See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/239592768

THE INTRODUCTION OF IEC 61511 IN NORWEGIAN OFFSHORE INDUSTRY

Article · October 2013


All content following this page was uploaded by Stein Hauge on 08 October 2014.



THE INTRODUCTION OF IEC 61511 IN NORWEGIAN
OFFSHORE INDUSTRY
Stein Hauge (1), Per Hokstad (1), Tor Onshus (2)
(1) SINTEF Industrial Management, Dept. of Safety and Reliability, Trondheim, Norway;
stein.hauge@online.no; Per.Hokstad@indman.sintef.no.
(2) Dept. of Engineering Cybernetics, Norwegian University of Science and Technology (NTNU),
Trondheim, Norway; Tor.Onshus@itk.ntnu.no.

ABSTRACT
This paper presents the main results from a project that prepared a guideline for use of the
standards IEC 61508 and IEC 61511 in the offshore industry of Norway. The focus is on
the determination of Safety Integrity Level (SIL) for main equipment. The paper also discusses
the elements contributing to safety unavailability and the calculation of the Probability of
Failure on Demand (PFD), which is crucial for the determination of SIL.

1. INTRODUCTION
Today it seems evident that, at least in Europe, IEC 61508 (ref. [1]) will become the central
standard for specification, design and operation of Safety Instrumented Systems (SIS). Thus, the
standard will have a major impact on the safety work e.g. within the process industry. Whereas IEC
61508 is a generic standard common to several industries, the process industry is currently
developing its own sector specific standard for application of SIS, i.e. IEC 61511 (ref. [2]).
In Norway the offshore oil/gas industry is one major area for the use of IEC 61508 and IEC
61511. The experience so far is that the application of these standards has been beneficial.
However, several challenges have emerged during the work with the Norwegian guideline and during
actual use of IEC 61508. In spite of the negative aspects, IEC 61508 and IEC 61511 introduce a
number of positive elements, and it is therefore important that these standards are implemented. One
of the many positive aspects is the focus on the entire lifecycle, and the requirements related to
operation and maintenance, in addition to design.
The Norwegian Petroleum Directorate (NPD) will in their forthcoming regulations (to
become operative 01.01.2002) recommend the use of IEC 61508 for defining the performance level
for instrumented safety functions. Therefore, the Norwegian offshore industry and NPD took an
initiative in order to ease the implementation of IEC 61508/61511. A guideline (ref. [3]) was
developed, which supports the use of the standards, and gives guidance on how to implement the
defined functions in order to obtain the required safety level. In particular, it treats the determination
of SIL for common safety functions on offshore production installations. Major operators on the
Norwegian Continental Shelf, engineering companies and vendors, together with SINTEF and
NTNU (Norwegian University of Science and Technology) carried out the work as a joint industry
project during the autumn 2000. The guideline was sponsored and issued by the Norwegian Oil
Industry Association (OLF) in January 2001. The NPD will refer to this guideline in their new
regulations.
An expressed objective underlying the guideline work was to include as many companies as
possible and to utilise the experience gathered by these companies, in order to arrive at good
solutions. Further, it was accepted that current design practice for instrumented safety systems has
resulted in a safety level considered adequate and that the implementation of IEC 61508 therefore
should be attempted without significantly increasing the overall costs.

2. OBJECTIVE AND CONTENTS OF THE GUIDELINES


As indicated above, several challenges have emerged during the work with the Norwegian
guideline and during actual use of IEC 61508:
• Following the standard, the risk of the Equipment Under Control (EUC) shall first be assessed
without any safety functions present. However, field data for the EUC risk without any safety
functions hardly exist, so these data have to be established based on judgement and
qualitative arguments;
• Field data for demand rates on process safety functions are nearly non-existent due to lack of
procedures for collecting such data;
• The present QRAs (Quantitative Risk Assessments) are not sufficiently detailed for, and not
intended to provide input for, establishing SIL requirements for safety functions. In particular,
process safety systems are seldom explicitly modelled in the QRA;
• The risk graph is difficult to apply, in particular for global safety functions like ESD (Emergency
Shutdown Systems) and F&G (Fire and Gas Systems), as these systems will be subject to
demands in a number of different accident scenarios;
• The methodology in IEC 61508 does not necessarily preserve good standard solutions, as no
guidance is given on how to define functions as in ISO 10418 (API RP14C). One example is
the requirement for two physically and functionally independent functions for overpressure
protection, using a pressure transmitter and a pressure relief valve;
• Using IEC 61508 directly requires a large amount of work without necessarily resulting in new
knowledge or better solutions for "standard" safety functions.
The standards IEC 61508 and IEC 61511 are both comprehensive and not too easily
applied without expert assistance. Interpretations may be needed for some of the requirements, and
several practical questions such as how to exactly define a safety function will arise. Further, the
presented methods for determining the SIL class are not always straightforward to use and/or not
applicable for the type of safety function under consideration. Consequently, it seemed reasonable to
develop a guideline for the application of these standards.
The overall objective of the project was to arrive at a consensus on the understanding and
use of the standards in Norwegian Offshore industry. The guideline considers aspects as:
• Specification of the SIS, including development and allocation of SIL requirements;
• Quantification of safety unavailability, in particular calculation of PFD;
• Implementation of instrumented safety functions;
• The additional lifecycle activities for the SIS including integration, operation, maintenance,
modification and eventual decommissioning;
• Management of functional safety;
• Description of verification, validation and functional safety assessment activities.

3. SAFETY FUNCTIONS AND SAFETY INTEGRITY LEVEL (SIL)


In the IEC standards a safety function is considered as a function to be implemented in order
to achieve a specified risk reduction related to a hazardous event. A safety function is thus specified
in terms of the action to be taken and the required probability to successfully carry out this action.
This probability is also referred to as the safety integrity, and in the context of IEC 61508 the safety
integrity is classified according to discrete levels as indicated in Table 1 below.

Table 1: Safety integrity levels for safety functions (from IEC 61508-1, Tables 2 and 3)

Safety Integrity Level (SIL) | Low demand mode of operation (average probability of failure to perform its design function on demand) | High demand or continuous mode of operation (probability of a dangerous failure per hour)
4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5

In addition to specifying a quantitative requirement to the failure probability, the SIL also
forms the basis for a number of qualitative requirements. This includes architectural constraints on the
safety systems as well as the description of which techniques and measures should be used in order
to avoid and control systematic faults in both hardware and software. Both IEC 61508 and IEC
61511 describe a fully risk based approach for determining the SIL requirements. The methods
indicated within IEC 61508 for determining the SIL, range from using pure quantitative risk
assessments to more qualitative methods such as risk graphs. In particular, the risk graph technique
has been extensively applied when determining SIL requirements for local safety functions such as
Process Shutdown Systems (PSD).

4. DETERMINATION OF SIL IN THE NORWEGIAN GUIDELINE


During the work with the Norwegian guideline, it was strongly argued that a pure risk based
approach for determination of SIL had several shortcomings, and that an alternative method should
be considered. It was suggested that for the most common instrumented safety functions, predefined
or minimum SIL requirements should be stated and adhered to whenever possible. The reasoning
behind such a deterministic approach is discussed below.
For a new offshore installation, a QRA will always be performed as part of the conceptual
and detail design phase. Ideally, this analysis should have been used when establishing the integrity
requirements to safety functions, at least for the functions explicitly modelled in the QRA. However,
the level of detail of the QRA as performed today, is more appropriate for evaluating conceptual
options and for verification purposes, than for stating absolute criteria. Thus, SIL requirements to
safety functions can normally not be obtained directly from the QRA, and other types of analyses
have to be performed to determine SIL.
IEC 61508/61511 suggests several methods for determining SIL requirements (e.g. risk
graph, hazardous event severity matrix). Concerning the use of risk graphs, practice has shown that
results obtained with this method can be reproduced only to a limited degree, and they are also very
difficult to document. A new group of people analysing the same system is very likely to come up with SIL
requirements different from those of the original analysis team. The risk graph appears to be a possible way
forward when determining integrity levels for "local" safety systems such as the PSD system.
However, when considering "global" safety systems such as the ESD and F&G systems, the method
seems to cause considerable problems.
On an average offshore installation there will be a large number of instrumented safety
functions implemented through well-known systems such as the PSD, ESD and F&G systems. The
design of these systems is to a large degree based on experience gathered through operation in the
North Sea over the last 20-30 years. It therefore appears to be a major "overkill" to perform large
amounts of additional analysis work in order to determine the SIL requirements for more or less
standard safety functions. Instead, it seems sensible to focus the resources on functions that
deviate from the "standard" design, such as the use of HIPPS (High Integrity Pressure Protection
Systems) both topside and sub-sea, and other new concepts. The handling of such "deviations" is
further discussed in [3].

Table 2: Examples of minimum SIL requirements (from [3])

Safety function | SIL | Functional boundaries for given SIL requirement / comments

PSD functions: PAHH, LAHH, LALL (closure of critical valve) | 2 |
The function starts with (and includes) the process sensor (e.g. PAHH), and terminates with closing of the critical valve.
Note: The given requirement for PAHH and LAHH assumes that there is one common inlet line to the considered process equipment. In case of one of several inlet lines, and thus several valves to close, a separate evaluation of required SIL should be performed.

PSD function: LAHH on flare knock-out drum (detection and transfer of shutdown signal) | 2 |
The function starts with (and includes) the process sensor and terminates at the unit(s) intended to perform the action (cf. Note 2).
Note 1: When implemented in both the PSD and ESD system, this combined function can obtain SIL 3.
Note 2: The final element(s) have not been included since a generic definition of this function has been impossible to give.

Isolation of riser (shut in of one riser) | 2 |
The SIL requirement applies to the sub-function needed for isolation of one riser/flowline, i.e.:
- ESD node
- ESD valve including solenoid(s) and actuator
The QRA should verify whether a stricter requirement (SIL 3) is required due to dimension, length, number of and fluid composition of risers/flowlines.

Gas detection (alarm signal generated, processed and action signals transmitted) | 2 |
The SIL requirement applies to the sub-function needed for gas detection, given exposure of one detector, i.e.:
- Gas detector
- F&G node

Consequently, it was decided to come up with a list of minimum safety integrity levels for the
most common safety functions. The SIL requirements given in this list are based on experience, with
a design practice that has resulted in a safety level considered adequate. This will reduce the need for
time-consuming SIL calculations for more or less “standard solutions” and will ensure a minimum
level of safety. Another advantage of using pre-determined SILs is that these figures can be used as
input to QRA during early design stages and thereby set up a link between the risk analysis and the
integrity levels for important safety functions. Some examples of these minimum SIL requirements are
shown in Table 2, treating main PSD functions.
When stating such minimum SIL requirements like the ones above, one main objective has
been to ensure a performance level equal to or better than today’s solutions. Hence, in cases where
the generic reliability data has indicated a requirement “just between” two SIL classes, generally the
stricter SIL requirement has been chosen. This is also in line with the NPD requirement for
continuous improvement.

5. QUANTIFICATION OF SAFETY UNAVAILABILITY (PFD)


One of the major SIL requirements is related to PFD = Probability of Failure on Demand,
i.e. the safety unavailability (SU) of the SIS. The IEC 61508 standard presents several suggestions
concerning the methodology for quantification of PFD. However, a couple of flaws have been
discovered that may contribute to some confusion.
There is at least one ambiguity regarding the failure classification introduced in the standard,
concerning the terms random hardware failures, hardware failures and systematic failures. An
exhaustive discussion of the various contributions to the SU is also missing. Perhaps most
seriously, the suggested β-factor model for common cause failures will not distinguish between the
performance of, say, 1oo2 (1-out-of-2) and 2oo3 voting configurations.
These problems will be detailed below, and some rather simple ways to resolve them are
pointed out. Mainly, these recommendations can be traced back to the PDS project, carried out for
the Norwegian offshore industry (refs. [4], [5] and [6]). The PDS method is today the major
technique for SIS quantification in the Norwegian offshore industry.

5.1 Failure classification and common cause failures


The IEC standard refers to two failure categories: random hardware failures and systematic
failures. From the standard it appears that Common Cause Failures (CCFs) may result both from
systematic failures and from common excessive stress on the components. However, only those arising
from excessive stresses are quantified. Therefore, some readers may find it confusing that when the
CCFs are quantified, it is stated that they actually fall into the category random hardware failures
(as systematic failures are not quantified). The simplest solution to this confusion is to adopt the
following categorisation of failures (Fig. 1).
1. Hardware failures, split into
• Random hardware failures;
• Hardware failures due to excessive stresses; either due to environmental stress (e.g. pressure,
humidity) or caused by human interaction (e.g. erroneous maintenance).
2. Systematic failures, split into
• Design errors; e.g. software errors, inability of detector to distinguish between "true" and "false"
demand, inappropriate location of gas detector (gas "blows away");
• Human interaction, i.e. human error during operation, for instance operator forgets to
remove inhibition of safety system after repair.
Hence, there are four failure categories in total, and the CCFs relate to the categories
• Hardware failures due to excessive stresses (being quantified);
• Design errors (often not quantified);
• Human error during operation (often not quantified).
The category of Random hardware failures relates entirely to independent failures. It is agreed that
the contributions of the systematic failures might be treated qualitatively. However, the contribution
to SU of all hardware failures should be quantified, (not only the random hardware failures). It may
be the intention of IEC 61508 to indicate a categorisation similar to the one presented above.
However, this will not be obvious from reading the standard.

Fig. 1 Failure classification (causes of failure):
Failure
  Hardware failure
    Random hardware failure
    Excessive stresses
  Systematic failure
    Design error
    Human interaction

5.2 Contributions to safety unavailability


The contributions to the SU of a safety system can be classified according to
• Whether the unavailability is revealed (i.e. detected and "known" to the operator). In particular,
when your safety system is made unavailable due to e.g. repair or testing it is known (revealed).
In that case you may take precautions and the unavailability is much less critical. The
unavailability is unrevealed when it is caused by a dormant failure (then we call it a critical
failure);
• Whether the unavailability is caused by a systematic failure or hardware failure. In the first case
you will usually not detect the failure by functional testing.
Following the classification suggested in Fig. 1, the contributions to the SU are
• The unrevealed (i.e. critical) unavailability; which following the IEC 61508 notation, is due to DU
(dangerous undetectable) hardware failures of rate λDU. On the average the unavailability due to
such a failure is λDU ⋅ τ/2 (where τ = period of functional testing);
• The revealed (i.e. non-critical) unavailability due to hardware failures. The unavailability due to
these events have duration equal to the mean repair time, MTTR, or to the inhibition time during
functional testing;
• Unavailability due to systematic failures, (then it is also unrevealed, i.e. critical).
Thus, we introduce
CSU = Critical Safety Unavailability = The SU caused by unrevealed failures
= CSUHW + CSUSys, where
CSUHW = Critical Safety Unavailability due to hardware failures
CSUSys = Critical Safety Unavailability due to systematic failures
NSU = Non-critical SU = The SU caused by revealed failures
= The SU caused by repair (any type of failure) + The SU caused by functional testing.
Fig. 2 Relation between CSU and PFD (safety unavailability concepts). The figure shows the three
SU terms NSU, CSUHW and CSUSys stacked: PFD (as used in IEC) covers (a part of) NSU together with
CSUHW, whereas CSU (as used in PDS) covers CSUHW together with CSUSys.

Thus, the total SU is a sum of three terms, see Fig. 2. In this figure the SU terms are also
related to the calculation of PFD as described in IEC 61508. The standard is very clear in stating
that CSUSys is not quantified. So the PFD will not include contribution from systematic failures, which
may be significant for safety systems. Further, the authors of the present paper see it as rather
unfortunate that the PFD, without a proper discussion, includes a mixture of (a part of) the non-critical
safety unavailability (NSU) and hardware failures (CSUHW). The effects of CSU and NSU are so
different that these concepts should be kept separate.

5.3 The β-factor model


If λ is the failure rate of the components under consideration, the β-factor model states that a
redundant MooN-system has failure rate β ⋅ λ, irrespective of the values of M and N (as long as
1≤M<N). Hence, the approach does not distinguish between different voting configurations, and the
same result is obtained e.g. for 1oo2, 1oo3 and 2oo3 votings. A possible way around this problem,
however, is to use different β's; e.g. β=1% for a 1oo3 voting, β=5% for a 1oo2 voting and
β=10% for a 2oo3 voting.
In the IEC standards, however, one "plant specific" β is determined, and this value is used
for all voting configurations, MooN (M<N). So in IEC 61508 the contribution to CSUHW from
CCFs simply equals CSUHW = β ⋅ λDU ⋅ τ /2 (for any MooN voting, M<N), and the rate of system
CCFs does not depend on the system configuration.
In [3] an approximate formula for CSUHW of a MooN-voting is suggested:
CSUHW(MooN) = β(MooN) ⋅ λDU ⋅ τ /2, (M<N),
where β(MooN) = β ⋅ CMooN, (M<N). Here β is the β-factor obtained from the IEC approach, and
the suggested coefficient CMooN for some typical voting configurations is given in Table 3
below. This extension of the β-factor model will also be reported separately.
Table 3: Modification factor CMooN for the β-factor, according to voting of channels

Voting | 1oo2 | 1oo3 | 2oo3 | 1oo4 | 2oo4 | 3oo4
CMooN  | 1.0  | 0.3  | 2.4  | 0.15 | 0.8  | 4.0
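The following script is an added worked example; it is not code from the paper, the OLF guideline or the PDS project. It encodes the low-demand PFD bands of Table 1 (Section 3), the λDU ⋅ τ/2 unavailability term of Section 5.2, and both the IEC single-β rule and the guideline's β(MooN) = β ⋅ CMooN extension with the CMooN values of Table 3, so that the effect of the voting configuration on the CCF contribution can be compared directly. All input values (λDU, τ, β, MTTR, inhibition time) are constructed for illustration, and the NSU estimate as frequency × duration is an assumption of this example, not a formula taken from the paper.

```python
# Added worked example (not from the paper or the OLF guideline): SIL banding from
# Table 1, the lambda_DU*tau/2 term of Section 5.2, and the beta(MooN) = beta*C_MooN
# extension of Table 3. All numeric inputs below are constructed for illustration.

# Table 1, low demand mode: SIL -> [lower, upper) band of average PFD
SIL_BANDS_LOW_DEMAND = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Table 3: modification factor C_MooN applied to the plant-specific beta
C_MOON = {"1oo2": 1.0, "1oo3": 0.3, "2oo3": 2.4, "1oo4": 0.15, "2oo4": 0.8, "3oo4": 4.0}


def sil_from_pfd(pfd):
    """Return the SIL (1..4) whose low-demand band contains pfd, or None outside SIL 1-4."""
    for sil, (lo, hi) in SIL_BANDS_LOW_DEMAND.items():
        if lo <= pfd < hi:
            return sil
    return None


def csu_hw_single_channel(lambda_du, tau):
    """Average unrevealed unavailability of one channel: lambda_DU * tau / 2
    (lambda_du in failures per hour, tau = functional test interval in hours)."""
    return lambda_du * tau / 2


def ccf_csu_hw_iec(beta, lambda_du, tau):
    """IEC 61508 approach: one plant-specific beta, identical CCF contribution for any MooN (M < N)."""
    return beta * lambda_du * tau / 2


def ccf_csu_hw_guideline(voting, beta, lambda_du, tau):
    """Guideline [3] extension: beta(MooN) = beta * C_MooN, so the CCF contribution
    to CSU_HW depends on the voting configuration."""
    return beta * C_MOON[voting] * lambda_du * tau / 2


def nsu_estimate(lambda_revealed, mttr, t_inhibit, tau):
    """Non-critical SU (revealed unavailability): repair downtime plus test inhibition.
    Assumed approximation for this example (not a formula given in the paper):
    frequency x duration, i.e. lambda_revealed * MTTR + t_inhibit / tau."""
    return lambda_revealed * mttr + t_inhibit / tau


def compare_votings(beta, lambda_du, tau):
    """CCF contribution to CSU_HW and the SIL band it falls into, for each voting of
    Table 3, under the IEC single-beta rule and under the guideline's beta(MooN) rule."""
    rows = {}
    iec = ccf_csu_hw_iec(beta, lambda_du, tau)
    for voting in C_MOON:
        g = ccf_csu_hw_guideline(voting, beta, lambda_du, tau)
        rows[voting] = {
            "iec_csu_hw": iec,
            "iec_sil": sil_from_pfd(iec),
            "guideline_csu_hw": g,
            "guideline_sil": sil_from_pfd(g),
        }
    return rows


if __name__ == "__main__":
    # Constructed inputs: DU failure rate 1e-6 per hour, yearly proof test, beta = 5 %
    LAMBDA_DU, TAU, BETA = 1e-6, 8760.0, 0.05
    single = csu_hw_single_channel(LAMBDA_DU, TAU)
    print(f"single channel CSU_HW: {single:.2e} -> SIL {sil_from_pfd(single)}")
    for voting, r in compare_votings(BETA, LAMBDA_DU, TAU).items():
        print(f"{voting}: IEC {r['iec_csu_hw']:.2e} (SIL {r['iec_sil']})  "
              f"guideline {r['guideline_csu_hw']:.2e} (SIL {r['guideline_sil']})")
    # Constructed: revealed failure rate 5e-6 per hour, 8 h MTTR, 4 h inhibition per test
    print(f"NSU estimate: {nsu_estimate(5e-6, 8.0, 4.0, TAU):.2e}")
```

Running the script shows the point of Section 5.3: with the single IEC β the 1oo2, 1oo3 and 2oo3 rows are identical, while with CMooN the 1oo3 value drops into the SIL 4 band and the 2oo3 value stays in SIL 3. The SIL printed per row is the band of the CCF term alone; the paper gives no expression for the independent-failure part of CSUHW for a MooN voting, so that part is not included here.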

6. CONCLUSIONS
Overall, it is foreseen that IEC 61508 and IEC 61511 will contribute to a more systematic
safety work in the industry and hopefully to increased safety. In particular, the standards consider all
relevant lifecycles of the SIS, and thereby put focus on aspects that may have been neglected in the
past. However, when trying to implement the standards, certain practical problems arise. In
particular, it is difficult to arrive at the required SIL values. When using risk graphs, it is problematic
to determine the SIL in a unique and objective manner. Thus, in the Norwegian guideline a set of
minimum SIL requirements for common safety functions has been provided. This might not be in line
with the basic intentions of the standards, but has been done e.g. to reduce the need for time-
consuming SIL calculations for more or less “standard solutions”, and to ensure a minimum level of
safety. Further, the work with the Norwegian guideline may be seen as a first effort to obtain
standard definitions of essential safety functions, EUC and corresponding SIL requirements in the
Norwegian offshore industry.
A couple of rather unfortunate ambiguities and flaws have been discovered in the standard,
regarding the recommended approach for PFD quantification. These may contribute to some
confusion, and the paper has presented some suggestions concerning how to deal with these
problems.

ACKNOWLEDGEMENTS
The authors wish to thank all companies and persons that participated in the development of the
Norwegian Guideline for application of IEC 61508 and IEC 61511, and thereby provided valuable
input to this paper. Thanks to OLF, which has sponsored and issued the guideline.

REFERENCES

[1] IEC 61508. "Functional safety of electrical/electronic/programmable electronic (E/E/PE)
safety related systems", part 1-7, Edition 1.0 (various dates).
[2] IEC 61511. "Functional safety: safety instrumented systems for the process industry sector",
part 1-3, CDV versions.
[3] 066 OLF guideline on the application of IEC 61508 and IEC 61511 in the petroleum
activities on the Norwegian Continental Shelf, OLF, Rev. 01, 26-01-01; (see
http://www.itk.ntnu.no/sil)
[4] Reliability Prediction Handbook; Computer-Based Process Safety Systems. SINTEF report
STF75 A89023.
[5] L. Bodsberg & P. Hokstad, A System Approach to Reliability and Life-Cycle Cost for
Process Safety Systems. IEC Trans. on Reliability, Vol. 44, No. 2, 1995.
[6] G.K. Hansen and R. Aarø, Reliability Quantification of Computer-Based Safety Systems.
An Introduction to PDS. SINTEF report STF38 A97434, Dec. 1997.
