Implementing

Safety System
Standards

IEC 61508/
61511
Yokogawa ISS your partner for
IEC 61508/61511 compliance
The safety of technological processes in the modern
society is a major concern for everybody, whether
directly or indirectly involved. Industrial safety
management serves to protect human life, valuable
assets and the environment. It covers the
identification of hazards, the implementation of
protective measures as well as the control of work
procedures and human factors.
Global alliance over more than 10 years of experts
from industry and safety certifying bodies has created
the IEC 61508 safety standard. It is the aggregation of
practical experience and the use of state-of-the-art
technology, methods & computer tools.
Safety Instrumented Systems are no longer an add-
on attribute, but are the result of structured
engineering procedures that can be divided into 9
major steps in the building or retrofit of a process
plant, represented in the process safety life-cycle.
Starting at the conceptual phase of a process and
ending with disposal, after a (useful) lifetime. It
clearly shows the way to achieve fit-for-purpose
safety; meaning that the risk can be kept as low as
reasonably practical (ALARP), which will result in
cost effective safety measures.
By the accomplishment of these world standards
for Safety Instrumented Systems the effective
performance of safety management has further
matured; in addition it contributes to the
profitability of the industry and protects against
excessive liability claims.
Safety management of a plant at large comprises not
only the implementation of safety systems, but in
particular covers the necessary activities before
Safety Instrumented Systems can be installed and
maintained.
The company
Yokogawa Industrial Safety Systems, founded in
1962, is one of the worlds most experienced Safety
and Control firms. Today, Yokogawa ISS with its
headquarters in The Netherlands, provides services
to clients on a global scale. As a Center of Excellence
within the Yokogawa Corporation, we are committed
to offer cost effective protection systems of all the
Safety Integrity Levels (SIL1-4) for the oil & gas,
petrochemical, chemical, nuclear and conventional
power industries. Our capability to offer safety
consultancy and integration of safety systems with
process control systems is especially appreciated by
our customers.
Yokogawa ISS is a subsidiary of Yokogawa Electric
Corporation, a major player in the world of
Measurement, Control and Safety. The company
employs over 11000 people world-wide and offers the
backing that will support continued growth and
products innovation.
Eliminating the unexpected
Contemporary Company vision
Our process control & automation capability is
expanding to total plant automation, which is leading
to enterprise-wide business solutions. Yokogawa has
adopted the term Enterprise Technology Solutions
(ETS). Real-time plant process control is integrated
with management information systems, logistics,
financial information, production scheduling, safety
systems and other technologies for effective site and
company-wide management.
Safety assessment & compliance to
safety standards.
In particular the services and knowledge that we
offer to our customers, working as a partner in the
safety assessment of a process installation, has
become a logical extension to our ETS services.
Safety Systems play an increasingly critical role in
many process plants today.
The safety standard IEC 61508 and draft IEC 61511
that have world-wide recognition create explicit
safety requirements for process plants. Therefore
users in the process industry are looking for system
suppliers, that can offer tightly integrated control
and safety systems, as well as safety consultancy for
the initial engineering activities to make up the
normative Safety Requirement Specification as
stated in the IEC 61508/61511, on a contractual basis.
The innovative IEC 61508 safety standard
Yokogawa ISS has participated since the beginning 10
years ago, in the realization of this IEC 61508 safety
standard and is still a member of the working group
that develop the application specific standard IEC
61511. This draft IEC61511 standard imposes the
effective and safe application of protective measures
in particular for the process industry. It sets out a
generic and performance based approach for all
systems comprising Safety Instrumented Functions
performed by electrical/electronic and programmable
electronic systems (E/E/PES). These systems are
applied for risk reduction of industrial processes and
are also called Safety Instrumented Systems (SIS).
The framework of the standard can also be used to
consider the strategy of other technologies of safety-
related systems.
The innovation created by these Safety Standards
can be summarized in three essential elements:
The safety life cycle approach, which describes the 9 the industrialized world and is replacing obsolete
phases in the implementation of any process SIS, carried out
by the system integrator. Starting from the initial concept of
a process it covers the engineering, operation and
maintenance, up and including the final disposal of the
equipment. Every lifecycle step makes a contribution to
safety that can be optimized in relation to cost and
effectiveness.
The quantification of the (remaining) risk involved in
the operation of a process. Each step in the above life cycle
has a direct effect on the result of the quantitative risk
analysis (QRA). This result is expressed in the probability of
a potentially unsafe occurrence. Risk reduction may be
required that can be achieved by the installation of safety
provisions, which often include a SIS. The effect on the risk
reduction is indicated by order of magnitude and expressed in
the Safety Integrity Level (SIL has a range from 1-4). The
remaining risk related to the severity of the consequences for
loss of life, damage to assets and environment, or even the
deferred production, will determine whether this risk can be
tolerated when operating a particular process.
The verification of compliance to the required safety
integrity level. Documentation that may be subject to
ratification by an independent authority, embedded in a
proper safety management document system is a necessity
for some essential steps in the safety life cycle. Also the
justification of the safety related decisions made must be
documented in the applicable steps. In practice an auditable
record is created over the entire lifecycle of the Safety
Instrumented System (SIS). The verification steps described
by the IEC 61508/61511 provide such an auditable system.
In this way rational decisions can be made by all
involved parties such as government authorities,
operating companies, certifying institutes and
insurance companies. In addition, it will protect the
operating company against extreme liability claims
in case of omissions and non-compliance.
Application of IEC 61508/61511 standards and
guidelines is also good for business, because the
investment for safety is put where the effect is
justified, applying the ALARP principle. Reduced
costs for initial investment in safety measures such as
SISs, and periodical maintenance will be the result,
Yokogawa ISS
One stop safety services
in spite of possible higher engineering efforts.
The IEC 61508/61511 standard has been accepted by
safety standards.
Yokogawa ISS is an IEC 61508 competent body
A competent body is skilled to carry out the
procedures and methods as defined in the IEC 61508
standard to realise safety Instrumented systems.
Early involvement in a project and cooperation with
our trained safety engineers that have up-to-date
experience (as required by the standard), will
facilitate compliance to the relevant procedures and
the required Safety Integrity Level (SIL). Our
experience can be placed at the users or engineering
contractors disposal by consultancy and pre-
engineering activities, such as completion of the
Safety Requirements Specification. Also the entire
engineering and production of the Logic Solver,
including installation & commissioning, validation,
periodical proof-testing as well as modifications can
be contracted to Yokogawa ISS.
 The demand to maintain an auditable trail of all the Layout studies that require some effect & damage
performed activities is reflected in the Master Safety calculations and can be applied over the life cycle of an
Management Document, developed by Yokogawa installation with a special software tool.
ISS. In this document all the lifecycle activities are Area Safety Reviews can be carried out to investigate the
ordered in well-defined sections. This master optimum location and number of detectors and the location
document will constitute an integral part of a project. and quality of preventive measures on the basis of expected
In this way the Yokogawa ISS project organization, scenarios.
will guarantee adherence to safety standards and can HAZARD study can be applied in the process concept phase
issue a certificate of conformity for an individual to identify potential hazards.
project. HAZOP study can be applied after the detailed design of an
installation on the basis of PFDs, P&IDs, Cause & Effect
It will be obvious that the choice for a certain type of diagrams and Plot Plans as shown in figure 1, step 1.
process or a retrofit of a plant is the first step and can REF#
MODE GUIDEWORD CAUSE CONSEQUENCE SAFE GUARDS
S.F. TYPE
MS/SIS/ER
SENSOR
Tag
FINAL
ELEMENT ACTION
Tag

have already great safety implications. The diagram Drawing

53811-
149707
Fuel Gas No Pressure 1. Gas Supply Fails
Upstream
1. Change over
to Diesel
2. = Activating F&G
system, which shut
unit down
SIS 2. = F&G
Detectors
2.= SPS-
EDP
& Unit shut
2.= Classif

3.= Classif
Sheet 5 1. Pipe rupture inside 2. Damaging 3.= F&G down

shows the implementation steps before the decision enclosure

2. Pipe rupture
enclosure

3. Gas leak. Possible

3. = Activate platform
F&G system,
which shut unit
Detectors
PT 281-11 3.=
SDV281-09
outside enclosure explosion down.
Additional platform
to implement a SIS can be made, by carrying out a 3. Filter blockage 4-5-6-7. Unit will
flame out
line pressure
protection is
5. Primary fuel provided
Valve fails closed
number of preparation studies. Depending on the 6. Secondary fuel
Valve fails closed
1-4-5-6-7. = None

type of process Good Safety Management practice 7. Electric Gas Fuel

Valve fails closed

could include the following studies i.e.: MORE Pressure 1. Upstream

regulator fails
Damage to fuel gas
system
1. = PlatformOver
pressure protection
SIS +
Relief valve
1.=
PT 281-11
1.= SDV
281-09+
PSV 281-
1.= Classif

2.= Classif
2. = Skid Over 2.= TP386 12A/B
pressurer protection
2.= TP386

Example of Hazop document

Process reliability and availability studies can be applied to

Figure 1. Represents the 9 major steps in realising a investigate the performance.
SIS. These steps are derived from the main life-cycle
approach in the IEC 61508/61511

The life cycle of process safety

Fire and Explosion Risk Assessment determine the Potential

Loss of Life and the Asset Risks of an installation. In this
Figure 1 Process Design Deliverables study risks are calculated to assess the installation and the

Process Design
personnel. Other studies which can be applied are Smoke and
P & ID's
Narratives
Gas Ingress Assessment which requires dispersion studies in
HAZOP
Potential Safequard
relation to HVAC-inlets; this is a scenario based study.
Determine Safequard
Descriptions
Functions
1 Protective Systems Assessment can be applied on the basis of

Risk Assessment
Input Safety Instrumented
2 Functions (sif)
Sensor & Logic
Solver & Final Element
Type and Failure data.
SIF Configuration
Including all other Calculations
3 Instrumented Loops
devices In
the Safety Loop
Prepare: Safety
Requirement
4 Specification for SIS
Design - Egineering -
Integration - FAT
5 of Logic Solver
Overall Installation and
commissioning Sensors -
6 LS - Final Elements
SIS
Overall Safety
7 validation
SIS SIS
Overall modification Overall operation,
and retrofit maintenance and repair
9 8
hazard scenarios defined in the FERA and other studies like
Target SIL's for the
Safety Instrumented
Functions Area Safety Reviews and give a scenario based evaluation
against Performance Standards of protective systems, which
Design data for
the Safety are considered to be safety critical. Escape, evacuation and
rescue analysis is often carried out for offshore installations;
Safety Requirement parts of it can also be applied for onshore installations.
Spec for the SIS
A Work Place Risk Assessment is focussed on hazards at a
certain location. This study is useful for new non-routine
Logic Solver
projects in a hazardous environment. TRIPOD-studies i.e.
are focussing on the human aspects and peoples motivation,
Complete SIS working climate etc.
The Quantified Risk Assessment is focussed on Risk to
Validation report Personnel, Environment and Asset Risk. In this study
Certificate
hazards from process, BPCS, non-process, external
Has to be fully documented or
recorded andjustified to be in
compliance with the IEC 61508/61511
 environmental hazards, ship collisions, dropped loads etc.
are taken into account and requires the use of event trees,
risk graphs and risk matrixes for the various scenarios. The
Individual and Societal risk studies, which represent the
external risks of an installation, can be applied for on-shore
activities.
Most Users shall have a predisposition to outsource
these studies to a specialised company.
Yokogawa ISS and TNO (a Dutch independent applied research
organisation) have founded an independent joint-venture
company: named Safety Service Centre at Apeldoorn, The
Netherlands , which has the capabilities, know-how and
experience to carry out the mentioned studies.The practical
implementation of the Safety Instrumented Functions starts
with the Quantified Risk Assessment(QRA). In the process life-
cycle phases in figure 1 this action is represented by step 2.
In the following overview also the professional capabilities from
Yokogawa ISS are highlighted in relation to the process lifecycle
phases for steps 2 to 5 and to supply services for steps 6 to 9.
2 Risk Assessment
If any risk and safeguard function is identified in the
HAZOP study it must be followed by a Quantitative
Risk Assessment (QRA), covering an analysis of each
identified Safety Instrumented Function; it includes
the opinion of the
gathered experts in
the HAZOP team
on the frequency of
unwanted
occurrences. The
QRA will lead to one
SIS CLASS of the four quantitative Safety Integrity Levels
RECORD Example
(SILs) of the determined SIFs, by means of a
deterministic approach with a quantitative outcome.
This outcome is named: target SIL.
Yokogawa ISS contribution:
Supervision and guidance using a risk analysis program
based on Risk Graphs or Risk Matrixes.
Indication of the location and type of components of a safety
function, such as Sensors and Final Elements.
Carrying out a full mathematical quantitative risk analysis
in particular circumstances.
Creating records and justifications of this QRA.
3 Safety reliability calculations
After the identification and determination of the
SIFs, the necessary details for the realisation of the
Safety Loops are engineered. The type and number of
sensors, barriers and the safety valves in the
application, as well as the component failure data are
related to the target SIL. The selection of the suitable
Logic Solver and communication aspects with the
process control system is also a part of this analysis.
At the same time the calculation can provide data on
the spurious or False Trip Rate (FTR) per SIS and the
necessary or desired proof-test intervals. Again the
design can be optimised to achieve the target
availability of the related process parts to minimise
deferred production by false trips. In addition by the
avoidance of unnecessary process shutdown & start-
ups a positive contribution to safety is made.
Yokogawa ISS is applying state-of-the-art safety
reliability calculation tools using validated (field)
databases such as:
Parts stress analysis in accordance with MIL.hdbk.217(F)
Failure mode and critically effect analysis (FMCEA) to
eliminate non-safety-critical components.
Failure mode and diagnostic effect analysis (FMDEA) to
Profitability & safety
are not in competition
determine the diagnostics coverage factor and the ratio between
detected and not detected failure rates.
Markov oriented method, including uncertainty and
sensitivity analysis and sophisticated imperfect proof-testing
analysis. The University of Eindhoven developed this Dynamic
Markov calculation tool, which shows in particular the time
dependency of the safety parameters.
5 6
One Solenoid One Solenoid
failed Dangerous failed Dangerous
Undetected Detected
1
Operational
2 4 3
Configuration Configuration Configuration
failed Safe failed Dangerous failed Dangerous
(Detected) Detected Undetected
Example of a Markov state diagram.

xxxxx Project Single Safety Valve configuration
Probability of Failure on Demand
10-2
SIL 2
10-3
Probability (-)
10-4
10-5
0 0,5 1 1,5 2 2,5
Proof Test Interval (hours)
Example of Safety Integrity calculation of a safety valve.
4 Safety Requirement Specification (SRS)
The result of all the foregoing activities needs to be
recorded and will, if applicable, specify additional
data for a SIS comprising:
definition of the safe state of each Safety
Instrumented Function and response time,
safety interlocks descriptions & start-up sequence
descriptions, with necessary overriding,
status and event recording requirements,
communication interface with protection to the
process control system,
safety communication between multiple SISs,
environmental conditions,
electrical power situation and instrument air,
availability of qualified and periodically trained
maintenance personnel.
Yokogawa ISS can assist to compose every Safety Function loop
in full compliance using SRS templates.
As supplier of the Prosafe product line for E/PES and over 30
years experience, we have at our disposal an experienced
engineering crew located at four locations in the world.
Our training department gives dedicated trainings for our
customers.
5 Realisation of a Logic Solver
The Safety Requirement Specification serves as the
definition of the requirements for the system design
and the engineering of all Safety Functions. It can
serve as the basis for bidders to work out a solution &
quotation for a SIS design and supply of the necessary
hardware, which must be covering at least these
requirements.
Yokogawa ISS has made a merge between the IEC 61508
requirements and the ISO 9001 quality work system, which is
presently describing all applicable work procedures. The Safety
Requirement Specification is the basis for a project realisation,
which describes the functional requirement & the SIL
requirements of the SIFs.
Some of the major SIS project execution steps are:
3 3,5 4 4,5
Assignment of contract/line manager & other key personnel,
x10
4
Generation of a project plan , describing the Safety validation
plan and Operational & Maintenance procedures FAT & test
procedures, integration test, etc.
Order of materials & system assembly,
Safety verification & report, system test & correction of any
defects, inspection of documentation,
Factory acceptance test & report, Safety validation,
Complete as-built documentation package before
shipment.
6 Installation, Commissioning & Verification
The commission phase, after installation, offers
the opportunity to test and verify every safety loop
Safety is a continuous process
individually for installation integrity, tagging,
interfacing to other systems, power supply, grounding
connection, adequate separation to avoid common-
cause faults, communication links non-interference
with the safety loops, etc.
Also the installation of the sensors, barriers and
safety valves, needs special attention. All activities
and test results will be executed and documented in
line with the safety requirement specification and the
IEC standards.
Yokogawa ISS has the service organisation to assist at
installation, commissioning and verification at the plant site.
7 SIS Validation
Validation of the implemented Safety Functions
means that by inspection and testing of the installed
and commissioned SIS, the system adheres to all SIS
requirements. The validation includes all relevant
modes of operation of the process and its associated
equipment. The procedures for this validation are
prepared during the SIS validation planning & design
phase. The validation further covers:
SIS performance under normal and abnormal operating
modes,
Non interference between the Process Control System and
other connected systems, with the safety integrity of the SIS,
Proper shut-down sequences,
Overrides procedures and time limitation,
SIS diagnostic alarms to operator that have the appropriate
Safety Integrity Level,
Documentation completeness reflecting the installed
system.
The results of this validation shall again be fully
documented, including the used calculation tools and
equipment, as well as the professional status of the
validation experts. Any discrepancies will require
decisions taken on whether to continue this
validation or to issue a change requests.
9 SIS Modifications
Altering the opinion about the efficient process
operating conditions is the background for
modifications that often have repercussion on a
number of SIFs. Such modification happen
frequently during the SIS lifetime, therefore
modification control is equally compelling according
to the standard. This is the ground for strict
modification control procedures. It will be evident
that all lifecycle steps have to be reviewed again.
Reviewing the HAZOP node and QRA includes the
recalculating the changed Safety loops, checking for
possible interference with existing SIFS and re-
engineering. Approval by the right authority must be
obtained and again testing and validating have to be
performed before implementation.
Yokogawa ISS has the qualifications to perform the
demanded steps in an interactive mode with the user.
Yokogawa can carry out the modification planning and by
mutual arrangements in full compliance with the standard
on a contractual basis.

Safety consultancy & partnership

for IEC compliance

If impartial validation is preferred the independent joint SSC, Apeldoorn, The Netherlands.
venture Company SSC is competent to carry out the task. Website: www.safety-sc.com TRIPOD International

8 Periodical Maintenance to maintain

the safety integrity level
The ultimate responsibility for the safe operation of
the SIS remains at the Operator of the process.
Adequate maintenance shall comprise periodical
proof-tests of all the safety loop devices. The standard
requires that all the maintenance engineers must
have at least 5 years experience and are periodically
trained. Also the test equipment needs to be
calibrated periodically.
These demands place a burden on the plant
management during the lifetime of the plant.

Yokogawa ISS can provide operator and maintenance

training dedicated to the supplied SIS.
We also have a crew of experienced and trained engineers in
our service organisation to perform the system periodical
proof-tests on a contractual basis world-wide.