Functional Safety Assessment and Conformance to IEC 61511

4.1 A conformance example

To conform to IEC 61511, the standard requires that: 

"Each of the requirements outlined in Clause 5 through Clause 19 has been satisfied to the defined criteria and therefore the clauses' objectives have been met" IEC 61511-1 Clause 4.

In practice, however, this is somewhat easier said than it is achieved. Let's take a relatively simple example from one of the shortest IEC 61511 clauses:

14.1 Objective - SIS installation and commissioning

"The objective of the requirements of Clause 14 are to:

  • install the SIS according to the specification and drawings;
  • commission the SIS so that it is ready for final system validation."

Meeting the above stated objectives will require reading the remaining clause 14.2 and its sub-clauses 14.2.1 to 14.2.5:

14.2.1 requires "installation and commissioning planning", and lists four (4) elements that must be in the plan.

14.2.2 requires that devices are properly installed based on the design and installation plan(s).

14.2.3 requires commissioning activities, and lists a minimum of nine (9) specific confirmation checks.

14.2.4 requires commissioning records to be kept, including any failures and reasons for failure.

14.2.5 requires impact assessment by a competent person of all non-conformances found during commissioning.

So, to conform with the stated objectives of Clause 14 there are five (5) specific sub-clauses that must be met. However, sub-clause 14.2.1 and 14.2.3 have 13 different elements for checking. A functional safety assessment leader would be looking to raise questions and/or create a checklist for specific evidence that 16 elements in total have been fulfilled.

4.2 Demonstrating conformance

All relevant clauses in the whole IEC 61511 standard can be broken down in a similar way to the above example. Although there is still expert judgement required, it is entirely possible to create a checklist and questionnaire which looks for evidence that "shall" requirements have been met in each clause and sub-clause.

The following sections in this chapter explain the concept of Functional Safety Assessment (for conformance demonstration) and then estimates the number of questions that typically come up in each part of the standard. Hopefully this is a clear indication of the level of effort required for demonstrating conformance at each stage.

Do you want to print this guide?

We plan to have a free printable PDF version of this guide which you can download and keep. Request your copy now.

4.3 Functional Safety Assessment

Functional Safety Assessment is an activity which is proposed at several stages in the SIS safety lifecycle, and mandated in IEC 61511 to be carried out at least once prior to startup of an SIS and at intervals during the operations stage. The activity must be led by a senior competent person, who is not involved with the step or steps being analyzed.

Note that FSA planning should be included at the start of any project where an SIS is expected to be needed. If the SIS already exists, then plan for an operations and maintenance FSA stage 4.

There are five stages at which functional safety assessment is recommended, as shown in the following diagram.

IEC 61511 safety life-cycle

The IEC 61511 safety life-cycle and associated FSA stages

Producing huge amounts of paper should not be a goal of any SIS project or operation. However, there must be sufficient evidence upon which an independent assessor can make a judgement for FSA conformance purposes. The goal should be to produce a trail of evidence at each stage to allow an effective independent assessment to take place.

From experience, it is highly recommended to start FSA review activities as early as possible after the hazard and risk assessment and SIL determination stage. Don't wait for the safety requirements specification to be complete.

4.4 Assessment table

The following table is a summary created by eFunctionalSafety for this Ultimate Guide To The Process Safety Life-cycle which summarizes the approximate level of effort required for each stage of conformance, separated by the relevant IEC 61511 clause numbers.

The intent is to provide an overview of the level of effort required for those planning to undertake a Functional Safety Assessment.

The table columns are as follows:

  1. Life-cycle stage and clause number.
  2. Number of sub-clauses and sub bullet-points or sections.
  3. Number of FSA questions (according to the eFunctionalSafety FSA protocol).
Turn to LANDSCAPE if using mobile:

Item 1

Clauses

FSA Questions

Clause 05, 06, 07, 19

Functional safety management, life-cycle planning, verification, documentation

119

36

Clause 08, 09

Process hazard and risk assessment, allocation of safety functions to protection layers

44

41

Clause 10

SIS Safety requirements specification

55

50

Clause 11

SIS Design & Engineering

110

48

Clause 12

SIS Application Program Development

86

57

Clause 13

Factory Acceptance Testing

25

16

Clause 14

SIS Installation and Commissioning

16

33

Clause 15

SIS Safety Validation

58

43

Clause 16

SIS Operation and Maintenance

57

48

Clause 17

SIS Modification, decommissioning

23

18

4.5 FSA Notes

The stages of FSA suggested in the standard do not necessarily line up in a linear way with how projects work in practice. This is perhaps best explained with FSA Stage 1 which is intended to analyze all stages up to and including clause 10 (the SRS). However, it is fairly commonplace for requirements to be split into multiple documents which gather in detail as a project progresses. A specific case is the Application Program (software) requirements. These will not be available in any depth until logic solver equipment selection has taken place, which often happens much later in a project than would be advisable for the FSA 1 activity to take place.

In some cases the number of clauses and associated conformance questions may be limited by the type of project, or by decisions made during a project.

For example, if a programmable logic solver system is not part of the SIS scope, then Clause 12 of the standard will not be applicable, and the SRS elements that relate to software will not be needed. Likewise, if equipment is not selected based upon prior use claims, then this will reduce Clause 11 requirements from 110 to around 80. This limitation of the relevant clauses for conformance should be something that is clearly outlined in FSA planning at each stage by the lead independent assessor.

Some companies have the impression that a simple system with very few SIF will somehow limit the conformance assessment activity significantly. However, this is a bit of a misunderstanding. For example, assessing the SRS for a single SIS and SIF will still require asking and answering at least 50 questions related to that part of the life-cycle. There is certainly additional effort if there are a large number number of uniquely designed SIF, but this effort does not reduce to zero even if there is only one SIF in the system.

Need to complete an FSA or Audit?

GET THE FSA TEMPLATE SET

4.6 Conformance results

From experience of conducting many different FSA's including all the stages listed above, the results can depend highly on the functional safety maturity of the Duty Holder's personnel and the personnel leading the project activities from supporting companies.

Typical results for conformance to IEC 61511 shows that around 60% to 75% of clauses can be shown to be adequately met when concluding an FSA activity on a new-build project (ie. not including operations, maintenance and decommissioning).

IEC 61511 conformance assessment typically results in around 60% to 75% of clauses adequately met when concluding an FSA activity on a new-build project.

The above statistic suggests that 100% conformance to IEC 61511 is not only difficult but also unlikely on a new-build project of any complexity. This is for a few reasons:

  1. There are a large number of elements to check, but evidence is not always easy to find within a restricted time and budget.
  2. Full conformance is often a judgement call by the assessor. In some cases a project or duty holder may meet a requirement such as "employee training has been completed", but in the view of the assessor the training is not sufficient.

Companies with existing systems who are conducting FSA at Stage 4 of the SIS safety life-cycle should be aiming at 100% compliance. However, this may not be immediately achievable.

4.6 Functional Safety Audit & Revision

Functional safety audit and revision (abbreviated FSAR here, but not in IEC 61511) is intentionally separated from FSA in the IEC 61511 standard. The idea is that FSAR is an audit of procedures and records to determine whether an appropriate functional safety management system is in place and being followed.

However, the distinction between FSA and FSAR may be somewhat overplayed if an FSA is already being planned or conducted on a project. The person leading any FSA activity must take account of the detailed life-cycle phases of the stages being assessed. By definition, every stage of the life-cycle includes management, planning and verification activities, so the FSA must take these into account. In this sense, FSA’s already include elements of an audit.

One thing that is clear about the distinction between FSA and FSAR is that FSAR does not have the specific goal of making a judgement about the functional safety achieved by each SIF design, whereas FSA does have that goal.

Somewhat like a Quality or Gap audit, an FSAR cannot be conducted until functional safety procedures are in place, and they have in place long enough to produce sufficient evidence documents about whether the procedures are being followed. However, it is entirely feasible that some procedures will be put in place and followed at least once during an SIS project development, meaning an FSAR alongside an FSA activity is an entirely valid prospect even for a new-build.

An FSAR also involves the important aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA given that non-conformances would lead to an action for change.

>