IEC-61511---Whats-New-in課件

1、IEC 61511:Whats New in Edition Two Copyright exida Asia Pacific 20172Managing Director / Senior Safety Consultant at exida Asia Pacific with extensive knowledge of process safety management and functional safety (IEC 61508 and IEC 61511 process risk analysis). Familiar with methodology like HAZID, H

2、AZOP, CHAZOP, Alarm Management Studies, FMEA, FMEDA, FTA, LOPA, SIL classification, SRS development, SIL verification, SIS validation, Functional Safety Assessment, SIS maintenance procedure development. Credentials B.Eng (Electrical and Electronics Engineering), NTUCertified Functional Safety Exper

3、t, CFSEAffiliationsMember of the International Society of Automation (ISA), (ISA84, ISA18, ISA96 and ISA99 standard committees member)American Institute of Chemical Engineers (AIChE) MemberNational Fire Protection Association(NFPA) MemberInstrumentation & Control Society of Singapore MemberInternati

4、onal System Safety Society (ISSS) MemberThe Critical Thinking Community MemberDesmond Lee, CFSECopyright exida Asia Pacific 2017Functional Safety Standard History功能安全演變DIN V 19250IEC 61508 Ed 1IEC 61511 Ed 1Ed 2S84.01 1996S84.01 2004199019952000200520102017Ed 2Safety Loop“Functional”Copyright exida

5、Asia Pacific 20174Copyright exida Asia Pacific 2017IEC 61511 StatusPart 1 released in Red Line Version (RLV) 2016-02-24Part 2 released in Red Line Version (RLV) 2016-07-28Part 3 released in Red Line Version (RLV) 2016-07-21Part 1 released Corrigendum 1 2016-09-15Part 1 released Amendment 1 2017-08-1

6、5Copyright exida Asia Pacific 2017IEC 61511 Basics RemainIEC 61511標(biāo)準(zhǔn) 的基礎(chǔ)沒變Targets end users, engineering contractors and integratorsCovers the entire SIS LifecycleRisk analysisPerformance based designOperations and maintenancePerformance NOT PrescriptiveEnd user applicationsNot typically certifiedIn

7、dependent functional safety assessmentsThree sectionsRequirementsGuidelinesSIL SelectionPrescriptive (Clear design, variable safety)Performance (Clear safety, optimal design) Same Basic Relationship to IEC 61508與IEC 61508的基本關(guān)系沒變But now the 2nd Edition of 61508 from 2010 applies instead of the origin

8、al 1st Edition6Copyright exida Asia Pacific 2017Same Basic IEC 61511 Safety Lifecycle相同的安全生命周期Copyright LLC 2000-20177測試安裝驗證饋送概念功能安全管理和功能安全評估章節(jié)5安全生命周期結(jié)構(gòu)和規(guī)劃章節(jié)6.2為保護層分配安全功能章節(jié)9驗證章節(jié)7 和章節(jié)12.7SIS安全要求規(guī)格章節(jié)10和12 危險與風(fēng)險分析 章節(jié)8SIS設(shè)計與工程章節(jié)11 & 12SIS安裝和調(diào)試章節(jié)14SIS操作和維護章節(jié)16SIS安全驗證章節(jié)15SIS修改章節(jié)17SIS退役章節(jié)18SIS現(xiàn)場驗收測試章節(jié)13管理檢

9、驗測試設(shè)計與建造分析設(shè)計與實施運作Copyright exida Asia Pacific 2017Same Basic Elements相同的基本要素Part 1 requirements about the same length as before (81 vs 83 pages)Differences expand both the safety lifecycle activity details as well as the documentation and functional safety management requirementsPart 2 has more and

10、better clarifications to Part 1 than beforePart 3 has more risk analysis explanation / examples than before9Copyright exida Asia Pacific 2017Systematic and Random Failures are Better Defined對系統(tǒng)失效和隨機失效有更好的定義Random failuresDefined by a predictable failure rate but occur at unpredictable timesOnly invo

11、lve the system, not a particular conditionQuantitative approach to manage random failuresSystematic failuresCan be eliminated when the cause is eliminated (unlike random failures)Typically reproducibleQualitative approach to manage systematic failuresBoth random and systematic failures must be contr

12、olled to achieve SIL10Copyright exida Asia Pacific 2017Random vs. Systematic Failures隨機失效與系統(tǒng)失效The difference is important because the Functional Safety Standards state that probabilistic analysis only applies to random failuresSome tend to classify many real failures as “systematic” and end up with

13、very low and unrealistic “random” failure numbersFailure data collection programs should collect information on ALL failures and count ALL real failures as random until it is proven that systematic changes have eliminated future failures of a given type11Copyright exida Asia Pacific 2017More Formal

14、Competency Requirements正式的提出能力要求Old IEC 61511 only required that individuals be competent to carry out the activities for which they are accountableNew IEC 61511 requires a list of specific items to be “addressed and documented” when considering the competency of those involved in safety lifecycle a

15、ctivitiesA procedure must also be in place to manage the competency of all those involved in the SIS safety lifecyclePeriodic competency assessments are also now required12Copyright exida Asia Pacific 2017Additional Supplier Requirements新的供應(yīng)商要求Old IEC 61511 Clause only required that suppliers of pro

16、ducts or services to have adequate quality management systemNew IEC 61511 Clause adds the following:“If a supplier makes any functional safety claims for a product or service, which are used by the organization to demonstrate compliance with the requirements of this part of IEC 61511, the supplier s

17、hall have a functional safety management system. Procedures shall be in place to demonstrate the adequacy of the functional safety management system.”13Copyright exida Asia Pacific 2017More Robust Functional Safety Assessment強化了的功能安全評估的要求“The use of functional safety assessment (FSA) is fundamental

18、in demonstrating that a SIS fulfils its requirements” Part 2 Clause Same requirement to carry out a FSA after validation and before operationNew requirement to carry out a FSA periodically during operations and maintenance phase (Clause .10)FSA on modifications specifically requires review of impact

19、 analysisMore details on auditing and revision with emphasis on management of change14Copyright exida Asia Pacific 2017Clearer Application Program SLC更清晰的應(yīng)用程序SLC15Copyright exida Asia Pacific 2017More Extensive Process Hazards and Risk Assessment Guidance更廣泛的過程危害和風(fēng)險評估指導(dǎo)Significant information on rec

20、ommended methods in Part 2 Clause 8.2.1“A preliminary hazard and risk assessment should be carried out early during the basic process design”“A final hazard and risk assessment may therefore be necessary once the piping and instrumentation diagrams have been finalized formal and fully documented pro

21、cedure such as hazard and operability study (HAZOP see IEC 61882)”“When considering the frequencyof demands, it may be necessary in some complex cases to undertakea fault tree analysis”16Copyright exida Asia Pacific 2017Clause 8.2.4: “A security risk assessment shall be carried out to identify the s

22、ecurity vulnerabilities of the SIS”Includes security against both intentional attacks and unintended errorsIncludes requirement to determine what is needed for additional risk reduction with respect to security threatsSIS design must provide “the necessary resilience against the identified security

23、risks”New Cyber Security Requirements新的網(wǎng)絡(luò)安全風(fēng)險評估要求17Copyright exida Asia Pacific 2017Consider High Demand / ContinuousModes in Risk Analysis考慮風(fēng)險分析中的高需求/連續(xù)模式Clause 9.2.2 OLD: “The required safety integrity level of a safety instrumented function shall be derived by taking into account the required ris

24、k reduction that is to be provided by that function”Clause 9.2.2 NEW: “The required SIL shall be derived taking into account the required PFD or PFH that is to be provided by the SIF”18Copyright exida Asia Pacific 2017New Requirement for Single Hazards with Multiple SIFs具有多個SIF的危害的新要求Clause 9.2.4 No

25、te 4 OLD: “It is possible to use several lower safety integrity level systems to satisfy the need for a higher level function (for example, using a SIL 2 and a SIL 1 system together to satisfy the need for a SIL 3 function)”Clause 9.2.8 NEW: “If the risk reduction required for a hazardous event is a

26、llocated to multiple SIFs in a single SIS, then the SIS shall meet the overall risk reduction requirement”19Copyright exida Asia Pacific 2017Clearer Guidance on BPCS Credit對BPCS有更清晰的指導(dǎo)Clause 9.3.4 NEW: “No more than one BPCS protection layer shall be claimed for the same sequence of event leading to

27、 the hazardous event when the BPCS is the initiating source for the demand on the protection layer”“No more than two BPCS protection layers shall be claimed for the same sequence of even leading to the hazardous event when the BPCS is not the initiating source of the demand”Clause 9.3.5 NEW: “Each B

28、PCS protection layer shall be independent and separate from the initiating source and from each other to the extent that the claimed risk reduction of each BPCS protection layer is not compromised”20Copyright exida Asia Pacific 2017Example - BPCS Independence RequirementBPCS的獨立要求-示例Part 2 Clauses 9.

29、3.4 and 9.3.521Copyright exida Asia Pacific 2017New Safety RequirementsSpecification Considerations新的安全要求規(guī)范 Clause 10.3.2 has 29 requirements for the SRSNew I/O list requirementMore SIS process measurement requirements for range & accuracy as well as trip pointsMore specifics on bypass requirementsA

30、pplication program requirements moved from OLD Clause 12.2 to NEW SRS Clause 10.3 with some software planning aspects moved to Clause 622Copyright exida Asia Pacific 2017New Process Safety Time 過程安全時間注意事項Old IEC 61511 only referred to a system response time which simply needed to be specified and me

31、tNow process safety time (Clause ) is “time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the SIF is not performed”Interestingly, the guidance in Part 2 Clause

32、11.9.2 is that “the sum of the diagnostic test interval and the time to perform the specified action to achieve or maintain a safe state is less than the process safety time”This is more aggressive than the generally accepted target response in less than half the process safety time23Copyright exida

33、 Asia Pacific 2017Additional Design Requirements增加的設(shè)計要求Must now alarm energise to trip (ETT) systems when utility (power) is lostMust now provide “the necessary resilience against the identified security risks”FVL and LVL programmable devices shall have diagnostic coverages 60 %Must define maximum b

34、ypass time and provide compensating measures during bypass24Copyright exida Asia Pacific 2017Consistent Low / High Demand & Continuous Modes Definitions低 / 高要求和連續(xù)模式的定義Previously, there was a definition mismatch with IEC 61508 since IEC 61511 did not define a high demand modeNow, all three modes are

35、defined in new IEC 61511 Clause 3.2.43Low demandHigh demandContinuousNote that the one demand per year point defines the difference between low and high demand modeThis can cause problems when proof testing is done frequently on “high demand” applications since low demand better defines the correct

36、way to calculate SIF performanceMore consideration for high demand and continuous mode SIFs throughout the standard25Copyright exida Asia Pacific 2017Mode Summary模式概要Low DemandHigh DemandContinuousUse PFDavg TableUse PFH TableUse PFH TableTake Credit for Proof TestingNO Credit for Proof Testing unle

37、ss HFT0NO Credit for Proof Testing*Take Credit for Automatic Diagnostics*Take Credit for Automatic DiagnosticsNO Credit for Automatic Diagnostics* If fast enough (Part 2 Clause 11.9.2 recommends 100 diagnostic cycles per demand)Systematic Capability Better Defined系統(tǒng)能力現(xiàn)已被明確定義Determined with reference

38、 to the requirements for the avoidance of systematic faults in 61508-2 and 61508-3SC N means the Systematic Capability of the device meets the requirements of SIL NStill requires device to be applied in accordance with the instructions specified in the device safety manual for SC N26Copyright exida

39、Asia Pacific 201727Copyright exida Asia Pacific 2017Different Hardware Fault Tolerance / Architectural Constraints硬件故障裕度 /結(jié)構(gòu)約束New table of requirementsNo more safe failure fraction calculations requiredMatches IEC 61508-2 Clause Routh 2HStill have three requirements for SILPFDavg / PFHHardware Fault

40、 ToleranceSystematic Capability28Copyright exida Asia Pacific 2017More Robust Reliability Data Requirements更明確的可靠性數(shù)據(jù)要求Random failure rate data “shall be credible, traceable, documented and justified” (Clause 11.9.3)“End users should organize relevant reliability data collections in accordance with I

41、EC 60300-3-2 or ISO 14224 to improve the implementation of the IEC 61511 standard” (Clause 11.9.3)“Reliability data uncertainties shall be assessed and taken into account when calculating the failure measure” (Clause 11.9.4)70% minimum confidence limit recommended in IEC 61511 Part 2 and in IEC 6150

42、829Copyright exida Asia Pacific 2017New Application Program SLC Details新的應(yīng)用程序SLC細(xì)節(jié)30Copyright exida Asia Pacific 2017Validation確認(rèn) New specific requirement to plan validation throughout the SLC (Clause 15.2.1)Special mention of planning “how validation activities can be performed, without putting the

43、 plant and process at risk of the hazardous events the SIS is to protect against”Application software validation must include documented “traceability of the SIF from inception during the H&RA through the final installed SIF”Specific item to validate there are no negative SIS effects from “BPCS faul

44、t conditions for any interfaces between the SIS and BPCS” or from “executing unused software functionality, i.e. functionality not defined in the specificationSpecific emphasis to resolve any discrepancies between expected and actual results31Copyright exida Asia Pacific 2017Specific O&M ItemsO&M的特定事項Specific SIS Maintenance Plan is required (Clause 16.2.1)Specific response pla