1
PSAM6, San Juan, Puerto Rico, USA - June 2002
Telecom and Informatics
ALLOCATING SAFETY INTEGRITY LEVELS IN PRACTICE
Odd Nordland
SINTEF, Trondheim, [email protected]
www.informatics.sintef.no/~nordland
2
Introduction
Safety Integrity
Safety Integrity Levels
Risk Acceptability
Allocating SILs
Problems
Conclusions
3
Safety Integrity
- Things can go wrong, so we need additional functionality: safety functions to reduce the risks
- Safety functions can have varied implementation measures:
  - active functionality
  - design properties
  - administrative measures
  - any combination of the above
- Failure of part of the implementation does not mean total loss of the safety function
- Safety Integrity = ability of a safety function to continue to be effective in spite of deterioration of its implementation
4
Safety Integrity Levels
- Degree of safety integrity is determined by:
  - number of implementation measures
  - how effective they are
  - how vulnerable they are
  - how independent they are
  - ...
- Many different degrees of safety integrity, grouped into 5 levels:
  - SIL 0 = no safety integrity at all
  - ...
  - SIL 4 = highest possible level
- For "important" safety functions, a high SIL will be demanded
- Safety Integrity Levels depend on risk acceptability
5
Risk Acceptability
ALARP
- Risk shall be brought As Low As Reasonably Practicable
- 3 risk zones: unacceptable, acceptable, negligible
- assumes that we know where the acceptable limit is
GAMAB ("Globalement Au Moins Aussi Bon")
- Any modification shall leave a system globally at least as good as it was
- allows for redistribution of risks
- assumes the current level is already acceptable
MEM (Minimum Endogenous Mortality)
- Starts with the lowest technological mortality rate in the population
- a new system should not increase that mortality rate significantly
- assumes that the current mortality rate is acceptable
6
Allocating SILs
1. Determine risks
2. Determine acceptable risk levels
3. Identify safety functions
4. Based on the risk acceptance level, determine the safety integrity level for each safety function
5. Identify implementation measures for each safety function
6. Based on the safety integrity level for each function, determine tolerable failure rates for each implementation measure
OR JUST DEMAND SIL 4 BY DEFAULT!
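The allocation steps above, carried through on constructed numbers as an added example (not from the talk). It derives the safety function's required risk reduction, maps it to a SIL, and then divides the function's failure budget over its implementation measures, which also illustrates the later point that ignoring a non-technical measure inflates the demand on the equipment. The SIL bands are the IEC 61508 low-demand PFDavg bands (average probability of failure on demand); the hazard rates and measure PFDs are made up, and the product rule assumes the measures are independent and the function fails only when all of them fail.

```python
# Added worked example of SIL allocation; all numbers are constructed.
from math import prod

# SIL -> [lower, upper) PFDavg band, IEC 61508 low-demand mode.
# A required reduction of less than a factor 10 is treated as the talk's SIL 0.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def required_pfd(unmitigated_rate, tolerable_rate):
    """Steps 1-4: the safety function must bring the unmitigated hazard rate
    down to the tolerable rate, so its PFDavg may be at most this ratio."""
    if tolerable_rate >= unmitigated_rate:
        return 1.0  # the risk is already acceptable; no safety function needed
    return tolerable_rate / unmitigated_rate


def sil_for_pfd(pfd):
    """Map a required PFDavg to the SIL of the band that contains it."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    raise ValueError("more reduction than SIL 4 allows: change the design")


def equipment_pfd_budget(function_pfd, other_measure_pfds):
    """Steps 5-6: with independent measures that must all fail for the
    function to fail, the function PFD is the product of the measure PFDs.
    Dividing out the other (e.g. administrative) measures leaves the
    tolerable PFD of the equipment; prod(()) == 1 covers 'equipment only'."""
    return function_pfd / prod(other_measure_pfds)


def allocate(unmitigated_rate, tolerable_rate, other_measure_pfds=()):
    """Return (function SIL, equipment PFD budget, equipment SIL)."""
    f_pfd = required_pfd(unmitigated_rate, tolerable_rate)
    e_pfd = min(1.0, equipment_pfd_budget(f_pfd, other_measure_pfds))
    return sil_for_pfd(f_pfd), e_pfd, sil_for_pfd(e_pfd)


if __name__ == "__main__":
    # Constructed hazard: 1e-2 events/year unmitigated, 5e-6/year tolerable,
    # so the function needs PFD 5e-4, i.e. SIL 3, not SIL 4 by default.
    print(allocate(1e-2, 5e-6))           # equipment alone must meet SIL 3
    # Adding an independent operator check (assumed PFD 0.1) relaxes the
    # equipment budget to 5e-3, i.e. SIL 2.
    print(allocate(1e-2, 5e-6, [1e-1]))
```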
7
Problems
- SIL 4 is EXPENSIVE
- Systems that have been working satisfactorily don't necessarily fulfil SIL 4 requirements
- Do we always need SIL 4?
- The relationship between failure rates and SILs is often misunderstood: SILs depend on failure rates of safety functions
- Exaggerated demands on equipment because non-technical measures are ignored
- Risk acceptability is controversial
8
Conclusions
- Agreed methods for determining acceptable risk levels must be determined
- Demanding the highest safety integrity level by default is a political decision; a proper analysis could show that a lower safety integrity level is sufficient
- Non-technical measures for implementing safety functions must be included in the analyses
- Apply the standards correctly:
  - perform risk acceptability analyses first
  - identify the safety functions next
  - then allocate SILs