Upcoming changes in IEC 61511 on Safety Instrumented Systems

iec61511_updateblogThe ISA (International Society of Automation) 84 standard (“Application of Safety Instrumented Systems for the Process Industries”) was first published in 1996. During the time of its development, the IEC (International Electrotechnical Commission) was working on the 61511 standard (“Functional Safety: Safety Instrumented Systems for the Process Industry Sector”). Some members of the ISA 84 committee were also members of the IEC 61511 committee. In essence, the ISA 84 committee had direct involvement – along with all the other national committees – in the creation of the IEC 61511 standard. IEC 61511 was published in 2003.

ISA and IEC, like many standards development organizations, try and put their standards through a 5 year review and development cycle. In the early 2000’s the ISA 84 committee felt that the more recent 61511 standard was a considerable improvement compared to its original work, and the committee agreed to adopt 61511 as the 2nd edition of ISA 84. The only change was the addition of the “grandfather clause” (1.y) which comes from a US regulation. ISA 84 (IEC 61511 mod) 2nd edition was published in 2004.

It has been over 10 years since the first release of IEC 61511. That committee has worked diligently to create a 2nd edition. A CD (Committee Draft) went out for review and comment by the national committees in 2012. The FDIS (Final Draft International Standard) went out to the committee in November 2015. The standard should be released in 2016. Note that there may still be editorial changes to the standard, but no further technical changes will be accepted for this edition. The ISA 84 committee will then decide whether to accept the 2nd edition of IEC 61511 as the 3rd edition of ISA 84, or whether they may wish to make any changes. Considering the desire for international design practices and standards, changes would be unlikely.

One significant change is the removal of the concept of safe failure fraction (SFF), along with the old Table 5 covering the minimum hardware fault tolerance requirements for programmable electronic logic solvers (which was based on SFF). However, one of the most significant changes to the standard is the single fault tolerance table that does appear. Essentially, the fault tolerance requirements for SIL 2 and 3 have been lowered by one compared to the first edition of the standard.

There are three options to meet the fault tolerance requirements for subsystems; follow the table and five clauses in the standard, or base the claim on either route 1H or 2H from IEC 61508. Route 1H is based on safe failure fraction concepts, route 2H is based on prior use. The “H” is intended to signify hardware safety integrity, in order to distinguish it from systematic safety integrity. The five clauses in 61511 are derived from route 2H in 61508. There are still exceptions allowing the numbers in the table to be reduced further. However, such cases must be justified and documented showing evidence of suitability, systematic failures must be considered, diagnostic coverage of programmable devices cannot be less than 60%, and reliability data must have a confidence limit no less than 70%.

The table should not be interpreted as a “get out of jail free” card allowing everyone to claim SIL 2 while using a single (non-redundant) dumb (without any diagnostics) switch and valve. Probability of failure on demand (PFD) calculations must still be done to justify a design. Published failure rates would show such a claim to be a difficult justify.

Simply put, the majority of changes can be classified as clarifications and improvements. Many items that were previously understood and commonly practiced are now spelled out. However, the lowering of the fault tolerance requirements by one compared to the earlier edition is cause for concern and potential abuse.

Click on the link below for a paper summarizing the changes to each clause.
Download White Paper