Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements

gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system, so that it can be confidently entrusted to place and/or maintain the process in a safe state. This standard has been developed as a process sector implementation of IEC 61508. The contents of the corrigendum of November 2004 have been included in this copy. It has the status of a horizontal standard in accordance with IEC Guide 108.

Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements (French edition abstract, translated)

gives requirements for the specification, design, installation, operation and maintenance of a safety instrumented system, so that it can be applied with confidence and thus place and/or maintain the process in a safe state. This standard has been developed as a process-industry implementation of the international standard IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems". The contents of the corrigendum of November 2004 have been included in this copy. It has the status of a horizontal standard in accordance with IEC Guide 108.

General Information

Status: Published
Publication Date: 29-Jan-2003
Technical Committee:
Current Stage: DELPUB - Deleted Publication
Start Date: 24-Feb-2016
Completion Date: 26-Oct-2025
Ref Project:
Relations

Standard: IEC 61511-1:2003 - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements. Released: 1/30/2003. ISBN: 2831867959. English language, 84 pages.
Standard: IEC 61511-1:2003 - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements. Released: 1/30/2003. ISBN: 2831873169. English and French language, 177 pages.

Standards Content (Sample)


INTERNATIONAL IEC
STANDARD
61511-1
First edition
2003-01
Functional safety –
Safety instrumented systems
for the process industry sector –
Part 1:
Framework, definitions, system,
hardware and software requirements
Sécurité fonctionnelle –
Systèmes instrumentés de sécurité pour le secteur
des industries de transformation –
Partie 1:
Cadre, définitions et prescriptions concernant
le système,
le matériel et le logiciel
Reference number
Publication numbering
As from 1 January 1997 all IEC publications are issued with a designation in the
60000 series. For example, IEC 34-1 is now referred to as IEC 60034-1.
Consolidated editions
The IEC is now publishing consolidated versions of its publications. For example,
edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the
base publication incorporating amendment 1 and the base publication incorporating
amendments 1 and 2.
Further information on IEC publications
The technical content of IEC publications is kept under constant review by the IEC,
thus ensuring that the content reflects current technology. Information relating to
this publication, including its validity, is available in the IEC Catalogue of
publications (see below) in addition to new editions, amendments and corrigenda.
Information on the subjects under consideration and work in progress undertaken
by the technical committee which has prepared this publication, as well as the list
of publications issued, is also available from the following:
• IEC Web Site (www.iec.ch)
• Catalogue of IEC publications
The on-line catalogue on the IEC web site (http://www.iec.ch/searchpub/cur_fut.htm)
enables you to search by a variety of criteria including text searches, technical
committees and date of publication. On-line information is also available on
recently issued publications, withdrawn and replaced publications, as well as
corrigenda.
• IEC Just Published
This summary of recently issued publications (http://www.iec.ch/online_news/
justpub/jp_entry.htm) is also available by email. Please contact the Customer
Service Centre (see below) for further information.
• Customer Service Centre
If you have any questions regarding this publication or need further assistance,
please contact the Customer Service Centre:
Email: custserv@iec.ch
Tel: +41 22 919 02 11
Fax: +41 22 919 03 00
© IEC 2003 – Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch

– 2 – 61511-1  IEC:2003(E)
CONTENTS
FOREWORD .... 5
INTRODUCTION .... 7
1 Scope .... 9
2 Normative references .... 14
3 Abbreviations and definitions .... 15
3.1 Abbreviations .... 15
3.2 Definitions .... 16
4 Conformance to this International Standard .... 30
5 Management of functional safety .... 30
5.1 Objective .... 30
5.2 Requirements .... 30
6 Safety life-cycle requirements .... 35
6.1 Objective .... 35
6.2 Requirements .... 35
7 Verification .... 37
7.1 Objective .... 37
8 Process hazard and risk analysis .... 38
8.1 Objectives .... 38
8.2 Requirements .... 38
9 Allocation of safety functions to protection layers .... 39
9.1 Objective .... 39
9.2 Requirements of the allocation process .... 39
9.3 Additional requirements for safety integrity level 4 .... 40
9.4 Requirements on the basic process control system as a protection layer .... 41
9.5 Requirements for preventing common cause, common mode and dependent failures .... 42
10 SIS safety requirements specification .... 43
10.1 Objective .... 43
10.2 General requirements .... 43
10.3 SIS safety requirements .... 43
11 SIS design and engineering .... 44
11.1 Objective .... 44
11.2 General requirements .... 44
11.3 Requirements for system behaviour on detection of a fault .... 46
11.4 Requirements for hardware fault tolerance .... 47
11.5 Requirements for selection of components and subsystems .... 48
11.6 Field devices .... 51
11.7 Interfaces .... 52
11.8 Maintenance or testing design requirements .... 54
11.9 SIF probability of failure .... 54
12 Requirements for application software, including selection criteria for utility software .... 55
12.1 Application software safety life-cycle requirements .... 56
12.2 Application software safety requirements specification .... 62
12.3 Application software safety validation planning .... 64
12.4 Application software design and development .... 64
12.5 Integration of the application software with the SIS subsystem .... 69
12.6 FPL and LVL software modification procedures .... 70
12.7 Application software verification .... 70
13 Factory acceptance testing (FAT) .... 71
13.1 Objectives .... 72
13.2 Recommendations .... 72
14 SIS installation and commissioning .... 73
14.1 Objectives .... 73
14.2 Requirements .... 73
15 SIS safety validation .... 74
15.1 Objective .... 74
15.2 Requirements .... 74
16 SIS operation and maintenance .... 76
16.1 Objectives .... 76
16.2 Requirements .... 77
16.3 Proof testing and inspection .... 78
17 SIS modification .... 79
17.1 Objective .... 79
17.2 Requirements .... 79
18 SIS decommissioning .... 80
18.1 Objectives .... 80
18.2 Requirements .... 80
19 Information and documentation requirements .... 81
19.1 Objectives .... 81
19.2 Requirements .... 81
Annex A (informative) Differences .... 83
Figure 1 – Overall framework of this standard .... 8
Figure 2 – Relationship between IEC 61511 and IEC 61508 .... 11
Figure 3 – Relationship between IEC 61511 and IEC 61508 (see 1.2) .... 12
Figure 4 – Relationship between safety instrumented functions and other functions .... 13
Figure 5 – Relationship between system, hardware, and software of IEC 61511-1 .... 14
Figure 6 – Programmable electronic system (PES): structure and terminology .... 23
Figure 7 – Example SIS architecture .... 26
Figure 8 – SIS safety life-cycle phases and functional safety assessment stages .... 33
Figure 9 – Typical risk reduction methods found in process plants .... 42
Figure 10 – Application software safety life cycle and its relationship to the SIS safety life cycle .... 56
Figure 11 – Application software safety life cycle (in realization phase) .... 58
Figure 12 – Software development life cycle (the V-model) .... 59
Figure 13 – Relationship between the hardware and software architectures of SIS .... 62
Table 1 – Abbreviations used in IEC 61511 .... 15
Table 2 – SIS safety life-cycle overview .... 36
Table 3 – Safety integrity levels: probability of failure on demand .... 40
Table 4 – Safety integrity levels: frequency of dangerous failures of the SIF .... 40
Table 5 – Minimum hardware fault tolerance of PE logic solvers .... 47
Table 6 – Minimum hardware fault tolerance of sensors and final elements and non-PE logic solvers .... 48
Table 7 – Application software safety life cycle: overview .... 60

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and software requirements
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International
Organization for Standardization (ISO) in accordance with conditions determined by agreement between the
two organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical specifications, technical reports or guides and they are accepted by the National
Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject
of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control. The text
of this standard is based on the following documents:
FDIS: 65A/368/FDIS
Report on voting: 65A/372/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
IEC 61511 consists of the following parts, under the general title Functional safety: Safety
instrumented systems for the process industry sector (see Figure 1):
− Part 1: Framework, definitions, system, hardware and software requirements
− Part 2: Guidelines in the application of IEC 61511-1
− Part 3: Guidance for the determination of the required safety integrity levels

The committee has decided that the contents of this publication will remain unchanged until
2007. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
A bilingual version of this standard may be issued at a later date.

INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented
functions in the process industries. If instrumentation is to be effectively used for safety
instrumented functions, it is essential that this instrumentation achieves certain minimum
standards and performance levels.
This international standard addresses the application of safety instrumented systems for the
Process Industries. It also requires a process hazard and risk assessment to be carried out to
enable the specification for safety instrumented systems to be derived. Other safety systems
are only considered so that their contribution can be taken into account when considering the
performance requirements for the safety instrumented systems. The safety instrumented
system includes all components and subsystems necessary to carry out the safety
instrumented function from sensor(s) to final element(s).
This international standard has two concepts which are fundamental to its application: the safety
life cycle and safety integrity levels.
This standard addresses safety instrumented systems which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of this standard should be applied. This standard also
addresses the safety instrumented system sensors and final elements regardless of the
technology used. This International Standard is process industry specific within the framework
of IEC 61508 (see Annex A).
This International Standard sets out an approach for safety life-cycle activities to achieve
these minimum standards. This approach has been adopted in order that a rational and
consistent technical policy is used.
In most situations, safety is best achieved by an inherently safe process design. If necessary,
this may be combined with a protective system or systems to address any residual identified
risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic,
pneumatic, electrical, electronic, programmable electronic). To facilitate this approach, this
standard
• requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
• requires that an allocation of the safety requirements to the safety instrumented system(s)
is carried out;
• works within a framework which is applicable to all instrumented methods of achieving
functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
This International Standard on safety instrumented systems for the process industry
• addresses all safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
this standard.
This International Standard is intended to lead to a high level of consistency (for example, of
underlying principles, terminology, information) within the process industries. This should
have both safety and economic benefits.
In jurisdictions where the governing authorities (for example, national, federal, state, province,
county, city) have established process safety design, process safety management, or other
requirements, these take precedence over the requirements defined in this standard.

Figure 1 – Overall framework of this standard (IEC 3240/02; the diagram is recovered here as text)
Technical requirements (Part 1):
• Development of the overall safety requirements (concept, scope definition, hazard and risk assessment): Clause 8
• Allocation of the safety requirements to the safety instrumented functions and development of safety requirements specification: Clauses 9 and 10
• Design phase for safety instrumented systems: Clause 11
• Design phase for safety instrumented system software: Clause 12
• Factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems: Clauses 13, 14 and 15
• Operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems: Clauses 16, 17 and 18
Support parts (Part 1):
• References: Clause 2
• Definitions and abbreviations: Clause 3
• Conformance: Clause 4
• Management of functional safety: Clause 5
• Safety life-cycle requirements: Clause 6
• Verification: Clause 7
• Information requirements: Clause 19
• Differences: Annex A
Other parts:
• Part 2: Guideline for the application of Part 1
• Part 3: Guidance for the determination of the required safety integrity levels

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and software requirements
1 Scope
This International Standard gives requirements for the specification, design, installation,
operation and maintenance of a safety instrumented system, so that it can be confidently
entrusted to place and/or maintain the process in a safe state. This standard has been
developed as a process sector implementation of IEC 61508.
In particular, this standard
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility will be assigned to different
parties according to safety planning and national regulations;
b) applies when equipment that meets the requirements of IEC 61508, or of 11.5 of
IEC 61511-1, is integrated into an overall system that is to be used for a process sector
application but does not apply to manufacturers wishing to claim that devices are suitable
for use in safety instrumented systems for the process sector (see IEC 61508-2 and
IEC 61508-3);
c) defines the relationship between IEC 61511 and IEC 61508 (Figures 2 and 3);
d) applies when application software is developed for systems having limited variability or
fixed programmes but does not apply to manufacturers, safety instrumented systems
designers, integrators and users that develop embedded software (system software) or
use full variability languages (see IEC 61508-3);
e) applies to a wide variety of industries within the process sector including chemicals, oil
refining, oil and gas production, pulp and paper, non-nuclear power generation;
NOTE Within the process sector some applications (for example, off-shore) may have additional
requirements that have to be satisfied.
f) outlines the relationship between safety instrumented functions and other functions
(Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the safety instrumented function(s) taking into account the risk reduction achieved by
other means;
h) specifies requirements for system architecture and hardware configuration, application
software, and system integration;
i) specifies requirements for application software for users and integrators of safety
instrumented systems (clause 12). In particular, requirements for the following are
specified:
– safety life-cycle phases and activities that are to be applied during the design and
development of the application software (the software safety life-cycle model). These
requirements include the application of measures and techniques, which are intended
to avoid faults in the software and to control failures which may occur;
– information relating to the software safety validation to be passed to the organization
carrying out the SIS integration;

– preparation of information and procedures concerning software needed by the user for
the operation and maintenance of the SIS;
– procedures and specifications to be met by the organization carrying out modifications
to safety software;
j) applies when functional safety is achieved using one or more safety instrumented
functions for the protection of personnel, protection of the general public or protection of
the environment;
k) may be applied in non-safety applications such as asset protection;
l) defines requirements for implementing safety instrumented functions as a part of the
overall arrangements for achieving functional safety;
m) uses a safety life cycle (Figure 8) and defines a list of activities which are necessary to
determine the functional requirements and the safety integrity requirements for the safety
instrumented systems;
n) requires that a hazard and risk assessment is to be carried out to define the safety
functional requirements and safety integrity levels of each safety instrumented function;
NOTE See Figure 9 for an overview of risk reduction methods.
o) establishes numerical targets for average probability of failure on demand and frequency
of dangerous failures per hour for the safety integrity levels;
p) specifies minimum requirements for hardware fault tolerance;
q) specifies techniques/measures required for achieving the specified integrity levels;
r) defines a maximum level of performance (SIL 4) which can be achieved for a safety
instrumented function implemented according to this standard;
s) defines a minimum level of performance (SIL 1) below which this standard does not apply;
t) provides a framework for establishing safety integrity levels but does not specify the safety
integrity levels required for specific applications (which should be established based on
knowledge of the particular application);
u) specifies requirements for all parts of the safety instrumented system from sensor to final
element(s);
v) defines the information that is needed during the safety life cycle;
w) requires that the design of a safety instrumented function takes into account human
factors;
x) does not place any direct requirements on the individual operator or maintenance person.

Figure 2 – Relationship between IEC 61511 and IEC 61508 (IEC 3241/02; the diagram is recovered here as text)
Process sector safety instrumented system standards:
• Manufacturers and suppliers of devices: IEC 61508
• Safety instrumented systems designers, integrators and users: IEC 61511

Figure 3 – Relationship between IEC 61511 and IEC 61508 (see clause 1) (IEC 3242/02; the diagram is recovered here as text)
Process sector safety instrumented system standard: which standard to follow for each hardware and software activity.
Process sector hardware:
• Developing new hardware devices: follow IEC 61508
• Using proven-in-use hardware devices: follow IEC 61511
• Using hardware developed and assessed according to IEC 61508: follow IEC 61511
Process sector software:
• Developing embedded (system) software: follow IEC 61508-3
• Developing application software using full variability languages: follow IEC 61508-3
• Developing application software using limited variability languages or fixed programs: follow IEC 61511

Figure 4 – Relationship between safety instrumented functions and other functions (IEC 3243/02; the decision flow is recovered here as text)
• Start: Is it an instrumented function?
• If no: Is it a safety-related function? If no, the function is not relevant to this standard; if yes, it is another means of risk reduction.
• If yes: Is it a safety instrumented function? If no, it is a basic process control and/or asset protection function.
• If yes, by mode: continuous mode gives a safety instrumented control function; demand mode gives a safety instrumented protection function.
• For a safety instrumented protection function, by type: prevention gives a safety instrumented prevention function; mitigation gives a safety instrumented mitigation function.
Marked on the figure: Standard specifies activities which are to be carried out but requirements are not detailed.

Figure 5 – Relationship between system, hardware, and software of IEC 61511-1 (IEC 3244/02; the diagram is recovered here as text)
Framework activities spanning the figure:
• Management of functional safety (clause 5)
• Determination of function and integrity (clause 8)
• Verification and validation (clause 7, 12.3, 12.7, clauses 13 and 15)
• Operation, maintenance and modification (clauses 16 and 17)
Safety instrumented functions:
• Continuous mode: safety instrumented control function
• Demand mode: safety instrumented protection function
- Safety instrumented prevention function
- Safety instrumented mitigation function
Safety instrumented systems:
• System and hardware requirements (clause 6): Input (function), Logic (function), Output (function)
• Software requirements (clause 12)
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60654-1:1993, Industrial-process measurement and control equipment – Operating
conditions – Part 1: Climatic conditions
IEC 60654-3:1998, Industrial-process measurement and control equipment – Operating
conditions – Part 3: Mechanical influences
IEC 61326-1: Electrical equipment for measurement, control and laboratory use – EMC
requirements
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements

IEC 61511-2: Functional safety – Safety instrumented systems for the process industry sector
– Part 2: Guidelines in the application of IEC 61511-1
3 Abbreviations and definitions
3.1 Abbreviations
Abbreviations used throughout IEC 61511 are given in Table 1.
Table 1 – Abbreviations used in IEC 61511
Abbreviation Full expression
AC/DC Alternating current/direct current
ALARP As low as reasonably practicable
ANSI American National Standards Institute
BPCS Basic process control system
DC Diagnostic coverage
E/E/PE Electrical/electronic/programmable electronic
E/E/PES Electrical/electronic/programmable electronic system
EMC Electro-magnetic compatibility
FAT Factory acceptance testing
FPL Fixed program language
FTA Fault tree analysis
FVL Full variability language
HFT Hardware fault tolerance
HMI Human machine interface
H&RA Hazard and risk assessment
HRA Human reliability analysis
H/W Hardware
IEC International Electrotechnical Commission
IEV International Electrotechnical Vocabulary
ISA Instrumentation, Systems and Automation Society
ISO International Organization for Standardization
LVL Limited variability language
MooN “M” out of “N” (see 3.2.45)
NP Non-programmable
PE Programmable electronics
PES Programmable electronic system
PFD Probability of failure on demand
PFDavg Average probability of failure on demand
PLC Programmable logic controller
SAT Site acceptance test
SFF Safe failure fraction
SIF Safety instrumented function
SIL Safety integrity level
SIS Safety instrumented system
SRS Safety requirement specification
S/W Software
___________
To be published.
3.2 Definitions
For the purposes of this document, the following definitions apply.
3.2.1
architecture
arrangement of hardware and/or software elements in a system, for example,
(1) arrangement of safety instrumented system (SIS) subsystems;
(2) internal structure of an SIS subsystem;
(3) arrangement of software programs
NOTE This term differs from the definition in IEC 61508-4 to reflect differences in the process sector terminology.
3.2.2
asset protection
function allocated to system design for the purpose of preventing loss to assets
3.2.3
basic process control system (BPCS)
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or an operator and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any safety instrumented functions with a claimed SIL ≥ 1
NOTE See Clause A.2.
3.2.4
channel
element or group of elements that independently perform(s) a function
NOTE 1 The elements within a channel could include input/output (I/O) modules, logic systems (see 3.2.40),
sensors, final elements.
NOTE 2 A dual channel (i.e., a two-channel) configuration is one with two channels that independently perform
the same function.
NOTE 3 The term can be used to describe a complete system or a portion of a system (for example, sensors or
final elements).
3.2.5
coding
see “programming”
3.2.6
3.2.6.1
common cause failure
failure, which is the result of one or more events, causing failures of two or more separate
channels in a multiple channel system, leading to system failure
3.2.6.2
common mode failure
failure of two or more channels in the same way, causing the same erroneous result
3.2.7
component
one of the parts of a system, subsystem, or device performing a specific function
3.2.8
configuration
see “architecture”
3.2.9
configuration management
discipline of identifying the components of an evolving (hardware and software) system for the
purposes of controlling changes to those components and maintaining continuity and
traceability throughout the life cycle
3.2.10
control system
system which responds to input signals from the process and/or from an operator and
generates output signals causing the process to operate in the desired manner
NOTE The control system includes input devices and final elements and may be either a BPCS or an SIS or
a combination of the two.
3.2.11
dangerous failure
failure which has the potential to put the safety instrumented system in a hazardous or fail-
to-function state
NOTE Whether or not the potential is realized may depend on the channel architecture of the system; in systems
with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall
hazardous or fail-to-function state.
3.2.12
dependent failure
failure whose probability cannot be expressed as the simple product of the unconditional
probabilities of the individual events which caused it
NOTE 1 Two events A and B are dependent, where P(z) is the probability of event z, only if P(A and B) > P(A) × P(B).
NOTE 2 See 9.5 as an example of dependent failure consideration between layers of protection.
NOTE 3 Dependent failure includes common cause (see 3.2.6).
3.2.13
detected
revealed
overt
in relation to hardware failures and software faults, detected by the diagnostic tests or through
normal operation
3.2.14
device
functional unit of hardware or software, or both, capable of accomplishing a specified purpose
(for example, field devices; equipment connected to the field side of the SIS I/O terminals;
such equipment includes field wiring, sensors, final elements, logic solvers, and those
operator interface devices hard-wired to SIS I/O terminals)
3.2.15
diagnostic coverage (DC)
ratio of the detected failure rate to the total failure rate of the component or subsystem as
detected by diagnostic tests. Diagnostic coverage does not include any faults detected by
proof tests.
NOTE 1 The diagnostic coverage is used to compute the detected (λ_detected) and undetected (λ_undetected) failure
rates from the total failure rate (λ_total) as follows: λ_detected = DC × λ_total and λ_undetected = (1 – DC) × λ_total.
NOTE 2 Diagnostic coverage is applied to components or subsystems of a safety instrumented system. For
example, the diagnostic coverage is typically determined for a sensor, final element or a logic solver.
NOTE 3 For safety applications the diagnostic coverage is typically applied to the safe and dangerous failures of
a component or subsystem. For example, the diagnostic coverage for the dangerous failures of a component
or subsystem is DC = λ_DD / λ_DT, where λ_DD is the dangerous detected failure rate and λ_DT is the total dangerous
failure rate.
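A worked calculation of the split described in NOTE 1 and NOTE 3, added here as an illustration and not text from the standard. It takes a dangerous failure rate and a diagnostic coverage, derives λ_DD and λ_DU, recovers DC from them, and then shows why the definition excludes faults found by proof tests: the 1oo1 average probability of failure on demand at the end is an assumption taken from the simplified low-demand approximation commonly used with IEC 61508-6 (λ_DU × (T1/2 + MRT) + λ_DD × MTTR), not a formula from this clause, and the failure rate, proof-test interval and repair times are constructed sample values.

```python
"""Diagnostic coverage (DC) worked example: splitting a dangerous failure rate
into detected and undetected parts, and what that split means for a 1oo1 SIF.

Added illustration, not text from IEC 61511-1. All failure rates are per hour.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DangerousFailureRates:
    lambda_dt: float  # total dangerous failure rate (lambda_DT)
    lambda_dd: float  # dangerous, detected by diagnostics (lambda_DD)
    lambda_du: float  # dangerous, undetected: found only by proof test or on demand (lambda_DU)


def split_by_diagnostic_coverage(lambda_dt: float, dc: float) -> DangerousFailureRates:
    """NOTE 1 applied to dangerous failures:
    lambda_DD = DC x lambda_DT and lambda_DU = (1 - DC) x lambda_DT."""
    if lambda_dt < 0.0:
        raise ValueError("failure rate cannot be negative")
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage is a ratio in [0, 1]")
    return DangerousFailureRates(lambda_dt, dc * lambda_dt, (1.0 - dc) * lambda_dt)


def diagnostic_coverage(lambda_dd: float, lambda_dt: float) -> float:
    """NOTE 3: DC = lambda_DD / lambda_DT for the dangerous failures of a component."""
    if lambda_dt <= 0.0 or lambda_dd < 0.0 or lambda_dd > lambda_dt:
        raise ValueError("need 0 <= lambda_DD <= lambda_DT and lambda_DT > 0")
    return lambda_dd / lambda_dt


def pfd_avg_1oo1(rates: DangerousFailureRates, proof_test_interval_h: float,
                 mttr_h: float, mrt_h: Optional[float] = None) -> float:
    """Average probability of failure on demand of a single-channel (1oo1) element.

    ASSUMPTION: the simplified low-demand approximation
        PFDavg ~= lambda_DU * (T1/2 + MRT) + lambda_DD * MTTR
    (valid only when lambda_DT * T1 << 1), not a formula from this clause.
    Undetected faults can persist up to the proof-test interval T1 (half of it
    on average); detected faults persist only for the repair time.
    """
    if mrt_h is None:
        mrt_h = mttr_h  # repair time after a proof test assumed equal to MTTR
    if rates.lambda_dt * proof_test_interval_h >= 0.1:
        raise ValueError("lambda_DT * T1 too large for the simplified approximation")
    return rates.lambda_du * (proof_test_interval_h / 2.0 + mrt_h) + rates.lambda_dd * mttr_h


def worked_example() -> Dict[str, float]:
    """Constructed sample values: lambda_DT = 1e-6 /h, DC = 0.9, T1 = 1 year, MTTR = 8 h."""
    t1 = 8760.0  # one-year proof-test interval, in hours
    mttr = 8.0   # mean time to restoration, in hours
    with_diag = split_by_diagnostic_coverage(1e-6, 0.9)
    no_diag = split_by_diagnostic_coverage(1e-6, 0.0)
    return {
        "lambda_dd": with_diag.lambda_dd,
        "lambda_du": with_diag.lambda_du,
        "dc_recovered": diagnostic_coverage(with_diag.lambda_dd, with_diag.lambda_dt),
        "pfd_dc_0.9": pfd_avg_1oo1(with_diag, t1, mttr),
        "pfd_dc_0.0": pfd_avg_1oo1(no_diag, t1, mttr),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:12s} {value:.3e}")
```

With the sample values the undetected part dominates: diagnostics move 90 % of the dangerous failures into the λ_DD term, which is repaired within hours, while the remaining 10 % stays in λ_DU and is exposed for up to a year until the next proof test. Raising DC or shortening the proof-test interval are the two levers the split makes visible.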
– 18 – 61511-1  IEC:2003(E)
3.2.16
diversity
existence of different means performing a required function
NOTE Diversity may be achieved by different physical methods or different design approaches.
3.2.17
electrical/electronic/programmable (E/E/PE)
based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology
NOTE The term is intended to cover any and all devices or systems operating on electrical principles and would
include
- electro-mechanical devices (electrical);
- solid-state non-programmable electronic devices (electronic);
- electronic devices based on computer technology (programmable electronic) (see 3.2.55).
3.2.18
error
discrepancy between a computed, observed or measured value or condition and the true,
specified or theoretically correct value or condition
NOTE Adapted from IEV 191-05-24 by excluding the notes.
3.2.19
external risk reduction facilities
measures to reduce or mitigate the risks, which are separate and distinct from the SIS
NOTE 1 Examples include a drain system, fire wall, bund (dike).
NOTE 2 This term deviates from the definition in IEC 61508-4 to reflect differences in the process sector
terminology.
3.2.20
failure
termination of the ability of a functional unit to perform a required function
NOTE 1 This definition (excluding these notes) matches ISO/IEC 2382-14-01-09:1997.
NOTE 2 For further information, see IEC 61508-4.
NOTE 3 Performance of required functions necessarily excludes certain behaviour, and some functions may be
specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.
NOTE 4 Failures are either random or systematic (see 3.2.62 and 3.2.85).
3.2.21
fault
abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit
to perform a required function
NOTE IEV 191-05-01 defines “fault” as a state characterized by the inability to perform a required function,
excluding the inability during preventive maintenance or other planned actions, or due to lack of external
resources. [ISO/IEC 2382-14-01-09]
3.2.22
fault avoidance
use of techniques and procedures which aim to avoid the introduction of faults during any
phase of the safety life cycle of the safety instrumented system
3.2.23
fault tolerance
ability of a functional unit to continue to perform a required function in the presence of faults
or errors
NOTE The definition in IEV 191-15-05 refers only to sub-item faults. See the note for the term fault in 3.2.21.
[ISO/IEC 2382-14-04-06]
3.2.24
final element
part of a safety instrumented system which implements the physical action necessary to
achieve a safe state
NOTE Examples are valves, switch gear, motors including their auxiliary elements, for example, a solenoid valve
and actuator if involved in the safety instrumented function.
3.2.25
functional safety
part of the overall safety relating to the process and the BPCS which depends on the correct
functioning of the SIS and other protection layers
NOTE This term deviates from the definition in IEC 61508-4 to reflect differences in process sector terminology.
3.2.26
functional safety assessment
investigation, based on evidence, to judge the functional safety achieved by one or more
protection layers
NOTE This term deviates from the definition in IEC 61508-4 to reflect differences in process sector terminology.
3.2.27
functional safety audit
systematic and independent examination to determine whether the procedures specific to the
functional safety requirements comply with the planned arrangements, are implemented
effectively and are suitable to achieve the specified objectives
NOTE A functional safety audit may be carried out as part of a functional safety assessment.
3.2.28
functional unit
entity of hardware or software, or both, capable of accomplishing a specified purpose
NOTE 1 In IEV 191-01-01 the more general term “item” is used in place of functional unit. An item may sometimes
include people.
NOTE 2 This is the definition given in ISO/IEC 2382-14-01-01.
3.2.29
hardware safety integrity
part of the safety integrity of the safety instrumented function relating to random hardware
failures in a dangerous mode of failure
NOTE 1 The term relates to failures in a dangerous mode. That is, those failures of a safety instrumented function
that would impair its safety integrity. The two parameters that are relevant in this context are the overall dangerous
failure rate and the probability of failure to operate on demand.
NOTE 2 See 3.2.86.
NOTE 3 This term deviates from the definition in IEC 61508-4 to reflect differences in process sector terminology.
3.2.30
harm
physical injury or damage to the health of people, either directly or indirectly, as a result of
damage to property or to the environment
NOTE This definition matches ISO/IEC Guide 51.
3.2.31
hazard
potential source of harm
NOTE 1 This definition (without notes) matches 3.4 of ISO/IEC Guide 51.
NOTE 2 The term includes danger to persons arising within a short time scale (for example, fire and explosion)
and also those that have a long-term effect on a person's health (for example, release of a toxic substance).

3.2.32
human error
mistake
human action or inaction that produces an unintended result
NOTE This is the definition found in ISO/IEC 2382-14-02-03 and differs from that given in IEV 191-05-25 by the
addition of “or inaction”.
3.2.33
impact analysis
activity of determining the effect that a change to a function or component will have to other
functions or components in that system as well as to other systems
3.2.34
independent department
department which is separate and distinct from the departments responsible for the activities
which take place during the specific phase of the safety life cycle that is subject to the
functional safety assessment or validation
3.2.35
independent organization
organization which is separate and distinct, by management and other
...


IEC 61511-1
Edition 1.0 2003-01
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and software requirements

Sécurité fonctionnelle – Systèmes instrumentés de sécurité pour le secteur des
industries de transformation –
Partie 1: Cadre, définitions, exigences pour le système, le matériel et le logiciel

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ELECTROTECHNIQUE INTERNATIONALE
PRICE CODE / CODE PRIX: XC
ICS 25.040.01; 13.110
ISBN 2-8318-7316-9
CONTENTS
FOREWORD ... 5
INTRODUCTION ... 7
1 Scope ... 10
2 Normative references ... 16
3 Abbreviations and definitions ... 16
3.1 Abbreviations ... 16
3.2 Definitions ... 17
4 Conformance to this International Standard ... 33
5 Management of functional safety ... 33
5.1 Objective ... 33
5.2 Requirements ... 33
6 Safety life-cycle requirements ... 38
6.1 Objective ... 38
6.2 Requirements ... 38
7 Verification ... 41
7.1 Objective ... 41
8 Process hazard and risk analysis ... 41
8.1 Objectives ... 41
8.2 Requirements ... 42
9 Allocation of safety functions to protection layers ... 43
9.1 Objective ... 43
9.2 Requirements of the allocation process ... 43
9.3 Additional requirements for safety integrity level 4 ... 44
9.4 Requirements on the basic process control system as a protection layer ... 45
9.5 Requirements for preventing common cause, common mode and dependent failures ... 46
10 SIS safety requirements specification ... 46
10.1 Objective ... 46
10.2 General requirements ... 46
10.3 SIS safety requirements ... 46
11 SIS design and engineering ... 48
11.1 Objective ... 48
11.2 General requirements ... 48
11.3 Requirements for system behaviour on detection of a fault ... 48
11.4 Requirements for hardware fault tolerance ... 51
11.5 Requirements for selection of components and subsystems ... 52
11.6 Field devices ... 56
11.7 Interfaces ... 56
11.8 Maintenance or testing design requirements ... 58
11.9 SIF probability of failure ... 59
12 Requirements for application software, including selection criteria for utility software ... 60
12.1 Application software safety life-cycle requirements ... 60
12.2 Application software safety requirements specification ... 66
12.3 Application software safety validation planning ... 68
12.4 Application software design and development ... 68
12.5 Integration of the application software with the SIS subsystem ... 74
12.6 FPL and LVL software modification procedures ... 75
12.7 Application software verification ... 75
13 Factory acceptance testing (FAT) ... 76
13.1 Objectives ... 76
13.2 Recommendations ... 77
14 SIS installation and commissioning ... 78
14.1 Objectives ... 78
14.2 Requirements ... 78
15 SIS safety validation ... 79
15.1 Objective ... 79
15.2 Requirements ... 79
16 SIS operation and maintenance ... 82
16.1 Objectives ... 82
16.2 Requirements ... 82
16.3 Proof testing and inspection ... 84
17 SIS modification ... 85
17.1 Objective ... 85
17.2 Requirements ... 85
18 SIS decommissioning ... 86
18.1 Objectives ... 86
18.2 Requirements ... 86
19 Information and documentation requirements ... 86
19.1 Objectives ... 86
19.2 Requirements ... 87
Annex A (informative) Differences ... 88
Bibliography ... 89
Figure 1 – Overall framework of this standard ... 9
Figure 2 – Relationship between IEC 61511 and IEC 61508 ... 12
Figure 3 – Relationship between IEC 61511 and IEC 61508 (see 1.2) ... 13
Figure 4 – Relationship between safety instrumented functions and other functions ... 14
Figure 5 – Relationship between system, hardware, and software of IEC 61511-1 ... 15
Figure 6 – Programmable electronic system (PES): structure and terminology ... 25
Figure 7 – Example SIS architecture ... 28
Figure 8 – SIS safety life-cycle phases and functional safety assessment stages ... 36
Figure 9 – Typical risk reduction methods found in process plants ... 45
Figure 10 – Application software safety life cycle and its relationship to the SIS safety life cycle ... 61
Figure 11 – Application software safety life cycle (in realization phase) ... 63
Figure 12 – Software development life cycle (the V-model) ... 63
Figure 13 – Relationship between the hardware and software architectures of SIS ... 66
Table 1 – Abbreviations used in IEC 61511 ... 16
Table 2 – SIS safety life-cycle overview ... 39
Table 3 – Safety integrity levels: probability of failure on demand ... 43
Table 4 – Safety integrity levels: frequency of dangerous failures of the SIF ... 44
Table 5 – Minimum hardware fault tolerance of PE logic solvers ... 51
Table 6 – Minimum hardware fault tolerance of sensors and final elements and non-PE logic solvers ... 52
Table 7 – Application software safety life cycle: overview ... 64

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 1: Framework, definitions, system,
hardware and software requirements

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-1 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
This bilingual version, published in 2003-12, corresponds to the English version.

The text of this standard is based on the following documents:
FDIS: 65A/368/FDIS
Report on voting: 65A/372/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
The French version of this standard has not been voted upon.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
IEC 61511 consists of the following parts, under the general title Functional safety: Safety
instrumented systems for the process industry sector (see Figure 1):
Part 1: Framework, definitions, system, hardware and software requirements
Part 2: Guidelines in the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels
The committee has decided that the contents of this publication will remain unchanged until
2007. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of November 2004 have been included in this copy.

INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented
functions in the process industries. If instrumentation is to be effectively used for safety
instrumented functions, it is essential that this instrumentation achieves certain minimum
standards and performance levels.
This standard addresses the application of safety instrumented systems for the process
industries. It also requires a process hazard and risk assessment to be carried out to enable
the specification for safety instrumented systems to be derived. Other safety systems are only
considered so that their contribution can be taken into account when considering the
performance requirements for the safety instrumented systems. The safety instrumented
system includes all components and subsystems necessary to carry out the safety
instrumented function from sensor(s) to final element(s).
This standard has two concepts which are fundamental to its application: the safety life cycle and
safety integrity levels.
This standard addresses safety instrumented systems which are based on the use of
electrical/electronic/programmable electronic technology. Where other technologies are used
for logic solvers, the basic principles of this standard should be applied. This standard also
addresses the safety instrumented system sensors and final elements regardless of the
technology used. This standard is process industry specific within the framework of IEC 61508
(see Annex A).
This standard sets out an approach for safety life-cycle activities to achieve these minimum
standards. This approach has been adopted in order that a rational and consistent technical
policy is used.
In most situations, safety is best achieved by an inherently safe process design. If necessary,
this may be combined with a protective system or systems to address any residual identified
risk. Protective systems can rely on different technologies (chemical, mechanical, hydraulic,
pneumatic, electrical, electronic, programmable electronic). To facilitate this approach, this
standard
• requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
• requires that an allocation of the safety requirements to the safety instrumented system(s)
is carried out;
• works within a framework which is applicable to all instrumented methods of achieving
functional safety;
• details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
This standard on safety instrumented systems for the process industry
• addresses all safety life-cycle phases from initial concept, design, implementation,
operation and maintenance through to decommissioning;
• enables existing or new country specific process industry standards to be harmonized with
this standard.
This International Standard is intended to lead to a high level of consistency (for example, of
underlying principles, terminology, information) within the process industries. This should
have both safety and economic benefits.
In jurisdictions where the governing authorities (for example, national, federal, state, province,
county, city) have established process safety design, process safety management, or other
requirements, these take precedence over the requirements defined in this standard.

[Figure 1 (IEC 3240/02) is a block diagram. Technical requirements, all in Part 1: development of the overall safety requirements (concept, scope definition, hazard and risk assessment), clause 8; allocation of the safety requirements to the safety instrumented functions and development of the safety requirements specification, clauses 9 and 10; design phase for safety instrumented systems, clause 11; design phase for safety instrumented system software, clause 12; factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems, clauses 13, 14 and 15; operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems, clauses 16, 17 and 18. Support parts: Part 1 references (clause 2), definitions and abbreviations (clause 3), conformance (clause 4), management of functional safety (clause 5), safety life-cycle requirements (clause 6), verification (clause 7), information requirements (clause 19), differences (Annex A); Part 2, guideline for the application of Part 1; Part 3, guidance for the determination of the required safety integrity levels.]
Figure 1 – Overall framework of this standard

FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 1: Framework, definitions, system,
hardware and software requirements
1 Scope
This International Standard gives requirements for the specification, design, installation,
operation and maintenance of a safety instrumented system, so that it can be confidently
entrusted to place and/or maintain the process in a safe state. This standard has been
developed as a process sector implementation of IEC 61508.
In particular, this standard
a) specifies the requirements for achieving functional safety but does not specify who is
responsible for implementing the requirements (for example, designers, suppliers,
owner/operating company, contractor); this responsibility will be assigned to different
parties according to safety planning and national regulations;
b) applies when equipment that meets the requirements of IEC 61508, or of 11.5 of
IEC 61511-1, is integrated into an overall system that is to be used for a process sector
application but does not apply to manufacturers wishing to claim that devices are suitable
for use in safety instrumented systems for the process sector (see IEC 61508-2 and
IEC 61508-3);
c) defines the relationship between IEC 61511 and IEC 61508 (Figures 2 and 3);
d) applies when application software is developed for systems having limited variability or
fixed programmes but does not apply to manufacturers, safety instrumented systems
designers, integrators and users that develop embedded software (system software) or
use full variability languages (see IEC 61508-3);
e) applies to a wide variety of industries within the process sector including chemicals, oil
refining, oil and gas production, pulp and paper, non-nuclear power generation;
NOTE Within the process sector some applications, (for example, off-shore), may have additional
requirements that have to be satisfied.
f) outlines the relationship between safety instrumented functions and other functions
(Figure 4);
g) results in the identification of the functional requirements and safety integrity requirements
for the safety instrumented function(s) taking into account the risk reduction achieved by
other means;
h) specifies requirements for system architecture and hardware configuration, application
software, and system integration;
i) specifies requirements for application software for users and integrators of safety
instrumented systems (clause 12). In particular, requirements for the following are
specified:
– safety life-cycle phases and activities that are to be applied during the design and
development of the application software (the software safety life-cycle model). These
requirements include the application of measures and techniques, which are intended
to avoid faults in the software and to control failures which may occur;
– information relating to the software safety validation to be passed to the organization
carrying out the SIS integration;
– preparation of information and procedures concerning software needed by the user for
the operation and maintenance of the SIS;
– procedures and specifications to be met by the organization carrying out modifications
to safety software;
j) applies when functional safety is achieved using one or more safety instrumented
functions for the protection of personnel, protection of the general public or protection of
the environment;
k) may be applied in non-safety applications such as asset protection;
l) defines requirements for implementing safety instrumented functions as a part of the
overall arrangements for achieving functional safety;
m) uses a safety life cycle (Figure 8) and defines a list of activities which are necessary to
determine the functional requirements and the safety integrity requirements for the safety
instrumented systems;
n) requires that a hazard and risk assessment is to be carried out to define the safety
functional requirements and safety integrity levels of each safety instrumented function;
NOTE See Figure 9 for an overview of risk reduction methods.
o) establishes numerical targets for average probability of failure on demand and frequency
of dangerous failures per hour for the safety integrity levels;
p) specifies minimum requirements for hardware fault tolerance;
q) specifies techniques/measures required for achieving the specified integrity levels;
r) defines a maximum level of performance (SIL 4) which can be achieved for a safety
instrumented function implemented according to this standard;
s) defines a minimum level of performance (SIL 1) below which this standard does not apply;
t) provides a framework for establishing safety integrity levels but does not specify the safety
integrity levels required for specific applications (which should be established based on
knowledge of the particular application);
u) specifies requirements for all parts of the safety instrumented system from sensor to final
element(s);
v) defines the information that is needed during the safety life cycle;
w) requires that the design of a safety instrumented function takes into account human
factors;
x) does not place any direct requirements on the individual operator or maintenance person.

[Figure 2 (IEC 3241/02) shows the process sector safety instrumented system standards: manufacturers and suppliers of devices follow IEC 61508; safety instrumented systems designers, integrators and users follow IEC 61511.]
Figure 2 – Relationship between IEC 61511 and IEC 61508

[Figure 3 (IEC 3242/02) shows, for the process sector safety instrumented system standard, which standard to follow in each case. Process sector hardware: developing new hardware devices – follow IEC 61508; using proven-in-use hardware devices – follow IEC 61511; using hardware developed and assessed according to IEC 61508 – follow IEC 61511. Process sector software: developing embedded (system) software – follow IEC 61508-3; developing application software using full variability languages – follow IEC 61508-3; developing application software using limited variability languages or fixed programs – follow IEC 61511.]
Figure 3 – Relationship between IEC 61511 and IEC 61508 (see clause 1)

[Figure 4 (IEC 3243/02) is a decision flowchart. Start: is it an instrumented function? No – other means of risk reduction (not relevant to this standard). Yes – is it a safety related function? No – basic process control and/or asset protection function. Yes – safety instrumented function; mode? Continuous – safety instrumented control function. Demand – safety instrumented protection function; type? Prevention – safety instrumented prevention function. Mitigation – safety instrumented mitigation function. Figure note: Standard specifies activities which are to be carried out but requirements are not detailed.]
Figure 4 – Relationship between safety instrumented functions and other functions

[Figure 5 is a diagram; only its labels survive extraction.
Life-cycle activities spanning all elements: management of functional safety (clause 5); determination of function and integrity (clause 8); verification and validation (clause 7, 12.3, 12.7, clauses 13 and 15); operation, maintenance and modification (clauses 16 and 17).
Safety instrumented functions
– continuous mode: safety instrumented control function;
– demand mode: safety instrumented protection function, as a safety instrumented prevention function or a safety instrumented mitigation function.
Safety instrumented systems – system and hardware requirements (clause 6): input (function), logic (function), output (function).
Safety instrumented systems – software requirements (clause 12): software.]
IEC  3244/02
Figure 5 – Relationship between system, hardware, and software of IEC 61511-1

2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60654-1:1993, Industrial-process measurement and control equipment – Operating
conditions – Part 1: Climatic conditions
IEC 60654-3:1998, Industrial-process measurement and control equipment – Operating
conditions – Part 3: Mechanical influences
IEC 61326-1, Electrical equipment for measurement, control and laboratory use – EMC
requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements
IEC 61511-2, Functional safety – Safety instrumented systems for the process industry sector
– Part 2: Guidelines in the application of IEC 61511-1
3 Abbreviations and definitions
3.1 Abbreviations
Abbreviations used throughout IEC 61511 are given in Table 1.
Table 1 – Abbreviations used in IEC 61511
Abbreviation Full expression
AC/DC Alternating current/direct current
ALARP As low as reasonably practicable
ANSI American National Standards Institute
BPCS Basic process control system
DC Diagnostic coverage
E/E/PE Electrical/electronic/programmable electronic
E/E/PES Electrical/electronic/programmable electronic system
EMC Electro-magnetic compatibility
FAT Factory acceptance testing
FPL Fixed program language
FTA Fault tree analysis
FVL Full variability language
HFT Hardware fault tolerance
HMI Human machine interface
H&RA Hazard and risk assessment
HRA Human reliability analysis
H/W Hardware
IEC International Electrotechnical Commission
IEV International Electrotechnical Vocabulary
ISA Instrumentation, Systems and Automation Society
ISO International Organization for Standardization
LVL Limited variability language
MooN “M” out of “N” (see 3.2.45)
NP Non-programmable
PE Programmable electronics
PES Programmable electronic system
PFD Probability of failure on demand
PFDavg Average probability of failure on demand
PLC Programmable logic controller
SAT Site acceptance test
SFF Safe failure fraction
SIF Safety instrumented function
SIL Safety integrity level
SIS Safety instrumented system
SRS Safety requirement specification
S/W Software
3.2 Definitions
For the purposes of this document, the following definitions apply.
3.2.1
architecture
arrangement of hardware and/or software elements in a system, for example,
(1) arrangement of safety instrumented system (SIS) subsystems;
(2) internal structure of an SIS subsystem;
(3) arrangement of software programs
NOTE This term differs from the definition in IEC 61508-4 to reflect differences in the process sector terminology.
3.2.2
asset protection
function allocated to system design for the purpose of preventing loss to assets
3.2.3
basic process control system (BPCS)
system which responds to input signals from the process, its associated equipment, other
programmable systems and/or an operator and generates output signals causing the process
and its associated equipment to operate in the desired manner but which does not perform
any safety instrumented functions with a claimed SIL ≥ 1
NOTE See Clause A.2.
3.2.4
channel
element or group of elements that independently perform(s) a function
NOTE 1 The elements within a channel could include input/output (I/O) modules, logic systems (see 3.2.40),
sensors, final elements.
NOTE 2 A dual channel (i.e., a two-channel) configuration is one with two channels that independently perform
the same function.
NOTE 3 The term can be used to describe a complete system or a portion of a system (for example, sensors or
final elements).
3.2.5
coding
see “programming”
3.2.6
3.2.6.1
common cause failure
failure, which is the result of one or more events, causing failures of two or more separate
channels in a multiple channel system, leading to system failure
3.2.6.2
common mode failure
failure of two or more channels in the same way, causing the same erroneous result
3.2.7
component
one of the parts of a system, subsystem, or device performing a specific function
3.2.8
configuration
see “architecture”
3.2.9
configuration management
discipline of identifying the components of an evolving (hardware and software) system for the
purposes of controlling changes to those components and maintaining continuity and
traceability throughout the life cycle
3.2.10
control system
system which responds to input signals from the process and/or from an operator and
generates output signals causing the process to operate in the desired manner
NOTE The control system includes input devices and final elements and may be either a BPCS or an SIS or
a combination of the two.
3.2.11
dangerous failure
failure which has the potential to put the safety instrumented system in a hazardous or fail-
to-function state
NOTE Whether or not the potential is realized may depend on the channel architecture of the system; in systems
with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall
hazardous or fail-to-function state.

3.2.12
dependent failure
failure whose probability cannot be expressed as the simple product of the unconditional
probabilities of the individual events which caused it
NOTE 1 Two events A and B are dependent, where P(z) is the probability of event z, only if P(A and B) > P(A) × P(B).
NOTE 2 See 9.5 as an example of dependent failure consideration between layers of protection.
NOTE 3 Dependent failure includes common cause (see 3.2.6).
3.2.13
detected
revealed
overt
in relation to hardware failures and software faults, detected by the diagnostic tests or through
normal operation
3.2.14
device
functional unit of hardware or software, or both, capable of accomplishing a specified purpose
(for example, field devices; equipment connected to the field side of the SIS I/O terminals;
such equipment includes field wiring, sensors, final elements, logic solvers, and those
operator interface devices hard-wired to SIS I/O terminals)
3.2.15
diagnostic coverage (DC)
ratio of the detected failure rate to the total failure rate of the component or subsystem as
detected by diagnostic tests. Diagnostic coverage does not include any faults detected by
proof tests.
NOTE 1 The diagnostic coverage is used to compute the detected ($\lambda_{detected}$) and undetected ($\lambda_{undetected}$) failure rates from the total failure rate ($\lambda_{total}$) as follows: $\lambda_{detected} = DC \times \lambda_{total}$ and $\lambda_{undetected} = (1 - DC) \times \lambda_{total}$.
NOTE 2 Diagnostic coverage is applied to components or subsystems of a safety instrumented system. For
example, the diagnostic coverage is typically determined for a sensor, final element or a logic solver.
NOTE 3 For safety applications the diagnostic coverage is typically applied to the safe and dangerous failures of a component or subsystem. For example, the diagnostic coverage for the dangerous failures of a component or subsystem is $DC = \lambda_{DD} / \lambda_{DT}$, where $\lambda_{DD}$ is the dangerous detected failure rate and $\lambda_{DT}$ is the total dangerous failure rate.
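The failure-rate split of 3.2.15 and the dependence test of 3.2.12 NOTE 1, carried out on a small failure-mode table. This is an added illustration, not text or data from IEC 61511-1: the transmitter, its failure modes and every rate below are constructed, and the function names are this example's own. The point a practitioner most often gets wrong is the last sentence of 3.2.15: a fault that is only revealed at proof test is undetected for DC purposes, and the example shows how far the figure moves if that rule is ignored.

```python
"""Worked example for IEC 61511-1 3.2.12 (dependent failure) and 3.2.15
(diagnostic coverage). Added illustration; nothing here is taken from the
standard's own text, and the failure-mode table is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate: float        # failures per hour (constructed value)
    dangerous: bool    # True: dangerous failure (3.2.11); False: safe failure
    detected_by: str   # "diagnostic", "proof_test" or "none"


# Constructed FMEDA-style rows for a hypothetical transmitter; not real data.
SAMPLE_MODES = (
    FailureMode("output stuck high", 2.0e-7, dangerous=True, detected_by="diagnostic"),
    FailureMode("output stuck low", 1.0e-7, dangerous=False, detected_by="diagnostic"),
    FailureMode("drift outside tolerance", 1.5e-7, dangerous=True, detected_by="proof_test"),
    FailureMode("sensing element open", 0.5e-7, dangerous=True, detected_by="none"),
    FailureMode("loss of power (trip)", 3.0e-7, dangerous=False, detected_by="none"),
)


def split_rates(modes, count_proof_tests=False):
    """Aggregate modes into lambda_SD, lambda_SU, lambda_DD, lambda_DU.

    Per 3.2.15 only faults revealed by diagnostic tests count as detected;
    a fault found only at proof test is undetected for DC purposes. The
    count_proof_tests flag exists solely to show the size of that mistake."""
    rates = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        cls = "D" if m.dangerous else "S"
        detected = m.detected_by == "diagnostic" or (
            count_proof_tests and m.detected_by == "proof_test")
        rates[cls + ("D" if detected else "U")] += m.rate
    return rates


def diagnostic_coverage(modes, dangerous=True, count_proof_tests=False):
    """DC = lambda_detected / lambda_total for one failure class.
    For dangerous failures this is NOTE 3's DC = lambda_DD / lambda_DT."""
    r = split_rates(modes, count_proof_tests)
    cls = "D" if dangerous else "S"
    total = r[cls + "D"] + r[cls + "U"]
    return r[cls + "D"] / total if total > 0 else 0.0


def detected_undetected(total_rate, dc):
    """NOTE 1: lambda_detected = DC * lambda_total,
    lambda_undetected = (1 - DC) * lambda_total."""
    return dc * total_rate, (1.0 - dc) * total_rate


def is_dependent(p_a, p_b, p_a_and_b, tol=1e-12):
    """3.2.12 NOTE 1: A and B are dependent only if P(A and B) > P(A) x P(B)."""
    return p_a_and_b > p_a * p_b + tol


if __name__ == "__main__":
    print(f"dangerous DC = {diagnostic_coverage(SAMPLE_MODES):.3f}")  # 0.500
    print("dangerous DC if proof tests were (wrongly) counted = "
          f"{diagnostic_coverage(SAMPLE_MODES, count_proof_tests=True):.3f}")  # 0.875
    print(f"safe DC = {diagnostic_coverage(SAMPLE_MODES, dangerous=False):.3f}")  # 0.250
    # Two channels each failing on 1 % of demands (constructed): a joint
    # probability of 5e-4 exceeds 1e-4, so the failures are dependent (a
    # common cause would do this); a joint probability of 1e-4 is independent.
    print(is_dependent(0.01, 0.01, 5e-4), is_dependent(0.01, 0.01, 1e-4))  # True False
```

The dangerous DC of 0.5 versus 0.875 is the whole difference between treating "drift outside tolerance" as a diagnosed fault and as one that waits for the next proof test; only the former counts toward DC under 3.2.15, and the undetected remainder is what drives the average probability of failure on demand between proof tests.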
3.2.16
diversity
existence of different means performing a required function
NOTE Diversity may be achieved by different physical methods or different design approaches.
3.2.17
electrical/electronic/programmable (E/E/PE)
based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology
NOTE The term is intended to cover any and all devices or systems operating on electrical principles and would
include
– electro-mechanical devices (electrical);
– solid-state non-programmable electronic devices (electronic);
– electronic devices based on computer technology (programmable electronic) (see 3.2.55).

3.2.18
error
discrepancy between a computed, observed or measured value or condition and the true,
specified or theoretically correct value or condition
NOTE Adapted from IEV 191-05-24 by excluding the notes.
3.2.19
external risk reduction facilities
measures to reduce or mitigate the risks, which are separate and distinct from the SIS
NOTE 1 Examples include a drain system, fire wall, bund (dike).
NOTE 2 This term deviates from the definition in IEC 61508-4 to reflect differences in the process sector
terminology.
3.2.20
failure
termination of the ability of a functional unit to perform a required function
NOTE 1 This definition (excluding these notes) matches ISO/IEC 2382-14-01-09:1997.
NOTE 2 For further information, see IEC 61508-4.
NOTE 3 Performance of required functions necessarily excludes certain behaviour, and some functions may be
specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.
NOTE 4 Failures are either random or systematic (see 3.2.62 and 3.2.85).
3.2.21
fault
abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit
to perform a required function
NOTE IEV 191-0
...
