In many cases this is impracticable, and non‐compliance is widespread. The most common practice is to use only two valves in series in a double block or double block and bleed arrangement. Installing a third block valve not only increases the cost; it also increases the risk of spurious trip and loss of production. Continuous automatic diagnostic functions are not usually practicable in the process sector. (Generowicz, 2016)
The Changes in the New Edition
The new edition of IEC 61511 will include:
- New requirements for systematic capability
- New requirements for formal functional safety management systems
- New requirements for formal procedures to manage competence
- New security risk assessments, relating to deliberate malicious interference
- More detailed requirements about planning for verification
- Clarification of requirements where risk reduction is spread across multiple SIFs
- New annexes with detailed guidance
- Simplified requirements for hardware fault tolerance
- Requirements for better substantiation of the failure rate data and of uncertainties in the data
- Revised software development requirements
- Additional requirements for bypasses
- Formal review of operations and maintenance of the hazard and risk assessments
- Independent assessment of modifications to systems before implementation.
(Generowicz, 2016)
Systematic Capability
The concept of systematic capability was introduced in the 2010 edition of IEC 61508. Systematic capability is essentially a measure of the effectiveness of quality management techniques applied to components. Requirements for systematic capability are included in the new edition of IEC 61511. (Generowicz, 2016)
Functional Safety Management Systems
The purpose of a functional safety management system is to achieve systematic integrity. Functional safety management has been poorly understood and largely ignored throughout the process sector, particularly by the end users or plant owners. Any organization with responsibility for one or more phases in the lifecycle must now demonstrate a functional safety management system as well as a quality management system. This requirement applies just as much to end users and owners as it does to designers and suppliers. The operation and maintenance of a safety instrumented system must be managed under a formal system of functional safety procedures. (Generowicz, 2016)
Competency
More emphasis has been put on competency requirements for all parties involved in designing, developing, implementing, operating and maintaining SIS.
The wording in the standard has been changed from describing factors that ‘should’ be addressed when considering competence to factors that ‘shall’ be addressed. A new sub‐clause has been added requiring formal procedures to manage competence and requiring periodic assessments of the competence of individuals with respect to their responsibilities. There are competency requirements for those in charge too: managers and leaders need to have adequate knowledge, ability, and experience relating to the activities for which they are accountable. (Generowicz, 2016)
Security Risk Assessment
In the section of the standard dealing with process hazard and risk assessment, a new sub‐clause has been added requiring a security risk assessment. This relates to the security of the systems against deliberate malicious interference, as distinct from the risk assessment of materials, process and equipment. (Generowicz, 2016)
Verification
A new sub‐clause has been added, with more detailed requirements about what should be covered in planning when verification is to include testing.
A new sub‐clause has been added specifically requiring verification that non‐safety functions integrated with safety functions do not interfere with the safety functions. Lack of separation between safety functions and non‐safety functions has been a widespread problem that compromises safety integrity. (Generowicz, 2016)
Multiple SIFs
A new sub‐clause clarifies that if risk reduction is spread across multiple SIFs within the same SIS, then the safety integrity achieved must meet the overall risk reduction requirement, taking into account dependencies between the SIFs.
Risk Reduction > 10 000
The requirements for achieving four or more orders of magnitude reduction in risk are specified in much more detail.
In IEC 61511‐3 there is a new Annex J that provides very detailed guidance on the evaluation of dependencies between multiple safety systems or functions. This annex is particularly relevant to where high levels of risk reduction are achieved by splitting risk reduction across multiple systems. (Generowicz, 2016)
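The point made in the Multiple SIFs and Risk Reduction > 10 000 sections, that two layers of 1-in-100 only add up to 1-in-10 000 when they are truly independent, can be shown with a small calculation. This is an added example, not from the original post or from the standard; it assumes a simple beta-factor split of each layer's failures into an independent share and a common-cause share, which the text does not prescribe.

```python
"""Combined risk reduction of two safety functions with a dependency.

Added example. PFD = probability of failure on demand of one layer,
RRF = risk reduction factor = 1 / PFD. The beta-factor split below is an
assumed model, not a formula taken from IEC 61511.
"""


def combined_pfd(pfd_a: float, pfd_b: float, beta: float = 0.0) -> float:
    """PFD of the pair when both layers must fail for the hazard to propagate.

    beta is the assumed fraction of each layer's failures that is common to
    both layers (0.0 means fully independent). Independent shares multiply;
    the common-cause share of the weaker layer is counted once.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    for p in (pfd_a, pfd_b):
        if not 0.0 < p < 1.0:
            raise ValueError("PFD must be in (0, 1)")
    independent = ((1.0 - beta) * pfd_a) * ((1.0 - beta) * pfd_b)
    common = beta * min(pfd_a, pfd_b)
    return independent + common


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


def meets_target(pfd_a: float, pfd_b: float, beta: float, target_rrf: float) -> bool:
    """True if the pair achieves at least target_rrf (small float tolerance)."""
    return combined_pfd(pfd_a, pfd_b, beta) <= (1.0 / target_rrf) * (1.0 + 1e-9)


if __name__ == "__main__":
    # Two SIL 2 functions, each with a constructed PFD of 0.01 (RRF 100).
    for beta in (0.0, 0.02):
        pfd = combined_pfd(0.01, 0.01, beta)
        print(f"beta={beta:.2f}: combined PFD={pfd:.3e}, "
              f"RRF={risk_reduction_factor(pfd):,.0f}, "
              f"meets 10 000? {meets_target(0.01, 0.01, beta, 10_000)}")
```

With 2% of failures assumed common to both layers the achieved RRF falls from 10 000 to roughly 3 400, so the four-orders-of-magnitude claim fails unless the dependency is assessed and shown to be negligible.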
Hardware Fault Tolerance
The requirements for HFT have been simplified and aligned with the method ‘Route 2H’ that was introduced in the 2010 edition of IEC 61508.
The level of hardware fault tolerance required has been reduced, with the justification that failure rate data with increased confidence levels will be used.
SIL 3 can now be claimed with only two block valves in series (fault tolerance of one). An increased level of confidence in the failure data is required. The proposed IEC 61511 edition stops short of specifically requiring the 90% confidence level required by IEC 61508, but it does require an equivalent demonstration of confidence in the data. The ‘systematic capability’ of components and subsystems must be demonstrated. That means that the quality control must be appropriate for the level of SIL claimed. New sub‐clauses have been inserted into the section on ‘Quantification of random failure’ requiring better substantiation of the failure rate data and of uncertainties in the data. The calculated probability of failure will need to consider faults that might never be detected and failures that might be caused by periodic testing. (Generowicz, 2016)
Software Development
The clause on application software has been completely re‐written, though there are no obvious or significant changes in requirements.
The new clause is shorter. The application program development lifecycle is now integrated into the overall safety lifecycle. In the earlier edition it was described separately.
Control of Bypasses in Operation
History has shown us that the application of bypasses and overrides has contributed to the cause of many disasters.
A new sub‐clause has been added requiring additional risk management where SIS devices are bypassed in continuous operation.
A new sub‐clause requires all bypasses to be authorised and logged.
A new sub‐clause requires spare parts to be identified and made available to minimise bypass duration.
Operations and Maintenance Review of Hazard and Risk Assessment
There has often been a lack of communication between the designers and those responsible for operation and maintenance.
A new sub‐clause requires those responsible for operations and maintenance to review the assumptions made in hazard and risk assessment. (Generowicz, 2016)
SIS Modification
A new sub‐clause emphasizes the need to update documentation affected by a modification.
A new sub‐clause requires an independent assessment of the functional safety before any modification is implemented. (Generowicz, 2016)
Annexes
IEC 61511 parts 2 and 3 include many annexes that provide guidance on implementing the standard.
Extensive changes, deletions, and additions have been proposed for the annexes in the new edition. (Generowicz, 2016)
Summary
- The changes in the new edition are primarily aimed at improving systematic safety integrity.
- The objective is to prevent the recurring systematic failures that have been evident for many years throughout the process sector. These failures are all preventable.
- The requirements for hardware fault tolerance have been reduced, but the failure rate data used in calculations must be more reliable. The quality and suitability of components must be demonstrated.
- The guidance and support material has been enhanced in the standard to assist safety and design engineers, safety assessors, and operators.
- Over the past 20 years the standard has been applied widely and shown to be practicable. The changes make the standard simpler and should improve the level of compliance that can be readily achieved.
- Regulators now expect a reasonable level of compliance to the standard.
- Our Duty of Care requires us to be able to demonstrate compliance with IEC 61511.
- Owners, end users and EPC/EPCM contractors will need to improve and to formalize the way they execute engineering activities in order to comply with the standard requirements.
© Generowicz. 2016 - The copyright of the content of this guest blog belongs to Generowicz who has authorized CGE Risk Management Solutions B.V. to provide this content on its website.