IEC 61511-3:2016
Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels
IEC 61511-3:2016 applies when functional safety is achieved using one or more SIF for the protection of either personnel, the general public, or the environment; may be applied in non-safety applications such as asset protection; illustrates typical hazard and risk assessment methods that may be carried out to define the safety functional requirements and SIL of each SIF; illustrates techniques/measures available for determining the required SIL; provides a framework for establishing SIL but does not specify the SIL required for specific applications; does not give examples of determining the requirements for other methods of risk reduction. This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: Additional H&RA example(s) and quantitative analysis consideration annexes are provided.
Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels (French title: Sécurité fonctionnelle - Systèmes instrumentés de sécurité pour le secteur des industries de transformation - Partie 3: Conseils pour la détermination des niveaux exigés d'intégrité de sécurité)
IEC 61511-3:2016 applies when functional safety is achieved using one or more SIF for the protection of personnel, the general public or the environment; may be applied in non-safety applications (notably asset protection); presents the hazard and risk analysis methods that may be carried out to define the safety functional requirements and the SIL of each SIF; identifies techniques and measures available for determining the required SIL; provides a framework for determining the SIL but does not specify the SIL required for specific applications; gives no example of determining the requirements for other methods of risk reduction. This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: additional H&RA examples and annexes on quantitative analysis considerations are provided.
General Information
- Status
- Published
- Publication Date
- 20-Jul-2016
- Technical Committee
- SC 65A - System aspects
- Drafting Committee
- MT 61511 - TC 65/SC 65A/MT 61511
- Current Stage
- PPUB - Publication issued
- Start Date
- 21-Jul-2016
- Completion Date
- 15-Mar-2016
Relations
- Effective Date
- 05-Sep-2023
Overview
IEC 61511-3:2016 - Part 3 of the IEC 61511 series - provides guidance for determining the required Safety Integrity Levels (SILs) for Safety Instrumented Functions (SIFs) in the process industry. Intended for applications that protect personnel, the public, or the environment (and applicable to asset protection), this second edition (2016) updates and replaces the 2003 edition and adds expanded hazard & risk assessment (H&RA) examples and quantitative analysis annexes.
Key topics and technical requirements
- Scope and intent
- Framework for establishing the required SIL for each SIF.
- Applies when functional safety is achieved using one or more SIF; may be used for non-safety applications (asset protection).
- Clarifies that it provides guidance and techniques but does not prescribe the SIL for specific applications.
- Risk assessment methods explained
- Semi‑quantitative methods (event tree analysis).
- Qualitative and semi‑qualitative risk graphs, including guidance on designing and calibrating risk graphs.
- Layer of Protection Analysis (LOPA) and variations (including matrix-based LOPA).
- Safety layer matrix and multiple safety systems approaches.
- ALARP (As Low As Reasonably Practicable) and tolerable risk concepts.
- Supporting guidance and annexes
- Numerous informative annexes with worked examples, calibration techniques, H&RA examples, multiple-system treatments, and documentation practices.
- Guidance on selecting methods for SIL determination and on allocating safety requirements across protection layers.
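The arithmetic behind the LOPA method listed above, as an added worked example that is not text or code from the standard. It follows the sequence of the Annex F headings (initiating cause and likelihood, enabling factors, independent protection layers, intermediate event likelihood, required SIF integrity level, mitigated event likelihood) and adds the independence check that LOPA credit depends on: a layer that shares a device with the initiating cause, or with another credited layer, is a common cause rather than an independent layer (the Annex J "systemic dependencies" concern), and a logic solver or network that one event, including a cyber compromise, can take down is the same kind of dependency. The scenario, tag names, frequencies and PFD values are constructed assumptions; only the SIL bands are those of IEC 61511-1 for demand-mode SIFs.

```python
"""Layer of protection analysis (LOPA) arithmetic in the sequence of
IEC 61511-3 Annex F: initiating cause and likelihood, enabling factors,
independent protection layers (IPL), intermediate event likelihood,
required SIF integrity level, mitigated event likelihood.

Added example: the scenario, tag names and every number below are constructed
for illustration and are not taken from the standard.
"""
from dataclasses import dataclass, field, replace

# SIL bands for demand-mode SIFs as PFDavg ranges (IEC 61511-1):
# SIL 1: 1e-2 <= PFDavg < 1e-1 ... SIL 4: 1e-5 <= PFDavg < 1e-4
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass(frozen=True)
class IPL:
    """A protection layer credited with a PFDavg and the device tags it relies on."""
    name: str
    pfd: float
    devices: frozenset = frozenset()


@dataclass
class Scenario:
    impact_event: str
    initiating_cause: str
    initiating_devices: frozenset   # devices whose failure is the initiating cause
    initiating_frequency: float     # demands per year
    tolerable_frequency: float      # process safety target, events per year
    enabling_factors: list = field(default_factory=list)   # e.g. occupancy, ignition
    ipls: list = field(default_factory=list)


def independence_problems(s: Scenario) -> list:
    """LOPA credits only layers that are independent of the initiating cause and
    of each other. A layer sharing a device with the initiating cause or with
    another credited layer is reported; a shared logic solver or network that a
    single cyber event can compromise is the same kind of common cause."""
    problems, owner = [], {}
    for ipl in s.ipls:
        for tag in ipl.devices:
            if tag in s.initiating_devices:
                problems.append(f"{ipl.name} relies on {tag}, which is part of the initiating cause")
            elif tag in owner:
                problems.append(f"{ipl.name} and {owner[tag]} both rely on {tag}; credit only one")
            owner.setdefault(tag, ipl.name)
    return problems


def intermediate_event_likelihood(s: Scenario) -> float:
    """Initiating likelihood reduced by enabling factors and the credited IPLs (per year)."""
    problems = independence_problems(s)
    if problems:
        raise ValueError("; ".join(problems))
    f = s.initiating_frequency
    for factor in s.enabling_factors:
        f *= factor
    for ipl in s.ipls:
        f *= ipl.pfd
    return f


def required_pfd(s: Scenario):
    """PFDavg the SIF must achieve for the mitigated likelihood to meet the target.
    None means the non-SIS layers already meet the target."""
    f = intermediate_event_likelihood(s)
    return None if f <= s.tolerable_frequency else s.tolerable_frequency / f


def sil_for_pfd(pfd) -> int:
    """SIL whose band contains the required PFDavg; 0 when no SIF is needed or
    the required risk reduction is below a factor of 10."""
    if pfd is None or pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    raise ValueError("required PFDavg below 1e-5: one SIF cannot provide it, change the design")


def mitigated_event_likelihood(s: Scenario, sif_pfd: float) -> float:
    """Event likelihood with the SIF in place (per year)."""
    return intermediate_event_likelihood(s) * sif_pfd


# Constructed scenario: vessel overpressure after the BPCS level loop fails.
# The loop's transmitter LT-101 is part of the initiating cause, so nothing
# that reads LT-101 may be credited as an IPL.
VESSEL = Scenario(
    impact_event="Vessel rupture with release of flammable inventory",
    initiating_cause="BPCS level control loop failure",
    initiating_devices=frozenset({"LT-101", "BPCS"}),
    initiating_frequency=0.1,
    tolerable_frequency=1e-6,
    enabling_factors=[0.5],          # assumed fraction of time the area is occupied
    ipls=[
        IPL("Relief valve PSV-101", 1e-2, frozenset({"PSV-101"})),
        IPL("High level alarm LAH-102 with operator response", 1e-1, frozenset({"LT-102"})),
    ],
)

# Same scenario, but the alarm is driven by the transmitter that already failed.
VESSEL_SHARED_SENSOR = replace(VESSEL, ipls=[
    IPL("Relief valve PSV-101", 1e-2, frozenset({"PSV-101"})),
    IPL("High level alarm LAH-101 with operator response", 1e-1, frozenset({"LT-101"})),
])

if __name__ == "__main__":
    pfd = required_pfd(VESSEL)
    sil = sil_for_pfd(pfd)
    print(f"intermediate event likelihood: {intermediate_event_likelihood(VESSEL):.1e}/yr")
    print(f"required SIF PFDavg: {pfd:.3f} -> SIL {sil}")
    # A SIF that is merely "SIL 1" at PFDavg 0.1 would leave 5e-6/yr, above the
    # target: the SRS has to carry the required PFDavg, not only the SIL.
    print(f"mitigated likelihood at required PFDavg: {mitigated_event_likelihood(VESSEL, pfd):.1e}/yr")
    print(f"mitigated likelihood at PFDavg 0.1: {mitigated_event_likelihood(VESSEL, 0.1):.1e}/yr")
    print("shared sensor:", independence_problems(VESSEL_SHARED_SENSOR))
```

Run as a script it prints the intermediate likelihood (5e-5/yr), the required PFDavg (0.02, SIL 1) and the two mitigated figures, then lists why the shared-sensor variant earns no alarm credit. The last comparison is the practical point: a SIL is a band, so the safety requirements specification must state the required PFDavg (here 0.02), not just "SIL 1".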
Practical applications and who uses it
IEC 61511-3 is used to:
- Define the Safety Functional Requirements (SFRs) and required SIL for instrumented protective systems.
- Support HAZOP, LOPA, and risk‑assessment workshops to derive required risk reduction.
- Calibrate risk graphs and document SIL decisions for verification and audits.
Typical users:
- Process safety engineers and functional safety specialists
- Asset owners, operations and maintenance teams
- Safety consultants and third‑party assessors
- HAZOP/LOPA facilitators and regulatory compliance teams
Related standards
- IEC 61511-1 and IEC 61511-2 (other parts of the process industry functional safety series)
- IEC 61508 (generic functional safety of electrical/electronic/programmable systems)
Keywords: IEC 61511-3, SIL determination, safety instrumented systems, SIF, process industry, LOPA, risk graph, HAZOP, functional safety.
IEC 61511-3:2016 RLV - Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels. Released: 7/21/2016. ISBN: 9782832235454
IEC 61511-3:2016 - Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels
Frequently Asked Questions
IEC 61511-3:2016 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels". This standard covers: IEC 61511-3:2016 applies when functional safety is achieved using one or more SIF for the protection of either personnel, the general public, or the environment; may be applied in non-safety applications such as asset protection; illustrates typical hazard and risk assessment methods that may be carried out to define the safety functional requirements and SIL of each SIF; illustrates techniques/measures available for determining the required SIL; provides a framework for establishing SIL but does not specify the SIL required for specific applications; does not give examples of determining the requirements for other methods of risk reduction. This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: Additional H&RA example(s) and quantitative analysis consideration annexes are provided.
IEC 61511-3:2016 is classified under the following ICS (International Classification for Standards) categories: 13.110 - Safety of machinery; 25.040.01 - Industrial automation systems in general. The ICS classification helps identify the subject area and facilitates finding related standards.
IEC 61511-3:2016 has the following relationships with other standards: it has inter-standard links to IEC 61511-3:2003 and IEC 61511-3:2003/COR1:2004 (the superseded first edition and its corrigendum). Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase IEC 61511-3:2016 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of IEC standards.
Standards Content (Sample)
IEC 61511-3 ®
Edition 2.0 2016-07
REDLINE VERSION
INTERNATIONAL
STANDARD
colour
inside
Functional safety – Safety instrumented systems for the process industry
sector –
Part 3: Guidance for the determination of the required safety integrity levels
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11; Fax: +41 22 919 03 00; info@iec.ch; www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.
IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.
IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.
Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.
IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.
IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 25.040.01 ISBN 978-2-8322-3545-4
– 2 – IEC 61511-3:2016 RLV IEC 2016
CONTENTS
FOREWORD. 7
INTRODUCTION . 9
1 Scope . 12
2 Normative references . 13
3 Terms, definitions and abbreviations . 14
Annex A (informative) Risk and safety integrity – general guidance . 15
A.1 General . 15
A.2 Necessary risk reduction . 15
A.3 Role of safety instrumented systems . 15
A.4 Risk and safety integrity . 17
A.5 Allocation of safety requirements . 18
A.6 Hazardous event, hazardous situation and harmful event . 18
A.7 Safety integrity levels . 19
A.8 Selection of the method for determining the required safety integrity level . 19
Annex B (informative) Semi-quantitative method – event tree analysis . 22
B.1 Overview . 22
B.2 Compliance with IEC 61511-1:2016 . 22
B.3 Example . 23
B.3.1 General . 23
B.3.2 Process safety target level . 24
B.3.3 Hazard analysis . 24
B.3.4 Semi-quantitative risk analysis technique. 25
B.3.5 Risk analysis of existing process . 26
B.3.6 Events that do not meet the process safety target level . 29
B.3.7 Risk reduction using other protection layers . 30
B.3.8 Risk reduction using a safety instrumented function . 30
Annex C (informative) The safety layer matrix method . 34
C.1 Overview . 34
C.2 Process safety target . 35
C.3 Hazard analysis . 36
C.4 Risk analysis technique . 36
C.5 Safety layer matrix . 37
C.6 General procedure . 38
Annex D (informative) Determination of the required safety integrity levels – A semi-
qualitative method: calibrated risk graph . 40
D.1 Overview . 40
D.2 Risk graph synthesis . 40
D.3 Calibration . 41
D.4 Membership and organization of the team undertaking the SIL assessment . 42
D.5 Documentation of results of SIL determination . 43
D.6 Example calibration based on typical criteria . 43
D.7 Using risk graphs where the consequences are environmental damage . 46
D.8 Using risk graphs where the consequences are asset loss . 47
D.9 Determining the integrity level of instrument protection function where the
consequences of failure involve more than one type of loss . 47
Annex E (informative) Determination of the required safety integrity levels – A
qualitative method: risk graph . 48
E.1 General . 48
E.2 Typical implementation of instrumented functions . 48
E.3 Risk graph synthesis . 49
E.4 Risk graph implementation: personnel protection . 50
E.5 Relevant issues to be considered during application of risk graphs . 53
Annex F (informative) Layer of protection analysis (LOPA) . 54
F.1 Overview . 54
F.2 Impact event . 55
F.3 Severity level . 55
F.4 Initiating cause . 56
F.5 Initiation likelihood . 57
F.6 Protection layers . 57
F.7 Additional mitigation . 58
F.8 Independent protection layers (IPL) . 58
F.9 Intermediate event likelihood . 59
F.10 SIF integrity level . 59
F.11 Mitigated event likelihood . 59
F.12 Total risk . 59
F.13 Example . 60
F.13.1 General . 60
F.13.2 Impact event and severity level . 60
F.13.3 Initiating cause . 60
F.13.4 Initiating likelihood . 60
F.13.5 Protection layers General process design . 60
F.13.6 BPCS . 60
F.13.7 Alarms . 60
F.13.8 Additional mitigation . 61
F.13.9 Independent protection layer(s) (IPL) . 61
F.13.10 Intermediate event likelihood . 61
F.13.11 SIS . 61
F.13.12 Next SIF . 61
Annex G (informative) Layer of protection analysis using a risk matrix . 63
G.1 Overview . 63
G.2 Procedure . 65
G.2.1 General . 65
G.2.2 Step 1: General Information and node definition . 65
G.2.3 Step 2: Describe hazardous event . 66
G.2.4 Step 3: Evaluate initiating event frequency . 69
G.2.5 Step 4: Determine hazardous event consequence severity and risk
reduction factor . 70
G.2.6 Step 5: Identify independent protection layers and risk reduction factor . 71
G.2.7 Step 6: Identify consequence mitigation systems and risk reduction
factor . 72
G.2.8 Step 7: Determine CMS risk gap . 73
G.2.9 Step 8: Determine scenario risk gap . 76
G.2.10 Step 9: Make recommendations when needed . 76
Annex H (informative) A qualitative approach for risk estimation & safety integrity level
(SIL) assignment . 78
H.1 Overview . 78
H.2 Risk estimation and SIL assignment . 80
H.2.1 General . 80
H.2.2 Hazard identification/indication . 80
H.2.3 Risk estimation . 80
H.2.4 Consequence parameter selection (C) (Table H.2) . 81
H.2.5 Probability of occurrence of that harm . 81
H.2.6 Estimating probability of harm . 84
H.2.7 SIL assignment . 84
Annex I (informative) Designing & calibrating a risk graph . 87
I.1 Overview . 87
I.2 Steps involved in risk graph design and calibration . 87
I.3 Risk graph development . 87
I.4 The risk graph parameters . 88
I.4.1 Choosing parameters . 88
I.4.2 Number of parameters. 88
I.4.3 Parameter value. 88
I.4.4 Parameter definition . 88
I.4.5 Risk graph . 89
I.4.6 Tolerable event frequencies (Tef) for each consequence . 89
I.4.7 Calibration . 90
I.4.8 Completion of the risk graph . 91
Annex J (informative) Multiple safety systems . 92
J.1 Overview . 92
J.2 Notion of systemic dependencies . 92
J.3 Semi-quantitative approaches . 95
J.4 Boolean approaches . 96
J.5 State-transition approach . 99
Annex K (informative) As low as reasonably practicable (ALARP) and tolerable risk
concepts . 103
K.1 General . 103
K.2 ALARP model . 103
K.2.1 Overview . 103
K.2.2 Tolerable risk target . 104
Bibliography . 106
Figure 1 – Overall framework of the IEC 61511 series . 11
Figure 2 – Typical protection layers and risk reduction means found in process plants . 13
Figure A.1 – Risk reduction: general concepts . 17
Figure A.2 – Risk and safety integrity concepts . 18
Figure A.3 – Harmful event progression . 19
Figure A.4 – Allocation of safety requirements to the Safety Instrumented Systems,
non-SIS prevention/mitigation protection layers and other protection layers . 21
Figure B.1 – Pressurized vessel with existing safety systems . 24
Figure B.2 – Fault tree for overpressure of the vessel . 27
Figure B.3 –Hazardous events with existing safety systems . 29
Figure B.4 – Hazardous events with SIL 2 safety instrumented function . 33
Figure C.1 – Protection layers . 34
Figure C.2 – Example of safety layer matrix. 38
Figure D.1 – Risk graph: general scheme . 44
Figure D.2 – Risk graph: environmental loss . 47
Figure E.1 – VDI/VDE 2180 Risk graph – personnel protection and relationship to SILs . 51
Figure F.1 – Layer of protection analysis (LOPA) report . 56
Figure G.1 – Layer of protection graphic highlighting proactive and reactive IPL . 63
Figure G.2 – Work process used for Annex G . 65
Figure G.3 – Example process node boundary for selected scenario . 66
Figure G.4 – Acceptable secondary consequence risk . 74
Figure G.5 – Unacceptable secondary consequence risk . 74
Figure G.6 – Managed secondary consequence risk . 76
Figure H.1 – Workflow of SIL assignment process . 79
Figure H.2 – Parameters used in risk estimation . 81
Figure I.1 – Risk graph parameters to consider . 88
Figure I.2 – Illustration of a risk graph with parameters from Figure I.1 . 89
Figure J.1 – Conventional calculations . 92
Figure J.2 – Accurate calculations . 93
Figure J.3 – Redundant SIS . 95
Figure J.4 – Corrective coefficients for hazardous event frequency calculations when
the proof tests are performed at the same time . 96
Figure J.5 – Expansion of the simple example . 96
Figure J.6 – Fault tree modelling of the multi SIS presented in Figure J.5 . 97
Figure J.7 – Modelling CCF between SIS1 and SIS2 . 98
Figure J.8 – Effect of tests staggering . 98
Figure J.9 – Effect of partial stroking . 99
Figure J.10 – Modelling of repair resource mobilisation . 100
Figure J.11 – Example of output from Monte Carlo simulation . 101
Figure J.12 – Impact of repairs due to shared repair resources . 102
Figure K.1 – Tolerable risk and ALARP . 104
Table B.1 – HAZOP study results . 25
Table C.1 – Frequency of hazardous event likelihood (without considering PLs) . 37
Table C.2 – Criteria for rating the severity of impact of hazardous events . 37
Table D.1 – Descriptions of process industry risk graph parameters . 41
Table D.2 – Example calibration of the general purpose risk graph . 45
Table D.3 – General environmental consequences . 46
Table E.1– Data relating to risk graph (see Figure E.1) . 52
Table F.1 – HAZOP developed data for LOPA . 55
Table F.2 – Impact event severity levels . 56
Table F.3 – Initiation likelihood . 57
Table F.4 – Typical protection layers (prevention and mitigation) PFDavg . 58
Table G.1 – Selected scenario from HAZOP worksheet . 67
Table G.2 – Selected scenario from LOPA worksheet . 68
Table G.3 – Example initiating causes and associated frequency . 70
Table G.4 – Consequence severity decision table . 71
Table G.5 – Risk reduction factor matrix . 71
Table G.6 – Examples of independent protection layers (IPL) with associated risk
reduction factors (RRF) and probability of failure on demand (PFD) . 73
Table G.7 – Examples of consequence mitigation system (CMS) with associated risk
reduction factors (RRF) and probability of failure on demand (PFD) . 73
Table G.8 – Step 7 LOPA worksheet (1 of 2) . 75
Table G.9 – Step 8 LOPA worksheet (1 of 2) . 77
Table H.1 – List of SIFs and hazardous events to be assessed . 80
Table H.2 – Consequence parameter/severity level . 81
Table H.3 – Occupancy parameter/Exposure probability (F) . 82
Table H.4 – Avoidance parameter/avoidance probability . 83
Table H.5 – Demand rate parameter (W) . 84
Table H.6 – Risk graph matrix (SIL assignment form for safety instrumented functions) . 85
Table H.7 – Example of consequence categories . 85
Table K.1 – Example of risk classification of incidents . 105
Table K.2 – Interpretation of risk classes . 105
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This redline version of the official IEC Standard allows the user to identify the changes
made to the previous edition. A vertical bar appears in the margin wherever a change
has been made. Additions are in green text, deletions are in strikethrough red text.
International Standard IEC 61511-3 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition cancels and replaces the first edition published in 2003. This edition
constitutes a technical revision. This edition includes the following significant technical
changes with respect to the previous edition:
Additional H&RA example(s) and quantitative analysis consideration annexes are provided.
The text of this document is based on the following documents:
FDIS: 65A/779/FDIS; Report on voting: 65A/786/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
Safety instrumented systems for the process industry sector, can be found on the
IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
Safety instrumented systems (SIS) have been used for many years to perform safety
instrumented functions (SIF) in the process industries. If instrumentation is to be effectively
used for SIF, it is essential that this instrumentation achieves certain minimum standards and
performance levels.
The IEC 61511 series addresses the application of SIS for the process industries. A process
hazard and risk assessment is carried out to enable the specification for SIS to be derived.
Other safety systems are only considered so that their contribution can be taken into account
when considering the performance requirements for the SIS. The SIS includes all devices and
subsystems necessary to carry out the SIF from sensor(s) to final element(s).
The IEC 61511 series has two concepts which are fundamental to its application; SIS safety
life-cycle and safety integrity levels (SIL).
The IEC 61511 series addresses SIS which are based on the use of Electrical (E)/Electronic
(E)/Programmable Electronic (PE) technology. Where other technologies are used for logic
solvers, the basic principles of the IEC 61511 series should be applied. The IEC 61511 series
also addresses the SIS sensors and final elements regardless of the technology used. The
IEC 61511 series is process industry specific within the framework of IEC 61508:2010 (see
Annex A of IEC 61511-1).
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum standards. This approach has been adopted in order that a rational and consistent
technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. If necessary,
this may be combined with a protective system or systems to address any residual identified
risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic,
pneumatic, electrical, electronic, and programmable electronic). Any safety strategy should
consider each individual SIS in the context of the other protective systems. To facilitate this
approach, the IEC 61511 series:
– requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
– requires that an allocation of the safety requirements to the SIS is carried out;
– works within a framework which is applicable to all instrumented means of achieving
functional safety;
– details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety;
– addresses all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
– enables existing or new country-specific process industry standards to be harmonized
with the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (for example, of
underlying principles, terminology, information) within the process industries. This should
have both safety and economic benefits.
In jurisdictions where the governing authorities (for example national, federal, state, province,
county, city) have established process safety design, process safety management, or other
regulations, these take precedence over the requirements defined in IEC 61511-1.
IEC 61511-3 deals with guidance in the area of determining the required SIL in hazard and
risk assessment (H&RA). The information herein is intended to provide a broad overview of the
wide range of global methods used to implement H&RA. The information provided is not of
sufficient detail to implement any of these approaches.
Before proceeding, the concept and determination of SIL provided in IEC 61511-1:2016
should be reviewed. The informative annexes in IEC 61511-3 address the following:
Annex A provides information that is common to each of the hazard and risk assessment
methods shown herein.
Annex B provides an overview of a semi-quantitative method used to determine the
required SIL.
Annex C provides an overview of a safety matrix method to determine the required SIL.
Annex D provides an overview of a method using a semi-qualitative risk graph approach
to determine the required SIL.
Annex E provides an overview of a method using a qualitative risk graph approach to
determine the required SIL.
Annex F provides an overview of a method using a layer of protection analysis (LOPA)
approach to select the required SIL.
Annex G provides a layer of protection analysis using a risk matrix.
Annex H provides an overview of a qualitative approach for risk estimation & SIL
assignment.
Annex I provides an overview of the basic steps involved in designing and calibrating a
risk graph.
Annex J provides an overview of the impact of multiple safety systems on determining the
required SIL.
Annex K provides an overview of the concepts of tolerable risk and ALARP.
Figure 1 shows the overall framework for IEC 61511-1, IEC 61511-2 and IEC 61511-3 and
indicates the role that the IEC 61511 series plays in the achievement of functional safety for
SIS.
Figure 1 (diagram; its two columns are reproduced here as text):
Technical requirements (Part 1):
– Clause 8: Development of the overall safety requirements (concept, scope definition,
hazard and risk assessment)
– Clauses 9 and 10: Allocation of the safety requirements to the safety instrumented
functions and development of the safety requirements specification
– Clause 11: Design phase for safety instrumented systems; Clause 12: Design phase for
SIS application programming
– Clauses 13, 14 and 15: Factory acceptance testing, installation and commissioning and
safety validation of safety instrumented systems
– Clauses 16, 17 and 18: Operation and maintenance, modification and retrofit,
decommissioning or disposal of safety instrumented systems
Support parts:
– Part 1: Clause 2 References; Clause 3 Definitions and abbreviations; Clause 4
Conformance; Clause 5 Management of functional safety; Clause 6 Safety life-cycle
requirements; Clause 7 Verification; Clause 19 Information requirements
– Part 2: Guideline for the application of part 1
– Part 3: Guidance for the determination of the required safety integrity levels
Figure 1 – Overall framework of the IEC 61511 series
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
1 Scope
This part of IEC 61511 provides information on:
– the underlying concepts of risk and the relationship of risk to safety integrity (see Clause
A.4);
– the determination of tolerable risk (see Annex K);
– a number of different methods that enable the safety integrity levels (SIL) for the safety
instrumented functions (SIF) to be determined (see Annexes B through K);
– the impact of multiple safety systems on calculations determining the ability to achieve the
desired risk reduction (see Annex J).
In particular, this part of IEC 61511:
a) applies when functional safety is achieved using one or more SIF for the protection of
either personnel, the general public, or the environment;
b) may be applied in non-safety applications such as asset protection;
c) illustrates typical hazard and risk assessment methods that may be carried out to define
the safety functional requirements and SIL of each SIF;
d) illustrates techniques/measures available for determining the required SIL;
e) provides a framework for establishing SIL but does not specify the SIL required for specific
applications;
f) does not give examples of determining the requirements for other methods of risk
reduction.
NOTE Examples given in the Annexes of this Standard are intended only as case specific examples of
implementing IEC 61511 requirements in a specific instance, and the user should satisfy themselves that the
chosen methods and techniques are appropriate to their situation.
Annexes B through K illustrate quantitative and qualitative approaches and have been
simplified in order to illustrate the underlying principles. These annexes have been included to
illustrate the general principles of a number of methods but do not provide a definitive
account.
NOTE 1 Those intending to apply the methods indicated in these annexes can consult the source material
referenced in each annex.
NOTE 2 The methods of SIL determination included in Part 3 may not be suitable for all applications. In particular,
specific techniques or additional factors that are not illustrated may be required for high demand or continuous
mode of operation.
NOTE 3 The methods as illustrated herein may result in non-conservative results when they are used beyond
their underlying limits and when factors such as common cause, fault tolerance, holistic considerations of the
application, lack of experience with the method being used, independence of the protection layers, etc., are not
properly considered. See Annex J.
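As an added illustration of the point made in NOTE 3 and of the Scope's reference to the impact of multiple safety systems (Annex J), and not part of IEC 61511-3 itself, the following Python script works a LOPA-style SIL target calculation two ways: first crediting two protection layers as independent (the product rule), then with an exact Boolean calculation that accounts for an element the two layers share. All initiating frequencies, tolerable frequencies and PFD values are constructed for the illustration; the SIL bands used are the low-demand PFDavg ranges defined in IEC 61508/IEC 61511-1, which this page does not reproduce.

```python
from functools import reduce
from operator import mul

# Low-demand-mode SIL bands as (PFDavg lower bound inclusive, upper bound exclusive, SIL).
# Assumption: these are the bands from IEC 61508/IEC 61511-1; they are not on this page.
SIL_BANDS = [
    (1e-5, 1e-4, 4),
    (1e-4, 1e-3, 3),
    (1e-3, 1e-2, 2),
    (1e-2, 1e-1, 1),
]


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Hazardous-event frequency (per year) after crediting the listed IPLs,
    treating every layer as independent of the others (the product rule)."""
    return initiating_freq * reduce(mul, ipl_pfds, 1.0)


def required_rrf(initiating_freq, ipl_pfds, tolerable_freq):
    """Risk reduction factor the SIF must still provide so that the mitigated
    frequency meets the tolerable frequency. A value <= 1 means no SIF is needed."""
    return mitigated_frequency(initiating_freq, ipl_pfds) / tolerable_freq


def sil_for_rrf(rrf):
    """Translate a required RRF into the SIL whose PFDavg band contains 1/RRF.
    Returns 0 when no SIF is required; raises when the target lies beyond SIL 4."""
    if rrf <= 1.0:
        return 0
    target_pfd = 1.0 / rrf
    for low, high, sil in SIL_BANDS:
        if low <= target_pfd < high:
            return sil
    raise ValueError(f"target PFDavg {target_pfd:.2e} lies below the SIL 4 band; "
                     "a single SIF cannot close this gap, revisit the design")


def layer_pfd(shared_pfd, own_pfd):
    """PFD of a layer built from a shared element (for example one transmitter feeding
    both layers) in series with the layer's own element: the layer fails if either fails."""
    return 1.0 - (1.0 - shared_pfd) * (1.0 - own_pfd)


def joint_pfd_shared(shared_pfd, own_a, own_b):
    """Exact probability that both layers fail when they share one element:
    the shared element fails, or it works and both own elements fail.
    This is the Boolean (fault-tree) treatment that NOTE 3 and Annex J point to."""
    return shared_pfd + (1.0 - shared_pfd) * own_a * own_b


def compare_sil_targets(initiating_freq, tolerable_freq, shared_pfd, own_a, own_b):
    """Required RRF and SIL for the SIF, computed (a) crediting layers A and B as
    independent and (b) with the shared element modelled explicitly."""
    pfd_a = layer_pfd(shared_pfd, own_a)
    pfd_b = layer_pfd(shared_pfd, own_b)
    naive_rrf = required_rrf(initiating_freq, [pfd_a, pfd_b], tolerable_freq)
    true_rrf = initiating_freq * joint_pfd_shared(shared_pfd, own_a, own_b) / tolerable_freq
    return {
        "naive_rrf": naive_rrf, "naive_sil": sil_for_rrf(naive_rrf),
        "true_rrf": true_rrf, "true_sil": sil_for_rrf(true_rrf),
    }


if __name__ == "__main__":
    # Constructed values: 0.5 demands/year, tolerable 1e-5/year, two layers that each
    # have PFD of about 0.1 but share a 0.02-PFD element (hypothetical common transmitter).
    result = compare_sil_targets(0.5, 1e-5, shared_pfd=0.02, own_a=0.08, own_b=0.08)
    for key, value in result.items():
        print(f"{key}: {value:.4g}" if "rrf" in key else f"{key}: SIL {value}")
```

With the constructed values the independent-layer calculation asks the SIF for SIL 2, while the calculation that models the shared element asks for SIL 3: crediting the layers as independent understates the required risk reduction, which is the non-conservative outcome NOTE 3 warns about.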
Figure 2 gives an overview of typical protection layers and risk reduction means.
Figure 2 (diagram; the layers are listed here from the outermost layer in to the process):
– Community emergency response: emergency broadcasting
– Plant emergency response: evacuation procedures
– Mitigation: mechanical mitigation systems; safety instrumented control systems; safety
instrumented mitigation systems; safety instrumented systems; operator supervision
– Prevention: mechanical protection system; process alarms with operator corrective
action; safety instrumented control systems; safety instrumented prevention systems;
safety instrumented systems
– Control and monitoring: basic process control systems; monitoring systems (process
alarms); operator supervision
– Process
Figure 2 – Typical protection layers and risk reduction means found in
process plants (for example, protection layer model)
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 61511-1:2016 Functional safety – Safety instrumented systems for the process industry
sector – Part 1: framework, definitions, system, hardware and application programming
requirements
3 Terms, definitions and abbreviations
For the purposes of this document the terms, definit
...
IEC 61511-3
Edition 2.0 2016-07
INTERNATIONAL STANDARD
Functional safety – Safety instrumented systems for the process industry
sector –
Part 3: Guidance for the determination of the required safety integrity levels
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards,
Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and
iPad.
IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical
committee,…). It also gives information on projects, replaced and withdrawn publications.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and
also once a month by email.
Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in
English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical
Vocabulary (IEV) online.
IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and
CISPR.
IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 13.110; 25.040.01
ISBN 978-2-8322-3212-5
– 2 – IEC 61511-3:2016 IEC 2016
CONTENTS
FOREWORD. 7
INTRODUCTION . 9
1 Scope . 12
2 Normative references . 13
3 Terms, definitions and abbreviations . 13
Annex A (informative) Risk and safety integrity – general guidance . 14
A.1 General . 14
A.2 Necessary risk reduction . 14
A.3 Role of safety instrumented systems . 14
A.4 Risk and safety integrity . 16
A.5 Allocation of safety requirements . 17
A.6 Hazardous event, hazardous situation and harmful event . 17
A.7 Safety integrity levels . 18
A.8 Selection of the method for determining the required safety integrity level . 18
Annex B (informative) Semi-quantitative method – event tree analysis . 20
B.1 Overview . 20
B.2 Compliance with IEC 61511-1:2016 . 20
B.3 Example . 20
B.3.1 General . 20
B.3.2 Process safety target . 21
B.3.3 Hazard analysis . 21
B.3.4 Semi-quantitative risk analysis technique. 22
B.3.5 Risk analysis of existing process . 23
B.3.6 Events that do not meet the process safety target . 25
B.3.7 Risk reduction using other protection layers . 26
B.3.8 Risk reduction using a safety instrumented function . 26
Annex C (informative) The safety layer matrix method . 28
C.1 Overview . 28
C.2 Process safety target . 29
C.3 Hazard analysis . 29
C.4 Risk analysis technique . 30
C.5 Safety layer matrix . 31
C.6 General procedure . 32
Annex D (informative) A semi-qualitative method: calibrated risk graph . 34
D.1 Overview . 34
D.2 Risk graph synthesis . 34
D.3 Calibration . 35
D.4 Membership and organization of the team undertaking the SIL assessment . 36
D.5 Documentation of results of SIL determination . 37
D.6 Example calibration based on typical criteria . 37
D.7 Using risk graphs where the consequences are environmental damage . 40
D.8 Using risk graphs where the consequences are asset loss . 41
D.9 Determining the integrity level of instrument protection function where the
consequences of failure involve more than one type of loss . 41
Annex E (informative) A qualitative method: risk graph . 42
E.1 General . 42
E.2 Typical implementation of instrumented functions . 42
E.3 Risk graph synthesis . 43
E.4 Risk graph implementation: personnel protection . 43
E.5 Relevant issues to be considered during application of risk graphs . 45
Annex F (informative) Layer of protection analysis (LOPA) . 47
F.1 Overview . 47
F.2 Impact event . 48
F.3 Severity level . 48
F.4 Initiating cause . 49
F.5 Initiation likelihood . 50
F.6 Protection layers . 50
F.7 Additional mitigation . 51
F.8 Independent protection layers (IPL) . 51
F.9 Intermediate event likelihood . 52
F.10 SIF integrity level . 52
F.11 Mitigated event likelihood . 52
F.12 Total risk . 52
F.13 Example . 53
F.13.1 General . 53
F.13.2 Impact event and severity level . 53
F.13.3 Initiating cause . 53
F.13.4 Initiating likelihood . 53
F.13.5 General process design. 53
F.13.6 BPCS . 53
F.13.7 Alarms . 53
F.13.8 Additional mitigation . 54
F.13.9 Independent protection layer(s) (IPL) . 54
F.13.10 Intermediate event likelihood . 54
F.13.11 SIS . 54
F.13.12 Next SIF . 54
Annex G (informative) Layer of protection analysis using a risk matrix . 56
G.1 Overview . 56
G.2 Procedure . 58
G.2.1 General . 58
G.2.2 Step 1: General Information and node definition . 58
G.2.3 Step 2: Describe hazardous event . 59
G.2.4 Step 3: Evaluate initiating event frequency . 62
G.2.5 Step 4: Determine hazardous event consequence severity and risk
reduction factor . 63
G.2.6 Step 5: Identify independent protection layers and risk reduction factor . 64
G.2.7 Step 6: Identify consequence mitigation systems and risk reduction
factor . 65
G.2.8 Step 7: Determine CMS risk gap . 66
G.2.9 Step 8: Determine scenario risk gap . 69
G.2.10 Step 9: Make recommendations when needed . 69
Annex H (informative) A qualitative approach for risk estimation & safety integrity level
(SIL) assignment . 71
H.1 Overview . 71
H.2 Risk estimation and SIL assignment . 73
H.2.1 General . 73
H.2.2 Hazard identification/indication . 73
H.2.3 Risk estimation . 73
H.2.4 Consequence parameter selection (C) (Table H.2) . 74
H.2.5 Probability of occurrence of that harm . 75
H.2.6 Estimating probability of harm . 77
H.2.7 SIL assignment . 77
Annex I (informative) Designing & calibrating a risk graph . 80
I.1 Overview . 80
I.2 Steps involved in risk graph design and calibration . 80
I.3 Risk graph development . 80
I.4 The risk graph parameters . 81
I.4.1 Choosing parameters . 81
I.4.2 Number of parameters. 81
I.4.3 Parameter value. 81
I.4.4 Parameter definition . 81
I.4.5 Risk graph . 82
I.4.6 Tolerable event frequencies (Tef) for each consequence . 82
I.4.7 Calibration . 83
I.4.8 Completion of the risk graph . 84
Annex J (informative) Multiple safety systems . 85
J.1 Overview . 85
J.2 Notion of systemic dependencies . 85
J.3 Semi-quantitative approaches . 88
J.4 Boolean approaches . 89
J.5 State-transition approach . 92
Annex K (informative) As low as reasonably practicable (ALARP) and tolerable risk
concepts . 96
K.1 General . 96
K.2 ALARP model . 96
K.2.1 Overview . 96
K.2.2 Tolerable risk target . 97
Bibliography . 99
Figure 1 – Overall framework of the IEC 61511 series . 11
Figure 2 – Typical protection layers and risk reduction means . 13
Figure A.1 – Risk reduction: general concepts . 16
Figure A.2 – Risk and safety integrity concepts . 17
Figure A.3 – Harmful event progression . 18
Figure A.4 – Allocation of safety requirements to the non-SIS protection layers and
other protection layers . 19
Figure B.1 – Pressurized vessel with existing safety systems . 21
Figure B.2 – Fault tree for overpressure of the vessel . 24
Figure B.3 – Hazardous events with existing safety systems . 25
Figure B.4 – Hazardous events with SIL 2 safety instrumented function . 27
Figure C.1 – Protection layers . 28
Figure C.2 – Example of safety layer matrix. 32
Figure D.1 – Risk graph: general scheme . 38
Figure D.2 – Risk graph: environmental loss . 41
Figure E.1 – VDI/VDE 2180 Risk graph – personnel protection and relationship to SILs . 44
Figure F.1 – Layer of protection analysis (LOPA) report . 49
Figure G.1 – Layer of protection graphic highlighting proactive and reactive IPL . 56
Figure G.2 – Work process used for Annex G . 58
Figure G.3 – Example process node boundary for selected scenario . 59
Figure G.4 – Acceptable secondary consequence risk . 67
Figure G.5 – Unacceptable secondary consequence risk . 67
Figure G.6 – Managed secondary consequence risk . 69
Figure H.1 – Workflow of SIL assignment process . 72
Figure H.2 – Parameters used in risk estimation . 74
Figure I.1 – Risk graph parameters to consider . 81
Figure I.2 – Illustration of a risk graph with parameters from Figure I.1 . 82
Figure J.1 – Conventional calculations . 85
Figure J.2 – Accurate calculations . 86
Figure J.3 – Redundant SIS . 88
Figure J.4 – Corrective coefficients for hazardous event frequency calculations when
the proof tests are performed at the same time . 89
Figure J.5 – Expansion of the simple example . 89
Figure J.6 – Fault tree modelling of the multi SIS presented in Figure J.5 . 90
Figure J.7 – Modelling CCF between SIS1 and SIS2 . 91
Figure J.8 – Effect of tests staggering . 91
Figure J.9 – Effect of partial stroking . 92
Figure J.10 – Modelling of repair resource mobilisation . 93
Figure J.11 – Example of output from Monte Carlo simulation . 94
Figure J.12 – Impact of repairs due to shared repair resources . 95
Figure K.1 – Tolerable risk and ALARP . 97
Table B.1 – HAZOP study results . 22
Table C.1 – Frequency of hazardous event likelihood (without considering PLs) . 31
Table C.2 – Criteria for rating the severity of impact of hazardous events . 31
Table D.1 – Descriptions of process industry risk graph parameters . 35
Table D.2 – Example calibration of the general purpose risk graph . 39
Table D.3 – General environmental consequences . 40
Table E.1 – Data relating to risk graph (see Figure E.1) . 45
Table F.1 – HAZOP developed data for LOPA . 48
Table F.2 – Impact event severity levels . 49
Table F.3 – Initiation likelihood . 50
Table F.4 – Typical protection layers (prevention and mitigation) PFDavg . 51
Table G.1 – Selected scenario from HAZOP worksheet . 59
Table G.2 – Selected scenario from LOPA worksheet . 61
Table G.3 – Example initiating causes and associated frequency . 63
Table G.4 – Consequence severity decision table . 64
Table G.5 – Risk reduction factor matrix . 64
Table G.6 – Examples of independent protection layers (IPL) with associated risk
reduction factors (RRF) and probability of failure on demand (PFD) . 66
Table G.7 – Examples of consequence mitigation system (CMS) with associated risk
reduction factors (RRF) and probability of failure on demand (PFD) . 66
Table G.8 – Step 7 LOPA worksheet (1 of 2) . 68
Table G.9 – Step 8 LOPA worksheet (1 of 2) . 70
Table H.1 – List of SIFs and hazardous events to be assessed . 73
Table H.2 – Consequence parameter/severity level . 74
Table H.3 – Occupancy parameter/Exposure probability (F) . 75
Table H.4 – Avoidance parameter/avoidance probability . 76
Table H.5 – Demand rate parameter (W) . 77
Table H.6 – Risk graph matrix (SIL assignment form for safety instrumented functions) . 78
Table H.7 – Example of consequence categories . 78
Table K.1 – Example of risk classification of incidents . 98
Table K.2 – Interpretation of risk classes . 98
INTERNATIONAL ELECTROTECHNICAL COMMISSION
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-3 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement, control and
automation.
This second edition cancels and replaces the first edition published in 2003. This edition
constitutes a technical revision. This edition includes the following significant technical
changes with respect to the previous edition:
Additional H&RA example(s) and quantitative analysis consideration annexes are provided.
The text of this document is based on the following documents:
FDIS: 65A/779/FDIS
Report on voting: 65A786/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the IEC 61511 series, published under the general title Functional safety –
Safety instrumented systems for the process industry sector, can be found on the
IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
Safety instrumented systems (SIS) have been used for many years to perform safety
instrumented functions (SIF) in the process industries. If instrumentation is to be effectively
used for SIF, it is essential that this instrumentation achieves certain minimum standards and
performance levels.
The IEC 61511 series addresses the application of SIS for the process industries. A process
hazard and risk assessment is carried out to enable the specification for SIS to be derived.
Other safety systems are only considered so that their contribution can be taken into account
when considering the performance requirements for the SIS. The SIS includes all devices and
subsystems necessary to carry out the SIF from sensor(s) to final element(s).
The IEC 61511 series has two concepts which are fundamental to its application: the SIS safety
life-cycle and safety integrity levels (SIL).
The IEC 61511 series addresses SIS which are based on the use of Electrical (E)/Electronic
(E)/Programmable Electronic (PE) technology. Where other technologies are used for logic
solvers, the basic principles of the IEC 61511 series should be applied. The IEC 61511 series
also addresses the SIS sensors and final elements regardless of the technology used. The
IEC 61511 series is process industry specific within the framework of IEC 61508:2010.
The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these
minimum standards. This approach has been adopted in order that a rational and consistent
technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. If necessary,
this may be combined with a protective system or systems to address any residual identified
risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic,
pneumatic, electrical, electronic, and programmable electronic). Any safety strategy should
consider each individual SIS in the context of the other protective systems. To facilitate this
approach, the IEC 61511 series covers:
– a hazard and risk assessment is carried out to identify the overall safety requirements;
– an allocation of the safety requirements to the SIS is carried out;
– works within a framework which is applicable to all instrumented means of achieving
functional safety;
– details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety;
– addressing all SIS safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
– enabling existing or new country specific process industry standards to be harmonized
with the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (for example, of
underlying principles, terminology, information) within the process industries. This should
have both safety and economic benefits.
In jurisdictions where the governing authorities (for example national, federal, state, province,
county, city) have established process safety design, process safety management, or other
regulations, these take precedence over the requirements defined in the IEC 61511-1.
The IEC 61511-3 deals with guidance in the area of determining the required SIL in hazards
and risk assessment. The information herein is intended to provide a broad overview of the
wide range of global methods used to implement hazards and risk assessment. The
information provided is not of sufficient detail to implement any of these approaches.
– 10 – IEC 61511-3:2016 IEC 2016
Before proceeding, the concept and determination of SIL provided in IEC 61511-1:2016should
be reviewed. The informative annexes in the IEC 61511-3 address the following:
Annex A provides information that is common to each of the hazard and risk assessment
methods shown herein.
Annex B provides an overview of a semi-quantitative method used to determine the
required SIL.
Annex C provides an overview of a safety matrix method to determine the required SIL.
Annex D provides an overview of a method using a semi-qualitative risk graph approach
to determine the required SIL.
Annex E provides an overview of a method using a qualitative risk graph approach to
determine the required SIL.
Annex F provides an overview of a method using a layer of protection analysis (LOPA)
approach to select the required SIL.
Annex G provides a layer of protection analysis using a risk matrix.
Annex H provides an overview of a qualitative approach for risk estimation & SIL
assignment.
Annex I provides an overview of the basic steps involved in designing and calibrating a
risk graph.
Annex J provides an overview of the impact of multiple safety systems on determining the
required SIL
Annex K provides an overview of the concepts of tolerable risk and ALARP.
Figure 1 shows the overall framework for IEC 61511-1, IEC 61511-2 and IEC 61511-3 and
indicates the role that the IEC 61511 series plays in the achievement of functional safety for
SIS.
[Figure 1 is a block diagram; only its box labels and clause references survive extraction.]

Technical requirements (Part 1):
– Development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Part 1, Clause 8
– Allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification: Part 1, Clauses 9 and 10
– Design phase for safety instrumented systems: Part 1, Clause 11
– Design phase for SIS application programming: Part 1, Clause 12
– Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems: Part 1, Clauses 13, 14 and 15
– Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Part 1, Clauses 16, 17 and 18

Support parts (Part 1):
– References: Clause 2
– Definitions and abbreviations: Clause 3
– Conformance: Clause 4
– Management of functional safety: Clause 5
– Safety life-cycle requirements: Clause 6
– Verification: Clause 7
– Information requirements: Clause 19

Guideline for the application of Part 1: Part 2
Guidance for the determination of the required safety integrity levels: Part 3

Figure 1 – Overall framework of the IEC 61511 series
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
1 Scope
This part of IEC 61511 provides information on:
– the underlying concepts of risk and the relationship of risk to safety integrity (see Clause
A.4);
– the determination of tolerable risk (see Annex K);
– a number of different methods that enable the safety integrity level (SIL) for the safety
instrumented functions (SIF) to be determined (see Annexes B through K);
– the impact of multiple safety systems on calculations determining the ability to achieve the
desired risk reduction (see Annex J).
In particular, this part of IEC 61511:
a) applies when functional safety is achieved using one or more SIF for the protection of
either personnel, the general public, or the environment;
b) may be applied in non-safety applications such as asset protection;
c) illustrates typical hazard and risk assessment methods that may be carried out to define
the safety functional requirements and SIL of each SIF;
d) illustrates techniques/measures available for determining the required SIL;
e) provides a framework for establishing SIL but does not specify the SIL required for specific
applications;
f) does not give examples of determining the requirements for other methods of risk
reduction.
NOTE Examples given in the Annexes of this Standard are intended only as case specific examples of
implementing IEC 61511 requirements in a specific instance, and the user should satisfy themselves that the
chosen methods and techniques are appropriate to their situation.
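The LOPA and risk-matrix annexes (F and G), the Annex J point about multiple safety systems, and the scope item on "the ability to achieve the desired risk reduction" all rest on the same arithmetic: the initiating event frequency is multiplied by the PFD of each independent protection layer, the result is compared with a tolerable frequency, and the shortfall becomes the PFDavg the SIF must achieve, which is then placed in a SIL band. The following is an added illustration of that calculation, not an example taken from IEC 61511-3:2016 or from any of its annexes. The SIL bands are the low-demand PFDavg bands of IEC 61511-1:2016; the names `ProtectionLayer`, `determine_sil` and the rest are this example's own, and every frequency, PFD and tolerable-risk figure in the scenario is constructed for the illustration rather than recommended by the standard.

```python
"""LOPA-style determination of the required SIL for one SIF.

Added illustration; not an example from IEC 61511-3:2016. The SIL bands are the
low-demand PFDavg bands of IEC 61511-1:2016. All scenario numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Low-demand mode: SIL n means 10^-(n+1) <= PFDavg < 10^-n,
# i.e. a risk reduction factor (RRF = 1/PFDavg) between 10^n and 10^(n+1).
SIL_BANDS = {sil: (10.0 ** -(sil + 1), 10.0 ** -sil) for sil in (1, 2, 3, 4)}


@dataclass(frozen=True)
class ProtectionLayer:
    """A non-SIS layer that sits between the initiating event and the consequence."""
    name: str
    pfd: float                # probability of failure on demand, 0 < pfd < 1
    independent: bool = True  # False: shares a cause or a component with the initiating
                              # event or with another layer, so it earns no IPL credit


def mitigated_frequency(initiating_freq: float, layers: list, enabling: float = 1.0) -> float:
    """Consequence frequency (per year) with the existing layers but without the SIF.

    Multiplying PFDs assumes the layers fail independently of each other and of the
    initiating event. A layer flagged as dependent is counted as if it always fails:
    that is the common-cause situation Annex J and NOTE 3 warn makes the method
    non-conservative if credit is taken anyway.
    """
    if not 0 < enabling <= 1:
        raise ValueError("enabling condition probability must be in (0, 1]")
    freq = initiating_freq * enabling
    for layer in layers:
        if not 0 < layer.pfd < 1:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1)")
        if layer.independent:
            freq *= layer.pfd
    return freq


def required_sif_pfd(initiating_freq: float, layers: list, tolerable_freq: float,
                     enabling: float = 1.0) -> Optional[float]:
    """PFDavg the SIF must achieve so the mitigated frequency meets the tolerable one.

    Returns None when the existing layers alone meet the target (no SIF needed).
    """
    # Low-demand mode is defined by no more than one demand per year; above that the
    # PFDavg bands do not apply and a high-demand treatment is needed (NOTE 2 above).
    if initiating_freq > 1.0:
        raise ValueError("demand rate above 1/yr: low-demand PFDavg bands do not apply")
    without_sif = mitigated_frequency(initiating_freq, layers, enabling)
    if without_sif <= tolerable_freq:
        return None
    return tolerable_freq / without_sif


def sil_for_pfd(required_pfd: float) -> int:
    """Map a required PFDavg onto the low-demand SIL band that contains it.

    0 means an RRF below 10: no SIL-rated SIF is required. A requirement below the
    SIL 4 band cannot be met by a single SIF and calls for a design change or another
    independent layer, not a higher SIL. The returned SIL is the band; the SIF design
    still has to be verified to reach the required PFDavg itself, not merely the band.
    """
    if required_pfd >= SIL_BANDS[1][1]:
        return 0
    for sil, (low, high) in sorted(SIL_BANDS.items()):
        if low <= required_pfd < high:
            return sil
    raise ValueError(f"required PFDavg {required_pfd:.2e} is below the SIL 4 band")


def determine_sil(initiating_freq: float, layers: list, tolerable_freq: float,
                  enabling: float = 1.0):
    """Return (required_pfd, sil); (None, 0) when no SIF is needed."""
    pfd = required_sif_pfd(initiating_freq, layers, tolerable_freq, enabling)
    return (None, 0) if pfd is None else (pfd, sil_for_pfd(pfd))


# Constructed scenario (not from the standard): vessel overpressure caused by a failed
# BPCS control loop, 0.1 demands per year. The relief valve is an independent layer.
# The operator alarm is generated by the same BPCS that caused the demand, so it is
# not independent of the initiating event and earns no credit.
SCENARIO_LAYERS = [
    ProtectionLayer("pressure relief valve", pfd=1e-2),
    ProtectionLayer("operator response to BPCS alarm", pfd=1e-1, independent=False),
]
SCENARIO_INITIATING_FREQ = 0.1   # per year, constructed
SCENARIO_TOLERABLE_FREQ = 3e-6   # per year, constructed corporate target for this consequence


if __name__ == "__main__":
    pfd, sil = determine_sil(SCENARIO_INITIATING_FREQ, SCENARIO_LAYERS, SCENARIO_TOLERABLE_FREQ)
    print(f"required SIF PFDavg <= {pfd:.1e}  (RRF >= {1 / pfd:.0f})  ->  SIL {sil}")
```

Running the scenario gives a required PFDavg of 3e-3 (RRF about 333) and therefore SIL 2. Taking credit for the dependent alarm as well would drop the requirement to SIL 1, which is exactly the non-conservative outcome the independence rule exists to prevent; whether a layer is truly independent is a judgement the standard leaves to the analyst, and the numbers here carry no weight beyond the illustration.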
Annexes B through K illustrate quantitative and qualitative approaches and have been
simplified in order to illustrate the underlying principles. These annexes have been included to
illustrate the general principles of a number of methods but do not provide a definitive
account.
NOTE 1 Those intending to apply the methods indicated in these annexes can consult the source material
referenced in each annex.
NOTE 2 The methods of SIL determination included in Part 3 may not be suitable for all applications. In particular,
specific techniques or additional factors that are not illustrated may be required for high demand or continuous
mode of operation.
NOTE 3 The methods as illustrated herein may result in non-conservative results when they are used beyond
their underlying limits and when factors su
...
IEC 61511-3:2016 is a standard on functional safety for safety instrumented systems in the process industry and, in particular, provides guidance for determining the required safety integrity level (SIL). It applies where functional safety is achieved with safety instrumented functions (SIFs) to protect personnel, the general public or the environment, and it may also be applied to non-safety applications such as asset protection. A strength of IEC 61511-3:2016 is that it sets out typical hazard and risk assessment methods and gives guidance for defining the safety functional requirements and the SIL of each SIF, which gives an organization a clear framework for evaluating risk and specifying the safety functions it needs. Because the techniques and measures available for determining the required SIL are also shown, practitioners can more easily reach a judgement that fits their actual situation. The standard does not specify the SIL required for particular applications; it concentrates on providing a framework for establishing SIL, so that an organization can carry out an assessment suited to its own needs and risks. The newly added hazard and risk assessment examples and the annexes on quantitative analysis considerations are a substantial expansion over the previous edition and offer more concrete methodology. IEC 61511-3:2016 plays an important role in the process industry as the reference for establishing the safety integrity levels needed for functional safety, giving the whole industry a common basis for reducing risk and improving safety.
IEC 61511-3:2016 is a key document in functional safety, specifically for safety instrumented systems in the process industry. Its scope is clearly defined and centres on how functional safety can be achieved using one or more safety instrumented functions (SIFs) to protect personnel, the public and the environment, which makes the standard relevant across a wide range of industrial applications. A major strength is its comprehensive presentation of the typical hazard and risk analysis methods. These methods are essential for defining the safety requirements and the safety integrity level (SIL) of each SIF; by providing a framework for establishing these SILs, the standard helps companies develop clear and precise safety requirements. The updated edition brings significant technical changes compared with the 2003 predecessor: in particular, the additional hazard and risk analysis examples and the annexes on quantitative analysis give professionals working on SIL determination valuable tools and keep the standard in step with current requirements and technology. In summary, IEC 61511-3:2016 not only gives important orientation for implementing safety instrumented systems but also serves as a guiding document that helps industrial companies improve and update their safety standards continually. Such standards are indispensable for a high level of safety in the process industry.
IEC 61511-3:2016, "Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels", is an essential document for implementing functional safety in the process industries. It applies where functional safety is provided by one or more safety instrumented functions (SIFs) protecting personnel, the general public or the environment. One of its main strengths is the way it illustrates typical hazard and risk assessment methods, which are crucial for defining the safety functional requirements and the safety integrity level (SIL) of each SIF; the additional risk analysis examples in this updated edition strengthen a practitioner's ability to determine the required SIL precisely. The standard also offers a range of techniques and measures for establishing the required SIL, providing a clear and structured framework. While it does not specify SILs for particular applications, it also shows how the same approach can be applied to non-safety applications such as asset protection. This second edition replaces the first edition of 2003 and introduces significant technical changes, notably the added hazard and risk assessment (H&RA) examples and the annexes on quantitative analysis, which are a real step forward for professionals in the field. In sum, IEC 61511-3:2016 is a key reference for determining the safety integrity levels required in the process sector while meeting current functional safety expectations.
IEC 61511-3:2016 serves as a crucial guideline for organizations aiming to achieve functional safety in the process industry sector through safety instrumented functions (SIFs). Its scope is broad: it covers safety-critical scenarios involving the protection of personnel, the public and the environment, and it extends to asset protection in non-safety contexts, which makes it relevant across the sectors of the process industry. One of its significant strengths is its structured approach to determining the required safety integrity level (SIL). The standard illustrates several hazard and risk assessment methods for defining the safety functional requirements and the corresponding SIL of each SIF, which supports a systematic evaluation and informed decisions about safety measures. The guidance on establishing SIL is thorough: while it does not prescribe the SIL for specific applications, it sets out the techniques and measures an organization can use to determine its own required SIL, tailored to the needs and risks of each situation. Furthermore, this second edition is a technical revision that builds on the first edition of 2003. Noteworthy enhancements include additional hazard and risk assessment examples and annexes on quantitative analysis considerations, reflecting the evolving practice of risk assessment.
In summary, IEC 61511-3:2016 stands out as a key reference document that not only emphasizes the importance of functional safety in the process industry but also equips professionals with the necessary guidance and tools to effectively navigate safety challenges. Its balance of technical content and practical application ensures that organizations can align their operational practices with established safety standards, ultimately enhancing safety outcomes across the sector.
IEC 61511-3:2016 provides guidance on determining the safety integrity level (SIL) required to achieve functional safety with safety instrumented systems in the process industry sector. It applies where one or more safety instrumented functions (SIFs) are used to protect personnel, the general public or the environment, and it can also be applied to non-safety applications such as asset protection. Its main strength is that it sets out the typical hazard and risk assessment methods that can be carried out to define the safety functional requirements and the SIL of each SIF; it also describes the techniques and measures available for determining the required SIL and provides a framework for establishing it. It does not, however, specify the SIL needed for particular applications, and it gives no examples of determining the requirements for other methods of risk reduction. This second edition cancels and replaces the first edition of 2003 and is a technical revision: compared with the previous edition it adds hazard and risk assessment (H&RA) examples and annexes on quantitative analysis considerations, which broaden its applicability and make it a reliable basis for establishing functional safety within the industry. In conclusion, IEC 61511-3:2016 gives comprehensive guidance for determining the SIL of SIFs in the process industry and is an important resource for securing appropriate functional safety.