International Standards such as IEC 61508 and IEC 61511 are prepared by committees of experts from different fields and functions, and are not mandatory in the design or manufacturing, unless the end user or local legislation specifies their direct or indirect compliance.
As an example, we will say that OSHA in USA and COMAH in UK require companies to follow Best Practices or what is known as RAGAGEP (Recognized And Generally Accepted Good Engineering Practice). Companies under OSHA PSM or COMAH regulation need to demostrate that they are following RAGAGEP. Both organizations accept that designing the SIS according to IEC 61511 (or the equivalent ISA 84) meets its requirements.
In the European Union, the Directive applicable to the prevention of accidents involving dangerous substances is Directive 2012/18/EU, known as the Seveso III Directive. This Directive requires the elaboration of a Risk Analysis and the installation of prevention and risk reduction measures for serious accidents.
We show here the text of one of the clauses of this Directive:
Directive 2012/18/UE – Clause 15: In order to demonstrate that all that is necessary has been done to prevent major accidents, and to prepare emergency plans and response measures, the operator should, in the case of establishments where dangerous substances are present in significant quantities, provide the competent authority with information in the form of a safety report. That safety report should contain details of the establishment, the dangerous substances present, the installation or storage facilities, possible major- accident scenarios and risk analysis, prevention and intervention measures and the management systems available, in order to prevent and reduce the risk of major accidents and to enable the necessary steps to be taken to limit the consequences thereof. The risk of a major accident could be increased by the probability of natural disasters associated with the location of the establishment. This should be considered during the preparation of major-accident scenarios.
Standard IEC 61508
IEC 61508 was published at the end of the 90s, in 2002 a general review was carried out and the last edition was published in 2010.
It is an “umbrella” standard that provides the basis for use in electrical, electronic and programmable electronic device safety applications, and includes the mechanical components needed in the Safety Functions. This standard applies to all industries (process, robots, machinery, rail, etc.) and is used by manufacturers to certify their products (sensors, PLCs, actuators, valves, etc.) for Safety Instrumented Functions up to a certain SIL level (Safety Integrity Level).
IEC 61508 has 7 parts:
- Part 1: General requirements.
- Part 2: Requirements for E/E/PE safety-related systems.
- Part 3: Software requirements.
- Part 4: Definitions and abbreviations.
- Part 5: Examples of methods for the determination of safety integrity levels.
- Part 6: Guidelines on the application of Parts 2 and 3.
- Part 7: Overview of techniques and measures.
Parts 1 to 4 are normative, and parts 5-7 are informative with examples, guides, recommendations, methodologies, techniques, etc.
Standard IEC 61511
Since 2002, two new specific standards were introduced, IEC 61511 for the process industries (Oil & Gas, Chemistry, Power, Pharmacy, Paper, Food and Beverages, Water, etc.), and IEC 62061 for machinery safety. Both make direct reference to IEC 61508.
IEC 61511 was published in 2003 and the last update is from 2016. It is an standard totally oriented to the End User Safety Functions that covers the entire Life Cycle of the Safety Instrumented System (SIS).
IEC 61511 has 3 parts (parts 2 and 3 are informative):
- Part 1: Framework, definitions, system, hardware and software requirements
- Part 2: Guidelines in the application of IEC 61511-1
- Part 3: Guidance for the determination of the required safety integrity levels
In edition 2 of 2016, based on the experience of new accidents, many of the “informative” clauses of the standard became mandatory. To maintain the integrity of the Safety Functions (SIF), the SIL study, the design of the SIS according to the standard and the performance of proof tests are no longer sufficient.
Clauses 16 and 17 of IEC 61511-1 refer to the Operation and Maintenance phase of the SIS and were substantially modified in edition 2. There are crucial parameters to determine the SIL of a Safety Function such as, for example, how often a dangerous scenario occurs, what is the frequency of the proof tests and their effectiveness, and the value of the hardware failure rates, but it is necessary to ensure that they do not change after several years of operation.
Are the parameters and assumptions made in the original SIS design 10 years ago correct? The answer is not in many cases. The Plant changes, processes change, personnel change, procedures change, legislation changes, maintenance budgets change, and all this can affect the integrity of the SIS.
Clause 16.1 of the standard defines the objectives of the maintenance phase in which we must ensure the following:
- That the required SIL of each SIF does not change over time.
- That the SIS is operated and maintained without affecting the safety integrity.
For achieving these objectives, Clause 16 contains specific requirements and defines activities that must be carried out to comply with IEC 61511.
This last edition 2 has introduced other changes such as those related to Cybersecurity (clause 8.2.4), the SRS specification (10.2), the FAT tests (13.1), the periodic Functional Safety Assessment during the O&M phase of the plant (188.8.131.52.10), the use of the bypass, etc. In addition, IEC 61511 has been aligned with route 2H of IEC 61508-2: 2010 and the SFF (Safe Failure Fraction) parameter has been removed.