PREMIER CONSULTING SERVICES

robin.mccrea-steele@invensys.com PCS@invensys.com Visit our Domain in the Safety Users Group Directory

Applying IEC 61511 proven-in-use. Making the right choices for Process Safety.
Mr. Robin McCrea-Steele, Premier Consulting Services, Irvine, California, USA. April 2003

KEY WORDS
IEC 61508, IEC 61511, ANSI ISA S-84.01, Proven in use, Prior use, SIS Safety Instrumented System, SIF Safety Instrumented Function, Diagnostic Coverage, SFF Safe Failure Fraction, Minimum Hardware Fault Tolerance, SIL Safety Integrity Level

ABSTRACT
Process industry sector specific international standard IEC 61511 is being adopted by most national safety governing bodies around the world. Although SIS hardware manufacturers are referred to IEC 61508, the Prior Use clause of IEC 61511 would appear to open the door for the use of field elements, as well as logic solvers, that have not been designed to meet IEC 61508. It could be argued that the standards are usually only enforced after a safety or environmental incident. However, it is not a good feeling for the plant manager to get his wake-up call from an attorney. The questions asked are: Should I use non-certified hardware for my Safety Instrumented System (SIS)? What are the restrictions? Who has the burden of proof? What level of documentation is involved? How do you define similar prior operating and physical environments? Can I use a transmitter with proven experience in a control system environment for my SIS? Can I use a non-certified PLC (logic solver) for safety? This paper reviews the conditions and guidelines outlined in the standards. Issues addressing safe failure fraction, minimum hardware fault tolerance, operating environment restrictions, etc., are analyzed for safety, practicality and lifecycle costs. The conclusions provide the plant operator with the elements conducive to making an intelligent decision when faced with the options of using third-party certified subsystems or proven-in-use non-certified equipment in a SIS.

www.safetyusersgroup.com

Page 1 / 8


INTRODUCTION
Plant accidents in the COG (Chemical, Oil and Gas) industry, as well as in other process plants, have driven national and international safety and environmental agencies to regulate and enforce existing and emerging safety standards. Punitive charges, and especially litigation costs, have reached orders of magnitude beyond what was previously imaginable, prompting industrial risk insurers' interest in safe design. Plant owners and operators are responding by implementing good safety engineering practices. However, under the current worldwide economy and market conditions, the challenge is to spend the money wisely. At the end of the day, it all boils down to one question: whom do you trust for your plant safety? It is generally understood that process sector safety instrumented system manufacturers and suppliers of devices are required to design their hardware and software following the umbrella international standard IEC 61508. Furthermore, safety instrumented system designers, integrators and users should follow the industry specific international standard IEC 61511.

[Figure: Relationship between IEC 61511 and IEC 61508 for the process sector safety instrumented system. Manufacturers and suppliers of devices: IEC 61508. Safety instrumented system designers, integrators and users: IEC 61511.]

IEC 61511 Clause 3 defines three basic categories of software languages for the SIS:
- FPL, Fixed Program Language, where the user is limited to adjustments of a few parameters (i.e. range, alarm level, etc. on a smart transmitter).
- LVL, Limited Variability Language, designed to be comprehensible to process sector users. It provides the capability to combine predefined, application specific, library functions to implement safety requirement specifications. Examples of this are ladder diagram, function block diagram and sequential function chart.
- FVL, Full Variability Language, designed to be comprehensible to computer programmers, and providing the capability to implement a wide variety of functions and applications. Examples are Ada, C, Pascal, Instruction List, Assembler languages, C++, Java, SQL.


With the above defined software categories, the relationship between IEC 61511 and IEC 61508 can be expanded per the following graph:

[Figure: Process sector safety instrumented system standard]
- Process sector hardware:
  - Developing new hardware devices: follow IEC 61508
  - Using proven in use hardware devices: follow IEC 61511
  - Using hardware developed and validated according to IEC 61508: follow IEC 61511
- Process sector software:
  - Developing embedded (system) software: follow IEC 61508-3
  - Developing application software using FVL (full variability languages): follow IEC 61508-3
  - Developing application software using LVL (limited variability languages) or FPL (fixed programs): follow IEC 61511

In a nutshell, what the above IEC 61511 graph defines is that if you are a manufacturer developing new hardware, and/or developing embedded system software, you should design per IEC 61508 parts 2 and 3. If on the other hand, you are a system designer / integrator / user, implementing a SIS with hardware developed and validated according to IEC 61508 or if you are using proven in use hardware devices, you may follow IEC 61511. Additionally, if you are developing application software using FPL or LVL, you may use IEC 61511. Finally, if you are developing application software using FVL, you are required to follow IEC 61508-3. This is important to understand, because a user or integrator may decide to develop special function blocks in C++ or other FVL to incorporate into a custom library and use in application programs over and over. In this case, IEC 61508-3 needs to be followed, which involves a whole level of documentation and validation higher than IEC 61511.


IEC 61511 Clause 3 also defines SIF, SIS and SFF, which are all very important to understand, as these are critical to the selection of required redundancy and diagnostic coverage in the implementation of a SIS with proven in use subsystems.

SIF - Safety Instrumented Function. A safety function with a specified Safety Integrity Level (SIL), which is necessary to achieve functional safety. It is important to emphasize that the SIL is assigned to each independent SIF and not to the SIS.

SIS - Safety Instrumented System. An instrumented system used to implement one or more SIFs. A SIS may have any combination of sensors, logic solvers and final elements. Several SIFs may share one logic solver.

SFF - Safe Failure Fraction. The fraction of safe failures and dangerous detected failures in relation to the total failures:

SFF = (SU + SD + DD) / (SU + SD + DD + DU)

where SD: Safe Detected, SU: Safe Undetected, DD: Dangerous Detected, DU: Dangerous Undetected.

IEC 61508-2 Annex C establishes the guidelines for diagnostic coverage and safe failure fraction. The basic steps are:
- Perform an FMEA (Failure Mode and Effect Analysis) to determine the effect of each component failure on the subsystem.
- Categorize each failure mode as safe or dangerous.
- Calculate the probability of safe and dangerous failures.
- Estimate the fraction of safe and dangerous failures that are detected by the diagnostic tests.
- Calculate the SFF (safe failure fraction) of the subsystem.

MINIMUM HARDWARE FAULT TOLERANCE
The PFDavg of the hardware is only one measure of compliance to a SIL. Other factors such as safe failure fraction, diagnostic coverage, common cause factor, proof testing interval, mean time to repair and redundancy need to be considered. IEC 61511 Clause 11.4 defines the minimum fault tolerance as the ability to undertake the required safety function in the presence of one or more dangerous faults. The minimum hardware fault tolerance is defined to alleviate the shortcomings in the SIF design assumptions, along with uncertainties in component failure rates. What this basically says is that vendor or field failure rate data may not be that reliable or accurate, so a minimum hardware redundancy is imposed to compensate for any shortcomings. Furthermore, additional redundancy may be required over and above the minimum hardware fault tolerance in order to comply with the SIL (safety integrity level) target for the safety function, depending on the application and proof test interval. IEC 61511 Clause 11.4 defines the minimum hardware fault tolerance for the logic solver and for the sensors and final elements:
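Before turning to the fault tolerance tables, the following Python script makes the Annex C steps and the SFF definition concrete. It is an added example, not code from the paper, from Premier Consulting Services or from any IEC document: it buckets the rows of a constructed FMEA table for a hypothetical pressure transmitter into SD, SU, DD and DU and forms the SFF from them. The components, failure modes and FIT rates are invented for illustration, and the dangerous diagnostic coverage it also reports, DD / (DD + DU), is an assumed convenience figure rather than a quantity the paper defines.

```python
"""Safe failure fraction (SFF) from an FMEA table (IEC 61508-2 Annex C steps).

Added example, not from the paper. The FMEA rows below are constructed for a
hypothetical pressure transmitter in a de-energize-to-trip loop; the rates
are invented illustration values in FIT (failures per 1e9 hours).
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    rate_fit: float   # failure rate in FIT (constructed value)
    dangerous: bool   # True if the effect could prevent the safety action
    detected: bool    # True if on-line diagnostics reveal the failure


@dataclass(frozen=True)
class SffResult:
    sd: float   # safe detected rate
    su: float   # safe undetected rate
    dd: float   # dangerous detected rate
    du: float   # dangerous undetected rate

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        # SFF = (SU + SD + DD) / (SU + SD + DD + DU), as defined in IEC 61511 clause 3
        return (self.su + self.sd + self.dd) / self.total

    @property
    def dangerous_dc(self) -> float:
        # Assumed convenience figure: share of dangerous failures the diagnostics catch.
        dangerous = self.dd + self.du
        return self.dd / dangerous if dangerous else 1.0


def analyse_fmea(modes: Iterable[FailureMode]) -> SffResult:
    """Annex C steps 2 to 5: bucket each FMEA row by its safe/dangerous
    category and its detection status, then form the SFF."""
    sd = su = dd = du = 0.0
    for m in modes:
        if m.rate_fit < 0:
            raise ValueError(f"negative failure rate for {m.component}/{m.mode}")
        if m.dangerous and m.detected:
            dd += m.rate_fit
        elif m.dangerous:
            du += m.rate_fit
        elif m.detected:
            sd += m.rate_fit
        else:
            su += m.rate_fit
    if sd + su + dd + du == 0:
        raise ValueError("FMEA contains no failure rates; SFF is undefined")
    return SffResult(sd, su, dd, du)


# Constructed FMEA for a hypothetical transmitter (illustration only, high-pressure trip).
SAMPLE_FMEA = [
    FailureMode("sensor element", "drift low (reads below true pressure)", 40, dangerous=True, detected=False),
    FailureMode("sensor element", "open circuit, output out of range", 30, dangerous=False, detected=True),
    FailureMode("A/D converter", "stuck value, caught by self-test", 50, dangerous=True, detected=True),
    FailureMode("output driver", "output forced high (trip side)", 20, dangerous=False, detected=True),
    FailureMode("reference voltage", "drift high (reads above true pressure)", 60, dangerous=False, detected=False),
]


if __name__ == "__main__":
    r = analyse_fmea(SAMPLE_FMEA)
    print(f"SD={r.sd:.0f} SU={r.su:.0f} DD={r.dd:.0f} DU={r.du:.0f} FIT")
    print(f"SFF = {r.sff:.1%}, dangerous diagnostic coverage = {r.dangerous_dc:.1%}")
```

With the constructed rows the transmitter lands at an SFF of 80%, i.e. in the 60% to 90% band of the logic solver table that follows; moving the undetected drift-low mode into the detected bucket (by adding a diagnostic for it) is the kind of change that pushes a subsystem across a band boundary, which is why the safe/dangerous and detected/undetected classification of each FMEA row deserves as much scrutiny as the rates themselves.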


P.E. Logic Solvers - IEC 61511 Clause 11.4 Table 5, PE logic solvers: minimum hardware fault tolerance

SIL | SFF < 60% | SFF 60% to 90% | SFF > 90%
1   | 1         | 0              | 0
2   | 2         | 1              | 0
3   | 3         | 2              | 1
4   | Special requirements apply (see IEC 61508)

A hardware fault tolerance of n means that n+1 faults will prevent the safety action from occurring. As an example, for a SIL 2 application, a logic solver with a SFF of between 60% and 90% will require a minimum hardware fault tolerance of 1. This means that it must at least be dual redundant (tolerate one fault). The standard clearly states that logic solvers shall be designed per IEC 61508 or comply with the prior use clause 11.5 of IEC 61511. Is this a break? Is it to my advantage to employ the prior use clause and implement my SIS with a non-certified PLC? What are the implications? These questions will be addressed in the next section.

Sensors and final elements - IEC 61511 Clause 11.4 Table 6, sensors, final elements and non-PE logic solvers

SIL | Minimum Hardware Fault Tolerance (see clauses 11.4.3 and 11.4.4) *
1   | 0
2   | 1
3   | 2
4   | Special requirements apply (see IEC 61508)

At first observation, the above table is extremely restrictive. For a SIL 2 safety function the minimum hardware fault tolerance required is 1, which implies dual redundant sensors or final elements. However, it can get even more restrictive if the safe failure fraction is not higher than 50%. See clause 11.4.3.

* Clause 11.4.3 - The minimum hardware fault tolerance number applies provided the dominant failure mode is to the safe state or dangerous failures are detected. Otherwise the minimum hardware fault tolerance number is increased by 1.

This means that in our previous example, for a SIL 2 SIF with components that have a SFF lower than 50%, the minimum hardware fault tolerance is increased to 2 and requires triplicated field elements.


The good news is that by employing field elements proven in similar applications and physical environments, the minimum redundancy requirement is relaxed. See clause 11.4.4.

* Clause 11.4.4 - The minimum hardware fault tolerance number may be reduced by 1 if all of the following are complied with:
o Prior use criteria are fully met.
o Adjustments are limited to process parameters only.

This implies that if the above criteria are met, the SIL 2 example could be met with a single sensor or final element. This is not a blank check allowing a single transmitter. A full SIL validation of the SIF still needs to be made, and may in effect require dual or triple field elements, depending on the failure rates, test intervals, etc. The requirements to comply with the proven-in-use clause will be analyzed in the next section.
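The two tables and the two adjusting clauses above combine into a small decision procedure, written out here in Python as an added example (not code from the paper, from Premier Consulting Services or from the IEC). It encodes Table 5 and Table 6 exactly as quoted in the text, applies the clause 11.4.3 increase using the paper's reading of "dominant failure mode" as an SFF above 50%, and applies the clause 11.4.4 reduction when both of its conditions hold. Two details are assumptions of mine rather than statements of the paper: the reduced fault tolerance is clamped at zero, and the "minimum elements" figure simply follows the paper's remark that HFT 1 means dual redundant and HFT 2 means triplicated.

```python
"""Minimum hardware fault tolerance (HFT) lookup per IEC 61511 clause 11.4.

Added example, not from the paper. Tables 5 and 6 are transcribed from the
text; the 50% SFF threshold for clause 11.4.3 follows the paper's reading,
and clamping the reduced HFT at zero is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

# Table 5 (PE logic solvers): rows SIL 1..3, columns SFF < 60%, 60% to 90%, > 90%.
TABLE_5_PE_LOGIC_SOLVER = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}
# Table 6 (sensors, final elements and non-PE logic solvers): rows SIL 1..3.
TABLE_6_FIELD_ELEMENT = {1: 0, 2: 1, 3: 2}


class SpecialRequirements(Exception):
    """SIL 4 row of both tables: special requirements apply, see IEC 61508."""


def _check_inputs(sil: int, sff: float) -> None:
    if sil == 4:
        raise SpecialRequirements("SIL 4: special requirements apply, see IEC 61508")
    if sil not in (1, 2, 3):
        raise ValueError(f"SIL must be 1..4, got {sil}")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF is a fraction between 0 and 1")


def sff_band(sff: float) -> int:
    """Column index into Table 5 for a safe failure fraction."""
    if sff < 0.60:
        return 0
    if sff <= 0.90:      # the "60% to 90%" band is read as including 90% itself
        return 1
    return 2


def logic_solver_min_hft(sil: int, sff: float) -> int:
    """Table 5: minimum HFT of a PE logic solver serving a SIF of the given SIL."""
    _check_inputs(sil, sff)
    return TABLE_5_PE_LOGIC_SOLVER[sil][sff_band(sff)]


@dataclass
class HftAssessment:
    base: int                                   # Table 6 value
    hft: int                                    # after clauses 11.4.3 and 11.4.4
    notes: List[str] = field(default_factory=list)

    @property
    def min_elements(self) -> int:
        # HFT n survives n faults, so n+1 elements are needed
        # (HFT 1 = dual redundant, HFT 2 = triplicated, as the paper puts it).
        return self.hft + 1


def field_element_min_hft(sil: int, sff: float, prior_use_met: bool = False,
                          process_parameter_adjustments_only: bool = False) -> HftAssessment:
    """Table 6 with the clause 11.4.3 increase and the clause 11.4.4 reduction."""
    _check_inputs(sil, sff)
    base = TABLE_6_FIELD_ELEMENT[sil]
    hft = base
    notes: List[str] = []
    # 11.4.3: the table value holds only if the dominant failure mode is to the
    # safe state or dangerous failures are detected; otherwise add 1.
    # The paper reads "dominant" as an SFF above 50%.
    if sff <= 0.50:
        hft += 1
        notes.append("11.4.3: SFF not above 50%, HFT increased by 1")
    # 11.4.4: may reduce by 1 only when prior use criteria are fully met AND
    # adjustments are limited to process parameters.
    if prior_use_met and process_parameter_adjustments_only:
        hft = max(0, hft - 1)   # assumption: never below zero
        notes.append("11.4.4: prior use criteria met, HFT reduced by 1")
    return HftAssessment(base, hft, notes)


if __name__ == "__main__":
    print("SIL 2 PE logic solver, SFF 75%: HFT", logic_solver_min_hft(2, 0.75))
    for prior in (False, True):
        a = field_element_min_hft(2, 0.40, prior_use_met=prior,
                                  process_parameter_adjustments_only=prior)
        print(f"SIL 2 field element, SFF 40%, prior use {prior}: HFT {a.hft}, "
              f"at least {a.min_elements} elements; {a.notes}")
```

The function returns the floor the standard imposes, nothing more: as the text stresses, a single transmitter that passes this lookup still has to survive the full SIL validation of the SIF (PFDavg against failure rates, proof test interval, common cause), which may put a second or third element back in.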

REQUIREMENTS FOR SELECTION OF SIS COMPONENTS


IEC 61511 clause 11.5.2 outlines the requirements for the selection of components and subsystems in a safety instrumented system, by saying that the suitability shall be demonstrated by consideration of:
- Manufacturer's hardware and embedded software.
- Appropriate application languages and tools.

The above refers to the fact that it is not only necessary to analyze the hardware: attention is also placed on the embedded software / firmware / operating system, the application software, and the configuration and maintenance tools.

PROVEN-IN-USE CRITERIA
As a differentiator from the proven-in-use term in IEC 61508, the process industry specific standard IEC 61511 clause 11.5.3 addresses this as PRIOR USE. The IEC 61511 prior use criteria establish that the evidence of suitability should include the following basic points:
- The manufacturer's Quality Manual.
- Adequate identification and specification of the components and sub-systems.
- Demonstration of performance in similar operating profiles and physical environments.
- The volume of operating experience.

The standard does acknowledge the fact that there are many field devices that have been used successfully in other operating profiles over the years, and that it would be limiting to allow only hardware previously proven in SIS applications. Therefore the standard states: "For field devices (not logic solvers), performance in non-safety applications should be deemed to satisfy the requirement." This does not waive the requirement for a similar physical environment, nor the rest of the criteria items. The standard further expands the prior use requirements for FPL, LVL and FVL programmable components of the SIS.


FPL - Clause 11.5.4 establishes that Fixed Program Language components and subsystems (i.e. smart transmitters, smart positioners, etc.) are required to comply with clauses 11.5.2 and 11.5.3 with the following additional issues:
- Unused features shall be identified and shall be unlikely to jeopardize the required SIF mitigation.
- For SIL 3 applications, a Safety Manual, including constraints for operation, maintenance and fault detection, should be documented.

What this means is that if the field element vendor cannot provide an acceptable Safety Manual, the plant operator needs to develop, document and maintain its own Safety Manual for that device. This is not a trivial task, and users are not happy having to do it. It should be noted that the requirement for a Safety Manual for SIL 3 applications applies to a single FPL device. If redundant smart transmitters are used, for example, safe action is designed into a 1oo2 configuration.

LVL - Clause 11.5.5 establishes that Limited Variability Language programmable components and sub-systems (i.e. logic solvers) are required to comply with all of the above clauses 11.5.2 through 11.5.4, in addition to:
- Differences between operational profiles and physical environments shall require an assessment based on analysis and testing.
- Complexity of functionality shall be assessed.
- Unsafe failure modes are understood.
- Embedded software has a good history of use in safety applications.
- The logic solver is protected against unauthorized modifications.
- For SIL 2 and SIL 3 applications, a formal assessment shall be carried out to demonstrate that measures are implemented to detect faults during program execution and take appropriate action. Additionally, typical configurations should be tested with test cases representative of the intended operational profile.
- Additionally, for SIL 2 and SIL 3, documented fault insertion testing should be performed, and a Safety Manual, including constraints for operation, maintenance and fault detection, should be documented.

The above criteria for qualifying non-certified logic solvers for use in safety applications based on the IEC 61511 prior use clause are a steep cliff to climb. Even if the plant operator decided that this was the best way to go, and developed his own Safety Manual, performed fault insertion tests, verified typical configurations in the representative operational and physical environment, demonstrated the fault detection capabilities during program execution, and documented and maintained every one of the clause's requirements, the question remains: is plant management prepared to defend this installation in the case of a safety or environmental inspection, and in a court of law?

FVL - Clause 11.5.6 establishes that Full Variability Language programmable components and sub-systems (i.e. logic solvers) are required to comply with IEC 61508-2 and IEC 61508-3. This fundamentally precludes the use of the prior use clause in IEC 61511 for logic solvers when the application programming uses full variability languages, such as C, Ada, C++, Pascal, Assembler languages, etc.


CONCLUSIONS
Applying the proven-in-use clause of IEC 61511 is a tempting proposition for plant operators, opening the door to a wider range of hardware products for implementation of their safety instrumented system. Meeting the requirements for field elements (considering redundant configurations for the higher SIL applications) is achievable and an industry accepted solution. As more field devices go through the certification process, less of the burden of proof will be on the user. In the case of logic solvers, the scenario is much more complex. Meeting the prior use clause is extremely difficult and completely impractical. In addition, the price to pay is:
a- Higher lifecycle cost due to documentation, testing and maintenance.
b- Burden of proof toward safety regulatory agencies and risk insurers.
c- Susceptibility to litigation with no recourse to third-party certification responsibility. The vendor is also off the hook.

U.S. President Ronald Reagan's famous quotation, "Trust, but verify", is ever prevalent. Third-party verification is a valid remedy for insomnia.

References
IEC 61511, Functional Safety: Safety Instrumented Systems for the process industry sector, International Electrotechnical Commission, FDIS Issue, 2002.
IEC 61508, Functional Safety of electrical/electronic/programmable electronic safety related systems, International Electrotechnical Commission, International Standard, 1998.
Guidelines for Safe Automation of Chemical Processes, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.
Adamski, Robert S., Design Critical Control or Emergency Shut Down Systems for Safety AND Reliability, Automatizacion 96, Panamerican Automation Conference, Caracas, Venezuela, May 1996.
Martel, Troy J., Safety System Engineering, International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, 1994.
