
Page 1: Sauf SIL Paper 4-99 (Public)

IEC 61508 - Assessing the Hazard and Risk

Simon DeanSauf Consulting Ltd

April 1999

1. Introduction

Despite the fact that IEC 61508 (Ref. 1) was only issued (in part) on 1st January 1999, process industries have already implemented the draft standard on a number of projects. In addition, some operating companies and contractors have developed internal procedures and standards with the objective of enabling consistent application and integration of IEC 61508 within the overall safety assessment process.

This enthusiasm stems from the perceived benefits of adopting the new standard to provide a consistent justification of the level of integrity needed for different instrument functions. In addition, many industries recognise the long term benefits that can be achieved through the application of IEC 61508 throughout the supply chain.

However, there has not been widespread success in adopting IEC 61508 across all projects. The reasons for this stem from the perception of what the standard is, how it can be implemented consistently and what the results of a functional safety assessment mean.

Before going any further, it is important that certain terms used within IEC 61508 are clearly understood.

The term 'Safety Integrity' is defined as 'the likelihood of a safety related system (SRS) satisfactorily performing the required safety functions under the stated conditions, within a stated period of time.'

The term 'Safety Integrity Level (SIL)' is defined as 'one of four possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety related system (SRS).'

The term 'Functional Safety' is defined as 'the ability of a safety related system (SRS) to carry out the actions necessary to achieve or maintain a safe state for the equipment under control (EUC).'

The term 'Functional Safety Assessment (FSA)' is defined as 'the undertaking of an investigation in order to arrive at a judgement, based on evidence, of the functional safety achieved by one or more safety related system (SRS) and/or external risk reduction facilities.'

This paper explains the hazard and risk assessment process that needs to be followed within a Functional Safety Assessment (FSA) with reference to systems typical of the process industry. This paper also attempts to highlight some of the pitfalls of carrying out a FSA and how the application of IEC 61508 can be integrated into projects to achieve maximum benefit.

© Sauf Consulting Ltd, 1999 Page 1 of 13 www.sauf.co.uk


2. The Risk Assessment Framework

Before attempting to carry out a FSA through the implementation of IEC 61508 on a project, it is essential that the general principles of risk assessment be understood. To make effective decisions, those involved in assessment need to know what potential threat the failure of the equipment under control poses and how great is the likelihood that people will be harmed. Gathering and analysing this information is referred to as risk assessment.

Note that risk assessment can also be used to determine the potential threat to assets and/or the environment, as well as risks to personnel. The principles of IEC 61508 can be used in the risk assessment for all these issues, provided appropriate tolerable risk criteria are used. However, IEC 61508 is principally a standard applicable to the safety of personnel.

It must be recognised that IEC 61508 is a risk based standard and that in order to apply the standard, some criteria which define the tolerability of risks must be established for the project. As a minimum, this measure for the tolerability of risk must state what is deemed reasonable with respect to both the frequency (or probability) of the hazardous event and its specific consequences.

For many projects worldwide, the objective of meeting some pre-defined risk acceptance criteria is fundamental through the design decision process. For UK based offshore oil and gas projects, this is carried out through the demonstration of ALARP under the framework of the Safety Case Regulations (Ref. 2). For UK based onshore projects this is carried out through the demonstration of ALARP under the framework of the COMAH Regulations (Ref. 3). In other parts of the world, similar goal setting regimes are in place whereas some nations still rely on prescriptive legislation.

Through the FSA process, the objective is to ensure that the safety-related systems are designed to reduce the likelihood and/or consequences of the hazardous event to meet the tolerable risk criteria. To achieve this objective, the process that is followed within the FSA can be summarised by three key stages, as follows.

1. Establish the tolerable risk criteria.

2. Assess the risks associated with the equipment under control.

3. Determine necessary risk reduction needed to meet the risk acceptance criteria.

These three key stages in the FSA process are described in more detail in the succeeding sections.

3. Tolerable Risk Criteria

A number of different ways can be used to express the tolerability of risks, which varies between operators and the cultural and regulatory environment of the project's location. In general, these criteria can be qualitative or quantitative although there is often some overlap in the way the criteria are expressed.

Qualitative criteria use words such as probable, frequent, unlikely, remote, etc. to describe the likelihood of an event and words such as minor, major, catastrophic, etc. to describe the consequences of the event. However, in order to ensure that these criteria are applied consistently, it is often necessary to introduce quantitative numbers to provide a clear definition of how the words should be interpreted. For example, unlikely may be defined as ‘once every 10 to 100 years’, or ‘may happen once in over the life of 10 similar facilities’.


Quantitative criteria on the other hand use numbers to describe the likelihood and severity of the event. This can include criteria such as ‘an event having a frequency of less than 10^-3 per year’, or ‘the potential loss of life (PLL) associated with an event having a likelihood of less than 10^-4 per year’, etc. However, there is a certain amount of uncertainty associated with the numerical prediction of the likelihood or consequences of an event. For example, two different techniques may yield slightly different results for the likelihood of an event, say 1.05 x 10^-3 and 0.95 x 10^-3. If the tolerable risk criterion is 1.0 x 10^-3, some qualitative interpretation will be necessary to decide if the event is in the tolerable region or not.

Whether qualitative or quantitative tolerable risk criteria are used, the important issue to appreciate is that there is always some blurring between them. The (qualitative) words invariably need some numbers to make sure they are interpreted consistently and the (quantitative) numbers need some words to make sure they are applied consistently. As far as IEC 61508 is concerned, it is immaterial if qualitative or quantitative criteria are used since the standard can be applied equally using either approach.

By way of example, some typical techniques for expressing the tolerability of risks including two matrices and a risk band diagram are shown in Figures 1 to 3 respectively.
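The following Python example is added here and is not part of the original paper. It shows the "words need numbers, numbers need words" point of this section in working form: a risk classification matrix in the style of Figure 1, with the qualitative frequency words tied to assumed numerical bands, and a check that flags the case the paper describes, where two estimates (1.05 x 10^-3 and 0.95 x 10^-3) straddle a band edge and the numbers alone cannot decide. The frequency calibration and the matrix population are illustrative assumptions, not a specification, as the paper itself says of such tables.

```python
from dataclasses import dataclass

# Risk classes in the style of the Figure 1 matrix (1 = intolerable ... 4 = negligible).
RISK_CLASS_MEANING = {
    1: "Intolerable risk",
    2: "Undesirable risk: tolerable only if risk reduction is impracticable "
       "or its cost is grossly disproportionate to the improvement gained",
    3: "Tolerable risk if the cost of risk reduction would exceed the "
       "improvement gained",
    4: "Negligible risk",
}

# Assumed calibration of the frequency words (events per year, lower bound
# inclusive, highest band first). Illustrative only: the paper says these
# numbers must be agreed for each project.
FREQUENCY_BANDS = [
    (1e-1, "Frequent"),
    (1e-2, "Probable"),
    (1e-3, "Occasional"),
    (1e-4, "Remote"),
    (1e-5, "Improbable"),
    (0.0,  "Incredible"),
]

CONSEQUENCES = ["Catastrophic", "Critical", "Marginal", "Negligible"]

# Example population of the matrix (rows: frequency word; columns in the
# order of CONSEQUENCES). Assumed here for illustration, not a specification.
RISK_MATRIX = {
    "Frequent":   [1, 1, 1, 2],
    "Probable":   [1, 1, 2, 3],
    "Occasional": [1, 2, 3, 3],
    "Remote":     [2, 3, 3, 4],
    "Improbable": [3, 3, 4, 4],
    "Incredible": [4, 4, 4, 4],
}


def frequency_word(freq_per_year: float) -> str:
    """Translate a numerical frequency into the calibrated qualitative word."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for lower_bound, word in FREQUENCY_BANDS:
        if freq_per_year >= lower_bound:
            return word
    return "Incredible"  # not reached: the last band starts at 0.0


def risk_class(freq_per_year: float, consequence: str) -> int:
    """Look up the risk class for one frequency estimate and one consequence."""
    row = RISK_MATRIX[frequency_word(freq_per_year)]
    return row[CONSEQUENCES.index(consequence)]


@dataclass(frozen=True)
class Assessment:
    risk_class: int        # class of the most pessimistic estimate
    frequency_word: str    # band of the most pessimistic estimate
    borderline: bool       # estimates straddle a band edge: numbers alone cannot decide


def assess(freq_estimates, consequence: str) -> Assessment:
    """Classify an event from one or more frequency estimates.

    If the estimates fall in different bands, the conservative (highest
    frequency) class is reported and the result is flagged so that the
    review team applies the qualitative interpretation the paper calls for.
    """
    if not freq_estimates:
        raise ValueError("at least one frequency estimate is required")
    words = {frequency_word(f) for f in freq_estimates}
    worst = max(freq_estimates)
    return Assessment(
        risk_class=risk_class(worst, consequence),
        frequency_word=frequency_word(worst),
        borderline=len(words) > 1,
    )


if __name__ == "__main__":
    # Constructed input: the paper's two estimates, taken against a Critical consequence.
    result = assess([1.05e-3, 0.95e-3], "Critical")
    print(result, RISK_CLASS_MEANING[result.risk_class])
```

The conservative choice of the highest estimate is a design decision of this example; a project may instead record both classes and let the review team decide, which is exactly the qualitative judgement the paper says cannot be avoided at the band edges.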

4. Assessing the Risk

The term risk assessment conjures up different meanings for many people when in fact the principles are quite simple. Risk assessment can be defined as determining the potential harm a situation poses and how great is the likelihood that people, the asset or the environment will be harmed.

As part of the hazard identification process, formal techniques such as HAZID and HAZOP should be used to identify the hazards associated with a particular process system. In order to reduce the likelihood and/or control the consequences of these hazards, it is appropriate in some circumstances to use E/E/PE control systems, which must then be subject to the FSA process. Note that the FSA does not identify hazards; this is best carried out using formal techniques such as HAZID and HAZOP.

When applying IEC 61508, the risk assessment can be summarised as asking the question, 'how likely is the equipment under control to fail and if it does fail, what is the outcome?' To answer this question information must be available on the likelihood and consequences of the hazardous events that the equipment under control mitigates against. However, in order to determine this information for typical process plant applications, the boundary of the system in terms of cause and effect must be defined, as will become evident in the following discussion.

The likelihood or frequency of an event relating to the equipment under control can arise from either intrinsic or extrinsic causes. Intrinsic causes are events such as component failures, software failures, or human error within the equipment under control. Extrinsic causes generally apply to protective systems that only need to function when some other failure within the process plant occurs; for example, protection against over pressurisation that can only occur as a result of other failures somewhere within the process plant. Therefore, the boundary as far as the likelihood of an event is concerned must consider both the intrinsic failure rate and the extrinsic demand rate of the equipment under control.


The consequences or severity of an event relating to equipment under control can range from the direct effects of the incident to all subsequent events along the escalation path. Although it is relatively easy to assess the immediate effects of an incident, the knock-on effects further down the escalation path are more difficult to determine unless techniques such as event tree analysis are used. This introduces a dilemma, since the true consequences of an event can only be determined if the escalation path is assessed through to its end conclusions, although the escalation path itself may contain other separate functions which are themselves subject to the FSA process. In order to aid clarity, it is best to illustrate this statement by use of an example.

Consider an instrument based protection system within a process system used to prevent over pressurisation. The immediate consequences should the equipment under control fail could be a rupture of the pipework and a significant hydrocarbon release. Apart from the immediate fatalities in the vicinity of the leak, the effects of this event with respect to personnel fatalities will depend on the success (or failure) of a number of further systems in the escalation path. This release may or may not be detected; the isolation and blowdown system may or may not work; the release may or may not ignite; the fire may or may not cause further loss of containment and escalation; the firewater system may or may not work; the temporary refuge may or may not protect the personnel; the lifeboats may or may not be launched successfully.

As can be seen from this example, the boundary applied for the consequences of an incident plays an important role in the complexity of the analysis and the determination of the safety integrity level. Also, in order to accurately determine the precise likelihood that people will be harmed, the boundary of the analysis has to extend to the end of the event tree. However, if the boundary is extended to cover every potential path within the event tree, the analysis will include systems not directly affected by the equipment under control and which themselves may be subject to FSA.

Another important issue to appreciate using this example is that in the FSA process, overall safety performance could be improved by achieving a high availability for any element in the escalation path, such as gas detection; isolation and blowdown; protection against ignition; prevention of escalation to adjacent plant; the firewater system; the temporary refuge; the lifeboats. However, such an approach would miss the point that FSA is for the equipment that is providing the protective function, which in this case is to prevent over pressurisation.

In order to resolve this issue and ensure that IEC 61508 is applied logically, the approach being developed within ISO 10418 (Ref. 4) is to define the boundary of a FSA for a given protective function to the immediate consequences of an event rather than introduce the full escalation path. Therefore, using the example of the loss of containment through over pressurisation, the boundary of the system would be the detection mechanism and isolation devices, which would isolate the downstream systems from the potential over pressurisation.

This concept of the FSA boundary for the equipment under control that provides a protective function is illustrated in Figure 4.

In typical over pressure protection schemes, it is customary to design detection and isolation using independent primary, secondary and sometimes tertiary systems. It is important that the FSA considers all such systems together when determining if further risk reduction is necessary. If such primary and secondary systems are assessed separately, the results of the analysis will give a perceived need for further major risk reduction, which is unlikely to be the case.

For example, the primary means of over pressure protection may be by a high pressure trip initiating closure of an isolation valve with secondary protection provided by a pressure relief valve. Further risk reduction is unlikely to be necessary for this configuration since a pressure relief valve provides high reliability protection against over pressurisation. However, an alternative design may utilise a high integrity over pressure detection and isolation system in place of the pressure relief valve, in which case further risk reduction may be appropriate.

5. Determining the Necessary Risk Reduction

Having established the tolerable risk criteria and gathered the information needed to assess the risks, the next step is to determine if any further risk reduction is necessary. IEC 61508 Part 5 provides a number of techniques to determine the necessary risk reduction, in particular, Annexes D and E, the risk graph and the hazardous event severity matrix methods respectively.

However, before discussing these two techniques, the concept of 'necessary risk reduction' must be clearly understood. The principle of IEC 61508 is that the equipment under control that is being assessed may be perfectly adequate, in which case, no further risk reduction is necessary. On the other hand, the FSA may determine that further risk reduction is necessary in which case, the design of the protective function must meet a given availability rating in order to achieve the necessary risk reduction.

Note that IEC 61508 does not specifically set out to determine the appropriate SIL rating for a given protective function although such an approach may be beneficial in design development of control systems for complex process plant.

The basic principles of the risk graph and the hazardous event severity matrix methods are to assess the risk of the equipment under control. Referring back to Figures 1 to 3, if the risk associated with the equipment under control is not within the tolerable (or negligible) regions, further risk reduction is necessary to bring the risks down to a level that is in the tolerable region. The SIL rating gives a measure of the magnitude of risk reduction necessary to achieve a tolerable level.

Therefore, it is important to recognise that the example methods given in Annexes D and E cannot be used directly without calibration against the criteria for tolerability of risk for the particular project under consideration.
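The following Python example is added here and is not part of the original paper. It works through the concept of 'necessary risk reduction' from Sections 4 and 5 in quantitative form: the hazardous event frequency without protection (intrinsic failures plus extrinsic demands), a tolerable frequency taken from the project's criteria, and any independent layer already credited (the paper's pressure relief valve case) are combined to give the risk reduction factor still required; that factor is then expressed as a target PFD and placed in a SIL band. The SIL bands are the low demand mode PFD ranges of IEC 61508-1; the sample demand rates, tolerable frequencies and relief valve PFD are constructed values, and layers are assumed to be independent.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Low demand mode average probability of failure on demand (PFD_avg) per SIL,
# from IEC 61508-1 (lower bound inclusive, upper bound exclusive).
SIL_PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


@dataclass(frozen=True)
class RiskReduction:
    residual_freq: float          # event frequency per year with credited layers applied
    rrf: float                    # risk reduction factor still required (residual / tolerable)
    further_reduction: bool       # False when the residual risk already meets the criterion
    target_pfd: Optional[float]   # PFD_avg the new function must achieve, if any
    sil: Optional[int]            # 0 = below SIL 1; None = beyond SIL 4 for one function


def sil_for_pfd(target_pfd: float) -> Optional[int]:
    """Map a required PFD_avg to the SIL band that contains it."""
    if target_pfd >= 1e-1:
        return 0          # less than SIL 1: no SIL-rated E/E/PE function is needed
    for sil, lower, upper in SIL_PFD_BANDS:
        if lower <= target_pfd < upper:
            return sil
    return None           # below 1e-5: one E/E/PE function alone cannot deliver this


def necessary_risk_reduction(
    demand_rate: float,
    tolerable_freq: float,
    credited_layer_pfds: Sequence[float] = (),
) -> RiskReduction:
    """Determine the risk reduction still needed for one protective function.

    demand_rate: frequency (per year) of the hazardous event with NO
        safety-related systems in place, i.e. intrinsic failure rate plus
        extrinsic demand rate (the W parameter of the risk graph).
    tolerable_freq: tolerable frequency (per year) for this consequence,
        taken from the project's tolerable risk criteria.
    credited_layer_pfds: PFD_avg of independent layers that already protect
        against the same hazard (e.g. a relief valve), assessed together with
        the function under study rather than in isolation.
    """
    if demand_rate < 0 or tolerable_freq <= 0:
        raise ValueError("demand_rate must be >= 0 and tolerable_freq > 0")
    residual = demand_rate
    for pfd in credited_layer_pfds:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError("PFD must lie in [0, 1]")
        residual *= pfd   # independence assumed between layers
    rrf = residual / tolerable_freq
    if rrf <= 1.0:
        # The equipment under control already meets the criterion.
        return RiskReduction(residual, rrf, False, None, 0)
    target_pfd = 1.0 / rrf
    return RiskReduction(residual, rrf, True, target_pfd, sil_for_pfd(target_pfd))


if __name__ == "__main__":
    # Constructed case: demand once every two years, tolerable 1e-4 per year
    # for this consequence, with a relief valve (assumed PFD 1e-2) credited.
    print(necessary_risk_reduction(0.5, 1e-4, credited_layer_pfds=[1e-2]))
```

Running the constructed case with and without the relief valve credited shows the paper's point about assessing primary and secondary protection together: the same demand and criterion call for a SIL 3 function on its own but only a SIL 1 function once the relief valve is taken into account.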

6. The Risk Graph Method

The Risk Graph method shown in Annex D of IEC 61508 Part 5 is a qualitative method that enables the safety integrity level of a safety-related system to be determined from a knowledge of the risk factors associated with the equipment under control and the associated control system. It is applicable to most protective functions except those using multiple independent protective systems (i.e. primary, secondary, tertiary, etc.).

The principles of the risk graph method have been adopted in the UKOOA document, Instrument-Based Protective Systems (Ref. 5) and other standards published by offshore operators. This method can be considered as a decision tree approach in which the review team considers four issues in turn to arrive at the required SIL rating, as follows.

Consequence risk parameter

Frequency and exposure time risk parameter

Possibility of failing to avoid hazard risk parameter

Probability of the unwanted occurrence parameter


In order to ensure that this approach is applied consistently, it is essential that these four terms are clearly and unambiguously understood by all participants of the review. Although Annex D includes an illustrative example for the risk graph method, as shown in Figure 5, the consequence and frequency bands must be calibrated against the tolerable risk criteria in use. In some cases, this will involve introducing additional consequence and frequency bands, as shown in Figure 6. In addition, the calibration should consider some example cases to ensure that the resulting SIL rating will bring the risk down to within the tolerable region of the criteria in use.

An example of applying the resulting numerical criteria to the definition of the four parameters from such a calibration exercise is shown in Figure 7.
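The following Python example is added here and is not part of the original paper. It encodes the numerical calibration of the four risk graph parameters given in Figure 7 (C from expected deaths, F from manhours per day in the hazard zone, P from the possibility of avoidance, W from the frequency of the unwanted occurrence without any safety-related system) and then walks a risk graph held as data, so that a project's own calibrated graph can be substituted. The path map and output table named PLACEHOLDER_RISK_GRAPH are assumptions for illustration only; they are neither the paper's Figures 5 and 6 nor the IEC 61508 Annex D graph, and the hazard inputs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class HazardInput:
    expected_deaths: float            # expected fatalities per hazardous event
    exposure_manhours_per_day: float  # mean personnel exposure in the hazard zone
    avoidable: bool                   # generally possible to avoid danger once it develops?
    unprotected_freq_per_year: float  # frequency WITHOUT any safety-related system (W)


def consequence_class(expected_deaths: float) -> str:
    """Figure 7: C1 no deaths; C2 <= 0.1 deaths; C3 <= 1 death; C4 > 1 death."""
    if expected_deaths < 0:
        raise ValueError("expected deaths must be non-negative")
    if expected_deaths == 0:
        return "C1"
    if expected_deaths <= 0.1:
        return "C2"
    if expected_deaths <= 1:
        return "C3"
    return "C4"


def exposure_class(manhours_per_day: float) -> str:
    """Figure 7: F1 <= 6 manhours/day; F2 > 6 manhours/day."""
    return "F1" if manhours_per_day <= 6 else "F2"


def avoidance_class(avoidable: bool) -> str:
    """Figure 7: P1 generally possible to avoid danger; P2 no reasonable possibility."""
    return "P1" if avoidable else "P2"


def demand_class(freq_per_year: float) -> str:
    """Figure 7: W1 < once in ten years; W2 < once per year; W3 >= once per year."""
    if freq_per_year < 0.1:
        return "W1"
    if freq_per_year < 1.0:
        return "W2"
    return "W3"


def classify(h: HazardInput) -> Tuple[str, str, str, str]:
    return (consequence_class(h.expected_deaths),
            exposure_class(h.exposure_manhours_per_day),
            avoidance_class(h.avoidable),
            demand_class(h.unprotected_freq_per_year))


# PLACEHOLDER graph: structure assumed for illustration; replace with the
# project's calibrated graph. "paths" routes (C, F, P) to a branch end X1..X6
# ("*" = parameter not consulted on that branch); "outputs" gives the result
# per W column: "-" no requirement, "a" no special safety requirements,
# "b" a single E/E/PE safety-related system is not sufficient.
PLACEHOLDER_RISK_GRAPH: Dict[str, dict] = {
    "paths": {
        ("C1", "*", "*"): "X1",
        ("C2", "F1", "*"): "X2",
        ("C2", "F2", "P1"): "X2", ("C2", "F2", "P2"): "X3",
        ("C3", "F1", "P1"): "X3", ("C3", "F1", "P2"): "X4",
        ("C3", "F2", "P1"): "X4", ("C3", "F2", "P2"): "X5",
        ("C4", "F1", "P1"): "X5", ("C4", "F1", "P2"): "X6",
        ("C4", "F2", "*"): "X6",
    },
    "outputs": {
        "X1": {"W1": "-", "W2": "-", "W3": "a"},
        "X2": {"W1": "-", "W2": "a", "W3": "SIL 1"},
        "X3": {"W1": "a", "W2": "SIL 1", "W3": "SIL 2"},
        "X4": {"W1": "SIL 1", "W2": "SIL 2", "W3": "SIL 3"},
        "X5": {"W1": "SIL 2", "W2": "SIL 3", "W3": "SIL 4"},
        "X6": {"W1": "SIL 3", "W2": "SIL 4", "W3": "b"},
    },
}


def required_sil(h: HazardInput, graph: Dict[str, dict] = PLACEHOLDER_RISK_GRAPH) -> str:
    """Classify the four parameters and read the calibrated graph as a decision tree."""
    c, f, p, w = classify(h)
    paths = graph["paths"]
    for key in ((c, f, p), (c, f, "*"), (c, "*", "*")):
        if key in paths:
            return graph["outputs"][paths[key]][w]
    raise KeyError(f"risk graph has no path for {(c, f, p)}")


if __name__ == "__main__":
    # Constructed hazard: 0.5 expected deaths, 8 manhours/day exposure,
    # not avoidable, demand twice a year without protection.
    sample = HazardInput(0.5, 8, False, 2.0)
    print(classify(sample), required_sil(sample))
```

Keeping the graph as data rather than nested conditionals makes the calibration step the paper insists on explicit: the review team changes the tables, and the classification code stays the same.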

7. The Hazardous Event Severity Matrix Method

The Hazardous Event Severity Matrix method shown in Annex E of IEC 61508 Part 5 is also a qualitative method that enables the safety integrity level of a safety-related system to be determined from a knowledge of the likelihood and consequences of failure associated with the equipment under control and the associated control system. It is primarily applicable to protective functions using multiple independent protective systems (i.e. primary, secondary, tertiary, etc.).

This method can be considered as a decision matrix approach in which the review team considers three issues in turn to arrive at the required SIL rating, as follows.

Consequence risk parameter

Frequency risk parameter

Number of independent protective functions parameter

These three terms tend to be more readily understood than the four parameters used in Annex D since the consequence and frequency parameters are exactly the same as those used in most tolerable risk criteria. The illustrative example given in IEC 61508 Annex E is shown in Figure 8 but, as is the case with the risk graph method (Annex D), the consequence and frequency bands must be calibrated against the tolerable risk criteria in use. Again, this generally involves introducing additional consequence and/or frequency bands, as shown in the example given in Figure 9. This calibration should also consider some example cases to ensure that the resulting SIL rating will bring the risk down to within the tolerable region of the criteria in use.

8. Summary

This paper has given a brief illustration of the principles behind the Functional Safety Assessment (FSA) process to determine the necessary risk reduction. The key issue from the foregoing discussion is that IEC 61508 does not provide an explicit method for carrying out a FSA; it only provides a framework.

Although this is consistent with the aims and objectives of IEC 61508, being a standard written to be applicable to a wide range of industries, initial attempts to apply the draft standard have in general failed to appreciate this fact. However, with the development of other supporting standards such as ISO 10418 and IEC 61511 (Ref. 6), the application of the FSA process will undoubtedly become an integral part of the design development for process facilities worldwide.


As a final summary, it is worth reiterating some points raised in this paper which should be borne in mind in the FSA of typical process systems.

The FSA does not identify hazards; this is best carried out using formal hazard identification techniques such as HAZID and HAZOP.

The FSA should ideally take place after the basic control scheme has been devised but before any decisions have been made on detailed solutions for high reliability instrumentation and control functions. This includes issues such as the duplication of instruments or isolation devices to improve availability or the provision of primary and secondary protective functions.

In order to carry out a FSA effectively, it is essential that information on the likelihood and consequences of the hazardous events that the protective functions mitigate against is known.

The FSA should consider each of the protective functions and not each control loop. If each control loop is considered individually, primary and secondary loops which protect against the same hazard will be assessed in isolation.

The boundary of the equipment under control being considered in the FSA should be clearly defined as the detection, initiation and operation of the safety related system. The boundary should not include consequences further along the escalation path.

When applying a qualitative FSA approach, it is often assumed that the assessment should take place using a group review style meeting, similar to a HAZOP. It is often more productive to prepare a FSA report which is circulated for comment, with the review meeting used to formally agree the SIL ratings for the various protective functions.

9. Abbreviations

ALARP   As Low As Reasonably Practicable
COMAH   Control of Major Accident Hazards (see Ref. 3)
E/E/PE  Electrical/Electronic/Programmable Electronic
EUC     Equipment Under Control
FSA     Functional Safety Assessment
HAZID   Hazard Identification (Study)
HAZOP   Hazard and Operability (Study)
IEC     International Electrotechnical Commission
ISO     International Organization for Standardization
PLL     Potential Loss of Life
SCR     Safety Case Regulations (see Ref. 2)
SIL     Safety Integrity Level
SRS     Safety Related System
UKOOA   United Kingdom Offshore Operators Association


10. References

1. IEC 61508 Part 1 Revision 1.0. Functional safety: safety-related systems - Part 1: General requirements. Published January 1999.
   IEC 61508 Part 2 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 2: Requirements for electrical / electronic / programmable electronic safety-related systems, Final Draft International Standard (FDIS) version. Planned to be published in October 1999.
   IEC 61508 Part 3 Revision 1.0. Functional safety: safety-related systems - Part 3: Software requirements. Published January 1999.
   IEC 61508 Part 4 Revision 1.0. Functional safety: safety-related systems - Part 4: Definitions and abbreviations of terms. Published January 1999.
   IEC 61508 Part 5 Revision 1.0. Functional safety: safety-related systems - Part 5: Guidelines on the application of Part 1. Published January 1999.
   IEC 61508 Part 6 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 6: Guidelines on the application of Parts 2 and 3. Planned to be published in October 1999.
   IEC 61508 Part 7 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 7: Overview of techniques and measures. Planned to be published in October 1999.

2. The Offshore Installations (Safety Case) Regulations (SCR), SI 1992 No 2885, HMSO.

3. The Control of Major Accident Hazards Regulations (COMAH), SI 1999 No 743, HMSO.

4. ISO/WD 10418 Revision 3. Petroleum and natural gas industries - Offshore production installations - Analysis, design, installation and testing of basic surface process safety systems for offshore installations - Requirements and guidelines. Working Draft (WD) International Standard. February 1999.

5. United Kingdom Offshore Operators Association (UKOOA). Instrument-Based Protective Systems, Document Number CP012, 1995.

6. IEC 61511 Revision 1.0. Programmable Electronic Systems (PES) for use in safety applications. Current Stage: Approved New Work (ANW). Planned publication date not known.

Simon Dean works as a safety consultant primarily in the oil & gas and process industries specialising in risk assessment, formal safety assessment and availability analysis and can be contacted at [email protected].


Note: The actual population with risk classes 1, 2, 3 and 4 depends upon what the actual frequencies are for frequent, probable, etc. Therefore, this table should be seen as an example of how such a table could be populated, rather than as a specification.

Risk class by frequency (rows) and consequence (columns):

Frequency      Catastrophic   Critical   Marginal   Negligible
Frequent       1              1          1          2
Probable       1              1          2          3
Occasional     1              2          3          3
Remote         2              3          3          4
Improbable     3              3          4          4
Incredible     4              4          4          4

Risk classes:
1  Intolerable risk.
2  Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
3  Tolerable risk if the cost of risk reduction would exceed the improvement gained.
4  Negligible risk.

Figure 1 — Example Risk Classification and Tolerability of Accidents Matrix

Likelihood categories:
Unlikely (Category 1): Not likely to occur in the life of the facility. May occur in one of several like facilities.
Remote (Category 2): Likely to occur once in the life of the facility (e.g., once every 50 years).
Occasional (Category 3): Likely to occur more than once in the life of the facility (e.g., once every 10 years).
Frequent (Category 4): Likely to occur several times in the life of the facility (e.g., once yearly).

Severity levels:
Negligible (Level 1): Operating personnel: superficial injury. Public: no impact. Environmental: hazardous process fluid contained. Equipment: minor equipment damage and negligible downtime (<1 day).
Marginal (Level 2): Operating personnel: minor injury. Public: no impact. Environmental: small release of hazardous process fluid. Equipment: minor system damage and downtime (>1 day).
Critical (Level 3): Operating personnel: severe injury. Public: exposed to accident. Environmental: uncontained release of hazardous process fluid. Equipment: major system damage and downtime (>10 days).
Catastrophic (Level 4): Operating personnel: death. Public: exposed to threatening accident. Environmental: large, uncontained release of hazardous process fluid. Equipment: extensive facility damage and extended downtime (>90 days).

Risk ranking (Likelihood x Severity matrix cells, 1 to 9; the cell values are not reproduced here):
7 to 9: Unacceptable risks. Risk reduction mandatory.
3 to 6: Transitional risks. Consider risk reduction if costs are not excessive.
1 to 2: Tolerable risks. No risk reduction required.

Figure 2 — Example Matrix of Qualitative Risk Acceptance Criteria


[Figure 3: risk band diagram. Vertical axis: Consequence (Minor, Significant, Major, Catastrophic). Horizontal axis: Frequency (per year), 10^-6 to 1, labelled Very Remote, Remote, Low Probability, Possible, Probable, Frequent. Zones: Zone 1 Risk Reduction Region; Zone 2 Transitional Risk Region; Zone 3 Tolerable Risk Region.]

Figure 3 — Example Risk Bands for Tolerability of Hazards

[Figure 4: escalation path event tree. Demand on over pressure protection system: successful detection & isolation, or failure to detect or isolate source, leading to hydrocarbon release within specific area. Then: successful area detection & isolation, or failure to detect or isolate release, leading to demand on firewater system. Then: successful control of fire within area, or failure to control fire & major escalation. Three SIL assessment boundaries are marked: systems which protect against over pressurisation; systems which provide area gas detection; systems which provide area firewater protection.]

Figure 4 — Boundary of SIL Assessments for Typical Events in Escalation Path


Figure 5 — Illustrative Example of Risk Graph Method from IEC 61508

[Figures 5 and 6: risk graph diagrams. Branches are labelled E1 to E4, F1/F2 and P1/P2; the columns are W1 to W3 in Figure 5 and W0 to W4 in Figure 6, with outputs a, SIL 1, SIL 2, SIL 3, SIL 4 or b at each branch end.]

Figure 6 — Example of Extended Risk Graph with Additional Frequency Bands


Risk parameter / Qualitative classification / Numerical classification / Comments

Consequence (C)
  C1  Minor injury.                                          No deaths.
  C2  One death or permanent injury to one or more persons.  <= 0.1 deaths.
  C3  Several deaths.                                         <= 1 death.
  C4  Very many people killed.                                > 1 death.
  Comments: This decision is related to the severity of the hazard in terms of released energy, nature of hazardous condition etc.

Exposure in the hazardous zone (F)
  F1  Rare to more often exposure.      <= 6 manhours/day.
  F2  Frequent to permanent exposure.   > 6 manhours/day.
  Comments: Exposure is calculated from the expected mean occupancy or personnel exposure in the hazard zone, for normal operation.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions.  Generally possible to avoid danger.
  P2  Almost impossible.                  No reasonable possibility to avoid danger.
  Comments: This parameter is to do with avoiding injury after the hazard has occurred, and takes into account: rate of development of the hazard; recognition of condition (visual/automatic alarm etc.); escape possibility from danger area.

Probability of the unwanted occurrence (W)
  W1  A very slight probability.      < Once in ten years.
  W2  A slight probability.           < Once per year.
  W3  A relatively high probability.  >= Once per year.
  Comments: This represents the frequency of the unwanted occurrence taking place WITHOUT any safety-related systems, but including external risk reduction facilities. It is NOT the probability of the hazard occurring, which will be much less because of the presence of the safety system.

Figure 7 — Example Data for Calibration of Risk Graph Method

Figure 8 — Illustrative Example of Hazardous Event Severity Matrix Method from IEC 61508


[Figure 9: extended hazardous event severity matrix. Rows: number of independent SRSs and external risk reduction facilities [E] (including the E/E/PE SRS being classified), 1, 2 or 3. Columns: consequence (Minor, Serious, Extensive), each divided into event likelihood [D] bands (events per year): 10^-5 to 10^-4, 10^-4 to 10^-3, 10^-3 to 10^-2, 10^-2 to 10^-1, 10^-1 to 1, 1 to 10, 10 to 100. Cell entries are SIL 1, SIL 2, SIL 3 or the notes [A], [B] and [C]; the cell-by-cell layout is not reproduced here.]

Notes:
[A] One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk level. Additional risk reduction measures are required.
[B] One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk level. Hazard and risk analysis is required to determine whether additional risk reduction measures are necessary.
[C] An independent E/E/PE safety-related system is probably not required.
[D] Event likelihood is the likelihood that the hazardous event occurs without any safety related systems or external risk reduction facilities.
[E] SRS = safety-related system. Event likelihood and the total number of independent protection layers are defined in relation to the specific application.

Figure 9 — Example of Extended Hazardous Event Severity Matrix with Additional Likelihood Bands
