01: Safety lifecycle of IEC 61511

Introduction to the safety lifecycle of IEC 61511

The safety lifecycle of IEC 61511 was defined for the process industry sector from parent standard IEC 61508. The safety lifecycle is essentially a flowchart depicting the stages of different activities needed to assess hazards and then develop protection layers to prevent or mitigate risk. The safety lifecycle from IEC 61511 focuses on Safety Instrumented Systems (SIS) as one of the critical specialist protection layers that need careful specification, design, testing and maintenance.

The term safety often gets used in the context of occupational safety, where the main focus is often slips, trips and falls. However, process safety and functional safety have a different focus.

Safety is a general term that has been defined as “Freedom from danger, risk, or injury”, or “Freedom from unacceptable risk”. It involves people, processes and the planet being protected from harm, or any other event which could be considered undesirable.

Process safety involves keeping processes under control and stopping loss of containment of hazardous materials from pipes, vessels and process equipment. It is the concern of many different disciplines including materials experts, process experts, mechanical, electrical, control and instrumentation, as well as process safety professionals.

Functional safety is a part of the overall plant Process Safety approach. When hazardous events occur, we need to know that instrumentation and automation devices such as sensors, logic solvers and final elements such as valves will bring the process to a safe state. When applied correctly, functional safety principles should ensure that each hazardous event is prevented or mitigated by equipment designed with the correct level of integrity that is appropriate for the risk posed.

The IEC 61511 safety life-cycle for SIL rated SIS systems

A key element throughout the safety life-cycle is functional safety management (FSM). Companies that use SIS as part of their risk reduction measures will need to set up a solid FSM system. A well-designed FSM system will have measures to ensure that all personnel are competent in the part of the lifecycle they are responsible for. It will provide effective policies, planning and procedures to control all life-cycle activities that go into the initial SIS design, and its upkeep or modification.

As activities occur in the life-cycle, another key theme of functional safety standards is the need for verification. This is nothing particularly new. Put in simple terms, if a person completes an activity then someone else should be responsible for checking or verifying it. This is something that is commonplace in engineering, but should take on a new level of rigour and importance when systems are being designed for safety.

Why is a functional safety lifecycle needed?

The original need for a safety life cycle was defined in IEC 61508, the generic parent standard on which the sector-specific IEC 61511 is based. IEC 61508 was designed to account for the unpredictability of dangerous failure and specifically in recognition that failure can creep into systems from multiple sources and stages of life.

The life-cycle origins were influenced by many different organisations, including UK regulator HSE - the Health and Safety Executive. The book "Out of Control" concluded that accidents involving control system failure were dominated by inadequate specification.

Although this was just one study, it did involve researching multiple accidents. It should be noted that the hazard owner is effectively responsible for setting requirements, as well as operating, maintaining and modifying an SIS after it has been placed in service. So, even if an end user contracts out the design and installation of an SIS, this particular study suggests that around 80% of the primary causes of system failure are introduced before or after the design and installation stage.

What are the tricky parts of the safety lifecycle of IEC 61511?

It is perhaps just as important to know what is NOT specified as what is required in the many clauses referenced by the IEC 61511 safety life-cycle. Many projects involving functional safety and SIS get off on the wrong foot by making the false assumption that simply copying the life-cycle from the standard will be sufficient.

Examples of IEC 61511 challenges:

Responsibilities

IEC 61511 has NO guidance on WHO is responsible for each SIS safety life-cycle activity. It is ultimately the hazard owner's duty to demonstrate adequate safety, and that cannot be fully transferred to third parties. Management allocation of responsibility and accountability is a crucial aspect that the standards simply do not, and cannot, define.

Procedures and methods

There are no specific procedures, techniques or methods that have to be dutifully followed in IEC 61511. This is great for flexibility, but makes it challenging to demonstrate conformance and completeness.

Other Protection Layers

There are no requirements in IEC 61511 for safety functions that are not instrumented (e.g. relief valves), or for other non-instrumented safety-related activities which may reduce risk. Other standards will apply to those.

Device SIL Capability

IEC 61511 is not a means for manufacturers to make claims about SIL capability of their devices. Users can make "prior-use" claims according to IEC 61511, but that requires documented experience of real use and failure records over quite a long time period. IEC 61508 can provide manufacturers an alternative route for "proven-in-use".

Software

IEC 61511 is not a means for manufacturers or others to make SIL claims about embedded software, or about applications written in full variability languages (FVL, which includes C, C++ etc.). IEC 61508 is the reference source for embedded and FVL software.
