Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements

IEC 61511-1:2016 gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIS), so that it can be confidently entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been developed as a process sector implementation of IEC 61508:2010. The contents of the corrigendum of September 2016 have been included in this copy.

Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements

IEC 61511-1:2016 describes the requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIS, Safety Instrumented System) so that it can be relied upon with confidence to establish or maintain the process in an appropriate safe state. IEC 61511-1 has been designed as an implementation of IEC 61508:2010 for the process industry sector. The contents of the corrigendum of September 2016 have been taken into account in this copy.

General Information

Status: Published
Publication Date: 23-Feb-2016
Technical Committee: SC 65A - System aspects
Current Stage: PPUB - Publication issued
Start Date: 24-Feb-2016
Completion Date: 29-Feb-2016

Relations

Effective Date: 05-Sep-2023

Overview

IEC 61511-1:2016 - "Functional safety - Safety instrumented systems for the process industry sector - Part 1" defines requirements for the specification, design, installation, operation and maintenance of safety instrumented systems (SIS) so they can be confidently entrusted to achieve or maintain a safe state of a process. This edition is a process-sector implementation of IEC 61508:2010 and includes the September 2016 corrigendum. Key focuses include the SIS safety life‑cycle, hardware and software application programming requirements, and management of functional safety.

Key topics and technical requirements

  • Framework & Definitions: standardized terminology for SIS, programmable electronic systems (PES) and safety instrumented functions (SIF).
  • Management of Functional Safety: organizational responsibilities, resources, risk evaluation, safety planning, assessment and auditing.
  • Safety Life‑Cycle Requirements: lifecycle phases from concept and design through operation, maintenance, modification and decommissioning.
  • Hazard & Risk Assessment (H&RA): inputs for specifying SIFs and allocating protection layers.
  • Allocation of Safety Functions: methods to assign safety functions to SIS and other protection layers (e.g., BPCS).
  • SIS Safety Requirements Specification (SRS): documentation and functional requirements for SIFs.
  • Design & Engineering: hardware fault tolerance, selection of sensors/actuators/logic solvers, interfaces, and measures against common‑cause failures.
  • Application Software & Program Development: safety‑oriented software life‑cycle, verification, validation and change control for SIS application programs.
  • Verification, Testing & Validation: factory acceptance testing (FAT), commissioning, SIS safety validation, proof testing and inspection.
  • Operation, Maintenance & Modification: maintenance procedures, proof test plans, configuration management and documentation requirements.

Practical applications

IEC 61511-1:2016 is applied in process industries where automated protection is required to reduce process risk - examples include oil & gas, petrochemical, chemical, pharmaceutical, power generation and mining. Use cases:

  • Specifying and documenting SIFs and SRS for new or modified plants.
  • Guiding system integrators and suppliers in SIS design and component selection.
  • Establishing maintenance and proof‑testing programs to meet required Safety Integrity Levels (SIL).
  • Supporting functional safety assessments, audits and compliance evidence for regulatory reviews and insurance.

Who should use this standard

  • Safety and process engineers
  • Functional safety managers and assessors
  • Control system designers, integrators and vendors
  • Maintenance planners and reliability engineers
  • Compliance officers and auditors

Related standards

  • IEC 61508:2010 - fundamental functional safety standard for electrical/electronic/programmable systems (parent standard).
  • Other parts of the IEC 61511 series (guidance, sector extensions) and national process safety regulations.

Keywords: IEC 61511-1:2016, functional safety, safety instrumented system, SIS, safety life‑cycle, SIL, SRS, SIF, proof testing, process industry.

Standard: IEC 61511-1:2016+AMD1:2017 CSV - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements. Released: 8/16/2017. ISBN: 9782832247525. English language, 163 pages.

Standard: IEC 61511-1:2016 RLV - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements. Released: 2/24/2016. ISBN: 9782832232163. English language, 286 pages.

Standard: IEC 61511-1:2016 - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements. English and French language, 175 pages.

Standard: IEC 61511-1:2016+AMD1:2017 CSV - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements. Released: 8/16/2017. ISBN: 9782832280126. English and French language, 350 pages.

Frequently Asked Questions

IEC 61511-1:2016 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements". This standard covers: IEC 61511-1:2016 gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIS), so that it can be confidently entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been developed as a process sector implementation of IEC 61508:2010. The contents of the corrigendum of September 2016 have been included in this copy.


IEC 61511-1:2016 is classified under the following ICS (International Classification for Standards) categories: 13.110 - Safety of machinery; 25.040.01 - Industrial automation systems in general. The ICS classification helps identify the subject area and facilitates finding related standards.

IEC 61511-1:2016 has the following relationships with other standards: it has inter-standard links to IEC 61511-1:2016/AMD1:2017, IEC 61511-1:2016/COR1:2016, IEC 61511-1:2003/COR1:2004 and IEC 61511-1:2003. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase IEC 61511-1:2016 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of IEC standards.

Standards Content (Sample)


IEC 61511-1 ® Edition 2.1 2017-08 CONSOLIDATED VERSION INTERNATIONAL STANDARD [colour inside]
Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 16 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC publications search - www.iec.ch/searchpub
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.

IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
ICS 13.110; 25.040.01 ISBN 978-2-8322-4752-5

IEC 61511-1 ® Edition 2.1 2017-08 CONSOLIDATED VERSION – REDLINE VERSION [colour inside]
Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements
– 2 – IEC 61511-1:2016+AMD1:2017 CSV
© IEC 2017
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 9
2 Normative references . 12
3 Terms, definitions and abbreviations . 13
3.1 Terms . 13
3.2 Terms and definitions . 13
3.3 Abbreviations . 31
4 Conformance to the IEC 61511-1:2016 . 32
5 Management of functional safety . 32
5.1 Objective . 32
5.2 Requirements . 33
5.2.1 General . 33
5.2.2 Organization and resources . 33
5.2.3 Risk evaluation and risk management . 33
5.2.4 Safety planning . 33
5.2.5 Implementing and monitoring . 34
5.2.6 Assessment, auditing and revisions . 34
5.2.7 SIS configuration management . 37
6 Safety life-cycle requirements . 37
6.1 Objectives . 37
6.2 Requirements . 38
6.3 Application program SIS safety life-cycle requirements . 40
7 Verification . 43
7.1 Objective . 43
7.2 Requirements . 43
8 Process H&RA . 45
8.1 Objectives . 45
8.2 Requirements . 45
9 Allocation of safety functions to protection layers . 46
9.1 Objectives . 46
9.2 Requirements of the allocation process . 46
9.3 Requirements on the basic process control system as a protection layer . 49
9.4 Requirements for preventing common cause, common mode and dependent failures . 50
10 SIS safety requirements specification (SRS) . 50
10.1 Objective . 50
10.2 General requirements . 50
10.3 SIS safety requirements . 51
11 SIS design and engineering . 53
11.1 Objective . 53
11.2 General requirements . 53
11.3 Requirements for system behaviour on detection of a fault . 54
11.4 Hardware fault tolerance . 55
11.5 Requirements for selection of devices . 56

11.5.1 Objectives . 56
11.5.2 General requirements . 56
11.5.3 Requirements for the selection of devices based on prior use . 56
11.5.4 Requirements for selection of FPL programmable devices (e.g., field devices) based on prior use . 57
11.5.5 Requirements for selection of LVL programmable devices based on prior use . 58
11.5.6 Requirements for selection of FVL programmable devices . 59
11.6 Field devices . 59
11.7 Interfaces . 59
11.7.1 General . 59
11.7.2 Operator interface requirements . 59
11.7.3 Maintenance/engineering interface requirements . 60
11.7.4 Communication interface requirements . 60
11.8 Maintenance or testing design requirements . 61
11.9 Quantification of random failure . 61
12 SIS application program development . 63
12.1 Objective . 63
12.2 General requirements . 63
12.3 Application program design . 64
12.4 Application program implementation . 65
12.5 Requirements for application program verification (review and testing) . 66
12.6 Requirements for application program methodology and tools . 67
13 Factory acceptance test (FAT) . 68
13.1 Objective . 68
13.2 Recommendations . 68
14 SIS installation and commissioning . 69
14.1 Objectives . 69
14.2 Requirements . 69
15 SIS safety validation . 70
15.1 Objective . 70
15.2 Requirements . 70
16 SIS operation and maintenance . 73
16.1 Objectives . 73
16.2 Requirements . 73
16.3 Proof testing and inspection . 75
16.3.1 Proof testing . 75
16.3.2 Inspection . 76
16.3.3 Documentation of proof tests and inspection . 76
17 SIS modification . 76
17.1 Objectives . 76
17.2 Requirements . 77
18 SIS decommissioning . 77
18.1 Objectives . 77
18.2 Requirements . 78
19 Information and documentation requirements . 78
19.1 Objectives . 78
19.2 Requirements . 78

Bibliography . 80

Figure 1 – Overall framework of the IEC 61511 series . 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 . 10
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 . 11
Figure 4 – Relationship between safety instrumented functions and other functions . 12
Figure 5 – Programmable electronic system (PES): structure and terminology . 24
Figure 6 – Example of SIS architectures comprising three SIS subsystems . 26
Figure 7 – SIS safety life-cycle phases and FSA stages . 38
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle . 41
Figure 9 – Typical protection layers and risk reduction means . 49

Table 1 – Abbreviations used in IEC 61511 . 31
Table 2 – SIS safety life-cycle overview (1 of 2) . 39
Table 3 – Application program safety life-cycle: overview (1 of 2) . 42
Table 4 – Safety integrity requirements: PFDavg . 47
Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF . 47
Table 6 – Minimum HFT requirements according to SIL . 55

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and application programming requirements
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This consolidated version of the official IEC Standard and its amendment has been prepared
for user convenience.
IEC 61511-1 edition 2.1 contains the second edition (2016-02) [documents 65A/777/FDIS and
65A/784/RVD], its corrigendum 1 (2016-09) and its amendment 1 (2017-08) [documents 65A/844/
FDIS and 65A/848/RVD].
In this Redline version, a vertical line in the margin shows where the technical content is
modified by amendment 1. Additions are in green text, deletions are in strikethrough red text. A
separate Final version with all changes accepted is available in this publication.

International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition cancels and replaces the first edition published in 2003. This
edition constitutes a technical revision. This edition includes the following significant
technical changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to application programming;
• functional safety assessment requirements provided with more detail to improve management of functional safety;
• management of change requirement added;
• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified; these should be reviewed carefully to understand user/integrator options.
The text of this standard is based on the following documents:
FDIS: 65A/777/FDIS
Report on voting: 65A/784/RVD
Full information on the voting for the approval of this standard can be found in the report on voting indicated above.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
safety instrumented systems for the process industry sector, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.

INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety
instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively
used for SIFs, it is essential that this instrumentation achieves certain minimum standards
and performance levels.
The IEC 61511 series addresses the application of SISs for the process industries. The
IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be
carried out to enable the specification for SISs to be derived. Other safety systems'
contributions are only considered with respect to the performance requirements for the SIS.
The SIS includes all devices necessary to carry out each SIF from sensor(s) to final
element(s).
The IEC 61511 series has two concepts which are fundamental to its application: SIS safety
life-cycle and safety integrity levels (SILs).
The IEC 61511 series addresses SISs which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the
functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors
and final elements regardless of the technology used. The IEC 61511 series is process
industry specific within the framework of the IEC 61508 series.
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum principles. This approach has been adopted in order that a rational and consistent
technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. However in
some instances this is not possible or not practical. If necessary, this may be combined with a
protective system or systems to address any residual identified risk. Protective systems can
rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• addresses that a H&RA is carried out to identify the overall safety requirements;
• addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented means of achieving
functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying
principles, terminology, and information) within the process industries. This should have both
safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511
series.
In jurisdictions where the governing authorities (e.g., national, federal, state, province, county,
city) have established process safety design, process safety management, or other
regulations, these take precedence over the requirements defined in the IEC 61511 series.

Figure 1 – Overall framework of the IEC 61511 series (figure; only the box labels are recoverable from the extracted text):
Part 1, support parts: References (Clause 2); Definitions and abbreviations (Clause 3); Conformance (Clause 4); Management of functional safety (Clause 5); Safety life-cycle requirements (Clause 6); Verification (Clause 7); Information requirements (Clause 19).
Part 1, technical requirements: Development of the overall safety requirements (concept, scope definition, hazard and risk assessment) (Clause 8); Allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification (Clauses 9 and 10); Design phase for safety instrumented systems (Clause 11); Design phase for SIS application programming (Clause 12); Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems (Clauses 13, 14, and 15); Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems (Clauses 16, 17, and 18).
Part 2: Guideline for the application of part 1.
Part 3: Guidance for the determination of the required safety integrity levels.

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 1: Framework, definitions, system,
hardware and application programming requirements

1 Scope
This part of IEC 61511 gives requirements for the specification, design, installation, operation
and maintenance of a safety instrumented system (SIS), so that it can be confidently
entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been
developed as a process sector implementation of IEC 61508:2010.
In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (e.g., designers, suppliers,
owner/operating company, contractor). This responsibility will be assigned to different
parties according to safety planning, project planning and management, and national
regulations;
b) applies when devices that meet the requirements of the IEC 61508 series published in
2010, or IEC 61511-1:2016 [11.5], are integrated into an overall system that is to be used
for a process sector application. It does not apply to manufacturers wishing to claim that
devices are suitable for use in SISs for the process sector (see IEC 61508-2:2010 and
IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application programs are developed for systems having limited variability
language or when using fixed programming language devices, but does not apply to
manufacturers, SIS designers, integrators and users that develop embedded software
(system software) or use full variability languages (see IEC 61508-3:2010);
e) applies to a wide variety of industries within the process sector for example, chemicals, oil
and gas, pulp and paper, pharmaceuticals, food and beverage, and non-nuclear power
generation;
NOTE 1 Within the process sector some applications may have additional requirements that have to be
satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the SIF taking into account the risk reduction achieved by other methods;
h) specifies life-cycle requirements for system architecture and hardware configuration,
application programming, and system integration;
i) specifies requirements for application programming for users and integrators of SISs;
j) applies when functional safety is achieved using one or more SIFs for the protection of
personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for
achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are
necessary to determine the functional requirements and the safety integrity requirements
for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and
safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand
mode) and average frequency of dangerous failures (in demand mode or continuous
mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved
for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which
IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for
specific applications (which should be established based on knowledge of the particular
application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person:
Figure 2 – Relationship between IEC 61511 and IEC 61508 (figure; only the box labels are recoverable from the extracted text): process sector safety instrumented system standards. Manufacturers and suppliers of devices: IEC 61508. Safety instrumented systems designers, integrators and users: IEC 61511.
NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in
IEC 61511.
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 (figure; reconstructed from the extracted column labels): process sector safety instrumented system standards.
Process sector hardware:
– developing new hardware devices: follow IEC 61508;
– using prior-use hardware devices: follow IEC 61511;
– using hardware developed and assessed according to IEC 61508: follow IEC 61511.
Process sector software and application program:
– developing embedded (system) software: follow IEC 61508-3;
– developing application program using full variability languages: follow IEC 61508-3;
– developing application program using limited variability or fixed program languages: follow IEC 61511.
NOTE 4 Subclause 7.2.2 in IEC 61511-1:2016 and A.7.2.2 in IEC 61511-2:2016 contain guidance on handling integration of sub-systems that comply with other standards (such as
machinery, burner, etc.).
– 12 – IEC 61511-1:2016+AMD1:2017 CSV
[Figure 4 (decision flow, reproduced as text): Start. Is this an instrumented function? If no: is it a safety function? If no, the IEC 61511 series is not relevant; if yes, it is one of the other (non-instrumented) means of risk reduction. If yes: is it a safety instrumented function? If no, it is one of the other instrumented means of risk reduction, for which the standard specifies activities which are to be carried out but requirements are not detailed. If yes: demand mode or continuous mode? The result is a demand mode SIF or a continuous mode SIF.]
Figure 4 – Relationship between safety instrumented functions and other functions
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 1: General Requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 2: Requirements for electrical/electronic/programmable electronic
safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 3: Software requirements

3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.
3.2 Terms and definitions
For the purposes of this document, the following definitions apply.
In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases
this is due to the terminology used in the process sector. In other cases these definitions have been aligned with
other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary,
ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning
between these definitions and the definitions of the same terms in IEC 61508-4:2010.
3.2.1
architecture
configuration
specific configuration of hardware and software components in a system
Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal
structure of a SIS subsystem or the internal structure of SIS application programs.
3.2.2
asset protection
function allocated to a system and designed for the purpose of preventing loss or damage to
assets
3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or operators and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any SIF
Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired
manner.
Note 2 to entry: A BPCS typically may implement various functions such as process control functions,
monitoring, and alarms.
3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed
Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the
operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element
operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the
application program).
Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or
inhibit or muting.
3.2.5
channel
device or group of devices that independently perform(s) a specified function

Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers, sensors, and
final elements.
Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently
perform the same function. Channels may be identical or diverse.
Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or
final elements).
Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault
tolerance requirements.
3.2.6
common cause
3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are
not consequences of each other
Note 1 to entry: All the failures due to a common cause do not necessarily occur exactly at the same time and this
may allow time to detect the occurrence of the common cause before a SIF is actually failed.
Note 2 to entry: Common cause failures can also lead to common mode failures.
Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault
tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).
Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g.,
temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation
errors, bugs), human error (e.g., misuse), etc.
Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to the definition in 3.2.6.1.
3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (i.e., identical
faults)
Note 1 to entry: Common mode failures may have different causes.
Note 2 to entry: Common mode failures can also be the result of common cause failures (3.2.6.1).
Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy and
fault tolerance (e.g., failure of two or more channels in the same way, causing the same erroneous result).
Note 4 to entry: By extension, a common mode failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to the definition in 3.2.6.2.
3.2.7
compensating measure
temporary implementation of planned and documented methods for managing risks during any
period of maintenance or process operation when it is known that the performance of the SIS
is degraded
3.2.8
component
one of the parts of a system, SIS subsystem, or device performing a specified function
Note 1 to entry: Component may also include software.

3.2.9
configuration management
discipline of identifying the components and the arrangements of those components of an
evolving system for the purposes of controlling changes to those components, and
maintaining continuity of the system and traceability of any changes throughout the life-cycle
3.2.9.1
conservative approach
cautious way of doing analysis and calculations
Note 1 to entry: In the safety field, each time an analysis, an assumption or a calculation has to be made (about
models, input data, computations, etc.), it can be chosen so as to be sure of producing pessimistic results.
3.2.10
control system
system which responds to input signals from the process and/or from an operator and
generates output signals causing the process to operate in the desired manner
Note 1 to entry: The control system includes sensors and final elements and may be either a BPCS or a SIS or
a combination of the two.
3.2.11
dangerous failure
failure which impedes or disables a given safety action
Note 1 to entry: A failure is "dangerous" only with regard to a given SIF.
Note 2 to entry: When fault tolerance is implemented, a dangerous failure can lead to either:
– a degraded SIF where the safety action is available but there is either a higher PFD (demand mode of
operation) or a higher likelihood of initiating a hazardous event (continuous mode of operation) or a PFH, or
– a disabled SIF where the safety action is completely disabled (demand mode of operation) or the hazardous
event has been induced (continuous mode of operation).
Note 3 to entry: When no fault tolerance is implemented, all dangerous failures lead to a disabled SIF.
3.2.12
dependent failure
failure whose probability cannot be expressed as the simple product of the unconditional
probabilities of the individual events which caused it
Note 1 to entry: Two events A and B are dependent if the probability of occurrence of A and B, P(A and B), is
greater than P(A) × P(B).
Note 2 to entry: See 9.4.2 and IEC 61511-3:2016, Annex J for consideration of dependent failures between
protection layers.
Note 3 to entry: Dependent failures include common cause.
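The two points made in the notes above, that dependent events have P(A and B) greater than P(A) × P(B) and that common cause failures reduce the effect of redundancy (3.2.6.1, Note 3), can be made concrete with a short calculation. The following Python is an added worked example, not text or code from IEC 61511-1. It assumes the simplified PFDavg approximations for 1oo1 and 1oo2 architectures (neglecting repair time, diagnostics and demand rate), a beta-factor model for common cause, and constructed inputs (lambda_DU = 1e-6 per hour per channel, a one-year proof-test interval, beta = 0.1). The SIL bands are those of IEC 61511-1:2016 Table 4; all function names are the example's own.

```python
"""
Added worked example (not from IEC 61511-1): how common cause / dependent
failures erode the benefit of a redundant (1oo2) SIF, and how the resulting
PFDavg maps onto the SIL bands of IEC 61511-1:2016 Table 4.

Assumptions (not from the standard's text):
  - simplified PFDavg equations that ignore repair time, diagnostics and
    demand rate: 1oo1 ~ lambda_DU*T/2, 1oo2 ~ (lambda_DU*T)^2/3;
  - beta-factor model for common cause: a share beta of the dangerous
    undetected failure rate fails both channels together;
  - the sample failure rate (1e-6 per hour) and proof-test interval
    (8760 h, one year) are constructed inputs.
"""

# SIL bands for demand-mode SIFs, IEC 61511-1:2016 Table 4 (PFDavg).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def sil_from_pfd(pfd_avg):
    """Return the SIL whose Table 4 band contains pfd_avg.

    Returns 0 when the PFD is worse than SIL 1 (below SIL 1 the standard does
    not apply, scope item s) and None when it is better than the SIL 4 band,
    which the standard does not rate (scope item r)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg < 1e-5:
        return None
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    raise ValueError("unreachable: bands cover [1e-5, 1e-1)")


def pfd_1oo1(lambda_du, proof_test_interval_h):
    """Single channel: average unavailability over the proof-test interval."""
    return lambda_du * proof_test_interval_h / 2.0


def pfd_1oo2(lambda_du, proof_test_interval_h, beta=0.0):
    """Two channels, one needed to trip (1oo2, HFT = 1).

    beta = 0 models fully independent channels, so the joint failure behaves
    like P(A) * P(B) (3.2.12). With beta > 0 a share beta of the failure rate
    is common cause and fails both channels, so the joint probability exceeds
    the product of the individual ones (3.2.6.1, Note 3)."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    lt = lambda_du * proof_test_interval_h
    independent = ((1.0 - beta) * lt) ** 2 / 3.0
    common_cause = beta * lt / 2.0
    return independent + common_cause


def is_dependent(p_joint, p_a, p_b):
    """3.2.12 Note 1: A and B are dependent if P(A and B) > P(A) * P(B)."""
    return p_joint > p_a * p_b


def compare_architectures(lambda_du, proof_test_interval_h, beta):
    """Return {name: (PFDavg, SIL)} for 1oo1, independent 1oo2 and 1oo2 with beta."""
    out = {}
    for name, pfd in (
        ("1oo1", pfd_1oo1(lambda_du, proof_test_interval_h)),
        ("1oo2 independent", pfd_1oo2(lambda_du, proof_test_interval_h)),
        (f"1oo2 beta={beta}", pfd_1oo2(lambda_du, proof_test_interval_h, beta)),
    ):
        out[name] = (pfd, sil_from_pfd(pfd))
    return out


if __name__ == "__main__":
    # Constructed inputs: lambda_DU = 1e-6 /h per channel, yearly proof test.
    for name, (pfd, sil) in compare_architectures(1e-6, 8760.0, 0.10).items():
        print(f"{name:18s} PFDavg = {pfd:.2e}  -> SIL {sil}")
```

With these inputs the single channel sits in the SIL 2 band and the independent 1oo2 estimate lands in the SIL 4 band, but a 10 % common cause share raises PFDavg by more than an order of magnitude and moves it to SIL 3, with the beta term dominating. This is why the requirements of 9.4 (preventing common cause, common mode and dependent failures) carry as much weight as hardware fault tolerance when claiming a given SIL.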
3.2.13
detected
revealed
overt
relating to hardware and software failures or faults which are not hidden because they
announce themselves or are discovered through normal operation or through dedicated
detection methods
Note 1 to entry: There are some differences in the use of these terms:
– Overt is used for failures or faults which announce themselves when they occur (e.g., due to the change of
state). The repair of such failures can begin as soon as they have occurred.
– Detected is used for failures or faults which do not announce themselves when they occur and which remain
hidden until detected by some means (e.g., diagnostic tests, proof tests, operator intervention like physical
inspection and manual tests). The repair of such failures can begin only after they have been reve
...


IEC 61511-1 ®
Edition 2.0 2016-02
REDLINE VERSION
INTERNATIONAL
STANDARD
colour
inside
Functional safety – Safety instrumented systems for the process industry
sector –
Part 1: Framework, definitions, system, hardware and software application
programming requirements
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards,
Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and
iPad.

IEC publications search - www.iec.ch/searchpub
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical
committee,…). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and
also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in
English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical
Vocabulary (IEV) online.

IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and
CISPR.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 25.040.01 ISBN 978-2-8322-3216-3

– 2 – IEC 61511-1:2016 RLV  IEC 2016
CONTENTS
FOREWORD . 5
INTRODUCTION . 2
1 Scope . 9
2 Normative references. 14
3 Terms, definitions and abbreviations . 15
3.1 Terms . 15
3.2 Terms and definitions . 15
3.3 Abbreviations . 38
4 Conformance to the IEC 61511-1:2016 . 39
5 Management of functional safety . 39
5.1 Objective . 39
5.2 Requirements . 39
5.2.1 General . 39
5.2.2 Organization and resources . 39
5.2.3 Risk evaluation and risk management . 40
5.2.4 Safety planning . 40
5.2.5 Implementing and monitoring . 40
5.2.6 Assessment, auditing and revisions . 41
5.2.7 SIS configuration management . 44
6 Safety life-cycle requirements . 44
6.1 Objectives . 44
6.2 Requirements . 45
6.3 Application program SIS safety life-cycle requirements . 47
7 Verification . 50
7.1 Objective . 50
7.2 Requirements . 50
8 Process H&RA . 52
8.1 Objectives . 52
8.2 Requirements . 52
9 Allocation of safety functions to protection layers . 53
9.1 Objectives . 53
9.2 Requirements of the allocation process . 54
9.3 Additional requirements for safety integrity level 4 .
9.3 Requirements on the basic process control system as a protection layer . 56
9.4 Requirements for preventing common cause, common mode and dependent
failures . 58
10 SIS safety requirements specification (SRS) . 58
10.1 Objective . 58
10.2 General requirements . 58
10.3 SIS safety requirements . 58
11 SIS design and engineering . 60
11.1 Objective . 61
11.2 General requirements . 61
11.3 Requirements for system behaviour on detection of a fault . 63
11.4 Requirements for Hardware fault tolerance . 63

11.5 Requirements for selection of components and subsystems devices . 65
11.5.1 Objectives . 67
11.5.2 General requirements . 67
11.5.3 Requirements for the selection of components and subsystems devices
based on prior use . 67
11.5.4 Requirements for selection of FPL programmable components and
subsystems devices (e.g., field devices) based on prior use . 69
11.5.5 Requirements for selection of LVL programmable components and
subsystems (for example, logic solvers) devices based on prior use . 69
11.5.6 Requirements for selection of FVL programmable components and
subsystems (for example, logic solvers) devices . 70
11.6 Field devices . 70
11.7 Interfaces . 71
11.7.1 General . 71
11.7.2 Operator interface requirements . 71
11.7.3 Maintenance/engineering interface requirements . 72
11.7.4 Communication interface requirements . 73
11.8 Maintenance or testing design requirements . 73
11.9 SIF probability of failure Quantification of random failure . 74
12 Requirements for application software, including selection criteria for utility software .
12.1 Application software safety life-cycle requirements .
12.2 Application software safety requirements specification .
12.3 Application software safety validation planning .
12.4 Application software design and development .
12.5 Integration of the application software with the SIS subsystem .
12.6 FPL and LVL software modification procedures .
12.7 Application software verification .
12 SIS application program development . 92
12.1 Objective . 92
12.2 General requirements . 92
12.3 Application program design . 93
12.4 Application program implementation . 94
12.5 Requirements for application program verification (review and testing) . 95
12.6 Requirements for application program methodology and tools . 96
13 Factory acceptance test (FAT) . 76
13.1 Objective . 96
13.2 Recommendations. 96
14 SIS installation and commissioning . 98
14.1 Objectives . 98
14.2 Requirements . 98
15 SIS safety validation . 99
15.1 Objective . 99
15.2 Requirements . 99
16 SIS operation and maintenance . 102
16.1 Objectives . 102
16.2 Requirements . 102
16.3 Proof testing and inspection . 104
16.3.1 Proof testing . 104
16.3.2 Inspection . 105

16.3.3 Documentation of proof tests and inspection . 105
17 SIS modification . 105
17.1 Objectives . 105
17.2 Requirements . 106
18 SIS decommissioning . 106
18.1 Objectives . 106
18.2 Requirements . 107
19 Information and documentation requirements . 107
19.1 Objectives . 107
19.2 Requirements . 107
Bibliography . 108

Figure 1 – Overall framework of the IEC 61511 series . 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 . 11
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 (see clause 1) . 12
Figure 4 – Relationship between safety instrumented functions and other functions . 14
Figure 5 – Programmable electronic system (PES): structure and terminology . 28
Figure 7 6 – Example of SIS architectures comprising three SIS subsystems . 32
Figure 8 7 – SIS safety life-cycle phases and FSA stages . 45
Figure 10 8 – Application program safety life-cycle and its relationship to the SIS
safety life-cycle . 48
Figure 9 – Typical protection layers and risk reduction methods found
in process plants means . 57
Figure 11 – Application software safety life cycle (in realization phase) .
Figure 12 − Software development life cycle (the V-model) .
Figure 13 – Relationship between the hardware and software architectures of SIS .

Table 1 – Abbreviations used in IEC 61511 . 38
Table 2 – SIS safety life-cycle overview (1 of 2). 46
Table 3 – Application program safety life-cycle: overview (1 of 2) . 49
Table 3 4 – Safety integrity levels requirements: probability of failure on demand
PFDavg . 54
Table 4 5 – Safety integrity levels requirements: average frequency of dangerous
failures of the SIF . 54
Table 5 – Minimum hardware fault tolerance of PE logic solvers .
Table 6 – Minimum hardware fault tolerance of sensors and final elements and non-PE
logic solvers .
Table 6 – Minimum HFT requirements according to SIL . 66
Table 7 – Application software safety life cycle: overview .

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 1: Framework, definitions, system,
hardware and software application programming requirements

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This redline version of the official IEC Standard allows the user to identify the changes
made to the previous edition. A vertical bar appears in the margin wherever a change
has been made. Additions are in green text, deletions are in strikethrough red text.

International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition cancels and replaces the first edition published in 2003. This edition
constitutes a technical revision. This edition includes the following significant technical
changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to
application programming;
• functional safety assessment requirements provided with more detail to improve
management of functional safety;
• management of change requirement added;
• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified and should be reviewed carefully to
understand user/integrator options.
The text of this standard is based on the following documents:
FDIS: 65A/777/FDIS
Report on voting: 65A/784/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
safety instrumented systems for the process industry sector, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of September 2016 have been included in this copy.

IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.

INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety
instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively
used for SIFs, it is essential that this instrumentation achieves certain minimum standards
and performance levels.
The IEC 61511 series addresses the application of SISs for the process industries. The
IEC 61511 series also requires addresses a process Hazard and Risk Assessment (H&RA) to
be carried out to enable the specification for SISs to be derived. Other safety systems'
contributions are only considered so that their contribution can be taken into account when
considering with respect to the performance requirements for the SIS. The SIS includes all
components and subsystems devices necessary to carry out each SIF from sensor(s) to final
element (s).
The IEC 61511 series has two concepts which are fundamental to its application: SIS safety
life-cycle and safety integrity levels (SILs).
The IEC 61511 series addresses SISs which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the
functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors
and final elements regardless of the technology used. The IEC 61511 series is process
industry specific within the framework of the IEC 61508 series (see Annex A).
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum standards principles. This approach has been adopted in order that a rational and
consistent technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. However in
some instances this is not possible or not practical. If necessary, this may be combined with a
protective system or systems to address any residual identified risk. Protective systems can
rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• requires addresses that a H&RA is carried out to identify the overall safety requirements;
• requires addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented methods means of
achieving functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying
principles, terminology, and information) within the process industries. This should have both
safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511
series.
In jurisdictions where the governing authorities (e.g., national, federal, state, province, county,
city) have established process safety design, process safety management, or other
requirements regulations, these take precedence over the requirements defined in the
IEC 61511 series.

[Figure 1 (diagram, reproduced as text). Technical requirements, all in Part 1:
– development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Clause 8;
– allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification: Clauses 9 and 10;
– design phase for safety instrumented systems: Clause 11; design phase for SIS application programming: Clause 12;
– factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems: Clauses 13, 14 and 15;
– operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Clauses 16, 17 and 18.
Support parts: references (Part 1, Clause 2); definitions and abbreviations (Part 1, Clause 3); conformance (Part 1, Clause 4); management of functional safety (Part 1, Clause 5); safety life-cycle requirements (Part 1, Clause 6); verification (Part 1, Clause 7); information requirements (Part 1, Clause 19); guideline for the application of Part 1 (Part 2); guidance for the determination of the required safety integrity levels (Part 3).]
Figure 1 – Overall framework of the IEC 61511 series


1 Scope
This part of IEC 61511 gives requirements for the specification, design, installation, operation
and maintenance of a safety instrumented system (SIS), so that it can be confidently
entrusted to place and/ achieve or maintain a safe state of the process. IEC 61511-1 has
been developed as a process sector implementation of IEC 61508:2010.
In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (e.g., designers, suppliers,
owner/operating company, contractor). This responsibility will be assigned to different
parties according to safety planning, project planning and management, and national
regulations;
b) applies when equipment devices that meets the requirements of the IEC 61508 series
published in 2010, or IEC 61511-1:2016 [11.5], is integrated into an overall system that is
to be used for a process sector application. It does not apply to manufacturers wishing to
claim that devices are suitable for use in SISs for the process sector (see IEC 61508-
2:2010 and IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application software is programs are developed for systems having limited
variability language or when using fixed programmes programming language devices, but
does not apply to manufacturers, SIS designers, integrators and users that develop
embedded software (system software) or use full variability languages (see IEC 61508-
3:2010);
e) applies to a wide variety of industries within the process sector for example, chemicals, oil
refining, oil and gas production, pulp and paper, pharmaceuticals, food and beverage, and
non-nuclear power generation;
NOTE 1 Within the process sector some applications, (for example, off-shore), may have additional
requirements that have to be satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the SIF taking into account the risk reduction achieved by other means methods;
h) specifies life-cycle requirements for system architecture and hardware configuration,
application software programming, and system integration;
i) specifies requirements for application software programming for users and integrators of
SISs (clause 12).
In particular, requirements for the following are specified:
– safety life-cycle phases and activities that are to be applied during the design and
development of the application software (the software safety life-cycle model). These
requirements include the application of measures and techniques, which are intended to
avoid faults in the software and to control failures which may occur;
– information relating to the software safety validation to be passed to the organization
carrying out the SIS integration;

– preparation of information and procedures concerning software needed by the user for the
operation and maintenance of the SIS;
– procedures and specifications to be met by the organization carrying out modifications to
safety software;
j) applies when functional safety is achieved using one or more SIFs for the protection of
personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for
achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are
necessary to determine the functional requirements and the safety integrity requirements
for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand
mode) and average frequency of dangerous failures per hour for the safety integrity levels
(in demand mode or continuous mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved
for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which
IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for
specific applications (which should be established based on knowledge of the particular
application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person:

[Figure 2 (image not reproduced): process sector safety instrumented system standards. Manufacturers and suppliers of devices: IEC 61508. Safety instrumented systems designers, integrators and users: IEC 61511.]
Figure 2 – Relationship between IEC 61511 and IEC 61508
NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in
IEC 61511.

[Figure 3 (image not reproduced): process sector safety instrumented system standards, split into process sector hardware and process sector software and application program.
Hardware: developing new hardware devices – follow IEC 61508; using prior use hardware devices – follow IEC 61511; using hardware developed and assessed according to IEC 61508 – follow IEC 61511.
Software and application program: developing embedded (system) software – follow IEC 61508-3; developing application program using full variability languages – follow IEC 61508-3; developing application program using limited variability or fixed program languages – follow IEC 61511.]
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 (see clause 1)
NOTE 4 Subclause 7.2.2 in IEC 61511-1:2016 and IEC 61511-2:2016 contain guidance on handling integration of sub-systems that comply with other standards (such as machinery, burner, etc.).
[Figure (image not reproduced; figure identifier IEC 3243/02): decision flow for classifying a function. Decision boxes: Start; Is it an instrumented function? (Yes/No); Safety related function? (Yes/No); Mode? (Continuous/Demand); Type? (Prevention/Mitigation). Outcomes: Not relevant; Other means of risk reduction; Basic process control and/or asset protection function; Safety instrumented control function; Safety instrumented protection function; Safety instrumented prevention function; Safety instrumented mitigation function. Standard specifies activities which are to be carried out but requirements are not detailed.]

[Figure 4 (image not reproduced): decision flow for classifying a function. Decision boxes: Start; Is this an instrumented function? (Yes/No); Safety function? (Yes/No); Safety instrumented function? (Yes/No); Mode? (Continuous/Demand). Outcomes: Not relevant; Other means of risk reduction; Other instrumented means of risk reduction; Demand mode SIF; Continuous mode SIF. Standard specifies activities which are to be carried out but requirements are not detailed.]
Figure 4 – Relationship between safety instrumented functions and other functions
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60654-1:1993, Industrial-process measurement and control equipment – Operating conditions – Part 1: Climatic conditions
IEC 60654-3:1998, Industrial-process measurement and control equipment – Operating conditions – Part 3: Mechanical influences
IEC 61326-1, Electrical equipment for measurement, control and laboratory use – EMC requirements
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
IEC 61511-2, Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines in the application of IEC 61511-1
3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.
3.2 Terms and definitions
For the purposes of this document, the following definitions apply.
In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases
this is due to the terminology used in the process sector. In other cases these definitions have been aligned with
other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary,
ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning
between these definitions and the definitions of the same terms in IEC 61508-4:2010.
3.2.1
architecture
configuration
arrangement specific configuration of hardware and/or software elements components in a
system
NOTE This term differs from the definition in IEC 61508-4 to reflect differences in the process sector terminology.
Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal
structure of a SIS subsystem arrangement of software programs or the internal structure of SIS application
programs.
3.2.2
asset protection
function allocated to a system design and designed for the purpose of preventing loss or
damage to assets
3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or operators and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any SIF with a claimed SIL ≥ 1
NOTE See Clause A.2.
Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired
manner.
Note 2 to entry: A BPCS typically may implement various functions such as process control functions,
monitoring, and alarms.
3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed

Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the
operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element
operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the
application program).
Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or
inhibit or muting.
3.2.5
channel
device or group of devices that independently perform(s) a specified function
Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers (see 3.2.40), sensors, and final elements.
Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently
perform the same function. Channels may be identical or diverse.
Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or
final elements).
Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault
tolerance requirements.
3.2.5
coding
see “programming”
3.2.6
common cause
3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are not consequences of each other
Note 1 to entry: All the failures due to a common cause do not necessarily occur exactly at the same time and this
may allow time to detect the occurrence of the common cause before a SIF is actually failed.
Note 2 to entry: Common cause failures can also lead to common mode failures.
Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault
tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).
Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g.,
temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation
errors, bugs), human error (e.g., misuse), etc.
Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to 3.2.6.1 definition.
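To make Notes 3 and 4 concrete, the following is an added illustration, not text or code from IEC 61511-1, of how a common cause contribution erodes the benefit of a redundant two-channel (1oo2) arrangement. It uses the simplified beta-factor PFDavg formulas of the kind given in IEC 61508-6, which this page does not reproduce; the failure rate, proof-test interval and beta values are constructed assumptions, and the SIL bands in `sil_band` are the demand-mode PFDavg bands of Table 4, which this page lists only by title.

```python
"""Added illustration, not text or code from IEC 61511-1: how a common cause
contribution erodes the benefit of channel redundancy.

Simplified beta-factor PFDavg formulas of the kind given in IEC 61508-6 (not
reproduced on this page). All numeric inputs below are constructed assumptions.
"""

# Demand-mode SIL bands for PFDavg (IEC 61511-1 Table 4, listed on this page
# only by title): (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def _check_small(lambda_t: float) -> None:
    """The simplified formulas assume lambda_du * T << 1; refuse inputs
    where the approximation is clearly not valid."""
    if lambda_t > 0.1:
        raise ValueError("lambda_du * T too large for the simplified formulas")


def pfd_avg_1oo1(lambda_du: float, t_proof_h: float) -> float:
    """Average PFD of one channel with dangerous undetected failure rate
    lambda_du (per hour), proof-tested every t_proof_h hours and fully
    restored by the test: PFDavg = lambda_du * T / 2."""
    _check_small(lambda_du * t_proof_h)
    return lambda_du * t_proof_h / 2.0


def pfd_avg_1oo2(lambda_du: float, t_proof_h: float, beta: float) -> float:
    """Average PFD of two channels voted 1oo2 (either channel alone can act).

    beta is the fraction of each channel's dangerous failures that are common
    cause, i.e. a single event that takes both channels out together.
    Independent term: (1 - beta)^2 * (lambda_du * T)^2 / 3 (both must fail).
    Common cause term: beta * lambda_du * T / 2 (behaves like a single channel
    of rate beta * lambda_du, so redundancy does not help against it).
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction between 0 and 1")
    _check_small(lambda_du * t_proof_h)
    lambda_t = lambda_du * t_proof_h
    independent = ((1.0 - beta) * lambda_t) ** 2 / 3.0
    common_cause = beta * lambda_t / 2.0
    return independent + common_cause


def common_cause_share(lambda_du: float, t_proof_h: float, beta: float) -> float:
    """Fraction of the 1oo2 PFDavg contributed by the common cause term."""
    common_cause = beta * lambda_du * t_proof_h / 2.0
    return common_cause / pfd_avg_1oo2(lambda_du, t_proof_h, beta)


def sil_band(pfd_avg: float) -> int:
    """Demand-mode SIL band for a PFDavg; 0 when outside the tabulated bands
    (>= 0.1 is below SIL 1, where the standard does not apply; < 1e-5 is
    beyond SIL 4)."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed example: lambda_du = 1e-6 /h (roughly 0.9 % per year),
    # one-year proof-test interval.
    lambda_du, t_proof_h = 1e-6, 8760.0
    single = pfd_avg_1oo1(lambda_du, t_proof_h)
    print(f"1oo1: PFDavg={single:.2e} SIL {sil_band(single)}")
    for beta in (0.0, 0.02, 0.1):
        dual = pfd_avg_1oo2(lambda_du, t_proof_h, beta)
        share = common_cause_share(lambda_du, t_proof_h, beta)
        print(f"1oo2 beta={beta:.2f}: PFDavg={dual:.2e} SIL {sil_band(dual)} "
              f"({share:.0%} from common cause)")
```

With the constructed figures a single channel sits in the SIL 2 band and two fully independent channels would reach the SIL 4 band, but a 10 % common cause fraction pulls the pair back into the SIL 3 band with more than 90 % of the PFDavg coming from the common cause term. That is the quantitative content of Note 3: the common cause term, not the independent double failure, sets the floor on what adding identical channels can achieve, which is why the causes listed in Note 4 have to be attacked at their source rather than by further redundancy.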
3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (
...


IEC 61511-1 ®
Edition 2.0 2016-02
INTERNATIONAL STANDARD
Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.


IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
ICS 13.110; 25.040.01 ISBN 978-2-8322-3159-3

CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 9
2 Normative references. 12
3 Terms, definitions and abbreviations . 13
3.1 Terms . 13
3.2 Terms and definitions . 13
3.3 Abbreviations . 31
4 Conformance to the IEC 61511-1:2016 . 33
5 Management of functional safety . 33
5.1 Objective . 33
5.2 Requirements . 33
5.2.1 General . 33
5.2.2 Organization and resources . 33
5.2.3 Risk evaluation and risk management . 34
5.2.4 Safety planning . 34
5.2.5 Implementing and monitoring . 34
5.2.6 Assessment, auditing and revisions . 35
5.2.7 SIS configuration management . 37
6 Safety life-cycle requirements . 37
6.1 Objectives . 37
6.2 Requirements . 38
6.3 Application program SIS safety life-cycle requirements . 40
7 Verification . 43
7.1 Objective . 43
7.2 Requirements . 43
8 Process H&RA . 45
8.1 Objectives . 45
8.2 Requirements . 45
9 Allocation of safety functions to protection layers . 46
9.1 Objectives . 46
9.2 Requirements of the allocation process . 46
9.3 Requirements on the basic process control system as a protection layer . 49
9.4 Requirements for preventing common cause, common mode and dependent failures . 50
10 SIS safety requirements specification (SRS) . 50
10.1 Objective . 50
10.2 General requirements . 50
10.3 SIS safety requirements . 50
11 SIS design and engineering . 53
11.1 Objective . 53
11.2 General requirements . 53
11.3 Requirements for system behaviour on detection of a fault . 54
11.4 Hardware fault tolerance . 55
11.5 Requirements for selection of devices . 56

11.5.1 Objectives . 56
11.5.2 General requirements . 56
11.5.3 Requirements for the selection of devices based on prior use . 56
11.5.4 Requirements for selection of FPL programmable devices (e.g., field devices) based on prior use . 57
11.5.5 Requirements for selection of LVL programmable devices based on prior use . 58
11.5.6 Requirements for selection of FVL programmable devices . 59
11.6 Field devices . 59
11.7 Interfaces . 59
11.7.1 General . 59
11.7.2 Operator interface requirements . 59
11.7.3 Maintenance/engineering interface requirements . 60
11.7.4 Communication interface requirements . 60
11.8 Maintenance or testing design requirements . 61
11.9 Quantification of random failure . 61
12 SIS application program development . 63
12.1 Objective . 63
12.2 General requirements . 63
12.3 Application program design . 64
12.4 Application program implementation . 65
12.5 Requirements for application program verification (review and testing) . 66
12.6 Requirements for application program methodology and tools . 67
13 Factory acceptance test (FAT) . 68
13.1 Objective . 68
13.2 Recommendations. 68
14 SIS installation and commissioning . 69
14.1 Objectives . 69
14.2 Requirements . 69
15 SIS safety validation . 70
15.1 Objective . 70
15.2 Requirements . 70
16 SIS operation and maintenance . 73
16.1 Objectives . 73
16.2 Requirements . 73
16.3 Proof testing and inspection . 75
16.3.1 Proof testing . 75
16.3.2 Inspection . 76
16.3.3 Documentation of proof tests and inspection . 76
17 SIS modification . 76
17.1 Objectives . 76
17.2 Requirements . 77
18 SIS decommissioning . 77
18.1 Objectives . 77
18.2 Requirements . 78
19 Information and documentation requirements . 78
19.1 Objectives . 78
19.2 Requirements . 78

Bibliography . 80

Figure 1 – Overall framework of the IEC 61511 series . 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 . 10
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 . 11
Figure 4 – Relationship between safety instrumented functions and other functions . 12
Figure 5 – Programmable electronic system (PES): structure and terminology . 24
Figure 6 – Example of SIS architectures comprising three SIS subsystems . 27
Figure 7 – SIS safety life-cycle phases and FSA stages . 38
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle . 41
Figure 9 – Typical protection layers and risk reduction means . 49

Table 1 – Abbreviations used in IEC 61511 . 32
Table 2 – SIS safety life-cycle overview (1 of 2). 39
Table 3 – Application program safety life-cycle: overview (1 of 2) . 42
Table 4 – Safety integrity requirements: PFDavg . 47
Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF . 47
Table 6 – Minimum HFT requirements according to SIL . 55

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 1: Framework, definitions, system,
hardware and application programming requirements

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition cancels and replaces the first edition published in 2003. This edition
constitutes a technical revision. This edition includes the following significant technical
changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to
application programming;
• functional safety assessment requirements provided with more detail to improve management of functional safety;
• management of change requirement added;

• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified and should be reviewed carefully to
understand user/integrator options.
The text of this standard is based on the following documents:
FDIS: 65A/777/FDIS
Report on voting: 65A/784/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
safety instrumented systems for the process industry sector, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of September 2016 have been included in this copy.

INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety
instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively
used for SIFs, it is essential that this instrumentation achieves certain minimum standards
and performance levels.
The IEC 61511 series addresses the application of SISs for the process industries. The
IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be
carried out to enable the specification for SISs to be derived. Other safety systems'
contributions are only considered with respect to the performance requirements for the SIS.
The SIS includes all devices necessary to carry out each SIF from sensor(s) to final
element(s).
The IEC 61511 series has two concepts which are fundamental to its application: SIS safety
life-cycle and safety integrity levels (SILs).
The IEC 61511 series addresses SISs which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the
functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors
and final elements regardless of the technology used. The IEC 61511 series is process
industry specific within the framework of the IEC 61508 series.
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum principles. This approach has been adopted in order that a rational and consistent
technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. However in
some instances this is not possible or not practical. If necessary, this may be combined with a
protective system or systems to address any residual identified risk. Protective systems can
rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• addresses that a H&RA is carried out to identify the overall safety requirements;
• addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented means of achieving
functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying
principles, terminology, and information) within the process industries. This should have both
safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511
series.
In jurisdictions where the governing authorities (e.g., national, federal, state, province, county,
city) have established process safety design, process safety management, or other
regulations, these take precedence over the requirements defined in the IEC 61511 series.


[Figure 1 (image not reproduced): overall framework of the IEC 61511 series.
Technical requirements (Part 1): development of the overall safety requirements (concept, scope definition, hazard and risk assessment) – Clause 8; allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification – Clauses 9 and 10; design phase for safety instrumented systems – Clause 11; design phase for SIS application programming – Clause 12; factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems – Clauses 13, 14, and 15; operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems – Clauses 16, 17, and 18.
Support parts: references – Part 1, Clause 2; definitions and abbreviations – Part 1, Clause 3; conformance – Part 1, Clause 4; management of functional safety – Part 1, Clause 5; safety life-cycle requirements – Part 1, Clause 6; verification – Part 1, Clause 7; information requirements – Part 1, Clause 19; guideline for the application of Part 1 – Part 2; guidance for the determination of the required safety integrity levels – Part 3.]
Figure 1 – Overall framework of the IEC 61511 series


1 Scope
This part of IEC 61511 gives requirements for the specification, design, installation, operation
and maintenance of a safety instrumented system (SIS), so that it can be confidently
entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been
developed as a process sector implementation of IEC 61508:2010.
In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (e.g., designers, suppliers,
owner/operating company, contractor). This responsibility will be assigned to different
parties according to safety planning, project planning and management, and national
regulations;
b) applies when devices that meet the requirements of the IEC 61508 series published in
2010, or IEC 61511-1:2016 [11.5], are integrated into an overall system that is to be used
for a process sector application. It does not apply to manufacturers wishing to claim that
devices are suitable for use in SISs for the process sector (see IEC 61508-2:2010 and
IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application programs are developed for systems having limited variability
language or when using fixed programming language devices, but does not apply to
manufacturers, SIS designers, integrators and users that develop embedded software
(system software) or use full variability languages (see IEC 61508-3:2010);
e) applies to a wide variety of industries within the process sector, for example, chemicals, oil
and gas, pulp and paper, pharmaceuticals, food and beverage, and non-nuclear power
generation;
NOTE 1 Within the process sector some applications may have additional requirements that have to be
satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the SIF taking into account the risk reduction achieved by other methods;
h) specifies life-cycle requirements for system architecture and hardware configuration,
application programming, and system integration;
i) specifies requirements for application programming for users and integrators of SISs;
j) applies when functional safety is achieved using one or more SIFs for the protection of
personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications, for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for
achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are
necessary to determine the functional requirements and the safety integrity requirements
for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and
safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand
mode) and average frequency of dangerous failures (in demand mode or continuous
mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved
for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which
IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for
specific applications (which should be established based on knowledge of the particular
application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person.
Figure 2 (diagram; text recovered from the figure): process sector safety instrumented system standards
– IEC 61508: manufacturers and suppliers of devices
– IEC 61511: safety instrumented systems designers, integrators and users
Figure 2 – Relationship between IEC 61511 and IEC 61508
NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in
IEC 61511.
Figure 3 (diagram; text recovered from the figure): process sector safety instrumented system standards
Process sector hardware:
– developing new hardware devices: follow IEC 61508
– using prior use hardware devices: follow IEC 61511
– using hardware developed and assessed according to IEC 61508: follow IEC 61511
Process sector software and application program:
– developing embedded (system) software: follow IEC 61508-3
– developing application program using full variability languages: follow IEC 61508-3
– developing application program using limited variability or fixed program languages: follow IEC 61511
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508
NOTE 4 Subclause 7.2.2 of IEC 61511-1:2016 and IEC 61511-2:2016 contains guidance on handling integration of sub-systems that comply with other standards (such as
machinery, burner, etc.).

Figure 4 (decision flow; text recovered from the figure):
– Start: is this an instrumented function?
– No: safety function? No: not relevant. Yes: other means of risk reduction.
– Yes: safety instrumented function? No: other instrumented function. Yes: continuous or demand mode? Continuous mode SIF or demand mode SIF.
– Standard specifies activities which are to be carried out but requirements are not detailed.
Figure 4 – Relationship between safety instrumented functions and other functions
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General Requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements

3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.
3.2 Terms and definitions
For the purposes of this document, the following definitions apply.
In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases
this is due to the terminology used in the process sector. In other cases these definitions have been aligned with
other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary,
ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning
between these definitions and the definitions of the same terms in IEC 61508-4:2010.
3.2.1
architecture
configuration
specific configuration of hardware and software components in a system
Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal
structure of a SIS subsystem or the internal structure of SIS application programs.
3.2.2
asset protection
function allocated to a system and designed for the purpose of preventing loss or damage to
assets
3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or operators and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any SIF
Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired
manner.
Note 2 to entry: A BPCS typically may implement various functions such as process control functions,
monitoring, and alarms.
3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed
Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the
operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element
operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the
application program).
Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or
inhibit or muting.
3.2.5
channel
device or group of devices that independently perform(s) a specified function

Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers, sensors, and
final elements.
Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently
perform the same function. Channels may be identical or diverse.
Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or
final elements).
Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault
tolerance requirements.
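Added example (not from IEC 61511 or any vendor): a toy demand-mode SIF with a dual (1oo2) channel logic solver, as in Note 2 to 3.2.5, exercised against the bypass forms listed in Note 1 to 3.2.4 (input blocked from the trip logic while the alarm is still shown, input forced by an engineering tool, output held in the normal state). Tag names, the 90 % setpoint and the measured values are constructed; the point is which bypass combinations leave an alarmed demand unacted, which is the degraded state a compensating measure (3.2.7) has to cover.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Bypass(Enum):
    """Bypass forms taken from Note 1 to 3.2.4 (the labels are this example's own)."""
    NONE = "none"
    INPUT = "input"     # input blocked from trip logic; value and alarm still shown
    FORCED = "forced"   # preselected input state forced by an engineering tool
    # the output bypass (final element held in normal state) is a SIF-level flag below


@dataclass
class Channel:
    """One sensor channel of a high-level trip; each channel decides independently (3.2.5)."""
    name: str
    trip_setpoint: float                 # constructed value, level in %
    bypass: Bypass = Bypass.NONE
    forced_value: Optional[float] = None  # only used with Bypass.FORCED

    def evaluate(self, measured: float) -> dict:
        alarm = measured >= self.trip_setpoint   # the operator still sees the alarm
        if self.bypass is Bypass.INPUT:
            demand = False                       # blocked from the trip logic
        elif self.bypass is Bypass.FORCED:
            demand = self.forced_value >= self.trip_setpoint
        else:
            demand = alarm
        return {"channel": self.name, "demand_to_logic": demand,
                "displayed": measured, "alarm": alarm,
                "bypassed": self.bypass is not Bypass.NONE}


def evaluate_sif(channels, measurements, output_bypass=False) -> dict:
    """1oo2 demand-mode SIF: trip if any channel demands; an output bypass holds
    the final element in its normal state regardless of the logic result."""
    if len(channels) != len(measurements):
        raise ValueError("one measurement per channel")
    results = [ch.evaluate(m) for ch, m in zip(channels, measurements)]
    logic_trip = any(r["demand_to_logic"] for r in results)
    final_element = "normal" if output_bypass or not logic_trip else "tripped"
    bypass_count = sum(r["bypassed"] for r in results) + int(output_bypass)
    # Any active bypass degrades SIS performance (3.2.7); an alarmed demand that
    # does not reach the final element is the case worth flagging and logging.
    unacted_demand = any(r["alarm"] for r in results) and final_element != "tripped"
    return {"logic_trip": logic_trip, "final_element": final_element,
            "alarms": [r["channel"] for r in results if r["alarm"]],
            "degraded": bypass_count > 0,
            "unacted_demand": unacted_demand,
            "per_channel": results}


def scenarios() -> dict:
    """Constructed scenarios for a dual-channel high-level trip at 90 %."""
    a, b = Channel("LT-A", 90.0), Channel("LT-B", 90.0)
    demand = [95.0, 94.0]   # both transmitters above the setpoint
    out = {}
    out["normal_demand"] = evaluate_sif([a, b], demand)
    out["one_input_bypass"] = evaluate_sif(
        [Channel("LT-A", 90.0, Bypass.INPUT), b], demand)
    out["both_input_bypass"] = evaluate_sif(
        [Channel("LT-A", 90.0, Bypass.INPUT), Channel("LT-B", 90.0, Bypass.INPUT)], demand)
    out["forced_inputs"] = evaluate_sif(
        [Channel("LT-A", 90.0, Bypass.FORCED, forced_value=50.0),
         Channel("LT-B", 90.0, Bypass.FORCED, forced_value=50.0)], demand)
    out["output_bypass"] = evaluate_sif([a, b], demand, output_bypass=True)
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:18s} logic_trip={r['logic_trip']!s:5s} final={r['final_element']:8s} "
              f"degraded={r['degraded']!s:5s} unacted_demand={r['unacted_demand']}")
```

With one channel bypassed the second channel still trips the function, which is the redundancy the dual-channel configuration buys; with both inputs bypassed, both forced low, or the output held normal, the demand is alarmed but never acted on.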
3.2.6
common cause
3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are
not consequences of each other
Note 1 to entry: Failures due to a common cause do not necessarily all occur at exactly the same time, and this
may allow time to detect the occurrence of the common cause before a SIF has actually failed.
Note 2 to entry: Common cause failures can also lead to common mode failures.
Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault
tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).
Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g.,
temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation
errors, bugs), human error (e.g., misuse), etc.
Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to 3.2.6.1 definition.
3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (i.e., identical
faults)
Note 1 to entry: Common mode failures may have different causes.
Note 2 to entry: Common mode failures can also be the result of common cause failures (3.2.6.1).
Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy and
fault tolerance (e.g., failure of two or more channels in the same way, causing the same erroneous result).
Note 4 to entry: By extension, a common mode failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to 3.2.6.2 definition.
3.2.7
compensating measure
temporary implementation of planned and documented methods for managing risks during any
period of maintenance or process operation when it is known that the performance of the SIS
is degraded
3.2.8
component
one of the parts of a system, SIS subsystem, or device performing a specified function
Note 1 to entry: Component may also include software.

3.2.9
configuration management
discipline of identifying the components and the arrangements of those components of an
evolving system for the purposes of controlling changes to those components, and
maintaining continuity of the system and traceability of any changes throughout the life-cycle
3.2.9.1
conservative approach
cautious way of doing analysis and calculations
Note 1 to entry: In the safety field, each time an analysis, assumption or calculation has to be made (about
models, input data, computations, etc.), it can be chosen so as to be sure to produce pessimistic results.
3.2.10
control system
system which responds to input signals from the process and/or from an operator and
generates output signals causing the process to operate in the desired manner
Note 1 to entry: The control system includes sensors and final elements and may be either a BPCS or a SIS or
a combination of the two.
3.2.11
dangerous failure
failure which impedes or disables a given safety action
Note 1 to entry: A failure is "dangerous" only with regard to a given SIF.
Note 2 to entry: When fault tolerance is implemented, a dangerous failure can lead to either:
– a deg
...


IEC 61511-1
Edition 2.1 2017-08
CONSOLIDATED VERSION
INTERNATIONAL STANDARD
Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and application programming requirements
IEC 61511-1:2016-02+AMD1:2017-08 CSV(en-fr)

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.


IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
ICS 13.110; 25.040.01 ISBN 978-2-8322-8012-6

IEC 61511-1 Edition 2.1 2017-08, CONSOLIDATED VERSION, REDLINE VERSION

– 2 – IEC 61511-1:2016+AMD1:2017 CSV
© IEC 2017
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 9
2 Normative references . 12
3 Terms, definitions and abbreviations . 13
3.1 Terms . 13
3.2 Terms and definitions . 13
3.3 Abbreviations . 31
4 Conformance to the IEC 61511-1:2016 . 32
5 Management of functional safety . 32
5.1 Objective . 32
5.2 Requirements . 33
5.2.1 General . 33
5.2.2 Organization and resources . 33
5.2.3 Risk evaluation and risk management . 33
5.2.4 Safety planning . 33
5.2.5 Implementing and monitoring . 34
5.2.6 Assessment, auditing and revisions . 34
5.2.7 SIS configuration management . 37
6 Safety life-cycle requirements . 37
6.1 Objectives . 37
6.2 Requirements . 38
6.3 Application program SIS safety life-cycle requirements . 40
7 Verification . 43
7.1 Objective . 43
7.2 Requirements . 43
8 Process H&RA . 45
8.1 Objectives . 45
8.2 Requirements . 45
9 Allocation of safety functions to protection layers . 46
9.1 Objectives . 46
9.2 Requirements of the allocation process . 46
9.3 Requirements on the basic process control system as a protection layer . 49
9.4 Requirements for preventing common cause, common mode and dependent
failures . 50
10 SIS safety requirements specification (SRS) . 50
10.1 Objective . 50
10.2 General requirements . 50
10.3 SIS safety requirements . 51
11 SIS design and engineering . 53
11.1 Objective . 53
11.2 General requirements . 53
11.3 Requirements for system behaviour on detection of a fault . 54
11.4 Hardware fault tolerance . 55
11.5 Requirements for selection of devices . 56

11.5.1 Objectives . 56
11.5.2 General requirements . 56
11.5.3 Requirements for the selection of devices based on prior use . 56
11.5.4 Requirements for selection of FPL programmable devices (e.g., field
devices) based on prior use . 57
11.5.5 Requirements for selection of LVL programmable devices based on
prior use . 58
11.5.6 Requirements for selection of FVL programmable devices . 59
11.6 Field devices. 59
11.7 Interfaces . 59
11.7.1 General . 59
11.7.2 Operator interface requirements . 59
11.7.3 Maintenance/engineering interface requirements . 60
11.7.4 Communication interface requirements . 60
11.8 Maintenance or testing design requirements . 61
11.9 Quantification of random failure . 61
12 SIS application program development . 63
12.1 Objective . 63
12.2 General requirements . 63
12.3 Application program design . 64
12.4 Application program implementation . 65
12.5 Requirements for application program verification (review and testing) . 66
12.6 Requirements for application program methodology and tools . 67
13 Factory acceptance test (FAT) . 68
13.1 Objective . 68
13.2 Recommendations . 68
14 SIS installation and commissioning . 69
14.1 Objectives . 69
14.2 Requirements . 69
15 SIS safety validation . 70
15.1 Objective . 70
15.2 Requirements . 70
16 SIS operation and maintenance . 73
16.1 Objectives . 73
16.2 Requirements . 73
16.3 Proof testing and inspection . 75
16.3.1 Proof testing . 75
16.3.2 Inspection . 76
16.3.3 Documentation of proof tests and inspection . 76
17 SIS modification . 76
17.1 Objectives . 76
17.2 Requirements . 77
18 SIS decommissioning . 77
18.1 Objectives . 77
18.2 Requirements . 78
19 Information and documentation requirements . 78
19.1 Objectives . 78
19.2 Requirements . 78

Bibliography . 80

Figure 1 – Overall framework of the IEC 61511 series . 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 . 10
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 . 11
Figure 4 – Relationship between safety instrumented functions and other functions . 12
Figure 5 – Programmable electronic system (PES): structure and terminology . 24
Figure 6 – Example of SIS architectures comprising three SIS subsystems . 26
Figure 7 – SIS safety life-cycle phases and FSA stages . 38
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety
life-cycle . 41
Figure 9 – Typical protection layers and risk reduction means . 49

Table 1 – Abbreviations used in IEC 61511 . 31
Table 2 – SIS safety life-cycle overview (1 of 2) . 39
Table 3 – Application program safety life-cycle: overview (1 of 2) . 42
Table 4 – Safety integrity requirements: PFDavg . 47
Table 5 – Safety integrity requirements: average frequency of dangerous failures of the
SIF . 47
Table 6 – Minimum HFT requirements according to SIL . 55

INTERNATIONAL ELECTROTECHNICAL COMMISSION
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and application programming requirements
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This consolidated version of the official IEC Standard and its amendment has been prepared
for user convenience.
IEC 61511-1 edition 2.1 contains the second edition (2016-02) [documents 65A/777/FDIS and
65A/784/RVD], its corrigendum 1 (2016-09) and its amendment 1 (2017-08) [documents 65A/844/
FDIS and 65A/848/RVD].
In this Redline version, a vertical line in the margin shows where the technical content is
modified by amendment 1. Additions are in green text, deletions are in strikethrough red text. A
separate Final version with all changes accepted is available in this publication.

International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition constitutes a technical revision and includes the following
significant technical changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to
application programming;
• functional safety assessment requirements provided with more detail to improve
management of functional safety;
• management of change requirement added;
• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified and should be reviewed carefully to
understand user/integrator options.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
safety instrumented systems for the process industry sector, can be found on the IEC website.
The committee has decided that the contents of the base publication and its amendment will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
© IEC 2017
INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety
instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively
used for SIFs, it is essential that this instrumentation achieves certain minimum standards
and performance levels.
The IEC 61511 series addresses the application of SISs for the process industries. The
IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be
carried out to enable the specification for SISs to be derived. Other safety systems'
contributions are only considered with respect to the performance requirements for the SIS.
The SIS includes all devices necessary to carry out each SIF from sensor(s) to final
element(s).
The IEC 61511 series has two concepts which are fundamental to its application: SIS safety
life-cycle and safety integrity levels (SILs).
The IEC 61511 series addresses SISs which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the
functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors
and final elements regardless of the technology used. The IEC 61511 series is process
industry specific within the framework of the IEC 61508 series.
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum principles. This approach has been adopted in order that a rational and consistent
technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. However in
some instances this is not possible or not practical. If necessary, this may be combined with a
protective system or systems to address any residual identified risk. Protective systems can
rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• addresses that a H&RA is carried out to identify the overall safety requirements;
• addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented means of achieving
functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying
principles, terminology, and information) within the process industries. This should have both
safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511
series.
In jurisdictions where the governing authorities (e.g., national, federal, state, province, county,
city) have established process safety design, process safety management, or other
regulations, these take precedence over the requirements defined in the IEC 61511 series.

– 8 – IEC 61511-1:2016+AMD1:2017 CSV
© IEC 2017
[Figure 1 (diagram rendered as text): safety life-cycle structure of the IEC 61511 series]
Technical requirements (Part 1): Development of the overall safety requirements (concept, scope definition, hazard and risk assessment) – Clause 8; Allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification – Clauses 9 and 10; Design phase for safety instrumented systems – Clause 11; Design phase for SIS application programming – Clause 12; Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems – Clauses 13, 14, and 15; Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems – Clauses 16, 17, and 18.
Support parts (Part 1): References – Clause 2; Definitions and abbreviations – Clause 3; Conformance – Clause 4; Management of functional safety – Clause 5; Safety life-cycle requirements – Clause 6; Verification – Clause 7; Information requirements – Clause 19.
Part 2: Guideline for the application of Part 1. Part 3: Guidance for the determination of the required safety integrity levels.
Figure 1 – Overall framework of the IEC 61511 series

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 1: Framework, definitions, system,
hardware and application programming requirements

1 Scope
This part of IEC 61511 gives requirements for the specification, design, installation, operation
and maintenance of a safety instrumented system (SIS), so that it can be confidently
entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been
developed as a process sector implementation of IEC 61508:2010.
In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (e.g., designers, suppliers,
owner/operating company, contractor). This responsibility will be assigned to different
parties according to safety planning, project planning and management, and national
regulations;
b) applies when devices that meet the requirements of the IEC 61508 series published in
2010, or IEC 61511-1:2016 [11.5], are integrated into an overall system that is to be used
for a process sector application. It does not apply to manufacturers wishing to claim that
devices are suitable for use in SISs for the process sector (see IEC 61508-2:2010 and
IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application programs are developed for systems having limited variability
language or when using fixed programming language devices, but does not apply to
manufacturers, SIS designers, integrators and users that develop embedded software
(system software) or use full variability languages (see IEC 61508-3:2010);
e) applies to a wide variety of industries within the process sector, for example chemicals, oil
and gas, pulp and paper, pharmaceuticals, food and beverage, and non-nuclear power
generation;
NOTE 1 Within the process sector some applications may have additional requirements that have to be
satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the SIF taking into account the risk reduction achieved by other methods;
h) specifies life-cycle requirements for system architecture and hardware configuration,
application programming, and system integration;
i) specifies requirements for application programming for users and integrators of SISs;
j) applies when functional safety is achieved using one or more SIFs for the protection of
personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications, for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for
achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are
necessary to determine the functional requirements and the safety integrity requirements
for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and
safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand
mode) and average frequency of dangerous failures (in demand mode or continuous
mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved
for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which
IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for
specific applications (which should be established based on knowledge of the particular
application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person:
[Figure 2 (diagram rendered as text): process sector safety instrumented system standards – manufacturers and suppliers of devices follow IEC 61508; safety instrumented systems designers, integrators and users follow IEC 61511]
Figure 2 – Relationship between IEC 61511 and IEC 61508
NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in
IEC 61511.
[Figure 3 (diagram rendered as text): process sector safety instrumented system standards]
Process sector hardware:
– developing new hardware devices: follow IEC 61508
– using prior use hardware devices: follow IEC 61511
– using hardware developed and assessed according to IEC 61508: follow IEC 61511
Process sector software and application program:
– developing embedded (system) software: follow IEC 61508-3
– developing application program using full variability languages: follow IEC 61508-3
– developing application program using limited variability or fixed program languages: follow IEC 61511
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508
NOTE 4 Subclause 7.2.2 in IEC 61511-1:2016 and A.7.2.2 in IEC 61511-2:2016 contain guidance on handling
integration of sub-systems that comply with other standards (such as machinery, burner, etc.).
[Figure 4 (flowchart rendered as text): starting from a function, the decisions are "Is this an instrumented function?", "Safety function?", "Safety instrumented function?" and "Continuous or demand mode?"; the resulting classes are "Not relevant", "Other means of risk reduction", "Other instrumented means of risk reduction", "Continuous mode SIF" and "Demand mode SIF". Legend in the figure: standard specifies activities which are to be carried out but requirements are not detailed.]
Figure 4 – Relationship between safety instrumented functions and other functions
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements

3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.
3.2 Terms and definitions
For the purposes of this document, the following definitions apply.
In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases
this is due to the terminology used in the process sector. In other cases these definitions have been aligned with
other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary,
ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning
between these definitions and the definitions of the same terms in IEC 61508-4:2010.
3.2.1
architecture
configuration
specific configuration of hardware and software components in a system
Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal
structure of a SIS subsystem or the internal structure of SIS application programs.
3.2.2
asset protection
function allocated to a system and designed for the purpose of preventing loss or damage to
assets
3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or operators and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any SIF
Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired
manner.
Note 2 to entry: A BPCS typically may implement various functions such as process control functions,
monitoring, and alarms.
3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed
Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the
operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element
operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the
application program).
Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or
inhibit or muting.
3.2.5
channel
device or group of devices that independently perform(s) a specified function

Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers, sensors, and
final elements.
Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently
perform the same function. Channels may be identical or diverse.
Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or
final elements).
Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault
tolerance requirements.
3.2.6
common cause
3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are
not consequences of each other
Note 1 to entry: All the failures due to a common cause do not necessarily occur exactly at the same time and this
may allow time to detect the occurrence of the common cause before a SIF is actually failed.
Note 2 to entry: Common cause failures can also lead to common mode failures.
Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault
tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).
Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g.,
temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation
errors, bugs), human error (e.g., misuse), etc.
Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to 3.2.6.1 definition.
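The following is an added example, not text from IEC 61511-1: a small numerical model of why the potential for common cause failures "reduces the effect of system redundancy" (Note 3 above) for the dual-channel configuration described in 3.2.5 Note 2. It assumes a beta-factor split of each channel's failure probability into a shared part and an independent part; that model and the 1 % channel failure figure are assumptions of this example, not requirements from the standard.

```python
# Added example (not from IEC 61511-1): effect of common cause failures on a
# two-channel (1oo2) arrangement. Beta-factor model is an assumption here.

def p_both_fail_independent(p_channel: float) -> float:
    """Probability that both channels have failed when the two failures are
    fully independent: each channel fails with probability p_channel."""
    return p_channel * p_channel


def p_both_fail_common_cause(p_channel: float, beta: float) -> float:
    """Same arrangement with a beta-factor common cause model (assumption).

    A fraction beta of each channel's failure probability is attributed to a
    single shared event that fails both channels together (the common cause
    failure of 3.2.6.1); the remainder fails independently per channel.
    """
    if not 0.0 <= beta <= 1.0 or not 0.0 <= p_channel <= 1.0:
        raise ValueError("p_channel and beta must be probabilities in [0, 1]")
    p_shared = beta * p_channel           # one event, both channels lost
    p_single = (1.0 - beta) * p_channel   # independent part, per channel
    # Both channels are lost if the shared event occurs, or if it does not
    # occur and each channel fails on its own.
    return p_shared + (1.0 - p_shared) * p_single * p_single


def redundancy_benefit(p_channel: float, beta: float) -> float:
    """Factor by which the second channel lowers the probability of losing the
    function: P(one channel fails) / P(both channels fail)."""
    return p_channel / p_both_fail_common_cause(p_channel, beta)


if __name__ == "__main__":
    # Constructed figure: each channel fails with probability 1 % on demand.
    p = 0.01
    for beta in (0.0, 0.02, 0.10):
        print(f"beta={beta:.2f}  P(both fail)={p_both_fail_common_cause(p, beta):.2e}"
              f"  benefit of 2nd channel = x{redundancy_benefit(p, beta):.1f}")
```

With beta = 0 the second channel improves the figure a hundredfold; a 10 % common cause fraction leaves less than a tenfold improvement, which is why the note treats dependent failures as eroding redundancy rather than merely adding to it.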
3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (i.e., identical
faults)
Note 1 to entry: Common mode failures may have different causes.
Note 2 to entry: Common mode failures can also be the result of common cause failures (3.2.6.1).
Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy and
fault tolerance (e.g., failure of two or more channels in the same way, causing the same erroneous result).
Note 4 to entry: By extension, a common mode failure (in singular form) is a failure belonging to a set of
concurrent failures (plural form) according to 3.2.6.2 definition.
3.2.7
compensating measure
temporary implementation of planned and documented methods for managing risks during any
period of maintenance or process operation when it is known that the performance of the SIS
is degraded
3.2.8
component
one of the parts of a system, SIS subsystem, or device performing a specified function
Note 1 to entry: Component may also include software.

3.2.9
configuration management
discipline of identifying the components and the arrangements of those components of an
evolving system for the purposes of controlling changes to those components, and
maintaining continuity of the system and traceability of any chang
...


IEC 61511-1:2016 provides a clear framework and definitions as a standard relating to safety instrumented systems in the process industry sector. This standard sets out requirements for the specification, design, installation, operation and maintenance of safety instrumented systems (SIS) so that they can be confidently entrusted to achieve or maintain a safe state of the process. An important strength of this standard is its comprehensive approach. IEC 61511-1:2016 has been developed for the specific needs of the process industry and is based on the application of IEC 61508:2010. This helps to manage industry-specific risks effectively and to implement appropriate safety measures. Furthermore, because the corrigendum published in September 2016 is included in this edition, safety instrumented systems can be operated on the basis of the latest information and requirements. The relevance of this standard is essential for ensuring safety across the industry, and it provides reliable guidelines especially for companies that handle high-hazard processes. IEC 61511-1 also promotes consistency of systems and hardware through appropriate application programming requirements. This ensures consistent safety from system design through to operation and reduces the complexity of process manufacturing. The standard therefore also contributes to strengthening the safety culture in the industry. In this way, IEC 61511-1:2016 is an indispensable standard for implementing safety instrumented systems in the process industries, and its strengths and relevance will make it a valuable resource for many companies.

The IEC 61511-1:2016 standard specifies in detail the requirements for safety instrumented systems (SIS) in the process industry sector. This document provides the criteria needed so that the specification, design, installation, operation and maintenance of safety instrumented systems can be relied upon to achieve or maintain a safe state of the process. In this respect, IEC 61511-1:2016 presents a clear framework and definitions for safety functions and plays a very important role in the industries concerned. One of the strengths of this standard is that it was developed as a process sector implementation of IEC 61508:2010. This provides a consistent approach at every stage of risk analysis and the safety life-cycle, which can greatly improve safety in the process industries. It also includes the contents of the September 2016 corrigendum, so it has been updated to meet the latest requirements. IEC 61511-1:2016 includes system design and hardware requirements as well as application programming requirements, providing practical guidance for real-world application. These detailed requirements help companies build and maintain a safe working environment through effective management and operation of the SIS. In conclusion, IEC 61511-1:2016 can be described as an essential standard for maximizing the reliability of safety instrumented systems and ensuring safety in the process industry sector. This standard has established itself as a criterion that must be followed in the industries concerned for safety management and risk minimization.

IEC 61511-1:2016 serves as a comprehensive standard that focuses on ensuring the functional safety of safety instrumented systems (SIS) in the process industry sector. The scope of this standard encompasses the crucial requirements for the specification, design, installation, operation, and maintenance of SIS, enabling organizations to trust that these systems can effectively achieve or maintain a safe state of operations. One of the strengths of IEC 61511-1:2016 is its alignment with IEC 61508:2010, providing a robust framework specifically tailored for the process industry. This alignment ensures that the standard incorporates best practices in functional safety while meeting the unique challenges faced in process safety applications. The standard is structured to facilitate the development and implementation of safety instrumented systems, highlighting essential definitions and requirements that foster a common understanding among stakeholders. The document also addresses hardware and application programming requirements, ensuring that every aspect of safety instrumented systems is meticulously examined. This comprehensive approach not only enhances safety but also promotes a culture of continuous improvement in safety practices within the industry. Additionally, the inclusion of the corrigendum from September 2016 demonstrates the commitment to maintaining the relevance and accuracy of the standard, ensuring that it reflects the latest developments and best practices in the field. Overall, IEC 61511-1:2016 is an indispensable resource for organizations aiming to enhance their safety measures in the process industry sector. Its clear and structured guidance regarding the specification, design, installation, operation, and maintenance of safety instrumented systems contributes significantly to the overarching goal of achieving functional safety and mitigating risks in process operations.