IEC 61511: What's New in Edition Two
Copyright exida Asia Pacific 2017

Slide 2 - Presenter: Desmond Lee, CFSE
Managing Director / Senior Safety Consultant at exida Asia Pacific, with extensive knowledge of process safety management and functional safety (IEC 61508 and IEC 61511 process risk analysis). Familiar with methodologies such as HAZID, HAZOP, CHAZOP, alarm management studies, FMEA, FMEDA, FTA, LOPA, SIL classification, SRS development, SIL verification, SIS validation, functional safety assessment and SIS maintenance procedure development.
Credentials: B.Eng (Electrical and Electronics Engineering), NTU; Certified Functional Safety Expert (CFSE).
Affiliations: member of the International Society of Automation (ISA; ISA84, ISA18, ISA96 and ISA99 standard committees); American Institute of Chemical Engineers (AIChE); National Fire Protection Association (NFPA); Instrumentation & Control Society of Singapore; International System Safety Society (ISSS); The Critical Thinking Community.

Slide 3 - Functional Safety Standard History
[Timeline figure, 1990 to 2017: DIN V 19250; IEC 61508 Ed 1 and Ed 2; S84.01 1996 and S84.01 2004; IEC 61511 Ed 1 and Ed 2; the emphasis moves from the "Safety Loop" to "Functional" safety.]

Slide 4 - IEC 61511 Status
- Part 1 released in Red Line Version (RLV) 2016-02-24
- Part 2 released in Red Line Version (RLV) 2016-07-28
- Part 3 released in Red Line Version (RLV) 2016-07-21
- Part 1 Corrigendum 1 released 2016-09-15
- Part 1 Amendment 1 released 2017-08-1

Slide 5 - IEC 61511 Basics Remain
- Targets end users, engineering contractors and integrators
- Covers the entire SIS lifecycle: risk analysis, performance-based design, operations and maintenance
- Performance based, NOT prescriptive
- End user applications are not typically certified
- Independent functional safety assessments
- Three sections: Requirements, Guidelines, SIL Selection
[Figure: Prescriptive (clear design, variable safety) versus Performance (clear safety, optimal design).]

Slide 6 - Same Basic Relationship to IEC 61508
- But now the 2nd Edition of IEC 61508 from 2010 applies instead of the original 1st Edition

Slide 7 - Same Basic IEC 61511 Safety Lifecycle
[Lifecycle figure. Phases with clause numbers: management of functional safety and functional safety assessment (Clause 5); safety lifecycle structure and planning (Clause 6.2); verification (Clauses 7 and 12.7); hazard and risk analysis (Clause 8); allocation of safety functions to protection layers (Clause 9); SIS safety requirements specification (Clauses 10 and 12); SIS design and engineering (Clauses 11 and 12); SIS factory acceptance test (Clause 13); SIS installation and commissioning (Clause 14); SIS safety validation (Clause 15); SIS operation and maintenance (Clause 16); SIS modification (Clause 17); SIS decommissioning (Clause 18). Swimlanes: analysis, design and implementation, operation; management, proof testing, design and construction.]

Slide 8 - Same Basic Elements
- Part 1 requirements are about the same length as before (81 vs 83 pages)
- The differences expand both the safety lifecycle activity details and the documentation and functional safety management requirements
- Part 2 has more and better clarifications to Part 1 than before
- Part 3 has more risk analysis explanation and examples than before

Slide 9 - Systematic and Random Failures are Better Defined
Random failures:
- Defined by a predictable failure rate, but occur at unpredictable times
- Only involve the system, not a particular condition
- Quantitative approach to manage random failures
Systematic failures:
- Can be eliminated when the cause is eliminated (unlike random failures)
- Typically reproducible
- Qualitative approach to manage systematic failures
Both random and systematic failures must be controlled to achieve a SIL.

Slide 10 - Random vs. Systematic Failures
- The difference is important because the functional safety standards state that probabilistic analysis only applies to random failures
- Some tend to classify many real failures as "systematic" and end up with very low and unrealistic "random" failure numbers
- Failure data collection programs should collect information on ALL failures and count ALL real failures as random until it is proven that systematic changes have eliminated future failures of a given type

Slide 11 - More Formal Competency Requirements
- Old IEC 61511 only required that individuals be competent to carry out the activities for which they are accountable
- New IEC 61511 requires a list of specific items to be "addressed and documented" when considering the competency of those involved in safety lifecycle activities
- A procedure must also be in place to manage the competency of all those involved in the SIS safety lifecycle
- Periodic competency assessments are also now required

Slide 12 - Additional Supplier Requirements
- Old IEC 61511 Clause 5.2.5.2 only required suppliers of products or services to have an adequate quality management system
- New IEC 61511 Clause 5.2.5.2 adds the following: "If a supplier makes any functional safety claims for a product or service, which are used by the organization to demonstrate compliance with the requirements of this part of IEC 61511, the supplier shall have a functional safety management system. Procedures shall be in place to demonstrate the adequacy of the functional safety management system."

Slide 13 - More Robust Functional Safety Assessment
- "The use of functional safety assessment (FSA) is fundamental in demonstrating that a SIS fulfils its requirements" (Part 2 Clause 5.3.6.1)
- Same requirement to carry out an FSA after validation and before operation
- New requirement to carry out an FSA periodically during the operations and maintenance phase (Clause 5.2.6.1.10)
- FSA on modifications specifically requires review of the impact analysis
- More details on auditing and revision, with emphasis on management of change

Slide 14 - Clearer Application Program SLC
[Figure only: application program safety lifecycle.]

Slide 15 - More Extensive Process Hazards and Risk Assessment Guidance
- Significant information on recommended methods in Part 2 Clause 8.2.1
- "A preliminary hazard and risk assessment should be carried out early during the basic process design"
- "A final hazard and risk assessment may therefore be necessary once the piping and instrumentation diagrams have been finalized ... formal and fully documented procedure such as hazard and operability study (HAZOP, see IEC 61882)"
- "When considering the frequency of demands, it may be necessary in some complex cases to undertake a fault tree analysis"

Slide 16 - New Cyber Security Requirements
- Clause 8.2.4: "A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS"
- Includes security against both intentional attacks and unintended errors
- Includes the requirement to determine what is needed for additional risk reduction with respect to security threats
- SIS design must provide "the necessary resilience against the identified security risks"

Slide 17 - Consider High Demand/Continuous Modes in Risk Analysis
- Clause 9.2.2 OLD: "The required safety integrity level of a safety instrumented function shall be derived by taking into account the required risk reduction that is to be provided by that function"
- Clause 9.2.2 NEW: "The required SIL shall be derived taking into account the required PFD or PFH that is to be provided by the SIF"

Slide 18 - New Requirement for Single Hazards with Multiple SIFs
- Clause 9.2.4 Note 4 OLD: "It is possible to use several lower safety integrity level systems to satisfy the need for a higher level function (for example, using a SIL 2 and a SIL 1 system together to satisfy the need for a SIL 3 function)"
- Clause 9.2.8 NEW: "If the risk reduction required for a hazardous event is allocated to multiple SIFs in a single SIS, then the SIS shall meet the overall risk reduction requirement"

Slide 19 - Clearer Guidance on BPCS Credit
- Clause 9.3.4 NEW: "No more than one BPCS protection layer shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is the initiating source for the demand on the protection layer"
- "No more than two BPCS protection layers shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is not the initiating source of the demand"
- Clause 9.3.5 NEW: "Each BPCS protection layer shall be independent and separate from the initiating source and from each other to the extent that the claimed risk reduction of each BPCS protection layer is not compromised"

Slide 20 - Example: BPCS Independence Requirement
[Figure only: example for Part 2 Clauses 9.3.4 and 9.3.5.]

Slide 21 - New Safety Requirements Specification Considerations
- Clause 10.3.2 has 29 requirements for the SRS
- New I/O list requirement
- More SIS process measurement requirements for range and accuracy, as well as trip points
- More specifics on bypass requirements
- Application program requirements moved from OLD Clause 12.2 to NEW SRS Clause 10.3, with some software planning aspects moved to Clause 6

Slide 22 - New Process Safety Time Considerations
- Old IEC 61511 only referred to a system response time, which simply needed to be specified and met
- Now process safety time (Clause 3.2.52.1) is the "time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the SIF is not performed"
- Interestingly, the guidance in Part 2 Clause 11.9.2 is that "the sum of the diagnostic test interval and the time to perform the specified action to achieve or maintain a safe state is less than the process safety time"
- This is more aggressive than the generally accepted target of a response in less than half the process safety time

Slide 23 - Additional Design Requirements
- Must now alarm energise-to-trip (ETT) systems when utility (power) is lost
- Must now provide "the necessary resilience against the identified security risks"
- FVL and LVL programmable devices shall have a diagnostic coverage of at least 60%
- Must define the maximum bypass time and provide compensating measures during bypass

Slide 24 - Consistent Low/High Demand and Continuous Mode Definitions
- Previously there was a definition mismatch with IEC 61508, since IEC 61511 did not define a high demand mode
- Now all three modes are defined in new IEC 61511 Clause 3.2.43: low demand, high demand, continuous
- Note that the one-demand-per-year point defines the difference between low and high demand mode
- This can cause problems when proof testing is done frequently on "high demand" applications, since low demand better defines the correct way to calculate SIF performance
- More consideration for high demand and continuous mode SIFs throughout the standard

Slide 25 - Mode Summary

                       | Low Demand                    | High Demand                                | Continuous
Failure measure        | Use PFDavg table              | Use PFH table                              | Use PFH table
Proof testing          | Take credit for proof testing | NO credit for proof testing unless HFT > 0 | NO credit for proof testing
Automatic diagnostics  | Take credit for diagnostics * | Take credit for diagnostics *              | NO credit for automatic diagnostics

* If fast enough (Part 2 Clause 11.9.2 recommends 100 diagnostic cycles per demand)

Slide 26 - Systematic Capability Better Defined
- Determined with reference to the requirements for the avoidance of systematic faults in IEC 61508-2 and IEC 61508-3
- SC N means the systematic capability of the device meets the requirements of SIL N
- Still requires the device to be applied in accordance with the instructions specified in the device safety manual for SC N

Slide 27 - Different Hardware Fault Tolerance / Architectural Constraints
- New table of requirements
- No more safe failure fraction calculations required
- Matches IEC 61508-2 Clause 7.4.4.3, Route 2H
- Still three requirements for a SIL: PFDavg/PFH, hardware fault tolerance, systematic capability

Slide 28 - More Robust Reliability Data Requirements
- Random failure rate data "shall be credible, traceable, documented and justified" (Clause 11.9.3)
- "End users should organize relevant reliability data collections in accordance with IEC 60300-3-2 or ISO 14224 to improve the implementation of the IEC 61511 standard" (Clause 11.9.3)
- "Reliability data uncertainties shall be assessed and taken into account when calculating the failure measure" (Clause 11.9.4)
- 70% minimum confidence limit recommended in IEC 61511 Part 2 and in IEC 61508

Slide 29 - New Application Program SLC Details
[Figure only.]

Slide 30 - Validation
- New specific requirement to plan validation throughout the SLC (Clause 15.2.1)
- Special mention of planning "how validation activities can be performed, without putting the plant and process at risk of the hazardous events the SIS is to protect against"
- Application software validation must include documented "traceability of the SIF from inception during the H&RA through the final installed SIF"
- Specific item to validate that there are no negative SIS effects from "BPCS fault conditions for any interfaces between the SIS and BPCS" or from "executing unused software functionality, i.e. functionality not defined in the specification"
- Specific emphasis on resolving any discrepancies between expected and actual results
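A worked application of the process safety time rule (slide 22), the one-demand-per-year mode boundary (slide 24) and the Mode Summary credit rules (slide 25), added here as an example and not taken from the exida deck or the IEC text. The single-channel PFDavg and PFH approximations, the field names and the constructed SIF parameters are my assumptions; the slide itself points to the IEC 61508 tables.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
DEMAND_THRESHOLD_PER_YEAR = 1.0   # slide 24: one demand per year separates low and high demand
DIAG_CYCLES_PER_DEMAND = 100      # Part 2 Clause 11.9.2 recommendation quoted on slide 25

@dataclass
class SIF:
    demand_rate_per_year: float   # demand rate from the H&RA or O&M data collection
    continuous: bool              # hazard follows a dangerous failure without a discrete demand
    hft: int                      # hardware fault tolerance of the subsystem
    proof_test_interval_h: float  # TI
    diag_interval_h: float        # automatic diagnostic test interval
    action_time_h: float          # time to achieve or maintain the safe state after detection
    pst_h: float                  # process safety time (Clause 3.2.52.1)
    lambda_du: float              # dangerous undetected failure rate per hour (random failures only)
    lambda_dd: float              # dangerous detected failure rate per hour

def demand_mode(s: SIF) -> str:
    if s.continuous:
        return "continuous"
    return "low" if s.demand_rate_per_year <= DEMAND_THRESHOLD_PER_YEAR else "high"

def diagnostics_fast_enough(s: SIF) -> bool:
    """Mode Summary footnote: diagnostics earn credit only if fast enough, read here as
    diagnostic interval + action time < PST (Part 2 Clause 11.9.2) and at least
    100 diagnostic cycles per demand (second check skipped when no demands occur)."""
    within_pst = s.diag_interval_h + s.action_time_h < s.pst_h
    if s.demand_rate_per_year <= 0:
        return within_pst
    mean_time_between_demands_h = HOURS_PER_YEAR / s.demand_rate_per_year
    return within_pst and mean_time_between_demands_h / s.diag_interval_h >= DIAG_CYCLES_PER_DEMAND

def assess(s: SIF) -> dict:
    """Apply the Mode Summary credit rules and return the failure measure.
    The figure uses the single-channel approximations PFDavg ~ lambda_D*TI/2 and
    PFH ~ lambda_D (my assumption, not the IEC 61508 tables the slide refers to)."""
    mode = demand_mode(s)
    proof_credit = {"low": True, "high": s.hft > 0, "continuous": False}[mode]
    diag_credit = mode != "continuous" and diagnostics_fast_enough(s)
    # without diagnostic credit, detected dangerous failures count as if undetected
    lambda_d = s.lambda_du if diag_credit else s.lambda_du + s.lambda_dd
    if mode == "low":
        measure, value = "PFDavg", lambda_d * s.proof_test_interval_h / 2
    else:
        measure, value = "PFH", lambda_d
    return {"mode": mode, "measure": measure, "value": value,
            "proof_test_credit": proof_credit, "diagnostics_credit": diag_credit,
            # slide 22: generally accepted target is a response within half the PST
            "response_within_half_pst": s.diag_interval_h + s.action_time_h < s.pst_h / 2}
```

A high-demand SIF whose diagnostic cycle plus action time exceeds the process safety time gets no diagnostic credit, so its detected dangerous failures are counted against the PFH as if undetected.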
Slide 31 - Specific O&M Items
- A specific SIS maintenance plan is required (Clause 16.2.1)
- Specific response plans for identified faults
- "Adequate validation after replacement of any device" (Clause 16.2.2)
- Diagnostics must be tested (Clause 16.2.2)
- Collect data related to the demand rate and SIS reliability parameters (Clause 16.2.2)

Slide 32 - Other O&M Items
- More specific SIF demand rate and failure mode data collection (Clause 16.2.9)
- "SIS spare parts shall be identified and shall be made available" (Clause 16.2.12)
- The O&M team "shall review the hazard and risk analysis, allocation and design to ensure the assumptions made are valid, e.g. assumptions on occupancy and corrosion protection" (Clause 16.2.13)

Slide 33 - New Proof Testing Requirements
- "A proof test shall be repeated after the repair is completed" (Clause 16.3.1.4)
- Application program changes now require both a "full validation and a proof test of any SIF impacted by the change" (Clause 16.3.1.6); "Exceptions to this are allowed if appropriate review and partial testing of changes are carried out"
- Proof test deferrals must have "suitable management procedures" to "prevent significant delay to proof testing" (Clause 16.3.1.7)

Slide 34 - New 61511 Summary
- Not that different from the old 61511
- More clear in a number of areas
- More consistent with 61508
- Additional emphasis on: competency, verification, good reliability data, good documentation and