Safety Graph- Summary
„Based on one of the methods in IEC 61508 Part 5, Annex D
„Calibrated in terms of potential loss of life
„ Four parameters are considered:
• The Frequency of Demand
  • Recommended starting point
• The severity consequences of the SIS failing on demand
• The likelihood of personnel exposure to the hazard
  • the occupancy of the area in terms of numbers and duration
• Alternatives to avoid danger
  • are there alternative “after the event” factors to reduce the consequences
  • e.g. sufficient independent warning



Risk Matrix
„ Simple analysis of:
Demand rate (likelihood)
Consequence severity
„ Relatively quick & conservative
„ Tends to be rather simplistic
„ Limits the risk reduction options
„ Can be qualitative or semi-quantitative
„ They work better if semi-quantitative



Asset Loss Matrix
(START at Consequence severity; read the Equivalent Integrity Level in the Demand Rate or Likelihood column)

Consequence severity | Relatively high | Low | Very low
No operational upset or equipment damage | | |
Minor operational upset or equipment damage | - | - | -
Moderate operational upset or equipment damage | - | - | -
Major operational upset or equipment damage | 1 | 1 | -
Damage to essential equipment, major economic loss or loss of containment | 2 | 2 | 1

Cell values = Equivalent Integrity Level



Asset Loss graph

„ The severity of the consequences can be calibrated:
In ‘cash’ terms if required;
the financial consequences may vary company to company;
even facility to facility.



Environmental Matrix
(START at Consequence severity; read the Equivalent Integrity Level in the Demand Rate column)

Consequence severity | Relatively high | Low | Very low
No release or negligible environmental impact | | |
Release with minor impact on environment – reportable | 1 | - | -
Release with moderate impact on environment | 2 | 1 | -
Release with temporary major impact on environment | 3 | 3 | 2
Release with permanent major impact on environment | NR | NR | 3

Cell values = Equivalent Integrity Level
NR = Not recommended consider alternatives
N.B. Environmental consequences impact on REPUTATION
IEC 61511 Personnel Protection

Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph).
Starting point for risk reduction estimation: the consequence C, then exposure F, then possibility of avoidance P, lead to an output row X1 to X6; the demand rate W selects the column.

Path (C, F, P) | Row | W3 | W2 | W1
CA | X1 | a | --- | ---
CB FA PA | X2 | 1 | a | ---
CB FA PB; CB FB PA; CC FA PA | X3 | 2 | 1 | a
CB FB PB; CC FA PB; CC FB PA; CD FA PA | X4 | 3 | 2 | 1
CC FB PB; CD FA PB; CD FB PA | X5 | 4 | 3 | 2
CD FB PB | X6 | b | 4 | 3

C = Consequence parameter
F = Exposure time parameter
P = Possibility of failing to avoid hazard parameter
W = Demand rate assuming no protection
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level



IEC 61511 Safety Parameters
Personnel Safety Risk parameter | Classification | Comments

Consequence (C): Average number of Fatalities.
This can be calculated by determining the average numbers present when the area is occupied and multiplying by the vulnerability to the identified hazard. The Vulnerability will be determined by the nature of the hazard being protected against. The following factors are proposed:
V=0.01 Small release of flammable or toxic material
V=0.1 Large release of flammable or toxic material
V=0.5 As above but with a high chance of igniting or highly toxic.
V=1 Rupture or explosion
Classification: CA Minor injury; CB Range 0.01 to 0.1; CC Range >0.1 to 1.0; CD Range >1.0 to 10
Comments: 1. The classification system has been developed to deal with injury and death to people. 2. For the interpretation of CA, CB, CC and CD, the consequences of the accident and normal healing shall be taken into account.

Exposure probability in the hazardous zone (F):
This is calculated by determining the length of time the area is occupied during a normal working period.
NOTE - If the time in the hazardous area is different depending on the shift being operated then the maximum should be selected.
NOTE - It is only appropriate to use FA where it can be shown that the demand rate is random and not related to when occupancy could be higher than normal. The latter is the case with demands which occur at equipment start-up.
Classification: FA in the hazardous zone, occupancy less than 0.1; FB Frequent to permanent exposure in the hazardous zone, occupancy more than 0.1
Comments: 3. See comment 1 above.



Personnel Safety Risk parameter | Classification | Comments

Possibility of avoiding the hazardous event (P) if the protection system fails to operate.
Classification: PA Adopted if all conditions in column 4 are satisfied; PB Adopted if all the conditions are not satisfied
Comments: 4. PA should only be selected if all the following are true:
• facilities are provided to alert the operator that the protection has failed
• independent facilities are provided to shut down such that the hazard can be avoided or which enable all persons to escape to a safe area
• the time between the operator being alerted and a hazardous event occurring exceeds 1 hour or is definitely sufficient for the necessary actions.

Demand rate of the unwanted occurrence (W) given no protection system.
To determine demand rate it is necessary to consider all sources of failure that will lead to a demand on the protection system. In determining the demand rate, limited credit can be allowed for control system performance and intervention. The performance which can be claimed if the control system is not to be designed and maintained according to IEC61508, is limited to below the performance ranges associated with SIL1.
Classification: W1 Demand rate less than 0.03 per year; W2 Demand rate between 0.3 and 0.03 per year; W3 Demand rate between 3 and 0.3 per year
Comments: 5. The purpose of the W factor is to estimate the frequency of the hazard taking place without the addition of the SIS. 6. If the demand rate is very high (e.g., 10 per year) the
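The parameter classification on this and the preceding slides, as an added example that is not from IEC 61511 or the course material: a lookup that classifies C, F, P and W from the stated ranges and reads the result from the X1 to X6 rows of the generalized risk graph. The row routing follows the general arrangement in the figure (CA straight to X1, CB FA PA to X2, each more severe step in C, F or P one row further down); treating fewer than 0.01 average fatalities as CA, the function names and the sample values are my assumptions.

```python
"""Risk-graph lookup for the IEC 61511 personnel-protection parameters.

Added example, not from the standard or the course material.  Class
boundaries are those on the parameter slides; the row routing follows the
generalized arrangement (CA -> X1, CB FA PA -> X2, and each step to a more
severe C, F or P moves one row down, to a maximum of X6).
"""

# Output rows of the generalized risk graph, read at the demand-rate column.
# "1".."4" = SIL, "a" = no special safety requirements, "---" = no safety
# requirements, "b" = a single E/E/PES is not sufficient.
RISK_GRAPH = {
    "X1": {"W3": "a", "W2": "---", "W1": "---"},
    "X2": {"W3": "1", "W2": "a",   "W1": "---"},
    "X3": {"W3": "2", "W2": "1",   "W1": "a"},
    "X4": {"W3": "3", "W2": "2",   "W1": "1"},
    "X5": {"W3": "4", "W2": "3",   "W1": "2"},
    "X6": {"W3": "b", "W2": "4",   "W1": "3"},
}

# Vulnerability factors proposed on the consequence slide.
V_SMALL_RELEASE, V_LARGE_RELEASE, V_IGNITABLE_OR_TOXIC, V_RUPTURE = 0.01, 0.1, 0.5, 1.0


def consequence_class(persons_present: float, vulnerability: float) -> str:
    """C from average fatalities = persons present x vulnerability.
    CB is 0.01 to 0.1, CC >0.1 to 1.0, CD >1.0 to 10.  Treating anything
    below 0.01 as CA (minor injury) is an assumption; the slide gives CA no range."""
    fatalities = persons_present * vulnerability
    if fatalities < 0.01:
        return "CA"
    if fatalities <= 0.1:
        return "CB"
    if fatalities <= 1.0:
        return "CC"
    if fatalities <= 10.0:
        return "CD"
    raise ValueError("average fatalities above 10: outside the risk graph")


def exposure_class(occupancy_fraction: float) -> str:
    """F: FA when occupancy is less than 0.1, otherwise FB (0.1 itself is undefined on the slide)."""
    return "FA" if occupancy_fraction < 0.1 else "FB"


def avoidance_class(operator_alerted: bool, independent_escape: bool, hours_available: float) -> str:
    """P: PA only if all three conditions of comment 4 hold, otherwise PB."""
    if operator_alerted and independent_escape and hours_available > 1.0:
        return "PA"
    return "PB"


def demand_class(demands_per_year: float) -> str:
    """W from the demand rate with no protection system (W1 <0.03, W2 0.03-0.3, W3 0.3-3 per year)."""
    if demands_per_year < 0.03:
        return "W1"
    if demands_per_year < 0.3:
        return "W2"
    if demands_per_year <= 3.0:
        return "W3"
    raise ValueError("demand rate above 3 per year: outside the W1-W3 classes (see comment 6)")


def risk_graph_row(c: str, f: str, p: str) -> str:
    """Route C, F, P to an output row X1..X6 of the generalized graph."""
    if c == "CA":
        return "X1"  # CA goes straight to X1; F and P are not consulted
    steps = ["CB", "CC", "CD"].index(c) + 1
    steps += 1 if f == "FB" else 0
    steps += 1 if p == "PB" else 0
    return f"X{steps + 1}"


def required_sil(row: str, w: str) -> str:
    """Read the cell of the risk graph for the given row and demand-rate class."""
    return RISK_GRAPH[row][w]


def assess(persons_present, vulnerability, occupancy_fraction, operator_alerted,
           independent_escape, hours_available, demands_per_year):
    """Full assessment: returns (C, F, P, W, row, result)."""
    c = consequence_class(persons_present, vulnerability)
    f = exposure_class(occupancy_fraction)
    p = avoidance_class(operator_alerted, independent_escape, hours_available)
    w = demand_class(demands_per_year)
    row = risk_graph_row(c, f, p)
    return c, f, p, w, row, required_sil(row, w)


if __name__ == "__main__":
    # Constructed case: two people present during a large ignitable release,
    # area occupied 5% of the time, no alert of SIF failure, and 12 surges a
    # year with the control loop credited at PFD 0.1 -> 1.2 demands/year.
    print(assess(2, V_IGNITABLE_OR_TOXIC, 0.05, False, True, 0.25, 12 * 0.1))
```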



IEC 61511 Asset Loss

[Figure: risk graph for asset loss, laid out like the personnel protection graph with output rows X1 to X6 and demand rate columns W3, W2, W1, but with the exposure parameter F not used; the path is consequence C, then possibility of avoidance P, starting from the point for risk reduction estimation. The overlaid cell values are not recoverable from the extracted text.]
Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph)

C = Consequence parameter
F = not used
P = Possibility of failing to avoid hazard parameter
W = Demand rate assuming no protection
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level



Asset Loss Parameters
Note. No example given in IEC 61511
Asset Loss | Classification | Comments

Consequence (C)
Classification: CA Minor operational upset or equipment damage; CB Moderate operational upset or equipment damage; CC Major operational upset or equipment damage; CD Damage to essential equipment, major economic loss
Comments: Monetary values can be assigned to each consequence parameter

Possibility of avoiding the hazardous event (P) if the protection system fails to operate.
Classification: PA Adopted if all conditions in column 4 are satisfied; PB Adopted if all the conditions are not satisfied
Comments: NOTE. The same conditions as personnel safety apply



IEC 61511 Environmental Impact

[Figure: risk graph for environmental impact, laid out like the personnel protection graph with output rows X1 to X6 and demand rate columns W3, W2, W1, but with the exposure parameter F not used; the path is consequence C, then possibility of avoidance P, starting from the point for risk reduction estimation. The overlaid cell values are not recoverable from the extracted text.]
Generalized arrangement (in practical implementations the arrangement is specific to the applications to be covered by the risk graph)

C = Consequence parameter
F = not used
P = Possibility of failing to avoid hazard parameter
W = Demand rate assuming no protection
--- = No safety requirements
a = No special safety requirements
b = A single E/E/PES is not sufficient
1, 2, 3, 4 = Safety integrity level



Environmental | Classification | Comments (examples)

Consequence (C):
CA A release with minor damage that is not very severe but is large enough to be reported to plant management or local authorities
  e.g. A moderate leak from a flange or valve; Small scale liquid spill; Small scale soil pollution without affecting ground water
CB Moderate damage e.g. Release within the fence with significant damage
  e.g. A cloud of obnoxious vapour travelling beyond the unit following flange gasket blow-out or compressor seal failure
CC Substantial damage e.g. Release outside the fence with major damage which can be cleaned up quickly without significant lasting consequences
  e.g. A vapour or aerosol release with or without liquid fallout that causes temporary damage to plants or fauna
CD Serious damage e.g. Release outside the fence with major damage which cannot be cleaned up quickly or with lasting consequences
  e.g. Liquid spill into a river or sea; A vapour or aerosol release with or without liquid fallout that causes lasting damage to plants or fauna; Solids fallout (dust, catalyst, soot, ash); Liquid release that could affect groundwater

Possibility of avoiding the hazardous event (P) if the protection system fails to operate:
PA Adopted if all conditions in column 4 are satisfied
PB Adopted if all the conditions are not satisfied
NOTE. The same conditions as personnel safety apply



Overall Integrity Requirements
[Figure: Risks per function (Safety integrity, Environmental integrity, Economic integrity) combine into the Required integrity of each function (Function A, Function B, Function C, etc.); the functions are then allocated to the System integrity of Dedicated systems, Shutdown systems, Fire & Gas systems and Control systems.]



The Required Integrity
„ The required integrity of a function is
determined from the highest of the three
integrity risks:
Safety
Economic
Environmental
„ The Final Integrity Level = max(SIL, ILp, ILe)
„ The function should be designed to meet the
highest Integrity Level



Double Jeopardy

Where more than one function is performed by an initiator:
„ Analyse each function individually;
„ Assume all other functions operate;
i.e. there is no double jeopardy;
„ Then consider the impact of the initiator failing;
i.e. all final elements fail (simultaneous failure);
This will be covered in day 3.



Identifying Demand Causes

A few tips for identifying the causes of a demand on a SIF:
„ Many are due to control failure;
„ Breakdown of pumps, compressors etc.;
„ Manual operating error;
„ Operating conditions e.g. start up;
„ Seasonal weather conditions;
„ Process blockages;
„ Loss of utilities e.g. air, cooling water etc.



Exercise – Pressure Protection
[Diagram elements: 20” hydrocarbon line, 10 km, 120 Bar; PCV1 controlled by PICA; PZA (H, HH) acting on XZV1 via instrument air (IA); vessel V 100, Design Pressure 60 Bar, with LICA (L) and thermal or fire relief.]

1. Determine the consequences of failure on demand of PZA for:
a) Personnel safety
b) Production/equipment loss
c) Environmental
2. Suggest improvements to the design

Notes:
There are two production trains each capable of handling full feed.
The vessel is operated at a very high level.
1 operator in the area for less than 1hr/shift.
The feed is subject to monthly pressure surges and the PIC is 90% reliable.



Name: SIL Determination Report Form
Initiator Tag : Description:
Final element Tag : Description:
Design Intent:

Consequences of Failure on Demand:

Classification:
Demand rate (W) :
Personnel consequence severity :
Personnel exposure :
Alternatives to avoid danger :
Personnel Safety SIL :

Product Loss consequence :
Product Loss SIL equivalent :
Environmental consequence :
Environment SIL equivalent :
Overall SIL:
Notes:



Exercise – NGL Backflow Protection
[Diagram elements: R101 (HP, 100Bar); V101 (LP, 4Bar); pump with spec. break; FZA (LL) acting via instrument air (IA); FICA (L).]

1. Determine the consequences of failure on demand of FZA for:
a) Personnel safety
b) Production/equipment loss
c) Environmental
2. Suggest improvements to the design.

Notes:
The NGL unit is in a location not routinely visited by an operator, but the pump has a local stop/start.
The NRV is not a tight shut off.
The pump has a history of stalling 1 or 2 times a year.
The plant has a large public exclusion zone



Name: SIL Determination Report Form
Initiator Tag : Description:
Final element Tag : Description:
Design Intent:

Consequences of Failure on Demand:

Classification:
Demand rate (W) :
Personnel consequence severity :
Personnel exposure :
Alternatives to avoid danger :
Personnel Safety SIL :

Product Loss consequence :
Product Loss SIL equivalent :
Environmental consequence :
Environment SIL equivalent :
Overall SIL:
Notes:



Layers of Protection Analysis

(LOPA)



Layers of Protection Analysis
„ Requires a multi-disciplined team.
„ Accounts for each identified hazard.
„ Analyses every cause event for a hazard.
„ The information for LOPA is developed through
HAZard and OPerability analysis (HAZOP):
Event description;
Severity level;
Initiating cause;
Initiation likelihood;
Layers of protection and/or mitigation.
„ Requires the acceptable corporate risk criteria to be
specified.
LOPA Model
[Figure: for each scenario (Scenario 1 to Scenario N) the initiating Frequency passes through the ‘common’ layers that reduce the risk for Safety, Societal, asset and environment: Enabling conditions, Common protection layers and Common mitigation, giving the Total mitigated likelihood. The analysis then branches per receptor (Safety, Societal, Asset, Env’t), each with its own Severity, Conditional modifiers and resulting PFD requirement (Safety PFD, Societal PFD, Asset PFD, Env’t PFD).]



LOPA Example

HAZOP has determined that there is a risk of overfilling a tank containing volatile liquid from two causes:
Pump failure: 2.0 per year
Level control failure: 0.1 per year
Determine the risk to personnel and the requirements for any additional risk reduction measures if the tolerable risk is to be 1.0E-06 for this hazard.



LOPA Example
[Diagram: tank with level alarm LA, level controller LIC and closed drains.]



LOPA Process Example – Event 1
(Likelihoods are events/year and protection layers are PFD average)

Row | Item | Event 1
1 | Impact Event | Overfill of tank and loss of containment
2 | Severity Level | S
3 | Initiating Causes | Pump failure
4 | Event Frequency | 2.0
5 | Protection & Mitigation Layers: Process design (electrical) | 0.1
  | Process control | 0.1
  | Independent alarm | 0.5
6 | Restricted access | 0.5
  | Closed drains | 0.1
7 | No other IPL |
8 | Intermediate Event Frequency | 5.0E-04
9 | Total Mitigated Event Frequency |
10 | Tolerable Event Frequency |
11 | Required SIS risk reduction |
LOPA Process Example: Event 1
„ Row 1 = The impact event identified from HAZOP
„ Row 2 = The severity:
M = Minor; S = Serious; E = Extensive.
„ Row 3 = The initiating causes (each cause has its own
row)
„ Row 4 = Likelihood of the cause per year
„ Row 5 = Independent Protection Layers (IPL) such as:
General process design (e.g. explosion proof electrical)
Basic Process Control System (credit for PFDavg)
Alarms (must be independent of the control loop)
An IPL has to be:
„ specific for the prevention or mitigation of the
consequences;
„ independent of other protection layers;
„ dependable in doing what it was designed to do;
„ auditable with regular validation, maintenance and testing.



LOPA Process Example: Event 1
„ Row 6 = Additional mitigation layers
Note:
Additional mitigation (normally mechanical, structural or
procedural) such as:
„ pressure relief devices;
„ dikes, bunds;
„ restricted access
Additional mitigation that reduces the severity but will not
prevent it such as:
„ deluge by fire and gas systems
„ gas and fume alarms
„ evacuation procedures
„ PFDs for all mitigation layers should be listed in Row 6
LOPA Process Example: Event 1
„ Row 7 = Independent Protection Layer
must satisfy all the IPL criteria such as;
a relief valve;
an existing SIF designed to SIL1 through SIL 3.

„ Row 8 = Intermediate Event Likelihood
Calculated by multiplying the Initiating Likelihood (Row 4) by the PFDs of the protection and mitigation layers (Rows 5, 6 & 7), 5.0E-04 for this example.



LOPA Process Example: Event 2

„ Event 2 is also worked through and tabulated.
„ Any additional events would also be tabulated in the same way.



LOPA Process Example – Event 2
(Likelihoods are events/year and protection layers are PFD average)

Row | Item | Event 1 | Event 2
1 | Impact Event | Overfill of tank and loss of containment | Overfill of tank and loss of containment
2 | Severity Level | S | S
3 | Initiating Causes | Pump failure | Level control fails
4 | Event Likelihood | 2.0 | 0.1
5 | Protection & Mitigation Layers: Process design (electrical) | 0.1 | 0.1
  | Process control | 0.1 |
  | Independent alarm | 0.5 | 0.5
6 | Restricted access | 0.5 | 0.5
  | Closed drains | 0.1 | 0.1
7 | No other IPL | |
8 | Intermediate Event Frequency | 5.0E-04 | 2.50E-04
9 | Total Mitigated Event Frequency | 7.5E-04
10 | Tolerable Event Frequency | S = 1.0E-06
11 | Required SIS risk reduction | 1.0E-06 / 7.54E-04 = 1.330E-03 (SIL 2)



LOPA Process Example
„ Row 9 = Total Intermediate Event Likelihood:
Sum of all Intermediate Event Frequencies
i.e. sum of all Row 8 values (7.5E-04 in this example)
„ Row 10 = Tolerable Event Frequency for the
selected Severity (S):
This is based on the casualty severity for the event
E.g. 1.0E-07 for this example
„ Row 11 = Value in Row 10 / Value in Row 9
Tolerable Event Frequency / Sum of Intermediate
Event Frequencies (1.33E-03 in this example)
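The Event 1 and Event 2 tables and the row-by-row notes, as an added example that is not part of the course material: a calculator that multiplies each cause's likelihood through its protection and mitigation PFDs (rows 5 to 7), sums the intermediate frequencies (row 9), divides the tolerable frequency by that sum (row 11) and maps the required PFD to a SIL using the SIL/PFD table earlier in the deck. The class and function names are mine; Event 2 takes no process control credit, matching the blank cell in the table.

```python
"""LOPA calculator for the tank-overfill example.

Added example, not part of the course material.  Each initiating cause has a
likelihood (events/year) and a set of independent protection / mitigation
layers, each credited with a PFD average.  The required SIS PFD is the
tolerable event frequency divided by the total mitigated frequency.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cause:
    name: str
    likelihood_per_year: float
    layers: Dict[str, float] = field(default_factory=dict)   # layer name -> PFD

    def intermediate_frequency(self) -> float:
        """Row 8: likelihood x product of all layer PFDs (rows 5, 6 and 7)."""
        freq = self.likelihood_per_year
        for name, pfd in self.layers.items():
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"{self.name}: layer {name!r} has PFD {pfd}, expected (0, 1]")
            freq *= pfd
        return freq


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFD to a SIL using the SIL/PFD table (0 = no SIL needed)."""
    if pfd >= 0.1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    raise ValueError(f"required PFD {pfd:.2e} is below the SIL 4 range; a single SIF is not sufficient")


def lopa(causes: List[Cause], tolerable_frequency: float) -> Tuple[float, float, float, int]:
    """Rows 9 to 11: (total mitigated frequency, required PFD, RRF, SIL)."""
    total = sum(c.intermediate_frequency() for c in causes)      # row 9
    required_pfd = tolerable_frequency / total                   # row 11
    return total, required_pfd, 1.0 / required_pfd, sil_for_pfd(required_pfd)


# Values from the Event 1 / Event 2 tables (row 5 = IPLs, row 6 = mitigation).
PUMP_FAILURE = Cause("Pump failure", 2.0, {
    "Process design (electrical)": 0.1,
    "Process control": 0.1,
    "Independent alarm": 0.5,
    "Restricted access": 0.5,
    "Closed drains": 0.1,
})
LEVEL_CONTROL_FAILURE = Cause("Level control fails", 0.1, {
    # No process control entry: the table gives this cause no credit for the
    # control loop, which is itself the initiating cause.
    "Process design (electrical)": 0.1,
    "Independent alarm": 0.5,
    "Restricted access": 0.5,
    "Closed drains": 0.1,
})
TOLERABLE_S = 1.0e-06   # tolerable event frequency for severity level S


def tank_overfill_example() -> Tuple[float, float, float, int]:
    """Run the LOPA for both causes of the tank-overfill example."""
    return lopa([PUMP_FAILURE, LEVEL_CONTROL_FAILURE], TOLERABLE_S)


if __name__ == "__main__":
    total, pfd, rrf, sil = tank_overfill_example()
    print(f"Total mitigated frequency: {total:.2e}/yr")
    print(f"Required SIS PFD: {pfd:.3e}  (RRF {rrf:.0f}, SIL {sil})")
```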



Layers of Protection Analysis
„ Vulnerability to the event e.g.:
size of a release, Volatility/toxicity etc.
„ It may be possible to take additional risk
reduction into account
„ The LOPA analysis is then repeated with respect
to:
Society
Asset
Environment
„ Taking credit for specific risk reduction/mitigation



LOPA Exercise
FOR ILLUSTRATIVE PURPOSES ONLY

HAZOP has highlighted that a high pressure and loss of containment could result from a pressure inlet surge or failure of the pressure control.
If the tolerable risk is 1.0E-05 determine the SIL required for the pressure protective SIF.

Protective Layers | PFD | Frequency
Pressure surge | | 2.0/year
Pressure Control | 0.1 | 0.1/year
Operator vulnerability | 0.1 |
Area Occupancy | 0.1 |
Relief valve | 0.1 |
Process design: Fully welded pipe | 0.5 |

[Diagram elements: Inlet from a long flow line with tendency to surge @ 20 Barg; XZV1; PZ1; Logic Solver; PICA; PCV to Flare; PSV; separator at 10 Barg; LICA; LCV; Outlet.]



Name:
Impact Event Initiating Cause 1 Initiating Cause 2
Overpressure and
loss of containment
Event Frequency
from First Stage
Separator
Protection &
Mitigation
Layers

Intermediate Event
Frequency
Total Mitigated Event
Frequency
Tolerable Event
Frequency
Required SIS risk
reduction



LOPA Exercise Solution
Impact Event Initiating Cause 1 Initiating Cause 2

Overpressure and
loss of containment
from First Stage Event Frequency
Separator
Protection &
Mitigation
Layers

Intermediate Event
Frequency
Total Mitigated Event
Frequency
Tolerable Event
Frequency
Required SIS risk
reduction





Case studies



Typical Findings
[Chart: percentage of functions (% axis 0 to 100) found at SIL 0, SIL 1, SIL 2 and SIL 3.]



Benefits – Brown Field

Typical findings:
Large UK Natural Gas Processing Plant



Benefits – Green Field

Typical findings:
3rd Generation Platform – W. Africa



Benefits
„ Brown Field Facilities
Audit of existing design
„ More focus on the critical functions
„ Less concentration on the secondary functions

The number of functions could be reduced
Test and maintenance intervals can be extended
Substantial production deferment savings
Considerable maintenance cost savings
Negligible costs, offset many times by savings



Benefits
„ Green Field Facilities
Full lifecycle ownership
„ Conception & design – test & maintenance
Reduction in the number of secondary trips
Savings on fitted hardware (e.g. Valves)
Simplified and smaller logic systems
Appropriate design/maintenance from outset
Significant savings in operating costs
„ Lifetime maintenance and deferment savings
Negligible cost impact on projects



Benefits- UK HSE Position:
HSE Management Board, Feb 2000

“.. IEC61508 will be used as a reference standard for determining whether a reasonable practical level of safety has been achieved when E/E/PE systems are used to carry out safety functions.
The extent to which [HSE] Directorates / Divisions use IEC61508 will depend on individual circumstances; whether any sector standards based on IEC61508 have been developed and whether there exists specific industry standards or guidelines…” i.e. IEC 61511



Issues
„ Assessment team composition
„ Commitment and cost of SIL assessment
„ Data gathering
„ Timescale
„ Complexity
Look for primary functions
Intertrips
„ Nuisance trips
„ Primary/secondary functions (i.e. cascade
tripping)
Issues - continued
„ How to deal with fire and gas
„ Risk mitigation
„ Complex functions (e.g. SIF + mechanical relief)
„ Layers of protection & mitigation
„ Lifecycle management
Plant changes
Process changes
Reliability data
Verification
Test Feedback

