IEC 61511-2:2003

INTERNATIONAL IEC
STANDARD
61511-2
First edition
2003-07
Functional safety –
Safety instrumented systems
for the process industry sector –
Part 2:
Guidelines for the application of IEC 61511-1

Reference number
Publication numbering
As from 1 January 1997 all IEC publications are issued with a designation in the

60000 series. For example, IEC 34-1 is now referred to as IEC 60034-1.

Consolidated editions
The IEC is now publishing consolidated versions of its publications. For example,

edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the

base publication incorporating amendment 1 and the base publication incorporating

amendments 1 and 2.
Further information on IEC publications
The technical content of IEC publications is kept under constant review by the IEC,
thus ensuring that the content reflects current technology. Information relating to
this publication, including its validity, is available in the IEC Catalogue of
publications (see below) in addition to new editions, amendments and corrigenda.
Information on the subjects under consideration and work in progress undertaken
by the technical committee which has prepared this publication, as well as the list
of publications issued, is also available from the following:
• IEC Web Site (www.iec.ch)
• Catalogue of IEC publications
The on-line catalogue on the IEC web site (www.iec.ch/searchpub) enables you to
search by a variety of criteria including text searches, technical committees
and date of publication. On-line information is also available on recently issued
publications, withdrawn and replaced publications, as well as corrigenda.
• IEC Just Published
This summary of recently issued publications (www.iec.ch/online_news/ justpub)
is also available by email. Please contact the Customer Service Centre (see
below) for further information.
• Customer Service Centre
If you have any questions regarding this publication or need further assistance,
please contact the Customer Service Centre:

Email: custserv@iec.ch
Tel: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL IEC
STANDARD
61511-2
First edition
2003-07
Functional safety –
Safety instrumented systems
for the process industry sector –
Part 2:
Guidelines for the application of IEC 61511-1

 IEC 2003  Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch
PRICE CODE
Commission Electrotechnique Internationale
XB
International Electrotechnical Commission
Международная Электротехническая Комиссия
For price, see current catalogue

– 2 – 61511-2  IEC:2003(E)
CONTENTS
FOREWORD . 4

INTRODUCTION .6

1 Scope . 8

2 Normative references. 8

3 Terms, definitions and abbreviations. 8

4 Conformance to this International Standard . 8

5 Management of functional safety. 9
5.1 Objective . 9
5.2 Requirements . 9
6 Safety lifecycle requirements .15
6.1 Objective .15
6.2 Requirements .15
7 Verification .15
7.1 Objective .15
8 Process hazard and risk assessment .16
8.1 Objectives .16
8.2 Requirements .16
9 Allocation of safety functions to protection layers.19
9.1 Objective .19
9.2 Requirements of the allocation process .19
9.3 Additional requirements for safety integrity level 4 .21
9.4 Requirement on the basic process control system as a layer of protection .21
9.5 Requirements for preventing common cause, common mode and dependent
failures .22
10 SIS safety requirements specification .23
10.1 Objective .23
10.2 General requirements .23
10.3 SIS safety requirements.23
11 SIS design and engineering .24
11.1 Objective .24

11.2 General requirements .24
11.3 Requirements for system behaviour on detection of a fault .28
11.4 Requirements for hardware fault tolerance.28
11.5 Requirements for selection of components and subsystems .30
11.6 Field devices .32
11.7 Interfaces .32
11.8 Maintenance or testing design requirements .34
11.9 SIF probability of failure.35
12 Requirements for application software, including selection criteria for utility
software.37
12.1 Application software safety lifecycle requirements .37
12.2 Application software safety requirements specification.40
12.3 Application software safety validation planning .42
12.4 Application software design and development.42

61511-2  IEC:2003(E) – 3 –
12.5 Integration of the application software with the SIS subsystem .49

12.6 FPL and LVL software modification procedures .49

12.7 Application software verification.50

13 Factory acceptance testing (FAT) .51

13.1 Objectives .51

13.2 Recommendations .51

14 SIS installation and commissioning.52

14.1 Objectives .52

14.2 Requirements .52

15 SIS safety validation .52
15.1 Objective .52
15.2 Requirements .52
16 SIS operation and maintenance .53
16.1 Objectives .53
16.2 Requirements .53
16.3 Proof testing and inspection.53
17 SIS modification.55
17.1 Objective .55
17.2 Requirements .55
18 SIS decommissioning.55
18.1 Objectives .55
18.2 Requirements .55
19 Information and documentation requirements.55
19.1 Objectives .55
19.2 Requirements .55
Annex A (informative) Example of techniques for calculating the probability of failure
on demand for a safety instrumented function .57
Annex B (informative) Typical SIS architecture development.58
Annex C (informative) Application features of a safety PLC.63
Annex D (informative) Example of SIS logic solver application software development
methodology .65
Annex E (informative) Example of development of externally configured diagnostics
for a safety-configured PE logic solver .69

Figure 1 – Overall framework of this standard . 7
Figure 2 – BPCS function and initiating cause independence illustration .21
Figure 3 – Software development lifecycle (the V-model) .38
Figure C.1 – Logic solver .64
Figure E.1 – EWDT timing diagram .71
Table 1 – Typical Safety Manual organisation and contents .47

– 4 – 61511-2  IEC:2003(E)
INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 2: Guidelines for the application of IEC 61511-1

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to
technical committees; any IEC National Committee interested in the subject dealt with may participate in this
preparatory work. International, governmental and non-governmental organizations liaising with the IEC also
participate in this preparation. IEC collaborates closely with the International Organization for Standardization
(ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 61511-2 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
The text of this standard is based on the following documents:
FDIS Report on voting
65A/387A/FDIS 65A/390/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
IEC 61511 series has been developed as a process sector implementation of IEC 61508
series.
61511-2  IEC:2003(E) – 5 –
IEC 61511 consists of the following parts, under the general title Functional safety – Safety

Instrumented Systems for the process industry sector (see Figure 1):

Part 1: Framework, definitions, system, hardware and software requirements

Part 2: Guidelines for the application of IEC 61511-1

Part 3: Guidance for the determination of the required safety integrity levels

The committee has decided that the contents of this publication will remain unchanged until

2007. At this date, the publication will be

• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
A bilingual version of this standard may be issued at a later date.

– 6 – 61511-2  IEC:2003(E)
INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented

functions in the process industries. If instrumentation is to be effectively used for safety

instrumented functions, it is essential that this instrumentation achieves certain minimum

standards.
This International Standard addresses the application of safety instrumented systems for the

Process Industries. It also deals with the interface between safety instrumented systems and

other safety systems in requiring that a process hazard and risk assessment be carried out.

The safety instrumented system includes sensors, logic solvers and final elements.

This International Standard has two concepts, which are fundamental to its application; safety
lifecycle and safety integrity levels. The safety lifecycle forms the central framework which
links together most of the concepts in this International Standard.
The safety instrumented system logic solvers addressed include Electrical (E)/Electronic (E)/
and Programmable Electronic (PE) technology. Where other technologies are used for logic
solvers, the basic principles of this standard may also be applied. This standard also
addresses the safety instrumented system sensors and final elements regardless of the
technology used. This International Standard is process industry specific within the framework
of the IEC 61508 series.
This International Standard sets out an approach for safety lifecycle activities to achieve
these minimum standards. This approach has been adopted in order that a rational and
consistent technical policy is used. The objective of this standard is to provide guidance on
how to comply with IEC 61511-1.
To facilitate use of this standard, the clause and subclause numbers provided are identical to
the corresponding normative text in 61511-1 (excluding the annexes).
In most situations, safety is best achieved by an inherently safe process design whenever
practicable, combined, if necessary, with a number of protective systems which rely on
different technologies (for example, chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, thermodynamic (for example, flame arrestors), programmable electronic) which
manage any residual identified risk. Any safety strategy considers each individual safety
instrumented system in the context of the other protective systems. To facilitate this
approach, this standard
− requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
− requires that an allocation of the safety requirements to the safety functions and related
safety systems, such as the safety instrumented system(s), is carried out;
− works within a framework which is applicable to all instrumented methods of achieving
functional safety;
− details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
This International Standard on safety instrumented systems for the process industry:
− addresses relevant safety lifecycle stages from initial concept, through design,
implementation, operation and maintenance and decommissioning;
− enables existing or new country specific process industry standards to be harmonized with
this standard.
This standard is intended to lead to a high level of consistency (for example, of underlying
principles, terminology, information) within the process industries. This should have both
safety and economic benefits.
61511-2  IEC:2003(E) – 7 –
Support
Technical
Parts
requirements
PART 1 References
Clause 2
Development of the overall safety
PART 1
requirements (concept, scope definition,
hazard and risk assessment)
Definitions and
abbreviations
Clause 8
Clause 3
PART 1
PART 1
Conformance
Allocation of the safety requirements to
Clause 4
the safety instrumented functions and
development of safety requirements
PART 1
Specification
Management of
Clauses 9 and 10
functional safety
Clause 5
PART 1
PART 1
Safety lifecycle
Design phase for Design phase for
requirements
safety
safety
Clause 6
Instrumented instrumented
PART 1
system software
systems
Clause 11 Clause 12
Verification
Clause 7
PART 1
PART 1
Information
Factory acceptance testing,
requirements
installation and commissioning and
Clause 19
safety validation of safety
instrumented systems PART 1
Clauses 13, 14, and 15
Differences
Annex A
PART 1
PART 1
Operation and maintenance,
modification and retrofit, Guidelines for the
decommissioning or disposal of application of part 1
safety instrumented systems
PART 2
Clauses 16, 17, and 18
Guidance for the
determination of the
required safety
integrity levels
PART 3
IEC  1827/03
Figure 1 – Overall framework of this standard

– 8 – 61511-2  IEC:2003(E)
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –

Part 2: Guidelines for the application of IEC 61511-1

1 Scope
IEC 61511-2 provides guidance on the specification, design, installation, operation and
maintenance of Safety Instrumented Functions and related safety instrumented system as
defined in IEC 61511-1. This standard has been organized so that each clause and subclause
number herein addresses the same clause number in IEC 61511-1 (with the exception of the
annexes).
2 Normative references
No further guidance provided.
3 Terms, definitions and abbreviations
No further guidance provided except for 3.2.68 and 3.2.71 of IEC 61511-1.
3.2.68 A safety function should prevent a specified hazardous event. For example, “prevent
the pressure in vessel #ABC456 exceeding 100 bar.” A safety function may be achieved by
a) a single safety instrumented system (SIS), or
b) one or more safety instrumented systems and/or other layers of protection.
In case b), each safety instrumented system or other layer of protection has to be capable of
achieving the safety function and the overall combination has to achieve the required risk
reduction (process safety target).
3.2.71 Safety instrumented functions are derived from the safety function, have an
associated safety integrity level (SIL) and are carried out by a specific safety instrumented
system (SIS). For example, “close valve #XY123 within 5 s when pressure in vessel #ABC456
reaches 100 bar”. Note that components of a safety instrumented system may be used by

more than one safety instrumented function.
4 Conformance to this International Standard
No further guidance provided.
61511-2  IEC:2003(E) – 9 –
5 Management of functional safety

5.1 Objective
The objective of Clause 5 of IEC 61511-1 is to provide requirements for implementing the

management activities that are necessary to ensure that the functional safety objectives

are met.
5.2 Requirements
5.2.1 General
5.2.1.1 No further guidance provided.
5.2.1.2 When an organization has responsibility for one or more activities necessary for
functional safety and that organization works according to quality assurance procedures, then
many of these activities described in this clause will already be carried out for the purposes of
quality. Where this is the case, it may be unnecessary to repeat these activities for the
purposes of functional safety. In such cases, the quality assurance procedures should be
reviewed to establish that they are suitable so that the objectives of functional safety will
be achieved.
5.2.2 Organization and resources
5.2.2.1 The organizational structure associated with safety instrumented systems within a
Company/Site/Plant/Project should be defined and the roles and responsibilities of each
element clearly understood and communicated. Within the structure, individual roles, including
their description and purpose should be identified. For each role, unambiguous
accountabilities should be identified; and specific responsibilities should be recognised. In
addition, whom the individual reports to and who makes the appointment should be identified.
The intent is to ensure that everyone in an organization understands their role and
responsibilities for safety instrumented systems.
5.2.2.2 The skills and knowledge required to implement any of the activities of the safety life
cycle relating to the safety instrumented systems should be identified; and for each skill, the
required competency levels should be defined. Resources should be assessed against each
skill for competency and also the number of people per skill required. When differences are
identified, development plans should be established to enable the required competency levels
to be achieved in a timely manner. When shortages of skills arise, suitably qualified and
experienced personnel may be recruited or contracted.
5.2.3 Risk evaluation and risk management
The requirement stated in 5.2.3 of IEC 61511 is that hazards are identified, risks evaluated

and the necessary risk reduction is determined. It is recognized that there are numerous
different methodologies available for conducting these evaluations. IEC 61511-1 does not
endorse any particular methodology. Instead, the reader is encouraged to review a number of
methodologies on this issue in IEC 61511-3. See 8.2.1 for further guidance.
5.2.4 Planning
The intent of this subclause is to ensure that, within the overall project, adequate safety
planning is conducted so that all of the required activities during each phase of the lifecycle
(for example, engineering design, plant operation) are addressed. The standard does not
require any particular structure for these planning activities, but it does require periodic
update or review of them.
– 10 – 61511-2  IEC:2003(E)
5.2.5 Implementing and monitoring

5.2.5.1 The intent of this subclause is to ensure that effective management procedures are in

place to
− ensure that all recommendations resulting from hazard analysis, risk assessment, other

assessment and auditing activities, verification and validation activities are satisfactorily

resolved.
− determine that the SIS is performing in accordance with its safety requirements

specification throughout its operational lifetime.

5.2.5.2 Note that, in this context, suppliers could include design contractors and maintenance

contractors as well as suppliers of components.
5.2.5.3 A review of the SIS performance should be periodically undertaken to ensure the
original assumptions made during the development of the safety requirements specification
(SRS) are still adhered to. For example, a periodic review of the assumed failure rate of
different components in a SIS should be carried out to ensure that it remains as originally
defined. If the failure rates are worse than originally anticipated, a design modification may be
necessary. Likewise, the demand rate on the SIS should be reviewed. If the rate is more than
that which was originally assumed, then an adjustment in the SIL may be needed.
5.2.6 Assessment, auditing and revision
Assessments and audits are tools targeted at the detection and elimination of errors. The
paragraphs below make clear the distinction between these activities
Functional safety assessment aims to evaluate whether provisions made during the assessed
lifecycle phases are adequate for the achievement of safety. Judgements are made by
assessors on the decisions taken by those responsible for the realisation of functional safety.
An assessment would for example be made prior to commissioning as to whether procedures
for maintenance are adequate.
Functional safety auditors will determine from project or plant records whether the necessary
procedures have been applied at the specified frequency by persons with the necessary
competence. Auditors are not required to make judgements on the adequacy of the work they
are considering. However, if they became aware that there would be benefits in making
changes, then an observation should be included in the report.
It should be noted that in many cases there can be an overlap between the work of the
assessor and the auditor. For example an auditor may need to determine not only whether an
operator has been given the necessary training but in addition make judgements as to
whether the training has resulted in the required competency.

5.2.6.1 Functional safety assessment
5.2.6.1.1 The use of Functional Safety Assessment (FSA) is fundamental in demonstrating
that a Safety Instrumented System (SIS) fulfils its requirements regarding safety instrumented
function(s) and Safety Integrity Level (SIL). The basic objective of this assessment is to
demonstrate compliance with agreed standards and practices through independent assess-
ment of the system's development process. An assessment of a SIS may be needed at
different lifecycle stages. In order to conduct an effective assessment, a procedure should be
developed that defines the scope of this assessment along with some guidance on the
makeup of the assessment team.
The following attributes are considered good practice for Functional Safety Assessment:
− A plan should be generated for each FSA identifying such arrangements as the scope of
the assessment, the assessors, the competencies of the assessors and the information to
be generated by the assessment.

61511-2  IEC:2003(E) – 11 –
− The FSA should take into account other standards and practices, which may be contained

within external or internal corporate standards, guides, procedures or codes of practice.

The FSA plan should define what is to be assessed for the particular assessment/

system/application area.
− The frequency of FSAs may vary across different system developments but as a minimum

should always take place before the potential hazards being presented to the system.

Some companies also like to conduct an assessment prior to the construction/installation

phase to prevent costly rework later in the lifecycle.

− FSA frequency and rigour should be defined taking into account system attributes such as:

• complexity;
• safety significance;
• previous experience of similar systems;
• standardization of design features.
− Sufficient evidence of design, installation, verification and validation activities should be
available prior to the assessment. The availability of sufficient evidence could itself be an
assessment criterion. The evidence should represent the current/approved state of system
design or installation.
− The independence of the assessor(s) must be appropriate.
− The assessor(s) should have experience and knowledge appropriate to the technology
and application area of the system being assessed.
− A systematic and consistent approach to FSA should be maintained throughout the
lifecycle and across systems. FSA is a subjective activity therefore detailed guidance,
possibly through the use of checklists, as to what is acceptable for an organisation should
be defined to remove as much subjectivity as possible.
Records generated from the FSA should be complete and the conclusions agreed with those
responsible for the management of functional safety for the SIS prior to commencement of the
next lifecycle phase.
5.2.6.1.2 The need for someone independent to the project team is to increase objectivity in
the assessment. The need for someone of senior stature (for example, experience, grade
level, position) is to ensure their concerns are duly noted and addressed. As the note also
suggests, on some large projects or assessment teams, it may be necessary to have more
than one senior person on this team that is independent to the original project team.
Depending upon the company organisation and expertise within the company, the requirement
for an independent assessor may have to be met by using an external organisation.
Conversely, companies that have internal organisations skilled in risk assessment and the
application of safety instrumented systems, which are independent to and separate (by ways
of management and other resources) from those responsible for the project, may be able to
use their own resources to meet the requirements for an independent organisation.
5.2.6.1.3 The amount of assessment depends on the size and complexity of a project. It may
be possible to assess the results of different phases at the same time. This is particularly true
in the case of small changes in a running plant.
5.2.6.1.4 In some countries, a functional safety assessment undertaken at stage 3 is often
referred to as the Pre-Startup-Safety-Review (PSSR).
5.2.6.1.5 No further guidance provided.
5.2.6.1.6 No further guidance provided.
5.2.6.1.7 The assessment team should have access to any information they deem necessary
for them to conduct the assessment. This should include information from the hazard and risk
assessment, design phase through installation, commissioning and validation.

– 12 – 61511-2  IEC:2003(E)
5.2.6.2 Auditing and revision
5.2.6.2.1 This subclause is intended to give guidance about auditing, using an example

illustrating relevant activities.

a) Audit categories
Safety instrumented system audits provide beneficial information to plant management,

instrument maintenance engineers and instrument design engineers. This enables

management to be proactive and aware of the degree of implementation and effectiveness

of their safety instrumented systems. Many types of audits, which can be carried out exist.

The actual type, scope, and frequency of the audit of any specific activity should reflect

the potential impact of the activity on the safety integrity.

Types of audit include:
1) audits, both independent and self-audit;
2) inspections;
3) safety visits (for example, plant walk about and incident review);
4) safety instrumented systems surveys (via questionnaires).
A distinction needs to be made between “surveillance and checking” and audit activities.
Surveillance and checking focuses on evaluating the performance of specific lifecycle
activities (for example, supervisor checking completion of maintenance activity prior to the
component being returned to service.) In contrast, audit activities are more comprehensive
and focus on overall implementation of safety instrumented systems concerning the safety
lifecycle. An audit would include determination as to whether the surveillance and
checking program is carried out.
Audits and inspections may be carried out by a company’s/site’s/plant’s/project’s own staff
(for example, self-audit) or by independent persons (for example, corporate auditors,
quality assurance department, regulators, customers or third parties).
Management at the various levels may want to apply the relevant type of audit to gain
information on the effectiveness of the implementation of their safety instrumented
systems. Information from audits could be used to identify the procedures that have not
been properly applied, leading to improved implementation.
b) Audit strategy
Site/plant/project implementing audit programmes might consider rolling, independent or
self-audit and inspection programmes.
Rolling programmes are updated regularly to reflect previous safety instrumented systems
performance and audit results, and current concerns and priorities. These cover all
site/plant/project related activities and aspects of the safety instrumented systems in an
appropriate time period and to an appropriate depth.
The primary reason for, and the added value from audits comes from acting on
the information they provide in a timely manner. The actions aim to strengthen the
effectiveness of safety instrumented systems, for example, to help minimize the risk of
employees or members of the public being injured or killed, contribute to improving safety
culture, contribute to prevent any avoidable release of substance into the environment.
In summary, the audit strategy may have a mix of audits types, driven by management
(the customer), and in order to feed back the relevant information up the management
chain for timely action.
c) Audit process and protocols
The overall aim is to achieve maximum value from the performance of the audit, which can
only be achieved when all parties (including auditors, contact nominee, plant managers
and head of departments, etc.) understand the need for and can influence each audit.
The following audit process and protocols might help to ensure some consistency in the
approach to achieving these aims. They bear on the following five key stages of the audit
process:
61511-2  IEC:2003(E) – 13 –
1) Audit strategy and programme

The purpose of each audit should be clearly defined and the audit groups identified,

together with the roles and responsibilities of each audit group.

There should be an auditing strategy.

There should be a programme of audits.

There should be regular reviews of the audit process, programme and strategy

implementation.
2) Audit preparation and pre-planning

Prior to commencement of an audit, the senior manager of the site/plant/project and/or

the appropriate audit coordinator should identify a contact nominee.
The auditors and contact nominee should at an early stage discuss, understand and
agree on:
– the scope of the audit;
– the timing of the audit;
– the people who need to be available;
– the basis for the audit or audit standard;
– putting the extra effort into the preparation stage and involving the plant personnel,
thereby increasing the chances of a successful audit.
The following should be used as a guide for time to be spent at each stage:
– audit preparation: 30 %
– conducting the audit: 40 %
– reporting of findings: 20 %
– audit follow-up: 10 %
The auditor should prepare for the audit by gathering information, procedures/
instructions etc., and data and preparing checklists when appropriate.
The auditor should highlight and explain how the possibility of a change to the scope of
the audit may occur during the audit, if serious observations/failings are discovered.
3) Conducting the audit
The auditor is to conduct the audit within groups of consecutive days during the
set audit period, taking due cognisance of possible disruption to site/plant/project
personnel.
The contact nominee should be periodically briefed during the audit of the findings
identified, thereby avoiding surprises at the end of the audit.

The auditor should try to involve plant personnel in the audit process in order to impart
learning and understanding (of the process and findings) to achieve ownership.
The style of the auditor is crucial to the success of the audit – he should try to be
helpful, constructive, courteous, focused and objective.
As a minimum the auditor should try to achieve the agreed scope and timetable -
variations will need to be negotiated.
4) Reporting the findings
The auditor should hold a closing meeting either at the end of the audit or later, but
before the final report is issued.
The appropriate management should be given the opportunity to comment on the draft
report and findings and discuss these at a formal close out meeting if desired.
It is normal practice to request a plan of action from the site/plant/project to address
the findings of the report.
– 14 – 61511-2  IEC:2003(E)
5) Audit follow-up
Audit reports normally require a response in the form of an action plan. The auditor

might verify satisfactory completion of the action at the due date or at the next audit,

whichever is appropriate.
Site/plant/project tracking systems may be used to check the implementation of action
plans.
A periodic review/summary of audit findings of each audit group should be considered

and its results widely communicated.

The findings/outcome from audits may be used to review the frequency of audits and

are input to the management review of safety instrumented systems.

5.2.6.2.2 This subclause reinforces the role that management of change plays in the auditing
process.
5.2.7 SIS configuration management
5.2.7.1 Requirements
5.2.7.1.1 To manage and maintain traceability of devices through the lifecycle, a mechanism
to identify, control and track the model/versions of each device may be established.
At the earliest possible stage of the safety lifecycle, a unique plant identification should be
given to each device. In some cases, earlier models/versions still in use may also be
maintained and controlled. This is the first step in the configuration management program
which should incorporate the following considerations.
The configuration management system may include:
a) the provision of a procedure for identification of all devices during all phases of the
lifecycle;
b) the unique identification, of the model/version and build status of each device including
software, including the supplier, date and where applicable, change from the model/
version originally specified;
c) the identification and tracking of all actions and changes resulting from fault observations
and audits;
d) control of the issue of a release into service, identifying the status and model/version of
the associated devices;
e) safeguards that have been established to assure that unauthorised alterations/
modifications are not made to the SIS while in operation;
f) the identification of the versions of each software item which together constitute a specific

version of a complete device;
g) the provision of co-ordination for the updating of multiple SIS in one or more plants;
h) documented authorisation of release into service;
i) an authorised list of signatures for device release into service;
j) the stage/phase devices are brought under configuration control;
k) control of the associated deliverable documentation;
l) identification of the each model/version of a device;
− functional specification;
− technical specification;
m) all departments/organizations involved in the management and maintenance of SIS are
identified and responsibilities assigned and understood.

61511-2  IEC:2003(E) – 15 –
6 Safety lifecycle requirements

6.1 Objectives
The functional safety achieved in any process facility is dependent on a number of activities

being carried out in a satisfactory manner. The purpose of adopting a systematic safety

lifecycle approach towards a safety instrumented system is to ensure that all the activities

necessa
...