SIST EN 61511-2:2007
Functional safety - Safety instrumented systems for the process industry sector -- Part 2: Guidelines for the application of IEC 61511-1
This standard provides guidance on the specification, design, installation, operation and maintenance of safety instrumented functions and the related safety instrumented systems as defined in EN 61511-1. It has been organized so that each clause and subclause number herein addresses the same clause number in EN 61511-1.
German title: Funktionale Sicherheit - Sicherheitstechnische Systeme für die Prozessindustrie -- Teil 2: Anleitungen zur Anwendung des Teils 1
French title: Sécurité fonctionnelle - Systèmes instrumentés de sécurité pour le secteur des industries de transformation -- Partie 2: Lignes directrices pour l'application de la CEI 61511-1
Slovenian title: Funkcijska varnost - Sistemi z varnostnimi instrumenti za sektor procesne industrije - 2. del: Smernice za uporabo IEC 61511-1 (IEC 61511-2:2003)
General Information
- Status: Withdrawn
- Publication Date: 31-Dec-2006
- Withdrawal Date: 13-Aug-2024
- Technical Committee: MOV - Measuring equipment for electromagnetic quantities
- Current Stage: 9900 - Withdrawal (Adopted Project)
- Start Date: 13-Aug-2024
- Due Date: 05-Sep-2024
- Completion Date: 14-Aug-2024
Relations
- Effective Date: 22-Apr-2014
Frequently Asked Questions
SIST EN 61511-2:2007 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Functional safety - Safety instrumented systems for the process industry sector -- Part 2: Guidelines for the application of IEC 61511-1". This standard provides guidance on the specification, design, installation, operation and maintenance of safety instrumented functions and the related safety instrumented systems as defined in EN 61511-1. It has been organized so that each clause and subclause number herein addresses the same clause number in EN 61511-1.
SIST EN 61511-2:2007 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN 61511-2:2007 has the following relationship with other standards: it has an inter-standard link to SIST EN 61511-2:2017. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase SIST EN 61511-2:2007 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.
Standards Content (Sample)
SLOVENIAN STANDARD SIST EN 61511-2:2007
January 2007
Funkcijska varnost - Sistemi z varnostnimi instrumenti za sektor procesne industrije - 2. del: Smernice za uporabo IEC 61511-1 (IEC 61511-2:2003)
Identical to EN 61511-2:2004
Functional safety - Safety instrumented systems for the process industry sector - Part 2: Guidelines for the application of IEC 61511-1 (IEC 61511-2:2003)
ICS 25.040.40; Reference number SIST EN 61511-2:2007 (en)
EUROPEAN STANDARD EN 61511-2
NORME EUROPÉENNE
EUROPÄISCHE NORM December 2004
ICS 25.040.01;13.110
English version
Functional safety –
Safety instrumented systems for the process industry sector
Part 2: Guidelines for the application of IEC 61511-1
(IEC 61511-2:2003)
Sécurité fonctionnelle – Systèmes instrumentés de sécurité pour le secteur des industries de transformation – Partie 2: Lignes directrices pour l'application de la CEI 61511-1 (CEI 61511-2:2003)
Funktionale Sicherheit – Sicherheitstechnische Systeme für die Prozessindustrie – Teil 2: Anleitungen zur Anwendung des Teils 1 (IEC 61511-2:2003)
This European Standard was approved by CENELEC on 2004-10-01. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden,
Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2004 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61511-2:2004 E
Foreword
The text of the International Standard IEC 61511-2:2003, prepared by SC 65A, System aspects, of
IEC TC 65, Industrial-process measurement and control, was submitted to the Unique Acceptance
Procedure and was approved by CENELEC as EN 61511-2 on 2004-10-01 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2005-10-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2007-10-01
__________
Endorsement notice
The text of the International Standard IEC 61511-2:2003 was approved by CENELEC as a European
Standard without any modification.
__________
NORME INTERNATIONALE CEI 61511-2
INTERNATIONAL STANDARD IEC 61511-2
Première édition / First edition
2003-07
Sécurité fonctionnelle –
Systèmes instrumentés de sécurité
pour le secteur des industries
de transformation –
Partie 2:
Lignes directrices pour l'application
de la CEI 61511-1
Functional safety –
Safety instrumented systems
for the process industry sector –
Part 2:
Guidelines for the application
of IEC 61511-1
© IEC 2004 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
PRICE CODE XC
International Electrotechnical Commission (Commission Electrotechnique Internationale; Международная Электротехническая Комиссия)
For price, see current catalogue
61511-2 © IEC:2004 – 3 –
CONTENTS
FOREWORD ... 7
INTRODUCTION ... 11
1 Scope ... 17
2 Normative references ... 17
3 Terms, definitions and abbreviations ... 17
4 Conformance to this International Standard ... 17
5 Management of functional safety ... 19
5.1 Objective ... 19
5.2 Requirements ... 19
6 Safety lifecycle requirements ... 33
6.1 Objective ... 33
6.2 Requirements ... 33
7 Verification ... 35
7.1 Objective ... 35
8 Process hazard and risk assessment ... 35
8.1 Objectives ... 35
8.2 Requirements ... 35
9 Allocation of safety functions to protection layers ... 41
9.1 Objective ... 41
9.2 Requirements of the allocation process ... 41
9.3 Additional requirements for safety integrity level 4 ... 47
9.4 Requirement on the basic process control system as a layer of protection ... 47
9.5 Requirements for preventing common cause, common mode and dependent failures ... 49
10 SIS safety requirements specification ... 51
10.1 Objective ... 51
10.2 General requirements ... 51
10.3 SIS safety requirements ... 51
11 SIS design and engineering ... 55
11.1 Objective ... 55
11.2 General requirements ... 55
11.3 Requirements for system behaviour on detection of a fault ... 65
11.4 Requirements for hardware fault tolerance ... 65
11.5 Requirements for selection of components and subsystems ... 67
11.6 Field devices ... 73
11.7 Interfaces ... 73
11.8 Maintenance or testing design requirements ... 79
11.9 SIF probability of failure ... 81
12 Requirements for application software, including selection criteria for utility software ... 85
12.1 Application software safety lifecycle requirements ... 85
12.2 Application software safety requirements specification ... 93
12.3 Application software safety validation planning ... 97
12.4 Application software design and development ... 97
12.5 Integration of the application software with the SIS subsystem ... 113
12.6 FPL and LVL software modification procedures ... 113
12.7 Application software verification ... 115
13 Factory acceptance testing (FAT) ... 117
13.1 Objectives ... 117
13.2 Recommendations ... 117
14 SIS installation and commissioning ... 119
14.1 Objectives ... 119
14.2 Requirements ... 119
15 SIS safety validation ... 119
15.1 Objective ... 119
15.2 Requirements ... 119
16 SIS operation and maintenance ... 121
16.1 Objectives ... 121
16.2 Requirements ... 121
16.3 Proof testing and inspection ... 121
17 SIS modification ... 125
17.1 Objective ... 125
17.2 Requirements ... 125
18 SIS decommissioning ... 125
18.1 Objectives ... 125
18.2 Requirements ... 125
19 Information and documentation requirements ... 127
19.1 Objectives ... 127
19.2 Requirements ... 127
Annex A (informative) Example of techniques for calculating the probability of failure on demand for a safety instrumented function ... 129
Annex B (informative) Typical SIS architecture development ... 131
Annex C (informative) Application features of a safety PLC ... 141
Annex D (informative) Example of SIS logic solver application software development methodology ... 145
Annex E (informative) Example of development of externally configured diagnostics for a safety-configured PE logic solver ... 155
Figure 1 – Overall framework of this standard ... 15
Figure 2 – BPCS function and initiating cause independence illustration ... 49
Figure 3 – Software development lifecycle (the V-model) ... 87
Figure C.1 – Logic solver ... 143
Figure E.1 – EWDT timing diagram ... 159
Table 1 – Typical Safety Manual organisation and contents ... 109
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 2: Guidelines for the application of IEC 61511-1
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and
non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61511-2 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
This bilingual version (2004-07) replaces the English version.
The text of this standard is based on the following documents:
FDIS: 65A/387A/FDIS
Report on voting: 65A/390/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.
The French version of this standard has not been voted upon.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
IEC 61511 series has been developed as a process sector implementation of IEC 61508
series.
IEC 61511 consists of the following parts, under the general title Functional safety – Safety
Instrumented Systems for the process industry sector (see Figure 1):
Part 1: Framework, definitions, system, hardware and software requirements
Part 2: Guidelines for the application of IEC 61511-1
Part 3: Guidance for the determination of the required safety integrity levels
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
Safety instrumented systems have been used for many years to perform safety instrumented
functions in the process industries. If instrumentation is to be effectively used for safety
instrumented functions, it is essential that this instrumentation achieves certain minimum
standards.
This International Standard addresses the application of safety instrumented systems for the
Process Industries. It also deals with the interface between safety instrumented systems and
other safety systems in requiring that a process hazard and risk assessment be carried out.
The safety instrumented system includes sensors, logic solvers and final elements.
This International Standard has two concepts, which are fundamental to its application; safety
lifecycle and safety integrity levels. The safety lifecycle forms the central framework which
links together most of the concepts in this International Standard.
The safety instrumented system logic solvers addressed include Electrical (E)/Electronic (E)/
and Programmable Electronic (PE) technology. Where other technologies are used for logic
solvers, the basic principles of this standard may also be applied. This standard also
addresses the safety instrumented system sensors and final elements regardless of the
technology used. This International Standard is process industry specific within the framework
of the IEC 61508 series.
This International Standard sets out an approach for safety lifecycle activities to achieve
these minimum standards. This approach has been adopted in order that a rational and
consistent technical policy is used. The objective of this standard is to provide guidance on
how to comply with IEC 61511-1.
To facilitate use of this standard, the clause and subclause numbers provided are identical to
the corresponding normative text in 61511-1 (excluding the annexes).
In most situations, safety is best achieved by an inherently safe process design whenever
practicable, combined, if necessary, with a number of protective systems which rely on
different technologies (for example, chemical, mechanical, hydraulic, pneumatic, electrical,
electronic, thermodynamic (for example, flame arrestors), programmable electronic) which
manage any residual identified risk. Any safety strategy considers each individual safety
instrumented system in the context of the other protective systems. To facilitate this
approach, this standard
– requires that a hazard and risk assessment is carried out to identify the overall safety
requirements;
– requires that an allocation of the safety requirements to the safety functions and related
safety systems, such as the safety instrumented system(s), is carried out;
– works within a framework which is applicable to all instrumented methods of achieving
functional safety;
– details the use of certain activities, such as safety management, which may be applicable
to all methods of achieving functional safety.
This International Standard on safety instrumented systems for the process industry:
– addresses relevant safety lifecycle stages from initial concept, through design,
implementation, operation and maintenance and decommissioning;
– enables existing or new country specific process industry standards to be harmonized with
this standard.
This standard is intended to lead to a high level of consistency (for example, of underlying
principles, terminology, information) within the process industries. This should have both
safety and economic benefits.
[Figure 1 (diagram not reproduced in this extract). The figure shows the Part 1 technical requirements as a sequence of lifecycle boxes: development of the overall safety requirements (concept, scope definition, hazard and risk assessment), Clause 8; allocation of the safety requirements to the safety instrumented functions and development of safety requirements specification, Clauses 9 and 10; design phase for safety instrumented systems, Clause 11, and design phase for safety instrumented system software, Clause 12; factory acceptance testing, installation and commissioning and safety validation of safety instrumented systems, Clauses 13, 14 and 15; operation and maintenance, modification and retrofit, decommissioning or disposal of safety instrumented systems, Clauses 16, 17 and 18. Alongside these are the Part 1 support parts: references (Clause 2), definitions and abbreviations (Clause 3), conformance (Clause 4), management of functional safety (Clause 5), safety lifecycle requirements (Clause 6), verification (Clause 7), information requirements (Clause 19) and differences (Annex A). Part 2 provides guidelines for the application of Part 1, and Part 3 provides guidance for the determination of the required safety integrity levels. IEC 1827/03]
Figure 1 – Overall framework of this standard
FUNCTIONAL SAFETY –
SAFETY INSTRUMENTED SYSTEMS
FOR THE PROCESS INDUSTRY SECTOR –
Part 2: Guidelines for the application of IEC 61511-1
1 Scope
IEC 61511-2 provides guidance on the specification, design, installation, operation and
maintenance of Safety Instrumented Functions and related safety instrumented system as
defined in IEC 61511-1. This standard has been organized so that each clause and subclause
number herein addresses the same clause number in IEC 61511-1 (with the exception of the
annexes).
2 Normative references
No further guidance provided.
3 Terms, definitions and abbreviations
No further guidance provided except for 3.2.68 and 3.2.71 of IEC 61511-1.
3.2.68 A safety function should prevent a specified hazardous event. For example, “prevent
the pressure in vessel #ABC456 exceeding 100 bar.” A safety function may be achieved by
a) a single safety instrumented system (SIS), or
b) one or more safety instrumented systems and/or other layers of protection.
In case b), each safety instrumented system or other layer of protection has to be capable of
achieving the safety function and the overall combination has to achieve the required risk
reduction (process safety target).
3.2.71 Safety instrumented functions are derived from the safety function, have an
associated safety integrity level (SIL) and are carried out by a specific safety instrumented
system (SIS). For example, “close valve #XY123 within 5 s when pressure in vessel #ABC456
reaches 100 bar”. Note that components of a safety instrumented system may be used by
more than one safety instrumented function.
4 Conformance to this International Standard
No further guidance provided.
5 Management of functional safety
5.1 Objective
The objective of Clause 5 of IEC 61511-1 is to provide requirements for implementing the
management activities that are necessary to ensure that the functional safety objectives
are met.
5.2 Requirements
5.2.1 General
5.2.1.1 No further guidance provided.
5.2.1.2 When an organization has responsibility for one or more activities necessary for
functional safety and that organization works according to quality assurance procedures, then
many of these activities described in this clause will already be carried out for the purposes of
quality. Where this is the case, it may be unnecessary to repeat these activities for the
purposes of functional safety. In such cases, the quality assurance procedures should be
reviewed to establish that they are suitable so that the objectives of functional safety will
be achieved.
5.2.2 Organization and resources
5.2.2.1 The organizational structure associated with safety instrumented systems within a
Company/Site/Plant/Project should be defined and the roles and responsibilities of each
element clearly understood and communicated. Within the structure, individual roles, including
their description and purpose should be identified. For each role, unambiguous
accountabilities should be identified; and specific responsibilities should be recognised. In
addition, whom the individual reports to and who makes the appointment should be identified.
The intent is to ensure that everyone in an organization understands their role and
responsibilities for safety instrumented systems.
5.2.2.2 The skills and knowledge required to implement any of the activities of the safety life
cycle relating to the safety instrumented systems should be identified; and for each skill, the
required competency levels should be defined. Resources should be assessed against each
skill for competency and also the number of people per skill required. When differences are
identified, development plans should be established to enable the required competency levels
to be achieved in a timely manner. When shortages of skills arise, suitably qualified and
experienced personnel may be recruited or contracted.
5.2.3 Risk evaluation and risk management
The requirement stated in 5.2.3 of IEC 61511 is that hazards are identified, risks evaluated
and the necessary risk reduction is determined. It is recognized that there are numerous
different methodologies available for conducting these evaluations. IEC 61511-1 does not
endorse any particular methodology. Instead, the reader is encouraged to review a number of
methodologies on this issue in IEC 61511-3. See 8.2.1 for further guidance.
5.2.4 Planning
The intent of this subclause is to ensure that, within the overall project, adequate safety
planning is conducted so that all of the required activities during each phase of the lifecycle
(for example, engineering design, plant operation) are addressed. The standard does not
require any particular structure for these planning activities, but it does require periodic
update or review of them.
5.2.5 Implementing and monitoring
5.2.5.1 The intent of this subclause is to ensure that effective management procedures are in
place to
– ensure that all recommendations resulting from hazard analysis, risk assessment, other
assessment and auditing activities, verification and validation activities are satisfactorily
resolved;
– determine that the SIS is performing in accordance with its safety requirements
specification throughout its operational lifetime.
5.2.5.2 Note that, in this context, suppliers could include design contractors and maintenance
contractors as well as suppliers of components.
5.2.5.3 A review of the SIS performance should be periodically undertaken to ensure the
original assumptions made during the development of the safety requirements specification
(SRS) are still adhered to. For example, a periodic review of the assumed failure rate of
different components in a SIS should be carried out to ensure that it remains as originally
defined. If the failure rates are worse than originally anticipated, a design modification may be
necessary. Likewise, the demand rate on the SIS should be reviewed. If the rate is more than
that which was originally assumed, then an adjustment in the SIL may be needed.
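The review described in 5.2.5.3 compares two operating-phase observations, the component failure rates and the demand rate, against the values assumed in the SRS. The following Python script is an added illustration of that check; it is not part of IEC 61511-2 and the numerical model it uses is an assumption: a single-channel (1oo1) low-demand SIF with the simplified PFDavg approximation lambda_DU x TI / 2, a LOPA-style hazardous event rate equal to demand rate x PFDavg, and the usual low-demand SIL bands. The SRS values, observed rates and tolerable event rate are constructed sample data, chosen so that both outcomes named in the text (a design modification and a SIL adjustment) are triggered.

```python
"""Periodic review of SRS assumptions against observed SIS performance.

Illustrative example added to this page; it is not code from IEC 61511-2.
The numerical model is a deliberate simplification and is assumed, not
taken from the standard:
  - the SIF is a single-channel (1oo1) low-demand function, so
    PFDavg ~= lambda_DU * TI / 2 (simplified IEC 61508-6 style formula);
  - hazardous event rate ~= demand rate * PFDavg (LOPA-style model).
All numeric inputs below are constructed sample data.
"""
from dataclasses import dataclass, field

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands per SIL, as [lower, upper)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_years: float) -> float:
    """Average probability of failure on demand for a 1oo1 channel (assumed simplified formula)."""
    return lambda_du_per_hour * proof_test_interval_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg value to the SIL band it falls in (0 = does not reach SIL 1)."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # below the SIL 4 lower bound; treated as SIL 4 for this check


@dataclass
class SrsAssumptions:
    """Values fixed in the safety requirements specification (constructed sample)."""
    lambda_du_per_hour: float          # assumed dangerous undetected failure rate
    demand_rate_per_year: float        # assumed demand rate on the SIF
    proof_test_interval_years: float   # assumed proof test interval
    target_sil: int
    tolerable_event_rate_per_year: float


@dataclass
class ObservedPerformance:
    """Values derived from operating and maintenance records (constructed sample)."""
    lambda_du_per_hour: float
    demand_rate_per_year: float


@dataclass
class ReviewResult:
    pfd_assumed: float
    pfd_observed: float
    achieved_sil: int
    event_rate_per_year: float
    design_modification_needed: bool
    sil_reassessment_needed: bool
    findings: list = field(default_factory=list)


def review_srs_assumptions(srs: SrsAssumptions, obs: ObservedPerformance) -> ReviewResult:
    """Compare observed failure and demand rates with the SRS assumptions (5.2.5.3 style review)."""
    pfd_assumed = pfd_avg_1oo1(srs.lambda_du_per_hour, srs.proof_test_interval_years)
    pfd_observed = pfd_avg_1oo1(obs.lambda_du_per_hour, srs.proof_test_interval_years)
    achieved_sil = sil_from_pfd(pfd_observed)
    event_rate = obs.demand_rate_per_year * pfd_observed

    findings = []
    if obs.lambda_du_per_hour > srs.lambda_du_per_hour:
        findings.append(f"dangerous undetected failure rate {obs.lambda_du_per_hour:.1e}/h "
                        f"exceeds SRS assumption {srs.lambda_du_per_hour:.1e}/h")
    design_mod = achieved_sil < srs.target_sil
    if design_mod:
        findings.append(f"achieved SIL {achieved_sil} (PFDavg {pfd_observed:.2e}) is below "
                        f"target SIL {srs.target_sil}: design modification may be necessary")
    if obs.demand_rate_per_year > srs.demand_rate_per_year:
        findings.append(f"demand rate {obs.demand_rate_per_year}/yr exceeds SRS assumption "
                        f"{srs.demand_rate_per_year}/yr")
    sil_reassess = event_rate > srs.tolerable_event_rate_per_year
    if sil_reassess:
        required_pfd = srs.tolerable_event_rate_per_year / obs.demand_rate_per_year
        findings.append(f"hazardous event rate {event_rate:.2e}/yr exceeds tolerable "
                        f"{srs.tolerable_event_rate_per_year:.1e}/yr: required PFDavg <= "
                        f"{required_pfd:.1e} (SIL {sil_from_pfd(required_pfd)}), "
                        f"SIL adjustment may be needed")
    return ReviewResult(pfd_assumed, pfd_observed, achieved_sil, event_rate,
                        design_mod, sil_reassess, findings)


if __name__ == "__main__":
    # Constructed sample: SRS assumed 5e-7/h, 0.1 demands/yr; records show 3e-6/h, 0.5 demands/yr
    srs = SrsAssumptions(5e-7, 0.1, 1.0, 2, 1e-3)
    obs = ObservedPerformance(3e-6, 0.5)
    for line in review_srs_assumptions(srs, obs).findings:
        print("-", line)
```

With the sample inputs the observed failure rate pushes PFDavg from about 2.2e-3 (SIL 2) to about 1.3e-2 (SIL 1), so a design modification is flagged, and the higher demand rate raises the modelled event rate above the tolerable value, so a tighter PFDavg target (and possibly a SIL change) is flagged. The two flags are deliberately kept separate because, as the text notes, a worse failure rate and a higher demand rate lead to different corrective actions.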
5.2.6 Assessment, auditing and revision
Assessments and audits are tools targeted at the detection and elimination of errors. The
paragraphs below make clear the distinction between these activities.
Functional safety assessment aims to evaluate whether provisions made during the assessed
lifecycle phases are adequate for the achievement of safety. Judgements are made by
assessors on the decisions taken by those responsible for the realisation of functional safety.
An assessment would for example be made prior to commissioning as to whether procedures
for maintenance are adequate.
Functional safety auditors will determine from project or plant records whether the necessary
procedures have been applied at the specified frequency by persons with the necessary
competence. Auditors are not required to make judgements on the adequacy of the work they
are considering. However, if they become aware that there would be benefits in making
changes, an observation should be included in the report.
It should be noted that in many cases there can be an overlap between the work of the
assessor and the auditor. For example an auditor may need to determine not only whether an
operator has been given the necessary training but in addition make judgements as to
whether the training has resulted in the required competency.
5.2.6.1 Functional safety assessment
5.2.6.1.1 The use of Functional Safety Assessment (FSA) is fundamental in demonstrating
that a Safety Instrumented System (SIS) fulfils its requirements regarding safety instrumented
function(s) and Safety Integrity Level (SIL). The basic objective of this assessment is to
demonstrate compliance with agreed standards and practices through independent
assessment of the system's development process. An assessment of a SIS may be needed at
different lifecycle stages. In order to conduct an effective assessment, a procedure should be
developed that defines the scope of this assessment along with some guidance on the
makeup of the assessment team.
The following attributes are considered good practice for Functional Safety Assessment:
– A plan should be generated for each FSA identifying such arrangements as the scope of
the assessment, the assessors, the competencies of the assessors and the information to
be generated by the assessment.
– The FSA should take into account other standards and practices, which may be contained
within external or internal corporate standards, guides, procedures or codes of practice.
The FSA plan should define what is to be assessed for the particular assessment/
system/application area.
– The frequency of FSAs may vary across different system developments, but as a minimum
an FSA should always take place before potential hazards are presented to the system.
Some companies also like to conduct an assessment prior to the construction/installation
phase to prevent costly rework later in the lifecycle.
– FSA frequency and rigour should be defined taking into account system attributes such as:
• complexity;
• safety significance;
• previous experience of similar systems;
• standardization of design features.
– Sufficient evidence of design, installation, verification and validation activities should be
available prior to the assessment. The availability of sufficient evidence could itself be an
assessment criterion. The evidence should represent the current/approved state of system
design or installation.
– The independence of the assessor(s) must be appropriate.
– The assessor(s) should have experience and knowledge appropriate to the technology
and application area of the system being assessed.
– A systematic and consistent approach to FSA should be maintained throughout the
lifecycle and across systems. FSA is a subjective activity; therefore detailed guidance,
possibly through the use of checklists, as to what is acceptable for an organisation should
be defined to remove as much subjectivity as possible.
Records generated from the FSA should be complete and the conclusions agreed with those
responsible for the management of functional safety for the SIS prior to commencement of the
next lifecycle phase.
5.2.6.1.2 The need for someone independent of the project team is to increase objectivity in
the assessment. The need for someone of senior stature (for example, experience, grade
level, position) is to ensure their concerns are duly noted and addressed. As the note also
suggests, on some large projects or assessment teams, it may be necessary to have more
than one senior person on the team who is independent of the original project team.
Depending upon the company organisation and expertise within the company, the requirement
for an independent assessor may have to be met by using an external organisation.
Conversely, companies that have internal organisations skilled in risk assessment and the
application of safety instrumented systems, which are independent of and separate (by way
of management and other resources) from those responsible for the project, may be able to
use their own resources to meet the requirements for an independent organisation.
5.2.6.1.3 The amount of assessment depends on the size and complexity of a project. It may
be possible to assess the results of different phases at the same time. This is particularly true
in the case of small changes in a running plant.
5.2.6.1.4 In some countries, a functional safety assessment undertaken at stage 3 is often
referred to as the Pre-Startup-Safety-Review (PSSR).
5.2.6.1.5 No further guidance provided.
5.2.6.1.6 No further guidance provided.
5.2.6.1.7 The assessment team should have access to any information they deem necessary
for them to conduct the assessment. This should include information from the hazard and risk
assessment, design phase through installation, commissioning and validation.
5.2.6.2 Auditing and revision
5.2.6.2.1 This subclause is intended to give guidance about auditing, using an example
illustrating relevant activities.
a) Audit categories
Safety instrumented system audits provide beneficial information to plant management,
instrument maintenance engineers and instrument design engineers. This enables
management to be proactive and aware of the degree of implementation and effectiveness
of their safety instrumented systems. Many types of audits can be carried out.
The actual type, scope, and frequency of the audit of any specific activity should reflect
the potential impact of the activity on the safety integrity.
Types of audit include:
1) audits, both independent and self-audit;
2) inspections;
3) safety visits (for example, plant walk about and incident review);
4) safety instrumented systems surveys (via questionnaires).
A distinction needs to be made between “surveillance and checking” and audit activities.
Surveillance and checking focuses on evaluating the performance of specific lifecycle
activities (for example, supervisor checking completion of maintenance activity prior to the
component being returned to service.) In contrast, audit activities are more comprehensive
and focus on overall implementation of safety instrumented systems concerning the safety
lifecycle. An audit would include determination as to whether the surveillance and
checking program is carried out.
Audits and inspections may be carried out by a company’s/site’s/plant’s/project’s own staff
(for example, self-audit) or by independent persons (for example, corporate auditors,
quality assurance department, regulators, customers or third parties).
Management at the various levels may want to apply the relevant type of audit to gain
information on the effectiveness of the implementation of their safety instrumented
systems. Information from audits could be used to identify the procedures that have not
been properly applied, leading to improved implementation.
b) Audit strategy
Site/plant/project implementing audit programmes might consider rolling, independent or
self-audit and inspection programmes.
Rolling programmes are updated regularly to reflect previous safety instrumented systems
performance and audit results, and current concerns and priorities. These cover all
site/plant/project related activities and aspects of the safety instrumented systems in an
appropriate time period and to an appropriate depth.
The primary reason for, and the added value from, audits comes from acting on
the information they provide in a timely manner. The actions aim to strengthen the
effectiveness of safety instrumented systems, for example, to help minimize the risk of
employees or members of the public being injured or killed, to contribute to improving safety
culture, and to contribute to preventing any avoidable release of substance into the environment.
In summary, the audit strategy may have a mix of audit types, driven by management
(the customer), in order to feed back the relevant information up the management
chain for timely action.
c) Audit process and protocols
The overall aim is to achieve maximum value from the performance of the audit, which can
only be achieved when all parties (including auditors, contact nominee, plant managers
and head of departments, etc.) understand the need for and can influence each audit.
The following audit process and protocols might help to ensure some consistency in the
approach to achieving these aims. They bear on the following five key stages of the audit
process:
1) Audit strategy and programme
The purpose of each audit should be clearly defined and the audit groups identified,
together with the roles and responsibilities of each audit group.
There should be an auditing strategy.
There should be a programme of audits.
There should be regular reviews of the audit process, programme and strategy
implementation.
2) Audit preparation and pre-planning
Prior to commencement of an audit, the senior manager of the site/plant/project and/or
the appropriate audit coordinator should identify a contact nominee.
The auditors and contact nominee should at an early stage discuss, understand and
agree on:
– the scope of the audit;
– the timing of the audit;
– the people who need to be available;
– the basis for the audit or audit standard;
– putting the extra effort into the preparation stage and involving the plant personnel,
thereby increasing the chances of a successful audit.
The following should be used as a guide for time to be spent at each stage:
– audit preparation: 30 %
– conducting the audit: 40 %
– reporting of findings: 20 %
– audit follow-up: 10 %
The auditor should prepare for the audit by gathering information, procedures/
instructions etc., and data and preparing checklists when appropriate.
The auditor should highlight and explain how the possibility of a change to the scope of
the audit may occur during the audit, if serious observations/failings are discovered.
3) Conducting the audit
The auditor is to conduct the audit within groups of consecutive days during the
set audit period, taking due cognisance of possible disruption to site/plant/project
personnel.
The contact nominee should be periodically briefed during the audit of the findings
identified, thereby avoiding surprises at the end of the audit.
The auditor should try to involve plant personnel in the audit process in order to impart
learning and understanding (of the process and findings) to achieve ownership.
The style of the auditor is crucial to the success of the audit – he should try to be
helpful, constructive, courteous, focused and objective.
As a minimum the auditor should try to achieve the agreed scope and timetable -
variations will need to be negotiated.
4) Reporting the findings
The auditor should hold a closing meeting either at the end of the audit or later, but
before the final report is issued.
The appropriate management should be given the opportunity to comment on the draft
report and findings and discuss these at a formal close out meeting if desired.
It is normal practice to request a plan of action from the site/plant/project to address
the findings of the report.
5) Audit follow-up
Audit reports normally require a response in the form of an action plan. The auditor
might verify satisfactory completion of the action at the due date or at the next audit,
whichever is appropriate.
Site/plant/project tracking systems may be used to check the implementation of action
plans.
A periodic review/summary of audit findings of each audit group should be considered
and its results widely communicated.
The findings/outcome from audits may be used to review the frequency of audits and
are input to the management review of safety instrumented systems.
5.2.6.2.2 This subclause reinforces the role that management of change plays in the auditing
process.
5.2.7 SIS configuration management
5.2.7.1 Requirements
5.2.7.1.1 To manage and maintain traceability of devices through the lifecycle, a mechanism
to identify, control and track the model/versions of each device may be established.
At the earliest possible stage of the safety lifecycle, a unique plant identification shoul
...
The SIST EN 61511-2:2007 standard is a pivotal document that provides comprehensive guidance on the specification, design, installation, operation, and maintenance of Safety Instrumented Functions (SIFs) and related safety instrumented systems (SIS) in the process industry sector. The standard is aligned with IEC 61511-1, ensuring a cohesive framework for functional safety. One of the key strengths of SIST EN 61511-2:2007 is its structured approach, where each clause and subclause is meticulously organized to correspond with the same numbering in EN 61511-1. This alignment facilitates ease of reference and understanding, making it accessible for professionals working in safety instrumented systems. Furthermore, the relevance of this standard is underscored by its focus on providing detailed guidance that not only aids in compliance with regulatory requirements but also enhances safety practices within the industry. By addressing critical areas such as specification and design of SIFs, as well as operational and maintenance strategies, it empowers organizations to implement robust safety measures. The document also emphasizes the importance of a systematic lifecycle approach, promoting the continuous assessment of safety instrumented systems. This aspect is vital in ensuring that safety functions remain effective throughout their operational life, which is particularly crucial in the high-stakes environments of the process industry. In summary, SIST EN 61511-2:2007 is a vital resource that offers extensive guidelines tailored for professionals involved in the lifecycle management of safety instrumented systems, enhancing overall functional safety in the process industry sector. Its structured organization relative to EN 61511-1 further solidifies its applicability and utility in achieving a high standard of safety performance.