As many of you are already aware, IEC is in the process of updating the IEC 61511 standard. It is actually quite late in doing so, but work is now progressing. Through my committee work, I have a copy of a recent committee draft for vote (CDV) that I have been reviewing extensively. This document has made a lot of progress, but is still quite contentious in terms of various committee members not wanting to approve it as the revised standard. It seems that it will be a while until the document gets approved and released, so I thought that I would start parceling out some of the potential upcoming changes through my blog. As a disclaimer, I will be referring to a committee draft for vote – so this is not an official release and what is contained in this draft very well could change prior to its release (I know that at least some of it will…). What I want to present to you here is what changes have been proposed, and possibly provide a bit of insight into why the changes are being made. Since there are many changes, I will try to stick to changes that are substantive as opposed to noting every typo. Also, I will be doing this as a series of blog posts, making it easier to digest the changes.

The first modification that I noted was to Figure 4 – Relationship between safety instrumented functions and other functions.  The existing document contains the following figure.

Old IEC61511 Figure 4

The CDV contains the following revised figure.

New IEC61511 Figure 4

Beyond the formatting and style changes, there is one significant change to the content and a few minor ones. Let's start with the minor changes.

First. If an instrumented function is NOT a safety instrumented function, it was previously referred to as a "basic process control and/or asset protection function". In the CDV this category is referred to as "other instrumented means of risk reduction". The change in terminology lays the groundwork for the concept of SCAI (Safety Controls, Alarms, and Interlocks). SCAI is being developed by the ISA 84 committee as a category of instrumented functions that are safety related but are not safety instrumented functions. The new wording also implicitly assumes that an instrumented function with no safety role would never have entered this flowchart in the first place, so it need not be accounted for here.

Second. A safety instrumented function operating in continuous mode is now referred to as a "continuous mode SIF" rather than a "safety instrumented control function". The change emphasizes that some continuous mode SIFs are not continuous control loops.

Finally, the substantive change. In the existing version of IEC 61511, demand mode functions are separated into preventive functions and mitigative functions. In the CDV, that distinction is gone. Many reasons for the change could be postulated, but ultimately SIFs, as designed in accordance with IEC 61511 and its associated approaches, are necessarily preventive. Applying the IEC 61511 toolset alone to mitigative functions can quickly produce dramatically erroneous results. Everything in the standard, its annexes and the associated technical reports assumes that if the SIF operates properly, no consequence will occur. Once that fundamental assumption is false, much of the basis for the tools and techniques used across the safety lifecycle falls down. Even something as fundamental as the Risk Reduction Factor (RRF, the reciprocal of the average probability of failure on demand) loses its meaning for a function that is not preventive: a successful activation no longer drives the consequence to zero, so the reduction in risk that is actually achieved is no longer 1/PFDavg.

Furthermore, at a practical level, mitigative functions such as fire and gas detection and suppression systems are often better designed to more direct standards, such as those from the National Fire Protection Association (NFPA). Pulling these functions into the realm of IEC 61511 compliance is often counter-productive, so redrawing Figure 4 to make it easier to exclude them from IEC 61511 is not a surprising change. If mitigative systems are to be designed quantitatively, they require a far more rigorous analysis, one that accounts for the consequence that remains even when the system acts as intended. Simple techniques such as LOPA are not adequate for setting the requirements of these types of systems.
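To make concrete why the RRF and LOPA points in the two paragraphs above only hold for preventive functions, here is a small added example in Python. It is mine, not code from the original post or from IEC 61511, and it assumes a deliberately simplified model of a mitigative function: when it works, it averts an assumed fraction of the consequence (the `effectiveness` parameter) rather than all of it. The input figures are constructed for illustration.

```python
"""Added example, not part of the original post or of IEC 61511 itself.

A minimal LOPA-style calculation showing why the Risk Reduction Factor
(RRF = 1 / PFDavg) is only meaningful for a preventive SIF.  The model of a
mitigative function (one that, when it works, removes only a fraction of the
consequence) is a simplifying assumption made for this example.
"""


def sil_band_from_rrf(rrf: float) -> int:
    """Map an achieved risk reduction factor to the demand-mode SIL band
    (IEC 61511 Table 4: SIL 1 = 10..100, SIL 2 = 100..1000,
    SIL 3 = 1000..10000, SIL 4 = 10000..100000).
    Returns 0 when the reduction does not even reach SIL 1."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1_000:
        return 2
    if rrf < 10_000:
        return 3
    return 4


def preventive_residual_risk(f0: float, pfd: float, consequence: float) -> float:
    """Expected consequence per year with a preventive SIF.

    The only path to the consequence is the SIF failing on demand: when the
    SIF works, the consequence does not occur at all.  That is the assumption
    behind RRF = 1 / PFDavg."""
    return f0 * pfd * consequence


def mitigative_residual_risk(f0: float, pfd: float, consequence: float,
                             effectiveness: float) -> float:
    """Expected consequence per year with a mitigative function.

    Two paths remain after the initiating event:
      * the function fails on demand (probability pfd): full consequence;
      * the function works (probability 1 - pfd): the consequence is reduced
        by `effectiveness` (assumed fraction averted, 0..1) but not removed.
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    if not 0.0 < pfd < 1.0:
        raise ValueError("pfd must be a probability strictly between 0 and 1")
    fails = pfd * consequence
    works = (1.0 - pfd) * (1.0 - effectiveness) * consequence
    return f0 * (fails + works)


def achieved_rrf(unmitigated_risk: float, residual_risk: float) -> float:
    """Risk reduction actually achieved: unmitigated risk over residual risk."""
    return unmitigated_risk / residual_risk


def compare(f0: float, pfd: float, consequence: float, effectiveness: float) -> dict:
    """Nominal RRF (1 / PFDavg) against the reduction actually achieved when
    the same PFDavg belongs to a preventive SIF or to a mitigative function."""
    unmitigated = f0 * consequence
    preventive = achieved_rrf(unmitigated,
                              preventive_residual_risk(f0, pfd, consequence))
    mitigative = achieved_rrf(unmitigated,
                              mitigative_residual_risk(f0, pfd, consequence, effectiveness))
    return {
        "nominal_rrf": 1.0 / pfd,
        "preventive_rrf": preventive,
        "mitigative_rrf": mitigative,
        "preventive_sil": sil_band_from_rrf(preventive),
        "mitigative_sil": sil_band_from_rrf(mitigative),
    }


if __name__ == "__main__":
    # Constructed figures: an initiating event once per 10 years, a normalised
    # consequence of 1.0, a PFDavg of 0.005 (nominal RRF 200, SIL 2) and a
    # mitigative function assumed to avert 90 % of the consequence when it works.
    result = compare(f0=0.1, pfd=0.005, consequence=1.0, effectiveness=0.9)
    for key, value in result.items():
        print(f"{key:>15}: {value:10.3f}")
```

With these constructed numbers a PFDavg that LOPA would credit as SIL 2 (nominal RRF 200) delivers an actual risk reduction of under 10, below SIL 1, once the function only averts 90 % of the consequence when it works. Crediting the function with its nominal RRF in a LOPA would therefore overstate the protection by more than an order of magnitude, which is the failure mode the text describes. Real mitigative analysis needs consequence modelling rather than a single effectiveness fraction; the fraction here is only the simplest way to show that the 1/PFDavg shortcut depends on the consequence going to zero on success.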

With these three changes to a single figure, the committee has opened with a bold statement of intent for the next edition of the standard. As this series progresses we will get into many new and controversial changes, many of them far more significant than those outlined in this first installment.