Transcript PowerPoint-Präsentation

IEC 61511, ed 2. Changes and whats in it for the user?
Cato Bratt / Heidi Fuglum
ABB
Disclamer
 This paper presents some of the changes in “IEC 61511 – Functional safety – safety
instrumented system for the process industry sector”, edition 2
 Is based on the CDV version of the standard
 Is the view of the authors interpretation of the changes.
 Please note that there may be new or different changes to the final published version of
the IEC 61511 ed2.
2
General about IEC 61511
 IEC 61511 first released in 2003
 The use of IEC 61508 in the process industry, intended for the process industry.
 60 people representing 17 countries have been engaged in the committee work.
 Two times each year. The committee is divided into several task teams
- August 2015, planned release of IEC61511 edition 2
 What’s in it for the user?
 Organizations would be re-certified according to the new edition within the 3 years.
 New guidelines and examples are provided making it easier to understand, use and
comply.
3
General changes
 The new edition of IEC 61511 has eliminated inconsistencies, corrected several writing
errors, aligned many definitions with IEC 61508, incorporated lessons learned
 The word “should” is changed to “shall” in many clauses.
 What’s in it for the user?
 The demand mode SIF and continuous mode SIF is now directly defined with regards
IEC 61508
 Systematic Capability (SC) is now included in the new edition of IEC 61511 which was
added in second ed. of IEC 61508.
 Need to document competence,
- engineering knowledge in regard to training and experience on technology and
application on the different equipment
- understanding the consequence of an event and competence on the valid laws and
regulations.
4
Functional Safety Assessment (FSA), Clause 5.2.6
 FSA in 1st edition was focused during the
design phase up to and including the
commissioning.
 In the 2nd edition it is required to have a
FSA to go through the impact assessment
before start of the modification and also
periodically during FSA during operation.
 What’s in it for the user?
 The new requirements with regards to
FSA are more strict (“Shall”) and more
specific than before.
 We expected to see an increased number
of FSA’s connected to operation and
modifications.
5
Verification clause 7
 Verification has a new clause which handles testing (7.2.2). In the original version
testing wasn’t specifically mentioned.
 What’s in it for the user?
 A more holistic approach on the lifecycle activities regarding to all verification activities.
 More descriptive requirements for testing in general.
 Application programming is now put into the general verification clause.
 To avoid repetition in the standard and make it easier to handle and follow for the user.
 Some of the test planning requirements that were only applicable for application
programming is now also applicable for testing of HW as well.
6
Process hazard and risk assessment clause 8
 A new requirements containing security risk assessment (8.2.4).
 Need for a security risk assessment for the SIS and associated devices:
- Description of identified treats that could exploit vulnerabilities and result in security
events
- This shall be considered for the different lifecycle phases (design, implementation,
commissioning, operation and maintenance).
 What’s in it for the user?
 Users’ now need to consider system and network vulnerability; goal is to get a more
robust control network.
 Additional Guidance related to the SIS security is given in IEC61511 2 ed, Annex L
 Refer to the
- ISA-TR84.00.09; Security Countermeasures Related to Safety Instrumented
Systems (SIS)
- IEC 62443-2, “Security for industrial automation and control systems”
7
SIS Safety Requirements Specification (SRS) clause 10
 There are now additional in the Safety Requirement Specification,
- Requirements for proof test procedures (scope, duration, state of the tested device,
state of the process detection of common cause failures, methods and procedures
used to test the diagnostics, prevention of errors)
- Addressing the application program safety requirements.
 Move of application safety requirement specification from clause 12.2 into clause
10.3.2.
 What’s in it for the user?
 Writing requirements is moved to clause 10, that means that SIS integrator(s) also
need to work with clause 10, not only clause 12.
 SIS integrators which has certified their scope of work need to change the certificate,
regarding the revised lifecycle phases included in the work scope.
 Will SIS integrators need to take responsibility in phase 3/clause 10, which used to
traditionally be EPC work? Will this be a possible conflict of roles and responsibilities?
8
SIS design and engineering clause 11
 Align the IEC 61511 with route 2H of IEC 61508
 The Safe Failure Fraction (SFF) is removed,
 New Hardware Fault Tolerance (HFT) table without the SFF (11.4.5).
 What’s in it for the user?
 The use of the SFF has often been discussed.
 Remove SFF means that diagnostics get less importance
 New minimum HFT
 PFD need to be fulfilled, so redundancy may be necessary
9
SIS Application Program Development clause 12
 There have been major changes in the structure of clause 12,
 Application program safety life cycle is moved to clause 6.
 Application program safety requirements specification is moved to clause 10.3.2, and
some description text is moved to part two as guidance.
 What’s in it for the user?
 Clause 12 is completely rewritten
- more readable,
- integrate the aspects of application programming which are covered by the overall
system lifecycle into the relevant system clauses of the standard (e.g. lifecycle
definition, requirements derivation, verification, validation)
- to avoid duplication.
 The focus changed from discussing software to addressing application programming.
10
Clause 16 SIS operation and maintenance
 New requirements for SIS bypassing e.g. continued process operation with an SIS
device or subsystem in bypass due to maintenance, repair or testing.
 The status of all bypasses shall be recorded in a bypass log (16.2.7)
 What’s in it for the user?
 The operator shall be provided with information on the procedures to be applied,
before, during and after bypass, what should be done before removal of the bypass
and then the maximum time permitted to be in the bypass state.
 Bypasses need to be logged either by log book written by operators or logged
automatically in an information system, to be handed over for every shift.
11
Part 2 changes
 What’s in it for the user?
 A lot of new examples are provided so that part 2 will become more relevant to the
change from software to application programming, and on how to comply with this
standard from the application program point of view.
 In general edition 2 part 2 has a lot more guidance text and help to the user. I.e.
application program examples are included in part 2.
12
Part 3 Changes
 What’s in it for the user?
 Additional annexes illustrating new ways to determine the required safety integrity level.
 Existing annexes were reviewed and upgraded as needed.
 A new annex addressing multiple safety systems provides qualitative and quantitative
guidance related to this subject.
13
Post 2nd edition Technical Report (TR) – future work
 The maintenance committee MT 61511, is working on a list of possible Technical
Reports (TR)
 There are several examples of Technical reports which may be written over the next
years. For example:
- Partial SIS
- Compliance of IEC 61511
- Testing and reliability
- Fire& gas detection
- Fiber optics
- Human factors
- Systematic capabilities
14
Conclusion
 More consistent, practicable and clear in the requirements
 Has an improved the structure and more in line with the parent standard IEC 61508.
 Includes many end user requirements and experience
 Highlights user experience
 Increases the need for written procedures to improve functional safety management
 Drives the need for end users to collect reliability data
 Includes focus and attention on Security
 With the improved examples and guidelines in part 2 it should make the standard
easier to read, understand and follow and avoid company/country specific guidelines.
 Also if they proceed with the TR, it will provide a lot more examples for the users to
follow and we will hopefully get fewer accidents and live in a safer world.
15