Compliance with IEC 61511
What do we have to do to be compliant with IEC 61511? This Standard introduces the concept of the Safety Life Cycle and, therefore, the answer lies in fulfilling each phase of this cycle. Our intention is to explain it, in a simple way, for readers who are not experts.
In the image we have tried to divide the life cycle of the SIS into 8 main parts, the blue one for Phase 1 Analysis, the red one for Phase 2 Design & Implementation, and the green one for Phase 3 Operation & Maintenance.
Each of these parts is necessary for rigorous compliance with IEC 61511. The adoption of all these good safety practices in the process industry varies greatly by sector. The most advanced are the Oil & Gas, Chemical and Power Generation industries; others are emerging, such as the Pharmaceutical, Paper and Water industries; and the Food & Beverage sector lags behind.
Let’s briefly see what we consider most important in each of the three phases. It must be remembered that, in practice, not everything comes down to complying with the Standard, but it is very important to create a good safety culture at the plant, especially starting with the Company’s Management.
Phase of Analysis
- Process Hazard Analysis (PHA): The first thing to do is this analysis, with the right team of people and without time restrictions. It is a rigorous and systematic evaluation to identify the risks of the process, its causes, its consequences, the frequency of occurrence, and the safety measures or safeguards we will take to minimize or reduce the risk.
- Determination of SIL: In many cases, the way to reduce the risk of a dangerous scenario is to introduce a SIS protection layer, that is, a Safety Instrumented Function (SIF). We must assign a Risk Reduction Factor (RRF) to this protection layer and, therefore, a specific SIL level (1, 2, 3, or exceptionally 4).
- Safety Requirements Specification (SRS): It is the final document of this first phase where we must define and describe in detail each SIF, as well as the initial parameters that we will need to perform the SIL verification (LT, TI, PTC, Beta, MTTR, Start-up time, etc.). The main parameters that are defined for each SIF are the required SIL, the RRF and the MTTFS.
- Functional Safety Assessment (FSA): It consists of a third-party assessment to confirm that the work done in this first phase has been correct.
Phase of Design & Implementation
- Selection of products: We must select the technologies and manufacturers for each of the SIFs (type of sensor to measure pressure, temperature, flow, etc.; type of valve and actuator; model of safety PLC; Logic Solver as PLC or relays; etc.). Selected devices must be certified for the required SIL, or their use must be justified through the so-called “proven in use” or “prior use” route.
- Design: The detailed design must be carried out defining all the components of each Safety Function. We will need the support of the manufacturers, and the information in the “Safety Manuals” to obtain the final parameters, especially the PTC parameter (“Proof Test Coverage”, or Cpt) that quantifies the effectiveness that we will have in the Proof Tests to detect potential dangerous failures.
- SIL Verification: Using calculation software (exSILentia, Safeguard Profiler, SILcet, etc.) we verify that the design of each SIF complies with what is specified in the SRS document (SIL, RRF, MTTFS). This verification must be repeated every time we modify the design (change of manufacturer, change of architecture, change of a calculation parameter or of the required SIL, etc.).
- SIS Tests: There are several types of tests depending on the degree of progress of the project. The “Factory Acceptance Tests” (FAT) are carried out at the factory, and the “Site Acceptance Tests” (SAT) in the plant. These two tests, depending on how they were performed, can be considered as part of the final Validation of the SIS.
- Validation of the SIS: It is a very important milestone that consists of validating, through inspections and testing, that the installed and commissioned SIS and its associated SIFs achieve the requirements as stated in the SRS (clause 15 of the IEC 61511). It is normal to use the Site Acceptance Tests for this validation.
- Functional Safety Assessment (FSA): It consists of a third-party assessment of the design and installation of the SIS and its associated SIFs. In the assessment team there must be at least one expert who has not been involved in the design.
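To make the Design and SIL Verification items concrete, here is an added example (not from the article or from any of the tools it names) that checks a constructed three-subsystem SIF against its SRS targets and re-verifies it after a change of the PTC (Cpt) parameter. It assumes the common simplified 1oo1 PFDavg approximation with imperfect proof-test coverage; the failure rates, test interval, lifetime and targets are hypothetical values, and architectural constraints (HFT) and the beta factor are not modelled.

```python
"""Simplified SIL verification of one SIF against its SRS targets (added example).
PFDavg uses the simplified 1oo1 approximation with imperfect proof-test coverage;
HFT constraints and common-cause (beta) are deliberately left out."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass
class Subsystem:
    name: str
    lambda_du: float  # dangerous undetected failure rate (1/h), from the Safety Manual
    lambda_dd: float  # dangerous detected failure rate (1/h)
    ptc: float        # proof test coverage Cpt: fraction of lambda_du the proof test reveals

def pfd_avg_1oo1(s: Subsystem, ti_h: float, lt_h: float, mttr_h: float) -> float:
    """Failures the proof test reveals are latent TI/2 on average, the remainder
    LT/2 (only found at end of life), detected failures for MTTR."""
    return (s.ptc * s.lambda_du * ti_h / 2
            + (1.0 - s.ptc) * s.lambda_du * lt_h / 2
            + s.lambda_dd * mttr_h)

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL bands of IEC 61511: SIL n means 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # PFDavg >= 0.1: no SIL claim is possible

def verify_sif(subsystems, ti_years, lt_years, mttr_h, required_sil, required_rrf):
    """Compare the SIF design against the SRS targets (required SIL and RRF)."""
    ti_h, lt_h = ti_years * HOURS_PER_YEAR, lt_years * HOURS_PER_YEAR
    pfd = sum(pfd_avg_1oo1(s, ti_h, lt_h, mttr_h) for s in subsystems)
    sil, rrf = sil_from_pfd(pfd), 1.0 / pfd
    return {"pfd_avg": pfd, "rrf": rrf, "sil": sil,
            "compliant": sil >= required_sil and rrf >= required_rrf}

# Constructed SIF (hypothetical rates, not any vendor's data): pressure transmitter,
# safety PLC and shutdown valve; the SRS asks for SIL 2 with RRF 200.
SIF = [Subsystem("PT", 1.5e-7, 5e-7, 0.90),
       Subsystem("Logic solver", 1e-8, 2e-7, 0.99),
       Subsystem("Valve", 4e-7, 1e-7, 0.70)]
TI_YEARS, LT_YEARS, MTTR_H, REQ_SIL, REQ_RRF = 1, 15, 24, 2, 200

def baseline():
    return verify_sif(SIF, TI_YEARS, LT_YEARS, MTTR_H, REQ_SIL, REQ_RRF)

def with_better_valve_ptc(ptc=0.95):
    """Re-verification after a design change: a more thorough valve proof test."""
    changed = [Subsystem(s.name, s.lambda_du, s.lambda_dd, ptc) if s.name == "Valve" else s
               for s in SIF]
    return verify_sif(changed, TI_YEARS, LT_YEARS, MTTR_H, REQ_SIL, REQ_RRF)
```

As designed, the undetected valve failures that only a full lifetime exposes dominate the result and the SIF only reaches SIL 1 (RRF about 93); raising the valve Cpt to 0.95 brings it to SIL 2 with RRF about 216, which is why a change of any calculation parameter calls for a new verification.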
Phase of Operation & Maintenance
- SIS Maintenance Plan: This phase of the life cycle is the longest, in which we must ensure that the integrity of all Safety Functions (SIF) is maintained. There must be a specific SIS Maintenance Plan that defines the activities, procedures, responsible persons, etc. The main changes of edition 2 of IEC 61511, published in 2016, affect this third phase.
- Effectiveness of Maintenance: It is important to ensure that we meet the parameters defined in the SRS, especially the frequency of proof tests, their effectiveness as quantified by the PTC (or Cpt) parameter, and the assumptions made when calculating the beta factor (common cause failures). It is important to record and document SIS failures.
- SIS Monitoring: The behavior of the SIS must be monitored so that its integrity is maintained, specifically if there are changes in the demand rate of any SIF, if any parameter used in the calculation of the Probability of Failure changes, or if there are discrepancies between the expected behavior of the SIS and the actual one.
- Modification of the SIS: Over time changes may arise due to different causes. Clause 17 of IEC 61511 sets the guidelines to follow. We must ensure that the safety integrity required by the SIS is maintained after the modifications made.
- Functional Safety Assessment (FSA): An FSA must be done periodically during this phase to ensure that maintenance and operation are carried out in accordance with the assumptions made during the design. In the assessment team there must be at least one expert who is not involved in the O&M.
As we have seen, 100% compliance with IEC 61511 is not simple and has a cost, although not really a cost if we consider it an investment in Plant Safety and Plant Image that will have a huge return once an accident has been avoided.
In many countries, compliance with IEC 61511 is not mandatory, but it is an excellent set of recommendations that is widely recognized worldwide. From here we encourage you to follow it and implement it little by little. Complying with this standard by only 50% is already a good step in the right direction.
It should also be considered that the use of this Standard, as in many others, requires large doses of interpretation by the user. There are few absolute answers “right / wrong” and, therefore, the experience and good practices of the engineer are fundamental.
Finally, we must emphasize the enormous importance of “systematic failures”, which are closely related to human errors and which we can minimize with good Management of the Functional Safety of the Plant.