PLENARY LECTURE

IEC 61508 and IEC 61511: application state and trends

Pasquale Fanelli
Invensys Operations Management, Sesto San Giovanni (Milan), Italy
pasquale.fanelli@invensys.com

IEC 61508 ed. 2.0 "Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems" and IEC 61511 ed. 1.0 "Functional Safety - Safety Instrumented Systems for the Process Industry Sector" are International Standards published by the International Electrotechnical Commission (IEC). The main objectives of IEC 61508, which has the status of a basic safety publication, are to facilitate the development of product and application sector international standards and to enable the development of E/E/PE safety-related systems where product or application sector international standards do not exist. The horizontal standard IEC 61511 has been developed as a process sector implementation of IEC 61508. IEC 61511 gives requirements for the specification, design, installation, operation, maintenance and testing of a safety instrumented system (SIS). The presentation introduces the current application state of the activities to be implemented to execute the IEC 61508 and IEC 61511 lifecycle phases in conformity with the standards' requirements. The current application state starts from Management of Functional Safety and goes through activities such as process hazard and risk assessment, safety function allocation, risk reduction target allocation to safety instrumented functions (SIF), SIF SIL determination, SIS safety requirements specification (SRS), SIS implementation activities, SIS operation and maintenance, SIS modification and decommissioning.
The current application state includes the lack of Regulatory Code requirements on IEC 61508 and IEC 61511 applicability, objective interpretative issues of IEC 61508 and IEC 61511 requirements, applicability issues of IEC 61508 and IEC 61511 in real projects, consistency of reliability data, and certification issues of SIS sub-systems and devices. At the conclusion of the presentation an excursus of the current and favourable trends of IEC 61508 and IEC 61511 application is given, with consideration also of users' expectations.

1. IEC 61508, IEC 61511 and IEC 62061 background

1.1 IEC 61508 ed. 1

The international standard IEC 61508 ed. 1, in effect since 2000, states a performance-based approach through the introduction of the safety integrity level (SIL) of the safety instrumented functions (SIFs) implemented by safety-related instrumented systems. IEC 61508 introduces and addresses both hardware safety integrity and systematic safety integrity as a function of design, integration, verification and validation, operation, maintenance and testing. Furthermore, IEC 61508 introduced the safety lifecycle for safety-related instrumented systems and the management of functional safety (FSM). Within a couple of years IEC 61508 found wide application for safety-related instrumented systems such as PSD, ESD, BMS, critical TMC, HIPS and F&G, thanks to the ease of adopting the safety integrity level (SIL) as the performance indicator of the safety PLCs used as PE logic solvers of safety-related instrumented systems. The immediate success of SIL was due to the large diffusion of safety PLCs as PE logic solvers of safety-related instrumented systems since the mid nineties and the concurrent general adoption, especially in EU countries, of the German standards DIN V 19250 "Fundamental safety aspects for measurement and control equipment" and DIN V VDE 0801 "Principles for computers in safety-related systems".
As a matter of fact, the PES (programmable electronic system) AK (Anforderungsklasse, Requirement Classes from 1 to 8) were introduced in DIN V 19250, and DIN V VDE 0801 was applied to determine whether the AK requirements, based on the safety classification associated with the AK class itself, were met by the PES. After the issue of IEC 61508 the SIL as an integrity ranking was immediately successful, also thanks to the historical adoption of the AK requirement classes; four years later, in spite of the withdrawal of DIN V 19250, common practice was still to report the AK class alongside the SIL requirement of safety PLCs. Certification according to IEC 61508 requirements, specifically IEC 61508-2 for hardware requirements and IEC 61508-3 for software requirements of safety-related instrumented systems, was meant to move from several national standards such as DIN V 19250, DIN V 19251 and DIN V VDE 0801 to a unique international standard addressing the requirements of E/E/PE safety-related instrumented systems including the logic solver, sensor and final element sub-systems. The consolidated practice of EPC Contractors in Europe to require for safety PLCs a certification of compliance with DIN standards issued by the German TÜV (Technical Inspection Agency) explains the immediate diffusion of certification of compliance with IEC 61508 for safety PLCs right after the publication of the standard, even though the standard itself did not require a certification of compliance. In the last decade the requirement of a certification of compliance with IEC 61508 was expanded from PE logic solvers to any active device of a safety-related instrumented system, including sensors, barriers, relays, solenoid valves, shutdown valves/actuators/positioners and electric motor contactors.

1.2 IEC 61511

One of the objectives of the international standard IEC 61508 as a meta-standard is to facilitate the development of product and application sector standards. The generic application of the functional safety requirements dictated by IEC 61508 found a specific application with the issue of the international standard IEC 61511, in effect since 2003 and focused on the process industry sector including O&G, oil refining, petrochemical/chemical, P&P and conventional power generation. The simpler approach of IEC 61511 did not significantly alter the basic approach to functional safety issues introduced by IEC 61508. The concurrent introduction in the USA of ANSI/ISA S84.00.01 (mod. IEC 61511) in 2004, replacing ANSI/ISA S84.01 (an edition stating three SIL classes instead of four), further spread the diffusion of a unique approach to functional safety all over the world, including high economic growth areas such as PRC, ME, India and Brazil, which cover most of the new installations in the process industry. IEC 61511 simplifies the approach even in the title, replacing the generic E/E/PE safety-related systems with Safety Instrumented Systems (SIS), and is de facto the international standard that can be confidently entrusted to place and/or maintain the process in a safe state.
One of the most important statements of IEC 61511 is the correlation between IEC 61511 and IEC 61508, mandating compliance with IEC 61508 for SIS device Manufacturers and Suppliers and compliance with IEC 61511 for SIS designers, integrators and users. This statement not only saved all the work previously done, in particular on the conformity of logic solvers to IEC 61508, but further boosted the functional safety culture and practice thanks to the much simpler approach to SIS safety lifecycle activities. The adoption of the equivalent standard in the US in 2004 eased IEC 61511 application thanks to the publication by ANSI/ISA of Technical Report ISA TR-84.00.04 Part 1 "Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511)" and TR-84.00.04 Part 2 "Example implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511)". Besides IEC 61511 Part 2 as application guidelines, other guidelines on IEC 61511 application were published, such as OLF 070 "Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf" issued by the Norwegian Oil Industry Association, the EEMUA 222 "Guide to the application of IEC 61511 to safety instrumented systems in the UK process industries", and CEI 65-186 "Linea guida per l'applicazione della Norma della serie CEI EN 61511 Sicurezza funzionale - sistemi strumentati di sicurezza per il settore dell'industria di processo" issued by the Italian CEI. IEC 61511 is currently under revision and the new edition will very likely come out in the current year, with an update of definitions and a revision of requirements related mainly to hardware failure rates and fault tolerance (HFT), fault detection, SRS, application software, SIS O&M and testing, prior use (PU) and security.

1.3 IEC 61508 ed. 2

The 2nd edition of IEC 61508, published in April 2010, introduced main changes such as the update of definitions, Management of Functional Safety (FSM), IEC 61508 compliant items, SIF mode of operation, Overall SRS, classified failure rates, System Design Requirements Specification, systematic capability, hardware integrity compliance, systematic integrity compliance, on-chip redundancy requirements for integrated circuits (IC), application specific integrated circuits (ASICs), FPGAs (Field Programmable Gate Arrays), functional safety assessment (FSA), common cause analysis (CCA), safety manual for compliant items, proven in use (PIU) requirements and security. The impact of such a vast number of revisions and changes after one full decade of application of IEC 61508 ed. 1 is limited in process industry SIS applications, since, in compliance with IEC 61511, the requirements of IEC 61508 apply, with a few exceptions, to SIS device Manufacturers only.

1.4 IEC 62061

The international standard IEC 62061 "Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems" states the requirements for the safety-related control systems of industrial machinery. IEC 62061 applies to safety-related control systems based on E/E/PE technology, also in combination, used to execute safety control functions on machines that are not portable by hand and on groups of machines working in coordination. IEC 62061 is a sector standard derived from IEC 61508, with requirements concerning both hardware and software of safety instrumented functions aimed at minimizing the occupational risk of machinery operators during machine operation, maintenance and cleaning. Management of Functional Safety (FSM), a quantified occupational risk reduction target, and hardware and software integrity requirements, even if simplified for industrial machinery applications, are the main features of this performance-based standard. The installation of machinery packages (e.g. compressors, steam turbines, gas turbines, diesel generators) in the process industry sector mandates compliance with both IEC 61511 and IEC 62061. A guideline on IEC 62061 application was published by IEC as Technical Report IEC/TR 62061-1 ed. 1.0 "Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery". An application guide was published in Italy by CEI as CEI CLC/TR 62061-1 "Guida all'applicazione delle Norme ISO 13849-1 ed IEC 62061 nella progettazione di sistemi di controllo relativi alla sicurezza per macchinari".

2. Legislation and IEC 61508, IEC 61511, IEC 62061

2.1 Legislation and IEC 61508

The European Committee for Electrotechnical Standardization (CENELEC) supports the IEC (International Electrotechnical Commission) "to be globally recognized as the provider of standards and conformity assessment and related services needed to facilitate international trade in the fields of electricity, electronics and associated technologies". CENELEC publishes both the standards requested to shape the EU Internal Market and harmonized standards in support of EU legislation. Since the CENELEC Standards (EN) must be transposed into the national standards of the EU member countries, products and services compliant with European standards (EN) get easier access to the EU market independently of the manufacturer's or supplier's country of origin. Member countries must also withdraw any conflicting national standard: the EN prevails over any national standard (e.g. the German standards DIN V 19250, DIN V 19251 and DIN V VDE 0801 were withdrawn in August 2004).
CENELEC ratified the international standard IEC 61508 Parts 1 to 7 as European Norm EN 61508-1 to 7:2001. EN 61508-1 to 7:2001 have finally been transposed in EU member countries as national standards (norms) starting from 2002 (e.g. in the U.K. as BS EN 61508-1 to 7:2002). CENELEC ratified IEC 61508 ed. 2 in May 2010, immediately after its publication, as European Norm EN 61508-1 to 7:2010. In Italy EN 61508-1 to 7:2010 has been transposed as CEI EN 61508-1 to 7:2011, issued in English and French as the original standard. Even if laws and regulations may refer to standards ("norms" in French, German and Italian), so making compliance with the norms compulsory, so far there is no automatic legal obligation to apply CEI EN 61508-1 to 7:2011 in Italy, and the same situation occurs in other EU countries. Compliance with the EU harmonized standards applied to meet the essential requirements of EU legislation provides a presumption of conformity with the corresponding harmonization requirements of EU legislation. To claim this presumption of conformity the harmonized standards must be published in the Official Journal of the EU (OJEU). The use of harmonized standards is on a voluntary basis: "Manufacturers, other economic operators or conformity assessment bodies are free to choose any other technical solution that provides compliance with the mandatory legal requirements", as stated by the European Commission definition of European Harmonized Standards. Consistently, since the only standard reported in the OJEU is EN 62061 for Machinery, we can derive that regulatory compliance with EN 61508 and EN 61511 is transferred to national standardization. The result does not change in EU countries such as, for instance, Italy, where a law (L. 186/68) mandates compliance with the Italian Electrotechnical Committee (CEI) norms for electrical and electronic installations, materials, devices and systems. The applicable CEI Norms shall be used, but the same law does not state any sanction for violation.
EN 61508 and EN 61511 are not listed in the OJEU even for ATEX and Pressure Equipment Directive (PED) applications. Only thanks to the mention in the harmonized norm EN 764-7 is the application of IEC 61508 stated for safety instrumented functions protecting unfired pressure equipment falling under the PED Directive. IEC states in IEC 61508-1 ed. 2.0 (ratified as EN), Foreword p. 5: "IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies". The same p. 5 in IEC 61508-1 ed. 1.0 (ratified as EN) states: "The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with one of its standards". We can infer that, ten years after the first edition, IEC formalizes the role of the independent certification bodies and, being not responsible for the services carried out by the independent certification bodies, cannot in any case be responsible for declarations of conformity to the standard, since this responsibility is transferred to these third parties without any formal assignment or assignment criteria stated by IEC. In any case, by this statement IEC recognises the role and responsibility of the independent certification bodies. The provision by the Manufacturer, for (almost) any SIS active device, of a certificate of compliance with IEC 61508 issued by an independent certification body has thus been de facto formalized by IEC after a decade of practice. The success of EN 61508 application without prescriptions from national, local or sector regulatory authorities can be explained by the convergent interest of SIS device Manufacturers in offering the same device on the market and of EPC Contractors in reusing SIS engineering with practically no differences worldwide. Another driving factor is represented by the industrial insurance companies, focused on an effective risk reduction of major accidents (large fire, explosion, toxic cloud, environmental impact). The BP Texas City, Buncefield and BP Horizon accidents showed that huge economic losses, including company loss of reputation, can derive from insufficient protection layers, and that the application of IEC 61508 and IEC 61511 could have played a fundamental role in risk reduction. The (IEC-independent) certification bodies, in particular the German TÜV Rheinland (historically the first to certify safety PLCs), TÜV Nord, TÜV Süd and RW TÜV, are very active in this market area and play an important role in the application of the IEC 61508 standard. The issue is that IEC 61508 compliance, even if assessed and certified by independent certification bodies, plays no part in the European Conformity (CE) Mark approval of a device, such as for PED and ATEX. CE Marking demonstrates equipment conformity to the Essential Safety Requirements of all the European Directives applicable to that product. The Seveso Directive is out of this virtuous cycle.

2.2 Legislation and IEC 61511

CENELEC ratified the international standard IEC 61511 Parts 1 to 3 as European Norm EN 61511-1 to 3:2004. EN 61511-1 to 3:2004 have finally been transposed in EU member countries as national standards (norms) starting from 2004 (e.g. in the U.K. as BS EN 61511-1 to 3:2004). In Italy EN 61511-1 to 3:2004 has been transposed as CEI EN 61511-1 to 3:2004, issued in English and French as the original standard. The same considerations made above for the European Norm EN 61508 apply to EN 61511.

2.3 Legislation and IEC 62061

CENELEC ratified the international standard IEC 62061 as European Norm EN 62061:2005. EN 62061:2005 has finally been transposed in EU member countries as national standards (norms) starting from 2005 (e.g. in the U.K. as BS EN 62061:2005).
In Italy EN 62061:2005 has been transposed as CEI EN 62061:2005, issued in Italian and English as the original standard. After its publication in 2010 by CENELEC, the norm EN 62061:2005 + Amending Corrigendum AC:2010 became a harmonised standard under Directive 2006/42/EC for Machinery and was published in the OJEU. Compliance with the harmonised standard EN 62061:2005 + Amending Corrigendum AC:2010 provides a presumption of conformity with the corresponding Machinery Directive essential health and safety requirements related to the safety and reliability of control systems.

3. Current application state of IEC 61508, IEC 61511, IEC 62061

3.1 Certification of Compliance

The current application state of IEC 61508 is massive for the Manufacturers of active SIS devices, including sensors, barriers, relays, solenoid valves and shutdown valves/actuators/positioners. For electric devices such as electric motor contactors and, occasionally, electric motors and circuit breakers, the situation is unclear, characterized by a reduced number of Manufacturers and even a reduced awareness of IEC 61508 requirements compliance in terms of safety integrity of electric devices. Since the mid 90s, with the prevailing use of PES as SIS logic solvers compliant with the DIN V 19250 AK requirement classes, the specific measures set forth in the German standard DIN V VDE 0801 were used for the evaluation of PES design, coding, integration and testing by independent third parties. The German TÜV Rheinland, acting as Technical Inspection Authority, started to evaluate PES and issue PES certificates of compliance with the German Norms DIN V 19250 and DIN V VDE 0801. This was the prelude to PES Certification of Compliance with IEC 61508 after the standard came into force. Other German TÜVs and other private organizations extended their certification services to most SIS devices. Certification being mentioned (see above) in IEC 61508 ed. 2.0, but without execution requirements, the independent third parties execute all the formal verifications with no or insufficient consistency. The results of certification are in some cases contradictory, such as in the case of the BPCS and SIS independence requirements, which are interpreted differently by the Certification Bodies. Certification Reports and Restrictions to Use should be part of the Certification, but the absence of unique certification criteria makes this very important documentation less important than the Certificate itself. The Certification of Compliance with IEC 61511 for the process industry sector is complementary to the IEC 61508 Certification of SIS devices, and generally applies to SIS implementation and integration activities. Even if IEC 61511 lacks any specific requirement about Management of Functional Safety (FSM) certification, currently the SIS FSM certification of the organizations responsible for SIS design and integration is widely applied. As far as IEC 62061 is concerned, the situation is the same as reported above for IEC 61508, with a wide diffusion of certification of compliance. In addition, being harmonised, compliance with EN 62061:2005 + AC:2010 is binding. The Machinery Directive in Art. 14, par. 1 states: "Member States shall notify the Commission and the other Member States of the bodies which they have appointed to carry out the assessment of conformity for placing on the market referred to in Article 12(3) and (4), together with the specific conformity assessment procedures and categories of machinery for which these bodies have been appointed and the identification numbers assigned to them beforehand by the Commission. Member States shall notify the Commission and other Member States of any subsequent amendment".

3.2 Process Hazard and Risk Assessment

Since most of the current SIS installations are in the process industry, the Process Hazard and Risk Assessment, as the primary activity of the SIS safety lifecycle, shall be executed in accordance with IEC 61511. IEC 61511 clause 8 "Process Hazard and Risk Assessment" and clause 9 "Allocation of safety functions to protection layers" being generic, the practice of these phases gives highly inconsistent results. In MAH (major accident hazard) process industries, HazOp studies are executed to cover hazard and operability issues for normal and abnormal operations such as start-up, shutdown, emergency shutdown and maintenance operations. Other studies such as Hazid and What-if are occasionally executed. HazOp studies are purely qualitative and, in spite of HazOp guidelines such as IEC 61882 and corporate procedures, the results depend dramatically on several variable factors, such as HazOp team composition, team expertise, team leadership capabilities, session scheduling, project execution progress, novelty of the process and language of communication. The HazOp study qualitatively determines process deviations, causes of deviation, consequences of deviations, and safeguards (including the safety instrumented functions and alarms) already allocated or to be allocated according to the agreed HazOp Actions. The quality of the HazOp and the awareness of the HazOp team of functional safety issues severely affect the subsequent SIL assignment activity.
The missing classification of initiating event likelihood and of severity of consequences makes the HazOp study useless for the SIL assignment study and potentially inconsistent. Merging HazOp and SIL study ("extended" HazOp) by introducing a purely qualitative risk assessment during the HazOp makes both activities dependent on the same team and the same leadership, potentially leading to SIL class over- or under-rating according to team and leader expertise. The IEC 61511 clause 8 and 9 requirements are nominally matched, but ineffectively in several application cases. The same applies to IEC 62061.

3.3 SIL Assignment

The SIF SIL assignment, known also as SIL determination, SIL assessment, SIL review, SIL study, SIL allocation or even SIL classification since a standardized definition of the activity is missing, is executed worldwide by applying four main methodologies: CRG (Calibrated Risk Graph), LOPA (Layer of Protection Analysis), Risk Matrix and "Extended" HazOp. Risk Matrix and "Extended" HazOp being purely qualitative, their results are inconsistent even with the same SIL assignment team, depending on the activity progress state. CRG and LOPA, being semi-quantitative methodologies, provide more consistent results but are severely affected by the SIL Assignment Procedure assigned to the team. The informative Part 3 of IEC 61511 provides scarce and in some cases contradictory information on these very important methodologies, with a dramatic impact on the results. CRG and LOPA, being primarily based on the qualitative determination of consequences, very often give in real applications a SIL upgrade or downgrade for the same hazardous event according to the Corporate Mitigated Target Risk. The consistency of CRG results is severely affected by the definition of the W factor, which is open to different interpretations, just as, for LOPA, the enabling events and conditional modifiers are.
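The sensitivity of a LOPA-based SIL assignment to conditional modifiers and to the corporate target frequency, as an added worked example that is not part of the lecture: the `LopaScenario` type, the `sil_target` function and every figure (initiating event frequency, IPL PFDs, modifiers, tolerable frequency) are this example's own constructed assumptions, while the SIL bands are the low-demand PFDavg bands of IEC 61508/IEC 61511.

```python
"""LOPA-style SIL assignment: the same hazardous event, different outcomes.

Added example, not from the lecture. The initiating event frequency, IPL
PFDs, conditional modifiers and the corporate tolerable frequency below are
constructed sample figures; the SIL bands are the IEC 61508 / IEC 61511
low-demand PFDavg bands (SIL 1: 1e-2 <= PFD < 1e-1 ... SIL 4: 1e-5 <= PFD < 1e-4).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LopaScenario:
    name: str
    initiating_event_freq: float        # demands per year on the protection layers
    ipl_pfds: List[float]               # PFDavg of each non-SIS independent protection layer
    enabling_conditions: List[float]    # probability the initiating event can lead to the hazard
    conditional_modifiers: List[float]  # e.g. P(ignition), P(personnel present)
    target_mitigated_freq: float        # corporate tolerable frequency of the consequence, per year


# Low-demand SIL bands expressed as required risk reduction factor (RRF = 1/PFDavg):
# SIL n applies when 10**n < RRF <= 10**(n+1).
SIL_BANDS = [(1, 10.0, 100.0), (2, 100.0, 1000.0), (3, 1000.0, 10000.0), (4, 10000.0, 100000.0)]


def mitigated_frequency_without_sif(s: LopaScenario) -> float:
    """Consequence frequency per year with every credited layer except the SIF."""
    f = s.initiating_event_freq
    for p in s.enabling_conditions + s.conditional_modifiers + s.ipl_pfds:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{s.name}: probability {p} outside [0, 1]")
        f *= p
    return f


def required_rrf(s: LopaScenario) -> float:
    """Risk reduction the SIF must provide to meet the corporate target (1.0 = none needed)."""
    rrf = mitigated_frequency_without_sif(s) / s.target_mitigated_freq
    # Round away floating-point noise so a result that is mathematically on a
    # decade boundary (e.g. exactly 1000) classifies deterministically.
    return max(1.0, float(f"{rrf:.9g}"))


def sil_from_rrf(rrf: float) -> int:
    """Map the required RRF to a SIL target; 0 means no SIL-rated SIF is needed (RRF <= 10)."""
    if rrf <= 10.0:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo < rrf <= hi:
            return sil
    raise ValueError("required RRF exceeds SIL 4: redesign the process or add non-SIS layers")


def sil_target(s: LopaScenario) -> int:
    return sil_from_rrf(required_rrf(s))


# Constructed scenario: overfill of a flammable-liquid vessel, BPCS level loop
# failure as initiating event, operator response to alarm as the only non-SIS IPL.
BASE = LopaScenario(
    name="vessel overfill (base)",
    initiating_event_freq=0.1, ipl_pfds=[0.1], enabling_conditions=[],
    conditional_modifiers=[0.1, 0.5],   # P(ignition), P(personnel present)
    target_mitigated_freq=2e-5,
)
# Same event, assessed by a team that does not credit conditional modifiers.
NO_MODIFIERS = LopaScenario(
    name="vessel overfill (modifiers not credited)",
    initiating_event_freq=0.1, ipl_pfds=[0.1], enabling_conditions=[],
    conditional_modifiers=[], target_mitigated_freq=2e-5,
)
# Same event, modifiers credited, but a ten-times stricter corporate target.
STRICT_TARGET = LopaScenario(
    name="vessel overfill (stricter corporate target)",
    initiating_event_freq=0.1, ipl_pfds=[0.1], enabling_conditions=[],
    conditional_modifiers=[0.1, 0.5], target_mitigated_freq=2e-6,
)


def compare(scenarios=(BASE, NO_MODIFIERS, STRICT_TARGET)) -> List[Tuple[str, float, int]]:
    """Return (name, required RRF, SIL target) for each scenario."""
    return [(s.name, required_rrf(s), sil_target(s)) for s in scenarios]


if __name__ == "__main__":
    for name, rrf, sil in compare():
        print(f"{name:48s} RRF = {rrf:8.1f}  ->  SIL {sil}")
```

Running it shows the same hazardous event assigned SIL 1 with modifiers credited and SIL 2 when they are omitted or when the corporate target is tightened, which is the inconsistency the lecture attributes to enabling events, conditional modifiers and the Corporate Mitigated Target Risk.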
A further issue of SIL assignment is represented by the qualitative evaluation of environmental impact consequences, due to lack of information, and by the economic impact consequences, optionally included since they are not required by the standard.

3.4 Safety Requirements Specification

The Safety Requirements Specification (SRS) according to IEC 61511 Clause 10 is a mandatory document, or collection of documents, to be provided, but as of today the SRS is only occasionally provided to the SIS design and engineering team. The SRS should include documents such as the C&EM (cause and effect matrix), the SIF specification inclusive of all the required SIF information and data, SIF individual and concurrent safe states, allowable spurious trip rate, override requirements, SIF and SIS downgrading, manual shutdown requirements, dangerous combinations of SIS output states, abnormal conditions and many others.

3.5 Functional Safety Assessment

IEC 61511-1 sub-clause 5.2.6.1.4 states that at least one functional safety assessment (FSA) shall be carried out to ensure that the hazards arising from a process and its associated equipment are properly controlled. The FSAs actually carried out by independent and expert third parties on the SIS before start-up are occasional.

3.6 Management of Functional Safety

IEC 61511-1 clause 5 states the requirements concerning the Management of Functional Safety (FSM) associated with the SIS safety lifecycle activities. ISA-TR84.00.04-2005 "Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)" specifically addresses FSM by defining a Roles & Responsibilities Matrix (R&RM) including the experience and skills required for the disciplines represented in the R&RM. In spite of the importance of a full and efficient FSM implementation, this process is made difficult by the criminal and civil liabilities that accidents may entail, which can be directly associated with the approval responsibilities defined in the FSM R&RM for SIS safety lifecycle activities.

4. Trends

4.1 Current trends

The current trend of IEC 61508 and IEC 61511 application is absolutely satisfactory in the process industry, with the exception of only a few sectors reluctant to any change in the approach to process safety. The same successful trend applies to the machinery sector, where compliance with IEC 62061 is full starting from 2011.

4.2 Favourable trends

- EN 61508 and EN 61511 Norms harmonization to the Seveso Directive;
- IEC 61508 Certification Bodies notified by EU Authorities;
- IEC 61508 Certification Plan and Activities covered by IEC 61508;
- SIS active components all covered by IEC 61508 Certification;
- issue of IEC 61508 application guidelines;
- IEC 61508 derived standards for non-process industry and road tunnels;
- SIS full compliance with IEC 61508 cyber-security requirements;
- Safety Manuals and Restrictions to Use to cover 100% of SIS active and passive components;
- HazOp team and leader competent and expert in functional safety;
- HazOp to fully determine initiating causes and consequences of hazardous events;
- HazOp to fully determine the occurrence of hazardous events in abnormal conditions;
- QRA application to be set up as a HazOp action whenever consequences lead to SIL 3;
- Mitigation Risk Targets for Safety and Environment to be set per industry sector;
- Introduction of SIL, EIL and AIL respectively for Safety, Environment and Asset risk mitigation;
- SIL Assignment methodologies (CRG and LOPA) to be fully defined in IEC 61508 and/or IEC 61511-3;
- Independence criteria for DCS alarms, DCS interlocks and DCS permissives to be fully defined in IEC 61511;
- SRS to be fully defined in IEC 61511-1, including I/O channel segregation criteria;
- FSA activities to be fully defined in IEC 61511-2;
- Management of Functional Safety (FSM) to be fully defined in IEC 61511-2;
- Full Variability Language software, currently to be executed under IEC 61508-3 requirements, to be defined under IEC 61511-1 to avoid misinterpretations and double-standard compliance inconsistencies;
- Minimum hardware fault tolerance to be uniquely defined for IEC 61508 and IEC 61511;
- SIL verification methodologies (simplified equations, RBD, FTA) to be fully reported in IEC 61511-3;
- Qualified FMEDA mandatory for the definition of failure rates and SFF for each SIS device;
- Mission time definition mandatory for each SIS device;
- Recognition of the risk reduction capability of expert systems.

In spite of the efforts of four generations of engineers the goal of an accident-free process industry has still to be reached, but we glimpse a light at the end of the tunnel.

References

EN 61508, 2010, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, IEC, CH.
EN 61511, 2003, Functional Safety: Safety Instrumented Systems for the Process Industry, IEC, CH.
EN 62061, 2005, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC, CH.