IEC 61508 - Assessing the Hazard and Risk
Simon Dean, Sauf Consulting Ltd
April 1999

1. Introduction

Despite the fact that IEC 61508 (Ref. 1) was only issued (in part) on 1st January 1999, process industries have already implemented the draft standard on a number of projects. In addition, some operating companies and contractors have developed internal procedures and standards with the objective of enabling consistent application and integration of IEC 61508 within the overall safety assessment process. This enthusiasm stems from the perceived benefits of adopting the new standard to provide a consistent justification of the level of integrity needed for different instrument functions. In addition, many industries recognise the long term benefits that can be achieved through the application of IEC 61508 throughout the supply chain.

However, adoption of IEC 61508 has not been widely successful across all projects. The reasons for this stem from the perception of what the standard is, how it can be implemented consistently and what the results of a functional safety assessment mean.

Before going any further, it is important that certain terms used within IEC 61508 are clearly understood.

The term 'Safety Integrity' is defined as 'the likelihood of a safety related system (SRS) satisfactorily performing the required safety functions under the stated conditions, within a stated period of time.'

The term 'Safety Integrity Level (SIL)' is defined as 'one of four possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety related system (SRS).'

The term 'Functional Safety' is defined as 'the ability of a safety related system (SRS) to carry out the actions necessary to achieve or maintain a safe state for the equipment under control (EUC).'
The term 'Functional Safety Assessment (FSA)' is defined as 'the undertaking of an investigation in order to arrive at a judgement, based on evidence, of the functional safety achieved by one or more safety related systems (SRS) and/or external risk reduction facilities.'

This paper explains the hazard and risk assessment process that needs to be followed within a Functional Safety Assessment (FSA) with reference to systems typical of the process industry. This paper also attempts to highlight some of the pitfalls of carrying out a FSA and how the application of IEC 61508 can be integrated into projects to achieve maximum benefit.

© Sauf Consulting Ltd, 1999 Page 1 of 13 www.sauf.co.uk

2. The Risk Assessment Framework

Before attempting to carry out a FSA through the implementation of IEC 61508 on a project, it is essential that the general principles of risk assessment be understood. To make effective decisions, those involved in the assessment need to know what potential threat the failure of the equipment under control poses and how great the likelihood is that people will be harmed. Gathering and analysing this information is referred to as risk assessment. Note that risk assessment can also be used to determine the potential threat to assets and/or the environment, as well as risks to personnel. The principles of IEC 61508 can be used in the risk assessment for all these issues, provided appropriate tolerable risk criteria are used. However, IEC 61508 is principally a standard applicable to the safety of personnel.

It must be recognised that IEC 61508 is a risk based standard and that in order to apply the standard, some criteria which define the tolerability of risks must be established for the project. As a minimum, this measure for the tolerability of risk must state what is deemed reasonable with respect to both the frequency (or probability) of the hazardous event and its specific consequences.
For many projects worldwide, the objective of meeting some pre-defined risk acceptance criteria is fundamental throughout the design decision process. For UK based offshore oil and gas projects, this is carried out through the demonstration of ALARP under the framework of the Safety Case Regulations (Ref. 2). For UK based onshore projects this is carried out through the demonstration of ALARP under the framework of the COMAH Regulations (Ref. 3). In other parts of the world, similar goal setting regimes are in place, whereas some nations still rely on prescriptive legislation.

Through the FSA process, the objective is to ensure that the safety-related systems are designed to reduce the likelihood and/or consequences of the hazardous event to meet the tolerable risk criteria. To achieve this objective, the process that is followed within the FSA can be summarised by three key stages, as follows.

1. Establish the tolerable risk criteria.
2. Assess the risks associated with the equipment under control.
3. Determine the necessary risk reduction needed to meet the risk acceptance criteria.

These three key stages in the FSA process are described in more detail in the succeeding sections.

3. Tolerable Risk Criteria

A number of different ways can be used to express the tolerability of risks, and these vary between operators and with the cultural and regulatory environment of the project's location. In general, these criteria can be qualitative or quantitative, although there is often some overlap in the way the criteria are expressed.

Qualitative criteria use words such as probable, frequent, unlikely, remote, etc. to describe the likelihood of an event and words such as minor, major, catastrophic, etc. to describe the consequences of the event. However, in order to ensure that these criteria are applied consistently, it is often necessary to introduce quantitative numbers to provide a clear definition of how the words should be interpreted.
For example, unlikely may be defined as 'once every 10 to 100 years', or 'may happen once over the life of 10 similar facilities'.

Quantitative criteria on the other hand use numbers to describe the likelihood and severity of the event. This can include criteria such as 'an event having a frequency of less than 10^-3 per year', or 'the potential loss of life (PLL) associated with an event having a likelihood of less than 10^-4 per year', etc. However, there is a certain amount of uncertainty associated with the numerical prediction of the likelihood or consequences of an event. For example, two different techniques may yield slightly different results for the likelihood of an event, say 1.05 x 10^-3 and 0.95 x 10^-3. If the tolerable risk criterion is 1.0 x 10^-3, some qualitative interpretation will be necessary to decide if the event is in the tolerable region or not.

Whether qualitative or quantitative tolerable risk criteria are used, the important issue to appreciate is that there is always some blurring between them. The (qualitative) words invariably need some numbers to make sure they are interpreted consistently and the (quantitative) numbers need some words to make sure they are applied consistently. As far as IEC 61508 is concerned, it is immaterial whether qualitative or quantitative criteria are used, since the standard can be applied equally using either approach. By way of example, some typical techniques for expressing the tolerability of risks, including two matrices and a risk band diagram, are shown in Figures 1 to 3 respectively.

4. Assessing the Risk

The term risk assessment conjures up different meanings for many people when in fact the principles are quite simple. Risk assessment can be defined as determining the potential harm a situation poses and how great the likelihood is that people, the asset or the environment will be harmed.
As part of the hazard identification process, formal techniques such as HAZID and HAZOP should be used to identify the hazards associated with a particular process system. In order to reduce the likelihood and/or control the consequences of these hazards, it is appropriate in some circumstances to use E/E/PE control systems, which must then be subject to the FSA process. Note that the FSA does not identify hazards; this is best carried out using formal techniques such as HAZID and HAZOP.

When applying IEC 61508, the risk assessment can be summarised as asking the question, 'how likely is the equipment under control to fail and if it does fail, what is the outcome?' To answer this question, information must be available on the likelihood and consequences of the hazardous events that the equipment under control mitigates against. However, in order to determine this information for typical process plant applications, the boundary of the system in terms of cause and effect must be defined, as will become evident in the following discussion.

The likelihood or frequency of an event relating to the equipment under control can arise from either intrinsic or extrinsic causes. Intrinsic causes are events such as component failures, software failures, or human error within the equipment under control. Extrinsic causes generally apply to protective systems that only need to function when some other failure within the process plant occurs; for example, protection against over pressurisation that can only occur as a result of other failures somewhere within the process plant. Therefore, the boundary as far as the likelihood of an event is concerned must consider both the intrinsic failure rate and the extrinsic demand rate of the equipment under control.

The consequences or severity of an event relating to equipment under control can range from the direct effects of the incident to all subsequent events along the escalation path.
Although it is relatively easy to assess the immediate effects of an incident, the knock-on effects further down the escalation path are more difficult to determine unless techniques such as event tree analysis are used. This introduces a dilemma, since the true consequences of an event can only be determined if the escalation path is assessed through to its end conclusions, although the escalation path itself may contain other separate functions which are themselves subject to the FSA process. In order to aid clarity, it is best to illustrate this statement by use of an example.

Consider an instrument based protection system within a process system used to prevent over pressurisation. The immediate consequences should the equipment under control fail could be a rupture of the pipework and a significant hydrocarbon release. Apart from the immediate fatalities in the vicinity of the leak, the effects of this event with respect to personnel fatalities will depend on the success (or failure) of a number of further systems in the escalation path. This release may or may not be detected; the isolation and blowdown system may or may not work; the release may or may not ignite; the fire may or may not cause further loss of containment and escalation; the firewater system may or may not work; the temporary refuge may or may not protect the personnel; the lifeboats may or may not be launched successfully.

As can be seen from this example, the boundary applied for the consequences of an incident plays an important role in the complexity of the analysis and the determination of the safety integrity level. Also, in order to accurately determine the precise likelihood that people will be harmed, the boundary of the analysis has to extend to the end of the event tree.
However, if the boundary is extended to cover every potential path within the event tree, the analysis will include systems not directly affected by the equipment under control and which may themselves be subject to FSA. Another important issue to appreciate from this example is that in the FSA process, overall safety performance could be improved by achieving a high availability for any element in the escalation path, such as gas detection; isolation and blowdown; protection against ignition; prevention of escalation to adjacent plant; the firewater system; the temporary refuge; the lifeboats. However, such an approach would miss the point that the FSA is for the equipment that is providing the protective function, which in this case is to prevent over pressurisation.

In order to resolve this issue and ensure that IEC 61508 is applied logically, the approach being developed within ISO 10418 (Ref. 4) is to define the boundary of a FSA for a given protective function as the immediate consequences of an event rather than introduce the full escalation path. Therefore, using the example of the loss of containment through over pressurisation, the boundary of the system would be the detection mechanism and isolation devices, which would isolate the downstream systems from the potential over pressurisation. This concept of the FSA boundary for the equipment under control that provides a protective function is illustrated in Figure 4.

In typical over pressure protection schemes, it is customary to design detection and isolation using independent primary, secondary and sometimes tertiary systems. It is important that the FSA considers all such systems together when determining if further risk reduction is necessary. If such primary and secondary systems are assessed separately, the results of the analysis will give a perceived need for further major risk reduction, which is unlikely to be the case.
For example, the primary means of over pressure protection may be a high pressure trip initiating closure of an isolation valve, with secondary protection provided by a pressure relief valve. Further risk reduction is unlikely to be necessary for this configuration since a pressure relief valve provides high reliability protection against over pressurisation. However, an alternative design may utilise a high integrity over pressure detection and isolation system in place of the pressure relief valve, in which case further risk reduction may be appropriate.

5. Determining the Necessary Risk Reduction

Having established the tolerable risk criteria and gathered the information needed to assess the risks, the next step is to determine if any further risk reduction is necessary. IEC 61508 Part 5 provides a number of techniques to determine the necessary risk reduction, in particular Annexes D and E, the risk graph and the hazardous event severity matrix methods respectively. However, before discussing these two techniques, the concept of 'necessary risk reduction' must be clearly understood.

The principle of IEC 61508 is that the equipment under control that is being assessed may be perfectly adequate, in which case no further risk reduction is necessary. On the other hand, the FSA may determine that further risk reduction is necessary, in which case the design of the protective function must meet a given availability rating in order to achieve the necessary risk reduction. Note that IEC 61508 does not specifically set out to determine the appropriate SIL rating for a given protective function, although such an approach may be beneficial in the design development of control systems for complex process plant.

The basic principle of the risk graph and the hazardous event severity matrix methods is to assess the risk of the equipment under control.
Referring back to Figures 1 to 3, if the risk associated with the equipment under control is not within the tolerable (or negligible) regions, further risk reduction is necessary to bring the risks down to a level that is in the tolerable region. The SIL rating gives a measure of the magnitude of risk reduction necessary to achieve a tolerable level. Therefore, it is important to recognise that the example methods given in Annexes D and E cannot be used directly without calibration against the criteria for tolerability of risk for the particular project under consideration.

6. The Risk Graph Method

The Risk Graph method shown in Annex D of IEC 61508 Part 5 is a qualitative method that enables the safety integrity level of a safety-related system to be determined from a knowledge of the risk factors associated with the equipment under control and the associated control system. It is applicable to most protective functions except those using multiple independent protective systems (i.e. primary, secondary, tertiary, etc.). The principles of the risk graph method have been adopted in the UKOOA document, Instrument-Based Protective Systems (Ref. 5), and other standards published by offshore operators.

This method can be considered as a decision tree approach in which the review team considers four issues in turn to arrive at the required SIL rating, as follows.

- Consequence risk parameter
- Frequency and exposure time risk parameter
- Possibility of failing to avoid hazard risk parameter
- Probability of the unwanted occurrence parameter

In order to ensure that this approach is applied consistently, it is essential that these four terms are clearly and unambiguously understood by all participants of the review. Although Annex D includes an illustrative example for the risk graph method, as shown in Figure 5, the consequence and frequency bands must be calibrated against the tolerable risk criteria in use.
In some cases, this will involve introducing additional consequence and frequency bands, as shown in Figure 6. In addition, the calibration should consider some example cases to ensure that the resulting SIL rating will bring the risk down to within the tolerable region of the criteria in use. An example of applying the resulting numerical criteria to the definition of the four parameters from such a calibration exercise is shown in Figure 7.

7. The Hazardous Event Severity Matrix Method

The Hazardous Event Severity Matrix method shown in Annex E of IEC 61508 Part 5 is also a qualitative method that enables the safety integrity level of a safety-related system to be determined from a knowledge of the likelihood and consequences of failure associated with the equipment under control and the associated control system. It is primarily applicable to protective functions using multiple independent protective systems (i.e. primary, secondary, tertiary, etc.).

This method can be considered as a decision matrix approach in which the review team considers three issues in turn to arrive at the required SIL rating, as follows.

- Consequence risk parameter
- Frequency risk parameter
- Number of independent protective functions parameter

These three terms tend to be more readily understood than the four parameters used in Annex D, since the consequence and frequency parameters are exactly the same as those used in most tolerable risk criteria. The illustrative example given in IEC 61508 Annex E is shown in Figure 8 but, as is the case with the risk graph method (Annex D), the consequence and frequency bands must be calibrated against the tolerable risk criteria in use. Again, this generally involves introducing additional consequence and/or frequency bands, as shown in the example given in Figure 9. This calibration should also consider some example cases to ensure that the resulting SIL rating will bring the risk down to within the tolerable region of the criteria in use.
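As an added example (not part of the paper, and not the paper's, ISO's or IEC's own method), the following Python carries the calibration advice above through the over pressure case of section 4: it computes the necessary risk reduction for a protective function against a constructed quantitative tolerable-frequency criterion, turns it into a SIL, and cross-checks the residual event frequency against the Figure 2 matrix. The tolerable frequencies, the numeric boundaries given to the Figure 2 likelihood categories, the PFD values of the trip and relief valve, and the convention that a SIL n function is credited with exactly a factor 10^n are all assumptions, not figures from the paper.

```python
# Added example, not from the paper: the "necessary risk reduction" step of
# section 5 worked through for the over-pressure case of section 4, with the
# Figure 2 qualitative matrix used as the calibration cross-check that
# sections 6 and 7 call for.
#
# Assumptions (none of these values come from the paper):
#   * TOLERABLE_FREQ is a constructed project criterion: maximum tolerable
#     frequency (events/year) of a hazardous event at each Figure 2 severity.
#   * LIKELIHOOD_THRESHOLDS put numbers on the worded Figure 2 likelihood
#     categories (once yearly / once every 10 years / once every 50 years).
#   * A SIL n function is credited with exactly a factor 10**n of risk
#     reduction (the worst-case PFD of its band), so the chosen SIL is
#     guaranteed, not merely likely, to reach the tolerable frequency.
#   * Independent layers protecting the same hazard combine by multiplying
#     their PFDs, which assumes no common-cause failure between them.
import math

# Figure 2 as read here: rows = severity level 1..4, columns = likelihood
# category 1..4; scores 7-9 unacceptable, 3-6 transitional, 1-2 tolerable.
RISK_MATRIX = {
    1: (1, 2, 2, 3),  # Negligible
    2: (2, 4, 6, 6),  # Marginal
    3: (3, 6, 7, 8),  # Critical
    4: (4, 7, 8, 9),  # Catastrophic
}
LIKELIHOOD_THRESHOLDS = ((1.0, 4), (0.1, 3), (0.02, 2))  # (events/year, category)
TOLERABLE_FREQ = {1: 1.0, 2: 1e-1, 3: 1e-3, 4: 1e-4}      # constructed criterion
MAX_SINGLE_SRS_SIL = 4   # beyond SIL 4 one E/E/PE SRS is not sufficient ('h')


def likelihood_category(freq_per_year):
    """Figure 2 likelihood category: 1 = Unlikely ... 4 = Frequent."""
    for threshold, category in LIKELIHOOD_THRESHOLDS:
        if freq_per_year >= threshold:
            return category
    return 1


def risk_band(freq_per_year, severity):
    """Figure 2 outcome for an event frequency and severity level 1..4."""
    score = RISK_MATRIX[severity][likelihood_category(freq_per_year) - 1]
    if score >= 7:
        return "unacceptable"
    return "transitional" if score >= 3 else "tolerable"


def residual_demand_rate(demand_rate, existing_pfds):
    """Demands that get past every layer already inside the FSA boundary.
    Section 4: layers protecting the same hazard (e.g. high-pressure trip
    and relief valve) are assessed together, not one control loop at a time."""
    return demand_rate * math.prod(existing_pfds)


def necessary_risk_reduction(demand_rate, severity, existing_pfds=()):
    """Risk reduction factor still needed to meet the tolerable frequency.
    A value <= 1 means the equipment under control is already adequate."""
    return residual_demand_rate(demand_rate, existing_pfds) / TOLERABLE_FREQ[severity]


def sil_for_risk_reduction(rrf):
    """Lowest SIL whose credited factor 10**SIL covers the required reduction.
    0 mirrors '-'/'a' in the paper's Figure 5 table (no E/E/PE safety function
    needed); None mirrors 'h' (a single E/E/PE SRS is not sufficient)."""
    if rrf <= 1:
        return 0
    sil = math.ceil(math.log10(rrf) - 1e-9)   # tolerance: 1000 -> 3, not 4
    return sil if sil <= MAX_SINGLE_SRS_SIL else None


def assess(demand_rate, severity, existing_pfds=()):
    """One FSA line for a protective function: required SIL plus the Figure 2
    band of the residual event frequency once that SIL is credited."""
    rrf = necessary_risk_reduction(demand_rate, severity, existing_pfds)
    sil = sil_for_risk_reduction(rrf)
    if sil is None:
        return {"rrf": rrf, "sil": None, "band": None}
    residual = residual_demand_rate(demand_rate, existing_pfds) / 10 ** sil
    return {"rrf": rrf, "sil": sil, "band": risk_band(residual, severity)}


if __name__ == "__main__":
    # Constructed figures for the section 4 example: 0.1 demands/year on the
    # over-pressure protection, Catastrophic consequence (severity 4),
    # high-pressure trip PFD 0.05, relief valve PFD 0.01 (all assumed).
    print("trip + relief valve together:", assess(0.1, 4, (0.05, 0.01)))
    print("trip assessed in isolation:  ", assess(0.1, 4, (0.05,)))
    print("alternative design, no PSV:  ", assess(0.1, 4))
```

Run as a script it shows the trip needing an extra SIL 2 function when assessed on its own but nothing when the relief valve is inside the boundary, which is the over-assessment section 4 warns about. Note also that Figure 2 scores every Catastrophic event at 4 or more, so its coarsest likelihood band can never confirm the quantitative criterion; that mismatch is exactly what the calibration cases are meant to expose.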
8. Summary

This paper has given a brief illustration of the principles behind the Functional Safety Assessment (FSA) process to determine the necessary risk reduction. The key issue from the foregoing discussion is that IEC 61508 does not provide an explicit method for carrying out a FSA; it only provides a framework. Although this is consistent with the aims and objectives of IEC 61508, being a standard written to be applicable to a wide range of industries, initial attempts to apply the draft standard have in general failed to appreciate this fact. However, with the development of other supporting standards such as ISO 10418 and IEC 61511 (Ref. 6), the application of the FSA process will undoubtedly become an integral part of the design development for process facilities worldwide.

As a final summary, it is worth reiterating some points raised in this paper which should be borne in mind in the FSA of typical process systems.

- The FSA does not identify hazards; this is best carried out using formal hazard identification techniques such as HAZID and HAZOP.
- The FSA should ideally take place after the basic control scheme has been devised but before any decisions have been made on detailed solutions for high reliability instrumentation and control functions. This includes issues such as the duplication of instruments or isolation devices to improve availability or the provision of primary and secondary protective functions.
- In order to carry out a FSA effectively, it is essential that information on the likelihood and consequences of the hazardous events that the protective functions mitigate against is known.
- The FSA should consider each of the protective functions and not each control loop. If each control loop is considered individually, primary and secondary loops which protect against the same hazard will be assessed in isolation.
- The boundary of the equipment under control being considered in the FSA should be clearly defined as the detection, initiation and operation of the safety related system. The boundary should not include consequences further along the escalation path.
- When applying a qualitative FSA approach, it is often assumed that the assessment should take place using a group review style meeting, similar to a HAZOP. It is often more productive to prepare a FSA report which is circulated for comment, with the review meeting used to formally agree the SIL ratings for the various protective functions.

9. Abbreviations

ALARP   As Low As Reasonably Practicable
COMAH   Control of Major Accident Hazards (see Ref. 3)
E/E/PE  Electrical/Electronic/Programmable Electronic
EUC     Equipment Under Control
FSA     Functional Safety Assessment
HAZID   Hazard Identification (Study)
HAZOP   Hazard and Operability (Study)
IEC     International Electrotechnical Commission
ISO     International Organization for Standardization
PLL     Potential Loss of Life
SCR     Safety Case Regulations (see Ref. 2)
SIL     Safety Integrity Level
SRS     Safety Related System
UKOOA   United Kingdom Offshore Operators Association

10. References

1. IEC 61508 Part 1 Revision 1.0. Functional safety: safety-related systems - Part 1: General requirements. Published January 1999.
   IEC 61508 Part 2 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 2: Requirements for electrical / electronic / programmable electronic safety-related systems. Final Draft International Standard (FDIS) version. Planned to be published in October 1999.
   IEC 61508 Part 3 Revision 1.0. Functional safety: safety-related systems - Part 3: Software requirements. Published January 1999.
   IEC 61508 Part 4 Revision 1.0. Functional safety: safety-related systems - Part 4: Definitions and abbreviations of terms. Published January 1999.
   IEC 61508 Part 5 Revision 1.0. Functional safety: safety-related systems - Part 5: Guidelines on the application of Part 1. Published January 1999.
   IEC 61508 Part 6 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 6: Guidelines on the application of Parts 2 and 3. Planned to be published in October 1999.
   IEC 61508 Part 7 Revision 1.0. Functional safety of electrical / electronic / programmable electronic safety-related systems - Part 7: Overview of techniques and measures. Planned to be published in October 1999.
2. The Offshore Installations (Safety Case) Regulations (SCR), SI 1992 No 2885, HMSO.
3. The Control of Major Accident Hazards Regulations (COMAH), SI 1999 No 743, HMSO.
4. ISO/WD 10418 Revision 3. Petroleum and natural gas industries - Offshore production installations - Analysis, design, installation and testing of basic surface process safety systems for offshore installations - Requirements and guidelines. Working Draft (WD) International Standard. February 1999.
5. United Kingdom Offshore Operators Association (UKOOA). Instrument-Based Protective Systems, Document Number CP012, 1995.
6. IEC 61511 Revision 1.0. Programmable Electronic Systems (PES) for use in safety applications. Current Stage: Approved New Work (ANW). Planned publication date not known.

Simon Dean works as a safety consultant primarily in the oil & gas and process industries, specialising in risk assessment, formal safety assessment and availability analysis, and can be contacted at simon@sauf.co.uk.

Figure 1 — Example Risk Classification and Tolerability of Accidents Matrix

Frequency     Catastrophic  Critical  Marginal  Negligible
Frequent      1             1         1         2
Probable      1             1         2         3
Occasional    1             2         3         3
Remote        2             3         3         4
Improbable    3             3         4         4
Incredible    4             4         4         4

Risk classes:
1  Intolerable risk.
2  Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
3  Tolerable risk if the cost of risk reduction would exceed the improvement gained.
4  Negligible risk.

Note: The actual population with risk classes 1, 2, 3 and 4 depends upon what the actual frequencies are for frequent, probable etc. Therefore, this table should be seen as an example of how such a table could be populated, rather than as a specification.

Figure 2 — Example Matrix of Qualitative Risk Acceptance Criteria

Likelihood categories:
Unlikely (Category 1): Not likely to occur in the life of the facility. May occur in one of several like facilities.
Remote (Category 2): Likely to occur once in the life of the facility (e.g., once every 50 years).
Occasional (Category 3): Likely to occur more than once in the life of the facility (e.g., once every 10 years).
Frequent (Category 4): Likely to occur several times in the life of the facility (e.g., once yearly).

Severity levels:
Negligible (Level 1): Operating personnel: superficial injury. Public: no impact. Environmental: hazardous process fluid contained. Equipment: minor equipment damage and negligible downtime (<1 day).
Marginal (Level 2): Operating personnel: minor injury. Public: no impact. Environmental: small release of hazardous process fluid. Equipment: minor system damage and downtime (>1 day).
Critical (Level 3): Operating personnel: severe injury. Public: exposed to accident. Environmental: uncontained release of hazardous process fluid. Equipment: major system damage and downtime (>10 days).
Catastrophic (Level 4): Operating personnel: death. Public: exposed to threatening accident. Environmental: large, uncontained release of hazardous process fluid. Equipment: extensive facility damage and extended downtime (>90 days).

Risk ranking (severity level down, likelihood category across):
Severity              Cat 1  Cat 2  Cat 3  Cat 4
Negligible (Level 1)  1      2      2      3
Marginal (Level 2)    2      4      6      6
Critical (Level 3)    3      6      7      8
Catastrophic (Level 4) 4     7      8      9

Unacceptable risks, 7 to 9: risk reduction mandatory.
Transitional risks, 3 to 6: consider risk reduction if costs are not excessive.
Tolerable risks, 1 to 2: no risk reduction required.

Figure 3 — Example Risk Bands for Tolerability of Hazards

Diagram (not reproduced here): consequence (Minor, Significant, Major, Catastrophic) plotted against frequency per year (Very Remote 10^-6, Remote 10^-5, Low Probability 10^-4, Possible 10^-3, Probable 10^-2, Frequent 10^-1, 1), divided into Zone 1 Risk Reduction Region, Zone 2 Transitional Risk Region and Zone 3 Tolerable Risk Region.

Figure 4 — Boundary of SIL Assessments for Typical Events in Escalation Path

Demand on over pressure protection system: either successful detection and isolation, or failure to detect or isolate source, leading to a hydrocarbon release within a specific area. (Boundary of SIL assessment for systems which protect against over pressurisation.)
Hydrocarbon release within specific area: either successful area detection and isolation, or failure to detect or isolate release, leading to a demand on the firewater system. (Boundary of SIL assessment for systems which provide area gas detection.)
Demand on firewater system: either successful control of fire within area, or failure to control fire and major escalation. (Boundary of SIL assessment for systems which provide area firewater protection.)

Figure 5 — Illustrative Example of Risk Graph Method from IEC 61508

Diagram (not reproduced here): from the starting point for risk reduction estimation the graph branches on C1 to C4, then F1/F2, then P1/P2, and each path ends at one of the output rows below, read against W3, W2 and W1.

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of avoiding hazard risk parameter
W = Probability of the unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

Output rows, read against W3, W2, W1:
a  -  -
b  a  -
c  b  a
d  c  b
e  d  c
f  e  d
g  f  e
h  g  f

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

Necessary minimum risk reduction   Safety integrity level
-                                  No safety requirements
a                                  No special safety requirements
b, c                               1
d                                  2
e, f                               3
g                                  4
h                                  An E/E/PE SRS is not sufficient

Figure 6 — Example of Extended Risk Graph with Additional Frequency Bands

Diagram (not reproduced here): the Annex D graph extended with frequency bands W0 to W4 and branches E1 to E4, F1/F2 and P1/P2, with outputs a, b and SIL 1 to SIL 4.

Figure 7 — Example Data for Calibration of Risk Graph Method

Consequence (C)
  C1  Minor injury.  No deaths.
  C2  One death or permanent injury to one or more persons.  <= 0.1 deaths.
  C3  Several deaths.  <= 1 deaths.
  C4  Very many people killed.  > 1 deaths.
  Comment: This decision is related to the severity of the hazard in terms of released energy, nature of hazardous condition etc.

Exposure in the hazardous zone (F)
  F1  Rare to more often exposure.  <= 6 manhours/day.
  F2  Frequent to permanent exposure.  > 6 manhours/day.
  Comment: Exposure is calculated from the expected mean occupancy or personnel exposure in the hazard zone, for normal operation.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions.  Generally possible to avoid danger.
  P2  Almost impossible.  No reasonable possibility to avoid danger.
  Comment: This parameter is to do with avoiding injury after the hazard has occurred, and takes into account: rate of development of the hazard; recognition of condition (visual/automatic alarm etc); escape possibility from danger area.

Probability of the unwanted occurrence (W)
  W1  A very slight probability.  < Once in ten years.
  W2  A slight probability.  < Once per year.
  W3  A relatively high probability.  >= Once per year.
  Comment: This represents the frequency of the unwanted occurrence taking place WITHOUT any safety-related systems, but including external risk reduction facilities. It is NOT the probability of the hazard occurring, which will be much less because of the presence of the safety system.

Figure 8 — Illustrative Example of Hazardous Event Severity Matrix Method from IEC 61508

Diagram (not reproduced here): a matrix of hazardous event severity (Minor, Serious, Extensive) against event likelihood [D] (Low, Med, High) for one, two or three independent SRSs and external risk reduction facilities [E] (including the E/E/PE SRS being classified), each cell giving SIL 1, SIL 2, SIL 3 or one of the notes [A] to [C] below.

[A] One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk level. Additional risk reduction measures are required.
[B] One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk level. Hazard and risk analysis is required to determine whether additional risk reduction measures are necessary.
[C] An independent E/E/PE safety-related system is probably not required.
[D] Event likelihood is the likelihood that the hazardous event occurs without any safety related systems or external risk reduction facilities.
[E] SRS = safety-related system. Event likelihood and the total number of independent protection layers are defined in relation to the specific application.

Figure 9 — Example of Extended Hazardous Event Severity Matrix with Additional Likelihood Bands

Diagram (not reproduced here): the Figure 8 matrix with the Low/Med/High likelihood columns replaced by event likelihood bands of 10^-5 to 10^-4, 10^-4 to 10^-3, 10^-3 to 10^-2, 10^-2 to 10^-1, 10^-1 to 1, 1 to 10 and 10 to 100 events per year. Notes [A] to [E] are as for Figure 8.