DIFFERENCES BETWEEN IEC 61511 AND ISA 84.01-1996
Angela E. Summers, P.E., PhD
President, SIS-TECH Solutions, LLC
12621 Featherwood, Suite 120
Houston, Texas 77034
KEYWORDS
Standards, Safety Instrumented Function, Validation, Verification
ABSTRACT
The international standard IEC 61511 will be released in its entirety as a final standard this year.  The ISA SP84 committee has voted to accept IEC 61511 as ANSI/ISA 84.01-2003.  It has also begun work on a guidance document, concerning transition to and implementation of IEC 61511 in the United States.  The author of this paper is the Task Team Leader for this guidance document.
Although IEC 61511 uses a lifecycle concept, it is no mirror image of ISA 84.01-1996.  An international standard must harmonize the standards of many countries.  Consequently, the standard will add new requirements for management of functional safety, component selection, design, pre-startup safety reviews, operation and maintenance, and auditing.  This paper will not present an overview of the IEC 61511 standard.  Rather, this paper will focus on the most significant differences between IEC 61511 and ISA 84.01-1996, highlighting what end users need to consider in migrating their current ISA 84.01-1996 programs into IEC 61511 programs.
LIFECYCLE DIFFERENCES
In the United States, many companies must adhere to OSHA 1910.119, Process Safety Management (PSM) for Highly Hazardous Chemicals.  The ISA SP84 committee created the ISA 84.01-1996 standard to supplement PSM in the areas related to the implementation of instrumentation and controls necessary for safe operation.  Rather than repeating PSM mandates, the standard references OSHA 1910 for some key PSM program elements.  Specifically, ISA 84.01-1996 does not cover safety management, hazard analysis, pre-start-up safety review, or training.
Many other countries do not have a regulation similar to OSHA 1910.  Therefore, IEC 61511 includes specific requirements in the areas of safety management, hazard analysis, pre-start-up safety review, and training.  The inclusion of these requirements ensures that a complete safety management system, as required in the United States, is implemented worldwide.  The requirements will be discussed later in this paper.
GRANDFATHER CLAUSE
The US version of IEC 61511 will include a grandfather clause for existing installations that were designed in accordance with ISA 84.01-1996, which states:
“For existing SIS designed and constructed in accordance with codes, standards (i.e. ANSI/ISA 84.01-1996), or practices prior to the issuance of this standard, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”
The grandfather clause does not protect any user from the OSH Act General Duty Clause, which requires that owners/operators provide a safe working environment.  And, OSHA has already stated in their letter to ISA dated March 23, 2000 that “The employer may be in violation of the General Duty Clause, Section 5 (a)(1) of the OSH Act, if SIS are utilized which do not conform with S84.01 and hazards exist related to the SIS which could seriously harm employees.”
Of course, new units or retrofits must be designed and implemented according to the ISA 84.01-2003 standard.
TERMINOLOGY
SAFETY INSTRUMENTED FUNCTION VERSUS SAFETY INSTRUMENTED SYSTEM
ISA 84.01-1996 uses the term safety instrumented system to refer to a single instrumented loop or to the overall implementation of multiple instrumented loops in a single programmable electronic system (PES).  IEC 61511 introduces a new term, safety instrumented function (SIF).
SIFs are instrumented loops that address a specific process risk and are assigned an SIL.  SIFs are simply the logic that is being applied to achieve a certain amount of risk reduction, e.g. on high pressure, shut the main fuel gas valves.  An SIS is used to implement the safety instrumented function.  Safety instrumented systems are the actual hardware and software that are used to implement the safety instrumented function, e.g. on high pressure, transmitter PT-101 sends a trip condition to the redundant PES, which de-energizes its outputs associated with solenoid XY-101A, which closes valve XV-101A, and solenoid XY-101B, which closes valve XV-101B.
VERIFICATION VERSUS VALIDATION
ISA 84.01-1996 required that the conceptual design be verified against the safety requirements specification (SRS) and that the detailed design be verified against the conceptual design and SRS.  It also required that the SIL be verified.  After commissioning the SIS, a pre-startup acceptance test was required that included input-to-output testing to ensure that the SIS works in the actual installation as intended by the design.  These same activities occur in IEC 61511, but this standard makes a distinction between pre-startup acceptance testing, which IEC 61511 refers to as validation, and the earlier assessment activities, which IEC 61511 refers to as verification.
Verification is an activity in which the deliverables from any stage are compared to the specifications developed in the previous stages to ensure that the deliverables match the specifications.  A verification step would be to ensure that the detailed design matches the safety requirements specification.  Validation is an activity that proves that the SIS works.  Validation involves a complete input-to-output test.  In the US, this testing is performed as part of the pre-startup acceptance test.
(Figure: validation versus verification)
MANAGEMENT OF FUNCTIONAL SAFETY
The management of functional safety is a requirement in IEC 61511 and there is no similar requirement in ISA 84.01-1996.  The intent is to identify the activities that must take place to achieve safe operation and to identify the personnel that will be responsible for conducting each activity.  This is simply good project management.
Management of functional safety includes the following requirements:
o Identification of the individuals, departments or organizations that will be responsible for each of the lifecycle tasks
o Determination that those assigned responsibility for these activities are competent
o Definition of when verification, assessments, auditing and validation activities will take place
o Procedures for evaluating the performance of the SIF after it has been installed (e.g. performance audits, tracking failure rates, etc.)
o At least one functional safety assessment (FSA) performed prior to introduction of hazardous materials into the process.  The FSA is similar in content to a pre-startup safety review, so any OSHA 1910 compliant facility should already be fulfilling the majority of the requirements associated with the FSA.  IEC 61511 does require that at least one senior, competent, independent (from the project team) person take part in the FSA.  This “competent” person should be able to review the hazards analysis, design, implementation, and testing to ensure that everything has been successfully completed.  This “senior” person must also have the authority to prevent the start-up of the process unit, if necessary.
RISK ASSESSMENT AND ALLOCATION
As mentioned previously, ISA 84.01-1996 did not provide any requirements related to the hazard and risk analysis, since this analysis was already required by OSHA 1910.  Further, significant guidance on risk assessment and protection layer analysis is provided by the Center for Chemical Process Safety books, “Guidelines for Safe Automation of Chemical Process Safety” and “Guidelines for Chemical Process Quantitative Risk Analysis.”
IEC 61511 does include requirements for the risk assessment and risk allocation, including the following:
Hazard analysis scope:
o All protection layers, including critical control loops, safety critical alarms, and pressure safety devices, must be identified.
o Risk reduction must be allocated to these protection layers.
o Justification must be provided for the allocated risk reduction.
BPCS limitations (when not designed to meet the requirements of the IEC 61511 standard):
o Initiating cause frequency – no less than 10^-5/hr – regardless of the BPCS technology.
o Maximum credit as risk reduction layer – assumed risk reduction must be less than 10.
DESIGN RESTRICTIONS
There are a number of new design requirements in IEC 61511, which cover everything from the selection of devices to proving that the SIS has been adequately designed.
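The BPCS limitations listed in the risk assessment section above decide whether a SIF is needed at all and what SIL it must carry, so it is worth seeing them applied.  The following Python is an added example, not code from the paper or from ISA/IEC: it runs a LOPA-style allocation of risk reduction across protection layers, applies the two BPCS limits (initiating cause frequency floored at 10^-5/hr, BPCS layer credit capped at a risk reduction of 10), and maps the resulting required PFDavg onto the SIL bands of IEC 61511 / ANSI/ISA 84.01.  The scenario numbers (a vendor figure of 10^-6/hr for the control loop, a claimed risk reduction of 100 for a BPCS interlock, an operator response PFD of 0.1, a tolerable frequency of 10^-5/yr) are constructed for illustration, as are the function names.

```python
"""LOPA-style allocation of risk reduction across protection layers, applying the two
BPCS limits that IEC 61511 imposes when the BPCS is not designed to IEC 61511 (as listed
in the risk assessment section above): a BPCS-caused initiating event claimed no lower
than 1e-5/hr, and a BPCS-based protection layer credited with a risk reduction below 10.
Every scenario number here is constructed for illustration, not taken from a real plant."""

HOURS_PER_YEAR = 8760
BPCS_MIN_INITIATING_RATE_PER_HR = 1e-5  # floor on a BPCS-caused initiating event
BPCS_MAX_RISK_REDUCTION = 10            # BPCS layer credit capped at the paper's limit of 10

# Low-demand SIL bands (PFDavg ranges) from IEC 61511 / ANSI/ISA 84.01: (SIL, lower, upper)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def bpcs_initiating_rate_per_year(claimed_rate_per_hr, apply_limits=True):
    """Initiating-event frequency for a BPCS loop failure, with the 1e-5/hr floor applied."""
    rate = claimed_rate_per_hr
    if apply_limits:
        rate = max(rate, BPCS_MIN_INITIATING_RATE_PER_HR)
    return rate * HOURS_PER_YEAR


def bpcs_layer_pfd(claimed_risk_reduction, apply_limits=True):
    """PFD credited to a non-SIS BPCS protection layer (an interlock or control action)."""
    rrf = claimed_risk_reduction
    if apply_limits:
        rrf = min(rrf, BPCS_MAX_RISK_REDUCTION)
    return 1.0 / rrf


def sil_for_pfd(pfd):
    """Map a required PFDavg onto the SIL band that contains it."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    if pfd >= 0.1:
        return 0  # looser than the SIL 1 band: a SIF is not needed for this target
    raise ValueError("required PFD below the SIL 4 band; a SIF alone cannot meet the target")


def analyze_scenario(claimed_bpcs_rate_per_hr, claimed_bpcs_layer_rrf,
                     operator_response_pfd, tolerable_rate_per_year, apply_limits=True):
    """Return (required SIF PFDavg, SIL), or (None, None) if the other layers already suffice."""
    initiating = bpcs_initiating_rate_per_year(claimed_bpcs_rate_per_hr, apply_limits)
    # Hazard frequency that reaches the SIF after the other independent layers have acted.
    residual = (initiating * operator_response_pfd
                * bpcs_layer_pfd(claimed_bpcs_layer_rrf, apply_limits))
    if residual <= tolerable_rate_per_year:
        return None, None
    required_pfd = tolerable_rate_per_year / residual
    return required_pfd, sil_for_pfd(required_pfd)


if __name__ == "__main__":
    # Constructed scenario: a BPCS control-loop failure causes high pressure.  A vendor
    # figure of 1e-6/hr for the loop and a claimed risk reduction of 100 for a BPCS
    # interlock are evaluated with and without the IEC 61511 limits.
    for limits in (False, True):
        pfd, sil = analyze_scenario(1e-6, 100, 0.1, 1e-5, apply_limits=limits)
        print(f"limits applied={limits}: required SIF PFDavg={pfd}, SIL={sil}")
```

Run as written, the uncapped vendor numbers leave no residual need for a SIF, while the capped values call for a SIL 1 function; the justification the standard asks for is then the record of why each credit in this calculation was taken.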
DEVICE SELECTION JUSTIFICATION
ISA 84.01-1996 left the choice of SIS devices to the discretion of the user.  IEC 61511 provides two means for selecting devices for SIS applications:
1. Proven-in-use.  The selection is based on the prior use of the device.  There must be sufficient operating experience for the device in a similar operating profile.  For field devices, this could include the use of the device in a process control system application, as long as the operating profile, including the process application environment, is similar.
2. Compliance with IEC 61508.  The selection is based on the device being designed for compliance with IEC 61508.  The user can make this determination or use evidence provided by the vendor or third party certification body.
FAULT TOLERANCE
In ISA 84.01-1996, the design was considered adequate as long as the PFDavg was achieved by the SIS design.  In addition to the PFDavg, IEC 61511 requires that the SIS demonstrate a minimum fault tolerance.  The fault tolerance requirements in IEC 61511 have been highly simplified from those contained in IEC 61508.  For field devices, the redundancy requirements essentially increase as the SIL is increased.  For PES, the fault tolerance is based on the PES safe failure fraction.  The safe failure fraction is the fraction of the overall random hardware failure rate of the PES that results in either a safe failure or dangerous detected failure.  The safe failure fraction is simply a measure of the PES’s tendency to go to the safe state when there is a fault within the system.  The standard lowers the redundancy requirements as the safe failure fraction increases. [1]
[1] Please note that this means that low redundancy, high diagnostic PES will meet SIL 3 requirements.  And, the vendors have been proclaiming the capital cost savings of these PES.  However, these PES come with another price – online operation.  The very high safe failure fraction required for SIL 3 means that most PES faults take the PES to the fail safe condition.  IEC 61511 is not concerned with online performance, only safe operation.  So, make sure that reliability requirements are included in specifications for new SIS, so the plant does not wind up with a very safe but highly unreliable SIS.
QUANTITATIVE SIL VERIFICATION
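The safe failure fraction defined in the fault tolerance section, the PFDavg that a quantitative SIL verification has to demonstrate, and the spurious trip rate that the footnote warns about can all be computed from the same three failure rates.  The following Python is an added example, not code from the paper or from any vendor or standards body: it evaluates a single-channel (1oo1) PES twice, with the same hardware failure rates but different diagnostic coverage, and reports SFF, PFDavg under an annual proof test and spurious trips per year.  The failure rates, the 60% and 99% coverage figures, the annual proof test interval, the simplified 1oo1 formulas (no common-cause or repair terms) and the assumption that a detected dangerous failure drives a de-energize-to-trip PES to its safe state are all constructed for illustration.

```python
"""Simplified 1oo1 logic-solver (PES) figures of the kind compared in quantitative SIL
verification: the safe failure fraction as the paper defines it, PFDavg under periodic
proof testing, and the spurious (safe) trip rate that the footnote above warns about.
Failure rates are constructed illustration values in failures per hour, not vendor data,
and the 1oo1 formulas are the usual simplified approximations (no common-cause or repair)."""

HOURS_PER_YEAR = 8760


def split_dangerous(lambda_d, diagnostic_coverage):
    """Split the dangerous failure rate into detected (DD) and undetected (DU) parts."""
    lambda_dd = lambda_d * diagnostic_coverage
    return lambda_dd, lambda_d - lambda_dd


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF: the share of the total random hardware failure rate that is either a safe
    failure or a dangerous detected failure (the paper's definition)."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def pfd_avg_1oo1(lambda_du, proof_test_interval_hr):
    """Average probability of failure on demand for one channel proof-tested every TI hours:
    PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du * proof_test_interval_hr / 2.0


def spurious_trip_rate(lambda_s, lambda_dd):
    """Trips per year for a de-energize-to-trip 1oo1 PES, assuming (constructed model) that
    every safe failure and every detected dangerous failure drives the outputs to the safe state."""
    return (lambda_s + lambda_dd) * HOURS_PER_YEAR


def evaluate_pes(lambda_s, lambda_d, diagnostic_coverage, proof_test_interval_hr):
    """Collect the three figures a specification should state side by side."""
    lambda_dd, lambda_du = split_dangerous(lambda_d, diagnostic_coverage)
    return {
        "sff": safe_failure_fraction(lambda_s, lambda_dd, lambda_du),
        "pfd_avg": pfd_avg_1oo1(lambda_du, proof_test_interval_hr),
        "spurious_trips_per_year": spurious_trip_rate(lambda_s, lambda_dd),
    }


# Constructed comparison: identical hardware failure rates, differing diagnostic coverage.
LAMBDA_S = 5e-6          # safe failures per hour
LAMBDA_D = 5e-6          # dangerous failures per hour
TI = HOURS_PER_YEAR      # annual proof test

LOW_DIAG = evaluate_pes(LAMBDA_S, LAMBDA_D, 0.60, TI)   # SFF 0.80, PFDavg 8.76e-3
HIGH_DIAG = evaluate_pes(LAMBDA_S, LAMBDA_D, 0.99, TI)  # SFF 0.995, PFDavg 2.19e-4

if __name__ == "__main__":
    for name, m in (("60% diagnostic coverage", LOW_DIAG), ("99% diagnostic coverage", HIGH_DIAG)):
        print(f"{name}: SFF={m['sff']:.3f}  PFDavg={m['pfd_avg']:.2e}  "
              f"spurious trips/yr={m['spurious_trips_per_year']:.3f}")
```

Raising the diagnostic coverage moves the PFDavg from the SIL 2 band (10^-3 to 10^-2) into the SIL 3 band (10^-4 to 10^-3) and lifts the SFF above 99%, which is why the standard relaxes the redundancy requirement for such a PES; the spurious trip rate does not fall, because under this model every fault the diagnostics catch becomes a shutdown.  That is the reliability cost the footnote describes, and the reason a specification should state a maximum spurious trip rate next to the SIL target.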