
IEC 61511-1 ®
Edition 2.1 2017-08

CONSOLIDATED VERSION

colour inside

Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and application programming requirements

IEC 61511-1:2016-02+AMD1:2017-08 CSV(en)
THIS PUBLICATION IS COPYRIGHT PROTECTED

Copyright © 2017 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC

The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications

The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

IEC publications search - www.iec.ch/searchpub
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 16 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION

ICS 13.110; 25.040.01    ISBN 978-2-8322-4752-5

Warning! Make sure that you obtained this publication from an authorized distributor.

® Registered trademark of the International Electrotechnical Commission


IEC 61511-1 ®
Edition 2.1 2017-08

REDLINE VERSION

colour inside

Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and application programming requirements

IEC 61511-1:2016-02+AMD1:2017-08 CSV(en)
– 2 – IEC 61511-1:2016+AMD1:2017 CSV © IEC 2017
CONTENTS

FOREWORD ... 5
INTRODUCTION ... 7
1 Scope ... 9
2 Normative references ... 12
3 Terms, definitions and abbreviations ... 13
3.1 Terms ... 13
3.2 Terms and definitions ... 13
3.3 Abbreviations ... 31
4 Conformance to the IEC 61511-1:2016 ... 32
5 Management of functional safety ... 32
5.1 Objective ... 32
5.2 Requirements ... 33
5.2.1 General ... 33
5.2.2 Organization and resources ... 33
5.2.3 Risk evaluation and risk management ... 33
5.2.4 Safety planning ... 33
5.2.5 Implementing and monitoring ... 34
5.2.6 Assessment, auditing and revisions ... 34
5.2.7 SIS configuration management ... 37
6 Safety life-cycle requirements ... 37
6.1 Objectives ... 37
6.2 Requirements ... 38
6.3 Application program SIS safety life-cycle requirements ... 40
7 Verification ... 43
7.1 Objective ... 43
7.2 Requirements ... 43
8 Process H&RA ... 45
8.1 Objectives ... 45
8.2 Requirements ... 45
9 Allocation of safety functions to protection layers ... 46
9.1 Objectives ... 46
9.2 Requirements of the allocation process ... 46
9.3 Requirements on the basic process control system as a protection layer ... 49
9.4 Requirements for preventing common cause, common mode and dependent failures ... 50
10 SIS safety requirements specification (SRS) ... 50
10.1 Objective ... 50
10.2 General requirements ... 50
10.3 SIS safety requirements ... 51
11 SIS design and engineering ... 53
11.1 Objective ... 53
11.2 General requirements ... 53
11.3 Requirements for system behaviour on detection of a fault ... 54
11.4 Hardware fault tolerance ... 55
11.5 Requirements for selection of devices ... 56
11.5.1 Objectives ... 56
11.5.2 General requirements ... 56
11.5.3 Requirements for the selection of devices based on prior use ... 56
11.5.4 Requirements for selection of FPL programmable devices (e.g., field devices) based on prior use ... 57
11.5.5 Requirements for selection of LVL programmable devices based on prior use ... 58
11.5.6 Requirements for selection of FVL programmable devices ... 59
11.6 Field devices ... 59
11.7 Interfaces ... 59
11.7.1 General ... 59
11.7.2 Operator interface requirements ... 59
11.7.3 Maintenance/engineering interface requirements ... 60
11.7.4 Communication interface requirements ... 60
11.8 Maintenance or testing design requirements ... 61
11.9 Quantification of random failure ... 61
12 SIS application program development ... 63
12.1 Objective ... 63
12.2 General requirements ... 63
12.3 Application program design ... 64
12.4 Application program implementation ... 65
12.5 Requirements for application program verification (review and testing) ... 66
12.6 Requirements for application program methodology and tools ... 67
13 Factory acceptance test (FAT) ... 68
13.1 Objective ... 68
13.2 Recommendations ... 68
14 SIS installation and commissioning ... 69
14.1 Objectives ... 69
14.2 Requirements ... 69
15 SIS safety validation ... 70
15.1 Objective ... 70
15.2 Requirements ... 70
16 SIS operation and maintenance ... 73
16.1 Objectives ... 73
16.2 Requirements ... 73
16.3 Proof testing and inspection ... 75
16.3.1 Proof testing ... 75
16.3.2 Inspection ... 76
16.3.3 Documentation of proof tests and inspection ... 76
17 SIS modification ... 76
17.1 Objectives ... 76
17.2 Requirements ... 77
18 SIS decommissioning ... 77
18.1 Objectives ... 77
18.2 Requirements ... 78
19 Information and documentation requirements ... 78
19.1 Objectives ... 78
19.2 Requirements ... 78
Bibliography ... 80

Figure 1 – Overall framework of the IEC 61511 series ... 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 ... 10
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 ... 11
Figure 4 – Relationship between safety instrumented functions and other functions ... 12
Figure 5 – Programmable electronic system (PES): structure and terminology ... 24
Figure 6 – Example of SIS architectures comprising three SIS subsystems ... 26
Figure 7 – SIS safety life-cycle phases and FSA stages ... 38
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle ... 41
Figure 9 – Typical protection layers and risk reduction means ... 49

Table 1 – Abbreviations used in IEC 61511 ... 31
Table 2 – SIS safety life-cycle overview (1 of 2) ... 39
Table 3 – Application program safety life-cycle: overview (1 of 2) ... 42
Table 4 – Safety integrity requirements: PFDavg ... 47
Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF ... 47
Table 6 – Minimum HFT requirements according to SIL ... 55
INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system, hardware and application programming requirements
FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

DISCLAIMER

This Consolidated version is not an official IEC Standard and has been prepared for user convenience. Only the current versions of the standard and its amendment(s) are to be considered the official documents.

This Consolidated version of IEC 61511-1 bears the edition number 2.1. It consists of the second edition (2016-02) [documents 65A/777/FDIS and 65A/784/RVD], its corrigendum 1 (2016-09) and its amendment 1 (2017-08) [documents 65A/844/FDIS and 65A/848/RVD]. The technical content is identical to the base edition and its amendment.
In this Redline version, a vertical line in th e margin shows where the technical content
is modified by am endm ent 1 . Additions are in green text, del etions are in striketh rough
red text. A separate Final version with all ch ang es accepted i s avail able in this
publication .

International Standard IEC 61511-1 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement, control and automation.

This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to application programming;
• functional safety assessment requirements provided with more detail to improve management of functional safety;
• management of change requirement added;
• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified and should be reviewed carefully to understand user/integrator options.
The text of this standard is based on the following documents:

FDIS            Report on voting
65A/777/FDIS    65A/784/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 61511 series, published under the general title Functional safety – Safety instrumented systems for the process industry sector, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

IMPORTANT – The "colour inside" logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this publication using a colour printer.
INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively used for SIFs, it is essential that this instrumentation achieves certain minimum standards and performance levels.

The IEC 61511 series addresses the application of SISs for the process industries. The IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be carried out to enable the specification for SISs to be derived. Other safety systems' contributions are only considered with respect to the performance requirements for the SIS. The SIS includes all devices necessary to carry out each SIF from sensor(s) to final element(s).

The IEC 61511 series has two concepts which are fundamental to its application: SIS safety life-cycle and safety integrity levels (SILs).

The IEC 61511 series addresses SISs which are based on the use of electrical/electronic/programmable electronic technology. Where other technologies are used for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors and final elements regardless of the technology used. The IEC 61511 series is process industry specific within the framework of the IEC 61508 series.

The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these minimum principles. This approach has been adopted in order that a rational and consistent technical policy is used.

In most situations, safety is best achieved by an inherently safe process design. However, in some instances this is not possible or not practical. If necessary, this may be combined with a protective system or systems to address any residual identified risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical, electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• addresses that a H&RA is carried out to identify the overall safety requirements;
• addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented means of achieving functional safety;
• details the use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation, operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying principles, terminology, and information) within the process industries. This should have both safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511 series.

In jurisdictions where the governing authorities (e.g., national, federal, state, province, county, city) have established process safety design, process safety management, or other regulations, these take precedence over the requirements defined in the IEC 61511 series.
[Figure 1 – diagram not reproduced. The technical requirements parts, all in Part 1, follow the safety life-cycle:
– Development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Clause 8
– Allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification: Clauses 9 and 10
– Design phase for safety instrumented systems: Clause 11
– Design phase for SIS application programming: Clause 12
– Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems: Clauses 13, 14 and 15
– Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Clauses 16, 17 and 18
The support parts are: References (Part 1, Clause 2); Definitions and abbreviations (Part 1, Clause 3); Conformance (Part 1, Clause 4); Management of functional safety (Part 1, Clause 5); Safety life-cycle requirements (Part 1, Clause 6); Verification (Part 1, Clause 7); Information requirements (Part 1, Clause 19); Guideline for the application of part 1 (Part 2); Guidance for the determination of the required safety integrity levels (Part 3).]

Figure 1 – Overall framework of the IEC 61511 series


FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and application programming requirements

1 Scope

This part of IEC 61511 gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIS), so that it can be confidently entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been developed as a process sector implementation of IEC 61508:2010.

In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is responsible for implementing the requirements (e.g., designers, suppliers, owner/operating company, contractor). This responsibility will be assigned to different parties according to safety planning, project planning and management, and national regulations;
b) applies when devices that meet the requirements of the IEC 61508 series published in 2010, or IEC 61511-1:2016 [11.5], are integrated into an overall system that is to be used for a process sector application. It does not apply to manufacturers wishing to claim that devices are suitable for use in SISs for the process sector (see IEC 61508-2:2010 and IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application programs are developed for systems having limited variability language or when using fixed programming language devices, but does not apply to manufacturers, SIS designers, integrators and users that develop embedded software (system software) or use full variability languages (see IEC 61508-3:2010);
e) applies to a wide variety of industries within the process sector, for example, chemicals, oil and gas, pulp and paper, pharmaceuticals, food and beverage, and non-nuclear power generation;
NOTE 1 Within the process sector some applications may have additional requirements that have to be satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements for the SIF taking into account the risk reduction achieved by other methods;
h) specifies life-cycle requirements for system architecture and hardware configuration, application programming, and system integration;
i) specifies requirements for application programming for users and integrators of SISs;
j) applies when functional safety is achieved using one or more SIFs for the protection of personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications, for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are necessary to determine the functional requirements and the safety integrity requirements for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand mode) and average frequency of dangerous failures (in demand mode or continuous mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for specific applications (which should be established based on knowledge of the particular application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person.

[Figure 2 – diagram not reproduced. Process sector safety instrumented system standards: manufacturers and suppliers of devices follow IEC 61508; safety instrumented systems designers, integrators and users follow IEC 61511.]

Figure 2 – Relationship between IEC 61511 and IEC 61508

NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in IEC 61511.
[Figure 3 – diagram not reproduced. Process sector safety instrumented system standards, by activity:
Process sector hardware:
– developing new hardware devices: follow IEC 61508
– using prior use hardware devices: follow IEC 61511
– using hardware developed and assessed according to IEC 61508: follow IEC 61511
Process sector software and application program:
– developing embedded (system) software: follow IEC 61508-3
– developing application program using full variability languages: follow IEC 61508-3
– developing application program using limited variability or fixed program languages: follow IEC 61511]

Figure 3 – Detailed relationship between IEC 61511 and IEC 61508

NOTE 4 Subclause 7.2.2 in IEC 61511-1:2016 and A.7.2.2 in IEC 61511-2:2016 contain guidance on handling integration of sub-systems that comply with other standards (such as machinery, burner, etc.).
[Figure 4 – flowchart not reproduced. Start: Is this an instrumented function? If no: Safety function? If no, not relevant; if yes, other means of risk reduction. If yes: Safety instrumented function? If no, other instrumented means of risk reduction; if yes, mode? Continuous: continuous mode SIF; demand: demand mode SIF. Legend: standard specifies activities which are to be carried out but requirements are not detailed.]

Figure 4 – Relationship between safety instrumented functions and other functions

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements

IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements

3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.

3.2 Terms and definitions

For the purposes of this document, the following definitions apply.

In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases this is due to the terminology used in the process sector. In other cases these definitions have been aligned with other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary, ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning between these definitions and the definitions of the same terms in IEC 61508-4:2010.

3.2.1
architecture
configuration
specific configuration of hardware and software components in a system

Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal structure of a SIS subsystem or the internal structure of SIS application programs.

3.2.2
asset protection
function allocated to a system and designed for the purpose of preventing loss or damage to assets

3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other programmable systems and/or operators and generates output signals causing the process and its associated equipment to operate in the desired manner but which does not perform any SIF

Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired manner.

Note 2 to entry: A BPCS typically may implement various functions such as process control functions, monitoring, and alarms.

3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed

Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the application program).

Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or inhibit or muting.

3.2.5
channel
device or group of devices that independently perform(s) a specified function
Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers, sensors, and final elements.

Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently perform the same function. Channels may be identical or diverse.

Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or final elements).

Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault tolerance requirements.

3.2.6
common cause

3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are not consequences of each other

Note 1 to entry: All the failures due to a common cause do not necessarily occur exactly at the same time and this may allow time to detect the occurrence of the common cause before a SIF is actually failed.

Note 2 to entry: Common cause failures can also lead to common mode failures.

Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).

Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g., temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation errors, bugs), human error (e.g., misuse), etc.

Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of concurrent failures (plural form) according to the 3.2.6.1 definition.

3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (i.e., identical faults)

Note 1 to entry: Common mode failures may have different causes.

Note 2 to entry: Common mode failures can also be the result of common cause failures (3.2.6.1).

Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy and fault tolerance (e.g., failure of two or more channels in the same way, causing the same erroneous result).

Note 4 to entry: By extension, a common mode failure (in singular form) is a failure belonging to a set of concurrent failures (plural form) according to the 3.2.6.2 definition.

3.2.7
compensating measure
temporary implementation of planned and documented methods for managing risks during any period of maintenance or process operation when it is known that the performance of the SIS is degraded

3.2.8
component
one of the parts of a system, SIS subsystem, or device performing a specified function

Note 1 to entry: Component may also include software.

3.2.9
configuration management
discipline of identifying the components and the arrangements of those components of an evolving system for the purposes of controlling changes to those components, and maintaining continuity of the system and traceability of any changes throughout the life-cycle

3.2.9.1
conservative approach
cautious way of doing analysis and calculations

Note 1 to entry: In the safety field, each time an analysis, assumptions, or calculation has to be done (about models, input data, computations, etc.) it can be chosen in order to be sure to produce pessimistic results.

3.2.10
control system
system which responds to input signals from the process and/or from an operator and generates output signals causing the process to operate in the desired manner

Note 1 to entry: The control system includes sensors and final elements and may be either a BPCS or a SIS or a combination of the two.

3.2.11
dangerous failure
failure which impedes or disables a given safety action

Note 1 to entry: A failure is "dangerous" only with regard to a given SIF.

Note 2 to entry: When fault tolerance is implemented, a dangerous failure can lead to either:
– a degraded SIF where the safety action is available but there is either a higher PFD (demand mode of operation) or a higher likelihood of initiating a hazardous event (continuous mode of operation) or a PFH, or
– a disabled SIF where the safety action is completely disabled (demand mode of operation) or the hazardous event has been induced (continuous mode of operation).

Note 3 to entry: When no fault tolerance is implemented, all dangerous failures lead to a disabled SIF.

3.2.12
dependent failure
failure whose probability cannot be expressed as the simple product of the unconditional probabilities of the individual events which caused it

Note 1 to entry: Two events A and B are dependent if the probability of occurrence of A and B, P(A and B), is greater than P(A) × P(B).

Note 2 to entry: See 9.4.2 and IEC 61511-3:2016, Annex J for consideration of dependent failures between protection layers.

Note 3 to entry: Dependent failures include common cause.

3.2.13
detected
revealed
overt
relating to hardware and software failures or faults which are not hidden because they announce themselves or are discovered through normal operation or through dedicated detection methods

Note 1 to entry: There are some differences in the use of these terms:
– Overt is used for failures or faults which announce themselves when they occur (e.g., due to the change of state). The repair of such failures can begin as soon as they have occurred.
– Detected is used for failures or faults which do not announce themselves when they occur and which remain hidden until detected by some means (e.g., diagnostic tests, proof tests, operator intervention like physical inspection and manual tests). The repair of such failures can begin only after they have been revealed. See Note 2 for the specific use of this term in IEC 61511.
– Revealed is used for failures or faults that become evident due to being overt or as a result of being detected.

Note 2 to entry: In IEC 61511 and except when the context suggests another meaning, the term dangerous detected failures/faults is related to dangerous failures detected by diagnostic tests.

Note 3 to entry: When the detection is very fast (e.g., by diagnostic tests) then the detected failures or faults can be considered to be overt failures or faults.

When the detection is not very fast (e.g., by proof tests) the detected failures or faults cannot be considered to be overt failures or faults when addressing safety integrity levels.

Note 4 to entry: A dangerous revealed failure can only be treated as a safe failure if effective measures, automatic or manual, are taken in a short enough time to maintain process safety.

3.2.14
device
hardware, with or without software, capable of performing a specified function

Note 1 to entry: Examples are sensors, logic solvers, final elements, operator interfaces, and field wiring.

3.2.14.1
field device
SIS or BPCS device connected directly to the process or located in close proximity to the process

Note 1 to entry: Examples are sensors, final elements and manual switches.

3.2.15
diagnostics
frequent (in relation to the process safety time) automatic test to reveal faults

3.2.15.1
diagnostics coverage
DC
fraction of dangerous failure rates detected by diagnostics. Diagnostics coverage does not include any faults detected by proof tests

Note 1 to entry: Diagnostics coverage is typically applied to SIS devices or SIS subsystems. E.g., the diagnostics coverage is typically determined for a sensor, final element or a logic solver.

Note 2 to entry: For safety applications the diagnostics coverage is typically applied to dangerous failures of SIS devices or SIS subsystems. For example, the diagnostics coverage for the dangerous failures of a device is DC = λDD / λDT, where λDD is the dangerous detected failure rate and λDT is the total dangerous failure rate. For a SIS subsystem with internal redundancy, DC is time dependent: DC(t) = λDD(t) / λDT(t).

Note 3 to entry: When the diagnostics coverage (DC) and the total dangerous failure rate (λDT) are given, the detected (λDD) and undetected dangerous failure rates (λDU) can be computed as follows:

λDD = DC × λDT and λDU = (1 − DC) × λDT.

3.2.16
diversity
different means of performing a required function

Note 1 to entry: Diversity may be achieved by different physical means, different programming techniques, or different design approaches.

3.2.17
error
discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition

[SOURCE: IEC 60050-192:2015, 192-03-02]

3.2.18
failure
loss of ability to perform as required

Note 1 to entry: A failure of a device is an event that results in a fault state of that device.

Note 2 to entry: When the loss of ability is caused by a latent fault, the failure occurs when a particular set of circumstances is encountered.

Note 3 to entry: Performance of required functions necessarily excludes certain behaviour, and some functions may be specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.

Note 4 to entry: Failures are either random or systematic (see 3.2.61 and 3.2.83 see 3.2.59 and 3.2.81).

[SOURCE: IEC 60050-192:2015, 192-03-01, modified – Notes to entry have been changed]

3.2.18.1
failure mode
manner in which failure occurs

Note 1 to entry: A failure mode may be defined by the function lost or the state transition that occurred.

[SOURCE: IEC 60050-192:2015, 192-03-17]

3.2.19
fault
inability to perform as required, due to an internal state

Note 1 to entry: A fault of an item results from a failure, either of the item itself, or from a deficiency in an earlier stage of the life-cycle, such as specification, design, manufacture or maintenance.

Note 2 to entry: A fault of a device results in a failure when a particular set of circumstances is encountered.

[SOURCE: IEC 60050-192:2015, 192-04-01, modified – Some notes to entry have been changed, others have been deleted]

3.2.20
fault avoidance
use of techniques and procedures which aim to avoid the introduction of faults during any phase of the SIS safety life-cycle

3.2.20.1
fault exclusion
elimination from further consideration of faults due to improbable failure modes

Note 1 to entry: Further information about fault exclusion can be found in ISO 13849-1 and ISO 13849-2. According to those standards, fault exclusion can be based on
– the technical improbability of occurrence of some faults;
– generally accepted technical experience, independent of the considered application;
– technical requirements related to the application and the specific hazard.

Note 2 to entry: Failure modes, identified in the devices performing the safety function, can be excluded because their related dangerous failure rate(s) are very low compared to the target failure measure for the safety function under consideration. That is, the sum of the dangerous failure rates of all serial devices on which fault exclusion is being claimed generally cannot exceed 1 % of the target failure measure.
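
As an added worked example (not part of the standard's text), the failure-rate decomposition of 3.2.15.1 Note 3 and the 1 % screening rule of 3.2.20.1 Note 2 in Python. Device roles, rates and the target value are constructed inputs, and the target failure measure is assumed to be given per hour so that it shares a unit with the failure rates.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class DangerousRates:
    """Dangerous failure rates of one device, all per hour."""
    lambda_dt: float  # total dangerous failure rate (λDT)
    lambda_dd: float  # dangerous failures detected by diagnostics (λDD)
    lambda_du: float  # dangerous undetected failures (λDU)


def split_dangerous_rate(lambda_dt: float, dc: float) -> DangerousRates:
    """λDD = DC × λDT and λDU = (1 − DC) × λDT (3.2.15.1, Note 3).

    DC is the fraction of the dangerous failure rate revealed by diagnostics;
    faults found only by proof test do not count towards it.
    """
    if lambda_dt < 0.0:
        raise ValueError("failure rate must be non-negative")
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie in [0, 1]")
    return DangerousRates(lambda_dt, dc * lambda_dt, (1.0 - dc) * lambda_dt)


def diagnostic_coverage(lambda_dd: float, lambda_dt: float) -> float:
    """DC = λDD / λDT (3.2.15.1, Note 2); the inverse of split_dangerous_rate."""
    if lambda_dt <= 0.0 or lambda_dd < 0.0 or lambda_dd > lambda_dt:
        raise ValueError("need 0 <= λDD <= λDT and λDT > 0")
    return lambda_dd / lambda_dt


def total_undetected_rate(devices: Iterable[DangerousRates]) -> float:
    """Sum of λDU over the serial devices of a SIF: what only a proof test reveals."""
    return sum(d.lambda_du for d in devices)


def fault_exclusion_allowed(excluded_rates: Sequence[float],
                            target_failure_measure: float,
                            fraction: float = 0.01) -> bool:
    """Screening rule of 3.2.20.1, Note 2.

    The summed dangerous failure rates of all serial devices on which fault
    exclusion is claimed generally may not exceed 1 % of the target failure
    measure. Rates and target must share a unit (per hour in this example).
    """
    if target_failure_measure <= 0.0:
        raise ValueError("target failure measure must be positive")
    if any(r < 0.0 for r in excluded_rates):
        raise ValueError("failure rates must be non-negative")
    return sum(excluded_rates) <= fraction * target_failure_measure


if __name__ == "__main__":
    # Constructed sample data for a three-device serial loop (not from the standard).
    loop = [
        split_dangerous_rate(lambda_dt=2.0e-6, dc=0.90),  # sensor
        split_dangerous_rate(lambda_dt=1.0e-7, dc=0.99),  # logic solver
        split_dangerous_rate(lambda_dt=4.0e-6, dc=0.60),  # final element
    ]
    for dev in loop:
        dc = diagnostic_coverage(dev.lambda_dd, dev.lambda_dt)
        print(f"λDT={dev.lambda_dt:.2e}  λDD={dev.lambda_dd:.2e}  "
              f"λDU={dev.lambda_du:.2e}  DC={dc:.2f}")
    print(f"sum λDU over loop = {total_undetected_rate(loop):.2e} /h")

    # Constructed per-hour target and two candidate sets of excluded fault modes.
    target = 1.0e-7
    print("exclusion allowed:", fault_exclusion_allowed([5.0e-10, 3.0e-10], target))
    print("exclusion allowed:", fault_exclusion_allowed([5.0e-10, 6.0e-10], target))
```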

3.2.21
fault tolerance
ability of a functional item to continue to perform a required function in the presence of faults or errors
3.2.22
final element
part of the BPCS or SIS that implements the physical action necessary to achieve or maintain a safe state

Note 1 to entry: Examples are valves, switchgear, and motors, including their auxiliary elements (such as solenoid valve and actuator used to operate a valve).

3.2.23
functional safety
part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers

3.2.24
functional safety assessment
FSA
investigation, based on evidence, to judge the functional safety achieved by one or more SIS and/or other protection layers

3.2.25
functional safety audit
systematic and independent examination to determine whether the procedures specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives

Note 1 to entry: A functional safety audit may be carried out as part of a FSA.

3.2.26
hardware safety integrity
part of the safety integrity of the SIS relating to random hardware failures in a dangerous mode of failure

Note 1 to entry: The two failure measures that are relevant in this context are the average frequency of dangerous failure (continuous mode of operation) and the average probability of failure on demand (demand mode of operation).

Note 2 to entry: See 3.2.82.

Note 3 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.27
harm
injury or damage to the health of people, or damage to property or to the environment

[SOURCE: ISO/IEC Guide 51:2014, 3.1]

3.2.27.1
harmful event
hazardous event which has caused harm

Note 1 to entry: Whether or not a hazardous event results in harm depends on whether people, property, or the environment are exposed to the hazardous situation and, in the case of harm to people, whether any such exposed people can escape the consequences of the event after it has occurred. A hazardous event which has caused harm is termed a harmful event.

3.2.28
hazard
potential source of harm

Note 1 to entry: The term includes danger to persons arising within a short time scale (e.g., fire and explosion) and also those that have a long-term effect on a person's health (e.g., release of a toxic substance or radioactivity).

[SOURCE: ISO/IEC Guide 51:2014, 3.2, modified – Note 1 to entry has been added]
3.2.28.1
hazardous event
event that can cause harm

Note 1 to entry: Whether or not a hazardous event results in harm depends on whether people, property or the environment are exposed to the hazardous situation and, in the case of harm to people, whether any such exposed people can escape the consequences of the event after it has occurred.

[SOURCE: ISO/IEC Guide 51:2014, 3.3, modified – see Note 1]

3.2.28.2
hazardous situation
circumstance in which people, property or the environment are exposed to one or more hazards

[SOURCE: ISO/IEC Guide 51:2014, 3.4]

3.2.29
human error
intended or unintended human action or inaction that produces an inappropriate result

Note 1 to entry: Mistakes, slips, and lapses are examples of human errors.

Note 2 to entry: This excludes malicious action.

3.2.30
impact analysis
activity of determining the effect that a change to a function or component will have on other functions or components in the system as well as in other systems

3.2.31
independent organization
organization that is separate and distinct, by management and other resources, from the organizations responsible for the activities that take place during the specific phase of the SIS safety life-cycle that is subject to the FSA or validation

3.2.32
independent person
person who is separate and distinct from the activities which take place during the specific phase of the SIS safety life-cycle that is subject to the FSA or validation and does not have direct responsibility for those activities

3.2.33
input function
function which monitors the process and its associated equipment in order to provide input information for the logic solver

Note 1 to entry: An input function could be a manual function.

3.2.34
instrument
apparatus used in performing an action (typically found in instrumented systems)

3.2.34.1
instrumented system
system composed of sensors (e.g., pressure, flow, temperature transmitters), logic solvers (e.g., programmable controllers, distributed control systems, discrete controllers), and final elements (e.g., control valves, motor control circuits)

Note 1 to entry: Instrumented systems perform instrumented functions including control, monitoring, alarm and protective functions. Instrumented systems can be SIS (see 3.2.67) or BPCS (see 3.2.3).
3.2.35
logic function
function which performs the transformations between input information (provided by one or more input functions) and output information (used by one or more output functions)

Note 1 to entry: Logic functions provide the transformation from one or more input functions to one or more output functions.

Note 2 to entry: For further guidance, see IEC 61131-3:2012 and IEC 60617-12:1997.

3.2.36
logic solver
part of either a BPCS or SIS that performs one or more logic function(s)

Note 1 to entry: In IEC 61511 the following terms for logic solvers are used:

- electrical logic systems for electro-mechanical technology;

- electronic logic systems for electronic technology;

- PE logic system for programmable electronic systems.

Note 2 to entry: Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, and hydraulic systems. Sensors and final elements are not part of the logic solver.

3.2.36.1
safety configured PE logic solver
general purpose industrial grade PE logic solver which is specifically configured for use in safety applications

Note 1 to entry: Further guidance can be found in 11.5.

3.2.37
maintenance/engineering interface
hardware and software provided to allow proper SIS maintenance or modification

Note 1 to entry: Maintenance/engineering interface can include instructions and diagnostics which may be found in software, programming terminals with appropriate communication protocols, diagnostic tools, indicators, bypass devices, test devices, and calibration devices.

3.2.37.1
mean repair time
MRT
expected overall repair time

Note 1 to entry: MRT encompasses the times (b), (c) and (d) of the times for MTTR (see 3.2.37.2).

3.2.37.2
mean time to restoration
MTTR
expected time to achieve restoration

Note 1 to entry: MTTR encompasses:

– the time to detect the failure (a);
– the time spent before starting the repair (b);
– the effective time to repair (c);
– the time before the component is put back into operation (d).

The start time for (b) is the end of (a); the start time for (c) is the end of (b); the start time for (d) is the end of (c).

3.2.37.3
maximum permitted repair time
MPRT
maximum duration allowed to repair a fault after it has been detected
Note 1 to entry: The MRT may be used as MPRT but the MPRT may be defined without regard to the MRT:
– A MPRT smaller than the MRT can be chosen to decrease the probability of hazardous event.
– A MPRT greater than the MRT can be chosen if the probability of hazardous event can be relaxed.

Note 2 to entry: When a MPRT has been defined it can be used in place of the MRT for calculating the probability of random hardware failures.
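
The relationships between MTTR, MRT and MPRT in 3.2.37.1 to 3.2.37.3, as an added worked example that is not part of the standard's text: the `RepairTimeline` type, the hour values and the function names are constructed for illustration, and "expected" is taken here as the sample mean over recorded repair events.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class RepairTimeline:
    """The four consecutive intervals listed under MTTR (3.2.37.2), in hours.

    Each interval starts where the previous one ends, so the totals below are
    plain sums. The values used are constructed, not taken from a real plant.
    """
    detect: float   # (a) time to detect the failure
    wait: float     # (b) time spent before starting the repair
    repair: float   # (c) effective time to repair
    restore: float  # (d) time before the component is put back into operation

    def time_to_restoration(self) -> float:
        """(a) + (b) + (c) + (d): the quantity whose expectation is MTTR."""
        return self.detect + self.wait + self.repair + self.restore

    def repair_time(self) -> float:
        """(b) + (c) + (d): the quantity whose expectation is MRT (3.2.37.1).

        Detection time (a) is excluded: MRT only counts time after the
        failure has been found.
        """
        return self.wait + self.repair + self.restore


def mttr(events: Iterable[RepairTimeline]) -> float:
    """MTTR as the sample mean time to achieve restoration."""
    return mean(e.time_to_restoration() for e in events)


def mrt(events: Iterable[RepairTimeline]) -> float:
    """MRT as the sample mean overall repair time."""
    return mean(e.repair_time() for e in events)


def within_mprt(event: RepairTimeline, mprt_hours: float) -> bool:
    """Check one repair against an MPRT (3.2.37.3).

    MPRT bounds the duration allowed to repair a fault *after it has been
    detected*, so it is compared with (b)+(c)+(d), never with the full
    (a)+(b)+(c)+(d); comparing against MTTR would be the wrong quantity.
    """
    return event.repair_time() <= mprt_hours


def restoration_time_for_pfd(events: Iterable[RepairTimeline],
                             mprt_hours: Optional[float] = None) -> float:
    """Value to carry into the random hardware failure calculation.

    Note 2 to 3.2.37.3: when an MPRT has been defined it can be used in place
    of the MRT; otherwise the MRT observed from field records is used.
    """
    return mrt(events) if mprt_hours is None else mprt_hours


# Constructed repair records: (a), (b), (c), (d) in hours.
SAMPLE_EVENTS = [
    RepairTimeline(detect=2.0, wait=6.0, repair=8.0, restore=4.0),   # 20 h restoration, 18 h repair
    RepairTimeline(detect=4.0, wait=2.0, repair=6.0, restore=2.0),   # 14 h restoration, 10 h repair
    RepairTimeline(detect=0.5, wait=9.5, repair=12.0, restore=2.0),  # 24 h restoration, 23.5 h repair
]

if __name__ == "__main__":
    print(f"MTTR = {mttr(SAMPLE_EVENTS):.2f} h, MRT = {mrt(SAMPLE_EVENTS):.2f} h")
    for event in SAMPLE_EVENTS:
        print(event, "repaired within a 24 h MPRT:", within_mprt(event, 24.0))
    print("value for PFD calculation with MPRT = 12 h:",
          restoration_time_for_pfd(SAMPLE_EVENTS, 12.0))
```

The difference MTTR minus MRT is exactly the mean detection time (a), which is why a shorter MPRT than the observed MRT only helps once the fault has actually been detected.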

3.2.38
mitigation
action that reduces the consequence(s) of a hazardous event

Note 1 to entry: Examples include emergency depressurization or closing ventilation dampers on detection of confirmed fire or gas leak, or initiation of deluge on confirmed fire detection.

3.2.39
mode of operation (of a SIF)
way in which a SIF operates which may be either low demand mode, high demand mode or continuous mode
a) low demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is no greater than one per year.
b) high demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is greater than one per year.
c) continuous mode: mode of operation where the SIF retains the process in a safe state as part of normal operation.

3.2.39.1
demand mode SIF
SIF operating in low demand mode (3.2.39 a)) or high demand mode (3.2.39 b))

Note 1 to entry: In the event of a dangerous failure of the SIF, a hazardous event can only occur
– if the failure is undetected and a demand occurs before the next proof test;
– if the failure is detected by the diagnostic tests but the related process and its associated equipment has not been moved to a safe state before a demand occurs.

Note 2 to entry: In high demand mode, it will normally be appropriate to use the continuous mode criteria.

Note 3 to entry: The safety integrity levels for SIF operating in demand mode are defined in Tables 4 and 5.

3.2.39.2
continuous mode SIF
SIF operating in continuous mode (3.2.39 c))

Note 1 to entry: In the event of a dangerous failure of the SIF a hazardous event will occur without further failure unless action is taken to prevent it within the process safety time.

Note 2 to entry: Continuous mode covers those SIF which implement continuous control to maintain functional safety.

Note 3 to entry: The safety integrity levels for SIF operating in continuous mode are defined in Table 5.

3.2.40
module
self-contained part of a SIS application program (can be internal to a program or a set of programs) that performs a specified function (e.g., final element start/stop/test sequence, an application specific sequence within a SIF)

Note 1 to entry: In the context of IEC 61131-3:2012, a software module is a function or function block.

Note 2 to entry: Most modules have repetitive usage within an application program.
3.2.41
MooN
SIS, or part thereof, made up of “N” independent channels, which are so connected, that “M” channels are sufficient to perform the SIF
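
The MooN voting definition above, together with the fault-tolerance consequences that Note 2 and Note 3 to 3.2.62 (safe failure) describe, as an added example that is not part of the standard: the voter, the tolerance formulas and the exhaustive cross-check are constructed here and assume an idealised voter in which a dangerously failed channel never votes for the trip and a safely failed channel always does.

```python
from itertools import combinations
from typing import Sequence


def moon_trip(m: int, n: int, channel_trip_votes: Sequence[bool]) -> bool:
    """MooN voter: the SIF is performed when at least M of the N independent
    channels demand it (constructed illustration, not any vendor's logic)."""
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    if len(channel_trip_votes) != n:
        raise ValueError(f"expected {n} channel votes, got {len(channel_trip_votes)}")
    return sum(1 for vote in channel_trip_votes if vote) >= m


def dangerous_failures_tolerated(m: int, n: int) -> int:
    """A channel that has failed dangerously cannot vote for the trip. On a real
    demand the SIF is still performed while at least M healthy channels remain,
    so N - M dangerous channel failures are tolerated."""
    return n - m


def safe_failures_tolerated(m: int, n: int) -> int:
    """A channel that has failed safe votes for the trip on its own. The voter
    does not act until M channels vote, so M - 1 such failures are absorbed and
    the M-th one causes a spurious trip. M = 1 is the no-fault-tolerance case of
    Note 3 to 3.2.62: every safe failure is a spurious trip."""
    return m - 1


def verify_tolerances(m: int, n: int) -> bool:
    """Cross-check both closed forms against the voter by enumerating every
    pattern of k failed channels, for k = 0 .. N."""
    # Dangerous failures: a demand is present, but failed channels vote False.
    worst_dangerous = max(
        k for k in range(n + 1)
        if all(moon_trip(m, n, [i not in failed for i in range(n)])
               for failed in combinations(range(n), k))
    )
    # Safe failures: the process is normal, but failed channels vote True.
    worst_safe = max(
        k for k in range(n + 1)
        if all(not moon_trip(m, n, [i in failed for i in range(n)])
               for failed in combinations(range(n), k))
    )
    return (worst_dangerous == dangerous_failures_tolerated(m, n)
            and worst_safe == safe_failures_tolerated(m, n))


if __name__ == "__main__":
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        print(f"{m}oo{n}: tolerates {dangerous_failures_tolerated(m, n)} dangerous, "
              f"{safe_failures_tolerated(m, n)} safe channel failure(s); "
              f"verified={verify_tolerances(m, n)}")
```

The 1oo2 and 2oo2 rows show the trade-off the safe-failure notes point at: 1oo2 tolerates a dangerous channel failure but trips spuriously on any safe one, while 2oo2 does the reverse; 2oo3 absorbs one failure of either kind.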

3.2.42
necessary risk reduction
risk reduction to be achieved by the SIS(s) and/or other protection layers to ensure that the tolerable risk is not exceeded

3.2.43
non-programmable system
(NP) system
system based on non-computer technologies (i.e., a system not based on programmable electronics [PE] or software)

Note 1 to entry: Examples would include hard-wired electrical or electronic systems, mechanical, hydraulic, or pneumatic systems.

3.2.44
operating environment
conditions inherent to the installation of a device that potentially affect its functionality and safety integrity, such as:
• external environment, e.g., winterization needs, hazardous area classification;
• process operating conditions, e.g., extremes in temperature, pressure, vibration;
• process composition, e.g., solids, salts, or corrosives;
• process interfaces;
• integration within the overall plant maintenance and operating management systems;
• communication through-put, e.g., electro-magnetic interference; and
• utility quality, e.g., electrical power, air, hydraulics.

Note 1 to entry: Some process applications may have special operating environment requirements necessary to survive a major accident event. For example some equipment requires special enclosures, purging, or fire protection.

3.2.45
operating mode
process operating mode
any planned state of process operation, including modes such as start-up after emergency shutdown, normal start-up, operation, and shutdown, temporary operations, and emergency operation and shutdown

3.2.46
operator interface
means by which information is communicated between a human operator and the SIS (e.g., display interfaces, indicating lights, push-buttons, horns, alarms)

Note 1 to entry: The operator interface is sometimes referred to as the human-machine interface (HMI).

3.2.47
output function
function which controls the process and its associated equipment according to output information from the logic function

3.2.48
performance
accomplishment of a given action or task measured against the specification and the IEC 61511 series
3.2.49
phase
period within the SIS safety life-cycle where activities described in the IEC 61511 series take place

3.2.50
prevention
action that reduces the likelihood of occurrence of a hazardous event

3.2.51
prior use
documented assessment by a user that a device is suitable for use in a SIS and can meet the required functional and safety integrity requirements, based on previous operating experience in similar operating environments

Note 1 to entry: To qualify a SIS device on the basis of prior use, the user can document that the device has achieved satisfactory performance in a similar operating environment. Understanding how the equipment behaves in the operating environment is necessary to achieve a high degree of certainty that the planned design, inspection, testing, maintenance, and operational practices are sufficient.

Note 2 to entry: Proven in use is based on the manufacturer's design basis (e.g., temperature limit, vibration limit, corrosion limit, desired maintenance support) for his device. Prior use deals with the device's installed performance within a process sector application in a specific operating environment which is often different than the manufacturer's design basis.

3.2.52
process risk
risk arising from the process conditions caused by abnormal events (including BPCS malfunction)

Note 1 to entry: The risk in this context is that associated with the specific hazardous event in which SIS are to be used to provide the necessary risk reduction (i.e., the risk associated with functional safety).

Note 2 to entry: Process risk analysis is described in IEC 61511-3:2016. The main purpose of determining the process risk is to establish a reference point for the risk without taking into account the protection layers.

Note 3 to entry: Assessment of this risk can include associated human factor issues.

Note 4 to entry: This term equates to "EUC risk" in IEC 61508-4:2010.

3.2.52.1
process safety time
time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the SIF is not performed

Note 1 to entry: This is a property of the process only. The SIF has to detect the failure and complete its action soon enough to prevent the hazardous event taking into account any process lag (e.g. cooling of a vessel).

3.2.53
programmable electronics
PE
item based on computer technology which may be comprised of hardware, software, and of input and/or output units

Note 1 to entry: This term covers micro-electronic devices based on one or more central processing units (CPU) together with associated memories. Examples of process sector programmable electronics include:
– smart sensors and final elements;
– programmable electronic logic solvers including:
  – programmable controllers;
  – programmable logic controllers;
  – loop controllers.
3.2.54
programmable electronic system
PES
system for control, protection or monitoring based on one or more programmable electronic devices, including all devices of the system such as power supplies, sensors and other input devices, data highways and other communication paths, actuators and other output devices (see Figure 5)

[Figure 5 (diagram not reproduced) shows the basic PES structure: the extent of the PES covers the input interfaces (e.g., A-D converters), communications, the programmable electronics (PE) and the output interfaces (e.g., D-A converters); input devices (e.g., sensors) feed the PES and output devices/final elements (e.g., actuators) are driven by it.]

NOTE The programmable electronics are shown centrally located but could exist at several places in the PES.

Figure 5 – Programmable electronic system (PES): structure and terminology

3.2.55
programming
coding
process of designing, writing and testing a set of instructions for solving a problem or processing data

Note 1 to entry: In the IEC 61511 series, programming is typically associated with PE.

3.2.56
proof test
periodic test performed to detect dangerous hidden faults in a SIS so that, if necessary, a repair can restore the system to an ‘as new’ condition or as close as practical to this condition

3.2.57
protection layer
any independent mechanism that reduces risk by control, prevention or mitigation

Note 1 to entry: It can be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a mechanical mechanism such as a relief valve, a SIS or an administrative procedure such as an emergency plan against an imminent hazard. These responses may be automated or initiated by human actions (see Figure 9).

3.2.58
quality
totality of characteristics of an entity that bear on its ability to satisfy stated and implied needs

Note 1 to entry: See ISO 9000 for more details.


3.2.59
random hardware failure
failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware

Note 1 to entry: There are many degradation mechanisms occurring at different rates in different components and since manufacturing tolerances cause components to fail due to these mechanisms after different times in operation, failures of a total equipment comprising many components occur at predictable rates but at unpredictable (i.e., random) times.

Note 2 to entry: Two major differences distinguish the random hardware failures and the systematic failures:
– a random hardware failure involves only the system itself while a systematic failure involves both the system itself (a fault) and a particular condition (see 3.2.81). Then a random hardware failure is characterized by a single reliability parameter (i.e., the failure rate) while a systematic failure is characterized by two reliability parameters (i.e., the probability of the pre-existing fault and the hazard rate of the particular condition).
– a systematic failure can be eliminated after being detected while random hardware failures cannot.

This implies that the reliability parameters of random hardware failures can be estimated from field feedback while it is very difficult to do the same for systematic failures. A qualitative approach is preferred for systematic failures.

[SOURCE: IEC 61508-4:2010, 3.6.5, modified – The notes have been changed]

3.2.60
redundancy
the existence of more than one means for performing a required function or for representing information

Note 1 to entry: Examples are the use of duplicate devices and the addition of parity bits.

Note 2 to entry: Redundancy is used primarily to improve reliability or availability.

[SOURCE: IEC 61508-4:2010, 3.4.6]

3.2.61
risk
combination of the probability of occurrence of harm and the severity of that harm

Note 1 to entry: The probability of occurrence includes the exposure to a hazardous situation, the occurrence of a hazardous event, and the possibility to avoid or limit the harm.

[SOURCE: ISO/IEC Guide 51:2014, 3.8]

3.2.62
safe failure
failure which favours a given safety action

Note 1 to entry: A failure is "safe" only with regard to a given safety function.

Note 2 to entry: When fault tolerance is implemented, safe failure can lead to either:
– operation where the safety action is available but with a higher probability of success on demand (demand mode of operation) or a lower likelihood to cause a hazardous event (continuous mode of operation);
– a spurious operation where the safety action is initiated.

Note 3 to entry: When no fault tolerance is implemented, safe failures result in the initiation of the safety action regardless of the process condition. This is also known as a spurious trip.

Note 4 to entry: A spurious trip may be safe with regard to a given safety function but may be dangerous with regard to another safety function.

Note 5 to entry: Spurious trips may also have detrimental effects on the production availability of the process.
3.2.63
safe state
state of the process when safety is achieved

Note 1 to entry: Some states are safer than others and in going from a hazardous condition to the final safe state, or in going from the nominal safe condition to a hazardous condition, the process may have to go through a number of intermediate safe-states.

Note 2 to entry: For some situations, a safe state exists only so long as the process is continuously controlled. Such continuous control may be for a short or an indefinite period of time.

Note 3 to entry: A state which is safe with regard to a given safety function may increase the probability of hazardous event with regard to another given safety function. In this case, the maximum allowable average spurious trip frequency (see 10.3.2) for the first function can consider the potential increased risk associated with the other function.

Note 4 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.64
safety
freedom from risk which is not tolerable

Note 1 to entry: According to ISO/IEC Guide 51 the terms "acceptable risk" and "tolerable risk" are considered to be synonymous.

[SOURCE: ISO/IEC Guide 51:2014, 3.14, modified – The note has been added]

3.2.65
safety function
function to be implemented by one or more protection layers, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event

3.2.66
safety instrumented function
SIF
safety function to be implemented by a safety instrumented system (SIS)

Note 1 to entry: A SIF is designed to achieve a required SIL which is determined in relationship with the other protection layers participating in the reduction of the same risk.

3.2.67
safety instrumented system
SIS
instrumented system used to implement one or more SIFs

Note 1 to entry: A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s) (e.g., see Figure 6). It also includes communication and ancillary equipment (e.g., cables, tubing, power supply, impulse lines, heat tracing).

Note 2 to entry: A SIS may include software.

Note 3 to entry: A SIS may include human action as part of a SIF (see ISA TR84.00.04:2015, part 1).

[Figure 6 (diagram not reproduced): SIS architecture and safety instrumented function example with different devices shown. The three SIS subsystems, sensors, logic solver and final elements, are each shown with NP and PE device variants, the PE devices comprising H/W and S/W.]

Figure 6 – Example of SIS architectures comprising three SIS subsystems
3.2.68
safety integrity
ability of the SIS to perform the required SIF as and when required

Note 1 to entry: This definition is equivalent to the dependability of the SIS with regard to the required SIF. Dependability, being often understood as an economical rather than a safety concept, has not been used to avoid confusion.

Note 2 to entry: Ability includes both the functional response (e.g., closing a specified valve within a specified time) and the likelihood that the SIS will act as required.

Note 3 to entry: In determining safety integrity, all causes of random hardware and systematic failures which lead to an unsafe state can be included (e.g., hardware failures, software induced failures and failures due to electrical interferences). Some of these types of failure, in particular random hardware failures, may be quantified using such measures as the average dangerous failure frequency or the probability of failure on demand. However, safety integrity also depends on many systematic factors, which cannot be accurately quantified and are often considered qualitatively throughout the life-cycle. The likelihood that systematic failures result in dangerous failure of the SIS is reduced through hardware fault tolerance (see 11.4) or other methods and techniques.

Note 4 to entry: Safety integrity comprises hardware safety integrity (see 3.2.26) and systematic safety integrity (see 3.2.82), but complex failures caused by the conjunction of both hardware and systematic interaction can also be considered.

3.2.69
safety integrity level
SIL
discrete level (one out of four) allocated to the SIF for specifying the safety integrity requirements to be achieved by the SIS

Note 1 to entry: The higher the SIL, the lower the expected PFDavg for demand mode or the lower the average frequency of a dangerous failure causing a hazardous event for continuous mode.

Note 2 to entry: The relationship between the target failure measure and the SIL is specified in Tables 4 and 5.

Note 3 to entry: SIL 4 is related to the highest level of safety integrity; SIL 1 is related to the lowest.

Note 4 to entry: This definition differs from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.69.1
safety integrity requirements
set of the IEC 61511 requirements which shall be satisfied by a SIS to claim a given SIL for a SIF implemented by this SIS

Note 1 to entry: The safety integrity requirements are strengthened when the related SIL increases.

3.2.70
SIS safety life-cycle
necessary activities involved in the implementation of SIF occurring during a period of time that starts at the concept phase of a project and finishes when all of the SIF are no longer available for use

Note 1 to entry: The term “functional safety life-cycle” is strictly more accurate, but the adjective “functional” is not considered necessary in this case within the context of the IEC 61511 series.

Note 2 to entry: The SIS safety life-cycle model used in IEC 61511 is shown in Figure 7.

3.2.71
safety manual
functional safety manual
information that defines how a SIS device, subsystem or system can be safely applied

Note 1 to entry: The safety manual may include inputs from the manufacturer as well as from the user.

Note 2 to entry: For IEC 61508 compliant devices, the manufacturer's input is the safety manual.

Note 3 to entry: This could be a generic stand-alone document, or a collection of documents.

Note 4 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.
3.2.72
safety requirements specification
SRS
specification containing the functional requirements for the SIFs and their associated safety integrity levels

[SOURCE: IEC 61508-4:2010, 3.5.11, modified – Aligned with IEC 61511 terminology]

3.2.73
sensor
part of the BPCS or SIS that measures or detects the process condition

Note 1 to entry: Examples are transmitters, transducers, process switches, and position switches.

3.2.74
software
programs, procedures, data, rules and any associated documentation pertaining to the operation of a data processing system

Note 1 to entry: Software is independent of the medium on which it is recorded.

Note 2 to entry: For examples of different types of software, see 3.2.75 and 3.2.76.

3.2.75
application programming languages

3.2.75.1
fixed program language
FPL
language in which the user is limited to adjustment of a few pre-defined and fixed set of parameters

Note 1 to entry: Typical examples of device applications with FPL are: smart sensor (e.g., pressure transmitter without control algorithms), smart final element (e.g. valve without control algorithms), sequence of events recorder, set points for dedicated smart alarm box. The use of FPL is often referred to as "configuration of the device".

3.2.75.2
limited variability language
LVL
programming language for commercial and industrial programmable electronic controllers with a range of capabilities limited to their application as defined by the associated safety manual. The notation of this language may be textual or graphical or have characteristics of both.

Note 1 to entry: This type of language is designed to be easily understood by process sector users, and provides the capability to combine predefined, application specific, library functions to implement the SRS. LVL provides a close functional correspondence with the functions required to achieve the application.

Note 2 to entry: IEC 61511 assumes that the constraints necessary to achieve the safety properties are achieved by the combination of the safety manual, the closeness of the language notations to the functions the application programmer needs to define the process control algorithms, and the compile time and run time checks which the logic solver provider embeds into the logic solver system program and the logic solver development environment. The constraints identified in the certification report and safety manual can ensure the relevant requirements of IEC 61508-3:2010 are satisfied.

Note 3 to entry: LVL is the most commonly used language when the IEC 61511 series refers to “application program”.

3.2.75.3
full variability language
FVL
language designed to be comprehensible to computer programmers and that provides the capability to implement a wide variety of functions and applications
I EC 61 51 1 -1 : 201 6+AM D1 :201 7 CSV – 29 –
© I EC 201 7
Note 1 to entry: Typi cal exam pl e of system s usi ng FVL are g eneral pu rpose com puters.

Note 2 to entry: I n th e process sector, FVL i s foun d i n em bedded software an d rarel y i n appl i cati on prog ram m i n g .

Note 3 to en try: FVL exam pl es i ncl ude: Ada, C, Pascal , I nstru cti on Li st, assem bl er l an g uag es, C ++ , J ava, SQL.

3.2.76
software & program types

3.2.76.1
application program
program specific to the user application containing, in general, logic sequences, permissives, limits and expressions that control the input, output, calculations, and decisions necessary to meet the SIS functional requirements

3.2.76.2
embedded software
software that is part of the system supplied by the manufacturer and is not accessible for modification by the end-user

Note 1 to entry: Embedded software is also referred to as firmware or system software. See 3.2.75.3 full variability language.

3.2.76.3
utility software
software tools for the creation, modification, and documentation of application programs

Note 1 to entry: These software tools are not required for the operation of the SIS.

3.2.77
application program life-cycle
activities occurring during a period of time that starts when the application program is conceived and ends when the application program is permanently disused

Note 1 to entry: An application program life-cycle typically includes a requirements phase, development phase, test phase, integration phase, installation phase and modification phase.

Note 2 to entry: Software, including application program, cannot be maintained; rather, it is modified.

3.2.78
SIS subsystem
independent part of a SIS whose disabling dangerous failure results in a disabling dangerous failure of the SIS

Note 1 to entry: Figure 6 illustrates a SIS made of three SIS subsystems.

Note 2 to entry: From the cut set approach point of view (see IEC 61025) a minimal cut set of a SIS subsystem is also a minimal cut set of the whole SIS. Therefore the SIFs implemented within a SIS are entirely dependent on the SIS subsystems of this SIS (i.e., when a SIS subsystem fails, the related SIFs also fail).
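The cut set statement in Note 2 can be checked mechanically. The following is an added illustration, not text or code from IEC 61511 or IEC 61025; it assumes a constructed SIS of three subsystems in series (1oo2 transmitters, a single logic solver, 1oo2 shutdown valves, all names invented here), enumerates the minimal cut sets of each subsystem and of the whole SIS by brute force, and confirms that the union of the subsystem cut sets is exactly the SIS cut set list:

```python
from itertools import combinations

# Constructed example SIS (an assumption for this illustration, not taken from the
# standard): three SIS subsystems in series, each a MooN vote of channels.
# A subsystem fails dangerously when fewer than M healthy channels remain, i.e.
# when at least N - M + 1 of its channels have failed dangerously.
SUBSYSTEMS = {
    "sensors":        {"vote": (1, 2), "channels": ("PT-A", "PT-B")},   # 1oo2 transmitters
    "logic_solver":   {"vote": (1, 1), "channels": ("LS",)},            # single logic solver
    "final_elements": {"vote": (1, 2), "channels": ("XV-A", "XV-B")},   # 1oo2 shutdown valves
}


def subsystem_fails(name, failed):
    """True when the dangerous channel failures in `failed` disable subsystem `name`."""
    m, n = SUBSYSTEMS[name]["vote"]
    failed_here = sum(1 for ch in SUBSYSTEMS[name]["channels"] if ch in failed)
    return failed_here >= n - m + 1


def sis_fails(failed):
    """Series arrangement (3.2.78): disabling any one subsystem disables the SIS."""
    return any(subsystem_fails(name, failed) for name in SUBSYSTEMS)


def minimal_cut_sets(basic_events, fails):
    """Enumerate subsets by increasing size and keep each failing subset that has
    no smaller failing subset already recorded: these are the minimal cut sets."""
    found = []
    for size in range(1, len(basic_events) + 1):
        for combo in combinations(basic_events, size):
            cut = frozenset(combo)
            if fails(cut) and not any(smaller < cut for smaller in found):
                found.append(cut)
    return set(found)


def subsystem_minimal_cut_sets(name):
    channels = SUBSYSTEMS[name]["channels"]
    return minimal_cut_sets(channels, lambda failed: subsystem_fails(name, failed))


def sis_minimal_cut_sets():
    all_channels = tuple(ch for sub in SUBSYSTEMS.values() for ch in sub["channels"])
    return minimal_cut_sets(all_channels, sis_fails)


def subsystem_cuts_are_sis_cuts():
    """Note 2 to 3.2.78: every minimal cut set of a subsystem is a minimal cut set
    of the whole SIS (and, for a series arrangement, there are no others)."""
    union = set()
    for name in SUBSYSTEMS:
        union |= subsystem_minimal_cut_sets(name)
    return union == sis_minimal_cut_sets()


if __name__ == "__main__":
    for name in SUBSYSTEMS:
        print(name, sorted(sorted(c) for c in subsystem_minimal_cut_sets(name)))
    print("SIS", sorted(sorted(c) for c in sis_minimal_cut_sets()))
    print("subsystem cut sets are SIS cut sets:", subsystem_cuts_are_sis_cuts())
```

The single logic solver is the practical lesson: its one-element cut set {LS} disables every SIF the SIS implements, whichever redundancy the sensor and final element subsystems carry, which is why hardware fault tolerance is assessed per subsystem.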

3.2.79
system
set of devices, which interact according to a specification

Note 1 to entry: A person can be part of a system.

Note 2 to entry: This definition deviates from the definition in IEC 61508 to reflect differences in process sector terminology.

3.2.80
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of a device meets the requirements of the specified SIL, in respect of the specified safety function, when the device is applied in accordance with the instructions specified in the device safety manual

Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults in IEC 61508-2:2010 and IEC 61508-3:2010.

Note 2 to entry: The systematic failure mechanism depends on the nature of the device. For a device comprised solely of hardware, only hardware failure mechanisms are considered. For a device comprised of hardware and software, it is necessary to consider the interactions between hardware and software failure mechanisms.

Note 3 to entry: A systematic capability of SC N for a device means that the systematic safety integrity of SC N has been met when the device is applied in accordance with the instructions specified in the device safety manual for SC N.

3.2.81
systematic failure
failure related to a pre-existing fault, which consistently occurs under particular conditions, and which can only be eliminated by removing the fault by a modification of the design, manufacturing process, operating procedures, documentation or other relevant factors

Note 1 to entry: The cause of systematic failures of the software may be known as "bugs".

Note 2 to entry: Corrective maintenance without modification would usually not eliminate the failure cause which involves the failure under particular conditions.

Note 3 to entry: A systematic failure can be reproduced by deliberately applying the same conditions, although not all reproducible failures are systematic.

Note 4 to entry: Examples of faults leading to systematic failure include human error that originates in:
– the SRS;
– the design, manufacture, installation, operation or maintenance of the hardware;
– the design or implementation of software (including application program).

Note 5 to entry: Similar devices designed, installed, operated, implemented or maintained in the same way are likely to contain the same faults. Therefore they are subject to common cause failures when the particular conditions occur.

3.2.82
systematic safety integrity
part of the safety integrity of the SIS relating to systematic failures in a dangerous mode of failure

Note 1 to entry: Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity).

Note 2 to entry: See 3.2.26 also.

3.2.83
target failure measure
performance required from the SIF and specified in terms of either the average probability of failure to perform the SIF on demand for demand mode of operation or the average frequency of a dangerous failure for continuous mode of operation

Note 1 to entry: The relationship between the target failure measures and the SIL is given in Tables 4 and 5.

3.2.84
tolerable risk
level of risk which is accepted in a given context based on the current values of society

Note 1 to entry: See IEC 61511-3:2016, Annex A.

[SOURCE: ISO/IEC Guide 51:2014, 3.15]

3.2.85
undetected
unrevealed
covert
not detected or not revealed or not overt

Note 1 to entry: In IEC 61511 and except when the context suggests another meaning, the term "dangerous undetected failures/faults" is related to dangerous failures/faults not detected by diagnostic tests.

3.2.86
validation
confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled

Note 1 to entry: In the IEC 61511 series this means demonstrating that the SIF(s) and SIS after installation meet the SRS in all respects.

3.2.87
verification
confirmation by examination and provision of objective evidence that the requirements have been fulfilled

Note 1 to entry: In the IEC 61511 series this is the activity of demonstrating for each phase of the relevant SIS safety life-cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase.

Note 2 to entry: Example verification activities include:
– reviews on outputs (documents from all phases of the safety life-cycle) to ensure compliance with the objectives and requirements of the phase taking into account the specific inputs to that phase;
– design reviews;
– tests performed on the designed products to ensure that they perform according to their specification;
– integration tests performed where different parts of a system are put together in a step-by-step manner and by the performance of environmental tests to ensure that all the parts work together in the specified manner.

3.2.88
watchdog
combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of the programmable electronic (PE) device and taking action upon detection of an incorrect operation

Note 1 to entry: The watchdog confirms that the software system is operating correctly by the regular resetting of an external device (e.g., hardware electronic watchdog timer) by an output device controlled by the software.

Note 2 to entry: The watchdog can be used to de-energize a group of safety outputs when dangerous failures are detected in order to achieve or maintain a safe state of the process with respect to the hazardous event. The watchdog is used to increase the on-line diagnostic coverage of the PE logic solver (see 3.2.13 and 3.2.15).
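The mechanism in Notes 1 and 2 can be seen end to end in a small simulation. This is an added example, not code from IEC 61511 or from any logic solver vendor; the watchdog timer, the de-energize-to-trip outputs, the scan-time self-check and the timeout of three cycles are all assumptions made for the illustration. The hardware timer counts down on its own clock; the logic solver reloads it only after a scan completes within budget; when the software hangs or overruns for long enough, the timer trips and de-energizes the safety outputs, and a later kick cannot re-energize them:

```python
class HardwareWatchdog:
    """Simulated external watchdog timer (an assumed model, not any vendor's
    hardware): reloaded by a kick, trips on the timeout_ticks-th consecutive
    cycle without a kick, and stays latched once tripped."""

    def __init__(self, timeout_ticks, on_timeout):
        self.timeout_ticks = timeout_ticks
        self.on_timeout = on_timeout
        self.remaining = timeout_ticks
        self.tripped = False

    def kick(self):
        # Reload only while healthy: a kick after a trip must not re-arm outputs.
        if not self.tripped:
            self.remaining = self.timeout_ticks

    def tick(self):
        # Driven by the independent hardware clock, not by the software it supervises.
        if self.tripped:
            return
        self.remaining -= 1
        if self.remaining == 0:
            self.tripped = True
            self.on_timeout()


class SafetyOutputs:
    """De-energize-to-trip outputs: energized means the process is permitted to run."""

    def __init__(self):
        self.energized = True
        self.de_energized_at = None

    def de_energize(self, now):
        if self.energized:
            self.energized = False
            self.de_energized_at = now


class LogicSolver:
    """PE logic solver scan: runs the application program, then kicks the watchdog
    only if its own self-check (here: the scan finished within budget) passes."""

    def __init__(self, watchdog, max_scan_ms):
        self.watchdog = watchdog
        self.max_scan_ms = max_scan_ms

    def scan(self, scan_time_ms):
        # ... the application program would execute here ...
        healthy = scan_time_ms <= self.max_scan_ms
        if healthy:
            self.watchdog.kick()
        return healthy


def simulate(scan_times_ms, timeout_ticks=3, max_scan_ms=50):
    """Run one watchdog cycle per entry of scan_times_ms (constructed sample data);
    None models a scan that never returns because the CPU has hung."""
    outputs = SafetyOutputs()
    now = {"t": 0}
    watchdog = HardwareWatchdog(timeout_ticks, lambda: outputs.de_energize(now["t"]))
    solver = LogicSolver(watchdog, max_scan_ms)
    for t, scan_ms in enumerate(scan_times_ms, start=1):
        now["t"] = t
        watchdog.tick()              # hardware counts down regardless of the CPU
        if scan_ms is not None:
            solver.scan(scan_ms)     # a hung CPU never reaches this line
    return {
        "tripped": watchdog.tripped,
        "outputs_energized": outputs.energized,
        "de_energized_at": outputs.de_energized_at,
    }


if __name__ == "__main__":
    print("healthy:", simulate([10] * 8))
    print("hung from cycle 5:", simulate([10, 10, 10, 10, None, None, None, None]))
    print("one overrun:", simulate([10, 10, 80, 10, 10, 10]))
    print("three overruns:", simulate([10, 80, 80, 80, 10]))
```

Two design points carry the diagnostic value: the timer is advanced by a clock the supervised software cannot stop, and the kick is issued only after the self-check passes, so a scan that runs but overruns its budget is treated like a scan that never returns.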

3.3 Abbreviations
Abbreviations used throughout IEC 61511 are given in Table 1. Also included are some common abbreviations related to process sector functional safety.

Table 1 – Abbreviations used in IEC 61511

Abbreviation – Full expression
AC/DC – Alternating current/direct current
AIChE – American Institute of Chemical Engineers
ALARP – As low as reasonably practicable
ANSI – American National Standards Institute
AP – Application program
BPCS – Basic process control system
CCPS – Centre for Chemical Process Safety (AIChE)
DC – Diagnostic coverage
E/E/PE – Electrical/electronic/programmable electronic
EMC – Electro-magnetic compatibility
FAT – Factory acceptance test
FPL – Fixed program language
FSA – Functional safety assessment
FSMS – Functional safety management system
FTA – Fault tree analysis
FVL – Full variability language
HFT – Hardware fault tolerance
H&RA – Hazard & risk assessment
HMI – Human Machine Interface
IEC – International Electrotechnical Commission
ISA – International Society of Automation
ISO – International Organization for Standardization
LVL – Limited variability language
MooN – "M" out of "N" channel architecture
MPRT – Maximum permitted repair time
MRT – Mean repair time
MTTR – Mean time to restoration
NFPA – National Fire Protection Association (US)
NP – Non-programmable
OEM – Original Equipment Manufacturer
PE – Programmable electronics
PES – Programmable electronic system
PFD – Probability of dangerous failure on demand
PFDavg – Average probability of dangerous failure on demand
PFH – Probability (average frequency of dangerous failures) of failure per hour
pl – Plural
PLC – Programmable logic controller
SAT – Site acceptance test
SC – Systematic capability
SIF – Safety instrumented function
SIL – Safety integrity level
SIS – Safety instrumented system
SRS – Safety requirement specification

4 Conformance to the IEC 61511-1:2016

To conform to the IEC 61511-1:2016, it shall be shown that each of the requirements outlined in Clause 5 through Clause 19 has been satisfied to the defined criteria and therefore the clauses' objectives have been met.

5 Management of functional safety

5.1 Objective
The objective of the requirements of Clause 5 is to identify the management activities that are necessary to ensure the functional safety objectives are met.

NOTE 1 Clause 5 is solely aimed at the achievement and maintenance of the functional safety of SIS and is separate and distinct from general health and safety measures necessary for the achievement of safety in the workplace.

5.2 Requirements
5.2.1 General
The policy and strategy for achieving functional safety shall be identified together with the methods for evaluating their achievement and shall be communicated within the organization.

5.2.2 Organization and resources

5.2.2.1 Persons, departments, organizations or other units which are responsible for carrying out and reviewing each of the SIS safety life-cycle phases shall be identified and be informed of the responsibilities assigned to them.

5.2.2.2 Persons, departments or organizations involved in SIS safety life-cycle activities shall be competent to carry out the activities for which they are accountable.

The following items shall be addressed and documented when considering the competence of persons, departments, organizations or other units involved in SIS safety life-cycle activities:
a) engineering knowledge, training and experience appropriate to the process application;
b) engineering knowledge, training and experience appropriate to the applicable technology used (e.g., electrical, electronic or programmable electronic);
c) engineering knowledge, training and experience appropriate to the sensors and final elements;
d) safety engineering knowledge (e.g., process safety analysis);
e) knowledge of the legal and regulatory functional safety requirements;
f) adequate management and leadership skills appropriate to their role in the SIS safety life-cycle activities;
g) understanding of the potential consequence of an event;
h) the SIL of the SIF;
i) the novelty and complexity of the application and the technology.

5.2.2.3 A procedure shall be in place to manage competence of all those involved in the SIS life cycle. Periodic assessments shall be carried out to document the competence of individuals against the activities they are performing and on change of an individual within a role.

5.2.3 Risk evaluation and risk management

Hazards shall be identified, risks evaluated and the necessary risk reduction determined as defined in Clause 8.

NOTE It may be beneficial to consider also potential capital losses, for economic reasons.

5.2.4 Safety planning

Safety planning shall take place to define the activities that are required to be carried out along with the persons, departments, organizations or other units responsible to carry out these activities. This planning shall be updated as necessary throughout the entire SIS safety life-cycle (see Clause 6) and carried out to a detailed activity level commensurate with the role the individual or organization is performing in the SIS safety life-cycle.

NOTE The safety planning can be incorporated in
– a section in the quality plan entitled "SIS Safety Life-cycle Plan"; or
– a separate document entitled "SIS Safety Life-cycle Plan"; or
– several documents which may include company procedures or working practices.

5.2.5 Implementing and monitoring

5.2.5.1 Procedures shall be implemented to ensure prompt follow-up and satisfactory resolution of recommendations pertaining to the SIS arising from
a) hazard analysis and risk assessment;
b) assurance activities;
c) verification activities;
d) validation activities;
e) FSAs;
f) functional safety audits;
g) post-incident and post-accident activities.

5.2.5.2 Any supplier, providing products or services to an organization that has overall responsibility for one or more phases of the SIS safety life-cycle, shall deliver products or services as specified by that organization and shall have a quality management system. Procedures shall be in place to demonstrate the adequacy of the quality management system.

If a supplier makes any functional safety claims for a product or service, which are used by the organization to demonstrate compliance with the requirements of this part of IEC 61511, the supplier shall have a functional safety management system. Procedures shall be in place to demonstrate the adequacy of the functional safety management system.

The functional safety management system shall meet the requirements of the basic safety standard IEC 61508-1:2010, Clause 6, or the functional safety management requirements of the standard derived from IEC 61508 to which functional safety claims are made.

5.2.5.3 Procedures shall be implemented to evaluate the performance of the SIS against its safety requirements to:
• identify and prevent systematic failures which could jeopardize safety;
• monitor and assess whether reliability parameters of the SIS are in accordance with those assumed during the design;
• define the necessary corrective action to be taken if the failure rates are greater than what was assumed during design;
• compare the demand rate on the SIF during actual operation with the assumptions made during risk assessment when the SIL requirements were determined.

5.2.5.4 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

5.2.6 Assessment, auditing and revisions

5.2.6.1 Functional safety assessment (FSA)
5.2.6.1.1 A procedure shall be defined and executed for a FSA in such a way that a judgement can be made as to the functional safety and safety integrity achieved by every SIF of the SIS. The procedure shall require that a FSA team be appointed which includes the technical, application and operations expertise needed for the particular application.

5.2.6.1.2 The membership of the FSA team shall include at least one senior competent person not involved in the project design team (for stages 1, 2 and 3) or not involved in the operation and maintenance of the SIS (for stages 4 and 5).

5.2.6.1.3 The following shall be considered when planning a FSA:
– the scope of the FSA;
– who is to participate in the FSA;
– the skills, responsibilities and authorities of the FSA team;
– the information that will be generated as a result of any FSA activity;
– the identity of any other safety bodies involved in the FSA;
– the resources required to complete the FSA activity;
– the level of independence of the FSA team;
– the methods by which the FSA will be revalidated after modifications.

NOTE When the FSA team is large, consideration can be given to having more than one senior competent individual on the team who is independent from the project team.

5.2.6.1.4 A FSA team shall review the work carried out on all phases of the safety life cycle prior to the stage covered by the assessment that have not been already covered by previous FSAs. If previous FSAs have been carried out then the FSA team shall consider the conclusions and recommendations of the previous assessments. The stages in the SIS safety life-cycle at which the FSA activities are to be carried out shall be identified during the safety planning.

NOTE 1 Additional FSA activities can be introduced as new hazards are identified, after modification and at periodic intervals during operation.

NOTE 2 Consideration can be given to carrying out FSA activities at the following stages (see Figure 7).
– Stage 1 – After the H&RA has been carried out, the required protection layers have been identified and the SRS has been developed.
– Stage 2 – After the SIS has been designed.
– Stage 3 – After the installation, pre-commissioning and final validation of the SIS has been completed and operation and maintenance procedures have been developed.
– Stage 4 – After gaining experience in operating and maintenance.
– Stage 5 – After modification and prior to decommissioning of a SIS.

NOTE 3 The number, size and scope of FSA activities can depend upon the specific circumstances. The factors in this decision are likely to include:
– size of project;
– degree of complexity;
– SIL;
– duration of project;
– consequence in the event of failure;
– degree of standardization of design features;
– safety regulatory requirements;
– previous experience with a similar design;
– giving consideration to relevant factors such as:
  • time in operation;
  • number and scope of changes in operation;
  • proof test frequency.

5.2.6.1.5 Prior to the hazards being present the FSA team shall undertake functional safety assessment(s) and shall confirm:
• the H&RA has been carried out (see 8.1);
• the recommendations arising from the H&RA that apply to the SIS have been implemented or resolved;
• project design change procedures are in place and have been properly implemented;
• the recommendations arising from any FSA have been resolved;
• the SIS is designed, constructed and installed in accordance with the SRS, any differences having been identified and resolved;
• the safety, operating, maintenance and emergency procedures pertaining to the SIS are in place;
• the SIS validation planning is appropriate and the validation activities have been completed;
• the employee training has been completed and appropriate information about the SIS has been provided to the maintenance and operating personnel;
• plans or strategies for implementing further FSAs are in place.

5.2.6.1.6 Where design, development and production tools are used for any SIS safety life-cycle activity, they shall themselves be subject to an assessment demonstrating that they do not have any negative impact on the SIS or the output of the tools shall be confirmed by verification procedures.

NOTE 1 The degree to which such tools can be addressed will depend upon their impact on the risk level to be achieved.

NOTE 2 Examples of development and production tools include simulation and modelling tools, measuring equipment, test equipment, equipment used during maintenance activities and configuration management tools.

NOTE 3 Quality assurance of tools includes, but is not limited to, traceability to calibration standards, operating history and defect list.

5.2.6.1.7 The results of the FSA shall be available together with any recommendation coming from this assessment.

5.2.6.1.8 All relevant information shall be made available to the FSA team upon their request.

5.2.6.1.9 In cases where a FSA is carried out on a modification the assessment shall consider the impact analysis carried out on the proposed modification and confirm that the modification work performed is in compliance with the requirements of IEC 61511.

NOTE Safety life cycle (including FSA) requirements related to SIS modifications can be found in 17.2.3.

5.2.6.1.10 A FSA shall also be carried out periodically during the operations and maintenance phase to ensure that maintenance and operation are being carried out according to the assumptions made during design and that the requirements within IEC 61511 for safety management and verification are being met.

5.2.6.2 Functional safety audit and revision

5.2.6.2.1 The purpose of the audit is to review information, documents and records to determine whether the functional safety management system (FSMS) is in place, up to date, and being followed. Where gaps are identified, recommendations for improvements are made.

5.2.6.2.2 All procedures identified as necessary resulting from all safety life-cycle activities shall be subject to safety audit.

5.2.6.2.3 Functional safety audit shall be performed by an independent person not undertaking work on the SIS to be audited. Procedures shall be defined and executed for auditing compliance with requirements including:
• the frequency of the functional safety audit activities;
• the degree of independence between the persons, departments, organizations or other units carrying out the work and those carrying out the functional safety auditing activities;
• the recording and follow-up activities.

5.2.6.2.4 Management of change procedures shall be in place to initiate, document, review, implement and approve changes to the SIS other than replacement in kind (i.e., like for like, an exact duplicate of an element or an approved substitution that does not require modification to the SIS as installed).

5.2.6.2.5 Management of change procedures shall be in place that identify changes that will affect the requirements on the SIS (e.g., re-design of a BPCS, changes to manning in a certain area).

5.2.7 SIS configuration management

5.2.7.1 Procedures for configuration management of the SIS during any SIS safety life-cycle phase shall be available.

NOTE In particular, the following can be specified:
– the stage at which formal configuration management is to be implemented;
– the procedures to be used for uniquely identifying all components of a SIS or SIS-subsystem (e.g., devices, application programming);
– the procedures for preventing unauthorized devices from entering service.

5.2.7.2 The SIS software, hardware and procedures used to develop and execute the application program shall be subject to configuration management and shall be maintained under revision control.

NOTE SIS software includes application program (e.g., in logic solvers); embedded software (e.g., sensors, logic solvers, final elements); utility software (tools).

6 Safety life-cycle requirements

6.1 Objectives

The objectives of Clause 6 are:
• to define the phases and establish the requirements of the SIS safety life-cycle activities;
• to define and organize the technical activities into a SIS safety life-cycle;
• to ensure that adequate planning exists (or is developed) that makes certain that the SIS meets the safety requirements.

NOTE 1 The overall approach of the IEC 61511 series is shown in Figure 7. It should be stressed that this approach is for illustration and is only meant to indicate the typical SIS safety life-cycle activities from initial conception through decommissioning.

[Figure 7 is a diagram and is not reproduced here. Its boxes, the clause of this part giving the requirements for each, and the FSA stage markers are:
– Box 1: Hazard and risk assessment (Clause 8); Box 2: Allocation of safety functions to protection layers (Clause 9); Box 3: Safety requirements specification for the safety instrumented system (Clause 10); FSA Stage 1 follows Box 3.
– Box 4: Design and engineering of safety instrumented system (Clauses 11, 12 and 13), shown alongside Design and development of other means of risk reduction (Clause 9; no detailed requirements given in this standard); FSA Stage 2 follows Box 4.
– Box 5: Installation, commissioning and validation (Clauses 14 and 15); FSA Stage 3 follows Box 5.
– Box 6: Operation and maintenance (Clause 16); FSA Stage 4 follows Box 6.
– Box 7: Modification (Clause 17); FSA Stage 5 follows Box 7.
– Box 8: Decommissioning (Clause 18).
– Running alongside all phases: Box 9: Verification (Clauses 7 and 12.5); Box 10: Management of functional safety and functional safety assessment and auditing (Clause 5); Box 11: Safety life-cycle structure and planning (Clause 6).

Key:
Typical direction of information flow.
No detailed requirements given in this standard.
Requirements given in this standard.

NOTE 1 Stages 1 through 5 inclusive are defined in 5.2.6.1.4.
NOTE 2 All references are to Part 1 unless otherwise noted.]

Figure 7 – SIS safety life-cycle phases and FSA stages

NOTE 2 Information in Figure 7 may flow from operation and maintenance back to the earlier life-cycle stages to reflect tracking of incidents and failures and to verify engineering assumptions.

6.2 Requirements

6.2.1 A SIS safety life-cycle incorporating the requirements of the IEC 61511 series shall be defined during safety planning. The safety life-cycle shall also address the application programming (see 6.3.1).

6.2.2 Each phase of the SIS safety life-cycle shall be defined in terms of its inputs, outputs and verification activities (see Table 2).

Table 2 – SIS safety life-cycle overview (1 of 2)

Each row gives, for one safety life-cycle phase or activity: the Figure 7 box number and title, the objectives, the clause of this part stating the requirements, the inputs and the outputs.

Box 1 – H&RA
Objectives: To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with the hazardous event, the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction
Requirements: Clause 8
Inputs: Process design, layout, manning arrangements, safety targets
Outputs: A description of the hazards, of the required safety function(s) and of the associated risk reduction

Box 2 – Allocation of safety functions to protection layers
Objectives: Allocation of safety functions to protection layers and for each SIF, the associated SIL
Requirements: Clause 9
Inputs: A description of the required SIF and associated safety integrity requirements
Outputs: Description of allocation of safety requirements

Box 3 – SIS safety requirements specification
Objectives: To specify the requirements for each SIS, in terms of the required SIF and their associated safety integrity, in order to achieve the required functional safety
Requirements: Clause 10
Inputs: Description of allocation of safety requirements
Outputs: SIS safety requirements; application program safety requirements

Box 4 – SIS design and engineering
Objectives: To design the SIS to meet the requirements for SIF and their associated safety integrity
Requirements: Clauses 11, 12
Inputs: SIS safety requirements; application program safety requirements
Outputs: Design of the SIS hardware and application program in conformance with the SIS safety requirements; planning for the SIS integration test

Box 5 – SIS installation, commissioning and validation
Objectives: To integrate and test the SIS. To validate that the SIS meets in all respects the requirements for safety in terms of the required SIF and their associated safety integrity
Requirements: Clauses 14, 15
Inputs: SIS design; SIS integration test plan; SIS safety requirements; plan for the safety validation of the SIS
Outputs: Fully functioning SIS in conformance with the SIS safety requirements. Results of SIS integration tests. Results of the installation, commissioning and validation activities

Table 2 (2 of 2)

Box 6 – SIS operation and maintenance
Objectives: To ensure that the functional safety of the SIS is maintained during operation and maintenance
Requirements: Clause 16
Inputs: SIS safety requirements; SIS design; plan for SIS operation and maintenance
Outputs: Results of the operation and maintenance activities

Box 7 – SIS modification
Objectives: To make corrections, enhancements or
Requirements: Clause 17
Inputs: Revised SIS safety requirements
Outputs: Results of SIS modification
adaptati ons to the SI S,
en su ri ng th at the requi red
SI L i s ach i eved an d
m ai n tai n ed
8 Decom m i ssi on - To ensu re proper revi ew, Cl au se 1 8 As bui l t safety SI F pl aced ou t of
i ng sector org an i zati on , an d req u i rem en ts an d servi ce
en su re SI F rem ai ns process
appropri ate i n form ati on
9 SI S veri fi cati on To test and eval u ate th e Cl ause 7, Pl an for the Resul ts of the
ou tpu ts of a g i ven phase to 1 2. 5 veri fi cati on of the veri fi cati on of the
en su re correctn ess and SI S for each ph ase SI S for each phase
consi stency wi th respect to
th e prod ucts an d stan dards
provi ded as i n pu t to that
ph ase
10 SI S FSA To i n vesti g ate an d arri ve Cl au se 5 Pl an ni n g for SI S Resu l ts of SI S FSA
at a j u d g em ent on th e FSA
fu ncti on al safety achi eved
by th e SI S SI S safety
req u i rem en t
11 Safety l i fecycl e To establ i sh h ow th e 6. 2 N ot appl i cabl e Safety pl an
stru cture and l i fecycl e steps are
pl an ni n g accom pl i shed

6.2.3 For all SIS safety life-cycle phases, safety planning shall take place to define the
activities, criteria, techniques, measures, procedures and responsible organisation/people to:
• ensure that the SIS safety requirements are achieved for all relevant modes of the
process; this includes both functional and safety integrity requirements;
• ensure proper installation and commissioning of the SIS;
• ensure the safety integrity of the SIF after installation;
• maintain the safety integrity during operation (e.g., proof testing, failure analysis);
• manage the process hazards during maintenance activities on the SIS.

6.2.4 If at any stage of the safety life-cycle, a change is required pertaining to an earlier life-
cycle phase, then that earlier SIS safety life-cycle phase and the subsequent phases shall be
re-examined, altered as required and re-verified.

6.3 Application program SIS safety life-cycle requirements

6.3.1 Each phase of the application program safety life-cycle (see Figure 8) shall be defined
in terms of its elementary activities, objectives, required input information and output results
and verification requirements (see Table 3).
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle

Boxes shown in Figure 8:
– SRS (Clause 10) → SIS subsystem architecture (sensors, logic solver(s) or final elements) → hardware safety requirements, split into programmable electronic hardware and non-programmable hardware;
– Box 4 in Figure 7 (design and engineering of the safety instrumented function): programmable electronic selection including embedded software, and non-programmable hardware design and development;
– Application program safety life-cycle and tools: application program safety requirements (10.3.2); application program safety validation planning (15.2.2); application program design (12.1 to 12.3); application program implementation (12.4 and 12.6); methods and tools; application program review and testing (12.5 and 7.2.2); operation and modification procedures (16 and 17);
– SIS integration test (Clause 13) → SIS install and validate (Clauses 14 and 15) → to boxes 6 and 7 in Figure 7.
Table 3 – Application program safety life-cycle: overview

Columns: Figure 8 box number and title; Objectives; Requirements clause; Inputs; Outputs.

Box 10.3.2 – Application program safety requirements
  Objectives: To specify application program safety requirements for each SIS necessary to implement the required SIF. To specify the requirements for application program for each SIF allocated to that SIS.
  Requirements clause: 10.3, 11.5
  Inputs: SIS safety requirements. Safety manuals of the selected SIS. SIS architecture.
  Outputs: SIS application program safety requirements specification. Verification information.

Box 15.2.2 – Application program safety validation planning
  Objectives: To develop a plan for validating the application program.
  Requirements clause: 15.2.2, 15.2.5
  Inputs: SIS application program safety requirements.
  Outputs: SIS safety validation planning. Verification information.

Box 12.1 to 12.3 – Application program development
  Objectives: Architecture. To create an application program architecture that fulfils the specified requirements for application program safety. To review and evaluate the requirements placed on the application program by the hardware architecture of the SIS. To specify the procedures for the development of the application program.
  Requirements clause: 12.1 (also 10.3, 12.2)
  Inputs: SIS application program safety requirements. SIS hardware architecture design constraints.
  Outputs: Description of the architecture design, e.g., segregation of application program into related process sub-system and SIL, e.g., recognition of common application program modules such as pump or valve sequences. Application program architecture and sub-system integration test requirements. Verification information.

Application program design
  Objectives: To develop the application program design. To identify a suitable set of configuration, library, management, and simulation and test tools, over the safety life-cycle of the application program.
  Requirements clause: 12.3
  Inputs: SIS application program safety requirements. Description of the architecture design. Manuals of the SIS. Safety manual of the selected SIS logic solver.
  Outputs: Application program design. Procedures for use during programming. Description of the standard (manufacturers) library functions to be used. Verification information.

Box 12.4, 12.6 – Application program implementation
  Objectives: Application development and application module development. To implement the application program that fulfils the specified requirements for application safety. To use appropriate support tools and programming languages.
  Requirements clause: 12.4, 12.3.4, 12.6
  Inputs: Description of the design. List of manuals and procedures of the selected logic solver for use with application program.
  Outputs: Application program (e.g., function block diagrams, ladder logic). Application program simulation and integration test. Special purpose application program safety requirements. Verification information.

Box 12.5, 7.2.2 – Application program verification
  Objectives: To verify that the requirements for application program safety have been achieved. To show that all SIS application programs interact correctly to perform their intended functions and do not perform unintended functions.
  Requirements clause: 12.5, 7.2.2
  Inputs: Application program simulation and integration test requirements (structure based testing). Application program architecture integration test requirements.
  Outputs: Application program test results. Verified and tested application program system. Verification information.

Box 13 – SIS integration test
  Objectives: To integrate the application program onto the target logic solver, including interaction with a sample set of field devices and/or simulator.
  Requirements clause: Clause 13
  Inputs: Application program and logic solver integration test requirements.
  Outputs: Application program and logic solver integration test results.

6.3.2 Methods, techniques and tools shall be applied for each life-cycle phase in accordance
with 12.6.2.

6.3.3 Each phase of the SIS safety life-cycle for which safety planning has been carried out
shall be verified (see Clause 7) and the results shall be available as described in Clause 19.

7 Verification

7.1 Objective
The objective of Clause 7 is to demonstrate by review, analysis and/or testing that the
required outputs satisfy the defined requirements for the appropriate phases (Figure 7) as
identified by the verification planning.

7.2 Requirements

7.2.1 Verification planning shall be carried out throughout the SIS safety life-cycle and shall
define all activities required for the appropriate phase (Figure 7) of the safety life-cycle,
including the application program. Verification planning shall conform to the IEC 61511 series
by addressing the following:
• the verification activities;
• the procedures, measures and techniques to be used for verification including
implementation and resolution of resulting recommendations;
• when these activities will take place;
• the persons, departments and organizations responsible for these activities, including
levels of independence;
• identification of items to be verified;
• identification of the information against which the verification is carried out;
• the adequacy of the outputs against the requirements for that phase;
• correctness of the data;
• how to handle non-conformances;
• tools and supporting analysis;
• the completeness of the SIS implementation and the traceability of the requirements;
• the readability and audit-ability of the documentation;
• the testability of the design.

7.2.2 Where the verification includes testing, the verification planning shall also address the
following:
• the strategy for integration of application program and hardware and field devices,
including the integration of sub-systems that shall comply with other standards (such as
machinery or burner);
• test scope (describes the test set-up and what type of test to be performed including the
hardware, application programming, and programming devices to be included);
• test cases and test data (these will be specific scenarios with the associated data);
• types of tests to be performed;
• test environment including tools, hardware, all software and required configuration;
• test criteria (e.g., pass/fail criteria) on which the results of the test will be evaluated;
• procedures for corrective action on failure during test;
• physical location(s) (e.g., factory or site);
• dependence on external functionality;
• appropriate personnel;
• management of change;
• non-conformances.

7.2.3 Non-safety functions integrated with safety functions shall be verified for non-
interference with the safety functions.

7.2.4 Verification shall be performed according to the verification planning.

7.2.5 During testing, any modification shall be subjected to an impact analysis which shall
determine all SIS components impacted and the necessary re-verification activities.

7.2.6 The results of the verification process shall be available (see Clause 19), including
whether the objective and criteria of the tests have been met.

NOTE 1 Selection of techniques and measures for the verification process and the degree of independence
depends upon a number of factors including degree of complexity, novelty of design, novelty of technology and
required SIL.

NOTE 2 Examples of some verification activities include design reviews, use of tools and techniques including
software verification tools and computer based design analysis tools.

8 Process H&RA

8.1 Objectives
The objectives of the requirements of Clause 8 are to determine:
• the hazards and hazardous events of the process and associated equipment;
• the sequence of events leading to the hazardous event;
• the process risks associated with the hazardous event;
• any requirements for risk reduction;
• the safety functions required to achieve the necessary risk reduction;
• if any of the safety functions are SIFs.

NOTE 1 Clause 8 addresses process engineers, hazard and risk specialists, safety managers as well as
instrument engineers. Its purpose is to recognize the multi-disciplinary approach typically required for the
determination of SIF.

NOTE 2 Where reasonably practicable, processes can be designed to be inherently safe. When this is not
practicable, other layers of protection (see Figure 9) can be required. In some applications, industry standards can
specify the use of particular protection layers.

NOTE 3 The risk reduction can be accomplished using several layers of protection and the layers can be
independent, sufficient, dependable and auditable (see Clause 9).

8.2 Requirements

8.2.1 A H&RA shall be carried out on the materials, process and equipment. It shall result in:
• a description of each identified hazardous event and the factors that contribute to it;
• a description of the likelihood and consequence of each hazardous event;
• consideration of process operating modes such as normal operation, start-up, shutdown,
maintenance, process upset, and emergency shutdown;
• the determination of additional risk reduction necessary to achieve the required functional
safety;
• a description of, or references to information on, the measures taken to reduce or remove
hazards and risk;
• a detailed description of the assumptions made during the analysis of the risks including
demand rates on the protection layers and the average frequency of dangerous failures of
the initiating sources, and of any credit taken for operational constraints or human
intervention;
• identification of those safety function(s) applied as SIF(s).

NOTE 1 In determining the safety integrity requirements, account can be taken of the effects of common
cause between systems that create demands and the protection layers that are designed to respond to those
demands. An example of this would be where demands can arise through BPCS failure and the equipment
used within the protective layers is similar or identical to the equipment used within the BPCS. In such cases,
a demand caused by a failure of BPCS equipment may not be responded to effectively if a common cause has
rendered similar equipment in the protection layer to be ineffective. It may not be possible to recognize
common cause problems during the initial hazard identification and risk analysis because at such an early
stage the design of the protection layers will not necessarily have been completed. In such cases, it can be
necessary to reconsider the safety integrity requirements and SIF once the design of the SIS and other
protection layers has been completed. In determining whether the overall design of process and protection
layers meets requirements, common cause failures will be considered.

NOTE 2 Examples of techniques that can be used to establish the required SILs of SIFs are illustrated in
IEC 61511-3:2016.

8.2.2 The average frequency of dangerous failures of a BPCS as an initiating source shall
not be assumed to be < 10⁻⁵ per hour.
8.2.3 The H&RA shall be recorded in such a way that the relationship between the above
items is clear and traceable.

NOTE 1 The above requirements do not mandate that the safety integrity requirements have to be assigned as
numerical values. Qualitative or semi-quantitative approaches (see IEC 61511-3:2016, Annexes C, D & E) can also
be used.

NOTE 2 The safety integrity requirements vary depending on the application and national legal requirements. An
accepted principle in many countries is that additional risk reduction measures can be applied until the cost
incurred becomes disproportionate to the improvement in safety integrity achieved.

8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of
the SIS. It shall result in:
• a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other
device connected to the SIS);
• a description of identified threats that could exploit vulnerabilities and result in security
events (including intentional attacks on the hardware, application programs and related
software, as well as unintended events resulting from human error);
• a description of the potential consequences resulting from the security events and the
likelihood of these events occurring;
• consideration of various phases such as design, implementation, commissioning,
operation, and maintenance;
• the determination of requirements for additional risk reduction;
• a description of, or references to information on, the measures taken to reduce or remove
the threats.

NOTE 1 Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and
IEC 62443-2-1:2010.

NOTE 2 The information and control of boundary conditions needed for the security risk assessment are typically
with the owner/operating company of a facility, not with the supplier. Where this is the case, the obligation to comply
with 8.2.4 can be with the owner/operating company of the facility.

NOTE 3 The SIS security risk assessment can be included in an overall process automation security risk
assessment.

NOTE 4 The SIS security risk assessment can range in focus from an individual SIF to all SISs within a company.

9 Allocation of safety functions to protection layers

9.1 Objectives
The objectives of the requirements of Clause 9 are to
• allocate safety functions to protection layers;
• determine the required SIFs;
• determine for each SIF the associated safety integrity requirements.

NOTE 1 Account can be taken, during the process of allocation, of other industry standards or codes.

NOTE 2 The integrity requirements for each SIF might include the associated risk reduction, PFD, PFH or SIL.

9.2 Requirements of the allocation process

9.2.1 The allocation process shall result in
• the allocation of safety functions required to achieve the necessary risk reduction to
specific protection layers;
• the allocation of risk reduction or average frequency of dangerous failure to each SIF.

NOTE Legislative requirements or other industry codes may influence the allocation process.
9.2.2 The required SIL shall be derived taking into account the required PFD or PFH that is
to be provided by the SIF.

NOTE Further guidance can be found in IEC 61511-3:2016.

9.2.3 For each SIF operating in demand mode, the required SIL shall be specified in
accordance with either Table 4 or Table 5.

9.2.4 For each SIF operating in continuous mode, the required SIL shall be specified in
accordance with Table 5.

Table 4 – Safety integrity requirements: PFDavg

DEMAND MODE OF OPERATION

Safety integrity level (SIL)   PFDavg               Required risk reduction
4                              ≥ 10⁻⁵ to < 10⁻⁴     > 10 000 to ≤ 100 000
3                              ≥ 10⁻⁴ to < 10⁻³     > 1 000 to ≤ 10 000
2                              ≥ 10⁻³ to < 10⁻²     > 100 to ≤ 1 000
1                              ≥ 10⁻² to < 10⁻¹     > 10 to ≤ 100

Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF

CONTINUOUS MODE OR DEMAND MODE OF OPERATION

Safety integrity level (SIL)   Average frequency of dangerous failures (failures per hour)
4                              ≥ 10⁻⁹ to < 10⁻⁸
3                              ≥ 10⁻⁸ to < 10⁻⁷
2                              ≥ 10⁻⁷ to < 10⁻⁶
1                              ≥ 10⁻⁶ to < 10⁻⁵

NOTE 1 Further explanation of modes of operation can be found in 3.2.39.

NOTE 2 The SIL is defined numerically so as to provide an objective measure for comparison of alternate designs
and solutions. However, it is recognized that, given the current state of knowledge, many systematic causes of
failure can only be assessed qualitatively.

NOTE 3 The required average frequency of dangerous failures for a continuous or demand mode SIF is
determined by considering the risk caused by failure of the continuous or demand mode SIF together with the
failures of other devices that lead to the same risk, taking into consideration the risk reduction provided by other
protection layers.

9.2.5 In cases where the allocation process results in a risk reduction requirement of
> 10 000 or average frequency of dangerous failures < 10⁻⁸ per hour for a single SIS or multiple
SISs or SIS in conjunction with a BPCS protection layer, there shall be a reconsideration of
the application (e.g., process, other protection layers) to determine if any of the risk
parameters can be modified so that the risk reduction requirement of > 10 000 or average
frequency of dangerous failures < 10⁻⁸ per hour is avoided. The review shall consider whether:
– the process or vessels/pipe work can be modified to remove or reduce hazards at the
source;
– additional safety-related systems or other risk reduction means, not based on
instrumentation, can be introduced;
– the severity of the consequence can be reduced, e.g., reducing the amount of hazardous
material;
– the likelihood of the specified consequence can be reduced, e.g., reducing the likelihood of
the initiating source of the hazardous event.

NOTE Applications which require the use of a single SIF with a risk reduction requirement > 10 000 or average
frequency of dangerous failures < 10⁻⁸ per hour need to be avoided because of the difficulty of achieving and
maintaining such high levels of performance throughout the SIS safety life-cycle. Risk reduction requirement
> 10 000 or average frequency of dangerous failures < 10⁻⁸ per hour can require high levels of competence and high
levels of coverage for all factory acceptance testing, proof testing, verification, and validation activities.
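As an added illustration that is not part of IEC 61511-1, the following Python encodes the SIL bands of Tables 4 and 5 and the 9.2.5 trigger (risk reduction > 10 000, or average frequency of dangerous failures < 10⁻⁸ per hour). The function and type names (sil_for_pfd_avg, sil_for_pfh, review_demand_mode_target, review_continuous_mode_target, AllocationReview) are my own; the band boundaries are transcribed from the two tables, and the 9.2.5 comparison is made on the PFDavg or PFH value itself rather than on a computed 1/PFDavg, so that a target of exactly 10 000 is not misclassified by floating-point round-off.

```python
"""SIL banding per IEC 61511-1 Tables 4 and 5, plus the 9.2.5 trigger.

Added example, not code from the standard. Band boundaries are taken
from Table 4 (PFDavg, demand mode) and Table 5 (average frequency of
dangerous failures, continuous or demand mode).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Table 4: SIL -> [lower, upper) band of PFDavg (demand mode).
PFD_AVG_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4),   # required risk reduction > 10 000 to <= 100 000
    3: (1e-4, 1e-3),   # > 1 000 to <= 10 000
    2: (1e-3, 1e-2),   # > 100 to <= 1 000
    1: (1e-2, 1e-1),   # > 10 to <= 100
}

# Table 5: SIL -> [lower, upper) band of dangerous failures per hour.
PFH_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-9, 1e-8),
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}

# 9.2.5 thresholds: risk reduction > 10 000 is PFDavg < 1e-4; the
# continuous-mode threshold is PFH < 1e-8 per hour.
PFD_RECONSIDER_BELOW = 1e-4
PFH_RECONSIDER_BELOW = 1e-8


def _sil_from_bands(value: float, bands: Dict[int, Tuple[float, float]]) -> Optional[int]:
    """Return the SIL whose [lower, upper) band contains value, else None."""
    if value <= 0:
        raise ValueError("PFDavg / PFH must be a positive number")
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return None  # outside the tabulated range (no SIL, or beyond SIL 4)


def sil_for_pfd_avg(pfd_avg: float) -> Optional[int]:
    """Table 4: SIL for a demand-mode SIF from its target PFDavg."""
    return _sil_from_bands(pfd_avg, PFD_AVG_BANDS)


def sil_for_pfh(pfh: float) -> Optional[int]:
    """Table 5: SIL for a continuous- or demand-mode SIF from its target PFH."""
    return _sil_from_bands(pfh, PFH_BANDS)


@dataclass
class AllocationReview:
    sil: Optional[int]
    reconsider: bool          # True when 9.2.5 requires reconsidering the application
    findings: List[str] = field(default_factory=list)


def review_demand_mode_target(pfd_avg: float) -> AllocationReview:
    """Band a demand-mode PFDavg target and flag the 9.2.5 case."""
    review = AllocationReview(sil=sil_for_pfd_avg(pfd_avg), reconsider=False)
    if review.sil is None:
        review.findings.append("PFDavg outside Table 4; no SIL can be assigned")
    if pfd_avg < PFD_RECONSIDER_BELOW:
        review.reconsider = True
        review.findings.append(
            "risk reduction > 10 000: reconsider the application before allocating (9.2.5)")
    return review


def review_continuous_mode_target(pfh: float) -> AllocationReview:
    """Band a PFH target and flag the 9.2.5 case."""
    review = AllocationReview(sil=sil_for_pfh(pfh), reconsider=False)
    if review.sil is None:
        review.findings.append("PFH outside Table 5; no SIL can be assigned")
    if pfh < PFH_RECONSIDER_BELOW:
        review.reconsider = True
        review.findings.append(
            "average frequency of dangerous failures < 1e-8 per hour: "
            "reconsider the application before allocating (9.2.5)")
    return review


if __name__ == "__main__":
    # Constructed targets for illustration, not values from the standard.
    for pfd in (2e-2, 5e-4, 5e-5):
        r = review_demand_mode_target(pfd)
        print(f"PFDavg {pfd:g}: SIL {r.sil}, reconsider={r.reconsider}")
    r = review_continuous_mode_target(3e-9)
    print(f"PFH 3e-09/h: SIL {r.sil}, reconsider={r.reconsider}")
```

The band test uses a half-open interval, so a target sitting exactly on a boundary (for example PFDavg = 10⁻³) falls into the lower SIL band, matching the "≥ ... to <" wording of the tables.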

9.2.6 If after further consideration of the application and confirmation that a risk reduction
requirement > 10 000 or average frequency of dangerous failures < 10⁻⁸ per hour is still
required, then consideration should be given to achieving the safety integrity requirement
using a number of protection layers (e.g., SIS or BPCS) with lower risk reduction
requirements. If the risk reduction is allocated to multiple protection layers then such
protection layers shall be independent from each other or the lack of independence shall be
assessed and shown to be sufficiently low compared to the risk reduction requirements. The
following factors shall be considered during this assessment:
– common cause of failure of SIS and the cause of demand;

NOTE 1 The extent of the common cause can be assessed by considering the diversity of all devices where
failure could cause a demand and all devices of the BPCS protection layer and/or the SIS used for risk
reduction.

NOTE 2 An example of common cause between the SIS and the cause of demand is if loss of process control
through sensor fault or failure can cause a demand and the sensor used for control is of the same type as the
sensor used for the SIS.

– common cause of failure with other protection layers providing risk reduction;

NOTE 3 The extent of the common cause can be assessed by considering the diversity of all devices of the
BPCS protection layer and/or the SIS used to achieve the risk reduction requirements.

NOTE 4 An example of common cause between SISs providing risk reduction is when two separate and
independent SISs with diverse measurements and diverse logic solvers are used but the final actuation
devices are two shut-off valves of similar types or a single shut-off valve actuated by both SISs.

– any dependencies that may be introduced by common operations, maintenance,
inspection or test activities or by common proof test procedures and proof test times;

NOTE 5 Even if the protective layers are diverse, synchronous proof testing will reduce the overall risk
reduction achieved and this can be a significant factor impeding achievement of the necessary risk reduction
for the hazardous event.

NOTE 6 When high levels of risk reduction are required and proof tests are desynchronised according to Note
5, then the dominant factor is normally common cause failure even if multiple independent protection layers are
used to reduce risk. Dependency within and between protection layers providing risk reduction for the same
hazardous event can be assessed and shown to be sufficiently low.

9.2.7 If a risk reduction requirement > 10 000 or average frequency of dangerous failures
< 10⁻⁸ per hour is to be implemented, whether allocated to a single SIS or multiple SIS or SIS
in conjunction with a BPCS protection layer, then a further risk assessment shall be carried
out using a quantitative methodology to confirm that the safety integrity requirements are
achieved. The methodology shall take into consideration dependency and common cause
failures between the SIS and:
– any other protection layer whose failure would place a demand on it;
– any other SIS reducing the likelihood of the hazardous event;
– any other risk reduction means that reduce the likelihood of the hazardous event (e.g.,
safety alarms).

9.2.8 If the risk reduction required for a hazardous event is allocated to multiple SIFs in a
single SIS, then the SIS shall meet the overall risk reduction requirement.

9.2.9 The results of the allocation process shall be recorded so that the SIFs are described
in terms of the functional needs of the process, e.g., the actions to be taken, set points,
reaction times, activation delays, fault treatment, valve closure requirements, and in terms of
the risk reduction requirements.

NOTE This description can be in an unambiguous logical form and can be referred to as the process requirements
specification or the safety description. The description can make the intent and the approach used in the allocation
process clear. The process requirements specification is used as input information for the SRS covered in
Clause 10 and can be sufficiently detailed to ensure adequate specification of the SIS and its devices. For
example, the description can include the set-points for sensors, the process safety time available for response, and
the valve closure requirements.

9.3 Requirements on the basic process control system as a protection layer

9.3.1 The basic process control system may be claimed as a protection layer as shown in
Figure 9.

Figure 9 – Typical protection layers and risk reduction means

Layers shown in Figure 9, from the outermost inwards:
– COMMUNITY EMERGENCY RESPONSE: emergency broadcasting
– PLANT EMERGENCY RESPONSE: evacuation procedures
– MITIGATION: mechanical mitigation systems; safety instrumented systems; operator supervision
– PREVENTION: mechanical protection system; process alarms with operator corrective action; safety instrumented systems
– CONTROL and MONITORING: basic process control system; monitoring systems (process alarms); operator supervision
– PROCESS

9.3.2 The risk reduction claimed for a BPCS protection layer shall be ≤ 10.

NOTE Consideration can be given to the fact that a BPCS may also be an initiating source for the demand on the
protection layer.

9.3.3 If the risk reduction claimed for a BPCS protection layer is > 10, then the BPCS shall
be designed and managed to the requirements within the IEC 61511 series.

9.3.4 If it is not intended that the BPCS conform to the IEC 61511 series, then:
• no more than one BPCS protection layer shall be claimed for the same sequence of events
leading to the hazardous event when the BPCS is the initiating source for the demand on
the protection layer; or
• no more than two BPCS protection layers shall be claimed for the same sequence of events
leading to the hazardous event when the BPCS is not the initiating source of the demand.

NOTE The identified BPCS protection layer can consist of one BPCS as the initiating source for the demand (see
8.2.2) and a second independent BPCS protection layer (see 9.3.2 and 9.3.3) or up to two independent BPCS
protection layers when the initiating source is not related to BPCS failure.
9.3.5 When 9.3.4 applies, each BPCS protection layer shall be independent and separate from the initiating source and from each other to the extent that the claimed risk reduction of each BPCS protection layer is not compromised.

NOTE 1 The assessment of separation and independence can consider what is necessary to achieve the risk reduction, e.g., the central processing units (CPU), input/output modules, relays, field devices, application programming, networks, program database, engineering tools, human machine interface, by-pass tools and other devices.

NOTE 2 A hot backup controller is not considered to be independent of the primary controller because it is subject to common cause failure (for example, hot backup controllers have components that are common to both the primary and the backup controller, such as the backplane, firmware, diagnostics, transfer mechanisms and undetected dangerous failures).
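The following is an added worked example and not text or code from IEC 61511-1: a small LOPA-style calculation that applies the BPCS claim rules of 9.3.2 to 9.3.5 to one hazard scenario and then derives the risk reduction left for a SIF. The scenario frequencies, the layer names and the Layer/Scenario data structures are constructed for illustration; the SIL bands are the low demand mode PFDavg bands of the IEC 61508/IEC 61511 target failure measure table.

```python
"""Added example (not from IEC 61511-1): LOPA-style check of BPCS protection
layer claims under 9.3.2 to 9.3.5, then the residual risk reduction a SIF must
provide. Scenario values below are constructed for illustration."""

from dataclasses import dataclass, field

MAX_BPCS_RRF = 10.0  # 9.3.2: a BPCS layer not built to IEC 61511 may claim at most RRF 10

# Low demand mode PFDavg bands (IEC 61508 / IEC 61511 target failure measure):
# (SIL, lower PFDavg limit inclusive, upper PFDavg limit exclusive)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


@dataclass
class Layer:
    name: str
    rrf: float                     # claimed risk reduction factor (1 / PFDavg)
    is_bpcs: bool = False
    conforms_61511: bool = False   # 9.3.3: BPCS designed and managed to IEC 61511
    independent: bool = True       # 9.3.5: separate from initiating source and other layers


@dataclass
class Scenario:
    initiating_event_per_year: float
    bpcs_is_initiator: bool        # the BPCS failure is the demand source (9.3.2 NOTE, 9.3.4)
    tolerable_per_year: float      # target mitigated event frequency
    layers: list = field(default_factory=list)


def check_bpcs_claims(s: Scenario) -> list:
    """Return the list of 9.3 rule violations; an empty list means the claims are allowed."""
    problems = []
    bpcs = [l for l in s.layers if l.is_bpcs and not l.conforms_61511]
    for l in bpcs:
        if l.rrf > MAX_BPCS_RRF:
            problems.append(f"{l.name}: RRF {l.rrf:g} > 10 needs IEC 61511 conformance (9.3.3)")
        if not l.independent:
            problems.append(f"{l.name}: not independent of initiator/other layers (9.3.5)")
    limit = 1 if s.bpcs_is_initiator else 2
    if len(bpcs) > limit:
        problems.append(f"{len(bpcs)} non-61511 BPCS layers claimed, 9.3.4 allows {limit}")
    return problems


def required_sif_rrf(s: Scenario) -> float:
    """Risk reduction the SIF must still supply after crediting the listed layers."""
    if check_bpcs_claims(s):
        raise ValueError("BPCS claims violate 9.3; fix the allocation first")
    mitigated = s.initiating_event_per_year
    for l in s.layers:
        mitigated /= l.rrf
    return max(1.0, mitigated / s.tolerable_per_year)


def sil_for_rrf(rrf: float) -> int:
    """Map a required RRF to the SIL band (0 = no SIL-rated SIF required)."""
    pfd = 1.0 / rrf
    if pfd >= 0.1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("required PFDavg below 1e-5: beyond SIL 4, redesign the layers")


def example_scenario() -> Scenario:
    """Constructed scenario: a BPCS level loop fails high (0.1/yr); credit is taken
    for an independent BPCS high-level alarm with operator action (RRF 10, the
    second BPCS layer allowed by the NOTE to 9.3.4) and a relief valve (RRF 100)."""
    return Scenario(
        initiating_event_per_year=0.1,
        bpcs_is_initiator=True,
        tolerable_per_year=3e-7,
        layers=[
            Layer("BPCS high-level alarm + operator action", 10, is_bpcs=True),
            Layer("Relief valve", 100),
        ],
    )


if __name__ == "__main__":
    sc = example_scenario()
    rrf = required_sif_rrf(sc)
    print(f"violations: {check_bpcs_claims(sc)}; SIF needs RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}")
```

For the constructed scenario the SIF has to provide an RRF of about 333, i.e. a SIL 2 function; claiming a second non-61511 BPCS layer in the same scenario, or an RRF above 10 for the alarm, is reported as a violation rather than silently credited.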

9.4 Requirements for preventing common cause, common mode and dependent failures

9.4.1 The design of the protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between:
• protection layers;
• protection layers and the BPCS
are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative unless 9.2.7 applies.

NOTE A definition of dependent failure is provided in 3.2.12.

9.4.2 The assessment shall consider the following:
• independence between protection layers;
• diversity between protection layers;
• physical separation between different protection layers;
• common cause failures between protection layers and between protection layers and BPCS.

NOTE 1 Common causes from the process can be addressed. Plugging of relief valves may cause the same problems as plugging of sensors in a SIS.

NOTE 2 Independence and physical separation can be addressed. A Human Machine Interface, SIS/BPCS networks or bypass means can cause common cause failure.

10 SIS safety requirements specification (SRS)

10.1 Objective

The objective of Clause 10 is to specify the requirements for the SIS, including any application programs and the architecture of the SIS.

10.2 General requirements

The safety requirements shall be derived from the allocation of SIF and from those requirements identified during H&RA. The SIS requirements shall be expressed and structured in such a way that they are
• clear, precise, verifiable, maintainable and feasible;
• written to aid comprehension and interpretation by those who will utilise the information at any phase of the safety life-cycle.
10.3 SIS safety requirements

10.3.1 The objective of 10.3 is to address issues that shall be considered when developing the SIS safety requirements.

10.3.2 These requirements shall be sufficient to design the SIS and shall include a description of the intent and approach applied during the development of the SIS safety requirements as applicable:
• a description of all the SIF necessary to achieve the required functional safety (e.g., a cause and effect diagram, logic narrative);
• a list of the plant input and output devices related to each SIF which is clearly identified by the plant means of equipment identification (e.g., field tag list);
• requirements to identify and take account of common cause failures;
• a definition of the safe state of the process for each identified SIF, such that a stable state has been achieved and the specified hazardous event has been avoided or sufficiently mitigated;
• a definition of any individually safe process states which, when occurring concurrently, create a separate hazard (e.g., overload of emergency storage, multiple relief to flare system);
• the assumed sources of demand and demand rate on each SIF;
• requirements relating to proof test intervals;
• requirements relating to proof test implementation;
• response time requirements for each SIF to bring the process to a safe state within the process safety time;
NOTE See IEC 61511-2:2016 for further discussion of process safety time.
• the required SIL and mode of operation (demand/continuous) for each SIF;
• a description of SIS process measurements, range, accuracy and their trip points;
• a description of SIF process output actions and the criteria for successful operation, e.g., leakage rate for valves;
• the functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives for each SIF;
• requirements for manual shutdown for each SIF;
• requirements relating to energize or de-energize to trip for each SIF;
• requirements for resetting each SIF after a shutdown (e.g., requirements for manual, semi-automatic, or automatic final element resets after trips);
• maximum allowable spurious trip rate for each SIF;
• failure modes for each SIF and desired response of the SIS (e.g., alarms, automatic shutdown);
• any specific requirements related to the procedures for starting up and restarting the SIS;
• all interfaces between the SIS and any other system (including the BPCS and operators);
• a description of the modes of operation of the plant and requirements relating to SIF operation within each mode;
• the application program safety requirements as listed in 10.3.3;
• requirements for bypasses including written procedures to be applied during the bypassed state which describe how the bypasses will be administratively controlled and then subsequently cleared;
• the specification of any action necessary to achieve or maintain a safe state of the process in the event of fault(s) being detected in the SIS, taking into account all relevant human factors;
• the mean repair time which is feasible for the SIS, taking into account the travel time, location, spares holding, service contracts, environmental constraints;
• identification of the dangerous combinations of output states of the SIS that need to be avoided;
• identification of the extremes of all environment conditions that are likely to be encountered by the SIS during shipping, storage, installation and operation. This may require consideration of the following: temperature, humidity, contaminants, grounding, electromagnetic interference/radio frequency interference (EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification, flooding, lightning, and other related factors;
• identification of normal and abnormal process operating modes for both the plant as a whole (e.g., plant start-up) and individual plant operating procedures (e.g., equipment maintenance, sensor calibration or repair). Additional SIFs may be required to support these process operating modes;
• definition of the requirements for any SIF necessary to survive a major accident event, e.g., time required for a valve to remain operational in the event of a fire.

10.3.3 The application program safety requirements shall be derived from the SRS and chosen architecture (arrangement and internal structure) of the SIS. The application program safety requirements may be located in the SRS or in a separate document (e.g., application program requirements specification). The input to the application program safety requirements for each SIS subsystem shall include:
a) the specified safety requirements of each SIF, including sensor voting, etc.;
b) the requirements resulting from the SIS architecture and the safety manual such as limitations and constraints of the hardware and embedded software;
c) any requirements of safety planning arising from 5.2.4.
10.3.4 The application program safety requirements shall be specified for each programmable SIS device necessary to implement the required SIF consistent with the architecture of the SIS.

10.3.5 The application program safety requirements specification shall be sufficiently detailed to allow the design and implementation to achieve the required functional safety and to allow a functional safety assessment to be carried out. The following shall be considered:
• the SIFs supported by the application program and their SIL;
• real time performance parameters such as CPU capacity, network bandwidth, acceptable real time performance in the presence of faults, and receipt of all trip signals within a specified time period;
• program sequencing and time delays if applicable;
• equipment and operator interfaces and their operability;
• all relevant modes of operation of the process as specified in the SRS;
• action to be taken on bad process variable such as sensor value out of range, excessive rate of change, frozen value, detected open circuit, detected short circuit;
• functions enabling proof testing and automated diagnostic tests of external devices (e.g., sensors and final elements) performed in the application program;
• application program self-monitoring (e.g., application driven watch-dogs and data range validation);
• monitoring of other devices within the SIS (e.g., sensors and final elements);
• any requirements related to periodic testing of SIF when the process is operational;
• references to the input documents (e.g., specification of the SIF, configuration or architecture of the SIS, hardware safety integrity requirements of the SIS);
• the requirements for communication interfaces, including measures to limit their use and the validity of data and commands both received and transmitted;
• process dangerous states (for example closure of two isolation gas valves at the same time that could lead to pressure fluctuations thus leading to a dangerous state) generated by the application program shall be identified and avoided;
• definitions of process variable validation criteria for each SIF.
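The following is an added worked example and not text or code from IEC 61511-1: bad process variable handling for the conditions the 10.3.5 list names (sensor value out of range, excessive rate of change, frozen value, detected open circuit, detected short circuit) on 4-20 mA inputs, feeding a 2oo3 high-trip voter that degrades as channels are declared bad. The mA fault bands follow the NAMUR NE43 convention and the degradation policy 2oo3 -> 1oo2 -> 1oo1 -> trip is a design assumption; neither comes from the standard, and the transmitter scans are constructed.

```python
"""Added example (not from IEC 61511-1): bad process variable handling for the
conditions named in 10.3.5 (out of range, excessive rate of change, frozen
value, open circuit, short circuit) on 4-20 mA inputs, feeding a 2oo3 high
trip voter that degrades as channels are declared bad. The mA bands follow
the NAMUR NE43 convention and the degradation policy 2oo3 -> 1oo2 -> 1oo1 ->
trip is a design assumption, not text from the standard; all scans are
constructed."""

from collections import deque

OPEN_CIRCUIT_MA = 3.6     # below this: open circuit / low signal fault (assumption, NE43-style)
SHORT_CIRCUIT_MA = 21.0   # above this: short circuit / high signal fault
RANGE_LOW_MA, RANGE_HIGH_MA = 3.8, 20.5   # valid measuring range


class Channel:
    """Validation state for one transmitter input."""

    def __init__(self, name, max_rate_per_s, frozen_scans, resolution=0.01):
        self.name = name
        self.max_rate = max_rate_per_s    # largest credible change, engineering units per second
        self.frozen_scans = frozen_scans  # identical consecutive scans that count as "frozen"
        self.resolution = resolution      # spread below this is treated as identical
        self.history = deque(maxlen=frozen_scans)
        self.last = None

    def validate(self, ma, eu, dt):
        """Return (value, fault). fault is None when the reading may be used for voting."""
        if ma < OPEN_CIRCUIT_MA:
            fault = "open circuit"
        elif ma > SHORT_CIRCUIT_MA:
            fault = "short circuit"
        elif not RANGE_LOW_MA <= ma <= RANGE_HIGH_MA:
            fault = "out of range"
        else:
            fault = None
            if self.last is not None and abs(eu - self.last) / dt > self.max_rate:
                fault = "excessive rate of change"
            self.history.append(eu)
            self.last = eu
            if fault is None and len(self.history) == self.frozen_scans \
                    and max(self.history) - min(self.history) < self.resolution:
                fault = "frozen value"
        return (None, fault) if fault else (eu, None)


def vote_2oo3(readings, trip_point):
    """High trip voting over three (value, fault) readings.

    Good channels: 3 -> 2oo3, 2 -> 1oo2, 1 -> 1oo1 (degradation assumption).
    No good channel: trip, as the fault reaction of 11.3.1 when safe operation
    cannot be maintained. Returns (trip, architecture_in_force)."""
    good = [v for v, f in readings if f is None]
    if not good:
        return True, "0 good channels: trip (fault reaction)"
    needed = {3: 2, 2: 1, 1: 1}[len(good)]
    votes = sum(1 for v in good if v >= trip_point)
    return votes >= needed, f"{needed}oo{len(good)}"


def run_sample():
    """Five constructed 1 s scans of three level transmitters (0-100 % = 4-20 mA).
    LT-3 is stuck at 50 % from the start, LT-2 goes open circuit at scan 4."""
    chans = [Channel(f"LT-{i}", max_rate_per_s=20.0, frozen_scans=3) for i in (1, 2, 3)]
    scans = [  # (mA, %) for LT-1, LT-2, LT-3
        [(12.0, 50.0), (12.1, 50.6), (12.0, 50.0)],
        [(13.6, 60.0), (13.7, 60.6), (12.0, 50.0)],
        [(15.2, 70.0), (15.3, 70.6), (12.0, 50.0)],
        [(18.4, 90.0), (3.2, 0.0), (12.0, 50.0)],
        [(19.2, 95.0), (3.2, 0.0), (12.0, 50.0)],
    ]
    results = []
    for scan in scans:
        readings = [c.validate(ma, eu, dt=1.0) for c, (ma, eu) in zip(chans, scan)]
        results.append(vote_2oo3(readings, trip_point=85.0))
    return results


if __name__ == "__main__":
    for i, (trip, arch) in enumerate(run_sample(), 1):
        print(f"scan {i}: {arch:<35} trip={trip}")
```

Note what the sequence shows: by scan 3 the frozen LT-3 has been removed from the vote, so the voter is already 1oo2 while the operator still sees three transmitters; by scan 4 one open circuit leaves a single channel deciding the trip. The point for the SRS is that the degradation policy, and the alarm that accompanies each step of it, has to be specified, because the architecture in force is no longer the 2oo3 that the SIL calculation assumed.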
10.3.6 The application program safety requirements specification shall be expressed and structured in such a way that they:
• describe the intent and approach underpinning the application program safety requirements;
• are clear and understandable to those who will utilize the document at any phase of the SIS safety life-cycle; this includes the use of terminology and descriptions which are unambiguous and understood by all users (e.g., plant operators, maintenance personnel, application programmers);
• are verifiable, testable, modifiable;
• are traceable back through all deliverables including the detailed design documents, the SRS and the H&RA that identifies the required SIF and SIL.

11 SIS design and engineering

11.1 Objective

The objective of the requirements of Clause 11 is to design one or multiple SIS to provide the SIF and meet the specified integrity requirements (e.g., SIL, associated risk reduction, PFD and/or PFH).

11.2 General requirements

11.2.1 The design of the SIS shall be in accordance with the SIS safety requirements specifications, taking into account all the requirements of Clause 11.

11.2.2 Where the SIS is to implement both SIFs and non-SIFs then all the hardware, embedded software and application program that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL of any of the SIFs it can impact.

11.2.3 Where the SIS is to implement SIF of different SIL, then the shared or common hardware and embedded software and application program shall conform to the highest SIL.

NOTE Embedded software or application programs of different SIL could coexist in the same device provided it can be demonstrated that the SIF of lower SIL cannot negatively affect the SIF of the higher SIL.

11.2.4 If it is intended not to qualify the BPCS to the IEC 61511 series, then the SIS shall be designed to be separate and independent from the BPCS to the extent that the safety integrity of the SIS is not compromised.

NOTE 1 Operating information can be exchanged provided this does not compromise the functional safety of the SIS.

NOTE 2 Devices of the SIS can also be used for functions of the BPCS if it can be demonstrated that a failure of the BPCS does not compromise the SIF of the SIS.

11.2.5 Requirements for operability, maintainability, diagnostics, inspection and testability shall be addressed during the design of the SIS in order to reduce the likelihood of dangerous failures.
11.2.6 The design of the SIS shall take into account human capabilities and limitations and be suitable for the tasks assigned to operators and maintenance staff. The design of operator interfaces shall follow good human factors practice and shall accommodate the likely level of training that operators should receive.

NOTE 1 For example, human factor studies may be necessary if operation requires data entry of limits or other operator input on a regular basis.

11.2.7 The SIS shall be designed in such a way that once it has placed the process in a safe state, the process shall remain in the safe state until a reset has been initiated unless otherwise directed by the SRS.

11.2.8 Manual means (e.g., emergency stop push button), independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the SRS.
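The following is an added worked example and not text or code from IEC 61511-1: a de-energize-to-trip output latch for one SIF that implements 11.2.7 (the process stays in the safe state until a reset is initiated). The reset policy, re-arm only on a rising edge of the reset input and only when no trip source is active, is a design assumption. The manual trip input modelled here passes through the logic solver, so it illustrates the latching behaviour only; it does not replace the independent manual means that 11.2.8 requires in addition.

```python
"""Added example (not from IEC 61511-1): a de-energize-to-trip output latch for
one SIF, showing 11.2.7 (the process stays in the safe state until a reset is
initiated). The reset policy, re-arm only on a rising edge of the reset input
and only when no trip source is active, is a design assumption. The manual
trip input modelled here runs through the logic solver; it does not replace
the independent manual means that 11.2.8 requires in addition."""


class TripLatch:
    def __init__(self):
        self.tripped = False      # True: final elements driven to the safe position and held
        self._reset_prev = False  # previous reset input, for rising-edge detection

    def scan(self, demand, manual_trip, reset):
        """One logic-solver scan. Returns the output coil state:
        True = energized (process running), False = de-energized (trip)."""
        if demand or manual_trip:
            self.tripped = True   # any trip source latches; no reset can override it
        reset_edge = reset and not self._reset_prev
        self._reset_prev = reset
        if self.tripped and reset_edge and not (demand or manual_trip):
            self.tripped = False  # 11.2.7: leave the safe state only through a reset
        return not self.tripped   # de-energize-to-trip: output is 0 while tripped


def run_sequence():
    """Constructed scan sequence; returns the output state after each scan."""
    latch = TripLatch()
    steps = [  # (demand, manual_trip, reset)
        (False, False, False),  # running normally
        (True,  False, False),  # process demand: trip and latch
        (False, False, True),   # demand cleared, reset pressed: re-arm
        (True,  False, True),   # new demand while the reset is still held: trip
        (False, False, True),   # demand clears, reset still held: must stay tripped
        (False, False, False),  # reset released
        (False, False, True),   # fresh reset edge: re-arm
        (False, True,  False),  # manual trip: trip regardless of process demand
    ]
    return [latch.scan(*s) for s in steps]


if __name__ == "__main__":
    print(run_sequence())  # [True, False, True, False, False, False, True, False]
```

Scans 4 and 5 are the case that a level-triggered reset gets wrong: a reset button held, taped down or wired in permanently would otherwise re-arm the function the instant the demand clears, which is exactly the automatic restart that 11.2.7 forbids unless the SRS calls for it.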

11.2.9 The design of the SIS shall take into consideration all aspects of independence and dependency between the SIS and BPCS, and the SIS and other protection layers.

11.2.10 A device used by the BPCS shall not be used by the SIS where a failure of that device may result in both a demand on the SIF and a dangerous failure of the SIF, unless an analysis has been carried out to confirm that the overall risk is acceptable.

NOTE When a part of the SIS is also used for control purposes and a dangerous failure of the common equipment would cause a demand on the function performed by the SIS, then a new risk is introduced. The additional risk is dependent on the dangerous failure rate of the shared device because if the shared device fails, a demand will be created immediately to which the SIS may not be capable of responding. For that reason, additional analysis can be necessary in these cases to ensure that the dangerous failure rates of the shared devices are sufficiently low. Sensors and valves are examples where sharing of equipment with the BPCS is often considered.

11.2.11 For any SIS device that on loss of utility (e.g., electrical power, air, hydraulics or pneumatic supply) does not fail to the safe state, loss of utility and SIS circuit integrity shall be detected and alarmed (e.g., end-of-line monitoring, supply pressure measurement, hydraulic or pneumatic pressure monitoring) and action taken according to 11.3.

NOTE 1 Utility integrity can be improved through using a supplementary supply (e.g., battery back-up, uninterruptible power supplies, air reservoir, hydraulic accumulator, second gas supply).

NOTE 2 The loss of a utility is likely to affect multiple SIFs and, possibly, multiple SISs. Hence common cause failure of multiple SIFs can be considered.

11.2.12 The design of the SIS shall be such that it provides the necessary resilience against the identified security risks (see 8.2.4).

NOTE Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.

11.2.13 A safety manual covering operation, maintenance, fault detection and constraints associated with the SIS shall be available covering the intended configurations of the devices and the intended operating environment.

11.2.14 All communications used to implement a SIF shall be established using techniques appropriate for safety applications to meet the required SIL.

11.3 Requirements for system behaviour on detection of a fault

11.3.1 When a dangerous fault in a SIS has been detected (by diagnostic tests, proof tests or by any other means) then compensating measures shall be taken to maintain safe operation. If safe operation cannot be maintained, a specified action to achieve or maintain a safe state of the process shall be taken. Where the compensating measures depend on an operator taking specific action in response to an alarm (e.g., opening or closing a valve) then the alarm shall be considered part of the SIS.
NOTE 1 The specified action (fault reaction) required to achieve or maintain a safe state of the process can be specified in the SRS (see 10.3.1). It can consist of the safe shutdown of the process or of that part of the process which relies on the faulty SIS for risk reduction.

NOTE 2 The compensating measures required for continued safe operations can depend on safety integrity requirements, the tolerable risk associated with the hazardous event, the hardware fault tolerance of the SIS, the anticipated MRT and the availability of any other layers of protection. In some cases it can be adequate to ensure action is taken to ensure repair of the dangerous failure within the assumed MPRT in the calculation of the PFDavg but in other cases it can be judged necessary to provide other measures to compensate for the reduced risk reduction until the SIS is fully restored. See also 16.2.3.

11.3.2 Where any dangerous fault in an SIS is brought to the attention of an operator by an alarm then the alarm shall be subject to appropriate proof testing and management of change.

11.4 Hardware fault tolerance

11.4.1 The SIS shall have a minimum HFT with respect to each SIF it implements.

NOTE This does not exclude the possibility that the HFT may be reduced below the minimum requirement at certain times during operation of the system following the occurrence of faults.

11.4.2 When the SIS can be split into independent SIS subsystems (e.g. sensors, logic solvers and final elements), then the HFT can be assigned at the SIS subsystem level.

11.4.3 The HFT of the SIS or its SIS subsystems shall be in accordance with:
• 11.4.5 to 11.4.9 of Clause 11; or
• the requirements of 7.4.4.2 (route 1H) of IEC 61508-2:2010; or
• the requirements of 7.4.4.3 (route 2H) of IEC 61508-2:2010.

NOTE The route developed in IEC 61511 is derived from route 2H of IEC 61508-2:2010.

11.4.4 When determining the achieved HFT, certain faults may be excluded, provided that the likelihood of them occurring is very low in relation to the safety integrity requirements. Any such fault exclusions shall be justified and documented.

NOTE Further information about fault exclusion can be found in ISO 13849-1:2006 and ISO 13849-2:2012.

11.4.5 The minimum HFT for a SIS (or its SIS subsystems) implementing a SIF of a specified SIL shall be in accordance with Table 6 and if appropriate 11.4.6 and 11.4.7.

NOTE The HFT requirements in Table 6 represent the minimum system or, where relevant, the SIS subsystem redundancy. Depending on the application, device failure rate and proof-testing interval, additional redundancy can be required to satisfy the failure measure for the SIL of the SIF according to 11.9.

Table 6 – Minimum HFT requirements according to SIL

SIL                                   Minimum required HFT
1 (any mode)                          0
2 (low demand mode)                   0
2 (high demand or continuous mode)    1
3 (any mode)                          1
4 (any mode)                          2

11.4.6 For a SIS or SIS subsystem that does not use FVL or LVL programmable devices, and if the minimum HFT as specified in Table 6 would result in additional failures and lead to decreased overall process safety, then the HFT may be reduced. This shall be justified and documented. The justification shall provide evidence that the proposed architecture is suitable for its intended purpose and meets the safety integrity requirements.
NOTE Fault tolerance is the preferred solution to achieve the required confidence that a robust architecture has been achieved. When 11.4.6 applies, the purpose of the justification is to demonstrate that the proposed alternative architecture provides an equivalent or better solution. This may vary depending on the application and/or the technology in use; examples include: back-up arrangements (e.g., analytical redundancy, replacing a failed sensor output by physical calculation results from other sensors' outputs); using more reliable items of the same technology (if available); changing for a more reliable technology; decreasing common cause failure impact by using diversified technology; increasing the design margins; constraining the environmental conditions (e.g. for electronic components); decreasing the reliability uncertainty by gathering more field feedback or expert judgment.

11.4.7 If a fault tolerance equal to zero results from applying 11.4.6, the justification required by 11.4.6 shall provide evidence that the related dangerous failure modes can be excluded, in accordance with 11.4.4 including consideration of the potential for systematic failures.

11.4.8 FVL and LVL programmable devices shall have diagnostic coverages not less than 60 %.

11.4.9 Reliability data used in the calculation of the failure measure shall be determined by an upper bound statistical confidence limit of no less than 70 %.
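The following is an added worked example and not text or code from IEC 61511-1: a failure rate at the 70 % upper statistical confidence bound that 11.4.9 requires, derived from a field record, and its effect on the simplified single-channel PFDavg. The bound is the classic Poisson (chi-squared) upper limit; PFDavg = lambda_DU * TI / 2 is the simplified 1oo1 approximation (perfect proof test, negligible repair time), not the full calculation of 11.9; the field record is constructed.

```python
"""Added example (not from IEC 61511-1): a failure rate at the 70 % upper
statistical confidence bound required by 11.4.9, derived from field data, and
its effect on the simplified single-channel PFDavg. The bound is the classic
Poisson (chi-squared) upper limit; PFDavg = lambda_DU * TI / 2 is the
simplified 1oo1 approximation (perfect proof test, negligible repair time),
not the full 11.9 calculation. Field data values are constructed."""

import math

# Low demand PFDavg bands (IEC 61508 / IEC 61511): SIL -> (lower limit, upper limit)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def failure_rate_ucl(failures, device_hours, confidence=0.70):
    """Upper confidence bound on the failure rate (per hour).

    Finds the rate at which seeing at most `failures` events in `device_hours`
    has probability 1 - confidence; identical to
    chi2.ppf(confidence, 2 * (failures + 1)) / (2 * device_hours).
    With zero observed failures the point estimate would be 0, which is why the
    bound, not the estimate, is what 11.4.9 asks for."""
    lo, hi = 0.0, 10.0 * (failures + 1)   # bracket for mu = rate * hours
    for _ in range(200):                  # bisection; the cdf is decreasing in mu
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi / device_hours


def pfd_avg_1oo1(lambda_du, proof_test_hours):
    """Simplified average PFD of one channel (assumption: lambda_DU * TI / 2)."""
    return lambda_du * proof_test_hours / 2


def meets_sil(pfd_avg, sil):
    """True when the achieved PFDavg is below the upper limit of the SIL band."""
    return pfd_avg < SIL_BANDS[sil][1]


def example():
    """Constructed field record: 0 dangerous undetected failures in 40 valves
    over 50 000 h each; annual proof test. Returns (lambda_DU, PFDavg, best SIL met)."""
    lam = failure_rate_ucl(failures=0, device_hours=40 * 50_000)
    pfd = pfd_avg_1oo1(lam, proof_test_hours=8760)
    return lam, pfd, max((s for s in SIL_BANDS if meets_sil(pfd, s)), default=0)


if __name__ == "__main__":
    lam, pfd, sil = example()
    print(f"lambda_DU(70 % UCL) = {lam:.3e}/h, PFDavg(1oo1, TI 1 yr) = {pfd:.2e}, meets SIL {sil}")
```

With zero failures in 2 million device-hours the 70 % bound is about 6.0e-7/h (1.2 expected failures in that exposure), which gives a 1oo1 PFDavg of about 2.6e-3 at a one-year proof test interval: inside the SIL 2 band, but not SIL 3, even though the raw record contains no failures at all. Two observed failures in the same exposure roughly triple the bound.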

11.5 Requirements for selection of devices

11.5.1 Objectives
The objectives of the requirements of 11.5 are to:
• specify the requirements for the selection of devices which are to be used as part of the SIS;
• specify the requirements to enable a device to be integrated in the architecture of a SIS;
• specify acceptance criteria for devices in terms of associated SIF and safety integrity requirements.

11.5.2 General requirements
11.5.2.1 Devices selected for use as part of a SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010 and/or 11.5.3 through 11.5.6, as appropriate.

NOTE Devices assessed against IEC 61508-2:2010 and IEC 61508-3:2010 can be applied in accordance with the requirements for systematic capability in IEC 61508-2:2010.

11.5.2.2 All devices shall be suitable for the operating environment as determined through consideration of the manufacturer's documentation, the constraints within the SRS and the reliability parameters assumed in respect of 11.9. Suitability of the selected devices shall always be considered in the context of the operating environment.

NOTE Devices may exhibit different failure rates dependent on the operating environment and mode of operation. Failure rate data available from manufacturers may not be valid in all applications. For example, the failure rate and failure mode distribution can be different for a valve that is frequently exercised versus one that stands still for long periods of time.

11.5.3 Requirements for the selection of devices based on prior use

11.5.3.1 Appropriate evidence shall be available that the devices are suitable for use in the SIS.

NOTE 1 The main intent of the prior use evaluation is to gather evidence that the dangerous systematic faults have been reduced to a sufficiently low level compared to the required safety integrity.

NOTE 2 The level of detail of the evidence can be in accordance with the complexity of the considered device.

NOTE 3 A prior use evaluation involves gathering documented information concerning the device performance in a similar operating environment. Prior use demonstrates the functionality and integrity of the installed device, including the process interfaces, full device boundary, communications, and utilities. The main intent of the prior use evaluation is to gather evidence that the dangerous systematic faults have been reduced to a sufficiently low level compared to the required safety integrity.
NOTE 4 Pri or use data can con tri bute to a database for the cal cul ati on of hard ware fai l u re rates as descri bed i n
1 1 . 9. 3.

1 1 .5.3.2 Th e evi dence of su i tabil ity sh al l i ncl u de the fol lowi n g :


• consi deration of th e m anufactu rer’s qu al ity, m an ag em en t and confi g urati on m an ag em en t
system s;
• adequ ate identificati on and specificati on of th e devices;
• dem onstrati on of the perform ance of th e devices in sim il ar operati ng en vironm ents;
N OTE 1 I n th e case of fi el d devi ces (e. g . , sensors an d fi n al el em ents) fu l fi l l i n g a g i ven speci fi cati on , the
beh avi ou r of the devi ce i n th e operati n g en vi ron m ent i s u su al l y i denti cal i n safety an d n on -safety appl i cati on s.
Th erefore, evi d ence of th e perform ance of si m i l ar devi ces i n non -safety appl i cati on s can al so be used to
sati sfy th i s req ui rem ent.
• th e vol um e of th e operating experi ence.
N OTE 2 For fi el d devi ces, i n form ati on rel ati ng to operati n g experi en ce i s m ai nl y recorded i n th e u ser’ s l i st of
equ i pm ent approved for u se i n thei r faci l i ti es, based on an extensi ve hi story of su ccessful perform ance i n
safety an d n on -safety appl i cati on s, and on th e el i m i nati on of equ i pm en t n ot perform i ng i n a sati sfactory
m an ner. Th e l i st of fi el d devi ces can be u sed to support cl ai m s of experi ence i n operati on, provi ded th at:
– th e l i st i s u pd ated and m oni tored reg u l arl y;
– fi el d d evi ces are on l y added when su ffi ci en t operati ng experi en ce h as been obtai n ed;
– fi el d d evi ces are rem oved when they show a hi story of not perform i n g i n a sati sfactory m an n er;
– th e operati n g en vi ronm en t i s i n cl uded i n th e l i st wh ere rel evan t.
N OTE 3 Devi ce perform ance i s h i g h l y affected by the operati n g en vi ron m en t. I t i s g eneral l y recom m en ded
th at sel ecti on of d evi ces can be based on ad equ ate perform ance of an i nstal l ed su ffi ci en t n um ber of devi ces i n
m u l ti pl e i n stal l ati ons for a su ffi ci ent operati n g ti m e. The g ai ned experi ence can al l ow ti m e to reveal earl y
fai l u res, such as those rel ated to speci fi cati on, h an dl i n g , i n stal l ati on, and com m i ssi oni n g .
N OTE 4 Th e am ou nt of operati on al experi en ce to g ai n credi bl e stati sti cal rel i abi l i ty data i s typi cal l y m uch
h i g h er com pared to the operati on al experi en ce n ecessary to g et evi den ce of pri or u se.

1 1 .5.3.3 Al l devices selected on th e basis of prior use shall be identified by a specified


revision n um ber and sh al l be un der th e con trol of a m anag em ent of ch ang e procedure. I n the
case of a chan ge bein g m ade to th e device, th e con tin u ed val idi ty of th e evi dence of pri or use
shall be j ustified by evalu ati ng th e si gn ificance of the chan ge m ade.

1 1 .5.4 Req uirements for selection of FPL prog rammable devices (e.g ., field devices)
based on pri or u se
1 1 .5.4.1 For SI L 1 , SI L 2, and SI L 3, th e requ irem ents of 1 1 . 5. 2 and 1 1 . 5. 3 appl y, together
wi th th e fol l owin g subcl auses.

1 1 .5.4.2 Al l config urati on options of th e device possibl y infl uenci ng safety shal l be identifi ed
an d considered. I t is im portan t to check th at wh erever specific setti n gs are not defi ned that
th e defaul t setti ngs of the device are confirm ed to be appropri ate. U n u sed features of th e
devices sh all be i den tified in th e evi dence of sui tabil ity, and it shal l be establish ed th at they
are un l ikel y to j eopardi ze the requ ired SI F.

1 1 .5.4.3 For th e speci fic config urati on an d operati n g en vironm en t of the device, the
evidence of su itabil i ty sh all consi der:
• characteristics of in put and ou tpu t si gn als;
• m odes of use;
• functi ons an d config urati ons used;
• prior u se in sim ilar operati n g en vironm ents.
1 1 .5.4.4 I n addition , for SI L 3 appl ications, an assessm ent of th e FPL devi ce shall be carri ed
ou t to show that:
• th e FPL device is both able to perform the requ ired functions and th at pri or use h as sh own
th ere is a low en ou g h probabil i ty th at it wi ll fai l i n a way wh ich cou ld lead to a h azardous
– 58 – I EC 61 51 1 -1 :201 6+AM D1 : 201 7 CSV
© I EC 201 7
even t wh en used as part of th e SI S, du e to ei th er random hardware fai l ures or system atic
fau lts in h ardware or software;
• appropri ate standards for h ardware an d software h ave been appl ied;
• th e FPL device h as been u sed or tested i n confi gu rations represen tati ve of th e i ntended
operati onal profi l es.
11.5.5 Requirements for selection of LVL programmable devices based on prior use

11.5.5.1 The following requirements apply to PE devices used in SISs which implement SIL 1 or SIL 2 SIFs.

11.5.5.2 The requirements of 11.5.4 apply.

11.5.5.3 Where there is any difference between the operating environment of a device as experienced previously, and the operating environment of the device when used within the SIS, then any such differences shall be identified and there shall be an assessment based on analysis and testing, as appropriate, to show that the likelihood of systematic faults when used in the SIS is sufficiently low.

11.5.5.4 The operating experience considered necessary to justify the suitability shall be determined taking into account:
• the SIL of the SIF;
• the complexity and functionality of the devices.

11.5.5.5 For SIL 1 or 2 applications, a safety configured PE logic solver may be used provided that all the following additional provisions are met:
• understanding of unsafe failure modes;
• use of techniques for safety configuration that address the identified failure modes;
• the embedded software has a good history of use for safety applications;
• protection against unauthorized or unintended modifications.

NOTE A safety configured PE logic solver is a general purpose industrial grade PE logic solver which is specifically configured by the OEM, a systems engineer or the end-user for use in safety applications.

11.5.5.6 A formal assessment of any PE logic solver used in a SIL 2 application shall be carried out to show that:
• it is both able to perform the required functions and that prior use has shown there is a low enough probability that it will fail in a way which could lead to a hazardous event when used as part of the SIS, due to either random hardware failures or systematic faults in hardware or software;
• measures are implemented to detect faults during program execution and initiate appropriate responses; these measures shall comprise all of the following:
– program sequence monitoring;
– protection of code against modifications or failure detection by on-line monitoring;
– failure assertion or diverse programming;
– range check of variables or plausibility check of values;
– modular approach;
– appropriate coding standards have been used for the embedded and utility software;
– testing in typical configurations, with test cases representative of the intended operational profiles;
– trusted verified software modules and components have been used;
– the system has undergone dynamic analysis and testing;
– the system does not use artificial intelligence or dynamic reconfiguration;
– documented fault-insertion testing (negative testing) has been performed.
11.5.6 Requirements for selection of FVL programmable devices

When the applications are programmed using a FVL, the PE device shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010.

11.6 Field devices

11.6.1 Field devices shall be selected and installed to minimize failures that could result in inaccurate information due to conditions arising from the operating environment. Conditions that should be considered include corrosion, freezing of materials in pipes, suspended solids, polymerization, coking, temperature and pressure extremes, condensation in dry-leg impulse lines, and insufficient condensation in wet-leg impulse lines.

11.6.2 Energize to trip circuits shall apply means to ensure circuit and power supply integrity.

NOTE 1 An example of such means is an end-of-line monitor, where a pilot current is continuously monitored to detect circuit continuity and where the pilot current is not of sufficient magnitude to affect proper I/O operation.

NOTE 2 Additional requirements for loss of power can be found in 11.2.11.

11.6.3 Smart sensors shall be write-protected to prevent inadvertent modification, unless appropriate safety review (e.g., H&RA) allows the use of read/write.

NOTE The review can take into account human factors such as failure to follow procedures.

11.7 Interfaces

11.7.1 General

Interfaces to the SIS can include, but are not limited to:
• operator interface(s);
• maintenance/engineering interface(s);
• communication interface(s).

11.7.2 Operator interface requirements

11.7.2.1 Where the SIS operator interface is via the BPCS operator interface, account shall be taken of credible failures that may occur in the BPCS operator interface.

NOTE This can include preparing plans to enable an orderly safe shutdown in the event of total failure of the operational displays.

11.7.2.2 The design of the SIS shall minimize the need for operator selection of options and the need to bypass the system while hazards are present. If the design does require the use of operator actions, the design should include facilities for protection against operator error.

NOTE If the operator has to select a particular option, there can be a confirmation step.

11.7.2.3 Bypass switches or means shall be protected to prevent unauthorized use (e.g., by key locks or passwords in conjunction with effective management controls).

NOTE Consideration can be given to enforcing time limits on bypass operation and to limiting the number of bypasses that can be active at any one time.

11.7.2.4 The SIS status information that is critical to maintaining the SIF shall be available as part of the operator interface. This information may include:
• where the process is in its sequence;
• indication that SIS protective action has occurred;
• indication that a protective function is bypassed;
• indication that automatic action(s) such as degradation of voting and/or fault handling has occurred;
• status of sensors and final elements;
• the loss of energy where that energy loss impacts safety;
• the results of diagnostics;
• failure of environmental conditioning equipment which is necessary to support the SIS.

11.7.2.5 The SIS operator interface design (see 11.7.2.7) shall be such as to prevent changes to the SIS application program.

11.7.2.6 Where information is transferred from the BPCS to the SIS, systems, equipment or procedures shall be applied to confirm that the correct information has been transferred and that the safety integrity of the SIS is not compromised.

NOTE The systems, equipment or procedures used can include control over selective writing from the BPCS to specific SIS variables.

11.7.2.7 The design of the SIS operator interface via the BPCS operator interface shall be such that provision of incorrect information or data from the BPCS to the SIS shall not compromise safety.

11.7.3 Maintenance/engineering interface requirements

11.7.3.1 The design of the SIS maintenance/engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to carry out the required SIFs. This may require disconnecting of maintenance/engineering interfaces, such as programming panels, during normal SIS operation.

11.7.3.2 The maintenance/engineering interface shall provide the following functions with access security protection to each:
• SIS mode of operation, program, data, means of disabling alarm communication, test, bypass, maintenance;
• SIS diagnostics, voting and fault handling services;
• add, delete, or modify application program;
• data necessary to troubleshoot the SIS;
• where bypasses are required they should be installed such that alarms and manual shutdown facilities are not disabled.

11.7.3.3 The maintenance/engineering interface shall not be used as the operator interface.

11.7.3.4 Enabling and disabling the read-write access shall be carried out only by a configuration management process using the maintenance/engineering interface with appropriate documentation and security measures such as authentication and user secure channels.

11.7.4 Communication interface requirements

11.7.4.1 The design of any SIS communication interface shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to achieve or maintain a safe state of the process.

11.7.4.2 When the SIS is able to communicate with the BPCS and peripherals, the communication interface, BPCS, or peripherals shall not adversely impact any of the SIFs within the SIS.

11.7.4.3 The communication interface shall be sufficiently robust to withstand electromagnetic interference including power surges without causing a dangerous failure of the SIS.

11.7.4.4 The communication interface shall be suitable for communication between devices referenced to different electrical ground potentials.

NOTE An alternate medium (e.g., fibre optics) can be required.

11.8 Maintenance or testing design requirements

11.8.1 The design shall allow for testing of the SIS either end-to-end or in segments. Where the interval between scheduled process downtime is greater than the proof test interval, then on-line test facilities are required.

NOTE The term “end-to-end” means from process fluid at sensor end to process fluid at actuation end.

11.8.2 When on-line proof testing is required, test facilities shall be an integral part of the SIS design.

11.8.3 When test or bypass facilities are included in the SIS, they shall conform with the following:
• The SIS shall be designed in accordance with the maintenance and testing requirements defined in the SRS;
• The operator shall be alerted to the bypass of any portion of the SIS via an alarm or operating procedure.

11.8.4 The maximum time the SIS is allowed to be in bypass (repair or testing) while safe operation of the process is continued shall be defined.

11.8.5 Compensating measures that ensure continued safe operation shall be provided in accordance with 11.3 when the SIS is in bypass (repair or testing).

11.8.6 Forcing of inputs and outputs in PE SIS shall not be used as a part of application program(s), operating procedure(s) and maintenance (except as noted below).

Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be announced or set off an alarm, as appropriate.
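The bypass and forcing controls of 11.7.2.3 (authorization, and its NOTE on time limits and a cap on simultaneous bypasses), 11.7.3.2 (access security per function), 11.8.3 (operator alerted by alarm), 11.8.4 (a defined maximum bypass time) and 11.8.6 (forcing only with procedures and access security, and announced by alarm) can be implemented as one small manager behind the maintenance/engineering interface. The following is an added example written for this page, not code from IEC 61511-1 or from any logic solver vendor; the users, permission sets, tag names, work-order numbers and durations are constructed.

```python
"""Bypass and force management behind a SIS maintenance/engineering interface.
Added illustration of 11.7.2.3, 11.7.3.2, 11.8.3, 11.8.4 and 11.8.6; not code
from IEC 61511-1 or any vendor. Users, tags and durations are constructed."""
from dataclasses import dataclass, field


class BypassRefused(Exception):
    """Raised (and alarmed) whenever a request fails one of the checks."""


@dataclass
class Bypass:
    tag: str
    kind: str          # "bypass" (11.7.2.3) or "force" (11.8.6)
    user: str
    work_order: str    # the procedure that supplements the bypass or force
    started_at: float
    expires_at: float


@dataclass
class BypassManager:
    max_active: int            # NOTE to 11.7.2.3: bypasses active at any one time
    max_duration_s: float      # 11.8.4: maximum time in bypass while operating
    permissions: dict          # user -> set of functions allowed (11.7.3.2)
    active: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)   # 11.8.3: what the operator sees

    def _alarm(self, text: str, now: float):
        self.alarms.append((now, text))

    def _refuse(self, reason: str, now: float):
        self._alarm("REFUSED: " + reason, now)
        raise BypassRefused(reason)

    def request(self, tag, kind, user, work_order, duration_s, now) -> Bypass:
        if kind not in self.permissions.get(user, set()):
            self._refuse(f"{user} is not authorized to {kind} {tag}", now)
        if not work_order:
            self._refuse(f"{kind} of {tag} has no work order / procedure", now)
        if tag in self.active:
            self._refuse(f"{tag} already has an active {self.active[tag].kind}", now)
        if duration_s > self.max_duration_s:
            self._refuse(f"requested {duration_s} s exceeds limit {self.max_duration_s} s", now)
        if len(self.active) >= self.max_active:
            self._refuse(f"{self.max_active} bypass(es) already active", now)
        b = Bypass(tag, kind, user, work_order, now, now + duration_s)
        self.active[tag] = b
        self._alarm(f"{kind.upper()} ACTIVE on {tag} by {user} ({work_order}) "
                    f"until t={b.expires_at:.0f}", now)
        return b

    def release(self, tag, user, now):
        b = self.active.pop(tag, None)
        if b is None:
            self._refuse(f"no active bypass on {tag}", now)
        self._alarm(f"{b.kind.upper()} REMOVED from {tag} by {user}", now)

    def tick(self, now) -> list:
        """Periodic check: overdue bypasses are removed (the SIF returns to
        service, the conservative direction) and an alarm is raised."""
        overdue = [tag for tag, b in self.active.items() if now >= b.expires_at]
        for tag in overdue:
            b = self.active.pop(tag)
            self._alarm(f"{b.kind.upper()} on {tag} EXPIRED after "
                        f"{now - b.started_at:.0f} s; removed", now)
        return overdue


def attempt(mgr: BypassManager, *args) -> str:
    """Convenience wrapper: 'ok' if the request was granted, else the refusal reason."""
    try:
        mgr.request(*args)
        return "ok"
    except BypassRefused as exc:
        return str(exc)
```

Whether an expired bypass is removed automatically, as here, or only alarmed and left for explicit removal is a decision for the SRS together with the compensating measures of 11.8.5; either way the alarm list is what satisfies 11.8.3, and the per-user permission set is the "access security protection to each" function required by 11.7.3.2.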

11.9 Quantification of random failure

11.9.1 The calculated failure measure of each SIF shall be equal to, or better than, the target failure measure related to the SIL as specified in the SRS. This shall be determined by calculation.

NOTE In complex applications, the hazardous event frequency can be used as an alternative to the target failure measures (e.g., where different demand causes have different safety integrity requirements or where non-independent SISs act in sequence).

11.9.2 The calculated failure measure of each SIF due to random failures shall take into account all contributing factors including the following:
a) the architecture of the SIS and of its SIS subsystems where relevant as they relate to each SIF under consideration;
b) the estimated failure rate related to each failure mode, due to random hardware failures, which would contribute to a dangerous failure of the SIS but which are detected by diagnostic tests;
c) the estimated failure rate related to each failure mode, due to random hardware failures, which would contribute to a dangerous failure of the SIS which are undetected by the diagnostic tests but which are detected by proof tests;
d) the estimated failure rate related to each failure mode, due to random hardware failure, which would contribute to a dangerous failure of the SIS which are undetected by the diagnostic tests and undetected by proof tests;
e) the susceptibility of the SIS to failures caused by the proof tests themselves;
f) the susceptibility of the SIS to common cause failures;
g) the diagnostic coverage of any periodic diagnostic tests, the associated diagnostic test interval and the probability of failure of the diagnostic facilities;
h) the coverage of any periodic proof tests, the associated proof test procedure and the reliability for the proof test facilities and procedure;
i) the repair times for detected failures and the state of the SIS during repairs (on line or off line);
j) the estimated dangerous failure rate of any communication process in any modes which would cause a dangerous failure of the SIS (both detected and undetected by diagnostic tests);
k) the estimated likelihood that operator response would cause a dangerous failure of the SIS (both detected and undetected by diagnostic tests);
l) the reliability of any utility necessary for the SIS.

NOTE Several modelling approaches are available and the most appropriate approach is a matter for the analyst and can depend on the circumstances. Available means include (see IEC 61508-6:2010, Annex B):
– cause consequence analysis;
– reliability block diagrams;
– fault-tree analysis;
– Markov models;
– Petri nets models.

The probabilistic calculations can be performed analytically or by numerical simulation (e.g., Monte Carlo simulation).

11.9.3 The reliability data used when quantifying the effect of random failures shall be credible, traceable, documented, justified and shall be based on field feedback from similar devices used in a similar operating environment.

NOTE 1 This includes user collected data, vendor/provider/user data derived from data collected on devices, data from general field feedback reliability databases, etc. In some cases, engineering judgement can be used to assess missing reliability data or evaluate the impact on reliability data collected in a different operating environment.

NOTE 2 The lack of reliability data reflective of the operating environment is a recurrent shortcoming of probabilistic calculations. End-users can organize relevant device reliability data collections in accordance with IEC 60300-3-2:2004 or ISO 14224:2006 to improve the implementation of the IEC 61511 series.

NOTE 3 Vendor data based on returns can be restricted to a population where there is full knowledge of the operational environment and fully recorded in accordance with IEC 60300-3-2:2004 or ISO 14224:2006. The user can also record the operational environment for the SIF and be able to demonstrate that the vendor’s operational environment data matches the environment of the SIF.

11.9.4 The reliability data uncertainties shall be assessed and taken into account when calculating the failure measure.

NOTE 1 The reliability data uncertainties can be evaluated according to the amount of field feedback (less field feedback results in more uncertainty) and/or exercise of expert judgement. Published standards (IEC 60605-4), Bayesian approaches, engineering judgement techniques, etc. can be used to estimate the reliability data uncertainties.

NOTE 2 The following techniques can be used for calculating the failure measures (more information can be found in IEC 61511-2:2016):
– use of an upper bound confidence of 70 % for each input reliability parameter instead of its mean in order to obtain conservative point estimations of the failure measures, or;
– use the probabilistic distribution functions of input reliability parameters, perform Monte Carlo simulations to obtain a histogram representing the distribution of the failure measure and assess a conservative value from this distribution (e.g., that there is a 90 % confidence that the true failure measure is better than the value calculated).

11.9.5 If, for a particular design, the target failure measure for the relevant SIF is not achieved then:
a) identify the devices or parameters contributing most to the failure measure;
NOTE Fault tree cut-set analysis can be useful here.
b) evaluate the effect of possible improvement measures on the identified devices or parameters (e.g., more reliable devices, additional defences against common mode failures, increased diagnostic or proof test coverage, increased redundancy, reduced proof test interval, staggering tests, etc.);
c) select and implement improvement measures to establish the new result;
d) compare the new result to the target failure measure and repeat the steps a) to d) until the target failure measure is achieved in a conservative manner.

12 SIS application program development

12.1 Objective

The objective of Clause 12 is to define the requirements for the development of the application program.

12.2 General requirements

12.2.1 The application program of the SIS shall be in accordance with the application program safety requirements (see 10.3.3) and all the requirements of this clause for all SIL up to and including SIL 3.

12.2.2 The application programmer shall review the information in the SRS and the application program safety requirements to ensure that the requirements are comprehensive, unambiguous, understandable and consistent. Any deficiencies in the application program safety requirements shall be identified and resolved, and if changes are made to the application program safety requirements, an impact analysis shall be carried out.

12.2.3 The IEC 61511 series addresses programming in Limited Variability Languages (LVL) and the use of devices using Fixed Program Languages (FPL). The IEC 61511 series does not address Full Variability Language (FVL) and the IEC 61511 series does not address SIL 4 application programming. Where function blocks are written in FVL then these shall be developed and modified under IEC 61508-3:2010.

12.2.4 Where the application program of the SIS is to implement both safety and non-safety functions, then all of the application program shall be treated as part of the SIS and shall comply with this standard and in addition, it shall be shown through assessment and test that the non-safety functions cannot interfere with the safety functions.

12.2.5 The application program shall be designed in such a way as to ensure that once the SIS has placed the process in a safe state, the process remains in the safe state, including under loss of power conditions and on power restoration, until a reset has been initiated unless otherwise directed by the SRS.

NOTE 1 If the SIF does not have a reset then there can be a documented engineering argument as to why it is acceptable to reinitiate the process without requiring the safe delay a reset would impose.

NOTE 2 More information can be found in 11.2.7.

12.2.6 During SIS start-up (or power up) the application program shall ensure that safety outputs remain in the safe state (typically de-energized state) until a reset has been initiated unless otherwise directed by the SRS.

12.2.7 The application program shall be designed in such a way that all parts of the application program are executed on every application program scan unless there is a specific alternate requirement that is supported in the safety manual. Process safety time requirements shall be considered when establishing application program scanning requirements.
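The run-time fault detection measures listed in 11.5.5.6 (program sequence monitoring, range check of variables, plausibility check of values, failure assertion) and the behaviour required by 12.2.5 to 12.2.7 (safe state at start-up, trip latched until reset, every part of the program executed on every scan) fit together in one scan routine. The following is an added example written for this page, not code from IEC 61511-1 or from any logic solver vendor; the tag names PT-101A/PT-101B, the transmitter span, the deviation limit and the trip setpoint are constructed.

```python
"""A miniature logic-solver scan showing the fault detection measures of
11.5.5.6 together with the latched safe state of 12.2.5/12.2.6 and the
every-part-on-every-scan rule of 12.2.7. Added example, not code from
IEC 61511-1 or any vendor; tags, limits and the setpoint are constructed."""
from dataclasses import dataclass, field


class SafetyFault(Exception):
    """Failure assertion: any check that fails raises this and the scan trips."""


@dataclass
class Outputs:
    tripped: bool = True            # 12.2.6: start-up in the safe state until reset
    valve_energized: bool = False   # de-energize-to-trip: False is the safe state
    alarms: list = field(default_factory=list)


EXPECTED_SEQUENCE = ("read_inputs", "plausibility", "trip_logic", "write_outputs")


class ScanMonitor:
    """Program sequence monitoring: each program part records a checkpoint and
    the trace must equal the expected sequence at the end of the scan, so a
    skipped, repeated or reordered part is detected (11.5.5.6, 12.2.7)."""

    def __init__(self):
        self.trace = []

    def checkpoint(self, name: str):
        self.trace.append(name)

    def verify(self):
        if tuple(self.trace) != EXPECTED_SEQUENCE:
            raise SafetyFault(f"sequence violation: {self.trace}")


def check_range(tag: str, value: float, lo: float, hi: float) -> float:
    """Range check of a variable: a raw value outside the transmitter span
    points to a failed transmitter, wiring or I/O channel."""
    if not (lo <= value <= hi):
        raise SafetyFault(f"{tag}={value} outside [{lo}, {hi}]")
    return value


def plausibility(pt_a: float, pt_b: float, max_deviation: float) -> float:
    """Plausibility check between two redundant transmitters; when they agree
    the larger (more conservative) reading is used."""
    if abs(pt_a - pt_b) > max_deviation:
        raise SafetyFault(f"transmitters disagree: {pt_a} vs {pt_b}")
    return max(pt_a, pt_b)


TRIP_PRESSURE = 80.0   # constructed high-pressure trip setpoint


def scan(inputs: dict, out: Outputs, reset: bool = False, monitor: ScanMonitor = None) -> Outputs:
    """One application program scan; every part runs on every scan (12.2.7)."""
    mon = monitor if monitor is not None else ScanMonitor()
    try:
        mon.checkpoint("read_inputs")
        a = check_range("PT-101A", inputs["PT-101A"], 0.0, 100.0)
        b = check_range("PT-101B", inputs["PT-101B"], 0.0, 100.0)
        mon.checkpoint("plausibility")
        pressure = plausibility(a, b, max_deviation=5.0)
        mon.checkpoint("trip_logic")
        if pressure >= TRIP_PRESSURE:
            out.tripped = True
        elif reset and out.tripped:
            out.tripped = False      # 12.2.5: the trip latches until an explicit reset
        mon.checkpoint("write_outputs")
        mon.verify()
    except SafetyFault as exc:
        out.tripped = True           # any detected fault drives the safe state
        out.alarms.append(str(exc))
    out.valve_energized = not out.tripped
    return out
```

The `monitor` argument exists so that a test can hand in a trace that already contains a stale checkpoint and confirm that the sequence check trips; in a real logic solver the expected sequence would be fixed in the application program and the detection would be reported through the diagnostics of 11.7.2.4.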

12.2.8 The SIS application program and data shall be subject to modification, revision control, version management, back-up and restoration procedures.

12.2.9 This clause specifies requirements for application programming for users and integrators of SISs; in particular, requirements for the following are specified. The SIS application program safety life-cycle planning shall address the following aspects:
• SIS safety life-cycle phases and activities that are to be applied during the design and development of the application program. These requirements include the application of measures and techniques, which are intended to avoid errors in the application program and to control failures which may occur;
• information relating to the application program validation to be passed to the organization carrying out the SIS integration;
• preparation of information and procedures concerning the application program needed by the user for the operation and maintenance of the SIS;
• procedures and specifications to be met by the organization carrying out modifications of the application program.
12.3 Application program design

12.3.1 An application program design shall address all SIS logic including all process operating modes for each SIF.

12.3.2 The input to the application program design shall be the SRS including the application program requirements (see Clause 10), the SIS architecture (see Clause 11) and the means and tools for developing the application program design (see 12.6). The application program design shall be consistent with and traceable back to the SRS.

12.3.3 The application program design shall allow an assessment of functional safety to be carried out.

12.3.4 The application program design and its decomposition into modules if applicable, shall address how the requirements are to be implemented, including the following as appropriate:
• the functions that enable the process to achieve or maintain a safe state;
• the specification of all identified application program components, and the description of connections and interactions between identified components;
• the timing constraints associated with the application program functions and their implementation in program scan time(s);
• a detailed description of the standard library modules (function blocks) being used;
• a detailed description of the application specific modules (function blocks) being used;
• a description of the way memory allocation has been achieved;
• the list of global variables used and the way in which their integrity is protected;
• identification of all non-SIF and the interfaces to non-safety related parts of the application program, to ensure that they cannot affect the proper operation of any SIF;
• definition of input and output interfaces, including tag listings and the associated data types;
• details of the data exchanged between the SIS application program and the operator interfaces;
• details of the data exchanged between the SIS application program and the BPCS and peripherals such as printers, data storage, etc.;
• how external and internal diagnostic information will be processed and logged;
• detailed description of how the operation and maintenance interfaces are implemented, including the way in which alarms are prioritised, indicated and accepted;
• a detailed description of any application level diagnostics that may be implemented such as external watchdogs, application data integrity checking, sensor validation to meet the required SIL;
• system configuration checks including the existence and accessibility of expected hardware devices and software modules;
• how the complexity in the application program design is minimised e.g., through use of modular design and simple functionality;
• functions related to the detection, annunciation and management of faults in SIS subsystems;
• functions related to the periodic testing of SIF on-line;
• functions related to the periodic testing of SIF off-line;
• functions that allow maintenance of the SIS to be carried out safely;
• references to documents on which the application program design specification is based.

12.3.5 The application program design shall ensure:
• completeness with respect to the SRS and its intended purpose;
• correctness with respect to the SRS and its intended purpose;
• freedom from ambiguity, i.e., clear to those who will utilize the document at any stage of the SIS safety life-cycle; this includes the use of terminology and descriptions which are unambiguous and understood by plant operators and system maintainers, as well as the application programmers;
• freedom from design faults.
12.4 Application program implementation

12.4.1 The application program development methodology shall comply with the development tools and restrictions given by the manufacturer of the SIS PE subsystem on which the application program shall be used.

12.4.2 The following information shall be contained in the application program or related documentation:
a) the application program originator;
b) a description of the purpose of the application program;
c) the versions of the safety manuals that were used;
d) identification of the dependency of each SIF on the parts (modules) of the application program;
e) traceability to the application program safety requirements specification;
f) identification of each SIF and its SIL;
g) identification and description of the symbols used, including logic conventions, standard library functions, application library functions;
h) identification of the SIS logic solver input and output signals;
i) where the overall SIS utilises communications, a description of the communications information flow;
NOTE An example would be where a SIF uses several logic solvers.
j) a description of the program structure, including a description of the order of the logical processing of data with respect to the input/output sub-systems and any limitations imposed by scan times;
k) if required by the SRS, the means by which:
• the correctness of field data is ensured (e.g., comparison between analog sensors to improve the diagnostic coverage);
• the correctness of data sent over a communication link is ensured (e.g., when communicating from an HMI, before implementation of a command an ‘ack’ or ‘acknowledge’ is transmitted);
• communications are made secure (e.g., cyber security measures);
l) version identification and a history of changes.
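The second and third bullets of 12.4.2 k) (correctness of data sent over a communication link, confirmed by an acknowledgement before a command is treated as implemented, and communications made secure) can be shown as one exchange between an HMI and a SIS logic solver. The following is an added example written for this page, not code of IEC 61511-1 or of any vendor: the SIS acts on a parameter write only after it has verified the message, the HMI records the write as implemented only when the SIS's ‘ack’ arrives, and the link is protected by a message authentication code over the message body plus a strictly increasing sequence number. The message layout, the shared key, the writable parameter TRIP_SETPOINT and its permitted range are constructed.

```python
"""HMI-to-SIS command exchange with verification, acknowledgement and message
authentication, as an added example of 12.4.2 k). Not code of IEC 61511-1 or
any vendor; message layout, key, parameter name and range are constructed."""
import hashlib
import hmac
import json

# Constructed demo key. In a SIS it would be provisioned through the
# maintenance/engineering interface under configuration management (11.7.3.4).
SHARED_KEY = b"constructed-demo-key-not-for-use"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so both ends compute the MAC over identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _seal(body: dict) -> dict:
    return {"body": body, "mac": hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()}


def _verified(msg: dict) -> bool:
    expected = hmac.new(SHARED_KEY, _canonical(msg.get("body", {})), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("mac", "")))


class Hmi:
    def __init__(self):
        self.seq = 0
        self.implemented = {}    # parameter -> value the SIS has acknowledged

    def build_command(self, parameter: str, value) -> dict:
        self.seq += 1
        return _seal({"seq": self.seq, "parameter": parameter, "value": value})

    def on_reply(self, reply: dict) -> bool:
        """True only for an authentic 'ack'; anything else leaves the HMI's view unchanged."""
        if not _verified(reply) or reply["body"]["status"] != "ack":
            return False
        self.implemented[reply["body"]["parameter"]] = reply["body"]["value"]
        return True


class SisLink:
    # Writable parameters and their permitted ranges (constructed).
    LIMITS = {"TRIP_SETPOINT": (0.0, 100.0)}

    def __init__(self):
        self.last_seq = 0
        self.parameters = {"TRIP_SETPOINT": 80.0}
        self.events = []

    def _reply(self, status: str, body: dict, reason: str = "") -> dict:
        param = body.get("parameter")
        return _seal({"seq": body.get("seq"), "parameter": param,
                      "value": self.parameters.get(param), "status": status, "reason": reason})

    def on_command(self, msg: dict) -> dict:
        body = msg.get("body", {})
        if not _verified(msg):
            self.events.append("rejected: authentication failed")
            return self._reply("nak", body, "authentication failed")
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            self.events.append(f"rejected: replayed or out-of-order seq {seq}")
            return self._reply("nak", body, "replayed or out-of-order sequence number")
        self.last_seq = seq              # an authentic message consumes its number
        param, value = body.get("parameter"), body.get("value")
        if param not in self.LIMITS:
            self.events.append(f"rejected: {param} is not writable from the HMI")
            return self._reply("nak", body, "parameter not writable")
        lo, hi = self.LIMITS[param]
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            self.events.append(f"rejected: {param}={value} outside [{lo}, {hi}]")
            return self._reply("nak", body, "value out of range")
        self.parameters[param] = float(value)
        self.events.append(f"implemented: {param}={float(value)} (seq {seq})")
        return self._reply("ack", body)
```

The reply carries the value the SIS actually holds, so a ‘nak’ also tells the HMI what is in force; the fixed LIMITS table is the SIS-side counterpart of "control over selective writing" in the NOTE to 11.7.2.6, and the application program itself is deliberately not among the writable parameters (11.7.2.5).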
12.4.3 If previously developed application program library functions are to be used as part of the design, their suitability shall be justified and based upon:
• compliance to IEC 61508; if proven-in-use evaluation for FVL in compliance to IEC 61508-3:2010 is undertaken, the programmable devices on which the application program library functions execute shall also be evaluated as proven-in-use according to IEC 61508-2:2010; or
• compliance to IEC 61511 prior use requirements (see 11.5.4 or 11.5.5) when using FPL or LVL;
• in all cases, demonstrating that any unused functions do not adversely impact the application program.

12.4.4 The application program shall be produced in a structured way so as to achieve:
• modular decomposition of the functionality;
• keep the complexity of SIF application program to a minimum consistent with that of the complexity of the required SIF;
• testability of functionality (including fault tolerant features) and of the internal structure of the application program;
• traceability to, and explanation of, application functions and associated constraints;
• one to one mapping between the hardware architecture and application program architecture.
1 2.5 Requirements for application program verification (review and testing)
1 2.5.1 Verification plan n in g sh all be carri ed out i n accordance with Cl ause 7.
1 2.5.2 Th e appl icati on program inclu di ng i ts docum en tation sh all be reviewed by a
com petent person n ot i n vol ved i n th e ori g i nal developm en t. Th e approach used for the review
an d the revi ew resul ts sh all be docu m ented.

1 2.5.3 Th e appl ication program , i ncl udi ng its decom position i nto m odu les if appropriate,
shal l be verified throu g h review, anal ysis, sim u l ation an d testi n g tech n i qu es usin g written
procedu res an d test specifications, th at shal l be carri ed ou t to confirm that the appl icati on
program functions m eet th e SRS an d th at un i ntended functions are n ot execu ted an d that
th ere are n o u n inten ded side effects with respect to th e SI F. Th e followi n g shal l be
addressed:
IEC 61511-1:2016+AMD1:2017 CSV – 67 –
© IEC 2017
• conformance to the application program design specification, the defined means and procedures, and the requirements of safety validation and test planning;
• exercising of all parts of the application program;
• exercising a representative range of data conditions;
• testing for failure conditions (i.e., negative testing);
• timing and the sequence of execution;
• testing of communications to and from the SIS;
NOTE Wherever feasible the communication overload condition can be verified and tested.
• integration of the off-line application program with the logic solver hardware and the underlying PE;
• internal data flow checks to confirm that the logic solver is not just apparently working, but is working as expected;
• when possible, integration of the application program and 3rd party devices.
12.5.4 The mapping of the I/O data to the application program, including data type and range, shall be verified.

12.5.5 During testing, modifications to the application program shall be subject to an impact analysis in order to determine:
• all application program parts impacted;
• the necessary re-design and re-verification activities.
12.5.6 The results of application program testing shall be documented and include:
• the versions of the application program and its supporting documentation being tested;
• the versions of supporting software and test tools;
• names of the person(s) who performed the tests and reviews and dates;
• descriptions of the tests, reviews and dates performed;
• the test results;
• whether the objective and criteria of the tests have been met;
• if there was a failure during the test, the reasons why the failure occurred, the analysis of the failure and the records of its correction and re-test requirements.
12.6 Requirements for application program methodology and tools
12.6.1 The application program development shall comply with the constraints in the applicable safety manual(s).

NOTE The safety manual(s) can be reviewed and, if required for a specific application, additional procedures for and/or constraints on the use of methodologies and tools can be implemented.

12.6.2 Methods, techniques and tools shall be selected and applied for each life-cycle phase so as to:
• minimize the risk of introducing faults into the application program;
• reveal and remove faults that already exist in the application program;
• ensure as far as is practicable that any faults remaining in the application program will not lead to unacceptable results;
• enhance the means of managing modifications of the application program throughout the lifetime of the SIS;
• provide evidence that the application program has the required quality.
13 Factory acceptance test (FAT)

13.1 Objective
The objective of Clause 13 is to test the devices of the SIS to ensure that the requirements defined in the SRS are met.

NOTE 1 By testing the logic solver, associated software and hardware prior to installation, errors can be readily identified and corrected.

NOTE 2 The FAT is sometimes referred to as an integration test and can be part of the validation.

NOTE 3 Testing of field elements together with the logic solver can be recommended when there needs to be a high confidence in operation prior to final installation, e.g., subsea applications.

13.2 Recommendations

13.2.1 The need for a FAT shall be specified during the safety planning for a project.

NOTE 1 Close co-operation between the logic solver supplier and design contractor can be required in order to develop the integration tests.

NOTE 2 The activities follow the design and development phases and precede the installation and commissioning.

NOTE 3 The activities are applicable to the SIS subsystems with or without programmable electronics.

NOTE 4 It is usual for the FAT to take place in a factory environment prior to installation and commissioning in the plant.

13.2.2 The planning for a FAT shall specify the following:

• Types of tests to be performed including black-box system functionality tests; performance tests; internal checks; performance tests; environmental tests; interface testing; testing in degraded or faulted condition; exception testing; testing for safe reaction in case of power failure (including restart after power restored); and application of the SIS maintenance and operating manuals;
NOTE 1 Black-box functionality testing is a test design method that treats the system as a “black box”, so it does not explicitly use knowledge of its internal structure. Black-box test design is usually described as focusing on testing function requirements. Synonyms for black box include behavioural, functional, opaque-box, and closed-box testing.
NOTE 2 Performance tests determine whether the system meets timing, reliability and availability, integrity, safety targets and constraints.
NOTE 3 Environmental tests include EMC, life- and stress-testing.
NOTE 4 Internal data flow checks can be carried out to confirm that the SIS is processing input data and generating output response as specified.
• Test cases, test description and test data;
NOTE 5 Clarity in defining who is responsible for developing the test case and who is going to be responsible for carrying out the test and witnessing the test can be very important.
• Dependence on other systems/interfaces;
• Test environment and tools;
• Logic solver, sensor and final element configuration;
• Test criteria on which the completion of the test shall be judged;
• Procedures for corrective action on failure of test;
• Test personnel competences;
• Physical location;
• Hazards posed by the testing especially dealing with stored energy;
• A clear diagram of the test set-up;
• Recording of tests conducted, data, results and observations whilst the tests are being conducted.
NOTE 6 Tests that cannot be physically demonstrated are normally resolved by a formal line of reasoning as to why the SIS achieves the requirement, target or constraint.

13.2.3 The FAT shall take place on a defined version of the logic solver.

13.2.4 The FAT shall be conducted in accordance with the FAT planning. These tests shall show that all the logic performs correctly.

13.2.5 For each test carried out the following shall be addressed:
• the version of the test planning being used;
• the SIF and performance characteristic being tested;
• the detailed test procedures and test descriptions;
• a chronological record of the test activities;
• the tools, equipment and interfaces used.
13.2.6 The results of FAT shall be documented, stating:
• the test cases;
• the test results;
• whether the objectives and test criteria have been met.
If there is a failure during test, the reasons for the failure shall be documented and analysed and the appropriate corrective action should be implemented.

13.2.7 During FAT, any modification or change shall be subject to a safety analysis to determine:
• the extent of impact on each SIF;
• the extent of testing and verification which shall be defined and implemented.
NOTE Commissioning can commence whilst corrective action is undertaken, depending on the results of the FAT.

14 SIS installation and commissioning

14.1 Objectives

The objectives of the requirements of Clause 14 are to:
• install the SIS according to the specifications and drawings;
• commission the SIS so that it is ready for final system validation.
NOTE The purpose of commissioning activities is to ensure that each of the SIS devices is individually ready to operate, as specified in the design phase.

14.2 Requirements

14.2.1 Installation and commissioning planning shall define all activities required for installation and commissioning. The planning shall provide the following:
• the installation and commissioning activities;
• the procedures, measures and techniques to be used for installation and commissioning;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities.
Installation and commissioning planning may be integrated in the overall project planning where appropriate.
14.2.2 All SIS devices shall be properly installed according to the design and installation plan(s).

14.2.3 The SIS shall be commissioned in accordance with planning in preparation for the final system validation. Commissioning activities shall include, but not be limited to, confirmation of the following:
• earthing (grounding) has been properly connected;
• energy sources have been properly connected and are operational;
• transportation stops and packing materials have been removed;
• no physical damage is present;
• all instruments have been properly calibrated and configured;
• all field devices are operational;
• logic solver and input/outputs are operational;
• the interfaces to other systems and peripherals are operational;
• all communications between remote SIS systems are operational.
14.2.4 Appropriate records of the commissioning of the SIS shall be produced, stating the results of the activities and whether the objectives and criteria identified during the design phase have been met. If there is a failure, the reasons for the failure shall be recorded.

14.2.5 Where it has been established that the actual installation does not conform to the design information then the difference shall be evaluated by a competent person and the impact of the difference on safety shall be determined. If it is established that the difference has no impact on safety, then the design information shall be updated to “as-built” status. If the difference has a negative impact on safety, then the installation shall be modified to meet the design requirements.

15 SIS safety validation

15.1 Objective

The objective of the requirements of Clause 15 is to validate, through inspection and testing, that the installed and commissioned SIS and its associated SIF(s) achieve the requirements as stated in the SRS.

NOTE This is sometimes referred to as a site acceptance test (SAT).

15.2 Requirements

15.2.1 Validation planning of the SIS shall be carried out throughout the SIS safety life-cycle and shall define all activities and equipment required for validation. The following items shall be included:
• the validation activities including validation of the SIS with respect to the SRS including implementation and resolution of resulting recommendations;
• validation of all relevant process operating modes of the process and its associated equipment including:
– preparation for use including setting and adjustment;
– start-up, automatic, manual, semi-automatic, steady state of operation;
– re-setting, shutdown, maintenance;
– other modes identified in previous phases of the SIS safety life-cycle;
• the procedures, measures and techniques to be used for validation, including how validation activities can be performed without putting the plant and process at risk of the hazardous events the SIS is to protect against;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities and the levels of independence for validation activities;
• reference to information against which validation shall be carried out (e.g., cause and effect chart);
• the equipment and facilities that need to be installed or made available (e.g. isolation valves and leak detection equipment that will be needed for the testing of valves).
NOTE Examples of validation activities include loop testing, logic testing, calibration procedures, simulation of application program.

15.2.2 Validation planning for the application program shall include the following:
• identification of the application program functions which need to be validated for each process operating mode before commissioning begins;
• the technical strategy for the validation including (where relevant):
– manual and automated techniques;
– static and dynamic techniques;
– analytical and statistical techniques.
• in accordance with the preceding bullet, the measures (techniques) and procedures that will be used for confirming that each SIF conforms with the specified safety requirements and the specified SIL;
• the required environment in which the validation activities are to take place (e.g., for tests this would include calibrated tools and equipment);
• the application program;
• the pass/fail criteria for accomplishing validation including:
– the required process and operator input signals with their sequences and their values;
– the anticipated output signals with their sequences and their values;
– other acceptance criteria, for example memory usage, timing and value tolerances.
• the policies and procedures for evaluating the results of the validation, particularly failures;
• all documents (see Clause 19) are validated for accuracy, consistency and traceability of the SIF from inception during the H&RA through the final installed SIF.
15.2.3 Where measurement accuracy is required as part of the validation then instruments used for this function should be calibrated against a specification traceable to a standard within an uncertainty appropriate to the application. If such a calibration is not feasible, an alternative method shall be used and documented.

15.2.4 The validation of the SIS and its associated SIF(s) shall be carried out in accordance with the SIS validation planning. Validation activities shall include, but not be limited to, the following:
• confirmation that the SIS performs under normal and abnormal process operating modes (e.g., start-up, shutdown) as identified in the SRS;
• confirmation that adverse interaction of the BPCS and other connected systems does not affect the proper operation of the SIS;
• the SIS properly communicates (where required) with the BPCS or any other system or network, including during abnormal conditions such as a data overload;
• sensors, logic solver, and final elements perform in accordance with the SRS, including all redundant channels, including abnormal conditions such as data overload;
NOTE If a factory acceptance test (FAT) was performed on the logic solver as described in Clause 13, credit can be taken for validation of the logic solver by the FAT. After all equipment is installed in the plant, full loop validation will test the logic solver functionality and its connections to other SIS subsystems.
• SIS design documentation is consistent with the installed system;
• confirmation that the SIF performs as specified on invalid process variable values (e.g., out of range);
• the proper shutdown sequence is activated;
• the SIS provides the proper annunciation and proper operation display;
• computations that are included in the SIS are correct for the expected range of values but also at limits and over the limits;
• the SIS reset functions perform as defined in the SRS;
• bypass functions operate correctly;
• start-up overrides operate correctly;
• manual shutdown systems operate correctly;
• the proof-test policy documented in the maintenance procedures;
• diagnostic alarm functions perform as required;
• confirmation that the SIS performs as required on loss of utilities (e.g., electrical power, air, hydraulics) and confirmation that, when the utilities are restored, the SIS returns to the desired state;
• confirmation that the EMC immunity, as specified in the SRS (see 10.3), has been achieved.
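The kind of test set that 12.5.3 (representative data, negative testing) and 15.2.4 (invalid process variable values, computations at and over the limits) call for, shown on a small 2oo3 high-pressure trip function. This is an added example, not text or code from IEC 61511-1; the transmitter range, trip point, 2oo3 architecture and the fail-safe treatment of a faulted channel are constructed assumptions.

```python
"""Added example (not part of IEC 61511-1): a 2oo3 high-pressure SIF trip
function and a validation harness that exercises it with representative
data, values at and over the limits, out-of-range inputs and fault
conditions. All parameters below are constructed assumptions."""
import math
from dataclasses import dataclass

# Constructed transmitter and trip parameters (assumption: 0..100 bar range).
RANGE_LO = 0.0
RANGE_HI = 100.0
TRIP_HI = 80.0      # high-pressure trip point (assumed value)
TOLERANCE = 0.1     # acceptance tolerance around the trip point (assumed)


@dataclass(frozen=True)
class SifResult:
    trip: bool
    faulted: tuple   # indices of channels treated as faulted
    reason: str


def channel_faulted(pv):
    """A reading outside the calibrated range, or not a number at all, is a
    channel fault. 15.2.4 requires defined behaviour on invalid process
    variable values; the assumption here is that a faulted channel votes
    to trip (fail-safe)."""
    return (pv is None or not isinstance(pv, (int, float))
            or math.isnan(pv) or pv < RANGE_LO or pv > RANGE_HI)


def sif_high_pressure(pvs):
    """2oo3 high-pressure trip: a channel votes to trip when it is at or
    above TRIP_HI or when it is faulted; two or more votes trip the SIF."""
    if len(pvs) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    faulted = tuple(i for i, pv in enumerate(pvs) if channel_faulted(pv))
    votes = sum(1 for i, pv in enumerate(pvs)
                if i in faulted or pv >= TRIP_HI)
    if votes >= 2:
        reason = "2oo3 high pressure" if len(faulted) < 2 else "channel faults"
        return SifResult(True, faulted, reason)
    return SifResult(False, faulted, "normal")


def run_validation():
    """Execute the constructed validation cases and return the list of
    failures; an empty list means every expected result was met, which is
    what the record required by 15.2.6 and 15.2.7 would state."""
    cases = [
        ("normal operation", (50.0, 52.0, 49.0), False),
        ("one channel at trip point (1oo3, no trip)", (TRIP_HI, 50.0, 50.0), False),
        ("two channels just below trip",
         (TRIP_HI - TOLERANCE, TRIP_HI - TOLERANCE, 50.0), False),
        ("two channels exactly at trip limit", (TRIP_HI, TRIP_HI, 50.0), True),
        ("two channels at range maximum", (RANGE_HI, RANGE_HI, 50.0), True),
        ("one channel below range (fault only, no trip)", (-5.0, 50.0, 50.0), False),
        ("two channels out of range (fault condition)", (-5.0, 200.0, 50.0), True),
        ("NaN channel plus one high channel", (float("nan"), 85.0, 50.0), True),
    ]
    failures = []
    for name, pvs, expected in cases:
        got = sif_high_pressure(pvs).trip
        if got != expected:
            failures.append(f"{name}: expected trip={expected}, got {got}")
    # Negative test: malformed input must be rejected, not voted on.
    try:
        sif_high_pressure((50.0, 50.0))
        failures.append("two-channel input was accepted")
    except ValueError:
        pass
    return failures


if __name__ == "__main__":
    print(run_validation() or "all validation cases passed")
```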
15.2.5 The validation of the application program shall determine whether:

• all of the specified application program safety requirements (see 10.3.2) are correctly performed;
• the application program does not jeopardize the safety requirements under SIS fault conditions and in degraded modes of operation and for BPCS fault conditions for any interfaces between the SIS and BPCS;
• the application program does not jeopardize the safety requirements by executing “unused” software functionality, i.e., functionality not defined in the specification.
The information of the validation activities shall be available.

15.2.6 The results from the validation plan activities shall represent and cover the entire SIS validation process. SIS validation documentation shall be produced which provides:
• the version of the SIS validation planning being used;
• the SIF(s) under test (or analysis), along with the specific reference to the requirement identified during the SIS validation planning;
• tools and equipment used, along with their calibration data;
• the results of each test;
• the version of the test specification used;
• the criteria for acceptance of the completed tests;
• the version of the SIS hardware, application program(s), and other software being tested;
• any discrepancy between expected and actual results and the resolution of that discrepancy;
• the analysis made and the decisions taken on whether to continue the test or to issue a change request, in the case where discrepancies occur.
15.2.7 The results shall be verified against the expected results. All discrepancies shall be analysed and the findings shall be available as part of the validation documentation. This shall include the analysis made and the decisions taken on whether to continue the validation or to issue a change request and to return to an earlier part of the development life-cycle.

15.2.8 After the SIS validation and prior to the identified hazards being present, the following activities shall be carried out:
• all bypass functions (e.g., PE logic solver and PE sensor forces, disabled alarms) shall be returned to their normal position;
• all process isolation valves shall be set according to the process start-up requirements and procedures;
• all test materials (e.g., fluids) shall be removed;
• all commissioning overrides and force permissives shall be removed.

16 SIS operation and maintenance

16.1 Objectives

The objectives of the requirements of Clause 16 are to ensure that:
• the required SIL of each SIF is maintained during operation and maintenance;
• the SIS is operated and maintained in a way that sustains the required safety integrity.
16.2 Requirements

16.2.1 Operation and maintenance planning for the SIS shall be carried out. It shall provide the following:
• routine and abnormal operation activities;
• inspection, proof testing, preventive and breakdown maintenance activities;
• the procedures, measures and techniques to be used for operation and maintenance;
• the operational response to faults and failures identified by diagnostics, inspections or proof-tests;
• verification of conformity to operations and maintenance procedures;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities;
• a SIS maintenance plan.
NOTE The SIS maintenance plan can state different maintenance features depending on the SIL level.

16.2.2 Operation and maintenance procedures shall be developed in accordance with the relevant safety planning and shall provide the following:
a) the routine methods and procedures which need to be carried out to maintain the "as designed" functional safety of the SIS;
b) the procedures used to ensure the quality and consistency of proof testing, and to ensure adequate validation is being performed after replacement of any device;
c) the measures and constraints that are necessary to prevent an unsafe state and/or reduce the consequences of a hazardous event during maintenance or operation (e.g., when a system needs to be bypassed for testing or maintenance, what additional risk reduction needs to be implemented);
d) the methods and procedures which are used to test the diagnostics;
e) the information which needs to be maintained on SIS failure and the demand rates on the SIS;
f) procedures for collecting data related to the demand rate and SIS reliability parameters;
NOTE 1 Collection and analysis of failure data has many benefits including the potential to reduce maintenance costs if failure rates in operation are significantly lower than what were predicted during design. Implementation costs of new installations can also be reduced because new designs can be based on less conservative failure rates.
g) the information which needs to be maintained showing results of audits and tests on the SIS;
h) the maintenance procedures to be followed when faults or failures occur in the SIS, including:
• procedures for fault diagnostics and repair;
• procedures for revalidation;
• maintenance reporting requirements;
• procedures for tracking maintenance performance.
NOTE 2 Considerations include:
– procedures for reporting failures;
– procedures for analysing systematic failures;
– the actions to allow safe shutdown in the event of BPCS failure;
– ensuring that test equipment is properly calibrated and maintained.

16.2.3 Operation procedures shall be made available. Compensating measures that ensure continued safety while the SIS is disabled or degraded due to bypass (repair or testing) shall be applied with the associated operation limits (duration, process parameters, etc.). The operator shall be provided with information on the procedures to be applied before and during bypass and what should be done before the removal of the bypass and the maximum time allowed to be in the bypass state. This information shall be reviewed on a regular basis.

NOTE The operating and maintenance procedures can include verification that bypasses are removed after proof testing.

16.2.4 Continued process operation with a SIS device in bypass shall only be permitted if a hazards analysis has determined that compensating measures are in place and that they provide adequate risk reduction. Operating procedures shall be developed accordingly.

16.2.5 Operation and maintenance shall proceed in accordance with the relevant procedures.

16.2.6 Operators shall be trained on the function and operation of the SIS in their area. This training shall ensure that they understand:
• how the SIS functions (trip points and the resulting action that is taken by the SIS);
NOTE 1 This can also include the impact of an SIS action on the remaining operational plant.
• the hazard the SIS is protecting against;
• the correct operation and management of all bypass/override switches and under what circumstances these bypasses are to be used;
• the operation of any manual shutdown switches and manual start-up activity and when these manual switches are to be activated;
NOTE 2 This can include “system reset” and “system restart”.
• expectation on activation of any diagnostic alarms (e.g., what action shall be taken when any SIS alarm is activated indicating there is a problem with the SIS);
• the proper verification of the diagnostics.
16.2.7 The status of all bypasses shall be recorded in a bypass log. All bypasses need authorization and indication.
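An audit of a bypass log against what 16.2.3, 16.2.4 and 16.2.7 require (every bypass authorized, applied with a stated maximum duration, and removed within it), as an added example that is not part of IEC 61511-1. The CSV log format, the tag names, permit numbers and timestamps are constructed assumptions.

```python
"""Added example (not part of IEC 61511-1): audit a constructed SIS bypass
log for bypasses applied without authorization (16.2.7), bypasses that
exceeded their maximum duration (16.2.3), and bypasses still active at the
time of the check. Log format and all values are constructed assumptions."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed bypass log: one row per APPLY/REMOVE event. The permit and
# max_min columns are only meaningful on APPLY rows.
BYPASS_LOG = """\
time,tag,action,permit,max_min
2024-03-04 08:00,PT-101,APPLY,WP-17,240
2024-03-04 11:30,PT-101,REMOVE,,
2024-03-04 09:15,XV-202,APPLY,,60
2024-03-04 09:45,XV-202,REMOVE,,
2024-03-04 10:00,LT-303,APPLY,WP-18,120
"""


def parse_time(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_log(text):
    """Return the log rows as dicts with parsed timestamps, in time order."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = parse_time(row["time"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def _check_duration(findings, tag, start, end, suffix):
    """Compare the time a bypass has been in against its APPLY max_min."""
    if not start["max_min"]:
        findings.append((tag, "bypass applied without a maximum duration"))
        return
    limit_min = int(start["max_min"])
    elapsed_min = int((end - start["time"]).total_seconds() // 60)
    if timedelta(minutes=elapsed_min) > timedelta(minutes=limit_min):
        findings.append((tag, f"in bypass {elapsed_min} min{suffix}, "
                              f"limit {limit_min} min"))


def audit_bypasses(text, now):
    """Walk the log in time order and return sorted (tag, finding) pairs:
    an APPLY without a permit, a bypass held past its maximum duration,
    a bypass still active at 'now', or a REMOVE with no matching APPLY."""
    findings = []
    active = {}   # tag -> the APPLY row that opened the bypass
    for row in parse_log(text):
        tag = row["tag"]
        if row["action"] == "APPLY":
            if not row["permit"]:
                findings.append((tag, "bypass applied without authorization"))
            active[tag] = row
        elif row["action"] == "REMOVE":
            start = active.pop(tag, None)
            if start is None:
                findings.append((tag, "removal logged without prior apply"))
                continue
            _check_duration(findings, tag, start, row["time"], "")
        else:
            findings.append((tag, f"unknown action {row['action']!r}"))
    # Anything not removed by 'now' is still in bypass (see also 15.2.8).
    for tag, start in active.items():
        findings.append((tag, "bypass still active"))
        _check_duration(findings, tag, start, now, " so far")
    return sorted(findings)


if __name__ == "__main__":
    for tag, finding in audit_bypasses(BYPASS_LOG, parse_time("2024-03-04 13:00")):
        print(f"{tag}: {finding}")
```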

16.2.8 Maintenance personnel shall be trained as required to sustain full functional performance of the SIS (hardware and software) to meet the target SIL of each SIF.

16.2.9 Discrepancies between expected behaviour and actual behaviour of the SIS shall be analysed and, where necessary, modifications made such that the required safety is maintained. This shall include monitoring the following:
• the demand rate on each SIF (see 5.2.5.3);
• the actions taken following a demand on the system;
• the failures and failure modes of equipment forming part of the SIS, including those identified during normal operation, inspection, testing or demand on a SIF;
• the cause of the demands;
• the cause and frequency of spurious trips;
• the failure of equipment forming part of any compensating measures.
16.2.10 The operation and maintenance procedures may require revision, if necessary, following:
• functional safety audits;
• tests on the SIS;
• experience from normal or abnormal operation and maintenance events.
16.2.11 Written proof-test procedures shall be developed for every SIF to reveal dangerous failures undetected by diagnostics. These written test procedures shall describe every step that is to be performed and shall include:
• the correct operation of each sensor and final element;
• correct logic action;
• correct alarms and indications.
NOTE The following methods can be used to determine the undetected failures that need to be tested:
– examination of fault trees;
– failure mode and effect analysis;
– reliability centred maintenance.

16.2.12 SIS spare parts shall be identified and shall be made available to minimize the bypass duration due to unavailability of any replacement part for the SIS.

NOTE Replacements that are not in kind (like for like) can be managed as a modification to the SIS.

16.2.13 Persons responsible for operations and maintenance shall review the hazard and risk analysis, allocation and design to ensure the assumptions made are valid, e.g. assumptions on occupancy and corrosion protection.

16.3 Proof testing and inspection

16.3.1 Proof testing
16.3.1.1 Periodic proof tests shall be conducted using a written procedure to reveal undetected faults that prevent the SIS from operating in accordance with the SRS.

NOTE 1 Particular attention can be paid to identifying failure causes that may lead to common cause failures.

NOTE 2 Functional test procedures can also emphasize the need to avoid introducing common cause failures.
Th e en ti re SI S shal l be tested i nclu din g th e sensor(s) , the l og ic solver and th e fi n al
1 6. 3. 1 . 2

elem en t(s) (e. g . , shu tdown val ves and m otors) .

N OTE Testi n g of th e SI S can be perform ed ei th er en d -to-en d or i n seg m en ts (see 1 1 . 8. 1 ) .

1 6. 3. 1 . 3 Th e sch edu le for the proof tests sh al l be accordin g to th e SRS. The frequ ency of
proof tests for a SI F sh all be determ in ed throug h PFD avg or PFH calcu l ati on in accordance
wi th 1 1 . 9 for th e SI S as instal led i n the operati ng en vironm ent.

NOTE Di fferen t parts of th e SI S can req u i re di fferen t test i n terval s, for exam pl e, th e l og i c sol ver can requi re a
di fferen t test i nterval th an th e sen sors or fi nal el em en ts.

1 6. 3. 1 . 4An y deficiencies foun d durin g th e proof testing sh al l be repaired in a safe and


tim el y m an n er. A proof test shall be repeated after the repair is com pleted.

At som e peri odic in terval (determ in ed by th e user) , th e frequ ency of testin g shall be
1 6. 3. 1 . 5

re-eval uated based on various factors i nclu din g h istorical test data, plant experience an d
hardware degradati on .

NOTE Th e user can ad j u st th e test frequ en cy based on th i s data and an an al ysi s of th e ori g i nal basi s for test
freq uen cy.

An y ch an g e to the appl ication program requ ires fu ll val i dation an d a proof test of
1 6. 3. 1 . 6

an y SI F im pacted by th e chan ge. Exceptions to th is are allowed if appropriate revi ew an d


partial testin g of ch an g es are carried ou t to ensure th e ch an g es were desig n ed per th e
updated safety requ irem en ts and correctl y im pl em ented .

1 6. 3. 1 . 7Su itabl e m an agem en t procedu res sh al l be appl ied to review deferrals an d prevent
si gn ificant delay to proof testin g .

16.3.2 Inspection

Each SIS shall be periodically visually inspected to ensure there are no unauthorized modifications and no observable deterioration (e.g., missing bolts or instrument covers, rusted brackets, open wires, broken conduits, broken heat tracing, and missing insulation).

NOTE These problems could indicate an increase in the frequency of faults.

16.3.3 Documentation of proof tests and inspection

The user shall maintain records that certify that proof tests and inspections were completed as required. These records shall include the following information as a minimum:
a) description of the tests and inspections performed including identification of the test procedure used;
b) dates of the tests and inspections;
c) name of the person(s) who performed the tests and inspections;
d) serial number or other unique identifier of the system tested (e.g., loop number, tag number, equipment number, and SIF number);
e) results of the tests and inspection including the "as-found" condition, all faults found (including the failure mode) and the "as-left" condition.
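The following is an added example, not text or a method from IEC 61511-1, showing how the minimum record content of 16.3.3 and the re-evaluation of test frequency from historical test data in 16.3.1.5 can be turned into two checks a plant engineer actually runs. The record layout, the SIF and tag names and the test history are constructed for the example. The interval check assumes the simplified single-channel approximation PFDavg ≈ λDU × TI / 2, which this page does not state; the reliability model of the real SIF (see IEC 61508-6 and ISO/TR 12489 in the bibliography) must be used in practice.

```python
"""Added example, not text from IEC 61511-1.

Two checks over proof-test records:
  * record_gaps():        which 16.3.3 minimum fields a record lacks;
  * reevaluate_interval(): use the as-found history (16.3.1.5) to test
                           whether the current proof-test interval still
                           meets a PFDavg target.

ASSUMPTION: the interval check uses the simplified single-channel (1oo1)
approximation PFDavg ~= lambda_DU * TI / 2.  That formula is not on this
page; use the reliability model of the actual SIF in practice.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# a) to e) of 16.3.3, mapped to record attributes
MINIMUM_FIELDS = {
    "procedure": "a) test/inspection description and procedure id",
    "test_date": "b) date",
    "tester":    "c) person(s) performing the test",
    "sif_id":    "d) unique identifier (SIF/loop/tag number)",
    "as_found":  "e) as-found condition",
    "as_left":   "e) as-left condition",
}


@dataclass(frozen=True)
class ProofTestRecord:
    procedure: str
    test_date: Optional[date]
    tester: str
    sif_id: str
    as_found: str          # "pass" or "fail"
    faults: tuple = ()     # ((component, failure_mode), ...) when as_found == "fail"
    as_left: str = ""


def record_gaps(rec: ProofTestRecord) -> list:
    """Names of 16.3.3 minimum fields that are empty; the fault list is
    only mandatory when the as-found condition is a failure."""
    gaps = [f for f in MINIMUM_FIELDS if not getattr(rec, f)]
    if rec.as_found == "fail" and not rec.faults:
        gaps.append("faults")
    return gaps


def dangerous_failure_rate(records, sif_id: str) -> Optional[float]:
    """Point estimate of lambda_DU [1/h] for one SIF: as-found failures
    divided by the hours of exposure between successive proof tests.
    Returns None when there is no exposure or no observed failure (a zero
    estimate would wrongly justify any interval).  With few tests the
    estimate is crude; apply confidence limits (IEC 60605-4) before acting."""
    hist = sorted((r for r in records if r.sif_id == sif_id), key=lambda r: r.test_date)
    hours = 0.0
    failures = 0
    for prev, cur in zip(hist, hist[1:]):
        hours += (cur.test_date - prev.test_date).days * 24
        if cur.as_found == "fail":
            failures += 1
    if hours == 0 or failures == 0:
        return None
    return failures / hours


def reevaluate_interval(records, sif_id: str, current_interval_h: float, pfd_target: float) -> dict:
    """Compare the current proof-test interval with the longest interval the
    observed lambda_DU allows under the assumed 1oo1 approximation."""
    lam = dangerous_failure_rate(records, sif_id)
    if lam is None:
        return {"sif": sif_id, "lambda_du": None, "max_interval_h": None,
                "verdict": "no dangerous failures observed; retain design basis, review evidence"}
    max_interval_h = 2.0 * pfd_target / lam
    ok = current_interval_h <= max_interval_h
    return {"sif": sif_id, "lambda_du": lam, "max_interval_h": max_interval_h,
            "verdict": "interval acceptable" if ok else "shorten interval or improve device"}


# Constructed sample history (not real plant data): annual tests of SIF-101,
# one dangerous failure found as-found in 2021, repaired and re-tested as
# 16.3.1.4 requires (as-left pass); SIF-102 has never failed a proof test.
RECORDS = (
    ProofTestRecord("PT-101 rev 3", date(2019, 1, 1), "A. Tester", "SIF-101", "pass", (), "pass"),
    ProofTestRecord("PT-101 rev 3", date(2020, 1, 1), "A. Tester", "SIF-101", "pass", (), "pass"),
    ProofTestRecord("PT-101 rev 4", date(2021, 1, 1), "B. Tester", "SIF-101", "fail",
                    (("XV-101", "fail to close"),), "pass"),
    ProofTestRecord("PT-101 rev 4", date(2022, 1, 1), "B. Tester", "SIF-101", "pass", (), "pass"),
    ProofTestRecord("PT-101 rev 4", date(2023, 1, 1), "B. Tester", "SIF-101", "pass", (), "pass"),
    ProofTestRecord("PT-102 rev 1", date(2021, 1, 1), "A. Tester", "SIF-102", "pass", (), "pass"),
    ProofTestRecord("PT-102 rev 1", date(2022, 1, 1), "A. Tester", "SIF-102", "pass", (), "pass"),
)

if __name__ == "__main__":
    for r in RECORDS:
        assert not record_gaps(r), (r.sif_id, record_gaps(r))
    # 12-month interval (8 760 h) against a target PFDavg of 1E-1
    print(reevaluate_interval(RECORDS, "SIF-101", 8760, 1e-1))
    print(reevaluate_interval(RECORDS, "SIF-102", 8760, 1e-1))
```

For SIF-101 the four years of exposure (35 064 h) with one as-found dangerous failure give λDU ≈ 2.9E-5 /h and a maximum interval of about 7 013 h, so the 12-month interval is not supported by the evidence and the note under 16.3.1.5 applies: the test frequency, or the device, has to change. For SIF-102 the function deliberately refuses to report a rate from zero failures, because "never seen it fail" is not the same as a demonstrated failure rate.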

IEC 61511-1:2016+AMD1:2017 CSV – 77 –
© IEC 2017

17 SIS modification

17.1 Objectives

The objectives of the requirements of Clause 17 are:
• that modifications to any SIS are properly planned, reviewed, approved and documented prior to making the change;
• to ensure that the required safety integrity of the SIS is maintained despite any changes made to the SIS.

NOTE Modifications to the BPCS, other equipment, process or operating conditions can be reviewed to determine whether they are such that the nature or frequency of demands on the SIS will be affected. Those having an adverse effect can be considered further to determine whether the level of risk reduction will still be sufficient.

17.2 Requirements

17.2.1 Prior to carrying out any modification to a SIS, procedures for authorizing and controlling changes shall be in place.

17.2.2 The procedures shall include a clear method of identifying and requesting the work to be done and the hazards that may be affected.

17.2.3 Prior to carrying out any modification to a SIS (including the application program) an analysis shall be carried out to determine the impact on functional safety as a result of the proposed modification. When the analysis shows that the proposed modification could impact safety then there shall be a return to the first phase of the SIS safety life-cycle affected by the modification.

17.2.4 Safety planning for the modification and re-verification shall be available. Modifications and re-verifications shall be carried out in accordance with the planning.

17.2.5 All documentation affected by the modification shall be updated.

17.2.6 Modification activity shall not begin until a FSA is completed in accordance with 5.2.6.1.9 and after proper authorisation.

17.2.7 Appropriate information shall be maintained for all changes to the SIS. The information shall include:
• a description of the modification or change;
• the reason for the change;
• identified hazards and SIFs which may be affected;
• an analysis of the impact of the modification activity on the SIS;
• all approvals required for the changes;
• tests used to verify that the change was properly implemented and the SIS performs as required;
• details of all SIS modification activities (e.g., a modification log);
• appropriate configuration history;
• tests used to verify that the change has not adversely impacted parts of the SIS which were not modified.
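The impact analysis that 16.3.1.6 and 17.2.3 call for, and the two kinds of test evidence listed in 17.2.7 (tests of the change itself, and tests showing unmodified parts were not adversely affected), as an added example that is not part of the standard. The dependency model is an assumption of the example: each SIF is implemented by one top-level application-program unit, and units use other units such as library function blocks and shared tag tables. All unit and SIF names are constructed.

```python
"""Added example, not text from IEC 61511-1.

Change-impact analysis for an application-program modification, as
16.3.1.6 and 17.2.3 require, producing the two groups of SIFs that the
17.2.7 record must show test evidence for: SIFs impacted by the change
(full validation and proof test) and SIFs not modified (regression
evidence that they were not adversely affected).

ASSUMPTION (dependency model): each SIF is implemented by one top-level
program unit, and units use other units (library function blocks, shared
tag tables).  All names below are constructed.
"""


def reachable_units(unit: str, uses: dict) -> set:
    """All units the given unit depends on, transitively (including itself)."""
    seen = set()
    stack = [unit]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(uses.get(u, ()))
    return seen


def impact_analysis(sif_units: dict, uses: dict, changed: set) -> dict:
    """Classify every SIF against the set of changed program units.

    sif_units: {sif_id: top-level unit implementing the SIF}
    uses:      {unit: iterable of units it depends on}
    changed:   units touched by the modification
    Returns sorted lists:
      impacted   - SIFs that depend on a changed unit (16.3.1.6: full
                   validation and proof test of the SIF)
      unaffected - SIFs with no dependency on the change (17.2.7: regression
                   evidence that they were not adversely impacted)
      unresolved - changed units absent from the dependency model; the
                   analysis cannot clear them, so 'complete' is False and the
                   gap must be closed before the change is approved
    """
    known = set(uses) | {d for deps in uses.values() for d in deps} | set(sif_units.values())
    impacted, unaffected = [], []
    for sif, top in sif_units.items():
        if reachable_units(top, uses) & changed:
            impacted.append(sif)
        else:
            unaffected.append(sif)
    unresolved = sorted(changed - known)
    return {
        "impacted": sorted(impacted),
        "unaffected": sorted(unaffected),
        "unresolved": unresolved,
        "complete": not unresolved,
    }


# Constructed dependency model: two SIFs share a 2oo3 voting block, which
# itself uses a discrepancy-alarm block; SIF-102 and SIF-103 share a tag table.
USES = {
    "SIF101_LOGIC": {"FB_VOTE_2oo3", "TAGS_UNIT1"},
    "SIF102_LOGIC": {"FB_VOTE_2oo3", "TAGS_UNIT2"},
    "SIF103_LOGIC": {"FB_TIMER", "TAGS_UNIT2"},
    "FB_VOTE_2oo3": {"FB_DISCREPANCY"},
}
SIF_UNITS = {"SIF-101": "SIF101_LOGIC", "SIF-102": "SIF102_LOGIC", "SIF-103": "SIF103_LOGIC"}

if __name__ == "__main__":
    # A fix inside the discrepancy block reaches SIF-101 and SIF-102 through the shared voter.
    print(impact_analysis(SIF_UNITS, USES, {"FB_DISCREPANCY"}))
    # A unit nobody has modelled: the analysis must not silently clear it.
    print(impact_analysis(SIF_UNITS, USES, {"FB_NEW_FILTER"}))
```

The point of the transitive walk is the shared library block: a one-line change in `FB_DISCREPANCY` never mentions SIF-101 or SIF-102, yet both need the full validation and proof test of 16.3.1.6, while SIF-103 needs the "not adversely impacted" evidence of 17.2.7. A changed unit that the model does not know about leaves `complete` False, which is the condition under which the analysis must not be used to authorize the change.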
17.2.8 Modification shall be performed with qualified personnel who have been properly trained. All affected and appropriate personnel should be notified of the change and trained with regard to the change.

18 SIS decommissioning

18.1 Objectives

The objectives of the requirements of Clause 18 are to ensure that:
• prior to decommissioning any SIS from active service, a proper review is conducted and required authorization is obtained;
• the required SIF(s) remain operational during decommissioning activities.

18.2 Requirements

18.2.1 Prior to carrying out any decommissioning of part or all of a SIS or SIF, procedures for authorizing and controlling changes shall be in place.

18.2.2 The procedures shall include a clear method of identifying and requesting the work to be done and identifying the hazards that may be affected.

18.2.3 An analysis shall be carried out on the impact on functional safety as a result of the proposed decommissioning activity. The assessment shall include an update of the H&RA sufficient to determine the scope of impact to the SIS safety life cycle. The subsequent SIS safety life-cycle phases shall need to be re-evaluated. The assessment shall also consider:
• functional safety during the execution of the decommissioning activities;
• the impact of decommissioning the SIS on adjacent operating units and facility services.

18.2.4 The results of the impact analysis shall be used during safety planning to re-implement the relevant requirements of the IEC 61511 series including re-verification and re-validation.

18.2.5 Decommissioning activities shall not begin without proper documentation and authorization.

19 Information and documentation requirements

19.1 Objectives

The objectives of the requirements of Clause 19 are to ensure that the necessary information is available and documented in order that:
• all phases of the SIS safety life-cycle can be effectively performed;
• verification, validation and FSA activities can be effectively performed.

19.2 Requirements

19.2.1 The documentation required by the IEC 61511 series shall be available to personnel implementing the requirements of the IEC 61511 series.

19.2.2 The documentation shall:
• describe the installation, system or equipment and the use of it;
• be accurate and up to date;
• be easy to understand;
• suit the purpose for which it is intended;
• be available in an accessible, maintainable and editable form, so that appropriate and relevant documents can be readily and accurately identified, located, retrieved and revised.

NOTE Further details of the requirements for information are included in Clause 14 and Clause 15.

19.2.3 The documentation shall have unique identities so it shall be possible to reference the different parts.
19.2.4 The documentation shall have designations indicating the type of information.

19.2.5 The documentation shall be traceable to the functional and integrity requirements arising from this standard, including the H&RA.

19.2.6 The documentation shall have a revision index (for example, version numbers) to make it possible to identify different versions of the information.

19.2.7 The documentation shall be structured to make it possible to search for relevant information. It shall be possible to identify the latest revision (version) of a document.

NOTE The physical structure of the documentation can vary depending upon a number of factors such as the size of the system, its complexity and the organizational requirements.

19.2.8 All relevant documentation shall be revised, amended, reviewed, approved and shall be under the control of an appropriate information control scheme.

19.2.9 Current documentation pertaining to the following shall be maintained:
a) the results of the H&RA and the related assumptions;
b) the equipment used for SIF together with its safety requirements;
c) the organization responsible for maintaining functional safety;
d) the procedures necessary to achieve and maintain functional safety of the SIS;
e) the modification information as defined in 17.2.5;
f) the safety manual(s);
g) design, implementation, test and validation.

NOTE Further details of the requirements for information are included in 12.4.2, Clauses 14 and 15 and in 16.3.3.
Bibliography

IEC 60050 (all parts), International Electrotechnical Vocabulary (available at <http://www.electropedia.org/>)

ISO/IEC Guide 51:2014, Safety aspects – Guidelines for their inclusion in standards

IEC 60300-3-2:2004, Dependability management – Part 3-2: Application guide – Collection of dependability data from the field

IEC 60605-4:2001, Equipment reliability testing – Part 4: Statistical procedures for exponential distribution – Point estimates, confidence intervals, prediction intervals and tolerance intervals

IEC 60617-12:1997, Graphical symbols for diagrams – Part 12: Binary logic elements [1]

IEC TS 61000-1-2:2008, Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena

IEC 61025, Fault tree analysis (FTA)

IEC 61131-3:2013, Programmable controllers – Part 3: Programming languages

IEC 61131-6:2012, Programmable controllers – Part 6: Functional safety

IEC 61506:1997, Industrial-process measurement and control – Documentation of application software

IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations

IEC 61508-6:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

IEC 61511-2:2016, Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1:2016

IEC 61511-3:2016, Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels

IEC 61784-3:2010, Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definitions

IEC 62443-2-1:2010, Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

IEC 62682:2014, Management of alarms for the process industry

ISO/IEC 2382:2006, Information technology – Vocabulary

ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

___________
[1] Withdrawn.
ISO/IEC 90003:2014, Software engineering – Part 3: Guidelines for the application of ISO 9001:2000 to computer software

ISO 2382-1:1993, Information technology – Vocabulary – Part 1: Fundamental terms

ISO 9000:2005, Quality management systems – Fundamentals and vocabulary

ISO 9001:2008, Quality management systems – Requirements

ISO/TR 12489:2013, Petroleum, petrochemical and natural gas industries – Reliability modelling and calculation of safety systems

ISO 13849-1:2006, Safety of machinery – Safety related parts of control systems – Part 1: General principles for design

ISO 13849-2:2012, Safety of machinery – Safety related parts of control systems – Part 2: Validation

ISO 14224:2006, Petroleum, petrochemical and natural gas industries – Collection and exchange of reliability and maintenance data for equipment

ISA TR 84.00.04 Part 1:2015, Guidelines on the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511)

ISA TR 84.00.09:2013, Security Countermeasures Related to Safety Instrumented Systems (SIS)
IEC 61511-1
Edition 2.1 2017-08

FINAL VERSION

Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and application programming requirements

IEC 61511-1:2016-02+AMD1:2017-08 CSV(en)
CONTENTS

FOREWORD ..... 5
INTRODUCTION ..... 7
1 Scope ..... 9
2 Normative references ..... 12
3 Terms, definitions and abbreviations ..... 13
  3.1 Terms ..... 13
  3.2 Terms and definitions ..... 13
  3.3 Abbreviations ..... 31
4 Conformance to the IEC 61511-1:2016 ..... 32
5 Management of functional safety ..... 32
  5.1 Objective ..... 32
  5.2 Requirements ..... 33
    5.2.1 General ..... 33
    5.2.2 Organization and resources ..... 33
    5.2.3 Risk evaluation and risk management ..... 33
    5.2.4 Safety planning ..... 33
    5.2.5 Implementing and monitoring ..... 34
    5.2.6 Assessment, auditing and revisions ..... 34
    5.2.7 SIS configuration management ..... 37
6 Safety life-cycle requirements ..... 37
  6.1 Objectives ..... 37
  6.2 Requirements ..... 38
  6.3 Application program SIS safety life-cycle requirements ..... 40
7 Verification ..... 43
  7.1 Objective ..... 43
  7.2 Requirements ..... 43
8 Process H&RA ..... 45
  8.1 Objectives ..... 45
  8.2 Requirements ..... 45
9 Allocation of safety functions to protection layers ..... 46
  9.1 Objectives ..... 46
  9.2 Requirements of the allocation process ..... 46
  9.3 Requirements on the basic process control system as a protection layer ..... 49
  9.4 Requirements for preventing common cause, common mode and dependent failures ..... 50
10 SIS safety requirements specification (SRS) ..... 50
  10.1 Objective ..... 50
  10.2 General requirements ..... 50
  10.3 SIS safety requirements ..... 51
11 SIS design and engineering ..... 53
  11.1 Objective ..... 53
  11.2 General requirements ..... 53
  11.3 Requirements for system behaviour on detection of a fault ..... 54
  11.4 Hardware fault tolerance ..... 55
  11.5 Requirements for selection of devices ..... 56
    11.5.1 Objectives ..... 56
    11.5.2 General requirements ..... 56
    11.5.3 Requirements for the selection of devices based on prior use ..... 56
    11.5.4 Requirements for selection of FPL programmable devices (e.g., field devices) based on prior use ..... 57
    11.5.5 Requirements for selection of LVL programmable devices based on prior use ..... 58
    11.5.6 Requirements for selection of FVL programmable devices ..... 59
  11.6 Field devices ..... 59
  11.7 Interfaces ..... 59
    11.7.1 General ..... 59
    11.7.2 Operator interface requirements ..... 59
    11.7.3 Maintenance/engineering interface requirements ..... 60
    11.7.4 Communication interface requirements ..... 60
  11.8 Maintenance or testing design requirements ..... 61
  11.9 Quantification of random failure ..... 61
12 SIS application program development ..... 63
  12.1 Objective ..... 63
  12.2 General requirements ..... 63
  12.3 Application program design ..... 64
  12.4 Application program implementation ..... 65
  12.5 Requirements for application program verification (review and testing) ..... 66
  12.6 Requirements for application program methodology and tools ..... 67
13 Factory acceptance test (FAT) ..... 68
  13.1 Objective ..... 68
  13.2 Recommendations ..... 68
14 SIS installation and commissioning ..... 69
  14.1 Objectives ..... 69
  14.2 Requirements ..... 69
15 SIS safety validation ..... 70
  15.1 Objective ..... 70
  15.2 Requirements ..... 70
16 SIS operation and maintenance ..... 73
  16.1 Objectives ..... 73
  16.2 Requirements ..... 73
  16.3 Proof testing and inspection ..... 75
    16.3.1 Proof testing ..... 75
    16.3.2 Inspection ..... 76
    16.3.3 Documentation of proof tests and inspection ..... 76
17 SIS modification ..... 76
  17.1 Objectives ..... 76
  17.2 Requirements ..... 77
18 SIS decommissioning ..... 77
  18.1 Objectives ..... 77
  18.2 Requirements ..... 78
19 Information and documentation requirements ..... 78
  19.1 Objectives ..... 78
  19.2 Requirements ..... 78
Bibliography ...... 80

Figure 1 – Overall framework of the IEC 61511 series ...... 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 ...... 10
Figure 3 – Detailed relationship between IEC 61511 and IEC 61508 ...... 11
Figure 4 – Relationship between safety instrumented functions and other functions ...... 12
Figure 5 – Programmable electronic system (PES): structure and terminology ...... 24
Figure 6 – Example of SIS architectures comprising three SIS subsystems ...... 26
Figure 7 – SIS safety life-cycle phases and FSA stages ...... 38
Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle ...... 41
Figure 9 – Typical protection layers and risk reduction means ...... 49

Table 1 – Abbreviations used in IEC 61511 ...... 31
Table 2 – SIS safety life-cycle overview (1 of 2) ...... 39
Table 3 – Application program safety life-cycle: overview (1 of 2) ...... 42
Table 4 – Safety integrity requirements: PFDavg ...... 47
Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF ...... 47
Table 6 – Minimum HFT requirements according to SIL ...... 55
INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and application programming requirements
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

DISCLAIMER
This Consolidated version is not an official IEC Standard and has been prepared for user convenience. Only the current versions of the standard and its amendment(s) are to be considered the official documents.

This Consolidated version of IEC 61511-1 bears the edition number 2.1. It consists of the second edition (2016-02) [documents 65A/777/FDIS and 65A/784/RVD], its corrigendum 1 (2016-09) and its amendment 1 (2017-08) [documents 65A/844/FDIS and 65A/848/RVD]. The technical content is identical to the base edition and its amendment. This Final version does not show where the technical content is modified by amendment 1. A separate Redline version with all changes highlighted is available in this publication.
International Standard IEC 61511-1 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement, control and automation.

This second edition cancels and replaces the first edition published in 2003. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition:
• references and requirements to software replaced with references and requirements to application programming;
• functional safety assessment requirements provided with more detail to improve management of functional safety;
• management of change requirement added;
• security risk assessment requirements added;
• requirements expanded on the basic process control system as a protection layer;
• requirements for hardware fault tolerance modified and should be reviewed carefully to understand user/integrator options.

The text of this standard is based on the following documents:

FDIS              Report on voting
65A/777/FDIS      65A/784/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

A list of all parts in the IEC 61511 series, published under the general title Functional safety – Safety instrumented systems for the process industry sector, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
Safety instrumented systems (SISs) have been used for many years to perform safety instrumented functions (SIFs) in the process industries. If instrumentation is to be effectively used for SIFs, it is essential that this instrumentation achieves certain minimum standards and performance levels.

The IEC 61511 series addresses the application of SISs for the process industries. The IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be carried out to enable the specification for SISs to be derived. Other safety systems' contributions are only considered with respect to the performance requirements for the SIS. The SIS includes all devices necessary to carry out each SIF from sensor(s) to final element(s).

The IEC 61511 series has two concepts which are fundamental to its application: SIS safety life-cycle and safety integrity levels (SILs).

The IEC 61511 series addresses SISs which are based on the use of electrical/electronic/programmable electronic technology. Where other technologies are used for logic solvers, the basic principles of the IEC 61511 series should be applied to ensure the functional safety requirements are met. The IEC 61511 series also addresses the SIS sensors and final elements regardless of the technology used. The IEC 61511 series is process industry specific within the framework of the IEC 61508 series.

The IEC 61511 series sets out an approach for SIS safety life-cycle activities to achieve these minimum principles. This approach has been adopted in order that a rational and consistent technical policy is used.

In most situations, safety is best achieved by an inherently safe process design. However, in some instances this is not possible or not practical. If necessary, this may be combined with a protective system or systems to address any residual identified risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic, pneumatic, electrical, electronic, and programmable electronic). To facilitate this approach, the IEC 61511 series:
• addresses that a H&RA is carried out to identify the overall safety requirements;
• addresses that an allocation of the safety requirements to the SIS is carried out;
• works within a framework which is applicable to all instrumented means of achieving functional safety;
• details the use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety.
The IEC 61511 series on SIS for the process industry:
• addresses all SIS safety life-cycle phases from initial concept, design, implementation, operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with the IEC 61511 series.
The IEC 61511 series is intended to lead to a high level of consistency (e.g., of underlying principles, terminology, and information) within the process industries. This should have both safety and economic benefits. Figure 1 below shows an overall framework of the IEC 61511 series.

In jurisdictions where the governing authorities (e.g., national, federal, state, province, county, city) have established process safety design, process safety management, or other regulations, these take precedence over the requirements defined in the IEC 61511 series.

[Figure 1 (flowchart, not reproduced). Technical requirements, all in Part 1: Clause 8, development of the overall safety requirements (concept, scope definition, hazard and risk assessment); Clauses 9 and 10, allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification; Clause 11, design phase for safety instrumented systems; Clause 12, design phase for SIS application programming; Clauses 13, 14 and 15, factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems; Clauses 16, 17 and 18, operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems. Support parts: Part 1 Clause 2, references; Part 1 Clause 3, definitions and abbreviations; Part 1 Clause 4, conformance; Part 1 Clause 5, management of functional safety; Part 1 Clause 6, safety life-cycle requirements; Part 1 Clause 7, verification; Part 1 Clause 19, information requirements; Part 2, guideline for the application of part 1; Part 3, guidance for the determination of the required safety integrity levels.]

Figure 1 – Overall framework of the IEC 61511 series


FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and application programming requirements

1 Scope

This part of IEC 61511 gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIS), so that it can be confidently entrusted to achieve or maintain a safe state of the process. IEC 61511-1 has been developed as a process sector implementation of IEC 61508:2010.

In particular, IEC 61511-1:
a) specifies the requirements for achieving functional safety but does not specify who is responsible for implementing the requirements (e.g., designers, suppliers, owner/operating company, contractor). This responsibility will be assigned to different parties according to safety planning, project planning and management, and national regulations;
b) applies when devices that meet the requirements of the IEC 61508 series published in 2010, or IEC 61511-1:2016 [11.5], are integrated into an overall system that is to be used for a process sector application. It does not apply to manufacturers wishing to claim that devices are suitable for use in SISs for the process sector (see IEC 61508-2:2010 and IEC 61508-3:2010);
c) defines the relationship between IEC 61511 and IEC 61508 (see Figures 2 and 3);
d) applies when application programs are developed for systems having limited variability language or when using fixed programming language devices, but does not apply to manufacturers, SIS designers, integrators and users that develop embedded software (system software) or use full variability languages (see IEC 61508-3:2010);
e) applies to a wide variety of industries within the process sector, for example, chemicals, oil and gas, pulp and paper, pharmaceuticals, food and beverage, and non-nuclear power generation;
NOTE 1 Within the process sector some applications may have additional requirements that have to be satisfied.
f) outlines the relationship between SIFs and other instrumented functions (see Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements for the SIF taking into account the risk reduction achieved by other methods;
h) specifies life-cycle requirements for system architecture and hardware configuration, application programming, and system integration;
i) specifies requirements for application programming for users and integrators of SISs;
j) applies when functional safety is achieved using one or more SIFs for the protection of personnel, protection of the general public or protection of the environment;
k) may be applied in non-safety applications, for example asset protection;
l) defines requirements for implementing SIFs as a part of the overall arrangements for achieving functional safety;
m) uses a SIS safety life-cycle (see Figure 7) and defines a list of activities which are necessary to determine the functional requirements and the safety integrity requirements for the SIS;
n) specifies that a H&RA is to be carried out to define the safety functional requirements and safety integrity levels (SIL) of each SIF;
NOTE 2 Figure 9 presents an overview of risk reduction means.
o) establishes numerical targets for average probability of failure on demand (in demand mode) and average frequency of dangerous failures (in demand mode or continuous mode) for each SIL;
p) specifies minimum requirements for hardware fault tolerance (HFT);
q) specifies measures and techniques required for achieving the specified SIL;
r) defines a maximum level of functional safety performance (SIL 4) which can be achieved for a SIF implemented according to IEC 61511-1;
s) defines a minimum level of functional safety performance (SIL 1) below which IEC 61511-1 does not apply;
t) provides a framework for establishing the SIL but does not specify the SIL required for specific applications (which should be established based on knowledge of the particular application and on the overall targeted risk reduction);
u) specifies requirements for all parts of the SIS from sensor to final element(s);
v) defines the information that is needed during the SIS safety life-cycle;
w) specifies that the design of the SIS takes into account human factors;
x) does not place any direct requirements on the individual operator or maintenance person.

[Figure 2 (diagram, not reproduced): process sector safety instrumented system standards. Manufacturers and suppliers of devices follow IEC 61508; safety instrumented systems designers, integrators and users follow IEC 61511.]

Figure 2 – Relationship between IEC 61511 and IEC 61508

NOTE 3 IEC 61508 is also used by safety instrumented designers, integrators and users where directed in IEC 61511.
[Figure 3 (diagram, not reproduced): process sector safety instrumented system standards, divided into process sector hardware and process sector software and application program. Developing new hardware devices: follow IEC 61508. Using prior use hardware devices: follow IEC 61511. Using hardware developed and assessed according to IEC 61508: follow IEC 61511. Developing embedded (system) software: follow IEC 61508-3. Developing application program using full variability languages: follow IEC 61508-3. Developing application program using limited variability or fixed program languages: follow IEC 61511.]

Figure 3 – Detailed relationship between IEC 61511 and IEC 61508

NOTE 4 Subclause 7.2.2 in IEC 61511-1:2016 and A.7.2.2 in IEC 61511-2:2016 contain guidance on handling integration of sub-systems that comply with other standards (such as machinery, burner, etc.).

[Figure 4 (flowchart, not reproduced). Start: is this an instrumented function? If no: is it a safety function? If no, not relevant; if yes, other means of risk reduction. If yes: is it a safety instrumented function? If no, other instrumented means of risk reduction; if yes: continuous or demand mode? Continuous mode SIF or demand mode SIF. Legend: standard specifies activities which are to be carried out but requirements are not detailed.]

Figure 4 – Relationship between safety instrumented functions and other functions

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 61508-1:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General Requirements

IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
3 Terms, definitions and abbreviations
3.1 Terms
Terms are listed alphabetically in 3.2.

3.2 Terms and definitions

For the purposes of this document, the following definitions apply.

In some cases these definitions differ from the definitions of the same terms in IEC 61508-4:2010. In some cases this is due to the terminology used in the process sector. In other cases these definitions have been aligned with other relevant definitive references (e.g., IEC 60050 the International Electrotechnical Vocabulary, ISO/IEC Guide 51:2013). However, unless otherwise stated, there is no difference in the technical meaning between these definitions and the definitions of the same terms in IEC 61508-4:2010.

3.2.1
architecture
configuration
specific configuration of hardware and software components in a system

Note 1 to entry: In the IEC 61511 series this can mean, for example, arrangement of SIS subsystems, the internal structure of a SIS subsystem or the internal structure of SIS application programs.

3.2.2
asset protection
function allocated to a system and designed for the purpose of preventing loss or damage to assets

3.2.3
basic process control system
BPCS
system which responds to input signals from the process, its associated equipment, other programmable systems and/or operators and generates output signals causing the process and its associated equipment to operate in the desired manner but which does not perform any SIF

Note 1 to entry: A BPCS includes all of the devices necessary to ensure that the process operates in the desired manner.

Note 2 to entry: A BPCS typically may implement various functions such as process control functions, monitoring, and alarms.

3.2.4
bypass
action or facility to prevent all or parts of the SIS functionality from being executed

Note 1 to entry: Examples of bypassing include:
– the input signal is blocked from the trip logic while still presenting the input parameters and alarm to the operator;
– the output signal from the trip logic to a final element is held in the normal state preventing final element operation;
– a physical bypass line is provided around the final element;
– preselected input state (e.g., on/off input) or set is forced by means of an engineering tool (e.g., in the application program).

Note 2 to entry: Other terms are also used to refer to bypassing, such as override, defeat, disable, force, or inhibit or muting.

3.2.5
channel
device or group of devices that independently perform(s) a specified function
Note 1 to entry: The devices within a channel could include input/output (I/O) devices, logic solvers, sensors, and final elements.

Note 2 to entry: A dual channel (i.e., a two-channel) configuration is one with two channels that independently perform the same function. Channels may be identical or diverse.

Note 3 to entry: The term can be used to describe a complete system or a portion of a system (e.g., sensors or final elements).

Note 4 to entry: Channel describes SIS hardware architectural features often used to meet hardware fault tolerance requirements.

3.2.6
common cause

3.2.6.1
common cause failures, pl
concurrent failures of different devices, resulting from a single event, where these failures are not consequences of each other

Note 1 to entry: All the failures due to a common cause do not necessarily occur exactly at the same time and this may allow time to detect the occurrence of the common cause before a SIF is actually failed.

Note 2 to entry: Common cause failures can also lead to common mode failures.

Note 3 to entry: The potential for common cause failures reduces the effect of system redundancy or fault tolerance (e.g., increases the probability of failure of two or more channels in a multiple channel system).

Note 4 to entry: Common cause failures are dependent failures. They may be due to external events (e.g., temperature, humidity, overvoltage, fire, and corrosion), systematic fault (e.g., design, assembly or installation errors, bugs), human error (e.g., misuse), etc.

Note 5 to entry: By extension, a common cause failure (in singular form) is a failure belonging to a set of concurrent failures (plural form) according to 3.2.6.1 definition.

3.2.6.2
common mode failures, pl
concurrent failures of different devices characterized by the same failure mode (i.e., identical faults)

Note 1 to entry: Common mode failures may have different causes.

Note 2 to entry: Common mode failures can also be the result of common cause failures (3.2.6.1).

Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy and fault tolerance (e.g., failure of two or more channels in the same way, causing the same erroneous result).

Note 4 to entry: By extension, a common mode failure (in singular form) is a failure belonging to a set of concurrent failures (plural form) according to 3.2.6.2 definition.

3.2.7
compensating measure
temporary implementation of planned and documented methods for managing risks during any period of maintenance or process operation when it is known that the performance of the SIS is degraded

3.2.8
component
one of the parts of a system, SIS subsystem, or device performing a specified function

Note 1 to entry: Component may also include software.


3.2.9
configuration management
discipline of identifying the components and the arrangements of those components of an evolving system for the purposes of controlling changes to those components, and maintaining continuity of the system and traceability of any changes throughout the life-cycle

3.2.9.1
conservative approach
cautious way of doing analysis and calculations

Note 1 to entry: In the safety field, each time an analysis, assumptions, or calculation has to be done (about models, input data, computations, etc.) it can be chosen in order to be sure to produce pessimistic results.

3.2.10
control system
system which responds to input signals from the process and/or from an operator and generates output signals causing the process to operate in the desired manner

Note 1 to entry: The control system includes sensors and final elements and may be either a BPCS or a SIS or a combination of the two.

3.2.11
dangerous failure
failure which impedes or disables a given safety action

Note 1 to entry: A failure is "dangerous" only with regard to a given SIF.

Note 2 to entry: When fault tolerance is implemented, a dangerous failure can lead to either:
– a degraded SIF where the safety action is available but there is either a higher PFD or a PFH, or
– a disabled SIF where the safety action is completely disabled or the hazardous event has been induced.

Note 3 to entry: When no fault tolerance is implemented, all dangerous failures lead to a disabled SIF.

3.2.12
dependent failure
failure whose probability cannot be expressed as the simple product of the unconditional probabilities of the individual events which caused it

Note 1 to entry: Two events A and B are dependent if the probability of occurrence of A and B, P(A and B), is greater than P(A) × P(B).

Note 2 to entry: See 9.4.2 and IEC 61511-3:2016, Annex J for consideration of dependent failures between protection layers.

Note 3 to entry: Dependent failures include common cause.

3.2.13
detected
revealed
overt
relating to hardware and software failures or faults which are not hidden because they announce themselves or are discovered through normal operation or through dedicated detection methods

Note 1 to entry: There are some differences in the use of these terms:
– Overt is used for failures or faults which announce themselves when they occur (e.g., due to the change of state). The repair of such failures can begin as soon as they have occurred.
– Detected is used for failures or faults which do not announce themselves when they occur and which remain hidden until detected by some means (e.g., diagnostic tests, proof tests, operator intervention like physical inspection and manual tests). The repair of such failures can begin only after they have been revealed. See Note 2 for the specific use of this term in IEC 61511.
– Revealed is used for failures or faults that become evident due to being overt or as a result of being detected.
Note 2 to entry: In IEC 61511 and except when the context suggests another meaning, the term dangerous detected failures/faults is related to dangerous failures detected by diagnostic tests.

Note 3 to entry: When the detection is very fast (e.g., by diagnostic tests) then the detected failures or faults can be considered to be overt failures or faults.

When the detection is not very fast (e.g., by proof tests) the detected failures or faults cannot be considered to be overt failures or faults when addressing safety integrity levels.

Note 4 to entry: A dangerous revealed failure can only be treated as a safe failure if effective measures, automatic or manual, are taken in a short enough time to maintain process safety.

3.2.14
device
hardware, with or without software, capable of performing a specified function

Note 1 to entry: Examples are sensors, logic solvers, final elements, operator interfaces, and field wiring.

3.2.14.1
field device
SIS or BPCS device connected directly to the process or located in close proximity to the process

Note 1 to entry: Examples are sensors, final elements and manual switches.

3.2.15
diagnostics
frequent (in relation to the process safety time) automatic test to reveal faults

3.2.15.1
diagnostic coverage
DC
fraction of dangerous failure rates detected by diagnostics. Diagnostic coverage does not include any faults detected by proof tests

Note 1 to entry: Diagnostic coverage is typically applied to SIS devices or SIS subsystems. E.g., the diagnostic coverage is typically determined for a sensor, final element or a logic solver.

Note 2 to entry: For safety applications the diagnostic coverage is typically applied to dangerous failures of SIS devices or SIS subsystems. For example, the diagnostic coverage for the dangerous failures of a device is DC = λDD / λDT, where λDD is the dangerous detected failure rate and λDT is the total dangerous failure rate. For a SIS subsystem with internal redundancy, DC is time dependent: DC(t) = λDD(t) / λDT(t).

Note 3 to entry: When the diagnostic coverage (DC) and the total dangerous failure rate (λDT) are given, the detected (λDD) and undetected dangerous failures (λDU) can be computed as follows:

λDD = DC × λDT and λDU = (1 − DC) × λDT.
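The following is an added worked example, not text or code from IEC 61511, showing how the relations in Notes 2 and 3 to entry 3.2.15.1 are applied to a failure mode table. It goes one step beyond the entry by computing DC from a list of individual failure modes rather than from two given rates, and it makes the caveat in the definition explicit: a dangerous failure mode that is revealed only by a proof test stays in λDU and contributes nothing to DC. The FailureMode layout, the field names and all rate values are constructed assumptions for illustration; they are not taken from the standard or from any real device.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed example (not from IEC 61511): a small FMEDA-style failure mode
# table for one hypothetical final element. Rates are failures per hour.


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate: float          # failure rate for this mode, per hour (constructed value)
    dangerous: bool      # True = dangerous failure mode, False = safe failure mode
    detected_by: str     # "diagnostic", "proof_test" or "none"


def dangerous_rates(modes: Iterable[FailureMode]) -> Tuple[float, float, float]:
    """Return (lambda_DT, lambda_DD, lambda_DU).

    lambda_DT: total dangerous failure rate, the sum over all dangerous modes.
    lambda_DD: dangerous failure rate revealed by diagnostics only.
    lambda_DU: the remainder. A mode found only by a proof test is hidden until
    that test, so it belongs to lambda_DU, not lambda_DD (definition 3.2.15.1).
    """
    lam_dt = 0.0
    lam_dd = 0.0
    for m in modes:
        if not m.dangerous:
            continue                      # safe failure modes do not enter DC at all
        lam_dt += m.rate
        if m.detected_by == "diagnostic":
            lam_dd += m.rate
    return lam_dt, lam_dd, lam_dt - lam_dd


def diagnostic_coverage(modes: Iterable[FailureMode]) -> float:
    """DC = lambda_DD / lambda_DT, the ratio given in Note 2 to entry 3.2.15.1."""
    lam_dt, lam_dd, _ = dangerous_rates(list(modes))
    if lam_dt == 0.0:
        raise ValueError("no dangerous failure modes: DC is undefined")
    return lam_dd / lam_dt


def split_dangerous_rate(dc: float, lam_dt: float) -> Tuple[float, float]:
    """The direction used in Note 3: given DC and lambda_DT, return
    (lambda_DD, lambda_DU) = (DC x lambda_DT, (1 - DC) x lambda_DT)."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must lie between 0 and 1")
    if lam_dt < 0.0:
        raise ValueError("a failure rate cannot be negative")
    return dc * lam_dt, (1.0 - dc) * lam_dt


# Constructed sample table for a hypothetical shutdown valve (values assumed).
SAMPLE_MODES: List[FailureMode] = [
    FailureMode("fails to close on demand (stuck)", 2.0e-7, True, "none"),
    FailureMode("position feedback lost", 3.0e-7, True, "diagnostic"),
    FailureMode("stroke time beyond limit", 1.0e-7, True, "proof_test"),
    FailureMode("spurious closure", 4.0e-7, False, "diagnostic"),
]

if __name__ == "__main__":
    lam_dt, lam_dd, lam_du = dangerous_rates(SAMPLE_MODES)
    dc = diagnostic_coverage(SAMPLE_MODES)
    print(f"lambda_DT={lam_dt:.2e}/h  lambda_DD={lam_dd:.2e}/h  "
          f"lambda_DU={lam_du:.2e}/h  DC={dc:.2f}")
    print("split of 1.0e-6/h at DC=0.9 ->", split_dangerous_rate(0.9, 1.0e-6))
```

With the constructed table the three dangerous modes sum to λDT = 6.0e-7/h, only the diagnostically revealed mode counts towards λDD = 3.0e-7/h, and DC = 0.5; the proof-test-only mode is the reason λDU is larger than a reader might expect from the diagnostic claims alone.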

3.2.16
diversity
different means of performing a required function

Note 1 to entry: Diversity may be achieved by different physical means, different programming techniques, or different design approaches.

3.2.17
error
discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition

[SOURCE: IEC 60050-192:2015, 192-03-02]

3.2.18
failure
loss of ability to perform as required
Note 1 to entry: A failure of a device is an event that results in a fault state of that device.

Note 2 to entry: When the loss of ability is caused by a latent fault, the failure occurs when a particular set of circumstances is encountered.

Note 3 to entry: Performance of required functions necessarily excludes certain behaviour, and some functions may be specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.

Note 4 to entry: Failures are either random or systematic (see 3.2.59 and 3.2.81).

[SOURCE: IEC 60050-192:2015, 192-03-01, modified – Notes to entry have been changed]

3.2.18.1
failure mode
manner in which failure occurs

Note 1 to entry: A failure mode may be defined by the function lost or the state transition that occurred.

[SOURCE: IEC 60050-192:2015, 192-03-17]

3.2.19
fault
inability to perform as required, due to an internal state

Note 1 to entry: A fault of an item results from a failure, either of the item itself, or from a deficiency in an earlier stage of the life-cycle, such as specification, design, manufacture or maintenance.

Note 2 to entry: A fault of a device results in a failure when a particular set of circumstances is encountered.

[SOURCE: IEC 60050-192:2015, 192-04-01, modified – Some notes to entry have been changed, others have been deleted]

3.2.20
fault avoidance
use of techniques and procedures which aim to avoid the introduction of faults during any phase of the SIS safety life-cycle

3.2.20.1
fault exclusion
elimination from further consideration of faults due to improbable failure modes

Note 1 to entry: Further information about fault exclusion can be found in ISO 13849-1 and ISO 13849-2. According to those standards, fault exclusion can be based on
– the technical improbability of occurrence of some faults;
– generally accepted technical experience, independent of the considered application;
– technical requirements related to the application and the specific hazard.

Note 2 to entry: Failure modes, identified in the devices performing the safety function, can be excluded because their related dangerous failure rate(s) are very low compared to the target failure measure for the safety function under consideration. That is, the sum of the dangerous failure rates of all serial devices on which fault exclusion is being claimed generally cannot exceed 1 % of the target failure measure.

3.2.21
fault tolerance
ability of a functional item to continue to perform a required function in the presence of faults or errors

3.2.22
final element
part of the BPCS or SIS that implements the physical action necessary to achieve or maintain a safe state
Note 1 to entry: Examples are valves, switchgear, and motors, including their auxiliary elements (such as the solenoid valve and actuator used to operate a valve).

3.2.23
functional safety
part of the overall safety relating to the process and the BPCS which depends on the correct functioning of the SIS and other protection layers

3.2.24
functional safety assessment
FSA
investigation, based on evidence, to judge the functional safety achieved by one or more SIS and/or other protection layers

3.2.25
functional safety audit
systematic and independent examination to determine whether the procedures specific to the functional safety requirements comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives

Note 1 to entry: A functional safety audit may be carried out as part of a FSA.

3.2.26
hardware safety integrity
part of the safety integrity of the SIS relating to random hardware failures in a dangerous mode of failure

Note 1 to entry: The two failure measures that are relevant in this context are the average frequency of dangerous failure and the average probability of failure on demand.

Note 2 to entry: See 3.2.82.

Note 3 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.27
harm
injury or damage to the health of people, or damage to property or to the environment

[SOURCE: ISO/IEC Guide 51:2014, 3.1]

3.2.27.1
harmful event
hazardous event which has caused harm

Note 1 to entry: Whether or not a hazardous event results in harm depends on whether people, property, or the environment are exposed to the hazardous situation and, in the case of harm to people, whether any such exposed people can escape the consequences of the event after it has occurred. A hazardous event which has caused harm is termed a harmful event.

3.2.28
hazard
potential source of harm

Note 1 to entry: The term includes danger to persons arising within a short time scale (e.g., fire and explosion) and also those that have a long-term effect on a person's health (e.g., release of a toxic substance or radioactivity).

[SOURCE: ISO/IEC Guide 51:2014, 3.2, modified – Note 1 to entry has been added]

3.2.28.1
hazardous event
event that can cause harm
Note 1 to entry: Whether or not a hazardous event results in harm depends on whether people, property or the environment are exposed to the hazardous situation and, in the case of harm to people, whether any such exposed people can escape the consequences of the event after it has occurred.

[SOURCE: ISO/IEC Guide 51:2014, 3.3, modified – see Note 1]

3.2.28.2
hazardous situation
circumstance in which people, property or the environment are exposed to one or more hazards

[SOURCE: ISO/IEC Guide 51:2014, 3.4]

3.2.29
human error
intended or unintended human action or inaction that produces an inappropriate result

Note 1 to entry: Mistakes, slips, and lapses are examples of human errors.

Note 2 to entry: This excludes malicious action.

3.2.30
impact analysis
activity of determining the effect that a change to a function or component will have on other functions or components in the system as well as in other systems

3.2.31
independent organization
organization that is separate and distinct, by management and other resources, from the organizations responsible for the activities that take place during the specific phase of the SIS safety life-cycle that is subject to the FSA or validation

3.2.32
independent person
person who is separate and distinct from the activities which take place during the specific phase of the SIS safety life-cycle that is subject to the FSA or validation and does not have direct responsibility for those activities

3.2.33
input function
function which monitors the process and its associated equipment in order to provide input information for the logic solver

Note 1 to entry: An input function could be a manual function.

3.2.34
instrument
apparatus used in performing an action (typically found in instrumented systems)

3.2.34.1
instrumented system
system composed of sensors (e.g., pressure, flow, temperature transmitters), logic solvers (e.g., programmable controllers, distributed control systems, discrete controllers), and final elements (e.g., control valves, motor control circuits)

Note 1 to entry: Instrumented systems perform instrumented functions including control, monitoring, alarm and protective functions. Instrumented systems can be SIS (see 3.2.67) or BPCS (see 3.2.3).

3.2.35
logic function
function which performs the transformations between input information (provided by one or more input functions) and output information (used by one or more output functions)
Note 1 to entry: Logic functions provide the transformation from one or more input functions to one or more output functions.

Note 2 to entry: For further guidance, see IEC 61131-3:2012 and IEC 60617-12:1997.

3.2.36
logic solver
part of either a BPCS or SIS that performs one or more logic function(s)

Note 1 to entry: In IEC 61511 the following terms for logic solvers are used:

– electrical logic systems for electro-mechanical technology;
– electronic logic systems for electronic technology;
– PE logic system for programmable electronic systems.

Note 2 to entry: Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, and hydraulic systems. Sensors and final elements are not part of the logic solver.

3.2.36.1
safety configured PE logic solver
general purpose industrial grade PE logic solver which is specifically configured for use in safety applications

Note 1 to entry: Further guidance can be found in 11.5.

3.2.37
maintenance/engineering interface
hardware and software provided to allow proper SIS maintenance or modification

Note 1 to entry: Maintenance/engineering interface can include instructions and diagnostics which may be found in software, programming terminals with appropriate communication protocols, diagnostic tools, indicators, bypass devices, test devices, and calibration devices.

3.2.37.1
mean repair time
MRT
expected overall repair time

Note 1 to entry: MRT encompasses the times (b), (c) and (d) of the times for MTTR (see 3.2.37.2).

3.2.37.2
mean time to restoration
MTTR
expected time to achieve restoration

Note 1 to entry: MTTR encompasses:

– the time to detect the failure (a);
– the time spent before starting the repair (b);
– the effective time to repair (c);
– the time before the component is put back into operation (d).

The start time for (b) is the end of (a); the start time for (c) is the end of (b); the start time for (d) is the end of (c).

3.2.37.3
maximum permitted repair time
MPRT
maximum duration allowed to repair a fault after it has been detected

Note 1 to entry: The MRT may be used as MPRT but the MPRT may be defined without regard to the MRT:
– A MPRT smaller than the MRT can be chosen to decrease the probability of a hazardous event.
– A MPRT greater than the MRT can be chosen if the probability of a hazardous event can be relaxed.
Note 2 to entry: When a MPRT has been defined it can be used in place of the MRT for calculating the probability of random hardware failures.
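The following is an added example, not part of IEC 61511, that applies the time decomposition of entries 3.2.37.1 to 3.2.37.3 to maintenance records: each record is split into the intervals (a) to (d) exactly as Note 1 to entry 3.2.37.2 chains them, MTTR is the mean of (a)+(b)+(c)+(d), MRT is the mean of (b)+(c)+(d), and a record whose repair ran longer than the MPRT after detection is flagged. The RepairRecord layout, the tag names and every timestamp are constructed for illustration and are not taken from the standard or from any real plant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed example (not from IEC 61511): repair records with the five
# timestamps that bound the intervals (a), (b), (c), (d) of entry 3.2.37.2.


@dataclass(frozen=True)
class RepairRecord:
    tag: str
    failed: datetime           # failure occurs: start of (a)
    detected: datetime         # failure detected: end of (a), start of (b)
    repair_started: datetime   # end of (b), start of (c)
    repair_finished: datetime  # end of (c), start of (d)
    restored: datetime         # component back in operation: end of (d)

    def durations(self) -> Dict[str, timedelta]:
        """Split the cycle into the four MTTR components; each interval starts
        where the previous one ends, so the timestamps must be monotonic."""
        parts = {
            "a": self.detected - self.failed,
            "b": self.repair_started - self.detected,
            "c": self.repair_finished - self.repair_started,
            "d": self.restored - self.repair_finished,
        }
        for name, t in parts.items():
            if t < timedelta(0):
                raise ValueError(f"{self.tag}: timestamps for ({name}) are out of order")
        return parts

    def repair_time(self) -> timedelta:
        """(b) + (c) + (d): the quantity MRT averages and MPRT limits (3.2.37.1, 3.2.37.3)."""
        p = self.durations()
        return p["b"] + p["c"] + p["d"]

    def restoration_time(self) -> timedelta:
        """(a) + (b) + (c) + (d): the quantity MTTR averages (3.2.37.2)."""
        return self.durations()["a"] + self.repair_time()


def _mean_hours(times: Iterable[timedelta]) -> float:
    times = list(times)
    if not times:
        raise ValueError("no repair records")
    return sum(t.total_seconds() for t in times) / len(times) / 3600.0


def mttr_hours(records: Iterable[RepairRecord]) -> float:
    return _mean_hours(r.restoration_time() for r in records)


def mrt_hours(records: Iterable[RepairRecord]) -> float:
    return _mean_hours(r.repair_time() for r in records)


def over_mprt(records: Iterable[RepairRecord], mprt_hours: float) -> List[str]:
    """Tags of records whose repair, counted from detection, exceeded the MPRT."""
    limit = timedelta(hours=mprt_hours)
    return [r.tag for r in records if r.repair_time() > limit]


# Constructed sample data: two repair cycles of a hypothetical transmitter.
SAMPLE_RECORDS: List[RepairRecord] = [
    RepairRecord("R1", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 8, 30),
                 datetime(2024, 1, 10, 9, 30), datetime(2024, 1, 10, 12, 30),
                 datetime(2024, 1, 10, 13, 30)),   # a=0.5 h, b=1 h, c=3 h, d=1 h
    RepairRecord("R2", datetime(2024, 2, 3, 20, 0), datetime(2024, 2, 4, 6, 0),
                 datetime(2024, 2, 4, 8, 0), datetime(2024, 2, 4, 14, 0),
                 datetime(2024, 2, 4, 15, 0)),     # a=10 h, b=2 h, c=6 h, d=1 h
]

if __name__ == "__main__":
    print(f"MTTR = {mttr_hours(SAMPLE_RECORDS):.2f} h")
    print(f"MRT  = {mrt_hours(SAMPLE_RECORDS):.2f} h")
    print("records over an 8 h MPRT:", over_mprt(SAMPLE_RECORDS, 8.0))
```

On the constructed records the detection interval (a) dominates the second cycle, which is why MTTR (12.25 h) is well above MRT (7 h): the MPRT check deliberately ignores (a), since the clock for a permitted repair only starts once the fault has been detected.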

3.2.38
mitigation
action that reduces the consequence(s) of a hazardous event

Note 1 to entry: Examples include emergency depressurization or closing ventilation dampers on detection of confirmed fire or gas leak, or initiation of deluge on confirmed fire detection.

3.2.39
mode of operation (of a SIF)
way in which a SIF operates which may be either low demand mode, high demand mode or continuous mode

a) low demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is no greater than one per year.
b) high demand mode: mode of operation where the SIF is only performed on demand, in order to transfer the process into a specified safe state, and where the frequency of demands is greater than one per year.
c) continuous mode: mode of operation where the SIF retains the process in a safe state as part of normal operation.

3.2.39.1
demand mode SIF
SIF operating in low demand mode (3.2.39 a)) or high demand mode (3.2.39 b))

Note 1 to entry: In the event of a dangerous failure of the SIF, a hazardous event can only occur
– if the failure is undetected and a demand occurs before the next proof test;
– if the failure is detected by the diagnostic tests but the related process and its associated equipment has not been moved to a safe state before a demand occurs.

Note 2 to entry: In high demand mode, it will normally be appropriate to use the continuous mode criteria.

Note 3 to entry: The safety integrity levels for SIF operating in demand mode are defined in Tables 4 and 5.

3.2.39.2
continuous mode SIF
SIF operating in continuous mode (3.2.39 c))

Note 1 to entry: In the event of a dangerous failure of the SIF a hazardous event will occur without further failure unless action is taken to prevent it within the process safety time.

Note 2 to entry: Continuous mode covers those SIF which implement continuous control to maintain functional safety.

Note 3 to entry: The safety integrity levels for SIF operating in continuous mode are defined in Table 5.

3.2.40
module
self-contained part of a SIS application program (can be internal to a program or a set of programs) that performs a specified function (e.g., final element start/stop/test sequence, an application specific sequence within a SIF)

Note 1 to entry: In the context of IEC 61131-3:2012, a software module is a function or function block.

Note 2 to entry: Most modules have repetitive usage within an application program.

3.2.41
MooN
SIS, or part thereof, made up of “N” independent channels, which are so connected that “M” channels are sufficient to perform the SIF
3.2.42
necessary risk reduction
risk reduction to be achieved by the SIS(s) and/or other protection layers to ensure that the tolerable risk is not exceeded

3.2.43
non-programmable system
(NP) system
system based on non-computer technologies (i.e., a system not based on programmable electronics [PE] or software)

Note 1 to entry: Examples would include hard-wired electrical or electronic systems, mechanical, hydraulic, or pneumatic systems.

3.2.44
operating environment
conditions inherent to the installation of a device that potentially affect its functionality and safety integrity, such as:
• external environment, e.g., winterization needs, hazardous area classification;
• process operating conditions, e.g., extremes in temperature, pressure, vibration;
• process composition, e.g., solids, salts, or corrosives;
• process interfaces;
• integration within the overall plant maintenance and operating management systems;
• communication through-put, e.g., electro-magnetic interference; and
• utility quality, e.g., electrical power, air, hydraulics.

Note 1 to entry: Some process applications may have special operating environment requirements necessary to survive a major accident event. For example some equipment requires special enclosures, purging, or fire protection.

3.2.45
operating mode
process operating mode
any planned state of process operation, including modes such as start-up after emergency shutdown, normal start-up, operation, and shutdown, temporary operations, and emergency operation and shutdown

3.2.46
operator interface
means by which information is communicated between a human operator and the SIS (e.g., display interfaces, indicating lights, push-buttons, horns, alarms)

Note 1 to entry: The operator interface is sometimes referred to as the human-machine interface (HMI).

3.2.47
output function
function which controls the process and its associated equipment according to output information from the logic function

3.2.48
performance
accomplishment of a given action or task measured against the specification and the IEC 61511 series

3.2.49
phase
period within the SIS safety life-cycle where activities described in the IEC 61511 series take place
3.2.50
prevention
action that reduces the likelihood of occurrence of a hazardous event

3.2.51
prior use
documented assessment by a user that a device is suitable for use in a SIS and can meet the required functional and safety integrity requirements, based on previous operating experience in similar operating environments

Note 1 to entry: To qualify a SIS device on the basis of prior use, the user can document that the device has achieved satisfactory performance in a similar operating environment. Understanding how the equipment behaves in the operating environment is necessary to achieve a high degree of certainty that the planned design, inspection, testing, maintenance, and operational practices are sufficient.

Note 2 to entry: Proven in use is based on the manufacturer's design basis (e.g., temperature limit, vibration limit, corrosion limit, desired maintenance support) for his device. Prior use deals with the device's installed performance within a process sector application in a specific operating environment which is often different from the manufacturer's design basis.

3.2.52
process risk
risk arising from the process conditions caused by abnormal events (including BPCS malfunction)

Note 1 to entry: The risk in this context is that associated with the specific hazardous event in which SIS are to be used to provide the necessary risk reduction (i.e., the risk associated with functional safety).

Note 2 to entry: Process risk analysis is described in IEC 61511-3:2016. The main purpose of determining the process risk is to establish a reference point for the risk without taking into account the protection layers.

Note 3 to entry: Assessment of this risk can include associated human factor issues.

Note 4 to entry: This term equates to "EUC risk" in IEC 61508-4:2010.

3.2.52.1
process safety time
time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the SIF is not performed

Note 1 to entry: This is a property of the process only. The SIF has to detect the failure and complete its action soon enough to prevent the hazardous event, taking into account any process lag (e.g., cooling of a vessel).

3.2.53
programmable electronics
PE
item based on computer technology which may be comprised of hardware, software, and of input and/or output units

Note 1 to entry: This term covers micro-electronic devices based on one or more central processing units (CPU) together with associated memories. Examples of process sector programmable electronics include:
– smart sensors and final elements;
– programmable electronic logic solvers including:
  – programmable controllers;
  – programmable logic controllers;
  – loop controllers.

3.2.54
programmable electronic system
PES
system for control, protection or monitoring based on one or more programmable electronic devices, including all devices of the system such as power supplies, sensors and other input
devices, data highways and other communication paths, actuators and other output devices (see Figure 5)

[Figure 5 is not reproduced here. Recoverable labels: "Extent of PES" enclosing, from left to right, input interfaces (e.g., A-D converters), programmable electronics (PE) (see note), communications, and output interfaces (e.g., D-A converters); outside it, input devices (e.g., sensors) on the input side and output devices/final elements (e.g., actuators) on the output side. Panel title: "Basic PES structure".]

NOTE The programmable electronics are shown centrally located but could exist at several places in the PES.

Figure 5 – Programmable electronic system (PES): structure and terminology

3.2.55
programming
coding
process of designing, writing and testing a set of instructions for solving a problem or processing data

Note 1 to entry: In the IEC 61511 series, programming is typically associated with PE.

3.2.56
proof test
periodic test performed to detect dangerous hidden faults in a SIS so that, if necessary, a repair can restore the system to an ‘as new’ condition or as close as practical to this condition

3.2.57
protection layer
any independent mechanism that reduces risk by control, prevention or mitigation

Note 1 to entry: It can be a process engineering mechanism such as the size of vessels containing hazardous chemicals, a mechanical mechanism such as a relief valve, a SIS or an administrative procedure such as an emergency plan against an imminent hazard. These responses may be automated or initiated by human actions (see Figure 9).

3.2.58
quality
totality of characteristics of an entity that bear on its ability to satisfy stated and implied needs

Note 1 to entry: See ISO 9000 for more details.

3.2.59
random hardware failure
failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware
Note 1 to entry: There are many degradation mechanisms occurring at different rates in different components and since manufacturing tolerances cause components to fail due to these mechanisms after different times in operation, failures of a total equipment comprising many components occur at predictable rates but at unpredictable (i.e., random) times.

Note 2 to entry: Two major differences distinguish the random hardware failures and the systematic failures:
– a random hardware failure involves only the system itself while a systematic failure involves both the system itself (a fault) and a particular condition (see 3.2.81). Then a random hardware failure is characterized by a single reliability parameter (i.e., the failure rate) while a systematic failure is characterized by two reliability parameters (i.e., the probability of the pre-existing fault and the hazard rate of the particular condition).
– a systematic failure can be eliminated after being detected while random hardware failures cannot.

This implies that the reliability parameters of random hardware failures can be estimated from field feedback while it is very difficult to do the same for systematic failures. A qualitative approach is preferred for systematic failures.

[SOURCE: IEC 61508-4:2010, 3.6.5, modified – The notes have been changed]

3.2.60
redundancy
the existence of more than one means for performing a required function or for representing information

Note 1 to entry: Examples are the use of duplicate devices and the addition of parity bits.

Note 2 to entry: Redundancy is used primarily to improve reliability or availability.

[SOURCE: IEC 61508-4:2010, 3.4.6]

3.2.61
risk
combination of the probability of occurrence of harm and the severity of that harm

Note 1 to entry: The probability of occurrence includes the exposure to a hazardous situation, the occurrence of a hazardous event, and the possibility to avoid or limit the harm.

[SOURCE: ISO/IEC Guide 51:2014, 3.8]

3.2.62
safe failure
failure which favours a given safety action

Note 1 to entry: A failure is "safe" only with regard to a given safety function.

Note 2 to entry: When fault tolerance is implemented, safe failure can lead to either:
– operation where the safety action is available but with a higher probability of success on demand or a lower likelihood to cause a hazardous event;
– a spurious operation where the safety action is initiated.

Note 3 to entry: When no fault tolerance is implemented, safe failures result in the initiation of the safety action regardless of the process condition. This is also known as a spurious trip.

Note 4 to entry: A spurious trip may be safe with regard to a given safety function but may be dangerous with regard to another safety function.

Note 5 to entry: Spurious trips may also have detrimental effects on the production availability of the process.

3.2.63
safe state
state of the process when safety is achieved

Note 1 to entry: Some states are safer than others and in going from a hazardous condition to the final safe state, or in going from the nominal safe condition to a hazardous condition, the process may have to go through a number of intermediate safe-states.

Note 2 to entry: For some situations, a safe state exists only so long as the process is continuously controlled. Such continuous control may be for a short or an indefinite period of time.
Note 3 to entry: A state which is safe with regard to a given safety function may increase the probability of a hazardous event with regard to another given safety function. In this case, the maximum allowable average spurious trip frequency (see 10.3.2) for the first function can consider the potential increased risk associated with the other function.

Note 4 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.64
safety
freedom from risk which is not tolerable

Note 1 to entry: According to ISO/IEC Guide 51 the terms "acceptable risk" and "tolerable risk" are considered to be synonymous.

[SOURCE: ISO/IEC Guide 51:2014, 3.14, modified – The note has been added]

3.2.65
safety function
function to be implemented by one or more protection layers, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event

3.2.66
safety instrumented function
SIF
safety function to be implemented by a safety instrumented system (SIS)

Note 1 to entry: A SIF is designed to achieve a required SIL which is determined in relationship with the other protection layers participating in the reduction of the same risk.

3.2.67
safety instrumented system
SIS
instrumented system used to implement one or more SIFs

Note 1 to entry: A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s) (e.g., see Figure 6). It also includes communication and ancillary equipment (e.g., cables, tubing, power supply, impulse lines, heat tracing).

Note 2 to entry: A SIS may include software.

Note 3 to entry: A SIS may include human action as part of a SIF (see ISA TR84.00.04:2015, part 1).

SIS architecture and safety


instrumented function Sensors Logic solver Final elements
example with different
devices shown NP NP NP
PE PE PE
PE
H/W S/W H/W S/W
H/W S/W

IEC

Figu re 6 – Example of SIS arch itectures compri sin g th ree SIS subsystems

3.2.68
safety integ rity
abi lity of the SI S to perform the requ ired SI F as and wh en requ ired
Note 1 to en try: Th i s d efi n i ti on i s equ i val en t to th e depen dabi l i ty of th e SI S wi th reg ard to th e requ i red SI F.
Depen dabi l i ty, bei n g often u n d erstood as an econ om i cal rath er th an a safety concept, has n ot been used to avoi d
con fu si on.
Note 2 to entry: Abi l i ty i n cl u des both th e fu ncti on al respon se (e. g . , cl osi n g a speci fi ed val ve wi th i n a speci fi ed
ti m e) and the l i kel i h ood th at th e SI S wi l l act as requ i red.
Note 3 to entry: In determining safety integrity, all causes of random hardware and systematic failures which lead to an unsafe state can be included (e.g., hardware failures, software induced failures and failures due to electrical interferences). Some of these types of failure, in particular random hardware failures, may be quantified using such measures as the average dangerous failure frequency or the probability of failure on demand. However, safety integrity also depends on many systematic factors, which cannot be accurately quantified and are often considered qualitatively throughout the life-cycle. The likelihood that systematic failures result in dangerous failure of the SIS is reduced through hardware fault tolerance (see 11.4) or other methods and techniques.

Note 4 to entry: Safety integrity comprises hardware safety integrity (see 3.2.26) and systematic safety integrity (see 3.2.82), but complex failures caused by the conjunction of both hardware and systematic interaction can also be considered.

3.2.69
safety integrity level
SIL
discrete level (one out of four) allocated to the SIF for specifying the safety integrity requirements to be achieved by the SIS

Note 1 to entry: The higher the SIL, the lower the expected PFDavg or the lower the average frequency of a dangerous failure causing a hazardous event.

Note 2 to entry: The relationship between the target failure measure and the SIL is specified in Tables 4 and 5.

Note 3 to entry: SIL 4 is related to the highest level of safety integrity; SIL 1 is related to the lowest.

Note 4 to entry: This definition differs from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.69.1
safety integrity requirements, pl
set of the IEC 61511 requirements which shall be satisfied by a SIS to claim a given SIL for a SIF implemented by this SIS

Note 1 to entry: The safety integrity requirements are strengthened when the related SIL increases.

3.2.70
SIS safety life-cycle
necessary activities involved in the implementation of SIF occurring during a period of time that starts at the concept phase of a project and finishes when all of the SIF are no longer available for use

Note 1 to entry: The term “functional safety life-cycle” is strictly more accurate, but the adjective “functional” is not considered necessary in this case within the context of the IEC 61511 series.

Note 2 to entry: The SIS safety life-cycle model used in IEC 61511 is shown in Figure 7.

3.2.71
safety manual
functional safety manual
information that defines how a SIS device, subsystem or system can be safely applied

Note 1 to entry: The safety manual may include inputs from the manufacturer as well as from the user.

Note 2 to entry: For IEC 61508 compliant devices, the manufacturer’s input is the safety manual.

Note 3 to entry: This could be a generic stand-alone document, or a collection of documents.

Note 4 to entry: This definition deviates from the definition in IEC 61508-4:2010 to reflect differences in process sector terminology.

3.2.72
safety requirements specification
SRS
specification containing the functional requirements for the SIFs and their associated safety integrity levels

[SOURCE: IEC 61508-4:2010, 3.5.11, modified – Aligned with IEC 61511 terminology]

3.2.73
sensor
part of the BPCS or SIS that measures or detects the process condition

Note 1 to entry: Examples are transmitters, transducers, process switches, and position switches.

3.2.74
software
programs, procedures, data, rules and any associated documentation pertaining to the operation of a data processing system

Note 1 to entry: Software is independent of the medium on which it is recorded.

Note 2 to entry: For examples of different types of software, see 3.2.75 and 3.2.76.

3.2.75
application programming languages

3.2.75.1
fixed program language
FPL
language in which the user is limited to adjustment of a few pre-defined and fixed set of parameters

Note 1 to entry: Typical examples of device applications with FPL are: smart sensor (e.g., pressure transmitter without control algorithms), smart final element (e.g., valve without control algorithms), sequence of events recorder, set points for dedicated smart alarm box. The use of FPL is often referred to as "configuration of the device".

3.2.75.2
limited variability language
LVL
programming language for commercial and industrial programmable electronic controllers with a range of capabilities limited to their application as defined by the associated safety manual. The notation of this language may be textual or graphical or have characteristics of both.

Note 1 to entry: This type of language is designed to be easily understood by process sector users, and provides the capability to combine predefined, application specific, library functions to implement the SRS. LVL provides a close functional correspondence with the functions required to achieve the application.

Note 2 to entry: IEC 61511 assumes that the constraints necessary to achieve the safety properties are achieved by the combination of the safety manual, the closeness of the language notations to the functions the application programmer needs to define the process control algorithms, and the compile time and run time checks which the logic solver provider embeds into the logic solver system program and the logic solver development environment. The constraints identified in the certification report and safety manual can ensure the relevant requirements of IEC 61508-3:2010 are satisfied.

Note 3 to entry: LVL is the most commonly used language when the IEC 61511 series refers to “application program”.

3.2.75.3
full variability language
FVL
language designed to be comprehensible to computer programmers and that provides the capability to implement a wide variety of functions and applications

Note 1 to entry: Typical examples of systems using FVL are general purpose computers.

Note 2 to entry: In the process sector, FVL is found in embedded software and rarely in application programming.

Note 3 to entry: FVL examples include: Ada, C, Pascal, Instruction List, assembler languages, C++, Java, SQL.
3.2.76
software & program types

3.2.76.1
application program
program specific to the user application containing, in general, logic sequences, permissives, limits and expressions that control the input, output, calculations, and decisions necessary to meet the SIS functional requirements

3.2.76.2
embedded software
software that is part of the system supplied by the manufacturer and is not accessible for modification by the end-user

Note 1 to entry: Embedded software is also referred to as firmware or system software. See 3.2.75.3 full variability language.

3.2.76.3
utility software
software tools for the creation, modification, and documentation of application programs

Note 1 to entry: These software tools are not required for the operation of the SIS.

3.2.77
application program life-cycle
activities occurring during a period of time that starts when the application program is conceived and ends when the application program is permanently disused

Note 1 to entry: An application program life-cycle typically includes a requirements phase, development phase, test phase, integration phase, installation phase and modification phase.

Note 2 to entry: Software, including application program, cannot be maintained; rather, it is modified.

3.2.78
SIS subsystem
independent part of a SIS whose disabling dangerous failure results in a disabling dangerous failure of the SIS

Note 1 to entry: Figure 6 illustrates a SIS made of three SIS subsystems.

Note 2 to entry: From the cut set approach point of view (see IEC 61025) a minimal cut set of a SIS subsystem is also a minimal cut set of the whole SIS. Therefore the SIFs implemented within a SIS are entirely dependent on the SIS subsystems of this SIS (i.e., when a SIS subsystem fails, the related SIFs also fail).
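
The cut set claim in Note 2, worked as an added Python example that is not part of the standard: the three subsystems of Figure 6 are modelled as MooN voting groups with constructed channel tags (PT-1, LS-A, XV-1 and so on), the minimal cut sets are enumerated for each subsystem and for the whole SIS, and the two results are compared. Channel failures are treated as independent; common cause failure (see 3.2.81, Note 5) is not modelled.

```python
from itertools import combinations

# Constructed example architecture (not from IEC 61511): the three subsystems
# of Figure 6, each an MooN voting group. An MooN group needs M of its N
# channels to call for the trip, so it fails dangerously once more than N - M
# channels have failed dangerously (2oo3 fails with 2 failures, 1oo2 with 2,
# 1oo1 with 1). Channel tags are constructed.
SIS = {
    "sensors":        {"channels": ("PT-1", "PT-2", "PT-3"), "m": 2, "n": 3},  # 2oo3
    "logic_solver":   {"channels": ("LS-A", "LS-B"),         "m": 1, "n": 2},  # 1oo2
    "final_elements": {"channels": ("XV-1",),                "m": 1, "n": 1},  # 1oo1
}


def subsystem_fails(subsystem, failed):
    """Dangerous failure of one MooN group given the set of failed channels."""
    failed_here = [c for c in subsystem["channels"] if c in failed]
    return len(failed_here) > subsystem["n"] - subsystem["m"]


def sis_fails(sis, failed):
    """Subsystems are in series (3.2.78): any subsystem failure disables the SIF."""
    return any(subsystem_fails(s, failed) for s in sis.values())


def minimal_cut_sets(components, fails):
    """Enumerate minimal cut sets by brute force, smallest sets first.

    A cut set is a set of failed components for which fails() is true; it is
    minimal if no proper subset is itself a cut set. Candidates are generated
    in order of size, so any candidate containing an already recorded minimal
    cut set is a non-minimal superset and is skipped. Brute force is fine for
    the handful of channels in a SIS subsystem; a fault tree tool (IEC 61025)
    is the general method.
    """
    components = tuple(components)
    minimal = []
    for size in range(1, len(components) + 1):
        for candidate in combinations(components, size):
            cand = frozenset(candidate)
            if any(mcs <= cand for mcs in minimal):
                continue
            if fails(cand):
                minimal.append(cand)
    return set(minimal)


def subsystem_cut_sets(sis, name):
    sub = sis[name]
    return minimal_cut_sets(sub["channels"], lambda failed: subsystem_fails(sub, failed))


def sis_cut_sets(sis):
    all_channels = [c for s in sis.values() for c in s["channels"]]
    return minimal_cut_sets(all_channels, lambda failed: sis_fails(sis, failed))


def note_2_holds(sis):
    """3.2.78 Note 2: every minimal cut set of a subsystem is a minimal cut set
    of the whole SIS. Returns True when that containment holds for all
    subsystems of the given SIS."""
    whole = sis_cut_sets(sis)
    per_subsystem = set().union(*(subsystem_cut_sets(sis, name) for name in sis))
    return per_subsystem <= whole


if __name__ == "__main__":
    for name in SIS:
        print(name, sorted(sorted(c) for c in subsystem_cut_sets(SIS, name)))
    print("SIS:", sorted(sorted(c) for c in sis_cut_sets(SIS)))
    print("Note 2 holds:", note_2_holds(SIS))
```

For series subsystems the SIS cut sets are exactly the union of the subsystem cut sets, which is why a single failed 1oo1 final element is as much a SIS cut set as a double sensor failure.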

3.2.79
system
set of devices, which interact according to a specification

Note 1 to entry: A person can be part of a system.

Note 2 to entry: This definition deviates from the definition in IEC 61508 to reflect differences in process sector terminology.

3.2.80
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of a device meets the requirements of the specified SIL, in respect of the specified safety function, when the device is applied in accordance with the instructions specified in the device safety manual

Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults in IEC 61508-2:2010 and IEC 61508-3:2010.
Note 2 to entry: The systematic failure mechanism depends on the nature of the device. For a device comprised solely of hardware, only hardware failure mechanisms are considered. For a device comprised of hardware and software, it is necessary to consider the interactions between hardware and software failure mechanisms.

Note 3 to entry: A systematic capability of SC N for a device means that the systematic safety integrity of SC N has been met when the device is applied in accordance with the instructions specified in the device safety manual for SC N.

3.2.81
systematic failure
failure related to a pre-existing fault, which consistently occurs under particular conditions, and which can only be eliminated by removing the fault by a modification of the design, manufacturing process, operating procedures, documentation or other relevant factors

Note 1 to entry: The cause of systematic failures of the software may be known as "bugs".

Note 2 to entry: Corrective maintenance without modification would usually not eliminate the failure cause which involves the failure under particular conditions.

Note 3 to entry: A systematic failure can be reproduced by deliberately applying the same conditions, although not all reproducible failures are systematic.

Note 4 to entry: Examples of faults leading to systematic failure include human error that originates in:
– the SRS;
– the design, manufacture, installation, operation or maintenance of the hardware;
– the design or implementation of software (including application program).

Note 5 to entry: Similar devices designed, installed, operated, implemented or maintained in the same way are likely to contain the same faults. Therefore they are subject to common cause failures when the particular conditions occur.

3.2.82
systematic safety integrity
part of the safety integrity of the SIS relating to systematic failures in a dangerous mode of failure

Note 1 to entry: Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity).

Note 2 to entry: See 3.2.26 also.

3.2.83
target failure measure
performance required from the SIF and specified in terms of either the average probability of failure to perform the SIF on demand for demand mode of operation or the average frequency of a dangerous failure for continuous mode of operation

Note 1 to entry: The relationship between the target failure measures and the SIL is given in Tables 4 and 5.

3.2.84
tolerable risk
level of risk which is accepted in a given context based on the current values of society

Note 1 to entry: See IEC 61511-3:2016, Annex A.

[SOURCE: ISO/IEC Guide 51:2014, 3.15]

3.2.85
undetected
unrevealed
covert
not detected or not revealed or not overt

Note 1 to entry: In IEC 61511 and except when the context suggests another meaning, the term “dangerous undetected failures/faults” is related to dangerous failures/faults not detected by diagnostic tests.
3.2.86
validation
confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled

Note 1 to entry: In the IEC 61511 series this means demonstrating that the SIF(s) and SIS after installation meet the SRS in all respects.

3.2.87
verification
confirmation by examination and provision of objective evidence that the requirements have been fulfilled

Note 1 to entry: In the IEC 61511 series this is the activity of demonstrating for each phase of the relevant SIS safety life-cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase.

Note 2 to entry: Example verification activities include:
– reviews on outputs (documents from all phases of the safety life-cycle) to ensure compliance with the objectives and requirements of the phase taking into account the specific inputs to that phase;
– design reviews;
– tests performed on the designed products to ensure that they perform according to their specification;
– integration tests performed where different parts of a system are put together in a step-by-step manner and by the performance of environmental tests to ensure that all the parts work together in the specified manner.

3.2.88
watchdog
combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of the programmable electronic (PE) device and taking action upon detection of an incorrect operation

Note 1 to entry: The watchdog confirms that the software system is operating correctly by the regular resetting of an external device (e.g., hardware electronic watchdog timer) by an output device controlled by the software.

Note 2 to entry: The watchdog can be used to de-energize a group of safety outputs when dangerous failures are detected in order to achieve or maintain a safe state of the process with respect to the hazardous event. The watchdog is used to increase the on-line diagnostic coverage of the PE logic solver (see 3.2.13 and 3.2.15).

3.3 Abbreviations
Abbreviations used throughout IEC 61511 are given in Table 1. Also included are some common abbreviations related to process sector functional safety.

Table 1 – Abbreviations used in IEC 61511

Abbreviation   Full expression
AC/DC          Alternating current/direct current
AIChE          American Institute of Chemical Engineers
ALARP          As low as reasonably practicable
ANSI           American National Standards Institute
AP             Application program
BPCS           Basic process control system
CCPS           Centre for Chemical Process Safety (AIChE)
DC             Diagnostic coverage
E/E/PE         Electrical/electronic/programmable electronic
EMC            Electro-magnetic compatibility
FAT            Factory acceptance test
FPL            Fixed program language
FSA            Functional safety assessment
FSMS           Functional safety management system
FTA            Fault tree analysis
FVL            Full variability language
HFT            Hardware fault tolerance
H&RA           Hazard & risk assessment
HMI            Human Machine Interface
IEC            International Electrotechnical Commission
ISA            International Society of Automation
ISO            International Organization for Standardization
LVL            Limited variability language
MooN           “M” out of “N” channel architecture
MPRT           Maximum permitted repair time
MRT            Mean repair time
MTTR           Mean time to restoration
NFPA           National Fire Protection Association (US)
NP             Non-programmable
OEM            Original Equipment Manufacturer
PE             Programmable electronics
PES            Programmable electronic system
PFD            Probability of dangerous failure on demand
PFDavg         Average probability of dangerous failure on demand
PFH            Probability (average frequency of dangerous failures) of failure per hour
pl             Plural
PLC            Programmable logic controller
SAT            Site acceptance test
SC             Systematic capability
SIF            Safety instrumented function
SIL            Safety integrity level
SIS            Safety instrumented system
SRS            Safety requirement specification

4 Conformance to the IEC 61511-1:2016

To conform to the IEC 61511-1:2016, it shall be shown that each of the requirements outlined in Clause 5 through Clause 19 has been satisfied to the defined criteria and therefore the clauses’ objectives have been met.

5 Management of functional safety

5.1 Objective
The objective of the requirements of Clause 5 is to identify the management activities that are necessary to ensure the functional safety objectives are met.

NOTE 1 Clause 5 is solely aimed at the achievement and maintenance of the functional safety of SIS and is separate and distinct from general health and safety measures necessary for the achievement of safety in the workplace.
5.2 Requirements
5.2.1 General
The policy and strategy for achieving functional safety shall be identified together with the methods for evaluating their achievement and shall be communicated within the organization.

5.2.2 Organization and resources

5.2.2.1 Persons, departments, organizations or other units which are responsible for carrying out and reviewing each of the SIS safety life-cycle phases shall be identified and be informed of the responsibilities assigned to them.

5.2.2.2 Persons, departments or organizations involved in SIS safety life-cycle activities shall be competent to carry out the activities for which they are accountable.

The following items shall be addressed and documented when considering the competence of persons, departments, organizations or other units involved in SIS safety life-cycle activities:
a) engineering knowledge, training and experience appropriate to the process application;
b) engineering knowledge, training and experience appropriate to the applicable technology used (e.g., electrical, electronic or programmable electronic);
c) engineering knowledge, training and experience appropriate to the sensors and final elements;
d) safety engineering knowledge (e.g., process safety analysis);
e) knowledge of the legal and regulatory functional safety requirements;
f) adequate management and leadership skills appropriate to their role in the SIS safety life-cycle activities;
g) understanding of the potential consequence of an event;
h) the SIL of the SIF;
i) the novelty and complexity of the application and the technology.

5.2.2.3 A procedure shall be in place to manage competence of all those involved in the SIS life cycle. Periodic assessments shall be carried out to document the competence of individuals against the activities they are performing and on change of an individual within a role.

5.2.3 Risk evaluation and risk management

Hazards shall be identified, risks evaluated and the necessary risk reduction determined as defined in Clause 8.

NOTE It may be beneficial to consider also potential capital losses, for economic reasons.

5.2.4 Safety planning

Safety planning shall take place to define the activities that are required to be carried out along with the persons, departments, organizations or other units responsible to carry out these activities. This planning shall be updated as necessary throughout the entire SIS safety life-cycle (see Clause 6) and carried out to a detailed activity level commensurate with the role the individual or organization is performing in the SIS safety life-cycle.

NOTE The safety planning can be incorporated in
– a section in the quality plan entitled “SIS Safety Life-cycle Plan”; or
– a separate document entitled “SIS Safety Life-cycle Plan”; or
– several documents which may include company procedures or working practices.
5.2.5 Implementing and monitoring
5.2.5.1 Procedures shall be implemented to ensure prompt follow-up and satisfactory resolution of recommendations pertaining to the SIS arising from
a) hazard analysis and risk assessment;
b) assurance activities;
c) verification activities;
d) validation activities;
e) FSAs;
f) functional safety audits;
g) post-incident and post-accident activities.

5.2.5.2 Any supplier, providing products or services to an organization that has overall responsibility for one or more phases of the SIS safety life-cycle, shall deliver products or services as specified by that organization and shall have a quality management system. Procedures shall be in place to demonstrate the adequacy of the quality management system.

If a supplier makes any functional safety claims for a product or service, which are used by the organization to demonstrate compliance with the requirements of this part of IEC 61511, the supplier shall have a functional safety management system. Procedures shall be in place to demonstrate the adequacy of the functional safety management system.

The functional safety management system shall meet the requirements of the basic safety standard IEC 61508-1:2010, Clause 6, or the functional safety management requirements of the standard derived from IEC 61508 to which functional safety claims are made.

5.2.5.3 Procedures shall be implemented to evaluate the performance of the SIS against its safety requirements to:
• identify and prevent systematic failures which could jeopardize safety;
• monitor and assess whether reliability parameters of the SIS are in accordance with those assumed during the design;
• define the necessary corrective action to be taken if the failure rates are greater than what was assumed during design;
• compare the demand rate on the SIF during actual operation with the assumptions made during risk assessment when the SIL requirements were determined.
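
The last three bullets of 5.2.5.3, worked as an added Python example that is not part of the standard: a constructed operating log is parsed per SIF, demands and proof-test-revealed dangerous failures are turned into rates over the observed window, and each SIF is flagged where the observed rates exceed what was assumed at design and risk-assessment time. The SIF tags, the one-line log format and the assumed rates are all constructed.

```python
import re
from collections import defaultdict
from datetime import date

HOURS_PER_YEAR = 8760

# Constructed design assumptions (not from the standard). For each SIF: the
# demand rate assumed in the H&RA when the SIL target was set, and the
# dangerous undetected failure rate per hour assumed in the design calculation.
ASSUMPTIONS = {
    "SIF-101": {"demands_per_year": 0.1, "lambda_du_per_hour": 2.0e-6},
    "SIF-202": {"demands_per_year": 0.5, "lambda_du_per_hour": 5.0e-6},
}

# Constructed operating records in a made-up one-line format:
#   <ISO date> <SIF tag> DEMAND | PROOF_TEST PASS | PROOF_TEST FAIL_DANGEROUS
RECORDS = """\
2021-01-10 SIF-101 PROOF_TEST PASS
2021-03-04 SIF-101 DEMAND
2021-09-17 SIF-101 DEMAND
2022-01-12 SIF-101 PROOF_TEST FAIL_DANGEROUS
2022-06-30 SIF-101 DEMAND
2023-01-09 SIF-101 PROOF_TEST PASS
2021-01-10 SIF-202 PROOF_TEST PASS
2022-01-11 SIF-202 PROOF_TEST PASS
2022-02-20 SIF-202 DEMAND
2023-01-10 SIF-202 PROOF_TEST PASS
"""

RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\S+) (DEMAND|PROOF_TEST (?:PASS|FAIL_DANGEROUS))$"
)


def parse_records(text):
    """Group the constructed log lines into per-SIF lists of (day, event).

    Anything that does not match the expected format is rejected rather than
    silently dropped, so a malformed record cannot hide a demand or a failure.
    """
    per_sif = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        day, tag, event = m.groups()
        per_sif[tag].append((date.fromisoformat(day), event))
    return per_sif


def evaluate(records_text, assumptions):
    """Apply the 5.2.5.3 comparisons to every SIF in the log.

    The observation window runs from the first to the last record for the
    SIF. Demands and proof-test-revealed dangerous failures are converted to
    rates over that window and compared with the design assumptions. With
    only a handful of events the point estimates are dominated by chance, so
    the raw counts are reported next to the rates for the reviewer.
    """
    report = {}
    for tag, events in parse_records(records_text).items():
        days = sorted(d for d, _ in events)
        hours = (days[-1] - days[0]).days * 24
        demands = sum(1 for _, e in events if e == "DEMAND")
        du_found = sum(1 for _, e in events if e == "PROOF_TEST FAIL_DANGEROUS")
        entry = {"operating_hours": hours, "demands": demands,
                 "dangerous_failures_found": du_found, "flags": []}
        if hours == 0:
            # A single record gives no window; do not divide by zero.
            entry["flags"].append("INSUFFICIENT_OBSERVATION_WINDOW")
            report[tag] = entry
            continue
        assumed = assumptions[tag]
        entry["observed_demands_per_year"] = demands / (hours / HOURS_PER_YEAR)
        entry["observed_lambda_du_per_hour"] = du_found / hours
        if entry["observed_demands_per_year"] > assumed["demands_per_year"]:
            entry["flags"].append("DEMAND_RATE_ABOVE_ASSUMPTION")
        if entry["observed_lambda_du_per_hour"] > assumed["lambda_du_per_hour"]:
            entry["flags"].append("FAILURE_RATE_ABOVE_ASSUMPTION")
        report[tag] = entry
    return report


if __name__ == "__main__":
    for tag, entry in evaluate(RECORDS, ASSUMPTIONS).items():
        print(tag, entry)
```

A flagged SIF is the trigger for the corrective action the third bullet calls for; the comparison itself is only as good as the completeness of the demand and proof-test records feeding it.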

5.2.5.4 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard the user shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

5.2.6 Assessment, auditing and revisions

5.2.6.1 Functional safety assessment (FSA)
5.2.6.1.1 A procedure shall be defined and executed for a FSA in such a way that a judgement can be made as to the functional safety and safety integrity achieved by every SIF of the SIS. The procedure shall require that a FSA team be appointed which includes the technical, application and operations expertise needed for the particular application.

5.2.6.1.2 The membership of the FSA team shall include at least one senior competent person not involved in the project design team (for stages 1, 2 and 3) or not involved in the operation and maintenance of the SIS (for stages 4 and 5).
5.2.6.1.3 The following shall be considered when planning a FSA:
– the scope of the FSA;
– who is to participate in the FSA;
– the skills, responsibilities and authorities of the FSA team;
– the information that will be generated as a result of any FSA activity;
– the identity of any other safety bodies involved in the FSA;
– the resources required to complete the FSA activity;
– the level of independence of the FSA team;
– the methods by which the FSA will be revalidated after modifications.

NOTE When the FSA team is large, consideration can be given to having more than one senior competent individual on the team who is independent from the project team.

5.2.6.1.4 A FSA team shall review the work carried out on all phases of the safety life cycle prior to the stage covered by the assessment that have not been already covered by previous FSAs. If previous FSAs have been carried out then the FSA team shall consider the conclusions and recommendations of the previous assessments. The stages in the SIS safety life-cycle at which the FSA activities are to be carried out shall be identified during the safety planning.

NOTE 1 Additional FSA activities can be introduced as new hazards are identified, after modification and at periodic intervals during operation.

NOTE 2 Consideration can be given to carrying out FSA activities at the following stages (see Figure 7).
– Stage 1 – After the H&RA has been carried out, the required protection layers have been identified and the SRS has been developed.
– Stage 2 – After the SIS has been designed.
– Stage 3 – After the installation, pre-commissioning and final validation of the SIS has been completed and operation and maintenance procedures have been developed.
– Stage 4 – After gaining experience in operating and maintenance.
– Stage 5 – After modification and prior to decommissioning of a SIS.

NOTE 3 The number, size and scope of FSA activities can depend upon the specific circumstances. The factors in this decision are likely to include:
– size of project;
– degree of complexity;
– SIL;
– duration of project;
– consequence in the event of failure;
– degree of standardization of design features;
– safety regulatory requirements;
– previous experience with a similar design;
– giving consideration to relevant factors such as:
  • time in operation;
  • number and scope of changes in operation;
  • proof test frequency.

5.2.6.1.5 Prior to the hazards being present the FSA team shall undertake functional safety assessment(s) and shall confirm:
• the H&RA has been carried out (see 8.1);
• the recommendations arising from the H&RA that apply to the SIS have been implemented or resolved;
• project design change procedures are in place and have been properly implemented;
• the recommendations arising from any FSA have been resolved;
• the SIS is designed, constructed and installed in accordance with the SRS, any differences having been identified and resolved;
• the safety, operating, maintenance and emergency procedures pertaining to the SIS are in place;
• the SIS validation planning is appropriate and the validation activities have been completed;
• the employee training has been completed and appropriate information about the SIS has been provided to the maintenance and operating personnel;
• plans or strategies for implementing further FSAs are in place.

5.2.6.1.6 Where design, development and production tools are used for any SIS safety life-cycle activity, they shall themselves be subject to an assessment demonstrating that they do not have any negative impact on the SIS or the output of the tools shall be confirmed by verification procedures.

NOTE 1 The degree to which such tools can be addressed will depend upon their impact on the risk level to be achieved.

NOTE 2 Examples of development and production tools include simulation and modelling tools, measuring equipment, test equipment, equipment used during maintenance activities and configuration management tools.

NOTE 3 Quality assurance of tools includes, but is not limited to, traceability to calibration standards, operating history and defect list.

5.2.6.1.7 The results of the FSA shall be available together with any recommendation coming from this assessment.

5.2.6.1.8 All relevant information shall be made available to the FSA team upon their request.

5.2.6.1.9 In cases where a FSA is carried out on a modification the assessment shall consider the impact analysis carried out on the proposed modification and confirm that the modification work performed is in compliance with the requirements of IEC 61511.

NOTE Safety life cycle (including FSA) requirements related to SIS modifications can be found in 17.2.3.

5.2.6.1.10 A FSA shall also be carried out periodically during the operations and maintenance phase to ensure that maintenance and operation are being carried out according to the assumptions made during design and that the requirements within IEC 61511 for safety management and verification are being met.

5.2.6.2 Functional safety audit and revision

5.2.6.2.1 The purpose of the audit is to review information documents and records to determine whether the functional safety management system (FSMS) is in place, up to date, and being followed. Where gaps are identified, recommendations for improvements are made.

5.2.6.2.2 All procedures identified as necessary resulting from all safety life-cycle activities shall be subject to safety audit.
5.2.6.2.3 Functional safety audit shall be performed by an independent person not undertaking work on the SIS to be audited. Procedures shall be defined and executed for auditing compliance with requirements including:
• the frequency of the functional safety audit activities;
• the degree of independence between the persons, departments, organizations or other units carrying out the work and those carrying out the functional safety auditing activities;
• the recording and follow-up activities.

5.2.6.2.4 Management of change procedures shall be in place to initiate, document, review, implement and approve changes to the SIS other than replacement in kind (i.e., like for like, an exact duplicate of an element or an approved substitution that does not require modification to the SIS as installed).

5.2.6.2.5 Management of change procedures shall be in place that identify changes that will affect the requirements on the SIS (e.g., re-design of a BPCS, changes to manning in a certain area).

5.2.7 SIS configuration management

5.2.7.1 Procedures for configuration management of the SIS during any SIS safety life-cycle phase shall be available.

NOTE In particular, the following can be specified:
– the stage at which formal configuration management is to be implemented;
– the procedures to be used for uniquely identifying all components of a SIS or SIS-subsystem (e.g., devices, application programming);
– the procedures for preventing unauthorized devices from entering service.

5.2.7.2 The SIS software, hardware and procedures used to develop and execute the application program shall be subject to configuration management and shall be maintained under revision control.

NOTE SIS software includes application program (e.g., in logic solvers); embedded software (e.g., sensors, logic solvers, final elements); utility software (tools).

6 Safety life-cycle requirements

6.1 Objectives

The objectives of Clause 6 are:
• to define the phases and establish the requirements of the SIS safety life-cycle activities;
• to define and organize the technical activities into a SIS safety life-cycle;
• to ensure that adequate planning exists (or is developed) that makes certain that the SIS meets the safety requirements.

NOTE 1 The overall approach of the IEC 61511 series is shown in Figure 7. It can be stressed that this approach is for illustration and is only meant to indicate the typical SIS safety life-cycle activities from initial conception through decommissioning.

[Figure 7 is a flow diagram of the SIS safety life-cycle; only its box titles, clause references and FSA stage markers are recoverable here.]
Box 1 – Hazard and risk assessment (Clause 8)
Box 2 – Allocation of safety functions to protection layers (Clause 9)
Box 3 – Safety requirements specification for the safety instrumented system (Clause 10)
FSA Stage 1
Box 4 – Design and engineering of safety instrumented system (Clauses 11, 12 and 13), alongside: Design and development of other means of risk reduction (Clause 9)
FSA Stage 2
Box 5 – Installation, commissioning and validation (Clauses 14 and 15)
FSA Stage 3
Box 6 – Operation and maintenance (Clause 16)
FSA Stage 4
Box 7 – Modification (Clause 17)
FSA Stage 5
Box 8 – Decommissioning (Clause 18)
Box 9 – Verification (Clauses 7 and 12.5)
Box 10 – Management of functional safety and functional safety assessment and auditing (Clause 5)
Box 11 – Safety life-cycle structure and planning (6.2 of Clause 6)
Key: typical direction of information flow; no detailed requirements given in this standard; requirements given in this standard.
NOTE 1: Stages 1 through 5 inclusive are defined in 5.2.6.1.4.
NOTE 2: All references are to Part 1 unless otherwise noted.

Figure 7 – SIS safety life-cycle phases and FSA stages

NOTE 2 Information in Figure 7 may flow from operation and maintenance back to the earlier life-cycle stages to reflect tracking of incidents and failures and to verify engineering assumptions.

6.2 Requirements

6.2.1 A SIS safety life-cycle incorporating the requirements of the IEC 61511 series shall be defined during safety planning. The safety life-cycle shall also address the application programming (see 6.3.1).

6.2.2 Each phase of the SIS safety life-cycle shall be defined in terms of its inputs, outputs and verification activities (see Table 2).
Table 2 – SIS safety life-cycle overview (1 of 2)

Columns: Safety life-cycle phase or activity (Figure 7 box number, title) | Objectives | Requirements clause | Inputs | Outputs

Box 1 – H&RA
  Objectives: To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with the hazardous event, the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction.
  Requirements clause: Clause 8
  Inputs: Process design, layout, manning arrangements, safety targets.
  Outputs: A description of the hazards, of the required safety function(s) and of the associated risk reduction.

Box 2 – Allocation of safety functions to protection layers
  Objectives: Allocation of safety functions to protection layers and, for each SIF, the associated SIL.
  Requirements clause: Clause 9
  Inputs: A description of the required SIF and associated safety integrity requirements.
  Outputs: Description of allocation of safety requirements.

Box 3 – SIS safety requirements specification
  Objectives: To specify the requirements for each SIS, in terms of the required SIF and their associated safety integrity, in order to achieve the required functional safety.
  Requirements clause: Clause 10
  Inputs: Description of allocation of safety requirements.
  Outputs: SIS safety requirements; application program safety requirements.

Box 4 – SIS design and engineering
  Objectives: To design the SIS to meet the requirements for SIF and their associated safety integrity.
  Requirements clause: Clauses 11, 12
  Inputs: SIS safety requirements. Application program safety requirements.
  Outputs: Design of the SIS hardware and application program in conformance with the SIS safety requirements; planning for the SIS integration test.

Box 5 – SIS installation, commissioning and validation
  Objectives: To integrate and test the SIS. To validate that the SIS meets in all respects the requirements for safety in terms of the required SIF and their associated safety integrity.
  Requirements clause: Clauses 14, 15
  Inputs: SIS design. SIS integration test plan. SIS safety requirements. Plan for the safety validation of the SIS.
  Outputs: Fully functioning SIS in conformance with the SIS safety requirements. Results of SIS integration tests. Results of the installation, commissioning and validation activities.
Table 2 (2 of 2)

Columns: Safety life-cycle phase or activity (Figure 7 box number, title) | Objectives | Requirements clause | Inputs | Outputs

Box 6 – SIS operation and maintenance
  Objectives: To ensure that the functional safety of the SIS is maintained during operation and maintenance.
  Requirements clause: Clause 16
  Inputs: SIS safety requirements. SIS design. Plan for SIS operation and maintenance.
  Outputs: Results of the operation and maintenance activities.

Box 7 – SIS modification
  Objectives: To make corrections, enhancements or adaptations to the SIS, ensuring that the required SIL is achieved and maintained.
  Requirements clause: Clause 17
  Inputs: Revised SIS safety requirements.
  Outputs: Results of SIS modification.

Box 8 – Decommissioning
  Objectives: To ensure proper review, sector organization, and ensure SIF remains appropriate.
  Requirements clause: Clause 18
  Inputs: As built safety requirements and process information.
  Outputs: SIF placed out of service.

Box 9 – SIS verification
  Objectives: To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.
  Requirements clause: Clause 7, 12.5
  Inputs: Plan for the verification of the SIS for each phase.
  Outputs: Results of the verification of the SIS for each phase.

Box 10 – SIS FSA
  Objectives: To investigate and arrive at a judgement on the functional safety achieved by the SIS.
  Requirements clause: Clause 5
  Inputs: Planning for SIS FSA. SIS safety requirement.
  Outputs: Results of SIS FSA.

Box 11 – Safety lifecycle structure and planning
  Objectives: To establish how the lifecycle steps are accomplished.
  Requirements clause: 6.2
  Inputs: Not applicable.
  Outputs: Safety plan.
6.2.3 For all SIS safety life-cycle phases, safety planning shall take place to define the activities, criteria, techniques, measures, procedures and responsible organisation/people to:
• ensure that the SIS safety requirements are achieved for all relevant modes of the process; this includes both functional and safety integrity requirements;
• ensure proper installation and commissioning of the SIS;
• ensure the safety integrity of the SIF after installation;
• maintain the safety integrity during operation (e.g., proof testing, failure analysis);
• manage the process hazards during maintenance activities on the SIS.

6.2.4 If at any stage of the safety life-cycle a change is required pertaining to an earlier life-cycle phase, then that earlier SIS safety life-cycle phase and the subsequent phases shall be re-examined, altered as required and re-verified.

6.3 Application program SIS safety life-cycle requirements

6.3.1 Each phase of the application program safety life-cycle (see Figure 8) shall be defined in terms of its elementary activities, objectives, required input information and output results and verification requirements (see Table 3).

[Figure 8 is a flow diagram; only its box titles and clause references are recoverable here.]
SRS (Clause 10) → SIS architecture → SIS subsystem* (*sensors, logic solver(s) or final elements) → Hardware safety requirements → Programmable electronic hardware / Non-programmable hardware
Box 4 in Figure 8: Design and engineering of the safety instrumented function, comprising:
– Programmable electronic selection including embedded software
– Non-programmable hardware design and development
– Application program safety life-cycle and tools:
  10.3.2 Application program safety requirements
  15.2.2 Application program safety validation planning
  12.1 to 12.3 Application program design
  12.4 and 12.6 Application program implementation, methods and tools
  12.5 and 7.2.2 Application program review and testing
  16 and 17 Operation and modification procedures (to boxes 6 and 7 in Figure 7)
SIS integration test (Clause 13) → SIS install and validate (Clauses 14 and 15)

Figure 8 – Application program safety life-cycle and its relationship to the SIS safety life-cycle
Table 3 – Application program safety life-cycle: overview (1 of 2)

Columns: Safety life-cycle phase (Figure 8 box number, title) | Objectives | Requirements clause | Inputs | Outputs

Box 10.3.2 – Application program safety requirements
  Objectives: To specify application program safety requirements for each SIS necessary to implement the required SIF. To specify the requirements for application program for each SIF allocated to that SIS.
  Requirements clause: 10.3, 11.5
  Inputs: SIS safety requirements. Safety manuals of the selected SIS. SIS architecture.
  Outputs: SIS application program safety requirements specification. Verification information.

Box 15.2.2 – Application program safety validation planning
  Objectives: To develop a plan for validating the application program.
  Requirements clause: 15.2.2, 15.2.5
  Inputs: SIS application program safety requirements.
  Outputs: SIS safety validation planning. Verification information.

Box 12.1 to 12.3 – Application program development
  Objectives: Architecture: to create an application program architecture that fulfils the specified requirements for application program safety; to review and evaluate the requirements placed on the application program by the hardware architecture of the SIS; to specify the procedures for the development of the application program.
  Requirements clause: 12.1 (also 10.3, 12.2)
  Inputs: SIS application program safety requirements. SIS hardware architecture design constraints.
  Outputs: Description of the architecture design, e.g., segregation of application program into related process sub-system and SIL, e.g., recognition of common application program modules such as pump or valve sequences. Application program architecture and sub-system integration test requirements. Verification information.

Box 12.1 to 12.3 (continued) – Application program design
  Objectives: To develop the application program design. To identify a suitable set of configuration, library, management, and simulation and test tools, over the safety life-cycle of the application program.
  Requirements clause: 12.3
  Inputs: SIS application program safety requirements. Description of the architecture design. Manuals of the SIS. Safety manual of the selected SIS logic solver.
  Outputs: Application program design. Procedures for use during programming. Description of the standard (manufacturers) library functions to be used. Verification information.
Table 3 (2 of 2)

Columns: Safety life-cycle phase (Figure 8 box number, title) | Objectives | Requirements clause | Inputs | Outputs

Box 12.4, 12.6 – Application program implementation
  Objectives: Application development and application module development. To implement the application program that fulfils the specified requirements for application safety. To use appropriate support tools and programming languages.
  Requirements clause: 12.4, 12.3.4, 12.6
  Inputs: Description of the design. List of manuals and procedures of the selected logic solver for use with the application program.
  Outputs: Application program (e.g., function block diagrams, ladder logic). Application program simulation and integration test. Special purpose application program safety requirements. Verification information.

Box 12.5, 7.2.2 – Application program verification
  Objectives: To verify that the requirements for application program safety have been achieved. To show that all SIS application programs interact correctly to perform their intended functions and do not perform unintended functions.
  Requirements clause: 12.5, 7.2.2
  Inputs: Application program simulation and integration test requirements (structure based testing). Application program architecture integration test requirements.
  Outputs: Application program test results. Verified and tested application program system. Verification information.

Box 13 – SIS integration test
  Objectives: To integrate the application program onto the target logic solver, including interaction with a sample set of field devices and/or simulator.
  Requirements clause: Clause 13
  Inputs: Application program and logic solver integration test requirements.
  Outputs: Application program and logic solver integration test results.
6.3.2 Methods, techniques and tools shall be applied for each life-cycle phase in accordance with 12.6.2.

6.3.3 Each phase of the SIS safety life-cycle for which safety planning has been carried out shall be verified (see Clause 7) and the results shall be available as described in Clause 19.

7 Verification

7.1 Objective

The objective of Clause 7 is to demonstrate by review, analysis and/or testing that the required outputs satisfy the defined requirements for the appropriate phases (Figure 7) as identified by the verification planning.

7.2 Requirements

7.2.1 Verification planning shall be carried out throughout the SIS safety life-cycle and shall define all activities required for the appropriate phase (Figure 7) of the safety life-cycle, including the application program. Verification planning shall conform to the IEC 61511 series by addressing the following:
• the verification activities;
• the procedures, measures and techniques to be used for verification including implementation and resolution of resulting recommendations;
• when these activities will take place;
• the persons, departments and organizations responsible for these activities, including levels of independence;
• identification of items to be verified;
• identification of the information against which the verification is carried out;
• the adequacy of the outputs against the requirements for that phase;
• correctness of the data;
• how to handle non-conformances;
• tools and supporting analysis;
• the completeness of the SIS implementation and the traceability of the requirements;
• the readability and audit-ability of the documentation;
• the testability of the design.

7.2.2 Where the verification includes testing, the verification planning shall also address the following:
• the strategy for integration of application program and hardware and field devices, including the integration of sub-systems that shall comply with other standards (such as machinery or burner);
• test scope (describes the test set-up and what type of test is to be performed, including the hardware, application programming, and programming devices to be included);
• test cases and test data (these will be specific scenarios with the associated data);
• types of tests to be performed;
• test environment including tools, hardware, all software and required configuration;
• test criteria (e.g., pass/fail criteria) on which the results of the test will be evaluated;
• procedures for corrective action on failure during test;
• physical location(s) (e.g., factory or site);
• dependence on external functionality;
• appropriate personnel;
• management of change;
• non-conformances.

7.2.3 Non-safety functions integrated with safety functions shall be verified for non-interference with the safety functions.

7.2.4 Verification shall be performed according to the verification planning.

7.2.5 During testing, any modification shall be subjected to an impact analysis which shall determine all SIS components impacted and the necessary re-verification activities.

7.2.6 The results of the verification process shall be available (see Clause 19), including whether the objective and criteria of the tests have been met.

NOTE 1 Selection of techniques and measures for the verification process and the degree of independence depends upon a number of factors including degree of complexity, novelty of design, novelty of technology and required SIL.
NOTE 2 Examples of some verification activities include design reviews, use of tools and techniques including software verification tools and computer based design analysis tools.

8 Process H&RA

8.1 Objectives

The objectives of the requirements of Clause 8 are to determine:
• the hazards and hazardous events of the process and associated equipment;
• the sequence of events leading to the hazardous event;
• the process risks associated with the hazardous event;
• any requirements for risk reduction;
• the safety functions required to achieve the necessary risk reduction;
• if any of the safety functions are SIFs.

NOTE 1 Clause 8 addresses process engineers, hazard and risk specialists, safety managers as well as instrument engineers. Its purpose is to recognize the multi-disciplinary approach typically required for the determination of SIF.

NOTE 2 Where reasonably practicable, processes can be designed to be inherently safe. When this is not practicable, other layers of protection (see Figure 9) can be required. In some applications, industry standards can specify the use of particular protection layers.

NOTE 3 The risk reduction can be accomplished using several layers of protection (see Clause 9).

8.2 Requirements

8.2.1 A H&RA shall be carried out on the materials, process and equipment. It shall result in:
• a description of each identified hazardous event and the factors that contribute to it;
• a description of the likelihood and consequence of each hazardous event;
• consideration of process operating modes such as normal operation, start-up, shutdown, maintenance, process upset, and emergency shutdown;
• the determination of additional risk reduction necessary to achieve the required functional safety;
• a description of, or references to information on, the measures taken to reduce or remove hazards and risk;
• a detailed description of the assumptions made during the analysis of the risks, including demand rates on the protection layers and the average frequency of dangerous failures of the initiating sources, and of any credit taken for operational constraints or human intervention;
• identification of those safety function(s) applied as SIF(s).

NOTE 1 In determining the safety integrity requirements, account can be taken of the effects of common cause between systems that create demands and the protection layers that are designed to respond to those demands. An example of this would be where demands can arise through BPCS failure and the equipment used within the protective layers is similar or identical to the equipment used within the BPCS. In such cases, a demand caused by a failure of BPCS equipment may not be responded to effectively if a common cause has rendered similar equipment in the protection layer ineffective. It may not be possible to recognize common cause problems during the initial hazard identification and risk analysis because at such an early stage the design of the protection layers will not necessarily have been completed. In such cases, it can be necessary to reconsider the safety integrity requirements and SIF once the design of the SIS and other protection layers has been completed. In determining whether the overall design of process and protection layers meets requirements, common cause failures will be considered.

NOTE 2 Examples of techniques that can be used to establish the required SILs of SIFs are illustrated in IEC 61511-3:2016.

8.2.2 The average frequency of dangerous failures of a BPCS as an initiating source shall not be assumed to be < 10^-5 per hour.
8.2.3 The H&RA shall be recorded in such a way that the relationship between the above items is clear and traceable.

NOTE 1 The above requirements do not mandate that the safety integrity requirements have to be assigned as numerical values. Qualitative or semi-quantitative approaches (see IEC 61511-3:2016, Annexes C, D & E) can also be used.

NOTE 2 The safety integrity requirements vary depending on the application and national legal requirements. An accepted principle in many countries is that additional risk reduction measures can be applied until the cost incurred becomes disproportionate to the improvement in safety integrity achieved.

8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. It shall result in:
• a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS);
• a description of identified threats that could exploit vulnerabilities and result in security events (including intentional attacks on the hardware, application programs and related software, as well as unintended events resulting from human error);
• a description of the potential consequences resulting from the security events and the likelihood of these events occurring;
• consideration of various phases such as design, implementation, commissioning, operation, and maintenance;
• the determination of requirements for additional risk reduction;
• a description of, or references to information on, the measures taken to reduce or remove the threats.

NOTE 1 Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.

NOTE 2 The information and control of boundary conditions needed for the security risk assessment are typically with the owner/operating company of a facility, not with the supplier. Where this is the case, the obligation to comply with 8.2.4 can be with the owner/operating company of the facility.

NOTE 3 The SIS security risk assessment can be included in an overall process automation security risk assessment.

NOTE 4 The SIS security risk assessment can range in focus from an individual SIF to all SISs within a company.

9 Allocation of safety functions to protection layers

9.1 Objectives

The objectives of the requirements of Clause 9 are to
• allocate safety functions to protection layers;
• determine the required SIFs;
• determine for each SIF the associated safety integrity requirements.

NOTE 1 Account can be taken, during the process of allocation, of other industry standards or codes.

NOTE 2 The integrity requirements for each SIF might include the associated risk reduction, PFD, PFH or SIL.

9.2 Requirements of the allocation process

9.2.1 The allocation process shall result in
• the allocation of safety functions required to achieve the necessary risk reduction to specific protection layers;
• the allocation of risk reduction or average frequency of dangerous failure to each SIF.

NOTE Legislative requirements or other industry codes may influence the allocation process.
9.2.2 The required SIL shall be derived taking into account the required PFD or PFH that is to be provided by the SIF.

NOTE Further guidance can be found in IEC 61511-3:2016.

9.2.3 For each SIF operating in demand mode, the required SIL shall be specified in accordance with either Table 4 or Table 5.

9.2.4 For each SIF operating in continuous mode, the required SIL shall be specified in accordance with Table 5.

Table 4 – Safety integrity requirements: PFDavg

DEMAND MODE OF OPERATION
Safety integrity level (SIL) | PFDavg | Required risk reduction
4 | ≥ 10^-5 to < 10^-4 | > 10 000 to ≤ 100 000
3 | ≥ 10^-4 to < 10^-3 | > 1 000 to ≤ 10 000
2 | ≥ 10^-3 to < 10^-2 | > 100 to ≤ 1 000
1 | ≥ 10^-2 to < 10^-1 | > 10 to ≤ 100

Table 5 – Safety integrity requirements: average frequency of dangerous failures of the SIF

CONTINUOUS MODE OR DEMAND MODE OF OPERATION
Safety integrity level (SIL) | Average frequency of dangerous failures (failures per hour)
4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-6 to < 10^-5

NOTE 1 Further explanation of modes of operation can be found in 3.2.39.

NOTE 2 The SIL is defined numerically so as to provide an objective measure for comparison of alternate designs and solutions. However, it is recognized that, given the current state of knowledge, many systematic causes of failure can only be assessed qualitatively.

NOTE 3 The required average frequency of dangerous failures for a continuous or demand mode SIF is determined by considering the risk caused by failure of the continuous or demand mode SIF together with the failures of other devices that lead to the same risk, taking into consideration the risk reduction provided by other protection layers.

9.2.5 In cases where the allocation process results in a risk reduction requirement of > 10 000 or average frequency of dangerous failures < 10^-8 per hour for a single SIS, or multiple SISs, or SIS in conjunction with a BPCS protection layer, there shall be a reconsideration of the application (e.g., process, other protection layers) to determine if any of the risk parameters can be modified so that the risk reduction requirement of > 10 000 or average frequency of dangerous failures < 10^-8 per hour is avoided. The review shall consider whether:
– the process or vessels/pipe work can be modified to remove or reduce hazards at the source;
– additional safety-related systems or other risk reduction means, not based on instrumentation, can be introduced;
– the severity of the consequence can be reduced, e.g., reducing the amount of hazardous material;
– 48 – IEC 61511-1:2016+AMD1:2017 CSV
© IEC 2017
– the likelihood of the specified consequence can be reduced, e.g., reducing the likelihood of the initiating source of the hazardous event.

NOTE Applications which require the use of a single SIF with a risk reduction requirement > 10 000 or average frequency of dangerous failures < 10^-8 per hour need to be avoided because of the difficulty of achieving and maintaining such high levels of performance throughout the SIS safety life-cycle. Risk reduction requirement > 10 000 or average frequency of dangerous failures < 10^-8 per hour can require high levels of competence and high levels of coverage for all factory acceptance testing, proof testing, verification, and validation activities.

9.2.6 If after further consideration of the application and confirmation that a risk reduction requirement > 10 000 or average frequency of dangerous failures < 10^-8 per hour is still required, then consideration should be given to achieving the safety integrity requirement using a number of protection layers (e.g., SIS or BPCS) with lower risk reduction requirements. If the risk reduction is allocated to multiple protection layers then such protection layers shall be independent from each other or the lack of independence shall be assessed and shown to be sufficiently low compared to the risk reduction requirements. The following factors shall be considered during this assessment:
– common cause of failure of SIS and the cause of demand;
NOTE 1 The extent of the common cause can be assessed by considering the diversity of all devices where failure could cause a demand and all devices of the BPCS protection layer and/or the SIS used for risk reduction.
NOTE 2 An example of common cause between the SIS and the cause of demand is if loss of process control through sensor fault or failure can cause a demand and the sensor used for control is of the same type as the sensor used for the SIS.
– common cause of failure with other protection layers providing risk reduction;
NOTE 3 The extent of the common cause can be assessed by considering the diversity of all devices of the BPCS protection layer and/or the SIS used to achieve the risk reduction requirements.
NOTE 4 An example of common cause between SISs providing risk reduction is when two separate and independent SISs with diverse measurements and diverse logic solvers are used but the final actuation devices are two shut-off valves of similar types or a single shut-off valve actuated by both SISs.
– any dependencies that may be introduced by common operations, maintenance, inspection or test activities or by common proof test procedures and proof test times;
NOTE 5 Even if the protective layers are diverse, synchronous proof testing will reduce the overall risk reduction achieved and this can be a significant factor impeding achievement of the necessary risk reduction for the hazardous event.
NOTE 6 When high levels of risk reduction are required and proof tests are desynchronised according to Note 5, then the dominant factor is normally common cause failure even if multiple independent protection layers are used to reduce risk. Dependency within and between protection layers providing risk reduction for the same hazardous event can be assessed and shown to be sufficiently low.

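As an added worked illustration of Notes 5 and 6 above (example code added by the editor; it is not part of IEC 61511-1 and anticipates the quantitative confirmation that 9.2.7 requires): the Python script below numerically averages the instantaneous unavailability of two redundant low-demand layers voted 1oo2 over one proof-test cycle, first with synchronous proof tests, then with the tests staggered by half an interval, then with a beta-factor common-cause contribution. The dangerous undetected failure rate, proof-test interval and beta value are assumed illustrative inputs, not figures from the standard.

```python
"""PFDavg of two redundant low-demand protection layers voted 1oo2, with
optionally staggered proof tests and a beta-factor common-cause model.

Example added by the editor; not code from IEC 61511-1.  Failure rate,
proof-test interval and beta below are illustrative assumptions.
"""


def unavailability(lambda_du: float, t: float, period: float, offset: float) -> float:
    """Dormant (undetected dangerous) unavailability of one layer at time t,
    given proof tests every `period` hours starting at `offset`.  Uses the
    usual small-argument approximation u(t) = lambda * (time since last test)."""
    return lambda_du * ((t - offset) % period)


def pfd_avg_1oo2(lambda_du: float, test_interval: float, stagger: float = 0.0,
                 beta: float = 0.0, steps: int = 20_000) -> float:
    """Average PFD over one proof-test cycle by the midpoint rule.

    Independent failures (rate (1 - beta) * lambda) must hit both layers to
    defeat the 1oo2 vote; a common-cause failure (rate beta * lambda) takes
    both out at once and is cleared by whichever layer is proof tested next.
    """
    lam_ind = (1.0 - beta) * lambda_du
    lam_cc = beta * lambda_du
    dt = test_interval / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        u_a = unavailability(lam_ind, t, test_interval, 0.0)
        u_b = unavailability(lam_ind, t, test_interval, stagger)
        since_any_test = min(t % test_interval, (t - stagger) % test_interval)
        u_cc = lam_cc * since_any_test
        total += u_a * u_b + u_cc
    return total / steps


def risk_reduction_factor(pfd_avg: float) -> float:
    return 1.0 / pfd_avg


def needs_reconsideration(rrf: float) -> bool:
    """9.2.5 threshold: a risk reduction requirement > 10 000 on one SIS (or
    SIS plus BPCS layer) triggers reconsideration of the application."""
    return rrf > 10_000


if __name__ == "__main__":
    LAMBDA_DU = 1.0e-6  # dangerous undetected failures per hour per layer (assumed)
    TI = 8760.0         # proof-test interval in hours (assumed: one year)
    cases = {
        "synchronous tests, no CCF": pfd_avg_1oo2(LAMBDA_DU, TI),
        "staggered tests, no CCF":   pfd_avg_1oo2(LAMBDA_DU, TI, stagger=TI / 2),
        "staggered tests, beta=10%": pfd_avg_1oo2(LAMBDA_DU, TI, stagger=TI / 2, beta=0.10),
    }
    for label, pfd in cases.items():
        rrf = risk_reduction_factor(pfd)
        print(f"{label:27s} PFDavg = {pfd:.2e}  RRF = {rrf:8.0f}  "
              f"> 10 000 (9.2.5)? {needs_reconsideration(rrf)}")
```

With the assumed figures the synchronous case gives PFDavg ≈ 2.6e-5 (RRF ≈ 39 000), staggering the two proof tests lowers it to ≈ 1.6e-5, and a 10 % common-cause fraction raises it to ≈ 2.3e-4 (RRF ≈ 4 300): the common-cause term dominates and defeats the > 10 000 claim, which is the point of Note 6.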
9.2.7 If a risk reduction requirement > 10 000 or average frequency of dangerous failures < 10^-8 per hour is to be implemented, whether allocated to a single SIS or multiple SIS or SIS in conjunction with a BPCS protection layer, then a further risk assessment shall be carried out using a quantitative methodology to confirm that the safety integrity requirements are achieved. The methodology shall take into consideration dependency and common cause failures between the SIS and:
– any other protection layer whose failure would place a demand on it;
– any other SIS reducing the likelihood of the hazardous event;
– any other risk reduction means that reduce the likelihood of the hazardous event (e.g., safety alarms).
9.2.8 If the risk reduction required for a hazardous event is allocated to multiple SIFs in a single SIS, then the SIS shall meet the overall risk reduction requirement.

9.2.9 The results of the allocation process shall be recorded so that the SIFs are described in terms of the functional needs of the process, e.g., the actions to be taken, set points, reaction times, activation delays, fault treatment, valve closure requirements, and in terms of the risk reduction requirements.
NOTE This description can be in an unambiguous logical form and can be referred to as the process requirements specification or the safety description. The description can make the intent and the approach used in the allocation process clear. The process requirements specification is used as input information for the SRS covered in Clause 10 and can be sufficiently detailed to ensure adequate specification of the SIS and its devices. For example, the description can include the set-points for sensors, the process safety time available for response, and the valve closure requirements.

9.3 Requirements on the basic process control system as a protection layer

9.3.1 The basic process control system may be claimed as a protection layer as shown in Figure 9.

[Figure 9 shows nested protection layers around the PROCESS; listed here from innermost to outermost:]
CONTROL and MONITORING: basic process control system; monitoring systems (process alarms); operator supervision
PREVENTION: mechanical protection system; process alarms with operator corrective action; safety instrumented systems
MITIGATION: mechanical mitigation systems; safety instrumented systems; operator supervision
PLANT EMERGENCY RESPONSE: evacuation procedures
COMMUNITY EMERGENCY RESPONSE: emergency broadcasting

Figure 9 – Typical protection layers and risk reduction means

9.3.2 The risk reduction claimed for a BPCS protection layer shall be ≤ 10.

NOTE Consideration can be given to the fact that a BPCS may also be an initiating source for the demand on the protection layer.

9.3.3 If the risk reduction claimed for a BPCS protection layer is > 10, then the BPCS shall be designed and managed to the requirements within the IEC 61511 series.

9.3.4 If it is not intended that the BPCS conform to the IEC 61511 series, then:
• no more than one BPCS protection layer shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is the initiating source for the demand on the protection layer; or
• no more than two BPCS protection layers shall be claimed for the same sequence of events leading to the hazardous event when the BPCS is not the initiating source of the demand.
NOTE The identified BPCS protection layer can consist of one BPCS as the initiating source for the demand (see 8.2.2) and a second independent BPCS protection layer (see 9.3.2 and 9.3.3) or up to two independent BPCS protection layers when the initiating source is not related to BPCS failure.
9.3.5 When 9.3.4 applies, each BPCS protection layer shall be independent and separate from the initiating source and from each other to the extent that the claimed risk reduction of each BPCS protection layer is not compromised.

NOTE 1 The assessment of separation and independence can consider what is necessary to achieve the risk reduction, e.g., the central processing units (CPU), input/output modules, relays, field devices, application programming, networks, program database, engineering tools, human machine interface, by-pass tools and other devices.

NOTE 2 A hot backup controller is not considered to be independent of the primary controller because it is subject to common cause failure (for example, hot backup controllers have components that are common to both the primary and the backup controller, such as the backplane, firmware, diagnostics, transfer mechanisms and undetected dangerous failures).

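The credit rules of 9.3.2 to 9.3.5 applied to a constructed LOPA-style scenario, as an added example (editor's code, not part of IEC 61511-1): the layer list, initiating-event frequency and target frequency are invented for illustration, and the SIL bands used by sil_for_rrf are the one-decade-per-SIL low-demand PFD bands of IEC 61511-1 rather than anything stated in 9.3.

```python
"""Applying the BPCS credit rules of 9.3.2 to 9.3.5 in a LOPA-style
allocation, then sizing the SIS that must close the remaining gap.

Example added by the editor; not code from IEC 61511-1.  The scenario
(layers, frequencies) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Layer:
    name: str
    kind: str                            # "bpcs", "relief", "alarm", ...
    rrf: float                           # risk reduction factor claimed (= 1 / PFD)
    shares_with_initiator: bool = False  # shares CPU, I/O, sensor, ... with the initiating source


def check_bpcs_credits(layers, bpcs_is_initiator, bpcs_conforms_to_61511=False):
    """Return (accepted_layers, findings) after applying 9.3.2 to 9.3.5."""
    accepted, findings, bpcs_count = [], [], 0
    limit = 1 if bpcs_is_initiator else 2  # 9.3.4: one BPCS layer if the BPCS initiates, else two
    for layer in layers:
        if layer.kind != "bpcs":
            accepted.append(layer)
            continue
        if layer.rrf > 10 and not bpcs_conforms_to_61511:
            # 9.3.2 / 9.3.3: more than 10 needs a BPCS managed to IEC 61511; cap the credit
            findings.append(f"{layer.name}: RRF {layer.rrf:g} > 10 capped at 10 (9.3.2)")
            layer = Layer(layer.name, layer.kind, 10.0, layer.shares_with_initiator)
        if layer.shares_with_initiator:
            # 9.3.5: not independent of the initiating source -> no credit
            findings.append(f"{layer.name}: not independent of the initiating source (9.3.5)")
            continue
        if bpcs_count >= limit:
            findings.append(f"{layer.name}: more than {limit} BPCS layer(s) for one event sequence (9.3.4)")
            continue
        bpcs_count += 1
        accepted.append(layer)
    return accepted, findings


def required_sis_rrf(initiating_frequency, target_frequency, accepted_layers):
    """Risk reduction the SIS must still provide once the accepted layers are credited."""
    mitigated = initiating_frequency
    for layer in accepted_layers:
        mitigated /= layer.rrf
    return max(1.0, mitigated / target_frequency)


def sil_for_rrf(rrf):
    """Low-demand SIL band for a required RRF (PFD = 1/RRF, one decade per SIL).
    None means no SIL-rated function is needed; above SIL 4 is out of scope."""
    if rrf <= 10:
        return None
    for sil, upper in ((1, 100), (2, 1_000), (3, 10_000), (4, 100_000)):
        if rrf <= upper:
            return sil
    raise ValueError("RRF > 100 000 is beyond SIL 4; reconsider the application (9.2.5)")


# Constructed scenario: a control-loop failure (so the BPCS is the initiator)
# at an assumed 0.1 events per year, target 2e-7 per year.
INITIATING_FREQUENCY = 0.1
TARGET_FREQUENCY = 2.0e-7
EXAMPLE_LAYERS = [
    Layer("PAH alarm + operator action in the same controller as the failed loop", "bpcs", 10.0, True),
    Layer("Independent BPCS interlock on the feed valve", "bpcs", 50.0),
    Layer("Second independent BPCS interlock", "bpcs", 10.0),
    Layer("PSV relief valve", "relief", 100.0),
]

if __name__ == "__main__":
    accepted, findings = check_bpcs_credits(EXAMPLE_LAYERS, bpcs_is_initiator=True)
    for f in findings:
        print("finding:", f)
    rrf = required_sis_rrf(INITIATING_FREQUENCY, TARGET_FREQUENCY, accepted)
    print(f"credited layers: {[l.name for l in accepted]}")
    print(f"SIS must provide RRF {rrf:.0f} -> SIL {sil_for_rrf(rrf)}")
```

With these inputs two of the three BPCS claims are disallowed and the remaining one is capped at 10, so the SIS must supply an RRF of about 500, a SIL 2 function; had all three BPCS credits been taken at face value the same hazard would have appeared to need no SIS at all.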
9.4 Requirements for preventing common cause, common mode and dependent failures

9.4.1 The design of the protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between:
• protection layers;
• protection layers and the BPCS;
are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative unless 9.2.7 applies.

NOTE A definition of dependent failure is provided in 3.2.12.

9.4.2 The assessment shall consider the following:
• independence between protection layers;
• diversity between protection layers;
• physical separation between different protection layers;
• common cause failures between protection layers and between protection layers and BPCS.
NOTE 1 Common causes from the process can be addressed. Plugging of relief valves may cause the same problems as plugging of sensors in a SIS.

NOTE 2 Independence and physical separation can be addressed. A Human Machine Interface, SIS/BPCS networks or bypass means can cause common cause failure.

10 SIS safety requirements specification (SRS)

10.1 Objective

The objective of Clause 10 is to specify the requirements for the SIS, including any application programs and the architecture of the SIS.

10.2 General requirements

The safety requirements shall be derived from the allocation of SIF and from those requirements identified during H&RA. The SIS requirements shall be expressed and structured in such a way that they are:
• clear, precise, verifiable, maintainable and feasible;
• written to aid comprehension and interpretation by those who will utilise the information at any phase of the safety life-cycle.
10.3 SIS safety requirements

10.3.1 The objective of 10.3 is to address issues that shall be considered when developing the SIS safety requirements.

10.3.2 These requirements shall be sufficient to design the SIS and shall include a description of the intent and approach applied during the development of the SIS safety requirements, as applicable:
• a description of all the SIF necessary to achieve the required functional safety (e.g., a cause and effect diagram, logic narrative);
• a list of the plant input and output devices related to each SIF which is clearly identified by the plant means of equipment identification (e.g., field tag list);
• requirements to identify and take account of common cause failures;
• a definition of the safe state of the process for each identified SIF, such that a stable state has been achieved and the specified hazardous event has been avoided or sufficiently mitigated;
• a definition of any individually safe process states which, when occurring concurrently, create a separate hazard (e.g., overload of emergency storage, multiple relief to flare system);
• the assumed sources of demand and demand rate on each SIF;
• requirements relating to proof test intervals;
• requirements relating to proof test implementation;
• response time requirements for each SIF to bring the process to a safe state within the process safety time;
NOTE See IEC 61511-2:2016 for further discussion of process safety time.
• the required SIL and mode of operation (demand/continuous) for each SIF;
• a description of SIS process measurements, range, accuracy and their trip points;
• a description of SIF process output actions and the criteria for successful operation, e.g., leakage rate for valves;
• the functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives for each SIF;
• requirements for manual shutdown for each SIF;
• requirements relating to energize or de-energize to trip for each SIF;
• requirements for resetting each SIF after a shutdown (e.g., requirements for manual, semi-automatic, or automatic final element resets after trips);
• maximum allowable spurious trip rate for each SIF;
• failure modes for each SIF and desired response of the SIS (e.g., alarms, automatic shut-down);
• any specific requirements related to the procedures for starting up and restarting the SIS;
• all interfaces between the SIS and any other system (including the BPCS and operators);
• a description of the modes of operation of the plant and requirements relating to SIF operation within each mode;
• the application program safety requirements as listed in 10.3.3;
• requirements for bypasses including written procedures to be applied during the bypassed state which describe how the bypasses will be administratively controlled and then subsequently cleared;
• the specification of any action necessary to achieve or maintain a safe state of the process in the event of fault(s) being detected in the SIS, taking into account all relevant human factors;
• the mean repair time which is feasible for the SIS, taking into account the travel time, location, spares holding, service contracts, environmental constraints;
• identification of the dangerous combinations of output states of the SIS that need to be avoided;
• identification of the extremes of all environment conditions that are likely to be encountered by the SIS during shipping, storage, installation and operation. This may require consideration of the following: temperature, humidity, contaminants, grounding, electromagnetic interference/radio frequency interference (EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification, flooding, lightning, and other related factors;
• identification of normal and abnormal process operating modes for both the plant as a whole (e.g., plant start-up) and individual plant operating procedures (e.g., equipment maintenance, sensor calibration or repair). Additional SIFs may be required to support these process operating modes;
• definition of the requirements for any SIF necessary to survive a major accident event, e.g., time required for a valve to remain operational in the event of a fire.

10.3.3 The application program safety requirements shall be derived from the SRS and chosen architecture (arrangement and internal structure) of the SIS. The application program safety requirements may be located in the SRS or in a separate document (e.g., application program requirements specification). The input to the application program safety requirements for each SIS subsystem shall include:
a) the specified safety requirements of each SIF, including sensor voting, etc.;
b) the requirements resulting from the SIS architecture and the safety manual such as limitations and constraints of the hardware and embedded software;
c) any requirements of safety planning arising from 5.2.4.
10.3.4 The application program safety requirements shall be specified for each programmable SIS device necessary to implement the required SIF consistent with the architecture of the SIS.

10.3.5 The application program safety requirements specification shall be sufficiently detailed to allow the design and implementation to achieve the required functional safety and to allow a functional safety assessment to be carried out. The following shall be considered:
• the SIFs supported by the application program and their SIL;
• real time performance parameters such as CPU capacity, network bandwidth, acceptable real time performance in the presence of faults, and that all trip signals are received within a specified time period;
• program sequencing and time delays if applicable;
• equipment and operator interfaces and their operability;
• all relevant modes of operation of the process as specified in the SRS;
• action to be taken on a bad process variable such as sensor value out of range, excessive rate of change, frozen value, detected open circuit, detected short circuit;
• functions enabling proof testing and automated diagnostic tests of external devices (e.g., sensors and final elements) performed in the application program;
• application program self-monitoring (e.g., application driven watch-dogs and data range validation);
• monitoring of other devices within the SIS (e.g., sensors and final elements);
• any requirements related to periodic testing of SIF when the process is operational;
• references to the input documents (e.g., specification of the SIF, configuration or architecture of the SIS, hardware safety integrity requirements of the SIS);
• the requirements for communication interfaces, including measures to limit their use and the validity of data and commands both received and transmitted;
• process dangerous states (for example closure of two isolation gas valves at the same time that could lead to pressure fluctuations thus leading to a dangerous state) generated by the application program shall be identified and avoided;
• definitions of process variable validation criteria for each SIF.
10.3.6 The application program safety requirements specification shall be expressed and structured in such a way that they:
• describe the intent and approach underpinning the application program safety requirements;
• are clear and understandable to those who will utilize the document at any phase of the SIS safety life-cycle; this includes the use of terminology and descriptions which are unambiguous and understood by all users (e.g., plant operators, maintenance personnel, application programmers);
• are verifiable, testable, modifiable;
• are traceable back through all deliverables including the detailed design documents, the SRS and the H&RA that identifies the required SIF and SIL.

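The bad-value handling items of 10.3.5 (sensor value out of range, excessive rate of change, frozen value, detected open and short circuit, and validation criteria per SIF) worked through for one analogue trip input, as an added example (editor's code, not part of IEC 61511-1 and not an IEC 61131 application program). The 4-20 mA fault-current bands, the 0-100 bar transmitter range, the trip point, the rate and frozen-value limits and the scan data are all assumptions constructed for the illustration.

```python
"""Bad-value handling for one 4-20 mA analogue trip input, illustrating the
application program items of 10.3.5: out-of-range, excessive rate of change,
frozen value, detected open and short circuit, and per-SIF validation criteria.

Example added by the editor; not code from IEC 61511-1 and not an IEC 61131
application program.  The fault-current bands (NAMUR NE43 style), the 0-100 bar
transmitter range, the trip point and the scan data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPEN_CIRCUIT_MA = 3.6    # assumed: loop current below this = open circuit / failure low
SHORT_CIRCUIT_MA = 21.0  # assumed: loop current above this = short circuit / failure high


@dataclass
class AnalogueTripInput:
    range_lo: float            # engineering value at 4 mA
    range_hi: float            # engineering value at 20 mA
    trip_point: float          # SIF trip set point, engineering units
    max_rate: float            # largest credible change between two scans
    frozen_scans: int          # identical consecutive scans before "frozen" is raised
    last_value: Optional[float] = None
    same_count: int = 0

    def to_eu(self, ma: float) -> float:
        return self.range_lo + (ma - 4.0) * (self.range_hi - self.range_lo) / 16.0

    def evaluate(self, ma: float) -> Tuple[str, bool]:
        """Return (status, trip_demand).  Every bad-value status produces a
        trip demand: the assumed SRS fault reaction is de-energise to trip,
        so an unverified input is never silently treated as healthy."""
        if ma < OPEN_CIRCUIT_MA:
            return "open_circuit", True
        if ma > SHORT_CIRCUIT_MA:
            return "short_circuit", True
        if not 4.0 <= ma <= 20.0:
            return "out_of_range", True          # live loop, but outside the calibrated span
        value = self.to_eu(ma)
        status = "ok"
        if self.last_value is not None:
            if abs(value - self.last_value) > self.max_rate:
                status = "rate_of_change"
            if value == self.last_value:
                self.same_count += 1
                if self.same_count >= self.frozen_scans:
                    status = "frozen"
            else:
                self.same_count = 0
        self.last_value = value
        return status, status != "ok" or value >= self.trip_point


def run_scans(channel: AnalogueTripInput, scan_ma: List[float]) -> List[Tuple[str, bool]]:
    return [channel.evaluate(ma) for ma in scan_ma]


# Constructed scan sequence (mA): healthy, then a stuck value, a jump, a real
# high-pressure excursion, an over-span reading, a broken loop and a shorted loop.
SAMPLE_SCAN_MA = [12.0, 12.1, 12.1, 12.1, 12.1, 18.5, 19.0, 20.5, 3.2, 22.0]

if __name__ == "__main__":
    pt = AnalogueTripInput(range_lo=0.0, range_hi=100.0, trip_point=90.0,
                           max_rate=10.0, frozen_scans=3)
    for ma, (status, trip) in zip(SAMPLE_SCAN_MA, run_scans(pt, SAMPLE_SCAN_MA)):
        print(f"{ma:5.1f} mA  status={status:15s} trip_demand={trip}")
```

The design choice worth noting is that a detected fault and a genuine excursion both end in a trip demand; what differs is the status, which is what the fault-reaction and alarm requirements of 10.3.2 are written against. In a voted architecture the same status would instead degrade the vote (for example 2oo3 to 1oo2) as the SRS directs.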
11 SIS design and engineering

11.1 Objective

The objective of the requirements of Clause 11 is to design one or multiple SIS to provide the SIF and meet the specified integrity requirements (e.g., SIL, associated risk reduction, PFD and/or PFH).

11.2 General requirements

11.2.1 The design of the SIS shall be in accordance with the SIS safety requirements specifications, taking into account all the requirements of Clause 11.

11.2.2 Where the SIS is to implement both SIFs and non-SIFs then all the hardware, embedded software and application program that can negatively affect any SIF under normal and fault conditions shall be treated as part of the SIS and comply with the requirements for the highest SIL of any of the SIFs it can impact.

11.2.3 Where the SIS is to implement SIF of different SIL, then the shared or common hardware and embedded software and application program shall conform to the highest SIL.

NOTE Embedded software or application programs of different SIL could coexist in the same device provided it can be demonstrated that the SIF of lower SIL cannot negatively affect the SIF of the higher SIL.

11.2.4 If it is intended not to qualify the BPCS to the IEC 61511 series, then the SIS shall be designed to be separate and independent from the BPCS to the extent that the safety integrity of the SIS is not compromised.

NOTE 1 Operating information can be exchanged but not compromise the functional safety of the SIS.

NOTE 2 Devices of the SIS can also be used for functions of the BPCS if it can be demonstrated that a failure of the BPCS does not compromise the SIF of the SIS.

11.2.5 Requirements for operability, maintainability, diagnostics, inspection and testability shall be addressed during the design of the SIS in order to reduce the likelihood of dangerous failures.
11.2.6 The design of the SIS shall take into account human capabilities and limitations and be suitable for the tasks assigned to operators and maintenance staff. The design of operator interfaces shall follow good human factors practice and shall accommodate the likely level of training that operators should receive.

NOTE 1 For example, human factor studies may be necessary if operation requires data entry of limits or other operator input on a regular basis.

11.2.7 The SIS shall be designed in such a way that once it has placed the process in a safe state, the process shall remain in the safe state until a reset has been initiated unless otherwise directed by the SRS.

11.2.8 Manual means (e.g., emergency stop push button), independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the SRS.

11.2.9 The design of the SIS shall take into consideration all aspects of independence and dependency between the SIS and BPCS, and the SIS and other protection layers.

11.2.10 A device used by the BPCS shall not be used by the SIS where a failure of that device may result in both a demand on the SIF and a dangerous failure of the SIF, unless an analysis has been carried out to confirm that the overall risk is acceptable.

NOTE When a part of the SIS is also used for control purposes and a dangerous failure of the common equipment would cause a demand on the function performed by the SIS, then a new risk is introduced. The additional risk is dependent on the dangerous failure rate of the shared device because if the shared device fails, a demand will be created immediately to which the SIS may not be capable of responding. For that reason, additional analysis can be necessary in these cases to ensure that the dangerous failure rates of the shared devices are sufficiently low. Sensors and valves are examples where sharing of equipment with the BPCS is often considered.

11.2.11 For any SIS device that on loss of utility (e.g., electrical power, air, hydraulics or pneumatic supply) does not fail to the safe state, loss of utility and SIS circuit integrity shall be detected and alarmed (e.g., end-of-line monitoring, supply pressure measurement, hydraulic or pneumatic pressure monitoring) and action taken according to 11.3.

NOTE 1 Utility integrity can be improved through using a supplementary supply (e.g., battery back-up, uninterruptible power supplies, air reservoir, hydraulic accumulator, second gas supply).

NOTE 2 The loss of a utility is likely to affect multiple SIFs and, possibly, multiple SISs.

11.2.12 The design of the SIS shall be such that it provides the necessary resilience against the identified security risks (see 8.2.4).

NOTE Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.

11.2.13 A safety manual covering operation, maintenance, fault detection and constraints associated with the SIS shall be available covering the intended configurations of the devices and the intended operating environment.

11.2.14 All communications used to implement a SIF shall be established using techniques appropriate for safety applications to meet the required SIL.

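As an added illustration of the measures 11.2.14 and the communication-interface item of 10.3.5 call for (editor's code, not part of IEC 61511-1 and not any standardised safety-communication profile): a receiver that accepts a SIF-related value only when the frame is intact, comes from the expected source, carries a sequence number newer than the last accepted one and is not older than a watchdog time, and that demands the safe state when no valid frame arrives in time. The frame layout (source id, sequence number, send time, value, CRC-32), the watchdog time and the sample exchange are assumptions constructed for the example.

```python
"""Validity checks on frames carrying a SIF-related value over a communication
link, illustrating the 10.3.5 item on validity of received data and commands
and 11.2.14.

Example added by the editor; not code from IEC 61511-1 and not any
standardised safety-communication profile.  The frame layout (source id,
sequence number, send time, value, CRC-32), the watchdog time and the sample
exchange are assumptions for illustration.
"""
import struct
import zlib
from typing import List, Optional, Tuple

HEADER = struct.Struct("<HIdf")  # source id, sequence number, send time (s), value


def build_frame(source: int, seq: int, send_time: float, value: float) -> bytes:
    body = HEADER.pack(source, seq, send_time, value)
    return body + struct.pack("<I", zlib.crc32(body))


class SafetyReceiver:
    """Accepts a frame only if it is intact, from the expected source, newer
    than the last accepted one and not older than the watchdog time."""

    def __init__(self, expected_source: int, max_age_s: float):
        self.expected_source = expected_source
        self.max_age_s = max_age_s
        self.last_seq = -1
        self.last_good_time: Optional[float] = None

    def receive(self, frame: bytes, now: float) -> Tuple[str, Optional[float]]:
        if len(frame) != HEADER.size + 4:
            return "length", None
        body, crc = frame[:HEADER.size], struct.unpack("<I", frame[HEADER.size:])[0]
        if zlib.crc32(body) != crc:
            return "crc", None                       # corruption
        source, seq, send_time, value = HEADER.unpack(body)
        if source != self.expected_source:
            return "source", None                    # insertion / misrouting
        if seq <= self.last_seq:
            return "replay_or_reorder", None         # repetition, wrong order
        if not 0.0 <= now - send_time <= self.max_age_s:
            return "stale", None                     # unacceptable delay
        self.last_seq, self.last_good_time = seq, now
        return "ok", value

    def safe_state_required(self, now: float) -> bool:
        """Watchdog: with no valid frame inside max_age_s the logic solver must
        treat the link as failed and apply the SRS fault reaction."""
        return self.last_good_time is None or now - self.last_good_time > self.max_age_s


def run_exchange() -> Tuple[List[Tuple[str, Optional[float]]], bool]:
    """Constructed exchange: one good frame, then four faulty ones."""
    rx = SafetyReceiver(expected_source=7, max_age_s=1.0)
    good = build_frame(7, 1, 0.0, 50.0)
    corrupted = bytearray(build_frame(7, 2, 0.1, 51.0))
    corrupted[-5] ^= 0xFF                            # flip bits in the value field
    results = [
        rx.receive(good, now=0.0),
        rx.receive(bytes(corrupted), now=0.1),
        rx.receive(good, now=0.2),                   # replay of frame 1
        rx.receive(build_frame(9, 3, 0.3, 52.0), now=0.3),   # wrong source
        rx.receive(build_frame(7, 4, 0.3, 52.0), now=2.0),   # delivered 1.7 s late
    ]
    return results, rx.safe_state_required(now=2.0)


if __name__ == "__main__":
    results, safe = run_exchange()
    for reason, value in results:
        print(f"{reason:18s} value={value}")
    print("safe state required:", safe)
```

A CRC alone only addresses corruption; the sequence number, source check and age check are what defeat replayed, inserted and delayed frames, and the watchdog turns silence into a defined fault reaction instead of a stale last value. A real safety link would additionally authenticate the frames, since CRC-32 offers no protection against a deliberate sender.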
11.3 Requirements for system behaviour on detection of a fault

11.3.1 When a dangerous fault in a SIS has been detected (by diagnostic tests, proof tests or by any other means) then compensating measures shall be taken to maintain safe operation. If safe operation cannot be maintained, a specified action to achieve or maintain a safe state of the process shall be taken. Where the compensating measures depend on an operator taking specific action in response to an alarm (e.g., opening or closing a valve) then the alarm shall be considered part of the SIS.
NOTE 1 The specified action (fault reaction) required to achieve or maintain a safe state of the process can be specified in the SRS (see 10.3.1). It can consist of the safe shutdown of the process or of that part of the process which relies on the faulty SIS for risk reduction.

NOTE 2 The compensating measures required for continued safe operations can depend on safety integrity requirements, the tolerable risk associated with the hazardous event, the hardware fault tolerance of the SIS, the anticipated MRT and the availability of any other layers of protection. In some cases it can be adequate to ensure action is taken to ensure repair of the dangerous failure within the MRT assumed in the calculation of the PFDavg, but in other cases it can be judged necessary to provide other measures to compensate for the reduced risk reduction until the SIS is fully restored. See also 16.2.3.

11.3.2 Where any dangerous fault in an SIS is brought to the attention of an operator by an alarm then the alarm shall be subject to appropriate proof testing and management of change.

11.4 Hardware fault tolerance

11.4.1 The SIS shall have a minimum HFT with respect to each SIF it implements.

NOTE This does not exclude the possibility that the HFT may be reduced below the minimum requirement at certain times during operation of the system following the occurrence of faults.

11.4.2 When the SIS can be split into independent SIS subsystems (e.g., sensors, logic solvers and final elements), then the HFT can be assigned at the SIS subsystem level.

11.4.3 The HFT of the SIS or its SIS subsystems shall be in accordance with:
• 11.4.5 to 11.4.9 of Clause 11 or,
• the requirements of 7.4.4.2 (route 1H) of IEC 61508-2:2010 or,
• the requirements of 7.4.4.3 (route 2H) of IEC 61508-2:2010.
NOTE The route developed in IEC 61511 is derived from route 2H of IEC 61508-2:2010.

11.4.4 When determining the achieved HFT, certain faults may be excluded, provided that the likelihood of them occurring is very low in relation to the safety integrity requirements. Any such fault exclusions shall be justified and documented.

NOTE Further information about fault exclusion can be found in ISO 13849-1:2006 and ISO 13849-2:2012.

11.4.5 The minimum HFT for a SIS (or its SIS subsystems) implementing a SIF of a specified SIL shall be in accordance with Table 6 and, if appropriate, 11.4.6 and 11.4.7.

NOTE The HFT requirements in Table 6 represent the minimum system or, where relevant, the SIS subsystem redundancy. Depending on the application, device failure rate and proof-testing interval, additional redundancy can be required to satisfy the failure measure for the SIL of the SIF according to 11.9.

Table 6 – Minimum HFT requirements according to SIL

SIL                                   Minimum required HFT
1 (any mode)                          0
2 (low demand mode)                   0
2 (high demand or continuous mode)    1
3 (any mode)                          1
4 (any mode)                          2

11.4.6 For a SIS or SIS subsystem that does not use FVL or LVL programmable devices, and if the minimum HFT as specified in Table 6 would result in additional failures and lead to decreased overall process safety, then the HFT may be reduced. This shall be justified and documented. The justification shall provide evidence that the proposed architecture is suitable for its intended purpose and meets the safety integrity requirements.
NOTE Fault tolerance is the preferred solution to achieve the required confidence that a robust architecture has been achieved. When 11.4.6 applies, the purpose of the justification is to demonstrate that the proposed alternative architecture provides an equivalent or better solution. This may vary depending on the application and/or the technology in use; examples include: back-up arrangements (e.g., analytical redundancy, replacing a failed sensor output by physical calculation results from other sensor outputs); using more reliable items of the same technology (if available); changing for a more reliable technology; decreasing common cause failure impact by using diversified technology; increasing the design margins; constraining the environmental conditions (e.g., for electronic components); decreasing the reliability uncertainty by gathering more field feedback or expert judgment.

11.4.7 If a fault tolerance equal to zero results from applying 11.4.6, the justification required by 11.4.6 shall provide evidence that the related dangerous failure modes can be excluded, in accordance with 11.4.4, including consideration of the potential for systematic failures.

11.4.8 FVL and LVL programmable devices shall have diagnostic coverages not less than 60 %.

11.4.9 Reliability data used in the calculation of the failure measure shall be determined by an upper bound statistical confidence limit of no less than 70 %.

11.5 Requirements for selection of devices

11.5.1 Objectives
The objectives of the requirements of 11.5 are to:
• specify the requirements for the selection of devices which are to be used as part of the SIS;
• specify the requirements to enable a device to be integrated in the architecture of a SIS;
• specify acceptance criteria for devices in terms of associated SIF and safety integrity requirements.

11.5.2 General requirements
11.5.2.1 Devices selected for use as part of a SIS with a specified SIL shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010 and/or 11.5.3 through 11.5.6, as appropriate.

NOTE Devices assessed against IEC 61508-2:2010 and IEC 61508-3:2010 can be applied in accordance with the requirements for systematic capability in IEC 61508-2:2010.

11.5.2.2 All devices shall be suitable for the operating environment as determined through consideration of the manufacturer's documentation, the constraints within the SRS and the reliability parameters assumed in respect of 11.9. Suitability of the selected devices shall always be considered in the context of the operating environment.

NOTE Devices may exhibit different failure rates dependent on the operating environment and mode of operation. Failure rate data available from manufacturers may not be valid in all applications. For example, the failure rate and failure mode distribution can be different for a valve that is frequently exercised versus one that stands still for long periods of time.

11.5.3 Requirements for the selection of devices based on prior use

11.5.3.1 Appropriate evidence shall be available that the devices are suitable for use in the SIS.

NOTE 1 The main intent of the prior use evaluation is to gather evidence that the dangerous systematic faults have been reduced to a sufficiently low level compared to the required safety integrity.

NOTE 2 Level of detail of the evidence can be in accordance with the complexity of the considered device.

NOTE 3 A prior use evaluation involves gathering documented information concerning the device performance in a similar operating environment. Prior use demonstrates the functionality and integrity of the installed device, including the process interfaces, full device boundary, communications, and utilities. The main intent of the prior use evaluation is to gather evidence that the dangerous systematic faults have been reduced to a sufficiently low level compared to the required safety integrity.
NOTE 4 Prior use data can contribute to a database for the calculation of hardware failure rates as described in 11.9.3.

11.5.3.2 The evidence of suitability shall include the following:
• consideration of the manufacturer's quality, management and configuration management systems;
• adequate identification and specification of the devices;
• demonstration of the performance of the devices in similar operating environments;
NOTE 1 In the case of field devices (e.g., sensors and final elements) fulfilling a given specification, the behaviour of the device in the operating environment is usually identical in safety and non-safety applications. Therefore, evidence of the performance of similar devices in non-safety applications can also be used to satisfy this requirement.
• the volume of the operating experience.
NOTE 2 For field devices, information relating to operating experience is mainly recorded in the user's list of equipment approved for use in their facilities, based on an extensive history of successful performance in safety and non-safety applications, and on the elimination of equipment not performing in a satisfactory manner. The list of field devices can be used to support claims of experience in operation, provided that:
– the list is updated and monitored regularly;
– field devices are only added when sufficient operating experience has been obtained;
– field devices are removed when they show a history of not performing in a satisfactory manner;
– the operating environment is included in the list where relevant.
NOTE 3 Device performance is highly affected by the operating environment. It is generally recommended that selection of devices can be based on adequate performance of an installed sufficient number of devices in multiple installations for a sufficient operating time. The gained experience can allow time to reveal early failures, such as those related to specification, handling, installation, and commissioning.
NOTE 4 The amount of operational experience to gain credible statistical reliability data is typically much higher compared to the operational experience necessary to get evidence of prior use.

11.5.3.3 All devices selected on the basis of prior use shall be identified by a specified revision number and shall be under the control of a management of change procedure. In the case of a change being made to the device, the continued validity of the evidence of prior use shall be justified by evaluating the significance of the change made.

11.5.4 Requirements for selection of FPL programmable devices (e.g., field devices) based on prior use
11.5.4.1 For SIL 1, SIL 2, and SIL 3, the requirements of 11.5.2 and 11.5.3 apply, together with the following subclauses.

11.5.4.2 All configuration options of the device possibly influencing safety shall be identified and considered. It is important to check that wherever specific settings are not defined that the default settings of the device are confirmed to be appropriate. Unused features of the devices shall be identified in the evidence of suitability, and it shall be established that they are unlikely to jeopardize the required SIF.

11.5.4.3 For the specific configuration and operating environment of the device, the evidence of suitability shall consider:
• characteristics of input and output signals;
• modes of use;
• functions and configurations used;
• prior use in similar operating environments.
11.5.4.4 In addition, for SIL 3 applications, an assessment of the FPL device shall be carried out to show that:
• the FPL device is both able to perform the required functions and that prior use has shown there is a low enough probability that it will fail in a way which could lead to a hazardous event when used as part of the SIS, due to either random hardware failures or systematic faults in hardware or software;
• appropriate standards for hardware and software have been applied;
• the FPL device has been used or tested in configurations representative of the intended operational profiles.
11.5.5 Requirements for selection of LVL programmable devices based on prior use
11.5.5.1 The following requirements apply to PE devices used in SISs which implement SIL 1 or SIL 2 SIFs.

11.5.5.2 The requirements of 11.5.4 apply.

11.5.5.3 Where there is any difference between the operating environment of a device as experienced previously, and the operating environment of the device when used within the SIS, then any such differences shall be identified and there shall be an assessment based on analysis and testing, as appropriate, to show that the likelihood of systematic faults when used in the SIS is sufficiently low.

11.5.5.4 The operating experience considered necessary to justify the suitability shall be determined taking into account:
• the SIL of the SIF;
• the complexity and functionality of the devices.
11.5.5.5 For SIL 1 or 2 applications, a safety configured PE logic solver may be used provided that all the following additional provisions are met:
• understanding of unsafe failure modes;
• use of techniques for safety configuration that address the identified failure modes;
• the embedded software has a good history of use for safety applications;
• protection against unauthorized or unintended modifications.
NOTE A safety configured PE logic solver is a general purpose industrial grade PE logic solver which is specifically configured by the OEM, a systems engineer or the end-user for use in safety applications.

11.5.5.6 A formal assessment of any PE logic solver used in a SIL 2 application shall be carried out to show that:
• it is both able to perform the required functions and that prior use has shown there is a low enough probability that it will fail in a way which could lead to a hazardous event when used as part of the SIS, due to either random hardware failures or systematic faults in hardware or software;
• measures are implemented to detect faults during program execution and initiate appropriate responses; these measures shall comprise all of the following:
– program sequence monitoring;
– protection of code against modifications or failure detection by on-line monitoring;
– failure assertion or diverse programming;
– range check of variables or plausibility check of values;
– modular approach;
– appropriate coding standards have been used for the embedded and utility software;
– testing in typical configurations, with test cases representative of the intended operational profiles;
– trusted verified software modules and components have been used;
– the system has undergone dynamic analysis and testing;
– the system does not use artificial intelligence or dynamic reconfiguration;
– documented fault-insertion testing (negative testing) has been performed.
11.5.6 Requirements for selection of FVL programmable devices
When the applications are programmed using a FVL, the PE device shall be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010.

11.6 Field devices
11.6.1 Field devices shall be selected and installed to minimize failures that could result in inaccurate information due to conditions arising from the operating environment. Conditions that should be considered include corrosion, freezing of materials in pipes, suspended solids, polymerization, coking, temperature and pressure extremes, condensation in dry-leg impulse lines, and insufficient condensation in wet-leg impulse lines.

11.6.2 Energize to trip circuits shall apply means to ensure circuit and power supply integrity.

NOTE 1 An example of such means is an end-of-line monitor, where a pilot current is continuously monitored to detect circuit continuity and where the pilot current is not of sufficient magnitude to affect proper I/O operation.

NOTE 2 Additional requirements for loss of power can be found in 11.2.11.

11.6.3 Smart sensors shall be write-protected to prevent inadvertent modification, unless appropriate safety review (e.g., H&RA) allows the use of read/write.

NOTE The review can take into account human factors such as failure to follow procedures.

11.7 Interfaces
11.7.1 General
Interfaces to the SIS can include, but are not limited to:
• operator interface(s);
• maintenance/engineering interface(s);
• communication interface(s).
11.7.2 Operator interface requirements
11.7.2.1 Where the SIS operator interface is via the BPCS operator interface, account shall be taken of credible failures that may occur in the BPCS operator interface.

NOTE This can include preparing plans to enable an orderly safe shutdown in the event of total failure of the operational displays.

11.7.2.2 The design of the SIS shall minimize the need for operator selection of options and the need to bypass the system while hazards are present. If the design does require the use of operator actions, the design should include facilities for protection against operator error.

NOTE If the operator has to select a particular option, there can be a confirmation step.

11.7.2.3 Bypass switches or means shall be protected to prevent unauthorized use (e.g., by key locks or passwords in conjunction with effective management controls).

NOTE Consideration can be given to enforcing time limits on bypass operation and to limiting the number of bypasses that can be active at any one time.

11.7.2.4 The SIS status information that is critical to maintaining the SIF shall be available as part of the operator interface. This information may include:
• where the process is in its sequence;
• indication that SIS protective action has occurred;
• indication that a protective function is bypassed;
• indication that automatic action(s) such as degradation of voting and/or fault handling has occurred;
• status of sensors and final elements;
• the loss of energy where that energy loss impacts safety;
• the results of diagnostics;
• failure of environmental conditioning equipment which is necessary to support the SIS.
11.7.2.5 The SIS operator interface design (see 11.7.2.7) shall be such as to prevent changes to the SIS application program.

11.7.2.6 Where information is transferred from the BPCS to the SIS, systems, equipment or procedures shall be applied to confirm that the correct information has been transferred and that the safety integrity of the SIS is not compromised.

NOTE The systems, equipment or procedures used can include control over selective writing from the BPCS to specific SIS variables.

11.7.2.7 The design of the SIS operator interface via the BPCS operator interface shall be such that provision of incorrect information or data from the BPCS to the SIS shall not compromise safety.

11.7.3 Maintenance/engineering interface requirements

11.7.3.1 The design of the SIS maintenance/engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to carry out the required SIFs. This may require disconnecting of maintenance/engineering interfaces, such as programming panels, during normal SIS operation.

11.7.3.2 The maintenance/engineering interface shall provide the following functions with access security protection to each:
• SIS mode of operation, program, data, means of disabling alarm communication, test, bypass, maintenance;
• SIS diagnostics, voting and fault handling services;
• add, delete, or modify application program;
• data necessary to troubleshoot the SIS;
• where bypasses are required they should be installed such that alarms and manual shutdown facilities are not disabled.
11.7.3.3 The maintenance/engineering interface shall not be used as the operator interface.
11.7.3.4 Enabling and disabling the read-write access shall be carried out only by a configuration management process using the maintenance/engineering interface with appropriate documentation and security measures such as authentication and user secure channels.

11.7.4 Communication interface requirements

11.7.4.1 The design of any SIS communication interface shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to achieve or maintain a safe state of the process.
11.7.4.2 When the SIS is able to communicate with the BPCS and peripherals, the communication interface, BPCS, or peripherals shall not adversely impact any of the SIFs within the SIS.

11.7.4.3 The communication interface shall be sufficiently robust to withstand electromagnetic interference including power surges without causing a dangerous failure of the SIS.

11.7.4.4 The communication interface shall be suitable for communication between devices referenced to different electrical ground potentials.

NOTE An alternate medium (e.g., fibre optics) can be required.

11.8 Maintenance or testing design requirements

11.8.1 The design shall allow for testing of the SIS either end-to-end or in segments. Where the interval between scheduled process downtime is greater than the proof test interval, then on-line test facilities are required.

NOTE The term "end-to-end" means from process fluid at sensor end to process fluid at actuation end.

11.8.2 When on-line proof testing is required, test facilities shall be an integral part of the SIS design.

11.8.3 When test or bypass facilities are included in the SIS, they shall conform with the following:
• The SIS shall be designed in accordance with the maintenance and testing requirements defined in the SRS;
• The operator shall be alerted to the bypass of any portion of the SIS via an alarm or operating procedure.
11.8.4 The maximum time the SIS is allowed to be in bypass (repair or testing) while safe operation of the process is continued shall be defined.

11.8.5 Compensating measures that ensure continued safe operation shall be provided in accordance with 11.3 when the SIS is in bypass (repair or testing).

11.8.6 Forcing of inputs and outputs in PE SIS shall not be used as a part of application program(s), operating procedure(s) and maintenance (except as noted below).

Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be announced or set off an alarm, as appropriate.

11.9 Quantification of random failure

11.9.1 The calculated failure measure of each SIF shall be equal to, or better than, the target failure measure related to the SIL as specified in the SRS. This shall be determined by calculation.

NOTE In complex applications, the hazardous event frequency can be used as an alternative to the target failure measures (e.g., where different demand causes have different safety integrity requirements or where non-independent SISs act in sequence).

11.9.2 The calculated failure measure of each SIF due to random failures shall take into account all contributing factors including the following:
a) the architecture of the SIS and of its SIS subsystems where relevant as they relate to each SIF under consideration;
b) the estimated failure rate related to each failure mode, due to random hardware failures, which would contribute to a dangerous failure of the SIS but which are detected by diagnostic tests;
c) the estimated failure rate related to each failure mode, due to random hardware failures, which would contribute to a dangerous failure of the SIS which are undetected by the diagnostic tests but which are detected by proof tests;
d) the estimated failure rate related to each failure mode, due to random hardware failure, which would contribute to a dangerous failure of the SIS which are undetected by the diagnostic tests and undetected by proof tests;
e) the susceptibility of the SIS to failures caused by the proof tests themselves;
f) the susceptibility of the SIS to common cause failures;
g) the diagnostic coverage of any periodic diagnostic tests, the associated diagnostic test interval and the probability of failure of the diagnostic facilities;
h) the coverage of any periodic proof tests, the associated proof test procedure and the reliability for the proof test facilities and procedure;
i) the repair times for detected failures and the state of the SIS during repairs (on line or off line);
j) the estimated dangerous failure rate of any communication process in any modes which would cause a dangerous failure of the SIS (both detected and undetected by diagnostic tests);
k) the estimated likelihood that operator response would cause a dangerous failure of the SIS (both detected and undetected by diagnostic tests);
l) the reliability of any utility necessary for the SIS.
NOTE Several modelling approaches are available and the most appropriate approach is a matter for the analyst and can depend on the circumstances. Available means include (see IEC 61508-6:2010, annex B):
– cause consequence analysis;
– reliability block diagrams;
– fault-tree analysis;
– Markov models;
– Petri nets models.

The probabilistic calculations can be performed analytically or by numerical simulation (e.g., Monte Carlo simulation).

11.9.3 The reliability data used when quantifying the effect of random failures shall be credible, traceable, documented, justified and shall be based on field feedback from similar devices used in a similar operating environment.

NOTE 1 This includes user collected data, vendor/provider/user data derived from data collected on devices, data from general field feedback reliability databases, etc. In some cases, engineering judgement can be used to assess missing reliability data or evaluate the impact on reliability data collected in a different operating environment.

NOTE 2 The lack of reliability data reflective of the operating environment is a recurrent shortcoming of probabilistic calculations. End-users can organize relevant device reliability data collections in accordance with IEC 60300-3-2:2004 or ISO 14224:2006 to improve the implementation of the IEC 61511 series.

NOTE 3 Vendor data based on returns can be restricted to a population where there is full knowledge of the operational environment and fully recorded in accordance with IEC 60300-3-2:2004 or ISO 14224:2006. The user can also record the operational environment for the SIF and be able to demonstrate that the vendor's operational environment data matches the environment of the SIF.

11.9.4 The reliability data uncertainties shall be assessed and taken into account when calculating the failure measure.

NOTE 1 The reliability data uncertainties can be evaluated according to the amount of field feedback (less field feedback results in more uncertainty) or/and exercise of expert judgement. Published standards (IEC 60605-4), Bayesian approaches, engineering judgement techniques, etc. can be used to estimate the reliability data uncertainties.
NOTE 2 The following techniques can be used for calculating the failure measures (more information can be found in IEC 61511-2:2016):
– use of an upper bound confidence of 70 % for each input reliability parameter instead of its mean in order to obtain conservative point estimations of the failure measures, or;
– use the probability distribution functions of the input reliability parameters, perform Monte Carlo simulations to obtain a histogram representing the distribution of the failure measure and assess a conservative value from this distribution (e.g., that there is a 90 % confidence that the true failure measure is better than the value calculated).

11.9.5 If, for a particular design, the target failure measure for the relevant SIF is not achieved then:
a) identify the devices or parameters contributing most to the failure measure;
NOTE Fault tree cut-set analysis can be useful here.
b) evaluate the effect of possible improvement measures on the identified devices or parameters (e.g., more reliable devices, additional defences against common mode failures, increased diagnostic or proof test coverage, increased redundancy, reduced proof test interval, staggering tests, etc.);
c) select and implement improvement measures to establish the new result;
d) compare the new result to the target failure measure and repeat the steps a) to d) until the target failure measure is achieved in a conservative manner.
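The following is an added worked example, not part of IEC 61511-1 and not the standard's own method: it derives a 70 % upper confidence bound on a failure rate from constructed field feedback (11.4.9, 11.9.4 NOTE 2), feeds it into a simplified 1oo1 PFDavg model whose terms map to items b), c), d), g), h) and i) of 11.9.2, compares the result with an SRS target (11.9.1), reports the largest contributor (11.9.5 a)) and shows the Monte Carlo alternative of 11.9.4 NOTE 2. The PFD formula is the simplified single-channel model of IEC 61508-6 extended with proof test coverage; the lognormal error factor, the failure counts, the device-hours and the target are all assumptions chosen for illustration.

```python
"""Added worked example, not text of IEC 61511-1: a simplified random hardware
failure calculation for one low-demand 1oo1 SIF. It walks the 70 % upper
confidence bound of 11.4.9 and 11.9.4 NOTE 2, the contributing factors of
11.9.2 b), c), d), g), h), i), the compare-to-target rule of 11.9.1, the
largest-contributor step of 11.9.5 a) and the Monte Carlo option of 11.9.4
NOTE 2. The PFD formula is the simplified 1oo1 model of IEC 61508-6 extended
with proof test coverage; every number below is constructed, not device data."""
import math
import random


def poisson_cdf(n, mu):
    """P(N <= n) for a Poisson variable of mean mu (summed in log space)."""
    if mu <= 0.0:
        return 1.0
    return sum(math.exp(-mu + k * math.log(mu) - math.lgamma(k + 1))
               for k in range(n + 1))


def upper_bound_failure_rate(failures, device_hours, confidence=0.70):
    """One-sided upper confidence limit on a constant failure rate (per hour).

    Returns lambda_U such that seeing at most `failures` events in
    `device_hours` has probability 1 - confidence. This equals the
    chi-square quantile chi2(confidence, 2*failures + 2) / (2 * device_hours);
    it is solved by bisection on the Poisson CDF so only the stdlib is needed.
    """
    tail = 1.0 - confidence
    lo, hi = 0.0, 1.0                      # bracket expressed in expected events
    while poisson_cdf(failures, hi) > tail:
        hi *= 2.0
    for _ in range(200):                   # bisection; the CDF decreases in mu
        mid = 0.5 * (lo + hi)
        if poisson_cdf(failures, mid) > tail:
            lo = mid
        else:
            hi = mid
    return hi / device_hours


def pfd_terms_1oo1(lambda_d, dc, proof_test_interval_h, proof_test_coverage,
                   mission_time_h, mttr_h, mrt_h):
    """PFDavg contributions of a single channel, keyed by 11.9.2 item.

    lambda_d is split by diagnostic coverage dc (item g) into dangerous
    detected and dangerous undetected rates; the undetected share is split by
    proof test coverage (item h) into failures found at the next proof test
    and failures only revealed over the mission time. Detected failures are
    exposed for the repair time only (item i).
    """
    lambda_dd = dc * lambda_d
    lambda_du = (1.0 - dc) * lambda_d
    return {
        "b) dangerous detected": lambda_dd * mttr_h,
        "c) dangerous undetected, found by proof test":
            lambda_du * proof_test_coverage * (proof_test_interval_h / 2.0 + mrt_h),
        "d) dangerous undetected, not found by proof test":
            lambda_du * (1.0 - proof_test_coverage) * (mission_time_h / 2.0),
    }


def pfd_avg_1oo1(lambda_d, **params):
    """Total average probability of failure on demand for the 1oo1 channel."""
    return sum(pfd_terms_1oo1(lambda_d, **params).values())


def largest_contributor(terms):
    """11.9.5 a): the term that contributes most to the failure measure."""
    return max(terms, key=terms.get)


def pfd_percentile(lambda_d_median, error_factor, params, percentile=0.90,
                   samples=20000, seed=1):
    """11.9.4 NOTE 2, second option: propagate a lognormal uncertainty on
    lambda_d (median plus 95 % error factor, an assumed distribution) through
    the PFD model by Monte Carlo and return the requested percentile."""
    rng = random.Random(seed)
    sigma = math.log(error_factor) / 1.6449     # EF = exp(1.645 * sigma)
    mu = math.log(lambda_d_median)
    results = sorted(pfd_avg_1oo1(rng.lognormvariate(mu, sigma), **params)
                     for _ in range(samples))
    return results[min(int(round(percentile * samples)), samples - 1)]


if __name__ == "__main__":
    # Constructed field feedback: 2 dangerous failures over 4 000 000 device-hours.
    lam_point = 2 / 4.0e6
    lam_70 = upper_bound_failure_rate(2, 4.0e6)          # conservative input (11.4.9)
    params = dict(dc=0.6, proof_test_interval_h=8760, proof_test_coverage=0.9,
                  mission_time_h=87600, mttr_h=8, mrt_h=8)
    terms = pfd_terms_1oo1(lam_70, **params)
    pfd = sum(terms.values())
    target = 1.0e-3                                       # from the SRS (constructed)
    print(f"lambda point {lam_point:.2e}/h, 70 % upper bound {lam_70:.2e}/h")
    print(f"PFDavg {pfd:.2e} vs target {target:.0e}: "
          f"{'meets' if pfd <= target else 'does not meet'} (11.9.1)")
    print("largest contributor:", largest_contributor(terms))
    print(f"90th percentile via Monte Carlo: {pfd_percentile(lam_point, 3.0, params):.2e}")
```

With imperfect proof test coverage the never-detected term d) grows with mission time and typically dominates, which is the kind of parameter 11.9.5 b) asks to improve before adding redundancy.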

12 SIS application program development

12.1 Objective

The objective of Clause 12 is to define the requirements for the development of the application program.

12.2 General requirements

12.2.1 The application program of the SIS shall be in accordance with the application program safety requirements (see 10.3.3) and all the requirements of this clause for all SIL up to and including SIL 3.

12.2.2 The application programmer shall review the information in the SRS and the application program safety requirements to ensure that the requirements are comprehensive, unambiguous, understandable and consistent. Any deficiencies in the application program safety requirements shall be identified and resolved, and if changes are made to the application program safety requirements, an impact analysis shall be carried out.

12.2.3 The IEC 61511 series addresses programming in Limited Variability Languages (LVL) and the use of devices using Fixed Program Languages (FPL). The IEC 61511 series does not address Full Variability Language (FVL) and the IEC 61511 series does not address SIL 4 application programming. Where function blocks are written in FVL then these shall be developed and modified under IEC 61508-3:2010.

12.2.4 Where the application program of the SIS is to implement both safety and non-safety functions, then all of the application program shall be treated as part of the SIS and shall comply with this standard and in addition, it shall be shown through assessment and test that the non-safety functions cannot interfere with the safety functions.

12.2.5 The application program shall be designed in such a way as to ensure that once the SIS has placed the process in a safe state, the process remains in the safe state, including under loss of power conditions and on power restoration, until a reset has been initiated unless otherwise directed by the SRS.

NOTE 1 If the SIF does not have a reset then there can be a documented engineering argument as to why it is acceptable to reinitiate the process without requiring the safe delay a reset would impose.
NOTE 2 More information can be found in 11.2.7.

12.2.6 During SIS start-up (or power up) the application program shall ensure that safety outputs remain in the safe state (typically de-energized state) until a reset has been initiated unless otherwise directed by the SRS.

12.2.7 The application program shall be designed in such a way that all parts of the application program are executed on every application program scan unless there is a specific alternate requirement that is supported in the safety manual. Process safety time requirements shall be considered when establishing application program scanning requirements.
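The following is an added example, not text of IEC 61511-1: a scan-cycle model of one de-energize-to-trip SIF output that exhibits the behaviour 12.2.5 to 12.2.7 require, namely a trip latched until a deliberate reset, a safe (de-energized) output on start-up or power restoration, and all logic evaluated on every scan. The class, its method names and the scan sequence are constructed for illustration; a real SIS implements this in the logic solver's LVL.

```python
"""Added example, not text of IEC 61511-1: a scan-cycle model of one
de-energize-to-trip SIF output showing the behaviour required by 12.2.5 to
12.2.7. The trip is latched until a deliberate reset, the output powers up in
the safe (de-energized) state, a reset is ignored while the demand persists
or when it is merely held from before power-up, and every branch runs on
every scan. Written in Python for illustration; a real SIS implements this
in the logic solver's LVL (e.g. function block diagram or ladder)."""


class TripLatch:
    """State of one SIF output across application program scans (constructed)."""

    def __init__(self):
        self.power_up()

    def power_up(self):
        """Cold or warm start (12.2.6): come up tripped, output de-energized,
        and remember the reset input as 'already high' so that a reset push
        button stuck or held at start-up cannot count as a new reset."""
        self.tripped = True
        self.output_energized = False
        self._reset_prev = True

    def scan(self, demand, reset):
        """One application program scan (12.2.7): all steps execute every
        time, in the same order, and the output is written unconditionally."""
        # Step 1: any demand trips and latches (12.2.5).
        if demand:
            self.tripped = True
        # Step 2: reset only on a rising edge of the reset input, only when
        # the demand has cleared, and only if the SIF is currently tripped.
        reset_edge = reset and not self._reset_prev
        if reset_edge and not demand and self.tripped:
            self.tripped = False
        self._reset_prev = reset
        # Step 3: output assignment is unconditional; energized means 'run'.
        self.output_energized = not self.tripped
        return self.output_energized


def run_scans(latch, inputs):
    """Apply a sequence of (demand, reset) input pairs; returns output per scan."""
    return [latch.scan(demand, reset) for demand, reset in inputs]


if __name__ == "__main__":
    latch = TripLatch()
    # Constructed scan sequence: start-up, reset, demand, demand clears,
    # reset attempted during demand, reset held, released, reset again.
    trace = run_scans(latch, [(False, False), (False, True), (True, False),
                              (False, False), (True, True), (False, True),
                              (False, False), (False, True)])
    print(trace)   # [False, True, False, False, False, False, False, True]
```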

12.2.8 The SIS application program and data shall be subject to modification, revision control, version management, back-up and restoration procedures.

12.2.9 The SIS application program safety life cycle planning shall address the following aspects:
• SIS safety life-cycle phases and activities that are to be applied during the design and development of the application program. These requirements include the application of measures and techniques, which are intended to avoid errors in the application program and to control failures which may occur;
• information relating to the application program validation to be passed to the organization carrying out the SIS integration;
• preparation of information and procedures needed by the user for operation and maintenance of the SIS;
• procedures and specifications to be met by the organization carrying out modifications of the application program.
12.3 Application program design
12.3.1 An application program design shall address all SIS logic including all process operating modes for each SIF.

12.3.2 The input to the application program design shall be the SRS including the application program requirements (see Clause 10), the SIS architecture (see Clause 11) and the means and tools for developing the application program design (see 12.6). The application program design shall be consistent with and traceable back to the SRS.

12.3.3 The application program design shall allow an assessment of functional safety to be carried out.

12.3.4 The application program design and its decomposition into modules if applicable, shall address how the requirements are to be implemented, including the following as appropriate:
• the functions that enable the process to achieve or maintain a safe state;
• the specification of all identified application program components, and the description of connections and interactions between identified components;
• the timing constraints associated with the application program functions and their implementation in program scan time(s);
• a detailed description of the standard library modules (function blocks) being used;
• a detailed description of the application specific modules (function blocks) being used;
• a description of the way memory allocation has been achieved;
• the list of global variables used and the way in which their integrity is protected;
IEC 61511-1:2016+AMD1:2017 CSV – 65 –
© IEC 2017
• identification of all non-SIF and the interfaces to non-safety related parts of the application program, to ensure that they cannot affect the proper operation of any SIF;
• definition of input and output interfaces, including tag listings and the associated data types;
• details of the data exchanged between the SIS application program and the operator interfaces;
• details of the data exchanged between the SIS application program and the BPCS and peripherals such as printers, data storage, etc.;
• how external and internal diagnostic information will be processed and logged;
• detailed description of how the operation and maintenance interfaces are implemented, including the way in which alarms are prioritised, indicated and accepted;
• a detailed description of any application level diagnostics that may be implemented such as external watchdogs, application data integrity checking, sensor validation to meet the required SIL;
• system configuration checks including the existence and accessibility of expected hardware devices and software modules;
• how the complexity in the application program design is minimised e.g., through use of modular design and simple functionality;
• functions related to the detection, annunciation and management of faults in SIS subsystems;
• functions related to the periodic testing of SIF on-line;
• functions related to the periodic testing of SIF off-line;
• functions that allow maintenance of the SIS to be carried out safely;
• references to documents on which the application program design specification is based.

12.3.5 The application program design shall ensure:
• completeness with respect to the SRS and its intended purpose;
• correctness with respect to the SRS and its intended purpose;
• freedom from ambiguity, i.e., clear to those who will utilize the document at any stage of the SIS safety life-cycle; this includes the use of terminology and descriptions which are unambiguous and understood by plant operators and system maintainers, as well as the application programmers;
• freedom from design faults.
12.4 Application program implementation

12.4.1 The application program development methodology shall comply with the development tools and restrictions given by the manufacturer of the SIS PE subsystem on which the application program shall be used.

12.4.2 The following information shall be contained in the application program or related documentation:
a) the application program originator;
b) a description of the purpose of the application program;
c) the versions of the safety manuals that were used;
d) identification of the dependency of each SIF on the parts (modules) of the application program;
e) traceability to the application program safety requirements specification;
f) identification of each SIF and its SIL;
g) identification and description of the symbols used, including logic conventions, standard library functions, application library functions;
h) identification of the SIS logic solver input and output signals;
i) where the overall SIS utilises communications, a description of the communications information flow;
NOTE An example would be where a SIF uses several logic solvers.
j) a description of the program structure, including a description of the order of the logical processing of data with respect to the input/output sub-systems and any limitations imposed by scan times;
k) if required by the SRS, the means by which:
• the correctness of field data is ensured (e.g., comparison between analog sensors to improve the diagnostic coverage);
• the correctness of data sent over a communication link is ensured (e.g., when communicating from an HMI, before implementation of a command an 'ack' or 'acknowledge' is transmitted);
• communications are made secure (e.g., cyber security measures);
l) version identification and a history of changes.
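The means listed under item k), as an added example in Python that is not text from the standard or code from any vendor's logic solver: comparison of redundant analog sensors, an acknowledge handshake before an HMI command is implemented, and message authentication on the link as one possible cyber security measure. The tag names, ranges, key and readings are constructed, and the voting policy is an assumption of this example, not something the standard prescribes.

```python
"""Added example, not text from IEC 61511-1 or any vendor's logic solver: three of
the measures listed in item k) modelled in plain Python so the behaviour can be
inspected. Tag names, ranges, the key and all readings are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


# --- correctness of field data: comparison between redundant analog sensors ---

@dataclass(frozen=True)
class AnalogRange:
    """Engineering range of a transmitter; readings outside it are treated as bad."""
    low: float
    high: float

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


def validate_pair(a: float, b: float, rng: AnalogRange, max_dev: float) -> dict:
    """Compare two redundant analog sensors; return the value to use and its quality.

    Policy (constructed for this example; the SRS defines the real one): both in
    range and within max_dev -> mean, 'good'; one out of range -> the other,
    'degraded', failed sensor flagged; disagreement or both out of range -> no
    value, 'bad', so the caller takes the safe action its SRS defines.
    """
    a_ok, b_ok = rng.contains(a), rng.contains(b)
    if a_ok and b_ok:
        if abs(a - b) <= max_dev:
            return {"value": (a + b) / 2, "quality": "good", "flags": []}
        return {"value": None, "quality": "bad", "flags": ["discrepancy"]}
    if a_ok:
        return {"value": a, "quality": "degraded", "flags": ["sensor_b_out_of_range"]}
    if b_ok:
        return {"value": b, "quality": "degraded", "flags": ["sensor_a_out_of_range"]}
    return {"value": None, "quality": "bad", "flags": ["both_out_of_range"]}


# --- correctness and security of data over a communication link ---

@dataclass
class CommandChannel:
    """Logic-solver side of an HMI command link.

    A command is implemented only after (1) its sequence number is the next one
    expected, (2) its HMAC tag verifies under the shared key, and (3) the HMI
    returns a matching 'ack' for that sequence number. Replayed, tampered or
    mismatched messages are rejected. The key is a constructed placeholder.
    """
    key: bytes
    pending: dict = field(default_factory=dict)   # seq -> command awaiting ack
    implemented: list = field(default_factory=list)
    last_seq: int = 0

    def tag(self, seq: int, command: str) -> str:
        """Tag the HMI computes over (seq, command) with the same shared key."""
        return hmac.new(self.key, f"{seq}:{command}".encode(), hashlib.sha256).hexdigest()

    def request(self, seq: int, command: str, tag: str) -> bool:
        """Accept a command for acknowledgement, or reject it."""
        if seq != self.last_seq + 1:
            return False                      # replayed or out-of-order message
        if not hmac.compare_digest(self.tag(seq, command), tag):
            return False                      # tag mismatch: altered or unauthenticated
        self.last_seq = seq
        self.pending[seq] = command
        return True

    def acknowledge(self, seq: int, command: str) -> bool:
        """Implement the command only if the ack matches the pending request."""
        if self.pending.get(seq) != command:
            return False
        del self.pending[seq]
        self.implemented.append(command)
        return True


def demo() -> dict:
    """Exercise both measures on constructed data and return what was observed."""
    rng = AnalogRange(0.0, 100.0)             # constructed: 0 to 100 % of span
    good = validate_pair(40.2, 40.9, rng, max_dev=2.0)
    disagree = validate_pair(40.2, 55.0, rng, max_dev=2.0)
    one_failed = validate_pair(-3.0, 41.0, rng, max_dev=2.0)   # sensor A under-range

    ch = CommandChannel(key=b"constructed-demo-key")
    accepted = ch.request(1, "RESET_PT-101", ch.tag(1, "RESET_PT-101"))
    forged = ch.request(2, "BYPASS_PT-101", "00" * 32)   # wrong tag, rejected
    wrong_ack = ch.acknowledge(1, "BYPASS_PT-101")       # ack for a different command
    good_ack = ch.acknowledge(1, "RESET_PT-101")
    replay = ch.acknowledge(1, "RESET_PT-101")           # second ack is stale
    return {"good": good, "disagree": disagree, "one_failed": one_failed,
            "accepted": accepted, "forged": forged, "wrong_ack": wrong_ack,
            "good_ack": good_ack, "replay": replay, "implemented": ch.implemented}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```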
12.4.3 If previously developed application program library functions are to be used as part of the design, their suitability shall be justified and based upon:
• compliance to IEC 61508; if proven-in-use evaluation for FVL in compliance to IEC 61508-3:2010 is undertaken, the programmable devices on which the application program library functions execute shall also be evaluated as proven-in-use according to IEC 61508-2:2010; or
• compliance to IEC 61511 prior use requirements (see 11.5.4 or 11.5.5) when using FPL or LVL;
• in all cases, demonstrating that any unused functions do not adversely impact the application program.

12.4.4 The application program shall be produced in a structured way so as to achieve:
• modular decomposition of the functionality;
• keep the complexity of SIF application program to a minimum consistent with that of the complexity of the required SIF;
• testability of functionality (including fault tolerant features) and of the internal structure of the application program;
• traceability to, and explanation of, application functions and associated constraints;
• one to one mapping between the hardware architecture and application program architecture.

12.5 Requirements for application program verification (review and testing)

12.5.1 Verification planning shall be carried out in accordance with Clause 7.

12.5.2 The application program including its documentation shall be reviewed by a competent person not involved in the original development. The approach used for the review and the review results shall be documented.

12.5.3 The application program, including its decomposition into modules if appropriate, shall be verified through review, analysis, simulation and testing techniques using written procedures and test specifications, that shall be carried out to confirm that the application program functions meet the SRS and that unintended functions are not executed and that there are no unintended side effects with respect to the SIF. The following shall be addressed:
• conformance to the application program design specification, the defined means and procedures, and the requirements of safety validation and test planning;
• exercising of all parts of the application program;
• exercising a representative range of data conditions;
• testing for failure conditions (i.e., negative testing);
• timing and the sequence of execution;
• testing of communications to and from the SIS;
• integration of the off-line application program with the logic solver hardware and the underlying PE;
• internal data flow checks to confirm that the logic solver is not just apparently working, but is working as expected;
• when possible, integration of the application program and 3rd party devices.

12.5.4 The mapping of the I/O data to the application program, including data type and range, shall be verified.

12.5.5 During testing, modifications to the application program shall be subject to an impact analysis in order to determine:
• all application program parts impacted;
• the necessary re-design and re-verification activities.

12.5.6 The results of application program testing shall be documented and include:
• the versions of the application program and its supporting documentation being tested;
• the versions of supporting software and test tools;
• names of the person(s) who performed the tests and reviews and dates;
• descriptions of the tests, reviews and dates performed;
• the test results;
• whether the objective and criteria of the tests have been met;
• if there was a failure during the test, the reasons why the failure occurred, the analysis of the failure and the records of its correction and re-test requirements.

12.6 Requirements for application program methodology and tools

12.6.1 The application program development shall comply with the constraints in the applicable safety manual(s).

NOTE When reviewing the safety manual(s), if required for a specific application, additional procedures for and/or constraints on the use of methodologies and tools can be implemented.

12.6.2 Methods, techniques and tools shall be selected and applied for each life-cycle phase so as to:
• minimize the risk of introducing faults into the application program;
• reveal and remove faults that already exist in the application program;
• ensure as far as is practicable that any faults remaining in the application program will not lead to unacceptable results;
• enhance the means of managing modifications of the application program throughout the lifetime of the SIS;
• provide evidence that the application program has the required quality.
13 Factory acceptance test (FAT)

13.1 Objective

The objective of Clause 13 is to test the devices of the SIS to ensure that the requirements defined in the SRS are met.

NOTE 1 By testing the logic solver, associated software and hardware prior to installation, errors can be readily identified and corrected.

NOTE 2 The FAT is sometimes referred to as an integration test and can be part of the validation.

NOTE 3 Testing of field elements together with the logic solver can be recommended when there needs to be a high confidence in operation prior to final installation, e.g., subsea applications.

13.2 Recommendations

13.2.1 The need for a FAT shall be specified during the safety planning for a project.

NOTE 1 Close co-operation between the logic solver supplier and design contractor can be required in order to develop the integration tests.

NOTE 2 The activities follow the design and development phases and precede the installation and commissioning.

NOTE 3 The activities are applicable to the SIS subsystems with or without programmable electronics.

NOTE 4 It is usual for the FAT to take place in a factory environment prior to installation and commissioning in the plant.

13.2.2 The planning for a FAT shall specify the following:
• Types of tests to be performed including black-box system functionality tests; performance tests; internal checks; performance tests; environmental tests; interface testing; testing in degraded or faulted condition; exception testing; testing for safe reaction in case of power failure (including restart after power restored); and application of the SIS maintenance and operating manuals;
NOTE 1 Black-box functionality testing is a test design method that treats the system as a “black box”, so it does not explicitly use knowledge of its internal structure. Black-box test design is usually described as focusing on testing function requirements. Synonyms for black box include behavioural, functional, opaque-box, and closed-box testing.
NOTE 2 Performance tests determine whether the system meets timing, reliability and availability, integrity, safety targets and constraints.
NOTE 3 Environmental tests include EMC, life- and stress-testing.
NOTE 4 Internal data flow checks can be carried out to confirm that the SIS is processing input data and generating output response as specified.
• Test cases, test description and test data;
NOTE 5 Clarity in defining who is responsible for developing the test case and who is going to be responsible for carrying out the test and witnessing the test can be very important.
• Dependence on other systems/interfaces;
• Test environment and tools;
• Logic solver, sensor and final element configuration;
• Test criteria on which the completion of the test shall be judged;
• Procedures for corrective action on failure of test;
• Test personnel competences;
• Physical location;
• Hazards posed by the testing especially dealing with stored energy;
• A clear diagram of the test set-up;
• Recording of tests conducted, data, results and observations whilst the tests are being conducted.
NOTE 6 Tests that cannot be physically demonstrated are normally resolved by a formal line of reasoning as to why the SIS achieves the requirement, target or constraint.

13.2.3 The FAT shall take place on a defined version of the logic solver.

13.2.4 The FAT shall be conducted in accordance with the FAT planning. These tests shall show that all the logic performs correctly.

13.2.5 For each test carried out the following shall be addressed:
• the version of the test planning being used;
• the SIF and performance characteristic being tested;
• the detailed test procedures and test descriptions;
• a chronological record of the test activities;
• the tools, equipment and interfaces used.

13.2.6 The results of FAT shall be documented, stating:
• the test cases;
• the test results;
• whether the objectives and test criteria have been met.
If there is a failure during test, the reasons for the failure shall be documented and analysed and the appropriate corrective action should be implemented.

13.2.7 During FAT, any modification or change shall be subject to a safety analysis to determine:
• the extent of impact on each SIF;
• the extent of testing and verification which shall be defined and implemented.
NOTE Commissioning can commence whilst corrective action is undertaken, depending on the results of the FAT.

14 SIS installation and commissioning

14.1 Objectives

The objectives of the requirements of Clause 14 are to:
• install the SIS according to the specifications and drawings;
• commission the SIS so that it is ready for final system validation.
NOTE The purpose of commissioning activities is to ensure that each of the SIS devices is individually ready to operate, as specified in the design phase.

14.2 Requirements

14.2.1 Installation and commissioning planning shall define all activities required for installation and commissioning. The planning shall provide the following:
• the installation and commissioning activities;
• the procedures, measures and techniques to be used for installation and commissioning;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities.
Installation and commissioning planning may be integrated in the overall project planning where appropriate.
14.2.2 All SIS devices shall be properly installed according to the design and installation plan(s).

14.2.3 The SIS shall be commissioned in accordance with planning in preparation for the final system validation. Commissioning activities shall include, but not be limited to, confirmation of the following:
• earthing (grounding) has been properly connected;
• energy sources have been properly connected and are operational;
• transportation stops and packing materials have been removed;
• no physical damage is present;
• all instruments have been properly calibrated and configured;
• all field devices are operational;
• logic solver and input/outputs are operational;
• the interfaces to other systems and peripherals are operational;
• all communications between remote SIS systems are operational.

14.2.4 Appropriate records of the commissioning of the SIS shall be produced, stating the results of the activities and whether the objectives and criteria identified during the design phase have been met. If there is a failure, the reasons for the failure shall be recorded.

14.2.5 Where it has been established that the actual installation does not conform to the design information then the difference shall be evaluated by a competent person and impact of the difference on safety shall be determined. If it is established that the difference has no impact on safety, then the design information shall be updated to “as-built” status. If the difference has a negative impact on safety, then the installation shall be modified to meet the design requirements.

15 SIS safety validation

15.1 Objective

The objective of the requirements of Clause 15 is to validate, through inspection and testing, that the installed and commissioned SIS and its associated SIF(s) achieve the requirements as stated in the SRS.

NOTE This is sometimes referred to as a site acceptance test (SAT).

15.2 Requirements

15.2.1 Validation planning of the SIS shall be carried out throughout the SIS safety life-cycle and shall define all activities and equipment required for validation. The following items shall be included:
• the validation activities including validation of the SIS with respect to the SRS including implementation and resolution of resulting recommendations;
• validation of all relevant process operating modes of the process and its associated equipment including:
– preparation for use including setting and adjustment;
– start-up, automatic, manual, semi-automatic, steady state of operation;
– re-setting, shutdown, maintenance;
– other modes identified in previous phases of the SIS safety life-cycle;
• the procedures, measures and techniques to be used for validation, including how validation activities can be performed without putting the plant and process at risk of the hazardous events the SIS is to protect against;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities and the levels of independence for validation activities;
• reference to information against which validation shall be carried out (e.g., cause and effect chart);
• the equipment and facilities that need to be installed or made available (e.g., isolation valves and leak detection equipment that will be needed for the testing of valves).
NOTE Examples of validation activities include loop testing, logic testing, calibration procedures, simulation of application program.

15.2.2 Validation planning for the application program shall include the following:
• identification of the application program functions which need to be validated for each process operating mode before commissioning begins;
• the technical strategy for the validation including (where relevant):
– manual and automated techniques;
– static and dynamic techniques;
– analytical and statistical techniques;
• in accordance with the preceding bullet, the measures (techniques) and procedures that will be used for confirming that each SIF conforms with the specified safety requirements and the specified SIL;
• the required environment in which the validation activities are to take place (e.g., for tests this would include calibrated tools and equipment);
• the application program;
• the pass/fail criteria for accomplishing validation including:
– the required process and operator input signals with their sequences and their values;
– the anticipated output signals with their sequences and their values;
– other acceptance criteria, for example memory usage, timing and value tolerances;
• the policies and procedures for evaluating the results of the validation, particularly failures;
• all documents (see Clause 19) are validated for accuracy, consistency and traceability of the SIF from inception during the H&RA through the final installed SIF.

15.2.3 Where measurement accuracy is required as part of the validation then instruments used for this function should be calibrated against a specification traceable to a standard within an uncertainty appropriate to the application. If such a calibration is not feasible, an alternative method shall be used and documented.

15.2.4 The validation of the SIS and its associated SIF(s) shall be carried out in accordance with the SIS validation planning. Validation activities shall include, but not be limited to, the following:
• confirmation that the SIS performs under normal and abnormal process operating modes (e.g., start-up, shutdown) as identified in the SRS;
• confirmation that adverse interaction of the BPCS and other connected systems does not affect the proper operation of the SIS;
• the SIS properly communicates (where required) with the BPCS or any other system or network, including during abnormal conditions such as a data overload;
• sensors, logic solver, and final elements perform in accordance with the SRS, including all redundant channels, including abnormal condition such as data overload;
NOTE If a factory acceptance test (FAT) was performed on the logic solver as described in Clause 13, credit can be taken for validation of the logic solver by the FAT. After all equipment is installed in the plant, full loop validation will test the logic solver functionality and its connections to other SIS subsystems.
• SIS design documentation is consistent with the installed system;
• confirmation that the SIF performs as specified on invalid process variable values (e.g., out of range);
• the proper shutdown sequence is activated;
• the SIS provides the proper annunciation and proper operation display;
• computations that are included in the SIS are correct for expected range of values but also at limits and over the limits;
• the SIS reset functions perform as defined in the SRS;
• bypass functions operate correctly;
• start-up overrides operate correctly;
• manual shutdown systems operate correctly;
• the proof-test policy documented in the maintenance procedures;
• diagnostic alarm functions perform as required;
• confirmation that the SIS performs as required on loss of utilities (e.g., electrical power, air, hydraulics) and confirmation that, when the utilities are restored, the SIS returns to the desired state;
• confirmation that the EMC immunity, as specified in the SRS (see 10.3), has been achieved.

15.2.5 The validation of the application program shall determine whether:
• all of the specified application program safety requirements (see 10.3.2) are correctly performed;
• the application program does not jeopardize the safety requirements under SIS fault conditions and in degraded modes of operation and for BPCS fault conditions for any interfaces between the SIS and BPCS;
• the application program does not jeopardize the safety requirements by executing “unused” software functionality, i.e., functionality not defined in the specification.
The information of the validation activities shall be available.

15.2.6 The results from the validation plan activities shall represent and cover the entire SIS validation process. SIS validation documentation shall be produced which provides:
• the version of the SIS validation planning being used;
• the SIF(s) under test (or analysis), along with the specific reference to the requirement identified during the SIS validation planning;
• tools and equipment used, along with their calibration data;
• the results of each test;
• the version of the test specification used;
• the criteria for acceptance of the completed tests;
• the version of the SIS hardware, application program(s), and other software being tested;
• any discrepancy between expected and actual results and the resolution of that discrepancy;
• the analysis made and the decisions taken on whether to continue the test or to issue a change request, in the case where discrepancies occur.

15.2.7 The results shall be verified against the expected results. All discrepancies shall be analysed and the findings shall be available as part of the validation documentation. This shall include the analysis made and the decisions taken on whether to continue the validation or to issue a change request and to return to an earlier part of the development life-cycle.

15.2.8 After the SIS validation and prior to the identified hazards being present, the following activities shall be carried out:
• all bypass functions (e.g., PE logic solver and PE sensor forces, disabled alarms) shall be returned to their normal position;
• all process isolation valves shall be set according to the process start-up requirements and procedures;
• all test materials (e.g., fluids) shall be removed;
• all commissioning overrides and force permissives shall be removed.

16 SIS operation and maintenance

16.1 Objectives

The objectives of the requirements of Clause 16 are to ensure that:
• the required SIL of each SIF is maintained during operation and maintenance;
• the SIS is operated and maintained in a way that sustains the required safety integrity.

16.2 Requirements

16.2.1 Operation and maintenance planning for the SIS shall be carried out. It shall provide the following:
• routine and abnormal operation activities;
• inspection, proof testing, preventive and breakdown maintenance activities;
• the procedures, measures and techniques to be used for operation and maintenance;
• the operational response to faults and failures identified by diagnostics, inspections or proof-tests;
• verification of conformity to operations and maintenance procedures;
• when these activities shall take place;
• the persons, departments and organizations responsible for these activities;
• a SIS maintenance plan.
NOTE The SIS maintenance plan can state different maintenance features depending on the SIL level.

16.2.2 Operation and maintenance procedures shall be developed in accordance with the relevant safety planning and shall provide the following:
a) the routine methods and procedures which need to be carried out to maintain the "as designed" functional safety of the SIS;
b) the procedures used to ensure the quality and consistency of proof testing, and to ensure adequate validation is being performed after replacement of any device;
c) the measures and constraints that are necessary to prevent an unsafe state and/or reduce the consequences of a hazardous event during maintenance or operation (e.g., when a system needs to be bypassed for testing or maintenance, what additional risk reduction needs to be implemented);
d) the methods and procedures which are used to test the diagnostics;
e) the information which needs to be maintained on SIS failure and the demand rates on the SIS;
f) procedures for collecting data related to the demand rate and SIS reliability parameters;
NOTE 1 Collection and analysis of failure data has many benefits including the potential to reduce maintenance costs if failure rates in operation are significantly lower than what was predicted during design. Implementation costs of new installations can also be reduced because new designs can be based on less conservative failure rates.
g) the information which needs to be maintained showing results of audits and tests on the SIS;
h) the maintenance procedures to be followed when faults or failures occur in the SIS, including:
• procedures for fault diagnostics and repair;
• procedures for revalidation;
• maintenance reporting requirements;
• procedures for tracking maintenance performance.
NOTE 2 Considerations include:
– procedures for reporting failures;
– procedures for analysing systematic failures;
– the actions to allow safe shutdown in the event of BPCS failure;
– ensuring that test equipment is properly calibrated and maintained.

16.2.3 Operation procedures shall be made available. Compensating measures that ensure continued safety while the SIS is disabled or degraded due to bypass (repair or testing) shall be applied with the associated operation limits (duration, process parameters, etc.). The operator shall be provided with information on the procedures to be applied before and during bypass and what should be done before the removal of the bypass and the maximum time allowed to be in the bypass state. This information shall be reviewed on a regular basis.

NOTE The operating and maintenance procedures can include verification that bypasses are removed after proof testing.

16.2.4 Continued process operation with a SIS device in bypass shall only be permitted if a hazards analysis has determined that compensating measures are in place and that they provide adequate risk reduction. Operating procedures shall be developed accordingly.

16.2.5 Operation and maintenance shall proceed in accordance with the relevant procedures.

16.2.6 Operators shall be trained on the function and operation of the SIS in their area. This training shall ensure that they understand:
• how the SIS functions (trip points and the resulting action that is taken by the SIS);
NOTE 1 This can also include impact of an SIS action to remaining operational plant.
• the hazard the SIS is protecting against;
• the correct operation and management of all bypass/override switches and under what circumstances these bypasses are to be used;
• the operation of any manual shutdown switches and manual start-up activity and when these manual switches are to be activated;
NOTE 2 This can include “system reset” and “system restart”.
• expectation on activation of any diagnostic alarms (e.g., what action shall be taken when any SIS alarm is activated indicating there is a problem with the SIS);
• the proper verification of the diagnostics.
IEC 61511-1:2016+AMD1:2017 CSV – 75 –
© IEC 2017
16.2.7 The status of all bypasses shall be recorded in a bypass log. All bypasses need authorization and indication.
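The bypass requirements of 16.2.3, 16.2.4 and 16.2.7 (authorization, compensating measures, a maximum time in bypass, and removal after the work is done) can be checked mechanically against the bypass log. The following is an added example, not part of IEC 61511-1 or any vendor product: the record layout, the field names and the sample log entries are constructed assumptions, and a real log would carry whatever fields the site procedure defines.

```python
"""Review a SIS bypass log against 16.2.3, 16.2.4 and 16.2.7.

Added example, not part of IEC 61511-1. The record layout, the field names and
the sample log entries are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class BypassRecord:
    """One entry of a (hypothetical) bypass log."""
    tag: str                              # bypassed SIS device
    sif: str                              # SIF the device belongs to
    applied: datetime
    removed: Optional[datetime]           # None: bypass still active
    authorized_by: Optional[str]          # None: no authorization recorded (16.2.7)
    max_hours: float                      # maximum time allowed in bypass (16.2.3)
    compensating_measure: Optional[str]   # None: none recorded (16.2.4)
    work_completed: Optional[datetime]    # when the repair/test the bypass was applied for ended


def review_bypass_log(records: List[BypassRecord], now: datetime) -> List[str]:
    """Return one finding per violated requirement; an empty list means the log is clean."""
    findings: List[str] = []
    for r in records:
        end = r.removed or now
        hours_in_bypass = (end - r.applied).total_seconds() / 3600.0
        who = f"{r.tag}/{r.sif}"
        if r.authorized_by is None:
            findings.append(f"{who}: bypass applied without recorded authorization")
        if r.compensating_measure is None:
            findings.append(f"{who}: no compensating measure recorded for the bypass")
        if hours_in_bypass > r.max_hours:
            state = "still active" if r.removed is None else "removed late"
            findings.append(
                f"{who}: bypass exceeded the maximum of {r.max_hours:g} h "
                f"({hours_in_bypass:.1f} h, {state})"
            )
        if r.removed is None and r.work_completed is not None:
            findings.append(f"{who}: bypass left in place after the work it was applied for was completed")
    return findings


# Constructed sample log; T0 is an arbitrary reference time.
T0 = datetime(2024, 3, 4, 8, 0)
SAMPLE_LOG = [
    # clean: authorized, compensating measure, removed within the limit after the test
    BypassRecord("PT-101", "SIF-01", T0, T0 + timedelta(hours=3), "supervisor A", 8,
                 "operator watch on PT-102 with manual trip", T0 + timedelta(hours=2, minutes=30)),
    # applied without authorization
    BypassRecord("XV-205", "SIF-02", T0, None, None, 24,
                 "manual isolation valve closed", None),
    # repair bypass active for 34 h against a 24 h limit
    BypassRecord("TT-310", "SIF-03", T0 - timedelta(hours=30), None, "supervisor B", 24,
                 "local gauge checked hourly", None),
    # proof test finished but the bypass was never removed (NOTE to 16.2.3)
    BypassRecord("FT-412", "SIF-04", T0, None, "supervisor A", 8,
                 "operator watch on FT-413", T0 + timedelta(hours=1)),
]
NOW = T0 + timedelta(hours=4)


if __name__ == "__main__":
    for finding in review_bypass_log(SAMPLE_LOG, NOW):
        print(finding)
```

Run against the sample log at NOW, the review reports three findings (XV-205 unauthorized, TT-310 over its limit, FT-412 left in bypass after the test) and nothing for PT-101. The same review, run at shift handover, gives the "indication" that 16.2.7 asks for without relying on someone remembering which bypasses are active.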

16.2.8 Maintenance personnel shall be trained as required to sustain full functional performance of the SIS (hardware and software) to meet the target SIL of each SIF.

16.2.9 Discrepancies between expected behaviour and actual behaviour of the SIS shall be analysed and, where necessary, modifications made such that the required safety is maintained. This shall include monitoring the following:
• the demand rate on each SIF (see 5.2.5.3);
• the actions taken following a demand on the system;
• the failures and failure modes of equipment forming part of the SIS, including those identified during normal operation, inspection, testing or demand on a SIF;
• the cause of the demands;
• the cause and frequency of spurious trips;
• the failure of equipment forming part of any compensating measures.
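The first and fifth items of 16.2.9 (demand rate and spurious trips) are the ones most easily turned into a periodic check over the trip records, and the demand rate matters twice: a rate above the H&RA assumption changes the risk reduction required, and a rate above one demand per year moves the SIF out of low demand mode, so a PFDavg-based SIL verification no longer applies. The following is an added example, not part of IEC 61511-1: the event layout, the sample events, the assumed demand rates and the factor-of-two tolerance are constructed assumptions.

```python
"""Track demand rate and spurious trips per SIF (16.2.9).

Added example, not part of IEC 61511-1. The event log layout, the sample
events and the assumed demand rates are constructed for illustration. The
one-demand-per-year threshold is the IEC 61511-1 boundary between low demand
mode and high demand mode; the factor-of-two tolerance is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

HOURS_PER_YEAR = 8760.0
LOW_DEMAND_LIMIT_PER_YEAR = 1.0  # low demand mode: no more than one demand per year

# Constructed trip records: (time, SIF, "demand" for a genuine process demand,
# "spurious" for a trip with no real demand).
SAMPLE_EVENTS: List[Tuple[datetime, str, str]] = [
    (datetime(2023, 1, 15, 2, 10), "SIF-01", "demand"),
    (datetime(2023, 6, 2, 14, 35), "SIF-01", "demand"),
    (datetime(2023, 9, 20, 7, 5), "SIF-01", "demand"),
    (datetime(2023, 3, 11, 19, 40), "SIF-02", "spurious"),
    (datetime(2023, 8, 4, 11, 0), "SIF-02", "spurious"),
    (datetime(2023, 11, 30, 23, 15), "SIF-02", "demand"),
]
# Demand rates per year assumed in the H&RA / SRS for each SIF (constructed values).
ASSUMED_DEMAND_RATE = {"SIF-01": 0.5, "SIF-02": 0.1}


def observed_rates(events, window_start: datetime, window_end: datetime) -> Dict[str, Dict[str, float]]:
    """Per-SIF demand and spurious-trip counts and rates (per year) inside the window."""
    years = (window_end - window_start).total_seconds() / 3600.0 / HOURS_PER_YEAR
    counts = defaultdict(lambda: {"demand": 0, "spurious": 0})
    for ts, sif, kind in events:
        if window_start <= ts < window_end:
            counts[sif][kind] += 1
    return {
        sif: {
            "demands": c["demand"],
            "spurious": c["spurious"],
            "demand_rate": c["demand"] / years,
            "spurious_rate": c["spurious"] / years,
        }
        for sif, c in counts.items()
    }


def review_demands(events, assumed: Dict[str, float], window_start: datetime,
                   window_end: datetime, tolerance: float = 2.0) -> List[str]:
    """Findings that should trigger the analysis required by 16.2.9."""
    findings: List[str] = []
    for sif, r in sorted(observed_rates(events, window_start, window_end).items()):
        if sif in assumed and r["demand_rate"] > tolerance * assumed[sif]:
            findings.append(
                f"{sif}: observed demand rate {r['demand_rate']:.2f}/yr exceeds the H&RA "
                f"assumption of {assumed[sif]:.2f}/yr; revisit the risk analysis and SIL target"
            )
        if r["demand_rate"] > LOW_DEMAND_LIMIT_PER_YEAR:
            findings.append(
                f"{sif}: more than one demand per year; the SIF is no longer in low demand mode, "
                f"so a PFDavg-based SIL verification no longer applies (re-verify with PFH)"
            )
        if r["spurious"] > 0:
            findings.append(
                f"{sif}: {r['spurious']} spurious trip(s) ({r['spurious_rate']:.2f}/yr); "
                f"determine the cause and update the spurious trip record"
            )
    return findings


WINDOW = (datetime(2023, 1, 1), datetime(2024, 1, 1))

if __name__ == "__main__":
    for line in review_demands(SAMPLE_EVENTS, ASSUMED_DEMAND_RATE, *WINDOW):
        print(line)
```

Over the one-year window the sample gives SIF-01 three demands (above its assumed 0.5/yr and above the low demand limit) and SIF-02 one demand plus two spurious trips. A point estimate from a handful of events is a weak basis on its own; IEC 60605-4 in the Bibliography covers confidence intervals for exponentially distributed event data and is the place to look before changing an H&RA assumption on this evidence.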
16.2.10 The operation and maintenance procedures may require revision, if necessary, following:
• functional safety audits;
• tests on the SIS;
• experience from normal or abnormal operation and maintenance events.

16.2.11 Written proof-test procedures shall be developed for every SIF to reveal dangerous failures undetected by diagnostics. These written test procedures shall describe every step that is to be performed and shall include:
• the correct operation of each sensor and final element;
• correct logic action;
• correct alarms and indications.
NOTE The following methods can be used to determine the undetected failures that need to be tested:
– examination of fault trees;
– failure mode and effect analysis;
– reliability centred maintenance.

16.2.12 SIS spare parts shall be identified and shall be made available to minimize the bypass duration due to unavailability of any replacement part for the SIS.

NOTE Replacements that are not in kind (like for like) can be managed as a modification to the SIS.

16.2.13 Persons responsible for operations and maintenance shall review the hazard and risk analysis, allocation and design to ensure the assumptions made are valid, e.g. assumptions on occupancy and corrosion protection.

16.3 Proof testing and inspection

16.3.1 Proof testing

16.3.1.1 Periodic proof tests shall be conducted using a written procedure to reveal undetected faults that prevent the SIS from operating in accordance with the SRS.

NOTE 1 Particular attention can be paid to identifying failure causes that may lead to common cause failures.

NOTE 2 Functional test procedures can also emphasize the need to avoid introducing common cause failures.
16.3.1.2 The entire SIS shall be tested including the sensor(s), the logic solver and the final element(s) (e.g., shutdown valves and motors).

NOTE Testing of the SIS can be performed either end-to-end or in segments (see 11.8.1).

16.3.1.3 The schedule for the proof tests shall be according to the SRS. The frequency of proof tests for a SIF shall be determined through PFDavg or PFH calculation in accordance with 11.9 for the SIS as installed in the operating environment.

NOTE Different parts of the SIS can require different test intervals, for example, the logic solver can require a different test interval than the sensors or final elements.
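16.3.1.3 ties the proof-test interval to the PFDavg calculation and 16.3.1.5 asks for that interval to be re-evaluated against field data. The following worked calculation is an added example, not part of IEC 61511-1 (which refers to 11.9 for the method): it uses the simplified IEC 61508-6 PFDavg approximations for 1oo1 and 1oo2 with dangerous detected failures, repair time and diagnostic coverage neglected, and the low demand mode SIL bands from this standard. The dangerous undetected failure rate of 1e-6/h and the beta factor of 0.1 are assumptions chosen for the illustration.

```python
"""Proof-test interval from a PFDavg target (16.3.1.3, 16.3.1.5).

Added example, not part of IEC 61511-1, which only refers to 11.9 for the
calculation. The simplified PFDavg expressions below are the IEC 61508-6
approximations for 1oo1 and 1oo2 with dangerous detected failures, repair
time and diagnostic coverage neglected; the failure rate and beta factor used
in the worked case are assumptions.
"""
from typing import Callable

HOURS_PER_YEAR = 8760.0


def sil_for_pfd(pfd_avg: float) -> int:
    """Low demand mode SIL from PFDavg: SIL n needs 10^-(n+1) <= PFDavg < 10^-n; 0 if no SIL is met."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd_avg < 10.0 ** -sil:
            return sil
    return 0


def pfd_avg_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Single channel: PFDavg ~= lambda_DU * TI / 2 (lambda_DU in 1/h, TI in h)."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du: float, ti_hours: float, beta: float = 0.1) -> float:
    """Two channels, either sufficient to trip: independent term plus common-cause term."""
    independent = (1.0 - beta) ** 2 * lambda_du ** 2 * ti_hours ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def max_test_interval(pfd_func: Callable[..., float], lambda_du: float, pfd_target: float,
                      hi_hours: float = 1.0e7, **kwargs) -> float:
    """Largest TI (h) with pfd_func(lambda_du, TI) <= pfd_target.

    PFDavg rises monotonically with TI for these expressions, so bisection is sufficient.
    """
    lo, hi = 0.0, hi_hours
    if pfd_func(lambda_du, hi, **kwargs) <= pfd_target:
        return hi
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if pfd_func(lambda_du, mid, **kwargs) <= pfd_target:
            lo = mid
        else:
            hi = mid
    return lo


def worked_case(lambda_du: float = 1.0e-6, ti_hours: float = HOURS_PER_YEAR, beta: float = 0.1) -> dict:
    """Assumed final element with lambda_DU = 1e-6/h, proof tested once a year."""
    pfd_1oo1 = pfd_avg_1oo1(lambda_du, ti_hours)
    pfd_1oo2 = pfd_avg_1oo2(lambda_du, ti_hours, beta)
    return {
        "pfd_1oo1": pfd_1oo1,
        "sil_1oo1": sil_for_pfd(pfd_1oo1),
        "pfd_1oo2": pfd_1oo2,
        "sil_1oo2": sil_for_pfd(pfd_1oo2),
        # longest interval at which each architecture still stays inside the SIL 3 band
        "ti_1oo1_for_sil3_h": max_test_interval(pfd_avg_1oo1, lambda_du, 1.0e-3),
        "ti_1oo2_for_sil3_h": max_test_interval(pfd_avg_1oo2, lambda_du, 1.0e-3, beta=beta),
    }


if __name__ == "__main__":
    for key, value in worked_case().items():
        print(f"{key}: {value:.4g}" if isinstance(value, float) else f"{key}: {value}")
```

With the assumed rate, a single channel tested yearly gives PFDavg = 4.38e-3 (SIL 2) and would need a test interval of about 2000 h to reach the SIL 3 band, whereas 1oo2 with beta = 0.1 reaches 4.59e-4 (SIL 3) at a yearly test, with the common-cause term dominating. The re-evaluation in 16.3.1.5 is the same calculation rerun with lambda_du taken from the failures actually recorded under 16.2.9 rather than the design value.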

16.3.1.4 Any deficiencies found during the proof testing shall be repaired in a safe and timely manner. A proof test shall be repeated after the repair is completed.

16.3.1.5 At some periodic interval (determined by the user), the frequency of testing shall be re-evaluated based on various factors including historical test data, plant experience and hardware degradation.

NOTE The user can adjust the test frequency based on this data and an analysis of the original basis for test frequency.

16.3.1.6 Any change to the application program requires full validation and a proof test of any SIF impacted by the change. Exceptions to this are allowed if appropriate review and partial testing of changes are carried out to ensure the changes were designed per the updated safety requirements and correctly implemented.

16.3.1.7 Suitable management procedures shall be applied to review deferrals and prevent significant delay to proof testing.

16.3.2 Inspection

Each SIS shall be periodically visually inspected to ensure there are no unauthorized modifications and no observable deterioration (e.g., missing bolts or instrument covers, rusted brackets, open wires, broken conduits, broken heat tracing, and missing insulation).

NOTE These problems could indicate an increase in the frequency of faults.

16.3.3 Documentation of proof tests and inspection

The user shall maintain records that certify that proof tests and inspections were completed as required. These records shall include the following information as a minimum:
a) description of the tests and inspections performed including identification of the test procedure used;
b) dates of the tests and inspections;
c) name of the person(s) who performed the tests and inspections;
d) serial number or other unique identifier of the system tested (e.g., loop number, tag number, equipment number, and SIF number);
e) results of the tests and inspection including the "as-found" condition, all faults found (including the failure mode) and the "as-left" condition.

17 SIS modification

17.1 Objectives

The objectives of the requirements of Clause 17 are:
• that modifications to any SIS are properly planned, reviewed, approved and documented prior to making the change;
• to ensure that the required safety integrity of the SIS is maintained despite any changes made to the SIS.
NOTE Modifications to the BPCS, other equipment, process or operating conditions can be reviewed to determine whether they are such that the nature or frequency of demands on the SIS will be affected. Those having an adverse effect can be considered further to determine whether the level of risk reduction will still be sufficient.

17.2 Requirements

17.2.1 Prior to carrying out any modification to a SIS, procedures for authorizing and controlling changes shall be in place.

17.2.2 The procedures shall include a clear method of identifying and requesting the work to be done and the hazards that may be affected.

17.2.3 Prior to carrying out any modification to a SIS (including the application program) an analysis shall be carried out to determine the impact on functional safety as a result of the proposed modification. When the analysis shows that the proposed modification could impact safety then there shall be a return to the first phase of the SIS safety life-cycle affected by the modification.

17.2.4 Safety planning for the modification and re-verification shall be available. Modifications and re-verifications shall be carried out in accordance with the planning.

17.2.5 All documentation affected by the modification shall be updated.

17.2.6 Modification activity shall not begin until a FSA is completed in accordance with 5.2.6.1.9 and after proper authorisation.

17.2.7 Appropriate information shall be maintained for all changes to the SIS. The information shall include:
• a description of the modification or change;
• the reason for the change;
• identified hazards and SIFs which may be affected;
• an analysis of the impact of the modification activity on the SIS;
• all approvals required for the changes;
• tests used to verify that the change was properly implemented and the SIS performs as required;
• details of all SIS modification activities (e.g., a modification log);
• appropriate configuration history;
• tests used to verify that the change has not adversely impacted parts of the SIS which were not modified.

17.2.8 Modification shall be performed by qualified personnel who have been properly trained. All affected and appropriate personnel should be notified of the change and trained with regard to the change.

18 SIS decommissioning

18.1 Objectives

The objectives of the requirements of Clause 18 are to ensure that:
• prior to decommissioning any SIS from active service, a proper review is conducted and required authorization is obtained;
• the required SIF(s) remain operational during decommissioning activities.

18.2 Requirements

18.2.1 Prior to carrying out any decommissioning of part or all of a SIS or SIF, procedures for authorizing and controlling changes shall be in place.

18.2.2 The procedures shall include a clear method of identifying and requesting the work to be done and identifying the hazards that may be affected.

18.2.3 An analysis shall be carried out on the impact on functional safety as a result of the proposed decommissioning activity. The assessment shall include an update of the H&RA sufficient to determine the scope of impact to the SIS safety life cycle. The subsequent SIS safety life-cycle phases shall be re-evaluated. The assessment shall also consider:
• functional safety during the execution of the decommissioning activities;
• the impact of decommissioning the SIS on adjacent operating units and facility services.

18.2.4 The results of the impact analysis shall be used during safety planning to re-implement the relevant requirements of the IEC 61511 series including re-verification and re-validation.

18.2.5 Decommissioning activities shall not begin without proper documentation and authorization.

19 Information and documentation requirements

19.1 Objectives

The objectives of the requirements of Clause 19 are to ensure that the necessary information is available and documented in order that:
• all phases of the SIS safety life-cycle can be effectively performed;
• verification, validation and FSA activities can be effectively performed.

19.2 Requirements

19.2.1 The documentation required by the IEC 61511 series shall be available to personnel implementing the requirements of the IEC 61511 series.

19.2.2 The documentation shall:
• describe the installation, system or equipment and the use of it;
• be accurate and up to date;
• be easy to understand;
• suit the purpose for which it is intended;
• be available in an accessible, maintainable and editable form, so that appropriate and relevant documents can be readily and accurately identified, located, retrieved and revised.
NOTE Further details of the requirements for information are included in Clause 14 and Clause 15.

19.2.3 The documentation shall have unique identities so it shall be possible to reference the different parts.
19.2.4 The documentation shall have designations indicating the type of information.

19.2.5 The documentation shall be traceable to the functional and integrity requirements arising from this standard, including the H&RA.

19.2.6 The documentation shall have a revision index (for example, version numbers) to make it possible to identify different versions of the information.

19.2.7 The documentation shall be structured to make it possible to search for relevant information. It shall be possible to identify the latest revision (version) of a document.

NOTE The physical structure of the documentation can vary depending upon a number of factors such as the size of the system, its complexity and the organizational requirements.

19.2.8 All relevant documentation shall be revised, amended, reviewed, approved and shall be under the control of an appropriate information control scheme.

19.2.9 Current documentation pertaining to the following shall be maintained:
a) the results of the H&RA and the related assumptions;
b) the equipment used for SIF together with its safety requirements;
c) the organization responsible for maintaining functional safety;
d) the procedures necessary to achieve and maintain functional safety of the SIS;
e) the modification information as defined in 17.2.5;
f) the safety manual(s);
g) design, implementation, test and validation.
NOTE Further details of the requirements for information are included in 12.4.2, Clauses 14 and 15 and in 16.3.3.
Bibliography

IEC 60050 (all parts), International Electrotechnical Vocabulary (available at <http://www.electropedia.org/>)

ISO/IEC Guide 51:2014, Safety aspects – Guidelines for their inclusion in standards

IEC 60300-3-2:2004, Dependability management – Part 3-2: Application guide – Collection of dependability data from the field

IEC 60605-4:2001, Equipment reliability testing – Part 4: Statistical procedures for exponential distribution – Point estimates, confidence intervals, prediction intervals and tolerance intervals

IEC 60617-12:1997, Graphical symbols for diagrams – Part 12: Binary logic elements 1

IEC TS 61000-1-2:2008, Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena

IEC 61025, Fault tree analysis (FTA)

IEC 61131-3:2013, Programmable controllers – Part 3: Programming languages

IEC 61131-6:2012, Programmable controllers – Part 6: Functional safety

IEC 61506:1997, Industrial-process measurement and control – Documentation of application software

IEC 61508-4:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations

IEC 61508-6:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

IEC 61511-2:2016, Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1:2016

IEC 61511-3:2016, Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels

IEC 61784-3:2010, Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definitions

IEC 62443-2-1:2010, Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

IEC 62682:2014, Management of alarms for the process industry

ISO/IEC 2382:2006, Information technology – Vocabulary

ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
___________
1 Withdrawn.
ISO/IEC 90003:2014, Software engineering – Part 3: Guidelines for the application of ISO 9001:2000 to computer software

ISO 2382-1:1993, Information technology – Vocabulary – Part 1: Fundamental terms

ISO 9000:2005, Quality management systems – Fundamentals and vocabulary

ISO 9001:2008, Quality management systems – Requirements

ISO TR 12489:2013, Petroleum, petrochemical and natural gas industries – Reliability modelling and calculation of safety systems

ISO 13849-1:2006, Safety of machinery – Safety related parts of control systems – Part 1: General principles for design

ISO 13849-2:2012, Safety of machinery – Safety related parts of control systems – Part 2: Validation

ISO 14224:2006, Petroleum, petrochemical and natural gas industries – Collection and exchange of reliability and maintenance data for equipment

ISA TR 84.00.04 Part 1:2015, Guidelines on the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511)

ISA TR 84.00.09:2013, Security Countermeasures Related to Safety Instrumented Systems (SIS)
