
PREMIER CONSULTING SERVICES

Visit our Domain in the Safety Users Group Directory: www.safetyusersgroup.com

Applying IEC 61511 “proven-in-use”. Making the right choices for Process Safety.

Mr. Robin McCrea-Steele, Premier Consulting Services, Irvine, California, USA. April, 2003

KEY WORDS

IEC 61508, IEC 61511, ANSI ISA S-84.01, Proven in use, Prior use, SIS Safety Instrumented System, SIF Safety Instrumented Function, Diagnostic Coverage, SFF Safe Failure Fraction, Minimum Hardware Fault Tolerance, SIL Safety Integrity Level

ABSTRACT

Process industry sector specific international standard IEC 61511 is being adopted by most national safety governing bodies around the world. Although SIS hardware manufacturers are referred to IEC 61508, the “Prior Use Clause” of IEC 61511 would appear to open the door for the use of field elements as well as Logic Solvers that have not been designed to meet IEC 61508. It could be argued that the standards are usually only enforced after a safety or environmental incident. However, it is not a good feeling for the plant manager to get his wake-up call from an attorney. The questions asked are: Should I use non-certified hardware for my Safety Instrumented System (SIS)? What are the restrictions? Who has the burden of proof? What level of documentation is involved? How do you define similar prior operating and physical environments? Can I use a transmitter with proven experience in a control system environment for my SIS? Can I use a non-certified PLC (Logic Solver) for safety? This paper reviews the conditions and guidelines outlined in the standards. Issues addressing safe failure fraction, minimum hardware fault tolerance, operating environment restrictions, etc., are analyzed for safety, practicality and lifecycle costs. The conclusions provide the plant operator with the elements conducive to making an intelligent decision when faced with the options of using third party certified subsystems or proven-in-use non-certified equipment in a SIS.


INTRODUCTION

Plant accidents in the COG (Chemical, Oil and Gas) industry, as well as other process plants, have driven national and international Safety and Environmental Agencies to regulate and enforce existing and emerging safety standards. Punitive charges, and especially litigation costs, have reached orders of magnitude beyond what was previously imaginable, prompting industrial risk insurers’ interest in “safe design”. Plant owners and operators are responding by implementing good safety engineering practices. However, under the current worldwide economy and market conditions, the challenge is to spend the money wisely. At the end of the day, it all boils down to “who do you trust for your plant safety”? It is generally understood that the process sector safety instrumented system manufacturers and suppliers of devices are required to design their hardware and software following the umbrella international standard IEC 61508. Furthermore, the safety instrumented system designers, integrators and users should follow the industry specific international standard IEC 61511.

Relationship between IEC 61511 & IEC 61508 (figure)

PROCESS SECTOR SAFETY INSTRUMENTED SYSTEM

• Safety Instrumented Systems Designers, Integrators & Users: IEC 61511

• Manufacturers & Suppliers of Devices: IEC 61508

IEC 61511 Clause 3 defines three basic categories of software languages for the SIS.

• FPL - Fixed Program Language, where the user is limited to adjustments of a few parameters (e.g. range, alarm level, etc. on a smart transmitter).

• LVL - Limited Variability Language, designed to be comprehensible to process sector users. Provides the capability to combine predefined, application specific, library functions to implement safety requirement specifications. Examples of this are ladder diagram, function block diagram and sequential function chart.

• FVL - Full Variability Language, designed to be comprehensible to computer programmers, and provides the capability to implement a wide variety of functions and applications. Examples are Ada, C, Pascal, Instruction List, Assembler languages, C++, Java, SQL.


With the above defined software categories, the relationship between IEC 61511 and IEC 61508 can be expanded per the following graph:

PROCESS SECTOR SAFETY INSTRUMENTED SYSTEM STANDARD (figure)

Process sector hardware:

• Developing new hardware devices: follow IEC 61508

• Using “proven in use” hardware devices: follow IEC 61511

• Using hardware developed and validated according to IEC 61508: follow IEC 61511

Process sector software:

• Developing embedded (system) software: follow IEC 61508-3

• Developing application software using “FVL” full variability languages: follow IEC 61508-3

• Developing application software using “LVL” limited variability languages or “FPL” fixed programs: follow IEC 61511

In a nutshell, what the above IEC 61511 graph defines is that if you are a manufacturer developing new hardware, and/or developing embedded system software, you should design per IEC 61508 parts 2 and 3. If on the other hand, you are a system designer / integrator / user, implementing a SIS with hardware developed and validated according to IEC 61508 or if you are using proven in use hardware devices, you may follow IEC 61511. Additionally, if you are developing application software using FPL or LVL, you may use IEC 61511. Finally, if you are developing application software using FVL, you are required to follow IEC 61508-3. This is important to understand, because a user or integrator may decide to develop special function blocks in C++ or other FVL to incorporate into a custom library and use in application programs over and over. In this case, IEC 61508-3 needs to be followed, which involves a whole level of documentation and validation higher than IEC 61511.


IEC 61511 Clause 3 also defines SIF, SIS and SFF, which are all very important to understand, as these are critical to the selection of required redundancy and diagnostic coverage in the implementation of a SIS with proven in use subsystems.

• SIF - Safety Instrumented Function. Safety Function with a specified Safety Integrity Level (SIL), which is necessary to achieve functional safety. It is important to emphasize that the SIL is assigned to each independent SIF and not to the SIS.

• SIS - Safety Instrumented System. Instrumented system used to implement one or more SIFs. A SIS may have any combination of sensors, logic solvers and final elements. Several SIFs may share one Logic Solver.

• SFF - Safe Failure Fraction. The fraction of safe failures and dangerous detected failures in relation to the total failures:

SFF = (SU + SD + DD) / (SU + SD + DD + DU)

where SD: Safe Detected, SU: Safe Undetected, DD: Dangerous Detected, DU: Dangerous Undetected.

IEC 61508-2 Annex C establishes the guidelines for Diagnostic Coverage and Safe Failure Fraction. The basic steps are:

• Perform an FMEA (Failure Mode and Effect Analysis) to determine the effect of each component on the subsystem.

• Categorize each failure mode as safe or dangerous.

• Calculate the probability of safe and dangerous failures.

• Estimate the fraction of safe and dangerous failures that are detected by the diagnostic tests.

• Calculate the SFF (safe failure fraction) of the subsystem.

MINIMUM HARDWARE FAULT TOLERANCE

The PFDavg of the hardware is only one measure of compliance to a SIL. Other factors such as safe failure fraction, diagnostic coverage, common cause β factor, proof testing interval, mean time to repair and redundancy need to be considered. IEC 61511 Clause 11.4 defines the minimum fault tolerance as the ability to undertake the required safety function in the presence of one or more dangerous faults. The minimum hardware fault tolerance is defined to alleviate the shortcomings in the SIF design assumptions, along with uncertainties in component failure rates. What this is saying is that vendor or field failure rate data may not be that reliable or accurate, thus a minimum hardware redundancy is imposed to compensate for any shortcomings. Furthermore, additional redundancy may be required over and above the minimum hardware fault tolerance in order to comply with the SIL safety integrity level target for the safety function, depending on the application and proof test interval. IEC 61511 Clause 11.4 defines the minimum hardware fault tolerance for the logic solver and for the sensors and final elements:


P.E. Logic Solvers

IEC 61511 – Clause 11.4 Table 5: PE Logic Solvers, Minimum Hardware Fault Tolerance

SIL   SFF < 60%   SFF 60% to 90%   SFF > 90%
1     1           0                0
2     2           1                0
3     3           2                1
4     Special requirements apply - See IEC 61508

A hardware fault tolerance of “n” means that “n+1” faults will prevent the safety action from occurring. As an example, for a SIL 2 application, a logic solver with a SFF of between 60% and 90% will require a minimum hardware fault tolerance of 1. This means that it must be at least dual redundant (tolerate one fault). The standard clearly states that logic solvers shall be designed per IEC 61508 or comply with the “prior use” clause 11.5 of IEC 61511. Is this a break? Is it to my advantage to employ the “prior use” clause and implement my SIS with a non-certified PLC? What are the implications? These questions will be addressed in the next section.

Sensors and final elements

IEC 61511 – Clause 11.4 Table 6: Sensors, final elements and non-PE logic solvers

SIL   Minimum Hardware Fault Tolerance (see clauses 11.4.3 and 11.4.4) *
1     0
2     1
3     2
4     Special requirements apply - See IEC 61508

At first observation, the above table is extremely restrictive. For a SIL 2 safety function the minimum hardware fault tolerance required is 1, which implies dual redundant sensors or final elements. However, it can get even more restrictive if the safe failure fraction is not higher than 50%. See clause 11.4.3.

* Clause 11.4.3 - The minimum hardware fault tolerance number applies, provided the dominant failure mode is the safe state or dangerous failures are detected. Otherwise the minimum hardware fault tolerance number is increased by 1.

This means that in our previous example, for a SIL 2 SIF with components that have a SFF lower than 50%, the minimum hardware fault tolerance is increased to 2 and requires triplicated field elements.


The good news is that when employing field elements proven in similar applications and physical environments, the minimum redundancy requirement is relaxed. See clause 11.4.4.

* Clause 11.4.4 - The minimum hardware fault tolerance number may be reduced by 1 if all of the following are complied with:

o Prior use criteria are fully met.

o Adjustments are limited to process parameters only.
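The SFF definition from Clause 3 and the Table 5 / Table 6 look-ups with the clause 11.4.3 increase and clause 11.4.4 reduction, as an added worked example that is not part of the paper. The failure-rate figures are constructed, the inclusive 60% to 90% band boundary is an assumption, and the SFF-not-above-50% test stands in for the 11.4.3 wording as the paper reads it.

```python
"""IEC 61511 clause 11.4: SFF and minimum hardware fault tolerance (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Subsystem failure rates (per hour) in the four IEC 61508 categories."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    def sff(self) -> float:
        """Safe failure fraction: SFF = (SU + SD + DD) / (SU + SD + DD + DU)."""
        total = self.sd + self.su + self.dd + self.du
        return (self.sd + self.su + self.dd) / total


def logic_solver_min_hft(sil: int, sff: float) -> int:
    """Table 5: minimum HFT for PE logic solvers, by SIL and SFF band."""
    if sil not in (1, 2, 3):
        raise ValueError("SIL 4: special requirements apply, see IEC 61508")
    # Bands: SFF < 60%, 60% to 90% (assumed inclusive), > 90%
    band = 0 if sff < 0.60 else (1 if sff <= 0.90 else 2)
    table = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}
    return table[sil][band]


def field_device_min_hft(sil: int, sff: float, prior_use_met: bool = False,
                         process_params_only: bool = False) -> int:
    """Table 6 (sensors, final elements, non-PE logic solvers) with the
    clause 11.4.3 increase and the clause 11.4.4 reduction applied."""
    if sil not in (1, 2, 3):
        raise ValueError("SIL 4: special requirements apply, see IEC 61508")
    hft = {1: 0, 2: 1, 3: 2}[sil]
    # Clause 11.4.3: the table value holds only if the dominant failure mode is
    # safe or dangerous failures are detected; the paper reads this as SFF > 50%.
    if sff <= 0.50:
        hft += 1
    # Clause 11.4.4: reduce by 1 when prior-use criteria are fully met and
    # adjustments are limited to process parameters only.
    if prior_use_met and process_params_only:
        hft = max(hft - 1, 0)
    return hft


def min_channels(hft: int) -> int:
    """An HFT of n tolerates n faults, so at least n+1 channels (1oo2 for n=1)."""
    return hft + 1


if __name__ == "__main__":
    # Constructed transmitter figures: 70% of failures are dangerous, but most
    # of those are detected by diagnostics, giving an SFF of 90%.
    tx = FailureRates(sd=2e-7, su=1e-7, dd=6e-7, du=1e-7)
    print(f"SFF = {tx.sff():.0%}")
    print("Logic solver, SIL 2, SFF 75%: HFT", logic_solver_min_hft(2, 0.75))
    print("Sensor, SIL 2, SFF 40%: HFT", field_device_min_hft(2, 0.40))
    print("Sensor, SIL 2, prior use met: HFT",
          field_device_min_hft(2, 0.75, True, True))
```

The three printed cases reproduce the paper's own examples: HFT 1 (dual) for the SIL 2 logic solver, HFT 2 (triplicated) for SIL 2 field elements with SFF below 50%, and HFT 0 (single element) once the clause 11.4.4 conditions hold.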

This implies that if the above criteria are met, the SIL 2 example could be met with a single sensor or final element. This is not a blank check allowing a single transmitter. A full SIL validation of the SIF needs to be made, and may in effect require dual or triple field elements, depending on the failure rates, test intervals, etc. The requirements to comply with the proven in use clause will be analyzed in the next section.

REQUIREMENTS FOR SELECTION OF SIS COMPONENTS

IEC 61511 clause 11.5.2 outlines the requirements for the selection of components and subsystems in a safety instrumented system, by saying that the suitability shall be demonstrated by consideration of:

- Manufacturer's hardware and embedded software.

- Appropriate application languages and tools.

The above refers to the fact that it is not only necessary to analyze the hardware, but attention is also placed on the embedded software / firmware / operating system, the application software and the configuration and maintenance tools.

PROVEN-IN-USE CRITERIA

As a differentiator from the “proven-in-use” term in IEC 61508, the process industry specific standard IEC 61511 clause 11.5.3 addresses this as “PRIOR USE”. The IEC 61511 “prior use” criteria establish that the evidence of suitability should include the following basic points:

- The manufacturer's Quality Manual.

- Adequate identification and specification of the components and sub-systems.

- Demonstration of performance in similar operating profiles and physical environments.

- The volume of operating experience.

The standard does acknowledge the fact that there are many field devices that have been used successfully in other operating profiles over the years, and that it would be limiting to allow only hardware previously proven in SIS applications. Therefore the standard states, “For field devices (not logic solvers), performance in non-safety applications should be deemed to satisfy the requirement”. This does not waive the requirements for a similar physical environment, and the rest of the criteria items. The standard further expands the “prior use” requirements for FPL, LVL and FVL programmable components of the SIS.


FPL - Clause 11.5.4 establishes that Fixed Programmable Language components and subsystems (e.g. smart transmitters, smart positioners, etc.) are required to comply with clauses 11.5.2 and 11.5.3 with the following additional issues:

- Unused features shall be identified and shall be unlikely to jeopardize the required SIF mitigation.

- For SIL 3 applications, a Safety Manual, including constraints for operation, maintenance and fault detection, should be documented.

What this means is that if the field element vendor cannot provide an acceptable “Safety Manual”, the plant operator needs to develop, document and maintain its own Safety Manual for that device. This is not a trivial task, and users are not happy having to do it. It should be noted that the requirement for a safety manual for SIL 3 applications applies to a single FPL device. If redundant smart transmitters are used, for example, safe action is designed into a 1oo2 configuration.

LVL - Clause 11.5.5 establishes that Limited Variability Language programmable components and sub-systems (e.g. Logic Solvers) are required to comply with all of the above clauses 11.5.2 through 11.5.4 in addition to:

- Differences between operational profiles and physical environments shall require an assessment based on analysis and testing.

- Complexity of functionality shall be assessed.

- Unsafe failure modes are understood.

- Embedded software has a good history of use in safety applications.

- Logic solver is protected against unauthorized modifications.

- For SIL 2 and SIL 3 applications, a formal assessment shall be carried out to demonstrate that measures are implemented to detect faults during program execution and take appropriate action. Additionally, typical configurations should be tested with test cases representative of the intended operational profile.

- Additionally, for SIL 2 and SIL 3, documented fault insertion testing should be performed, and a “Safety Manual”, including constraints for operation, maintenance and fault detection, should be documented.

The above criteria for qualifying non-certified logic solvers for use in safety applications based on the IEC 61511 “Prior Use” clause are a steep cliff to climb. Even if the plant operator decided that this was the best way to go, and developed his own safety manual, performed fault insertion tests, verified typical configurations in the representative operational and physical environment, demonstrated the fault detection capabilities during program execution and documented and maintained every one of the clause's requirements, the question remains: Is plant management prepared to defend this installation in the case of a safety or environmental inspection, and in a court of law?

FVL - Clause 11.5.6 establishes that Full Variability Language programmable components and sub-systems (e.g. Logic Solvers) are required to comply with IEC 61508-2 and IEC 61508-3.

This fundamentally precludes the use of the “prior use” clause in IEC 61511 for logic solvers when the application programming uses full variability languages, such as C, Ada, C++, Pascal, Assembler Languages, etc.


CONCLUSIONS

Applying the proven-in-use clause of IEC 61511 is a tempting proposition for plant operators, opening the door to a wider range of hardware products for implementation of their safety instrumented system. Meeting the requirements for field elements (considering redundant configurations for the higher SIL applications) is achievable and an industry accepted solution. As more field devices go through the certification process, less of the burden of proof will be on the user. In the case of logic solvers, the scenario is much more complex. Meeting the “prior use” clause is extremely difficult and completely impractical. In addition, the price to pay is:

a- Higher lifecycle cost due to documentation, testing and maintenance.

b- Burden of proof unto safety regulatory agencies and risk insurers.

c- Susceptibility to litigation with no recourse to third party certification responsibility.

The vendor is also off the hook. U.S. President Ronald Reagan’s famous quotation, “Trust, but Verify”, is as pertinent as ever. Third party verification is a valid remedy for insomnia.

References

• IEC 61511, “Functional Safety: Safety Instrumented Systems for the process industry sector”, International Electrotechnical Commission, FDIS Issue, 2002.

• IEC 61508, “Functional Safety of electrical/electronic/programmable electronic safety related systems”, International Electrotechnical Commission, International Standard, 1998.

• “Guidelines for Safe Automation of Chemical Processes”, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.

• Adamski, Robert S., “Design Critical Control or Emergency Shut Down Systems for Safety AND Reliability”, Automatizacion 96, Panamerican Automation Conference, Caracas, Venezuela, May 1996.

• Martel, Troy J., “Safety System Engineering”, International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, 1994.
