Implementing

Safety System
Standards

IEC 61508/
61511
Yokogawa ISS your partner for
IEC 61508/61511 compliance

The safety of technological processes in the modern The company

society is a major concern for everybody, whether Yokogawa Industrial Safety Systems, founded in
directly or indirectly involved. Industrial safety 1962, is one of the worlds most experienced Safety
management serves to protect human life, valuable and Control firms. Today, Yokogawa ISS with its
assets and the environment. It covers the headquarters in The Netherlands, provides services
identification of hazards, the implementation of to clients on a global scale. As a Center of Excellence
protective measures as well as the control of work within the Yokogawa Corporation, we are committed
procedures and human factors. to offer cost effective protection systems of all the
Global alliance over more than 10 years of experts Safety Integrity Levels (SIL1-4) for the oil & gas,
from industry and safety certifying bodies has created petrochemical, chemical, nuclear and conventional
the IEC 61508 safety standard. It is the aggregation of power industries. Our capability to offer safety
practical experience and the use of state-of-the-art consultancy and integration of safety systems with
technology, methods & computer tools. process control systems is especially appreciated by
our customers.
Safety Instrumented Systems are no longer an add- Yokogawa ISS is a subsidiary of Yokogawa Electric
on attribute, but are the result of structured Corporation, a major player in the world of
engineering procedures that can be divided into 9 Measurement, Control and Safety. The company
major steps in the building or retrofit of a process employs over 11000 people world-wide and offers the
plant, represented in the process safety life-cycle. backing that will support continued growth and
products innovation.

Eliminating the unexpected

Starting at the conceptual phase of a process and Contemporary Company vision

ending with disposal, after a (useful) lifetime. It Our process control & automation capability is
clearly shows the way to achieve fit-for-purpose expanding to total plant automation, which is leading
safety; meaning that the risk can be kept as low as to enterprise-wide business solutions. Yokogawa has
reasonably practical (ALARP), which will result in adopted the term Enterprise Technology Solutions
cost effective safety measures. (ETS). Real-time plant process control is integrated
with management information systems, logistics,
By the accomplishment of these world standards financial information, production scheduling, safety
for Safety Instrumented Systems the effective systems and other technologies for effective site and
performance of safety management has further company-wide management.
matured; in addition it contributes to the
profitability of the industry and protects against Safety assessment & compliance to
excessive liability claims. safety standards.
In particular the services and knowledge that we
Safety management of a plant at large comprises not offer to our customers, working as a partner in the
only the implementation of safety systems, but in safety assessment of a process installation, has
particular covers the necessary activities before become a logical extension to our ETS services.
Safety Instrumented Systems can be installed and Safety Systems play an increasingly critical role in
maintained. many process plants today.
The safety standard IEC 61508 and draft IEC 61511
that have world-wide recognition create explicit
safety requirements for process plants. Therefore
users in the process industry are looking for system tolerated when operating a particular process.
suppliers, that can offer tightly integrated control The verification of compliance to the required safety
and safety systems, as well as safety consultancy for integrity level. Documentation that may be subject to
the initial engineering activities to make up the ratification by an independent authority, embedded in a
normative Safety Requirement Specification as proper safety management document system is a necessity
stated in the IEC 61508/61511, on a contractual basis. for some essential steps in the safety life cycle. Also the
justification of the safety related decisions made must be
The innovative IEC 61508 safety standard documented in the applicable steps. In practice an auditable
Yokogawa ISS has participated since the beginning 10 record is created over the entire lifecycle of the Safety
years ago, in the realization of this IEC 61508 safety Instrumented System (SIS). The verification steps described
standard and is still a member of the working group by the IEC 61508/61511 provide such an auditable system.
that develop the application specific standard IEC
61511. This draft IEC61511 standard imposes the In this way rational decisions can be made by all
effective and safe application of protective measures involved parties such as government authorities,
in particular for the process industry. It sets out a operating companies, certifying institutes and
generic and performance based approach for all insurance companies. In addition, it will protect the
systems comprising Safety Instrumented Functions operating company against extreme liability claims
performed by electrical/electronic and programmable in case of omissions and non-compliance.
electronic systems (E/E/PES). These systems are
applied for risk reduction of industrial processes and Application of IEC 61508/61511 standards and
are also called Safety Instrumented Systems (SIS). guidelines is also good for business, because the
The framework of the standard can also be used to investment for safety is put where the effect is
consider the strategy of other technologies of safety- justified, applying the ALARP principle. Reduced
related systems. costs for initial investment in safety measures such as
SISs, and periodical maintenance will be the result,

Yokogawa ISS
One stop safety services

The innovation created by these Safety Standards in spite of possible higher engineering efforts.
can be summarized in three essential elements: The IEC 61508/61511 standard has been accepted by
The safety life cycle approach, which describes the 9 the industrialized world and is replacing obsolete
phases in the implementation of any process SIS, carried out safety standards.
by the system integrator. Starting from the initial concept of
a process it covers the engineering, operation and Yokogawa ISS is an IEC 61508 competent body
maintenance, up and including the final disposal of the A competent body is skilled to carry out the
equipment. Every lifecycle step makes a contribution to procedures and methods as defined in the IEC 61508
safety that can be optimized in relation to cost and standard to realise safety Instrumented systems.
effectiveness. Early involvement in a project and cooperation with
The quantification of the (remaining) risk involved in our trained safety engineers that have up-to-date
the operation of a process. Each step in the above life cycle experience (as required by the standard), will
has a direct effect on the result of the quantitative risk facilitate compliance to the relevant procedures and
analysis (QRA). This result is expressed in the probability of the required Safety Integrity Level (SIL). Our
a potentially unsafe occurrence. Risk reduction may be experience can be placed at the users or engineering
required that can be achieved by the installation of safety contractors disposal by consultancy and pre-
provisions, which often include a SIS. The effect on the risk engineering activities, such as completion of the
reduction is indicated by order of magnitude and expressed in Safety Requirements Specification. Also the entire
the Safety Integrity Level (SIL has a range from 1-4). The engineering and production of the Logic Solver,
remaining risk related to the severity of the consequences for including installation & commissioning, validation,
loss of life, damage to assets and environment, or even the periodical proof-testing as well as modifications can
deferred production, will determine whether this risk can be be contracted to Yokogawa ISS.
 The demand to maintain an auditable trail of all the Layout studies that require some effect & damage
performed activities is reflected in the Master Safety calculations and can be applied over the life cycle of an
Management Document, developed by Yokogawa installation with a special software tool.
ISS. In this document all the lifecycle activities are Area Safety Reviews can be carried out to investigate the
ordered in well-defined sections. This master optimum location and number of detectors and the location
document will constitute an integral part of a project. and quality of preventive measures on the basis of expected
In this way the Yokogawa ISS project organization, scenarios.
will guarantee adherence to safety standards and can HAZARD study can be applied in the process concept phase
issue a certificate of conformity for an individual to identify potential hazards.
project. HAZOP study can be applied after the detailed design of an
installation on the basis of PFDs, P&IDs, Cause & Effect
It will be obvious that the choice for a certain type of diagrams and Plot Plans as shown in figure 1, step 1.
process or a retrofit of a plant is the first step and can REF#
MODE GUIDEWORD CAUSE CONSEQUENCE SAFE GUARDS
S.F. TYPE
MS/SIS/ER
SENSOR
Tag
FINAL
ELEMENT ACTION
Tag

have already great safety implications. The diagram Drawing

53811-
149707
Fuel Gas No Pressure 1. Gas Supply Fails
Upstream
1. Change over
to Diesel
2. = Activating F&G
system, which shut
unit down
SIS 2. = F&G
Detectors
2.= SPS-
EDP
& Unit shut
2.= Classif

3.= Classif
Sheet 5 1. Pipe rupture inside 2. Damaging 3.= F&G down

shows the implementation steps before the decision enclosure

2. Pipe rupture
enclosure

3. Gas leak. Possible

3. = Activate platform
F&G system,
which shut unit
Detectors
PT 281-11 3.=
SDV281-09
outside enclosure explosion down.
Additional platform
to implement a SIS can be made, by carrying out a 3. Filter blockage 4-5-6-7. Unit will
flame out
line pressure
protection is
5. Primary fuel provided
Valve fails closed
number of preparation studies. Depending on the 6. Secondary fuel
Valve fails closed
1-4-5-6-7. = None

type of process Good Safety Management practice 7. Electric Gas Fuel

Valve fails closed

could include the following studies i.e.: MORE Pressure 1. Upstream

regulator fails
Damage to fuel gas
system
1. = PlatformOver
pressure protection
SIS +
Relief valve
1.=
PT 281-11
1.= SDV
281-09+
PSV 281-
1.= Classif

2.= Classif
2. = Skid Over 2.= TP386 12A/B
pressurer protection
2.= TP386

Example of Hazop document

Process reliability and availability studies can be applied to

Figure 1. Represents the 9 major steps in realising a investigate the performance.
SIS. These steps are derived from the main life-cycle
approach in the IEC 61508/61511

The life cycle of process safety

Fire and Explosion Risk Assessment determine the Potential

Loss of Life and the Asset Risks of an installation. In this
Figure 1 Process Design Deliverables study risks are calculated to assess the installation and the

Process Design
personnel. Other studies which can be applied are Smoke and
P & ID's
Narratives
Gas Ingress Assessment which requires dispersion studies in
HAZOP
Potential Safequard
relation to HVAC-inlets; this is a scenario based study.
Determine Safequard
Descriptions
Functions
1 Protective Systems Assessment can be applied on the basis of

Risk Assessment
hazard scenarios defined in the FERA and other studies like
Target SIL's for the
Input Safety Instrumented Safety Instrumented
2 Functions (sif) Functions Area Safety Reviews and give a scenario based evaluation
Sensor & Logic
Solver & Final Element
against Performance Standards of protective systems, which
Type and Failure data. Design data for
SIF Configuration
Including all other Calculations
the Safety are considered to be safety critical. Escape, evacuation and
3 Instrumented Loops
devices In
the Safety Loop rescue analysis is often carried out for offshore installations;
Prepare: Safety
Safety Requirement parts of it can also be applied for onshore installations.
Requirement
Spec for the SIS
4 Specification for SIS
A Work Place Risk Assessment is focussed on hazards at a
Design - Egineering - certain location. This study is useful for new non-routine
Integration - FAT Logic Solver
5 of Logic Solver projects in a hazardous environment. TRIPOD-studies i.e.
are focussing on the human aspects and peoples motivation,
Overall Installation and
commissioning Sensors - Complete SIS working climate etc.
6 LS - Final Elements
The Quantified Risk Assessment is focussed on Risk to
SIS Validation report Personnel, Environment and Asset Risk. In this study
Overall Safety Certificate
7 validation
hazards from process, BPCS, non-process, external
SIS SIS Has to be fully documented or
Overall modification Overall operation, recorded andjustified to be in
and retrofit maintenance and repair compliance with the IEC 61508/61511
9 8
 environmental hazards, ship collisions, dropped loads etc. 3 Safety reliability calculations
are taken into account and requires the use of event trees, After the identification and determination of the
risk graphs and risk matrixes for the various scenarios. The SIFs, the necessary details for the realisation of the
Individual and Societal risk studies, which represent the Safety Loops are engineered. The type and number of
external risks of an installation, can be applied for on-shore sensors, barriers and the safety valves in the
activities. application, as well as the component failure data are
related to the target SIL. The selection of the suitable
Most Users shall have a predisposition to outsource Logic Solver and communication aspects with the
these studies to a specialised company. process control system is also a part of this analysis.
At the same time the calculation can provide data on
Yokogawa ISS and TNO (a Dutch independent applied research the spurious or False Trip Rate (FTR) per SIS and the
organisation) have founded an independent joint-venture necessary or desired proof-test intervals. Again the
company: named Safety Service Centre at Apeldoorn, The design can be optimised to achieve the target
Netherlands , which has the capabilities, know-how and availability of the related process parts to minimise
experience to carry out the mentioned studies.The practical deferred production by false trips. In addition by the
implementation of the Safety Instrumented Functions starts avoidance of unnecessary process shutdown & start-
with the Quantified Risk Assessment(QRA). In the process life- ups a positive contribution to safety is made.
cycle phases in figure 1 this action is represented by step 2.
In the following overview also the professional capabilities from Yokogawa ISS is applying state-of-the-art safety
Yokogawa ISS are highlighted in relation to the process lifecycle reliability calculation tools using validated (field)
phases for steps 2 to 5 and to supply services for steps 6 to 9. databases such as:
Parts stress analysis in accordance with MIL.hdbk.217(F)
2 Risk Assessment Failure mode and critically effect analysis (FMCEA) to
If any risk and safeguard function is identified in the eliminate non-safety-critical components.
HAZOP study it must be followed by a Quantitative Failure mode and diagnostic effect analysis (FMDEA) to

Profitability & safety

are not in competition

Risk Assessment (QRA), covering an analysis of each determine the diagnostics coverage factor and the ratio between
identified Safety Instrumented Function; it includes detected and not detected failure rates.
the opinion of the Markov oriented method, including uncertainty and
gathered experts in sensitivity analysis and sophisticated imperfect proof-testing
the HAZOP team analysis. The University of Eindhoven developed this Dynamic
on the frequency of Markov calculation tool, which shows in particular the time
unwanted dependency of the safety parameters.
occurrences. The
QRA will lead to one
5 6
SIS CLASS of the four quantitative Safety Integrity Levels One Solenoid One Solenoid
failed Dangerous failed Dangerous
RECORD Example
(SILs) of the determined SIFs, by means of a Undetected Detected

1
deterministic approach with a quantitative outcome.
Operational
This outcome is named: target SIL.

Yokogawa ISS contribution:

Supervision and guidance using a risk analysis program
2 4 3
Configuration Configuration Configuration
based on Risk Graphs or Risk Matrixes. failed Safe failed Dangerous failed Dangerous
(Detected) Detected Undetected
Indication of the location and type of components of a safety
function, such as Sensors and Final Elements.
Carrying out a full mathematical quantitative risk analysis
Example of a Markov state diagram.
in particular circumstances.
Creating records and justifications of this QRA.
 quotation for a SIS design and supply of the necessary
xxxxx Project Single Safety Valve configuration
Probability of Failure on Demand hardware, which must be covering at least these
10-2
requirements.
SIL 2

Yokogawa ISS has made a merge between the IEC 61508

10-3
requirements and the ISO 9001 quality work system, which is

Probability (-)
presently describing all applicable work procedures. The Safety
Requirement Specification is the basis for a project realisation,
10-4
which describes the functional requirement & the SIL
requirements of the SIFs.
Some of the major SIS project execution steps are:
10-5
0 0,5 1 1,5 2 2,5 3 3,5 4 4,5
Assignment of contract/line manager & other key personnel,
Proof Test Interval (hours) x10
4
Generation of a project plan , describing the Safety validation
plan and Operational & Maintenance procedures FAT & test
Example of Safety Integrity calculation of a safety valve. procedures, integration test, etc.
Order of materials & system assembly,
4 Safety Requirement Specification (SRS) Safety verification & report, system test & correction of any
The result of all the foregoing activities needs to be defects, inspection of documentation,
recorded and will, if applicable, specify additional Factory acceptance test & report, Safety validation,
data for a SIS comprising: Complete as-built documentation package before
definition of the safe state of each Safety shipment.
Instrumented Function and response time,
safety interlocks descriptions & start-up sequence 6 Installation, Commissioning & Verification
descriptions, with necessary overriding, The commission phase, after installation, offers
status and event recording requirements, the opportunity to test and verify every safety loop

Safety is a continuous process

communication interface with protection to the individually for installation integrity, tagging,
process control system, interfacing to other systems, power supply, grounding
safety communication between multiple SISs, connection, adequate separation to avoid common-
environmental conditions, cause faults, communication links non-interference
electrical power situation and instrument air, with the safety loops, etc.
availability of qualified and periodically trained Also the installation of the sensors, barriers and
maintenance personnel. safety valves, needs special attention. All activities
and test results will be executed and documented in
Yokogawa ISS can assist to compose every Safety Function loop line with the safety requirement specification and the
in full compliance using SRS templates. IEC standards.
As supplier of the Prosafe product line for E/PES and over 30
years experience, we have at our disposal an experienced Yokogawa ISS has the service organisation to assist at
engineering crew located at four locations in the world. installation, commissioning and verification at the plant site.
Our training department gives dedicated trainings for our
customers.

5 Realisation of a Logic Solver

The Safety Requirement Specification serves as the
definition of the requirements for the system design
and the engineering of all Safety Functions. It can
serve as the basis for bidders to work out a solution &
7 SIS Validation 9 SIS Modifications
Validation of the implemented Safety Functions Altering the opinion about the efficient process
means that by inspection and testing of the installed operating conditions is the background for
and commissioned SIS, the system adheres to all SIS modifications that often have repercussion on a
requirements. The validation includes all relevant number of SIFs. Such modification happen
modes of operation of the process and its associated frequently during the SIS lifetime, therefore
equipment. The procedures for this validation are modification control is equally compelling according
prepared during the SIS validation planning & design to the standard. This is the ground for strict
phase. The validation further covers: modification control procedures. It will be evident
SIS performance under normal and abnormal operating that all lifecycle steps have to be reviewed again.
modes, Reviewing the HAZOP node and QRA includes the
Non interference between the Process Control System and recalculating the changed Safety loops, checking for
other connected systems, with the safety integrity of the SIS, possible interference with existing SIFS and re-
Proper shut-down sequences, engineering. Approval by the right authority must be
Overrides procedures and time limitation, obtained and again testing and validating have to be
SIS diagnostic alarms to operator that have the appropriate performed before implementation.
Safety Integrity Level,
Documentation completeness reflecting the installed Yokogawa ISS has the qualifications to perform the
system. demanded steps in an interactive mode with the user.
The results of this validation shall again be fully Yokogawa can carry out the modification planning and by
documented, including the used calculation tools and mutual arrangements in full compliance with the standard
equipment, as well as the professional status of the on a contractual basis.
validation experts. Any discrepancies will require
decisions taken on whether to continue this
validation or to issue a change requests.

Safety consultancy & partnership

for IEC compliance

If impartial validation is preferred the independent joint SSC, Apeldoorn, The Netherlands.
venture Company SSC is competent to carry out the task. Website: www.safety-sc.com TRIPOD International

8 Periodical Maintenance to maintain

the safety integrity level
The ultimate responsibility for the safe operation of
the SIS remains at the Operator of the process.
Adequate maintenance shall comprise periodical
proof-tests of all the safety loop devices. The standard
requires that all the maintenance engineers must
have at least 5 years experience and are periodically
trained. Also the test equipment needs to be
calibrated periodically.
These demands place a burden on the plant
management during the lifetime of the plant.

Yokogawa ISS can provide operator and maintenance

training dedicated to the supplied SIS.
We also have a crew of experienced and trained engineers in
our service organisation to perform the system periodical
proof-tests on a contractual basis world-wide.