IEC 61511, ed 2. Changes and what's in it for the user?
Cato Bratt / Heidi Fuglum, ABB

Disclaimer
This paper presents some of the changes in "IEC 61511 – Functional safety – safety instrumented systems for the process industry sector", edition 2. It is based on the CDV version of the standard and reflects the authors' interpretation of the changes. Please note that there may be new or different changes in the final published version of IEC 61511 ed 2.

General about IEC 61511
IEC 61511 was first released in 2003. It is the use of IEC 61508 in the process industry, intended for the process industry. 60 people representing 17 countries have been engaged in the committee work, meeting twice a year. The committee is divided into several task teams.
- August 2015: planned release of IEC 61511 edition 2

What's in it for the user?
Organizations would be re-certified according to the new edition within 3 years. New guidelines and examples are provided, making it easier to understand, use and comply.

General changes
The new edition of IEC 61511 has eliminated inconsistencies, corrected several writing errors, aligned many definitions with IEC 61508 and incorporated lessons learned. The word "should" is changed to "shall" in many clauses.

What's in it for the user?
Demand mode SIF and continuous mode SIF are now directly defined with regard to IEC 61508. Systematic Capability (SC), which was added in the second edition of IEC 61508, is now included in the new edition of IEC 61511. Competence needs to be documented:
- engineering knowledge in regard to training and experience on technology and application of the different equipment
- understanding the consequence of an event, and competence on the valid laws and regulations

Functional Safety Assessment (FSA), clause 5.2.6
FSA in the 1st edition was focused on the design phase up to and including commissioning.
In the 2nd edition, an FSA is required to go through the impact assessment before the start of a modification, and FSAs are also required periodically during operation.

What's in it for the user?
The new requirements with regard to FSA are more strict ("shall") and more specific than before. We expect to see an increased number of FSAs connected to operation and modifications.

Verification, clause 7
Verification has a new sub-clause which handles testing (7.2.2). In the original version, testing wasn't specifically mentioned.

What's in it for the user?
A more holistic approach to the lifecycle activities regarding all verification activities, and more descriptive requirements for testing in general. Application programming is now put into the general verification clause, to avoid repetition in the standard and make it easier to handle and follow for the user. Some of the test planning requirements that were only applicable to application programming are now also applicable to testing of HW.

Process hazard and risk assessment, clause 8
A new requirement contains a security risk assessment (8.2.4). The SIS and associated devices need a security risk assessment:
- Description of identified threats that could exploit vulnerabilities and result in security events
- This shall be considered for the different lifecycle phases (design, implementation, commissioning, operation and maintenance).

What's in it for the user?
Users now need to consider system and network vulnerability; the goal is a more robust control network.
Additional guidance related to SIS security is given in IEC 61511 ed 2, Annex L. Refer to:
- ISA-TR84.00.09, Security Countermeasures Related to Safety Instrumented Systems (SIS)
- IEC 62443-2, "Security for industrial automation and control systems"

SIS Safety Requirements Specification (SRS), clause 10
There are now additional requirements in the Safety Requirements Specification:
- Requirements for proof test procedures (scope, duration, state of the tested device, state of the process, detection of common cause failures, methods and procedures used to test the diagnostics, prevention of errors)
- Addressing the application program safety requirements. The application program safety requirements specification is moved from clause 12.2 into clause 10.3.2.

What's in it for the user?
Writing requirements is moved to clause 10, which means that SIS integrator(s) also need to work with clause 10, not only clause 12. SIS integrators which have certified their scope of work need to change the certificate regarding the revised lifecycle phases included in the work scope. Will SIS integrators need to take responsibility in phase 3/clause 10, which traditionally used to be EPC work? Will this be a possible conflict of roles and responsibilities?

SIS design and engineering, clause 11
IEC 61511 is aligned with route 2H of IEC 61508. The Safe Failure Fraction (SFF) is removed; there is a new Hardware Fault Tolerance (HFT) table without the SFF (11.4.5).

What's in it for the user?
The use of the SFF has often been discussed. Removing the SFF means that diagnostics get less importance. The new minimum HFT and PFD requirements need to be fulfilled, so redundancy may be necessary.

SIS Application Program Development, clause 12
There have been major changes in the structure of clause 12. The application program safety life cycle is moved to clause 6. The application program safety requirements specification is moved to clause 10.3.2, and some descriptive text is moved to part 2 as guidance.

What's in it for the user?
Clause 12 is completely rewritten:
- more readable
- integrates the aspects of application programming which are covered by the overall system lifecycle into the relevant system clauses of the standard (e.g. lifecycle definition, requirements derivation, verification, validation)
- avoids duplication
The focus changed from discussing software to addressing application programming.

SIS operation and maintenance, clause 16
New requirements for SIS bypassing, e.g. continued process operation with an SIS device or subsystem in bypass due to maintenance, repair or testing. The status of all bypasses shall be recorded in a bypass log (16.2.7).

What's in it for the user?
The operator shall be provided with information on the procedures to be applied before, during and after bypass, what should be done before removal of the bypass, and the maximum time permitted to be in the bypass state. Bypasses need to be logged, either in a log book written by operators or automatically in an information system, to be handed over at every shift.

Part 2 changes
What's in it for the user?
A lot of new examples are provided so that part 2 becomes more relevant to the change from software to application programming, and on how to comply with this standard from the application program point of view. In general, edition 2 part 2 has a lot more guidance text and help for the user, e.g. application program examples are included in part 2.

Part 3 changes
What's in it for the user?
Additional annexes illustrate new ways to determine the required safety integrity level. Existing annexes were reviewed and upgraded as needed. A new annex addressing multiple safety systems provides qualitative and quantitative guidance related to this subject.

Post 2nd edition Technical Reports (TR): future work
The maintenance committee MT 61511 is working on a list of possible Technical Reports (TR). There are several examples of Technical Reports which may be written over the next years.
For example:
- Partial SIS
- Compliance of IEC 61511
- Testing and reliability
- Fire & gas detection
- Fiber optics
- Human factors
- Systematic capabilities

Conclusion
Edition 2 is more consistent, practicable and clear in the requirements. It has an improved structure and is more in line with the parent standard IEC 61508. It:
- includes many end user requirements and experience
- highlights user experience
- increases the need for written procedures to improve functional safety management
- drives the need for end users to collect reliability data
- includes focus and attention on security
With the improved examples and guidelines in part 2, it should make the standard easier to read, understand and follow, and avoid company/country specific guidelines. Also, if they proceed with the TRs, it will provide a lot more examples for the users to follow, and we will hopefully get fewer accidents and live in a safer world.
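As an added example (not from the paper or from the standard itself), a small Python check over a constructed bypass log in the spirit of clause 16.2.7 above: it flags bypasses that have exceeded the maximum permitted bypass time or lack a procedure reference, and produces the active-bypass list for shift handover. The record fields, the per-entry max_hours value and the sample records are assumptions.

```python
"""Bypass log check in the spirit of IEC 61511 ed 2 clause 16.2.7 (added example).
Assumed record layout (constructed for illustration): SIS tag, who applied the
bypass, when it was applied/removed, the maximum permitted bypass time from the
procedure, and the procedure reference applied before/during/after bypass."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample bypass log (not real plant data). removed="" means still in bypass.
BYPASS_LOG = [
    {"tag": "PT-1001", "by": "op_a", "applied": "2015-08-10 06:15",
     "removed": "2015-08-10 09:40", "max_hours": 8, "procedure": "BP-017"},
    {"tag": "SV-2020", "by": "op_b", "applied": "2015-08-10 13:00",
     "removed": "", "max_hours": 4, "procedure": "BP-021"},
    {"tag": "TT-3055", "by": "op_b", "applied": "2015-08-10 17:30",
     "removed": "", "max_hours": 12, "procedure": ""},
]


def check_bypasses(log, now_str):
    """One finding per record: whether it is still active, elapsed hours, and issues.
    Issues: 'overdue' (max permitted time exceeded) and 'no_procedure' (no reference)."""
    now = datetime.strptime(now_str, FMT)
    findings = []
    for rec in log:
        start = datetime.strptime(rec["applied"], FMT)
        end = datetime.strptime(rec["removed"], FMT) if rec["removed"] else now
        elapsed = (end - start) / timedelta(hours=1)
        issues = []
        if elapsed > rec["max_hours"]:
            issues.append("overdue")
        if not rec["procedure"]:
            issues.append("no_procedure")
        findings.append({"tag": rec["tag"], "active": not rec["removed"],
                         "elapsed_hours": round(elapsed, 2), "issues": issues})
    return findings


def shift_handover(log, now_str):
    """Handover list at shift change: only bypasses still active, overdue ones first."""
    active = [f for f in check_bypasses(log, now_str) if f["active"]]
    return sorted(active, key=lambda f: "overdue" not in f["issues"])


if __name__ == "__main__":
    for finding in shift_handover(BYPASS_LOG, "2015-08-10 18:00"):
        print(finding)
```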