IEC 61511:2016 is the second edition and the current international standard issued by the International Electrotechnical Commission (IEC) for the functional safety of safety instrumented systems (SIS) in the process industry sector. The standard takes a risk-based approach to ensuring that a SIS achieves and maintains the safety of the process it protects against internal and external hazards.
IEC 61511 is a simplified derivative of IEC 61508 that caters for the more consistent equipment architectures found in the process industries. The standard is applied directly to many industrial processes, such as chemical, power, pulp and paper, pharmaceuticals, and refineries.
The International Society of Automation (ISA) adopted the IEC 61511:2016 standard in late 2017.
This article provides an overview of the IEC 61511 standard.
Application of IEC 61508 and IEC 61511 standards in Process Safety
Stakeholders involved in safety instrumented systems (SIS) must have a foundational knowledge of functional safety and the IEC 61511 standard requirements and relation to IEC 61508.
The IEC 61508 standard applies to a broad range of industries and primarily focuses on the manufacturers and suppliers of component devices, such as field devices and logic solvers. In process safety, IEC 61508 applies to the development of:
- New hardware devices
- Embedded (system) software
- Application programs using a great variety of programming languages
On the other hand, the IEC 61511 standard applies to safety instrumented designers, integrators, and users. In process safety, IEC 61511 applies to:
- Developing application programs using a limited variety of fixed programming languages
- Using hardware designed, manufactured, and assessed according to IEC 61508
In addition, IEC 61511 applies to utilizing “prior use” hardware devices, where the end-user (or manufacturer) has proven that their device has achieved functional and safety requirements. This proof is documented through a built-in system of accurate data gathering. The data is used to demonstrate that the device has operated with the same software version, in similar applications and environments, and for a sufficient period without any dangerous failures.
Three Parts of IEC 61511
The process industry is among the largest industrial sectors, covering petrochemical, pharmaceutical, and chemical. The IEC 61511 standard assists these process industries to maintain requisite safety standards. The standard focuses on Safety Instrumented Systems (SIS).
IEC 61511 is entitled “Functional Safety – Safety instrumented systems for the process industry sector” and is published in three parts:
- Part 1: The first part is normative and covers framework, definitions, and system requirements for hardware and software
- Part 2: The second part is informative and covers how industries can apply the requirements described in Part 1
- Part 3: The third part is also informative and offers guidance on how an entity can determine different Safety Integrity Level (SIL) requirements
Scope of IEC 61511
The IEC 61511 standard is a process industry derivative of the functional safety standard IEC 61508. This derivative standard is developed to reduce the encumbrance and complexity of IEC 61508.
The scope of IEC 61511 is to define requirements for the application and implementation of SIS in the process industry. The functional safety requirements are described based on a life-cycle approach – from concept to operation, maintenance, and decommissioning. Additionally, the standard establishes requirements for designing and managing SIS to achieve specified SIL and reduce risk.
While the previous paragraph describes what IEC 61511 is, it is equally important to understand what the standard is not. It does not prescribe what safety functions should be implemented, and it does not contain a recommendation of safety functions for a particular process or type of equipment. Additionally, the standard does not provide a detailed guide for the required reliability (SIL) of safety functions. Hence, it is quite possible for different organizations implementing the same process and hardware to arrive at different target SIL values for equivalent safety functions.
For an engineer to understand the requirements of IEC 61511, it is vital to have a solid knowledge of the key terms and concepts used in the standard.
Functional Safety
Functional Safety is the ability of the safety instrumented systems (SIS) to carry out the actions necessary to maintain or achieve the safe state of the physical processes and control systems that depend on the SIS.
Safety Instrumented System (SIS)
A SIS is a system composed of input sensors (e.g., temperature transmitters), logic solvers (e.g., PLCs), and output final elements (e.g., valves). It is used to implement single or multiple safety functions. A single SIS can implement single or multiple safety instrumented functions (SIF) independent of the basic process control systems (BPCS).
Safety Instrumented Function (SIF)
A SIF is a single automated and autonomous safety function implemented by a SIS for the process and equipment dependent on the SIS to achieve or maintain a safe state.
Safety Integrity Level (SIL)
The SIL indicates the level of risk reduction provided by a safety instrumented function (SIF) being implemented by a safety instrumented system (SIS). There are four SIL levels, each represented by a discrete number between 1 and 4. The higher the SIL, the more reliable the SIF is expected to be. The SIL is a property of the SIF as a whole, not of an individual device: the average probability of failure on demand (PFDavg) of each subsystem (sensor, logic solver, final element) is calculated and combined to show that the overall designed safety function meets its target SIL.
Basic Process Control System (BPCS)
A BPCS is a system that responds to input signals from a process, equipment, and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired way. A BPCS cannot perform any safety instrumented function rated SIL 1 or higher unless it is itself designed, assessed, and managed to IEC 61511 requirements, including the prior-use requirements for its hardware.
Common Cause Failure
It is defined as the simultaneous (or near-simultaneous) failures of two or more devices, functions, or systems due to the same cause or initiating event.
Common Mode Failure
It is defined as the failure that causes two or more devices, functions, or systems to fail at the same time for the same reason. A common mode failure is particularly dangerous as it can lead to the failure of all devices, functions, or systems with the same configuration. For example, suppose all network devices have the same firmware and version. In that case, they have the same inherent vulnerabilities that, if exploited, could lead to a cascading incident leading to a full network outage.
Process Hazard and Risk Assessment
IEC 61511 requires a process hazard and risk assessment (H&RA) to be carried out to identify the hazards, define the requirements specification for each safety instrumented function (SIF), and establish the associated risk reduction for a process. The most widely applied technique for conducting an H&RA is the Hazard and Operability study (HAZOP). More information on HAZOP, its strengths and limitations, and the high-level HAZOP workshop process is viewable here.
Layer of Protection Analysis (LOPA)
Layers of Protection Analysis (LOPA) is a technique used to analyze the level of risk of a system with its existing independent protection layers (IPLs) and to determine whether additional IPLs, such as a SIF, should be added to reduce a particular incident scenario to a tolerable level.
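A worked example tying the SIL bands and the LOPA calculation above together. It is added here and is not from the IEC 61511 text or the original article: it derives the PFDavg a new SIF must achieve for one constructed scenario, maps it to a target SIL, and then checks two candidate designs against it using the simplified low-demand PFDavg approximations from IEC 61508-6 (repair terms ignored). All failure rates, proof-test intervals, IPL credits, the tolerable frequency and the 5 % beta factor are assumed sample values, not vendor or plant data.

```python
"""Worked LOPA -> target SIL -> SIF verification.

Added example; not part of IEC 61511 or of the original article.
Failure rates, test intervals, IPL credits and the beta factor below are
constructed sample values. Formulas are the simplified low-demand PFDavg
approximations from IEC 61508-6 with repair terms ignored.
"""

# Low-demand SIL bands (IEC 61508-1 / IEC 61511-1):
# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

HOURS_PER_YEAR = 8760.0


def sil_for_pfd(pfd_avg):
    """Map a PFDavg to its SIL band. Returns None outside SIL 1-4:
    >= 0.1 supports no SIL claim, < 1e-5 is beyond the standard's scope."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return None


def lopa_required_pfd(initiating_event_freq, ipl_pfds, tolerable_freq):
    """LOPA for one scenario. Frequencies are events per year.
    Returns the PFDavg a new SIF must achieve, or 1.0 if the existing
    IPLs already bring the scenario below the tolerable frequency."""
    mitigated = initiating_event_freq
    for pfd in ipl_pfds:
        mitigated *= pfd  # each IPL is credited independently (LOPA assumption)
    if mitigated <= tolerable_freq:
        return 1.0
    return tolerable_freq / mitigated


def pfd_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified 1oo1 PFDavg: lambda_DU * TI / 2."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def pfd_1oo2(lambda_du_per_hour, proof_test_interval_hours, beta):
    """Simplified 1oo2 PFDavg with a beta-factor common-cause term:
    (lambda_DU * TI)^2 / 3  +  beta * lambda_DU * TI / 2."""
    x = lambda_du_per_hour * proof_test_interval_hours
    return x * x / 3.0 + beta * x / 2.0


def verify_sif(subsystem_pfds, required_pfd):
    """Combine sensor, logic solver and final element PFDavg (series sum)
    and check both the SIL band and the numeric LOPA requirement.
    Returns (pfd_avg, sil, meets_requirement)."""
    pfd_avg = sum(subsystem_pfds)
    return pfd_avg, sil_for_pfd(pfd_avg), pfd_avg <= required_pfd


def worked_example():
    """Constructed scenario: BPCS loop failure leads to vessel overpressure."""
    required = lopa_required_pfd(
        initiating_event_freq=0.1,  # BPCS control loop failure per year (assumed)
        ipl_pfds=[0.01],            # relief valve credited as an IPL (assumed PFD)
        tolerable_freq=3e-6,        # corporate tolerable frequency (assumed)
    )
    target_sil = sil_for_pfd(required)

    # Design A: single transmitter, single logic solver, single valve, 1-year proof test
    design_a = [
        pfd_1oo1(5e-7, HOURS_PER_YEAR),  # pressure transmitter (assumed lambda_DU)
        pfd_1oo1(1e-8, HOURS_PER_YEAR),  # safety PLC (assumed lambda_DU)
        pfd_1oo1(1e-6, HOURS_PER_YEAR),  # shutdown valve (assumed lambda_DU)
    ]
    # Design B: same, but redundant shutdown valves (1oo2) with 5 % common-cause beta
    design_b = design_a[:2] + [pfd_1oo2(1e-6, HOURS_PER_YEAR, beta=0.05)]

    return {
        "required_pfd": required,
        "target_sil": target_sil,
        "design_a": verify_sif(design_a, required),
        "design_b": verify_sif(design_b, required),
    }


if __name__ == "__main__":
    r = worked_example()
    print(f"required PFDavg {r['required_pfd']:.2e} -> target SIL {r['target_sil']}")
    for name in ("design_a", "design_b"):
        pfd, sil, ok = r[name]
        print(f"{name}: PFDavg {pfd:.2e}, SIL {sil}, meets requirement: {ok}")
```

Two things the numbers show that the text alone does not. Design A lands inside the SIL 2 band yet still fails, because LOPA demanded a PFDavg of 3e-3 and the band only guarantees better than 1e-2; the SIL is a coarse label and the numeric requirement must be verified as well. In design B the beta term (2.19e-4) is nearly an order of magnitude larger than the independent-failure term (2.56e-5), which is the numerical face of the common-cause discussion above: redundancy helps far less than the duplicated hardware suggests. A real SIL verification must also satisfy the hardware fault tolerance and systematic capability requirements, which this calculation does not cover.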
Functional Safety Assessment
Functional Safety Assessment (FSA) is an evidence-based investigation to evaluate the functional safety achieved by one or more SIS and/or other protection layers.
Safety Requirements Specifications
The Safety Requirements Specification (SRS) for a Safety Instrumented System (SIS) incorporates all the analysis done during the Hazard and Risk Assessment (e.g., HAZOP/PHA and LOPA) reviews and aligns it with the performance criteria, reliability, and expected operating regime of the organization.
The second edition of the IEC 61511 standard stipulates that individuals involved in the SIS safety life-cycle activities need to be competent to perform the work for which they are accountable. It requires a formal documented procedure to manage the competence of all individuals involved within the SIS safety life-cycle.
To be compliant with the standard’s requirements, organizations should maintain a competency matrix for their personnel to identify gaps in knowledge and experience, identifying and prioritizing formal training and informal on-the-job learning needs.
Components of Functional Safety Management
Organizations that have implemented Safety Instrumented Functions in managing risk need to demonstrate that they have taken reasonable steps to comply with the IEC 61511 standard. The Functional Safety Management (FSM) plan specifies the desired path and success metrics on how functional safety will be ensured throughout the SIS safety life-cycle stages. Just like there exists a Quality Assurance Plan or a Risk Management Plan, there should also be a Functional Safety Management plan.
The requirement for Functional Safety Management planning is applicable to all engineering and functional safety system stakeholders – owners, engineers, suppliers, operators, and maintainers. Functional Safety Management planning ensures that we achieve the required system and safety integrity.
IEC 61511 outlines requirements for the “Management of functional safety” and defines the following objectives:
- Define the Life-cycle Model
- Define responsibilities
- Specify management and technical activities
- Establish the documentation framework
- Facilitate and demonstrate compliance with the standards
- Plan the verification, validation, and assessment activities
- Provide a dynamic planning document that can be maintained throughout the life-cycle
- Ensure buy-in for the plan implementation from the risk owners
In fact, functional safety management is a specific application of quality management, and it includes the following main elements:
- Establishment and review of requirements
- Design and development of inputs, outputs, review, verification, and validation
- Change control
SIS Safety Life-cycle
The concept of Safety Life-cycle is necessary for compliance with IEC 61511. According to the standard, the functional safety life-cycle is constructed as follows:
- Analyze the hazards and document the safety requirement specifications
- Translate these requirement specifications into system design using appropriate hardware and software subsystems and design methodologies
- Validate the system conforms to all the specifications and modify to the desired specifications as required.
- Ensure the operation and maintenance of the system and its performance remains consistent with the SIS safety requirements, design and the operational and maintenance plan.
The safety life-cycle is divided into three phases.
Phase 1 – Analysis
The detailed analysis of process hazards compares the probability of a risk scenario against its consequences. For the analysis to be successful, the organization must define the maximum tolerable risk. During this phase, each risk scenario is analyzed in detail and assigned adequate protection layers. The most important outcome is the Safety Requirements Specification (SRS) documentation.
The following are the main steps of the phase:
- Implement a Hazard Analysis (e.g. HAZOP).
- Define and assign adequate protection layers to risk scenarios.
- Determine the SIL to be assigned to each Safety Instrumented Function (SIF).
- Develop the Safety Requirements Specification (SRS) documentation.
- Perform a Functional Safety Assessment (FSA-1).
Phase 2 – Design & Implementation
The foundation of this phase is the Safety Instrumented Functions (SIF) defined during the analysis phase. The design of hardware and software subsystems must conform with the safety requirements specified in the SRS. The most important part of this phase is the validation of the Safety Instrumented System (SIS) which usually takes place during the Site Acceptance Tests (SAT).
The following steps are implemented during this phase:
- Select appropriate technology.
- Design the Safety Instrumented Functions (SIF) in accordance with the outcomes of Phase 1.
- Verify the compliance of SIFs with the Safety Integrity Levels (SIL) required by the SRS.
- Procure, construct and install products and equipment.
- Perform SIS tests: Factory Acceptance Test (FAT) and Site Acceptance Test (SAT).
- Validate the Safety Instrumented System.
- Perform Functional Safety Assessment (FSA-2).
Phase 3 – Operation & Maintenance
This phase is the one with the longest duration since it covers the operation and maintenance of the Safety Instrumented System. The key factors to a successful execution of this phase are the development of an adequate, efficient and effective maintenance plan and the development of safety culture which should span across all organizational functions.
The key steps to this phase are the following:
- Develop a SIS Maintenance Plan.
- Train all personnel to raise safety awareness and create a safety culture.
- Monitor and audit compliance with the Maintenance Plan.
- Manage bypasses to ensure consistency and compliance.
- Manage the supply chain of spare parts.
- Register all failures for lessons learned and possible process modification.
- Monitor continuous compliance with the requirements defined in the SRS.
- Implement change management procedures to handle SIS modifications.
- Perform Functional Safety Assessment (FSA-3).
Typical protection layers and risk reduction means
IEC 61511 introduces the concept of layers of protection and emphasizes the independence between these layers. According to the standard, the typical protection layers and the associated risk reduction means are shown in the following table.
Connectivity between Functional Safety and IACS Cybersecurity
The functional safety-related control systems have become more complicated with the steady introduction of programmable logic and commodity IT devices/networks to monitor and control Industrial Automation and Control Systems (IACS). There is a growing need to appropriately recognize and manage threats to the continuous safe operation of the safety control systems from cyber incidents.
To address these emerging threats, the second edition of the IEC 61511:2016 requires the following for SIS:
- The persons involved in the SIS safety life-cycle activities must be competent, and their competency must be evaluated against criteria that include the following:
  - engineering knowledge, training, and experience with the technology
  - knowledge of safety engineering and of legal and regulatory requirements
  - understanding of the potential consequences of a safety-related event
- A security risk assessment must be conducted on the SIS to identify cyber-related vulnerabilities.
- Cyber requirements must be specified once the cybersecurity vulnerability and threat analyses have been performed.
- The design of the SIS must provide resilience against cyber incidents.
- The interfaces for engineering and maintenance functions must only be accessible through access-controlled authentication and secure channel communication.
- Ensure the accuracy of field data (for example, by comparing the digital and analog signals of a transmitter).
- Ensure the integrity of data sent from the sensors, PLCs, HMIs, etc.
- Guidance on cybersecurity risk analysis should be taken from the ISA/IEC 62443 series.
Note: While IEC 61508 requires a security risk assessment to be carried out only if the hazard analysis identifies a malicious or unauthorized action as reasonably foreseeable, IEC 61511 unequivocally requires that the security risk assessment be conducted.
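One concrete form of the "accuracy of field data" requirement above is a cross-check of a transmitter's analog 4–20 mA loop value against the digital value it reports, added here as an example that is not from the article or from IEC 61511. The fault-current thresholds follow NAMUR NE43 (a current at or below 3.6 mA or at or above 21 mA signals a transmitter fault); the transmitter range, the 1 % tolerance and all sample readings are constructed assumptions for illustration.

```python
"""Cross-check of a transmitter's analog (4-20 mA) and digital values.

Added example; not from the article or from IEC 61511. Sample readings
are constructed. Fault-current thresholds follow NAMUR NE43; the
transmitter range, tolerance and readings are assumptions.
"""
from dataclasses import dataclass

# NAMUR NE43: currents at or beyond these limits mean the transmitter
# itself is signalling a fault, so neither value should be trusted.
NE43_FAULT_LOW_MA = 3.6
NE43_FAULT_HIGH_MA = 21.0
LIVE_ZERO_MA = 4.0      # engineering range low end
FULL_SCALE_MA = 20.0    # engineering range high end


@dataclass(frozen=True)
class Transmitter:
    tag: str
    range_low: float    # engineering units at 4 mA
    range_high: float   # engineering units at 20 mA

    @property
    def span(self):
        return self.range_high - self.range_low


def ma_to_engineering(tx, milliamps):
    """Linear 4-20 mA scaling to the transmitter's calibrated range."""
    fraction = (milliamps - LIVE_ZERO_MA) / (FULL_SCALE_MA - LIVE_ZERO_MA)
    return tx.range_low + fraction * tx.span


def check_reading(tx, milliamps, digital_value, tolerance_pct=1.0):
    """Compare the analog loop value with the digitally reported value.

    Returns one of:
      "FAULT_SIGNAL" - NE43 fault current; the device is reporting a failure
      "MISMATCH"     - analog and digital disagree by more than tolerance_pct
                       of span (wiring, configuration or tampering suspected)
      "OK"           - the two paths agree
    """
    if milliamps <= NE43_FAULT_LOW_MA or milliamps >= NE43_FAULT_HIGH_MA:
        return "FAULT_SIGNAL"
    analog_value = ma_to_engineering(tx, milliamps)
    if abs(analog_value - digital_value) > tolerance_pct / 100.0 * tx.span:
        return "MISMATCH"
    return "OK"


def run_checks(tx, readings):
    """Evaluate a batch of (milliamps, digital_value) pairs; returns a list
    of (milliamps, digital_value, verdict) for logging or alarming."""
    return [(ma, dv, check_reading(tx, ma, dv)) for ma, dv in readings]


# Constructed sample: a 0-10 bar pressure transmitter (assumed tag and range)
PT_101 = Transmitter(tag="PT-101", range_low=0.0, range_high=10.0)
SAMPLE_READINGS = [
    (12.0, 5.0),    # 12 mA is exactly 5.0 bar: OK
    (12.0, 7.5),    # digital says 7.5 bar while the loop says 5.0: MISMATCH
    (3.2, 0.0),     # below 3.6 mA: transmitter signalling a fault
    (20.0, 9.95),   # 0.05 bar apart, inside 1 % of span: OK
]


if __name__ == "__main__":
    for ma, dv, verdict in run_checks(PT_101, SAMPLE_READINGS):
        print(f"{PT_101.tag}: {ma:5.2f} mA vs digital {dv:6.2f} -> {verdict}")
```

The check is deliberately simple: a mismatch is not by itself evidence of an attack, but a digital value that diverges from the hard-wired loop is exactly the condition an operator or SIS engineer needs to see raised rather than silently trusted, and the NE43 fault band must be handled first so that a device already reporting a failure is not misread as a plausible measurement.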
Benefits of functional safety
Process industries should invest in functional safety for many good reasons:
- Safety of people. It is vital to minimize the risks that might affect employees, contractors, and the general population.
- Protection of mission-critical equipment.
- Protection of the environment.
- Regulatory and legislative compliance. When an accident occurs, auditors will analyze the in-depth degree of compliance, leading to severe legal consequences for the company.
- Lower insurance policy costs.
- Brand reputation. Even a small-scale incident can have an immediate reputational impact through social media and networks. The brand image is one of the greatest assets for companies; a reputational hit could damage profits and shareholder confidence.
- Safeguard production reliability and safety. The loss of production resulting from an accident can be substantial and can even have tremendous implications, such as closure of the facility.
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize systematic cyber and operational risk assessment using well-established techniques and templates. Our cyber Process Risk Assessment (cyberPRA) methodology is based on ISA/IEC 62443 and IEC 61511 industry standards. The assessment identifies potential gaps, hazards, vulnerabilities, independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on realistic cost-benefit analysis.
To learn how our customers benefit, visit our website.
Authors' note: This blog was co-authored by Saif Shariff and Anastasios Arampatzis.