M580 Safety Configuration

Modicon M580 Safety Configuration Training EcoStruxure™ Control Expert V15 for Safety

DISCLAIMER Schneider Electric™ makes no representations or warranties with respect to this manual and, to the maximum extent permitted by law, expressly limits its liability for breach of any warranty that may be implied to the replacement of this manual with another. Furthermore, Schneider Electric reserves the right to revise this publication at any time without incurring an obligation to notify any person of the revision. The information provided in this documentation contains general descriptions and/or technical characteristics of the performance of the products contained herein. This documentation is not intended as a substitute for and is not to be used for determining suitability or reliability of these products for specific user applications. It is the duty of any such user or integrator to perform the appropriate and complete risk analysis, evaluation and testing of the products with respect to the relevant specific application or use thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for misuse of the information that is contained herein. If you have any suggestions for improvements or amendments or have found errors in this publication, please notify us. All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to help ensure compliance with documented system data, only the manufacturer should perform repairs to components. When devices are used for applications with technical safety requirements, the relevant instructions must be followed. Failure to use Schneider Electric software or approved software with our hardware products may result in injury, harm, or improper operating results. Failure to observe this information can result in injury or equipment damage. © 2021 Schneider Electric. All rights reserved. Schneider Electric is a trademark and the property of Schneider Electric SE, its subsidiaries and affiliated companies. All other trademarks are the property of their respective owners. The contents of this manual are proprietary to Schneider Electric and all rights, including copyright, are reserved by Schneider Electric. No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric. M580 Safety Configuration Training Manual INTRODUCTION AND LEGAL NOTICE Satisfactory completion of the course evaluation is mandatory for you to obtain a Schneider Electric certificate of completion of the training course. Schneider Electric will not accept any liability for action taken in reliance on this training manual. TRADEMARKS EcoStruxure™ Control Expert, Modicon M580, EcoStruxure™, Advantys, X80 and OFS are trademarks owned by Schneider Electric or its affiliated companies. All other trademarks are the property of their respective owners. Windows are either registered trademarks or trademarks of Microsoft® Corporation in the United States and/or other countries. HART® and WirelessHART® are registered trademarks of the HART Communication Foundation. DeviceNet is a registered trademark of Open DeviceNet Vendor Association, Inc. (ODVA), EtherNet/IP is a trademark of ControlNet International under license by ODVA, ControlNet is a trademark of ControlNet International in the United States and/or other countries. General Notice: Some product names used in this manual are used for identification purposes only and may be trademarks of their respective companies. VALIDITY NOTE The present documentation is intended for qualified technical personnel responsible for the implementation, operation and maintenance of the products described. It contains information necessary for the proper use of the products. ABOUT US Members of Schneider Electric’s team of Instructional Designers have tertiary qualifications in Education, Educational Course Development and are also experienced Instructors. Currently, the team is supporting a range of Schneider Electric courses in multiple languages and multiple software environments. AUTHORS Michael Chan CONTRIBUTORS Daniel Weber, Florent Brouillet Creation Date: 06 August 2021 Modicon M580 Safety

DOCUMENT MODIFICATION HISTORY Date Version Description 06 August 2021 2.2 Format Update The information contained in this document is proprietary to Schneider Electric. This document contains proprietary information of Schneider Electric, and neither the document nor said proprietary information shall be published, reproduced, copied, disclosed, or used, in whole or in part, for any purpose other than consideration of this document without the express written permission of a duly authorized representative of the said company. Configuration Training

iv CONTENTS Chapter 1 - Introduction to Functional Safety ........................................................................................ 1 Chapter 2 - Process and Machine Safety Standards........................................................................... 33 Chapter 3 - Introduction to the Safety ePAC........................................................................................ 63 Chapter 4 - Safety System Design Consideration ............................................................................. 129 Chapter 5 - Safety I/O Modules ......................................................................................................... 173 Chapter 6 - Safety Programming Software ........................................................................................ 239 Chapter 7 - Redundant M580 Safety ................................................................................................. 329 Appendix 1 – References................................................................................................................... 351 Modicon M580 Safety

v SAFETY INFORMATION Read these instructions carefully and look at the equipment to become familiar with the device before trying to install, operate, service, or maintain it. The following special messages may appear throughout this documentation or on the equipment to warn of potential hazards or to call attention to information that clarifies or simplifies a procedure. The addition of this symbol to a \"Danger\" or \"Warning\" safety label indicates that an electrical hazard exists which will result in personal injury if the instructions are not followed. This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety alert messages that follow this symbol to avoid possible injury or death. DANGER indicates a hazardous situation which, if not avoided, will result in death or serious injury. WARNING indicates a hazardous situation which, if not avoided, could result in death or serious injury. CAUTION indicates a hazardous situation which, if not avoided, could result in minor or moderate injury. NOTICE is used to address practices not related to physical injury. PLEASE NOTE Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this material. A qualified person is one who has skills and knowledge related to the construction and operation of electrical equipment and its installation and has received safety training to recognize and avoid the hazards involved. Configuration Training

vi COURSE OBJECTIVES This course introduces the EcoStruxure™ Modicon M580 Safety controller used in process and machine plant risks, special characteristics, and types of safety critical technology available and how this product is designed to reduce risks to acceptable levels. The training will focus on software and hardware related to Safety ePAC. This is not a safety training. Safety is introduced but norms and considerations about how to implement a safe process and machine are not explained. By the completion of this training course participants will: • Understand the principles of safety using IEC 61508 Functional Safety in process and machine applications • Differentiate Safety Integration and Common Safety used in hybrid industries • Combine process and safety in one single safety controller • Identify the main components that comprise the Safety ePAC offer • Understand Safety ePAC and Safety I/Os main features and limitations • Implement and configure Safe Ethernet communication • Integrate Local, Remote and Distributed I/O with Safety ePAC • Perform safety programming with EcoStruxure™ Control Expert V15 for Safety by implementing TÜV Safety Libraries TARGET AUDIENCE This course is designed for: • Technical staff: PAEs, SAEs, TSC, L3 Support, Execution Centers and Solution Architects • System Integrators and partners (Alliance) • Users who have some knowledge and experience in safety system • Users who need to implement Safety applications using Safety ePAC controller • Users who already know the standard version of EcoStruxure™ Control Expert V15 but not the Safety version • Users who involved in lifecycle phases for Safety Instrumented Systems Modicon M580 Safety

vii PREREQUISITE KNOWLEDGE This training course assumes the following prior knowledge of: • The concepts of PACs / Controllers • The concept of Industrial Automation • Knowledge of EcoStruxure™ Control Expert Programming Software • Have attended classroom training on M580 Configuration course • Have attended following e-learning modules: o Safety System Basics Course o Common Safety: Integration of Control and Safety Systems o The M580 Safety Controller for Processes and Machines SCOPE This training manual is provided for authorised training and is a supplement to the documentation. To make proper use of the software, refer to the information provided for the product such as the Help Files, User Guides or Knowledge Base. The graphics displaying screen captures were taken using the Windows 10 operating system. When running a different version of Windows, screen images may differ slightly from those shown in the training manual. Some screen captures may have been taken from beta or earlier versions of the software and may vary slightly from release screen captures. Configuration Training

viii COURSE PROGRAM The training course will take two days to complete. The following program outlines the topics that will be covered on each day: Day 1 Introduction to the Internet of Things Overview of IEC 61508 Functional Safety Overview of Safety Norms and Safety Lifecycle Determine System Integrity Level (SIL) of a Safety Instrumented System (SIS) Introduction to Process and Machine Safety Total safety integration with Common Safety Consideration when combine standard Process with safety in one single controller Introduction to Safety ePAC CPU with Co-processor CPU Cybersecurity in Safety Day 2 Safety System Architectures Design Combine of safety and non-safety modules in the same rack Safety ePAC I/O modules and non-interfering modules Memory organizations (safe and non-safe area) Safety programming with TÜV Safety Libraries in EcoStruxure™ Control Expert V15 for Safety Safe Ethernet Peer-to-Peer (P2P) communication COURSE ASSETS For the training course, the following are also required: 1) M580 Safety demo training kit 2) Programming software: EcoStruxure Control Expert for Safety Modicon M580 Safety

ix CONVENTIONS USED IN ACTIVITIES Hints & Tips This heading will provide students with useful or helpful information that will make configuring the project easier. Example - Hints & Tips: To go to the next field, use the mouse cursor or press the TAB key. Note A note will refer to a feature which may not be obvious at first glance but something that should always be kept in mind. Example - Note: Any events named GLOBAL are enabled automatically when events are enabled. See Also This heading will advise students to visit a different location for further reference information. Example - See Also: For further information on Modbus see Chapter 12 – Modbus Devices. Configuration Training

x ACTIVITIES After a concept is explained students will be given activities that practice the skills just learned. These activities begin by explaining the general concept of each exercise and then step-by-step procedures are listed to guide students through each exercise. Activities start with information about the tasks to be carried out. In this activity: • Task 1 • Task 2 • Etc. The text is shown in italics to help separate the activities from other information contained in this training manual. Activities usually show multiple screenshots, with numbered step-by-step instructions: 1. Open the editing window. 2. Enter the following information: 3. Save the changes. 4. Download to the device. When the activity is complete the following symbol will be displayed. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 1 Chapter 1 - INTRODUCTION TO FUNCTIONAL SAFETY Functional Safety is concerned with equipment failures that affect the safety of persons and/or the environment. It is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. It's a concept applicable across all industry sectors providing assurance that the safety-related systems will offer the necessary risk reduction required to achieve safety for the equipment. Functional Safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met. This chapter will give an overview of the Functional Safety Standards used in Process and Machine industries. CONTENTS: Functional Safety................................................................................................................. 2 Risk Assessment................................................................................................................. 7 Safeguards and Protection Layers .................................................................................... 11 Safety Instrumented Function (SIF) .................................................................................. 13 Safety Instrumented System (SIS) .................................................................................... 14 Safety Integrity Level (SIL) ................................................................................................ 15 Methods Determine SIL Requirements ............................................................................. 18 Layers of Protection Analysis ............................................................................................ 23 Safety Norms and Standards ............................................................................................ 28 Configuration Training

2 Chapter 1 - Introduction to Functional Safety FUNCTIONAL SAFETY WHAT IS SAFETY? Safety is the state in which the risk of harm to persons or property is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identification and risk management - ICAO Doc 9859. When talking about Safety, keep in mind that \"zero\" risk does not exist! The goal of a safety system is to reduce risk to an acceptable level. There will never be a zero level of risk. WHY WE NEED FUNCTIONAL SAFETY? An approved system demonstrates your legal responsibility in regard to the use and supply of safety-related products, systems, or services, wherever you are in the supply chain. In contracts and tendering situations, certification to IEC 61508 is either a pre-requisite or it can offer a significant advantage over the competition. For manufacturers, certified products are more likely to extend market penetration and offer the potential of increased sales growth. The benefits of increased hardware and systematic integrity can also be seen in improved product quality – lower returns, field recalls, and improved levels of customer satisfaction. IS SAFETY EXPENSIVE? Commonly, implementing Safety is seen as an expensive additional cost. But how much is the cost of an incident? Some of the costs are obvious, such as sick pay for injured employees, whereas some costs are harder to identify. The Health and Safety Executive in UK (HSE) gives an example of an accident at a drilling machine that resulted in costs to the business of £45 000 (~51 300 €) (HSE INDG355). However, this does not include some of the less obvious costs, and some estimates amount to double that figure. An accident analysed by Schneider Electric, the outcome of which was a reversible head injury, cost the employer some £90 000 (~102 600 €), of which only £37 000 (~42 200 €) was insurable. The full financial impact can include increase in insurance premiums, lost production, lost customers and even loss of reputation. This could be even more important cost when we consider accident related to process, such as explosions. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 3 Most of the time, we consider 3 axes of consequences of an incident: Personnel • Injury / Fatality • Effect on family, friends, community, colleagues Environment / • Damage confined to immediate location Image cost • Damage widespread beyond the immediate location through air-borne and water-borne pollution • Loss of reputation, loss of customers • Loss of confidence and effectiveness from employees Financial Loss • Lost production • Damaged equipment • Fines Configuration Training

4 Chapter 1 - Introduction to Functional Safety CAUSES OF DANGEROUS FAILURES The causes of dangerous failures are numerous: ➢ Human error ➢ Incorrect specifications of system ➢ Hardware or software omissions in Safety Requirements Specification (e.g. failure to develop all relevant safety functions during different modes of operation) ➢ Random failures of hardware ➢ Systematic failures of hardware and software ➢ Common Cause Failures (e.g. when many identical devices from the same manufacturer are used, we can suppose they will fail at the same time under the same conditions) ➢ Environmental influences (e.g. electromagnetic, temperature, mechanical phenomena) ➢ Supply system voltage disturbances A study of 34 accidents causes involving control systems done in U.K. by the Health & Safety Executive shows the following statistics about the main cause of dangerous failures: The point to highlight here is the fact that more than 50% of causes are relative to design and specifications. A good specification of the Safety Function is half the work done. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 5 THINK SAFETY AT EVERY STAGE Safety has not to be taken into consideration during operation, but at every single stage of the process or machine. Safety has to be integrated during the specification, design, installation, operation and dismantling. These steps are part of what is called the Safety Life Cycle. As we have seen before with the causes of failure, focus should be done during the analysis and specification, where risks are analysed. Risks management concepts must be understood and executed correctly because they form the foundation for the entire safety life cycle. SAFETY CULTURE Having a good safety culture can be summarized by 3 main components: ➢ Implication of the management: CEO and managers have to lead the safety culture and must ensure it is correctly applied. This is the major component, management is responsible for selecting appropriate safety directions. ➢ Technical requirements: following the international standards is the best practice. ➢ Competence of persons: Safety must be achieved and validated by a group of experts coming from different fields. Configuration Training

6 Chapter 1 - Introduction to Functional Safety DEFINITION Functional Safety is a concept applicable across all industry sectors. It is fundamental to the enabling of complex technology used for safety-related systems. It provides the assurance that the safety-related systems will offer the necessary risk reduction required to achieve safety for the equipment. Functional Safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met. Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. For example, an over-temperature protection device, using a thermal sensor in the windings of an electric motor to de-energize the motor before they can overheat, is an instance of functional safety. But providing specialized insulation to withstand high temperatures is not an instance of functional safety (although it is still an instance of safety and could protect against exactly the same hazard). Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact. FUNCTIONAL SAFETY MANAGEMENT Define all TECHNICAL and MANAGEMENT ACTIVITIES during the life cycle of safety instrumented systems. Specify responsibility of people, departments, and organizations. Management of functional safety is one of the most important safety life cycles in the hazard and risk assessment phase. If it is not handled correctly, it will influence all main life cycles in the overall safety life cycle. ➢ Functional Safety Management is carried out in all safety life cycles. ➢ In hazard and risk assessment phase, requirements related to management of functional safety are divided into the following categories: ➢ General requirements ➢ Organization and resources ➢ Risk evaluation, risk management and planning of the safety Implementing and monitoring ➢ Functional safety assessment ➢ Auditing and revision ➢ Safety Instrumented System (SIS) configuration management Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 7 RISK ASSESSMENT DEFINITION OF RISK Risk is a measure of the likelihood and consequence of an adverse event or incident. As a consequence, a risk has two main components: ➢ Frequency: how often can it happen? ➢ Consequence: what happens when it does happen and how bad is it? Here are some concrete examples of risks: ➢ 1 fatality every 10 years ➢ Production loss of $10M every 20 years ➢ Temporary damage to the forest around every 15 years Risk \"zero\", which means a risk with a frequency equal to zero, does not exist. Risk must be managed. ELEMENTS OF RISK Risk associated with a particular hazardous situation depends on the following: ➢ The severity of harm. ➢ The probability of occurrence of that harm, which is a function of o The exposure of person(s) to the hazard, o The occurrence of a hazardous event, and o The technical and human possibilities to avoid or limit the harm. Configuration Training

8 Chapter 1 - Introduction to Functional Safety UNDERSTANDING RISK All safety standards exist to reduce risk, which is inherent wherever manufacturing or processing occurs. The goal of eliminating risk and bringing about a state of absolute safety is not attainable. More realistically, risk can be categorized as being either negligible, tolerable or unacceptable. The foundation for any modern safety system, then, is to reduce risk to an acceptable or tolerable level. In this context, safety can be defined as “freedom from unacceptable risk.” The formula for risk is: RISK = HAZARD FREQUENCY x HAZARD CONSEQUENCE Risk can be minimized initially by inherently safe process design, by the Basic Process Control System (BPCS), and finally by a safety shutdown system. DANGER AND RISKS Most people have a misunderstanding between danger / hazard and risk. There is always a danger, a danger is ever present whereas risk is the possibility of that danger happening. Consider the following two statements: ➢ A hungry tiger is dangerous. ➢ A hungry tiger is risky. Actually, a hungry tiger is dangerous, but it is only a risk if it is in your vicinity. We can avoid or reduce risk by bounding danger (tiger is locked in the zoo, so the risk to be attacked is very low). Risks are events or conditions that may occur, and hence occurrence if it does take place, has a harmful or negative effect. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 9 RISK MANAGEMENT Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. As the risk “0” doesn’t exist, design of an inherently safe process is not possible. However, it is possible to mitigate risks and to decrease their frequencies of occurrence. ➢ To reduce the risk, these followings have to be considered: ➢ Agree on a level of risk, that is considered tolerable ➢ Identify the Hazards ➢ Perform Hazard and Risk analysis ➢ Evaluate for each risk likelihood and severity ➢ Determine whether risks are below acceptable measures Configuration Training

10 Chapter 1 - Introduction to Functional Safety RISK REDUCTION Safety will be achieved by reducing the risk from an inherent risk of the system to a tolerable risk. There is no universal value for “Tolerable Risk”. It varies from case to case, and must be defined by the company (end user customer). An example of a tolerable risk is: a worker's slight injury every 5 years, or a fatality every 20 years. Risk reduction will be done by analysis existing safeguards (example: small wall around the tiger vault) to reduce to a residual risk. If this risk is not below the tolerable risk, additional safeguards must be implemented (example: additional fence around the tiger vault). Safeguards, or protection layers, are implemented to reduce the risks from a particular hazard. In the process, each potential hazard must be identified and taken into account for the risk reduction. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 11 SAFEGUARDS AND PROTECTION LAYERS Organizational accidents can happen when multiple layers fail. Figure below on the left represent the design intent of multiple layers. ➢ If all layers are effective (i.e., solid and strong), a failure will not propagate through them. However, in reality, the layers are not solid. They are more like Swiss cheese. ➢ The holes are caused by flaws due to management, engineering, operations, maintenance, and other errors. ➢ Not only are there holes in each layer, but the holes are also constantly moving, growing, and shrinking, as well as appearing and disappearing. It's now easy to visualize how, of the holes line up properly, as in the right figure below, a failure can easily propagate through all of them. Configuration Training

12 Chapter 1 - Introduction to Functional Safety METHODOLOGY The method starts with a list of all the process hazards on the installation as identified by HAZOP or other hazard identification technique. The hazards are analyzed in terms of: ➢ Consequence description ➢ Estimate of consequence severity (e.g. minor, serious, catastrophic) ➢ Description of all causes which could lead to the Impact Event ➢ Estimate of frequency of all initiating causes (e.g. low, medium, high) The strength of the method is that it recognizes that in the process industries there are usually several layers of protection against an initiating cause leading to an impact event. Specifically, it identifies: ➢ General Process Design o Aspects of the design which reduce the probability of loss of containment, or of ignition if containment is lost, so reducing the probability of a fire or explosion event. ➢ Basic Process Control System (BPCS) o Design of an alternative or another independent control loop which could prevent the impact event and so reduce the frequency of that event. ➢ Alarms o An indication for operator to respond and an effective action he can take to reduce the probability of the impact event. ➢ Additional Mitigation, Restricted Access o Even if the Impact Event occurs, there may be limits on the occupation of the hazardous area (equivalent to the F parameter in the Risk Graph method), or effective means of escape from the hazardous area (equivalent to the P parameter in the risk graph method), which reduce the Severity Level of the event. ➢ Independent Protection Layers (IPLs) o A number of criteria must be satisfied by an IPL, including RRF ≥ 100. Relief valves and bursting disks usually qualify. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 13 SAFETY INSTRUMENTED FUNCTION (SIF) A Safety Instrumented Function (SIF) is a “function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function (trip) or a safety instrumented control (continuous) function (IEC 61511-1, 3.2.71)”. In other terms, in order to achieve functional safety, the SIF must operate correctly and, when a failure occurs in the SIF, it must behave in a defined manner so that the plant is brought to a safe state. Safety Instrumented Functions are used when no additional protection layers or safeguards can be implemented anymore in the system to prevent the risk. A SIF is implemented as an additional prevention layer if the existing prevention layers cannot reduce risk to the tolerable level. Configuration Training

14 Chapter 1 - Introduction to Functional Safety SAFETY INSTRUMENTED SYSTEM (SIS) A Safety Instrumented System (SIS) is an independent system composed of sensors, logic solvers (e.g. controllers), and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated. The Safety PLC is independent of normal Process Control. Safety logic and configurations have to be simple. They are only used to shutdown the System to a Safe State. The Safety PLC does not control the Process. This simplifies the certification process. Each Safety Instrumented Function is implemented within a Safety Instrumented System. A SIS can manage many Safety Instrumented Functions. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 15 SAFETY INTEGRITY LEVEL (SIL) DEFINITION OF SIL The Safety Integrity Level (SIL) is an indicator of the Safety Instrumented System reliability to perform the Safety Integrity Function. As seen, the SIF is necessary to be implemented only if the tolerable risk level is not reached already by additional safeguards. ➢ Safety Integrity is the likelihood of a Safety Instrumented System satisfactorily performing required safety functions under all stated conditions within a giving period: “The average probability of a safety instrumented system satisfactorily performing the required safety functions under all stated conditions within a stated period of time (IEC 61511 – 1, 3.2.73 & IEC 61508 – 4, 3.5.2)” ➢ Safety Integrity Level (SIL) is a discrete level for specifying the Safety integrity requirements for a Safety function. (1,2,3,4 - the higher the more reliable) “Discrete level for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. (IEC 61511 – 1, 3.2.74)” A SIL is derived from a Risk Assessment. It is not a measure of Risk but rather the intended reliability of a system or function. Safety Integrity Levels are related to probability of failures, which are related to the likelihood component of risk. FOUR SIL LEVELS SIL certification is a tool to measure the amount of risk reduction provided by a Safety Instrumented Function (SIF). It assesses the tolerable/acceptable failure rate of an individual device. This is important when installing or retrofitting an instrument into a SIS. The SIL level number is based on the amount of risk reduction needed to maintain an acceptable rate of failure. Each of the 4 levels of SIL represents an order of magnitude of risk reduction – the higher the level, the greater the impact a failure (and thereby, the lower the acceptable failure rate). SIL 4 has the highest level of safety – Level 1 the lowest. Configuration Training

16 Chapter 1 - Introduction to Functional Safety FOUR LEVELS OF INTEGRITY Historically, safety thinking categorized a process as being either safe or unsafe. For the new standards, however, safety isn’t considered a binary attribute; rather, it is stratified into four discrete levels of safety. Each level represents an order of magnitude of risk reduction. The higher the SIL level, the greater the impact of a failure and the lower the failure rate that is acceptable. Safety Integrity Level is a way to indicate the tolerable failure rate of a particular safety function. Standards require the assignment of a target SIL for any new or retrofitted SIF within the SIS. The assignment of the target SIL is a decision requiring the extension of the Hazards Analysis. The SIL assignment is based on the amount of risk reduction that is necessary to maintain the risk at an acceptable level. All of the SIS design, operation and maintenance choices must then be verified against the target SIL. This ensures that the SIS can mitigate the assigned process risk. SIL PFHavg PFDavg Risk Reduction Qualitative Consequence 4- 10-5 to < 10-4 100,000 to 10,000 Potential for fatalities in the community 3 ≥ 10-8 to < 10-7 10-4 to < 10-3 Potential for multiple on-site 10,000 to 1,000 fatalities 2 ≥ 10-7 to < 10-6 10-3 to < 10-2 1,000 to 100 Potential for major on-site injuries or a fatality 1 ≥ 10-6 to < 10-5 10-2 to < 10-1 100 to 10 Potential for minor on-site injuries ➢ SIL: Safety Integrity Level ➢ PFHavg: Probability of dangerous Failure per Hour (PFH) is the safety integrity failure measure for safety-related protection systems operating in high demand mode. ➢ PFDavg: The average PFD used in calculating safety system reliability. ➢ PFD: Probability of Failure on Demand is the probability of a system failing to respond to a demand for action arising from a potentially hazardous condition. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 17 SIL ASSIGNMENT A Safety Integrity Level is determined for each Safety Instrumented Function. It means that a system is not related to one unique SIL but each identified Safety Integrity Function requires a level of SIL as a consequence of the risk assessment. Consequently, we need first to determine the tolerable risk, and the risk reduction level necessary from the residual risk. For example, if, after having applying all additional safeguards possible, the residual risk has a frequency of 1 over 100 years, and the company defined tolerable risk is 1 over 10000 years, we need a risk reduction factor of 100 (1.0E-02 / 1.0E-04). Knowing this, we need to implement a Safety Instrumented Function managed by a Safety Instrumented System with a probability of failure of 1/100 = 0.01. It means that the system should be at least SIL2 (PFD between 1.0E-02 and 1.0E-03). Configuration Training

18 Chapter 1 - Introduction to Functional Safety METHODS DETERMINE SIL REQUIREMENTS DETERMINE SAFETY INTEGRITY LEVEL (SIL) To determine whether a SIL 1, SIL 2, or SIL 3 system is needed, following are the main steps: ➢ Conduct a Process Hazard Analysis to determine the functional safety. ➢ Identify the tolerable risk level of the process. ➢ Perform a Hazard and Risk Analysis to evaluate existing risk. ➢ Perform risk reduction and mitigation impacts from the Basic Process Control System (BPCS) and other layers of protection taken into account. ➢ Compare the residual risk against their risk tolerance. ➢ If there is an unacceptably high level of risk, a Risk Reduction Factor (RRF) is determined and a SIS / SIL requirement is calculated. The RRF is the inverse of the Probability of Failure on Demand for the SIF / SIS. For calculating the SIL suitability level for individual products is a combined effort between corporate quality, engineering, and a third party for validating calculations. The steps include failure rate prediction, FMEDA, Failure Path Investigation, and a third-party validation (e.g. by company Technis, Consultancy in Safety and Reliability Assessment). SIL SELECTION The IEC Standards does not describe how to determine the required SIL level, or target frequency of the tolerable risk. The company has to define by itself this measure. Nevertheless, standard methods can be used. When chosen, consistency in the method must be applied for all SIF. In this course we introduce some of them as examples. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 19 METHODOLOGY IEC 61508 offers three methods of determining SIL requirements: ➢ Quantitative method ➢ Risk graph, described in the standard as a qualitative method ➢ Hazardous event severity matrix, also described as a qualitative method IEC 61511 offers: ➢ Semi-quantitative method ➢ Safety layer matrix method, described as a semi-qualitative method ➢ Calibrated risk graph, described in the standard as a semi-qualitative method, but by some practitioners as a semi-quantitative method ➢ Risk graph, described as a qualitative method ➢ Layer of protection analysis (LOPA). (Although the standard does not assign this method a position on the qualitative / quantitative scale, it is weighted toward the quantitative end) Risk graphs and LOPA are popular methods for determining SIL requirements, particularly in the process industry sector. Their advantages and disadvantages and range of applicability are the main topic of this paper. DETERMINING SIL LEVELS FOR PROCESS When a Process Hazards Analysis (PHA) determines that a SIS is required, the level of risk reduction afforded by the SIS and the target SIL have to be assigned. The effectiveness of a SIS is described in terms of “the probability it will fail to perform its required function when it is called upon to do so.” This is its Probability of Failure on Demand (PFD). The average PFD (PFDavg) is used for SIL evaluation. Various methodologies are used for assignment of target SILs. The determination must involve people with the relevant expertise and experience. Methodologies used for determining SILs include following (but are not limited to): ➢ Simplified Calculations ➢ Fault Tree Analysis ➢ Layer of Protection Analysis (LOPA) ➢ Markov Analysis Configuration Training

20 Chapter 1 - Introduction to Functional Safety QUALITATIVE VIEW OF SIL METHOD A qualitative view of SIL has slowly developed over the last few years as the concept of SIL has been adopted at many chemical and petrochemical plants. As shown table below, this qualitative view can be expressed in terms of the consequence of the SIS failure, in terms of facility damage, personnel injury, and the public or community exposure. SIL Generalized View 4 Catastrophic Community Impact 3 Employee and Community Impact 2 Major Property and Production Protection. Possible Injury to employee 1 Minor Property and Production Protection The above qualitative view leaves much open for discussion. What is minor and major means? At what point, will a theoretical injury or fatality occur? There are no regulations that assign or assist in the assignment of a SIL to particular processes or chemical operations. Further, there are no regulations or standards to follow that recommend specific SILs for certain process hazards. The assignment of SIL is a corporate or company decision based on risk management and risk tolerance philosophy. The caveat is that ANSI/ISA S84.01-1996 does mandate that companies should design their Safety Instrumented systems (SIS) to be consistent with similar operating process units within their own companies and at other companies. Likewise, in the US, OSHA PSM and EPA RMP require that industry standards and good engineering practice be used in the design and operation of process facilities. This means that the assignment of safety integrity levels must be carefully performed and thoroughly documented. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 21 CONSEQUENCE ONLY METHOD The most conservative technique, Consequence only, uses an estimation of the potential consequence of the incident. The incident frequency is not considered. Consequently, all incidents resulting in possible fatalities would have the same SIL no matter how remote or frequent the incident likelihood might occur. A Consequence only decision table shown below: SIL General View 4 Potential for fatalities in the community 3 Potential for multiple fatalities 2 Potential for major serious injuries or one fatality 1 Potential for minor injuries This method, while conservative, is the simplest tool to utilize, because the team does not need to estimate the likelihood of the incident, which is often the most difficult estimation for the team to make. This method is especially appropriate when the process history is very limited, which contributes substantially to the difficulty in defining the likelihood. OVERVIEW OF FAULT TREE ANALYSIS Fault tree diagrams represent the logical relationship between sub-system and component failures and how they combine to cause system failures. The TOP event of a fault tree represents a system event of interest and is connected by logical gates to component failures known as basic events. After creating the diagram, failure and repair data is assigned to the system components. The analysis is then performed, to calculate reliability and availability parameters for the system and identify critical components. OVERVIEW OF EVENT TREE ANALYSIS Event tree diagrams provide a logical representation of the possible outcomes following a hazardous event. Event tree analysis provides an inductive approach to reliability and risk assessment and are constructed using forward logic. Configuration Training

22 Chapter 1 - Introduction to Functional Safety FAULT & EVENT TREE The fault and events are represented in graphical trees as show below: Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 23 LAYERS OF PROTECTION ANALYSIS Layers of Protection Analysis (LOPA) is a powerful analytical tool for assessing the adequacy of protection layers used to mitigate process risk. LOPA builds upon well-known process hazards analysis techniques, applying semi-quantitative measures to the evaluation of the frequency of potential incidents and the probability of failure of the protection layers. The LOPA method was developed by the American Institute of Chemical Engineers as a method of assessing the SIL requirements of SIFs (AIChemE 1993). WHAT IS LOPA? Layers of Protection Analysis (LOPA) is a semi-quantitative methodology that can be used to identify safeguards that meet the Independent Protection Layer (IPL) criteria. While IPLs are extrinsic safety systems, they can be active or passive systems, as long as the following criteria are met: ➢ Specificity: capable of detecting and preventing or mitigating the consequences of specified, potentially hazardous event(s), such as a runaway reaction, loss of containment, or an explosion. ➢ Independence: independent of all the other protection layers associated with the identified potentially hazardous event. The performance is not affected by the failure of another protection layer or by the conditions that caused another protection layer to fail. ➢ Dependability: The protection provided by the IPL reduces the identified risk by a known and specified amount. ➢ Auditability: The IPL is designed to permit regular periodic validation of the protective function. Examples of Independent Protection Layers (IPLs) are as follows: ➢ Standard operating procedures ➢ Basic process control systems ➢ Alarms with defined operator response ➢ Safety instrumented systems (SIS) ➢ Pressure relief devices ➢ Blast walls and dikes ➢ Fire and gas systems ➢ Deluge systems Configuration Training

24 Chapter 1 - Introduction to Functional Safety LAYERED PROTECTION Much evaluation work, including a hazard and risk assessment, has to be performed by the customer to identify the overall risk reduction requirements and to allocate these to Independent Protection Layers (IPL). No single safety measure can eliminate risk and protect a plant and its personnel against harm or mitigate the spread of harm if a hazardous incident occurs. For this reason, safety exists in protective layers: a sequence of mechanical devices, process controls, shutdown systems and external response measures which prevent or mitigate a hazardous event. If one protection layer fails, successive layers will be available to take the process to a safe state. If one of the protection layers is a Safety Instrumented Function (SIF), the risk reduction allocated to it determines its Safety Integrity Level (SIL). As the number of protection layers and their reliabilities increase, the safety of the process increases. Each layer must be independent of the other, so that if one layer fails, the next layer can be expected to provide back-up protection. This \"Onion\" diagram contains a set of prevention protection layers, aimed at preventing the accident from occurring. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 25 IDENTIFYING SAFEGUARDS There are two groups of safeguards: ➢ they reduce the risk by preventing the accident from happening, or ➢ by mitigating the severity of the consequence of the incident. In several Safety document, mitigation and prevention layers can also be represented in what is called the \"Onion\" Diagram, which gives another view of the protection. It contains a set of prevention protection layers, aimed at preventing the accident from occurring. Configuration Training

26 Chapter 1 - Introduction to Functional Safety BOWTIE DIAGRAMS The BowTie has become popular as a structured method to assess risk where a qualitative approach may not be possible or desirable. The success of the diagram is that it is simple and easy for the non-specialist to understand. The idea is a simple one of combining the cause (fault tree) and the consequence (event tree). BowTie diagram is an appropriate and useful way to visualize the anatomy of an incident, which offers a view of both preventing and mitigation layers. This is an important concept in Safety. A bowtie diagram can easily be created by defining the: ➢ Event to be prevented. ➢ Threats that could cause the event to occur. ➢ Consequences of the event occurring. ➢ Controls to prevent the event occurring. ➢ Controls to mitigate against the consequences. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 27 THE RISK GRAPH The risk graph: the estimation of SIL is done by qualitative steps. THE RISK MATRIX The Risk Matrix: each company management decides components of each tolerable risk and merge the two axis to determine the SIL. Configuration Training

28 Chapter 1 - Introduction to Functional Safety SAFETY NORMS AND STANDARDS Around 40 years ago, electromechanical control systems were developed to a satisfactory safety level. “Doubling and surveillance” became catchwords for machine control systems that influenced the safety. Around 1990 the use of electronics and micro-processors (programs) also for safety functions were beginning to be used safety electronic components (light curtains, safety modules, safety controllers, safety PLCs...). The industry has now accepted that electronics and software (safety PLC) can be used also in safety-related control systems. This becomes even necessary in some sectors to reconcile the growing pressings of social (safety) and economic (performance) requirements. The control systems architectures of machines and processes is continuously updated (continuous evolution of international and regional safety standards). Standards are defined by specific institutes. Some tend to be worldwide used. The main standard used for electrical, electronic and programmable electronic safety related systems is the IEC 61508. It gives general guidelines to implement Safety. More accurate information are contained into the IEC 61511 dedicated to process safety, whereas the IEC 62061 focus on safety for machines. Both are \"children\" of the IEC 61508. Another commonly used standard for machines is the ISO 13849-1. This proposes a qualitative approach instead of the quantitative approach of the IEC 62061. Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 29 APPLICATION SECTOR SAFETY STANDARDS IEC 61508 is intended to be a basic functional safety standard applicable to all kinds of industry. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.” The standard covers the complete safety life cycle, and may need interpretation to develop sector specific standards. It has its origins in the process control industry sector. ➢ EN/IEC 61508: March 2002 - Functional safety of electrical, electronic, programmable electronic safety-related systems ➢ EN/IEC 61511: March 2005 - Functional safety — Safety Instrumented Systems for the process industry sector ➢ EN/IEC 62061: July 2005 - harmonized under the terms of the machinery directive: Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems Configuration Training

30 Chapter 1 - Introduction to Functional Safety DIRECTIVES & STANDARDS Standards are not mandatory. They have to be seen more than guidelines, or good engineering practices for functional Safety. They may become mandatory when they are mentioned in a legislative text on a country level. On the contrary, directives are mandatory. For example, European Directives must be translated locally and applied within two years from publication, and they define the \"essential requirements\", e.g. protection of health and safety requirements, a product must meet before placed on the European market. The European standards bodies are mandated to draw up the technical specifications (Harmonized Standards) meeting the requirements of the Directives. Countries may use for example IEC or / and ISO standards, or even adapt them locally. Standardization bodies work jointly togethers. WORLD STANDARDS AND LEGISLATION Standards and legislations are not unified on Process Safety concerns. But standard are emerging, such as IEC61511. Note than apart from UK and Australia (and USA, to some extent), it only relies on a voluntary basis for the other countries. ➢ Australia - Occupational Health & Safety. Major Hazard Facilities, 2000. AS-IEC 61511, 2004 ➢ Canada - Bill C-45 Amendments to Criminal Code affecting the Criminal Liability of Organizations , 2003 ➢ France - Registered Work for Environment Protection, 1976 ➢ Germany - Hazardous Incident Ordinance, 1980 ➢ European Community - 82/502/EEC. Major Accident Hazards Directive, 1982 ➢ United Kingdom - Programmable Electronics Systems in Safety Related Applications Health and Safety Executive (HSE) 1987 - BS-IEC 61511 ➢ United States ➢ OSHA 1910 Process Safety Management of Highly Hazardous Chemical, 1992 ➢ Functional Safety: Safety Instrumented System for the Process Industry ANSI/ISA 84.00.01-2004 Modicon M580 Safety

Chapter 1 - Introduction to Functional Safety 31 SUMMARY This chapter gave an overview of the Functional Safety Standards used in Process and Machine industries. QUESTIONS The following questions will help to check understanding of the topics covered in this chapter: ➢ What is Process Safety? Why Safety is so important in industrial? ➢ What are the numerous causes of dangerous failure? Which failure has the highest importance? Why? ➢ What are the methods used to reduce Risks? ➢ What are the differences between SIF, SIS and SIL? ➢ What are the main components used in SIS? ➢ What are the methods used to determine SIL requirements? ➢ What are the Safety IEC standards used in Process and Machinery sectors? Configuration Training



Chapter 2 - Process and Machine Safety Standards 33 Chapter 2 - PROCESS AND MACHINE SAFETY STANDARDS Process Safety focuses on preventing fires, explosions and accidental chemical releases in chemical process facilities or other facilities dealing with hazardous materials such as refineries and oil & gas production installation. Machine Safety has become an even more important machine design concern as it must provide responsible protection for operators and technicians. Moving machine parts have the potential to cause severe workplace injuries, such as crushed fingers or hands, amputations, burns, or blindness. This chapter will provide an overview of Process and Machinery Safety standards needed for protecting workers from these preventable injuries. CONTENTS: Functional Safety Standards ........................................................................................34 Process Safety Standards ............................................................................................38 Machine Safety Standards ...........................................................................................41 Types of Safety Integration...........................................................................................47 Integration with Common Safety ..................................................................................49 All-in-one Process and Safety ......................................................................................51 Schneider Electric Safety Offer ....................................................................................53 Configuration Training

34 Chapter 2 - Process and Machine Safety Standards FUNCTIONAL SAFETY STANDARDS IEC 61508, \"Functional safety of electrical/electronic/programmable electronic safety- related systems\", is an product-oriented (hardware/software) functional safety standard created by the International Electrotechnical Commission (IEC). The standard is well known and established in ➢ Industrial Process Control ➢ Automation Industry ➢ Automotive Industry ➢ Heavy Machinery ➢ Mining ➢ Other Fields where safety and reliability are paramount. The IEC 61508 standard provides a basis for other product-specific or sector-specific safety standards, such as the IEC 61511 standard which is focused on the functional safety requirements of the process industry sector. Human safety is the main focus of the IEC 61508 standard. It aims to protect human life through analysis of the functionality of products, machinery, and equipment that can affect human safety. IEC 61508 can also be a valuable tool to help to minimize risk in non-safety related applications, and it can be used to protect critical products, machinery, or equipment from damage. IEC 61508 PARTS The standard is divided in 7 parts: ➢ Part 1: General requirements ➢ Part 2: Requirements for electrical/electronic/programmable electronic safety- related systems (E/E/PE) ➢ Part 3: Software requirements (Software = Firmware & Software) ➢ Part 4: Definitions and Abbreviations ➢ Part 5: Examples of methods for the determination of Safety Integrity Levels (SIL) ➢ Part 6: Guidelines on the Application of IEC 61508-2 and IEC 61508-3 ➢ Part 7: Overview of Techniques and Measures Modicon M580 Safety

Chapter 2 - Process and Machine Safety Standards 35 INTRODUCTION IEC 61508 contains both requirements for preventing failures (avoiding the introduction of faults) and requirements for controlling failures (ensuring safety even when faults are present). This international standard covers those aspects to be considered when electrical / electronic / programmable electronic systems (E/E/PESs) are used to carry out safety functions. ➢ Standards relating to IEC 61508 covers functional safety of electrical / electronic / programmable electronic safety-related systems. ➢ Standards relating to IEC 62061 focus on Safety of Machinery. ➢ Standards relating to IEC 61511 covers Safety Instrumented Systems for the process Industry sector. IEC 61511 is used internationally. IEC 61508 applies to all E/E/PES irrespective of their application and where application-specific standards do not exist IEC 61508 is a general standard from which other standards are derived (e.g. IEC 61511: Safety Instrumented Systems for the Process Industry Sector). IEC 61508 has to be applied by PLC manufacturer and also by customers for their application. A safety-related system covers all parts of the system that are necessary to carry out the safety function i.e. from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator. A certified PLC is the basis for a Safety Application, but still the application with wiring, configuration and logic has to follow the rules of IEC 61508 and the Safety Manual of the PLC vendor. The Safety Manual is Mandatory. The Safety Application should be developed by trained engineers. Note: the ANSI/ISA 84-2004 standard is almost identical to IEC61511. This norm is mostly used in United States. Configuration Training

36 Chapter 2 - Process and Machine Safety Standards APPLYING THE IEC 61508 STANDARD Applying the IEC 61508 Standard consists of transforming the 5 Phases of Life Cycle into Controlled Approach, which mean meeting the 17 Steps recommended by the Standard. Each Step corresponds to Objectives determined in relation to required tolerable risk. It leads to Engineering Documents being drawn up to manage compliance with the Standard. Note that the 2 first steps \"perform hazard & risk analysis\" & \"allocate safety functions to protection layers“ are not defined in the norm but are mandatory to follow the standard. This Safety Life cycle corresponds to the international standard IEC 61511. Modicon M580 Safety

Chapter 2 - Process and Machine Safety Standards 37 IEC 61508 IN PROCESS AND MACHINE INDUSTRY Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. IEC 61508 - Generic standards applicable to all fields of application ➢ Sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety level. ➢ Defines methods to achieve the functional safety of products. IEC 61511 - Application specific for Process Industry ➢ Technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. ➢ This standards implements IEC 61508 for the process industry. IEC/EN 62061 and EN ISO 13849-1 - Application specific for Machine Industry ➢ IEC/EN 62061 - limited to electrical systems o Defines requirements and recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery. o Performance level is described using Safety Integrity Level (SIL). ➢ EN ISO 13849-1 - applied to pneumatic, hydraulic, mechanical as well as electrical systems o Standard may be applied to SRP/CS (safety-related parts of control systems) and all types of machinery, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.). o Does not use the term SIL; instead uses the term Performance Level (PL). Configuration Training

38 Chapter 2 - Process and Machine Safety Standards PROCESS SAFETY STANDARDS SAFETY IN INDUSTRY Industrial safety in pre-digital eras centered mainly around safe work practices, hazardous materials control, and the protective “armouring” of personnel and equipment. Today, safety penetrates far deeper into more complex manufacturing infrastructures, extending its protective influence all the way to a company’s bottom line. Contemporary safety systems reduce risk with operational advancements that frequently improve reliability, productivity and profitability as well. PROCESS SAFETY Process Safety generally refers to the prevention of unintentional releases of chemicals, energy, or other potentially dangerous materials during the course of chemical processes that can have a serious effect to the plant and environment. Process Safety relates to the strategy and deployed to reduce the probability and severity of process incidents. The programs focus on design and engineering of facilities, maintenance of equipment, effective alarms, effective control points, procedures and training. CCPS was established in 1985 to focus on engineering and management practices that can prevent and mitigate catastrophic accidents involving release of hazardous materials. CCPS is supported by sponsors in the chemical and hydrocarbon process industries and active worldwide via conferences, books, databases, education, research, and more. Modicon M580 Safety

Chapter 2 - Process and Machine Safety Standards 39 IEC 61508 & IEC 61511 Nothing is more important than safety to the process control industries. High temperature and pressure, flammable and toxic materials are just some of the issues faced on a daily basis. Reliability is a key component of safety; the more reliable the device, the safer the critical process. IEC 61508 and IEC 61511 have recently come together to yield a safety standard that the world is embracing. IEC 61511 is particularly important as it is written specifically for the Process Industries, quantifying safety issues. Although the safety issues addressed are critical to users with installations like Emergency Shutdown Systems (ESD), the reliability defined in this specification is being used by all users to separate great products from good ones. SIL (Safety Integrity Level) and SFF (Safe Failure Fraction) are two of the key values that customers can use as an objective comparison of instrument reliability from various suppliers. IEC 61511 - SAFETY INSTRUMENTED SYSTEMS FOR PROCESS INDUSTRY The EN/IEC 61511 applies to the entire safety loops life cycle of the Safety Instrumented Systems (SIS): ➢ Specification ➢ Design ➢ Installation ➢ Operation ➢ Maintenance Use of EN/IEC 61511 standard: ➢ Requires that a Hazard and Risk Assessment is carried out to identify the overall safety requirements. ➢ Requires that an allocation of the safety requirements to the Safety Instrumented System(s) is carried out. ➢ Works within a framework which is applicable to all instrumented methods of achieving Functional Safety. ➢ Details the use of certain activities, such as Safety Management, which may be applicable to all methods of achieving Functional Safety. The standards are intended for Designers, System Integrators and SIS users. Configuration Training

40 Chapter 2 - Process and Machine Safety Standards IEC 61511 The IEC 61511 Safety Standard specifies Safety Life Cycle for process industry sector. Starting from Hazard and Risk Analysis to implementation of SIS and finally its decommissioning. SIS SAFETY LIFECYCLE PHASE IEC 61511 uses the safety lifecycle as a framework and defines a series of phases: ➢ Analysis: ➢ Phase 1: Hazard and risk assessment ➢ Phase 2: Allocation of safety function to protection layers ➢ Phase 3: SIS safety requirements specification ➢ Realization: ➢ Phase 4: SIS design and engineering ➢ Phase 5: SIS installation, commissioning and validation ➢ Operation: ➢ Phase 6: SIS operation and maintenance ➢ Phase 7: SIS modification ➢ Phase 8: Decommissioning ➢ Activities performed throughout all phases: ➢ Phase 9: SIS verification ➢ Phase 10: Management of functional safety, assessment and auditing ➢ Phase 11: Safety life-cycle structure and planning Every phase has a set of inputs and outputs and at the end of each, a verification process should be performed to confirm the required outputs are as planned. Modicon M580 Safety