SIST EN 61511-3:2007

6,67(16/29(16.,MDQXDU67$1'$5'LVWRYHWHQ(1)XQNFLMVNDYDUQRVW6LVWHPL]YDUQRVWQLPLLQVWUXPHQWL]DVHNWRUSURFHVQHLQGXVWULMHGHO6PHUQLFH]DXJRWDYOMDQMH]DKWHYDQLKQLYRMHYFHORYLWHYDUQRVWL,(&)XQFWLRQDOVDIHW\6DIHW\LQVWUXPHQWHGV\VWHPVIRUWKHSURFHVVLQGXVWU\VHFWRU3DUW*XLGDQFHIRUWKHGHWHUPLQDWLRQRIWKHUHTXLUHGVDIHW\LQWHJULW\OHYHOV,(& !"#$%&'( )&!*- . 5HIHUHQþQDãWHYLOND6,67(1HQ,&6







EUROPEAN STANDARD
EN 61511-3 NORME EUROPÉENNE EUROPÄISCHE NORM
December 2004 CENELEC European Committee for Electrotechnical Standardization Comité Européen de Normalisation Electrotechnique Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2004 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61511-3:2004 E
ICS 25.040.01
English version
Functional safety –
Safety instrumented systems for the process industry sector Part 3: Guidance for the determination
of the required safety integrity levels (IEC 61511-3:2003 + corrigendum 2004)
Sécurité fonctionnelle –
Systèmes instrumentés de sécurité
pour le secteur des industries
de transformation Partie 3: Conseils pour la détermination des niveaux d'intégrité de sécurité (CEI 61511-3:2003)
Funktionale Sicherheit - Sicherheitstechnische Systeme
für die Prozessindustrie Teil 3: Anleitung für die Bestimmung
der erforderlichen Sicherheits-Integritätslevel (IEC 61511-3:2003 + Corrigendum 2004)
This European Standard was approved by CENELEC on 2004-10-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.



EN 61511-3:2004 - 2 - Foreword The text of the International Standard IEC 61511-3:2003, prepared by SC 65A, System aspects, of IEC TC 65, Industrial-process measurement and control, was submitted to the Unique Acceptance Procedure and was approved by CENELEC as EN 61511-3 on 2004-10-01 without any modification. The following dates were fixed: – latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement
(dop) 2005-10-01 – latest date by which the national standards conflicting
with the EN have to be withdrawn
(dow) 2007-10-01 __________ Endorsement notice The text of the International Standard IEC 61511-3:2003 + corrigendum October 2004 was approved by CENELEC as a European Standard without any modification. __________



NORME INTERNATIONALECEIIEC INTERNATIONAL STANDARD 61511-3Première éditionFirst edition2003-03 Sécurité fonctionnelle – Systèmes instrumentés de sécurité pour
le secteur des industries de transformation – Partie 3: Conseils pour la détermination des niveaux exigés d'intégrité de sécurité
Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels
Pour prix, voir catalogue en vigueur For price, see current catalogue IEC 2004
Droits de reproduction réservés

Copyright - all rights reserved Aucune partie de cette publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit de l'éditeur. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher. International Electrotechnical Commission,
3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, SwitzerlandTelephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch
Web: www.iec.ch CODE PRIX PRICE CODE XA Commission Electrotechnique InternationaleInternational Electrotechnical Commission



61511-3  IEC:2004 – 3 –
CONTENTS FOREWORD.7 INTRODUCTION.11 1 Scope.17 2 Terms, definitions and abbreviations.19 3 Risk and safety integrity – general guidance.19 3.1 General.19 3.2 Necessary risk reduction.21 3.3 Role of safety instrumented systems.21 3.4 Safety integrity.23 3.5 Risk and safety integrity.25 3.6 Allocation of safety requirements.27 3.7 Safety integrity levels.27 3.8 Selection of the method for determining the required safety integrity level.29
Annex A
(informative)
As Low As Reasonably Practicable (ALARP)
and tolerable risk concepts.31 Annex B (informative) Semi-quantitative method.39 Annex C (informative) The safety layer matrix method.55 Annex D (informative) Determination of the required safety integrity levels –
a semi-qualitative method: calibrated risk graph.67 Annex E (informative)
Determination of the required safety integrity levels –
a qualitative method: risk graph.85 Annex F (informative)
Layer of protection analysis (LOPA).97
Figure 1 – Overall framework of this standard.15 Figure 2 – Typical risk reduction methods found in process plants.19 Figure 3 – Risk reduction: general concepts.25 Figure 4 – Risk and safety integrity concepts.27 Figure 5 – Allocation of safety requirements to the Safety Instrumented Systems,
non-SIS prevention/mitigation protection layers and other protection layers.29 Figure A.1 – Tolerable risk and ALARP.33 Figure B.1 – Pressurized vessel with existing safety systems.41 Figure B.2 – Fault tree for overpressure of the vessel.47 Figure B.3 – Hazardous events with existing safety systems.49 Figure B.4 – Hazardous events with redundant protection layer.51 Figure B.5 – Hazardous events with SIL 2 SIS safety function.53 Figure C.1 – Protection layers.55 Figure C.2 – Example safety layer matrix.63 Figure D.1 – Risk graph: general scheme.77 Figure D.2 – Risk graph: environmental loss.83 Figure E.1 – DIN V 19250 risk graph – personnel protection (see Table E.1).91 Figure E.2 – Relationship between IEC 61511 series, DIN 19250 and VDI/VDE 2180.95 Figure F.1 – Layer of Protection Analysis (LOPA) Report.99



61511-3 © IEC:2004 – 5 –
Table A.1 – Example of risk classification of incidents.37 Table A.2 – Interpretation of risk classes.37 Table B.1 – HAZOP study results.43 Table C.1 – Frequency of hazardous event likelihood (without considering PLs).61 Table C.2 – Criteria for rating the severity
of impact of hazardous events.61 Table D.1 – Descriptions of process industry risk graph parameters.69 Table D.2 – Example calibration of the general purpose risk graph.79 Table D.3 – General environmental consequences.81 Table E.1 – Data relating to risk graph (see Figure E.1).93 Table F.1 – HAZOP developed data for LOPA.99 Table F.2 – Impact event severity levels.101 Table F.3 – Initiation Likelihood.101 Table F.4 – Typical protection layer (prevention and mitigation) PFDs.103



61511-3  IEC:2004 – 7 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION ____________
FUNCTIONAL SAFETY– SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with an IEC Publication. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights. International Standard IEC 61511-3 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement and control. This bilingual version (2004-10) replaces the English version. The text of this standard is based on the following documents: FDIS Report on voting 65A/367/FDIS 65A/370/RVD
Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.



61511-3  IEC:2004 – 9 –
The French version of this standard has not been voted upon. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. IEC 61511 consists of the following parts, under the general title Functional safety – Safety Instrumented Systems for the process industry sector (see Figure 1): Part 1: Framework, definitions, system, hardware and software requirements Part 2: Guidelines for the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels The committee has decided that the contents of this publication will remain unchanged until the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed; • withdrawn; • replaced by a revised edition, or • amended.



61511-3  IEC:2004 – 11 –
INTRODUCTION Safety instrumented systems have been used for many years to perform safety instrumented functions in the process industries. If instrumentation is to be effectively used for safety instrumented functions, it is essential that this instrumentation achieves certain minimum standards and performance levels. This International Standard addresses the application of safety instrumented systems for the process industries. It also requires a process hazard and risk assessment to be carried out to enable the specification for safety instrumented systems to be derived. Other safety systems are only considered so that their contribution can be taken into account when considering the performance requirements for the safety instrumented systems. The safety instrumented system includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s).
This standard has two concepts which are fundamental to its application; safety lifecycle and safety integrity levels. This standard addresses safety instrumented systems which are based on the use of Electrical (E)/Electronic (E)/Programmable Electronic (PE) technology. Where other technologies are used for logic solvers, the basic principles of this standard should be applied. This standard also addresses the safety instrumented system sensors and final elements regardless of the technology used. This standard is process industry specific within the framework of IEC 61508 (see Annex A of IEC 61511-1).
This standard sets out an approach for safety lifecycle activities to achieve these minimum standards. This approach has been adopted in order that a rational and consistent technical policy be used. In most situations, safety is best achieved by an inherently safe process design. If necessary, this may be combined with a protective system or systems to address any residual identified risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy should consider each individual safety instrumented system in the context of the other protective systems. To facilitate this approach, this standard – requires that a hazard and risk assessment is carried out to identify the overall safety requirements; – requires that an allocation of the safety requirements to the safety instrumented system(s) is carried out; – works within a framework which is applicable to all instrumented methods of achieving functional safety; – details the use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety. This standard on safety instrumented systems for the process industry: – addresses all safety life cycle phases from initial concept, design, implementation, operation and maintenance through to decommissioning; – enables existing or new country specific process industry standards to be harmonized with this standard.



61511-3  IEC:2004 – 13 –
This standard is intended to lead to a high level of consistency (for example, of underlying principles, terminology, information) within the process industries. This should have both safety and economic benefits. In jurisdictions where the governing authorities (for example national, federal, state, province, county, city) have established process safety design, process safety management, or other requirements, these take precedence over the requirements defined in this standard. This standard deals with guidance in the area of determining the required SIL in hazards and risk analysis (H & RA). The information herein is intended to provide a broad overview of the wide range of global methods used to implement H & RA. The information provided is not of sufficient detail to implement any of these approaches. Before proceeding, the concept and determination of safety integrity level(s) (SIL) provided in IEC 61511-1 should be reviewed. The annexes in this standard address the following: Annex A provides an overview of the concepts of tolerable risk and ALARP. Annex B provides an overview of a semi-quantitative method used to determine the required SIL. Annex C
provides an overview of a safety matrix method to determine the required SIL. Annex D provides an overview of a method using a semi-qualitative risk graph approach to determine the required SIL. Annex E provides an overview of a method using a qualitative risk graph approach to determine the required SIL. Annex F provides an overview of a method using a layer of protection analysis (LOPA) approach to select the required SIL.



61511-3  IEC:2004 – 15 –
Clauses 9 and 10Design phase forsafetyinstrumentedsystemsClause 11Design phase forsafetyinstrumentedsystem softwareClause 12Allocation of the safety requirements tothe safety instrumented functions anddevelopment of safety requirementsSpecificationDevelopment of the overall safetyrequirements (concept, scope definition,hazard and risk assessment)Clause 8Factory acceptance testing,installation and commissioning andsafety validation of safetyinstrumented systemsClauses 13, 14, and 15Operation and maintenance,modification and retrofit,decommissioning or disposal ofsafety instrumented systemsClauses 16, 17, and 18SupportPartsTechnicalrequirementsPART 1PART 1PART 1PART 1PART 1ReferencesClause 2PART 1Definitions andabbreviationsClause 3PART 1ConformanceClause 4PART 1Management offunctional safetyClause 5PART 1InformationrequirementsClause 19PART 1DifferencesAnnex APART 1Guidelines for theapplication of part 1Clause 2PART 2Guidance for thedetermination of therequired safetyintegrity levelsPART 3Safety lifecyclerequirementsClause 6PART 1VerificationClause 7PART 1 Figure 1 – Overall framework of this standardIEC
3008/02



61511-3  IEC:2004 – 17 –
FUNCTIONAL SAFETY–
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 3: Guidance for the determination
of the required safety integrity levels
1 Scope This part of IEC 61511 provides information on – the underlying concepts of risk, the relationship of risk to safety integrity, see Clause 3;
– the determination of tolerable risk, see Annex A; – a number of different methods that enable the safety integrity levels for the safety instru-mented functions to be determined, see Annexes B, C, D, E, and F. In particular, this part a)
applies when functional safety is achieved using one or more safety instrumented functions for the protection of either personnel, the general public, or the environment; b)
may be applied in non-safety applications such as asset protection; c)
illustrates typical hazard and risk assessment methods that may be carried out to define the safety functional requirements and safety integrity levels of each safety instrumented function; d)
illustrates techniques/measures available for determining the required safety integrity levels; e)
provides a framework for establishing safety integrity levels but does not specify the safety integrity levels required for specific applications; f) does not give examples of determining the requirements for other methods of risk reduction. Annexes B, C, D, E, and F illustrate quantitative and qualitative approaches and have been simplified in order to illustrate the underlying principles. These annexes have been included to illustrate the general principles of a number of methods but do not provide a definitive account.
NOTE Those intending to apply the methods indicated in these annexes should consult the source material referenced in each annex.
Figure 1 shows the overall framework for IEC 61511-1, IEC 61511-2 and IEC 61511-3 and indicates the role that this standard plays in the achievement of functional safety for safety instrumented systems. Figure 2 gives an overview of risk reduction methods.



61511-3  IEC:2004 – 19 –
Figure 2 – Typical risk reduction methods found in process plants (for example, protection layer model)
2 Terms, definitions and abbreviations For the purposes of this document, the definitions and abbreviations given in Clause 3 of IEC 61511-1 apply. 3 Risk and safety integrity – general guidance 3.1 General This clause provides information on the underlying concepts of risk and the relationship of risk to safety integrity. This information is common to each of the diverse hazard and risk analysis (H & RA) methods shown herein.
PREVENTION Mechanical protection system Process alarms with operator corrective action
Safety instrumented control systems Safety instrumented prevention systems MITIGATION Mechanical mitigation systems Safety instrumented control systems Safety instrumented mitigation systems Operator supervision CONTROL and MONITORINGBasic process control systems Monitoring systems (process alarms) Operator supervision PLANT EMERGENCY RESPONSEEvacuation procedures COMMUNITY EMERGENCY RESPONSEEmergency broadcasting PROCESS IEC
3009/02



61511-3  IEC:2004 – 21 –
3.2 Necessary risk reduction The necessary risk reduction (which may be stated either qualitatively1 or quantitatively2) is the reduction in risk that has to be achieved to meet the tolerable risk (process safety target level) for a specific situation. The concept of necessary risk reduction is of fundamental importance in the development of the safety requirements specification for the Safety Instru-mented Function (SIF) (in particular, the safety integrity requirements part of the safety requirements specification). The purpose of determining the tolerable risk (process safety target level) for a specific hazardous event is to state what is deemed reasonable with respect to both the frequency of the hazardous event and its specific consequences. Protection layers (see Figure 3) are designed to reduce the frequency of the hazardous event and/or the consequences of the hazardous event. Important factors in assessing tolerable risk include the perception and views of those exposed to the hazardous event. In arriving at what constitutes a tolerable risk for a specific application, a number of inputs can be considered. These may include: – guidelines from the appropriate regulatory authorities; – discussions and agreements with the different parties involved in the application; – industry standards and guidelines; – industry, expert and scientific advice; – legal and regulatory requirements – both general and those directly relevant to the specific application. 3.3 Role of safety instrumented systems A safety instrumented system implements the safety instrumented functions required to achieve or to maintain a safe state of the process and, as such, contributes towards the necessary risk reduction to meet the tolerable risk. For example, the safety functions requirements specification may state that when the temperature reaches a value of x, valve y opens to allow water to enter the vessel. The necessary risk reduction may be achieved by either one or a combination of Safety Instrumented Systems (SIS) or other protection layers. A person could be an integral part of a safety function. For example, a person could receive information on the state of the process, and perform a safety action based on this information. If a person is part of a safety function, then all human factors should be considered. Safety instrumented functions can operate in a demand mode of operation or a continuous mode of operation. ——————— 1
In determining the necessary risk reduction, the tolerable risk needs to be established. Annexes D and E of IEC 61508-5 outline qualitative methods, although in the examples quoted the necessary risk reduction is incorporated implicitly rather than stated explicitly. 2 For example, a hazardous event, leading to a specific consequence, would typically be expressed as a maximum frequency of occurrence per year.



61511-3  IEC:2004 – 23 –
3.4 Safety integrity Safety integrity is considered to be composed of the following two elements. a) Hardware safety integrity – that part of safety integrity relating to random hardware failures in a dangerous mode of failure. The achievement of the specified level of hardware safety integrity can be estimated to a reasonable level of accuracy, and the requirements can therefore be apportioned between subsystems using the established rules for the combination of probabilities and considering common cause failures. It may be necessary to use redundant architectures to achieve the required hardware safety integrity. b) Systematic safety integrity – that part of safety integrity relating to systematic failures in a dangerous mode of failure. Although the contribution due to some systematic failures may be estimated, the failure data obtained from design faults and common cause failures means that the distribution of failures can be hard to predict. This has the effect of increasing the uncertainty in the failure probability calculations for a specific situation (for example the probability of failure of a SIS). Therefore a judgement has to be made on the selection of the best techniques to minimize this uncertainty. Note that taking measures to reduce the probability of random hardware failures may not necessarily reduce the probability of systematic failure. Techniques such as redundant channels of identical hardware, which are very effective at controlling random hardware failures, are of little use in reducing systematic failures. The total risk reduction provided by the safety instrumented function(s) together with any other protection layers has to be such as to ensure that: – the failure frequency of the safety functions is sufficiently low to prevent the hazardous event frequency from exceeding that required to meet the tolerable risk; and/or – the safety functions modify the consequences of failure to the extent required to meet the tolerable risk. Figure 3 illustrates the general concepts of risk reduction. The general model assumes that: – there is a process and an associated basic process control system (BPCS); – there are associated human factor issues; – the safety protection layers features comprise: 1) mechanical protection system; 2) safety instrumented systems; 3) mechanical mitigation system. NOTE Figure 3 is a generalized risk model to illustrate the general principles. The risk model for a specific application needs to be developed taking into account the specific manner in which the necessary risk reduction is actually being achieved by the safety instrumented
...