IEC 61508 - Assessing the Hazard and Risk

Simon Dean
Sauf Consulting Ltd
April 1999
1. Introduction
Despite the fact that IEC 61508 (Ref. 1) was only issued (in part) on 1st January 1999, process
industries have already implemented the draft standard on a number of projects. In addition, some
operating companies and contractors have developed internal procedures and standards with the
objective of enabling consistent application and integration of IEC 61508 within the overall safety
assessment process.
This enthusiasm stems from the perceived benefits of adopting the new standard to provide a
consistent justification of the level of integrity needed for different instrument functions. In addition,
many industries recognise the long term benefits that can be achieved through the application of
IEC 61508 throughout the supply chain.
However, there has not been widespread success of adopting IEC 61508 across all projects. The
reasons for this stem from the perception of what the standard is, how it can be implemented
consistently and what the results of a functional safety assessment mean.
Before going any further, it is important that certain terms used within IEC 61508 are clearly
understood.
- The term 'Safety Integrity' is defined as 'the likelihood of a safety related system (SRS)
satisfactorily performing the required safety functions under the stated conditions, within a
stated period of time.'
- The term 'Safety Integrity Level (SIL)' is defined as 'one of four possible discrete levels for
specifying the safety integrity requirements of the safety functions to be allocated to the safety
related system (SRS).'
- The term 'Functional Safety' is defined as 'the ability of a safety related system (SRS) to carry
out the actions necessary to achieve or maintain a safe state for the equipment under control
(EUC).'
- The term 'Functional Safety Assessment (FSA)' is defined as 'the undertaking of an
investigation in order to arrive at a judgement, based on evidence, of the functional safety
achieved by one or more safety related system (SRS) and/or external risk reduction facilities.'
This paper explains the hazard and risk assessment process that needs to be followed within a
Functional Safety Assessment (FSA) with reference to systems typical of the process industry.
This paper also attempts to highlight some of the pitfalls of carrying out a FSA and how the
application of IEC 61508 can be integrated into projects to achieve maximum benefit.
© Sauf Consulting Ltd, 1999
Page 1 of 13
www.sauf.co.uk
2. The Risk Assessment Framework
Before attempting to carry out a FSA through the implementation of IEC 61508 on a project, it is
essential that the general principles of risk assessment be understood. To make effective
decisions, those involved in assessment need to know what potential threat the failure of the
equipment under control poses and how great the likelihood is that people will be harmed.
Gathering and analysing this information is referred to as risk assessment.
Note that risk assessment can also be used to determine the potential threat to assets and/or the
environment, as well as risks to personnel. The principles of IEC 61508 can be used in the risk
assessment for all these issues, provided appropriate tolerable risk criteria are used. However, IEC
61508 is principally a standard applicable to the safety of personnel.
It must be recognised that IEC 61508 is a risk-based standard and that, in order to apply the
standard, criteria which define the tolerability of risks must be established for the project. As
a minimum, this measure of the tolerability of risk must state what is deemed reasonable with
respect to both the frequency (or probability) of the hazardous event and its specific
consequences.
For many projects worldwide, the objective of meeting some pre-defined risk acceptance criteria is
fundamental throughout the design decision process. For UK based offshore oil and gas projects, this
is carried out through the demonstration of ALARP under the framework of the Safety Case
Regulations (Ref. 2). For UK based onshore projects this is carried out through the demonstration
of ALARP under the framework of the COMAH Regulations (Ref. 3). In other parts of the world,
similar goal setting regimes are in place whereas some nations still rely on prescriptive legislation.
Through the FSA process, the objective is to ensure that the safety-related systems are designed
to reduce the likelihood and/or consequences of the hazardous event to meet the tolerable risk
criteria. To achieve this objective, the process that is followed within the FSA can be summarised
by three key stages, as follows.
1. Establish the tolerable risk criteria.
2. Assess the risks associated with the equipment under control.
3. Determine necessary risk reduction needed to meet the risk acceptance criteria.
These three key stages in the FSA process are described in more detail in the succeeding
sections.
3. Tolerable Risk Criteria
The tolerability of risks can be expressed in a number of different ways, which vary between
operators and with the cultural and regulatory environment of the project's location. In general, these
criteria can be qualitative or quantitative, although there is often some overlap in the way the criteria
are expressed.
Qualitative criteria use words such as probable, frequent, unlikely, remote, etc. to describe the
likelihood of an event and words such as minor, major, catastrophic, etc. to describe the
consequences of the event. However, in order to ensure that these criteria are applied consistently,
it is often necessary to introduce quantitative numbers to provide a clear definition of how the
words should be interpreted. For example, unlikely may be defined as 'once every 10 to 100
years', or 'may happen once over the life of 10 similar facilities'.
Quantitative criteria on the other hand use numbers to describe the likelihood and severity of the
event. This can include criteria such as 'an event having a frequency of less than 10^-3 per year', or
'the potential loss of life (PLL) associated with an event having a likelihood of less than 10^-4 per
year', etc. However, there is a certain amount of uncertainty associated with the numerical
prediction of the likelihood or consequences of an event. For example, two different techniques
may yield slightly different results for the likelihood of an event, say 1.05 x 10^-3 and 0.95 x 10^-3. If
the tolerable risk criterion is 1.0 x 10^-3, some qualitative interpretation will be necessary to decide if
the event is in the tolerable region or not.
Whether qualitative or quantitative tolerable risk criteria are used, the important issue to appreciate
is that there is always some blurring between them. The (qualitative) words invariably need some
numbers to make sure they are interpreted consistently and the (quantitative) numbers need some
words to make sure they are applied consistently. As far as IEC 61508 is concerned, it is
immaterial if qualitative or quantitative criteria are used since the standard can be applied equally
using either approach.
By way of example, some typical techniques for expressing the tolerability of risks including two
matrices and a risk band diagram are shown in Figures 1 to 3 respectively.
4. Assessing the Risk
The term risk assessment conjures up different meanings for many people when in fact the
principles are quite simple. Risk assessment can be defined as determining the potential harm a
situation poses and how great is the likelihood that people, the asset or the environment will be
harmed.
As part of the hazard identification process, formal techniques such as HAZID and HAZOP should
be used to identify the hazards associated with a particular process system. In order to reduce the
likelihood and/or control the consequences of these hazards, it is appropriate in some
circumstances to use E/E/PE control systems which must then be subject to the FSA process.
Note that the FSA does not identify hazards; this is best carried out using formal techniques such
as HAZID and HAZOP.
When applying IEC 61508, the risk assessment can be summarised as asking the question, 'how
likely is the equipment under control to fail and if it does fail, what is the outcome?' To answer this
question information must be available on the likelihood and consequences of the hazardous
events that the equipment under control mitigates against. However, in order to determine this
information for typical process plant applications, the boundary of the system in terms of cause and
effect must be defined, as will become evident in the following discussion.
The likelihood or frequency of an event relating to the equipment under control can arise from either
intrinsic or extrinsic causes. Intrinsic causes are events such as component failures, software
failures, or human error within the equipment under control. Extrinsic causes generally apply to
protective systems that only need to function when some other failure within the process plant
occurs; for example, protection against over pressurisation, which can only occur as a result of other
failures somewhere within the process plant. Therefore, the boundary as far as the likelihood of an
event is concerned must consider both the intrinsic failure rate and the extrinsic demand rate of the
equipment under control.
The consequences or severity of an event relating to equipment under control can range from the
direct effects of the incident to all subsequent events along the escalation path. Although it is
relatively easy to assess the immediate effects of an incident, the knock on effects further down the
escalation path are more difficult to determine unless techniques such as event tree analysis are
used. This introduces a dilemma, since the true consequences of an event can only be determined
if the escalation path is assessed through to its end conclusions, although the escalation path itself
may contain other separate functions which are themselves subject to the FSA process. In order to
aid clarity, it is best to illustrate this statement by use of an example.
Consider an instrument based protection system within a process system used to prevent over
pressurisation. The immediate consequences should the equipment under control fail could be a
rupture of the pipework and a significant hydrocarbon release. Apart from the immediate fatalities
in the vicinity of the leak, the effects of this event with respect to personnel fatalities will depend on
the success (or failure) of a number of further systems in the escalation path. This release may or
may not be detected; the isolation and blowdown system may or may not work; the release may or
may not ignite; the fire may or may not cause further loss of containment and escalation; the
firewater system may or may not work; the temporary refuge may or may not protect the personnel;
the lifeboats may or may not be launched successfully.
As can be seen from this example, the boundary applied for the consequences of an incident plays an
important role in the complexity of the analysis and the determination of the safety integrity level.
Also, in order to accurately determine the precise likelihood that people will be harmed, the
boundary of the analysis has to extend to the end of the event tree. However, if the boundary is
extended to cover every potential path within the event tree, the analysis will include systems not
directly affected by the equipment under control and which may themselves be subject to FSA.
Another important issue to appreciate using this example is that in the FSA process, overall safety
performance could be improved by achieving a high availability for any element in the escalation
path, such as gas detection; isolation and blowdown; protection against ignition; prevention of
escalation to adjacent plant; the firewater system; the temporary refuge; the lifeboats. However,
such an approach would miss the point that FSA is for the equipment that is providing the
protective function, which in this case is to prevent over pressurisation.
In order to resolve this issue and ensure that IEC 61508 is applied logically, the approach being
developed within ISO 10418 (Ref. 4) is to define the boundary of a FSA for a given protective
function as the immediate consequences of an event rather than introduce the full escalation path.
Therefore, using the example of the loss of containment through over pressurisation, the boundary
of the system would be the detection mechanism and isolation devices, which would isolate the
downstream systems from the potential over pressurisation.
This concept of the FSA boundary for the equipment under control that provides a protective
function is illustrated in Figure 4.
In typical over pressure protection schemes, it is customary to design detection and isolation using
independent primary, secondary and sometimes tertiary systems. It is important that the FSA
considers all such systems together when determining if further risk reduction is necessary. If such
primary and secondary systems are assessed separately, the results of the analysis will give a
perceived need for further major risk reduction, which is unlikely to be the case.
For example, the primary means of over pressure protection may be by a high pressure trip
initiating closure of an isolation valve with secondary protection provided by a pressure relief valve.
Further risk reduction is unlikely to be necessary for this configuration since a pressure relief valve
provides high reliability protection against over pressurisation. However, an alternative design may
utilise a high integrity over pressure detection and isolation system in place of the pressure relief
valve in which case further risk reduction may be appropriate.
5. Determining the Necessary Risk Reduction
Having established the tolerable risk criteria and gathered the information needed to assess the
risks, the next step is to determine if any further risk reduction is necessary. IEC 61508 Part 5
provides a number of techniques to determine the necessary risk reduction, in particular, Annexes
D and E, the risk graph and the hazardous event severity matrix methods respectively.
However, before discussing these two techniques, the concept of 'necessary risk reduction' must
be clearly understood. The principle of IEC 61508 is that the equipment under control that is being
assessed may be perfectly adequate, in which case, no further risk reduction is necessary. On the
other hand, the FSA may determine that further risk reduction is necessary in which case, the
design of the protective function must meet a given availability rating in order to achieve the
necessary risk reduction.
Note that IEC 61508 does not specifically set out to determine the appropriate SIL rating for a
given protective function although such an approach may be beneficial in design development of
control systems for complex process plant.
The basic principles of the risk graph and the hazardous event severity matrix methods are to
assess the risk of the equipment under control. Referring back to Figures 1 to 3, if the risk
associated with the equipment under control is not within the tolerable (or negligible) regions,
further risk reduction is necessary to bring the risks down to a level that is in the tolerable region.
The SIL rating gives a measure of the magnitude of risk reduction necessary to achieve a tolerable
level.
Therefore, it is important to recognise that the example methods given in Annexes D and E cannot
be used directly without calibration against the criteria for tolerability of risk for the particular project
under consideration.
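As an added worked example (not part of the paper), the following Python script puts Sections 3 to 5 into numbers: it credits the independent layers that sit inside the FSA boundary, computes the necessary risk reduction for the E/E/PE SRS against a tolerable PLL criterion, maps that factor onto a SIL band, and flags results that sit on a band boundary where the paper says qualitative judgement is needed. It assumes the low-demand PFDavg bands of IEC 61508-1 Table 2 (which the paper does not reproduce) and constructed demand rates, fatality counts and a relief valve PFD.

```python
"""Necessary risk reduction for a protective function, expressed as a SIL band.

Added illustration; not the paper's or the standard's own method. Assumptions:
  - risk is potential loss of life (PLL) per year against a tolerable PLL criterion;
  - SIL bands are the low-demand PFDavg targets of IEC 61508-1 Table 2;
  - independent non-E/E/PE layers inside the FSA boundary (e.g. a relief valve)
    are credited with a constructed PFD before the E/E/PE SRS is sized.
"""
import math
from dataclasses import dataclass
from typing import Dict, Tuple

# Low-demand PFDavg bands of IEC 61508-1 Table 2: (SIL, lower bound inclusive, upper bound exclusive).
SIL_PFD_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))

# Labels chosen to mirror the '-', 'a' and 'h' outcomes of the Annex D risk graph table.
NO_REDUCTION = "no further risk reduction necessary"
NO_SPECIAL = "no special safety requirements"
NOT_SUFFICIENT = "a single E/E/PE SRS is not sufficient"


@dataclass(frozen=True)
class ProtectiveFunction:
    name: str
    demand_rate: float                       # extrinsic demand rate on the EUC, events per year
    fatalities: float                        # expected deaths per unmitigated event (immediate consequences only)
    other_layer_pfd: Tuple[float, ...] = ()  # PFD of each independent non-E/E/PE layer inside the boundary


def unmitigated_pll(pf: ProtectiveFunction) -> float:
    """PLL per year with no protection: the unwanted-occurrence frequency (W) times the severity (C)."""
    return pf.demand_rate * pf.fatalities


def residual_pll(pf: ProtectiveFunction) -> float:
    """PLL per year after crediting the other independent layers, before any E/E/PE SRS."""
    pll = unmitigated_pll(pf)
    for pfd in pf.other_layer_pfd:
        pll *= pfd
    return pll


def required_risk_reduction(pf: ProtectiveFunction, tolerable_pll: float) -> float:
    """Factor by which the E/E/PE SRS must reduce the residual risk; 1.0 or less means none is needed."""
    return residual_pll(pf) / tolerable_pll


def sil_for_risk_reduction(rrf: float) -> Tuple[str, int]:
    """Map a required risk reduction factor onto a SIL band; returns (label, sil), sil 0 when no SIL applies."""
    if rrf <= 1.0:
        return NO_REDUCTION, 0
    target_pfd = 1.0 / rrf                   # the SRS may fail on demand no more often than this
    if target_pfd >= SIL_PFD_BANDS[0][2]:
        return NO_SPECIAL, 0                 # less than a factor of 10 is needed: below SIL 1
    for sil, lower, upper in SIL_PFD_BANDS:
        if lower <= target_pfd < upper:
            return f"SIL {sil}", sil
    return NOT_SUFFICIENT, 0                 # more than a factor of 1e5: beyond SIL 4


def is_borderline(rrf: float, tolerance: float = 0.1) -> bool:
    """True when rrf lies within `tolerance` of a decade boundary (1, 10, 100 ...).

    This is the Section 3 situation: 1.05e-3 and 0.95e-3 against a 1e-3 criterion differ only
    by the uncertainty of the estimate, so the qualitative judgement must be made and recorded.
    """
    if rrf <= 0.0:
        return False
    nearest_decade = 10.0 ** round(math.log10(rrf))
    return abs(rrf / nearest_decade - 1.0) <= tolerance


def assess(pf: ProtectiveFunction, tolerable_pll: float) -> Dict[str, object]:
    """Assessment record for one protective function against one tolerable PLL criterion."""
    rrf = required_risk_reduction(pf, tolerable_pll)
    label, sil = sil_for_risk_reduction(rrf)
    return {"function": pf.name, "residual_pll": residual_pll(pf), "rrf": rrf,
            "label": label, "sil": sil, "borderline": is_borderline(rrf)}


# Constructed scenario: the paper's over-pressure example, assessed two ways (Section 4).
TOLERABLE_PLL = 1e-3  # constructed criterion: deaths per year tolerated for this hazard

# High-pressure trip assessed on its own: a demand roughly every three years, one expected death.
TRIP_ALONE = ProtectiveFunction("HP trip assessed alone", demand_rate=0.3, fatalities=1.0)
# The same function with the relief valve (constructed PFD 1e-2) credited inside the boundary.
TRIP_WITH_RELIEF = ProtectiveFunction("HP trip with relief valve", 0.3, 1.0, other_layer_pfd=(1e-2,))

if __name__ == "__main__":
    for pf in (TRIP_ALONE, TRIP_WITH_RELIEF):
        print(assess(pf, TOLERABLE_PLL))
```

Assessed alone the trip comes out at SIL 2; with the relief valve credited inside the boundary the required factor drops to about 3, which is the paper's point that assessing primary and secondary systems separately manufactures a need for further risk reduction.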
6. The Risk Graph Method
The Risk Graph method shown in Annex D of IEC 61508 Part 5 is a qualitative method that
enables the safety integrity level of a safety-related system to be determined from a knowledge of
the risk factors associated with the equipment under control and the associated control system. It
is applicable to most protective functions except those using multiple independent protective
systems (i.e., primary, secondary, tertiary, etc.).
The principles of the risk graph method have been adopted in the UKOOA document, Instrument-Based
Protective Systems (Ref. 5) and other standards published by offshore operators. This
method can be considered as a decision tree approach in which the review team considers four
issues in turn to arrive at the required SIL rating, as follows.
- Consequence risk parameter
- Frequency and exposure time risk parameter
- Possibility of failing to avoid hazard risk parameter
- Probability of the unwanted occurrence parameter
In order to ensure that this approach is applied consistently, it is essential that these four terms are
clearly and unambiguously understood by all participants of the review. Although Annex D includes
an illustrative example for the risk graph method, as shown in Figure 5, the consequence and
frequency bands must be calibrated against the tolerable risk criteria in use. In some cases, this
will involve introducing additional consequence and frequency bands, as shown in Figure 6. In
addition, the calibration should consider some example cases to ensure that the resulting SIL
rating will bring the risk down to within the tolerable region of the criteria in use.
An example of applying the resulting numerical criteria to the definition of the four parameters from
such a calibration exercise is shown in Figure 7.
7. The Hazardous Event Severity Matrix Method
The Hazardous Event Severity Matrix method shown in Annex E of IEC 61508 Part 5 is also a
qualitative method that enables the safety integrity level of a safety-related system to be
determined from a knowledge of the likelihood and consequences of failure associated with the
equipment under control and the associated control system. It is primarily applicable to protective
functions using multiple independent protective systems (i.e., primary, secondary, tertiary, etc.).
This method can be considered as a decision matrix approach in which the review team considers
three issues in turn to arrive at the required SIL rating, as follows.
- Consequence risk parameter
- Frequency risk parameter
- Number of independent protective functions parameter
These three terms tend to be more readily understood than the four parameters used in Annex D
since the consequence and frequency parameters are exactly the same as those used in most
tolerable risk criteria. The illustrative example given in IEC 61508 Annex E is shown in Figure 8 but
as is the case with the risk graph method (Annex D), the consequence and frequency bands must
be calibrated against the tolerable risk criteria in use. Again, this generally involves introducing
additional consequence and/or frequency bands, as shown in the example given in Figure 9. This
calibration should also consider some example cases to ensure that the resulting SIL rating will
bring the risk down to within the tolerable region of the criteria in use.
8. Summary
This paper has given a brief illustration of the principles behind the Functional Safety Assessment
(FSA) process to determine the necessary risk reduction. The key issue from the foregoing
discussion is that IEC 61508 does not provide an explicit method for carrying out a FSA; it only
provides a framework.
Although this is consistent with the aims and objectives of IEC 61508, being a standard written to
be applicable to a wide range of industries, initial attempts to apply the draft standard have in
general failed to appreciate this fact. However, with the development of other supporting standards
such as ISO 10418 and IEC 61511 (Ref. 6), the application of the FSA process will undoubtedly
become an integral part of the design development for process facilities worldwide.
As a final summary, it is worth reiterating some points raised in this paper which should be borne in
mind in the FSA of typical process systems.
- The FSA does not identify hazards; this is best carried out using formal hazard identification
techniques such as HAZID and HAZOP.
- The FSA should ideally take place after the basic control scheme has been devised but before
any decisions have been made on detailed solutions for high reliability instrumentation and
control functions. This includes issues such as the duplication of instruments or isolation
devices to improve availability or the provision of primary and secondary protective functions.
- In order to carry out a FSA effectively, it is essential that information on the likelihood and
consequences of the hazardous events that the protective functions mitigate against is
known.
- The FSA should consider each of the protective functions and not each control loop. If each
control loop is considered individually, primary and secondary loops which protect against the
same hazard will be assessed in isolation.
- The boundary of the equipment under control being considered in the FSA should be clearly
defined as the detection, initiation and operation of the safety related system. The boundary
should not include consequences further along the escalation path.
- When applying a qualitative FSA approach, it is often assumed that the assessment should
take place using a group review style meeting, similar to a HAZOP. It is often more productive
to prepare a FSA report which is circulated for comment, with the review meeting used to
formally agree the SIL ratings for the various protective functions.
9. Abbreviations
ALARP   As Low As Reasonably Practicable
COMAH   Control of Major Accident Hazards (see Ref. 3)
E/E/PE  Electrical/Electronic/Programmable Electronic
EUC     Equipment Under Control
FSA     Functional Safety Assessment
HAZID   Hazard Identification (Study)
HAZOP   Hazard and Operability (Study)
IEC     International Electrotechnical Commission
ISO     International Organization for Standardization
PLL     Potential Loss of Life
SCR     Safety Case Regulations (see Ref. 2)
SIL     Safety Integrity Level
SRS     Safety Related System
UKOOA   United Kingdom Offshore Operators Association
10. References
1. IEC 61508 Part 1 Revision 1.0. Functional safety: safety-related systems - Part 1: General
requirements. Published January 1999.
IEC 61508 Part 2 Revision 1.0. Functional safety of electrical / electronic / programmable
electronic safety-related systems - Part 2: Requirements for electrical / electronic /
programmable electronic safety-related systems, Final Draft International Standard (FDIS)
version. Planned to be published in October 1999.
IEC 61508 Part 3 Revision 1.0. Functional safety: safety-related systems - Part 3: Software
requirements, Published January 1999.
IEC 61508 Part 4 Revision 1.0. Functional safety: Safety related systems - Part 4: Definitions
and abbreviations of terms, Published January 1999.
IEC 61508 Part 5 Revision 1.0. Functional safety: safety-related systems - Part 5: Guidelines
on the application of part 1, Published January 1999.
IEC 61508 Part 6 Revision 1.0. Functional safety of electrical / electronic / programmable
electronic safety-related systems - Part 6: Guidelines on the application of Parts 2 and 3.
Planned to be published in October 1999.
IEC 61508 Part 7 Revision 1.0. Functional safety of electrical / electronic / programmable
electronic safety-related systems - Part 7: Overview of techniques and measures. Planned to
be published in October 1999.
2. The Offshore Installations (Safety Case) Regulations (SCR), SI 1992 No 2885, HMSO.
3. The Control of Major Accident Hazards Regulations (COMAH), SI 1999 No 743, HMSO.
4. ISO/WD 10418 Revision 3. Petroleum and natural gas industries - Offshore production
installations - Analysis, design, installation and testing of basic surface process safety systems
for offshore installations - Requirements and guidelines. Working Draft (WD) International
Standard. February 1999.
5. United Kingdom Offshore Operators Association (UKOOA). Instrument-Based Protective
Systems, Document Number CP012, 1995.
6. IEC 61511 Revision 1.0. Programmable Electronic Systems (PES) for use in safety
applications. Current Stage: Approved New Work (ANW). Planned publication date not known.
Simon Dean works as a safety consultant primarily in the oil & gas and process industries specialising in risk
assessment, formal safety assessment and availability analysis and can be contacted at simon@sauf.co.uk.
Frequency      Consequence
               Catastrophic   Critical   Marginal   Negligible
Frequent       1              1          1          2
Probable       1              1          2          3
Occasional     1              2          3          3
Remote         2              3          3          4
Improbable     3              3          4          4
Incredible     4              4          4          4

Risk class 1   Intolerable risk.
Risk class 2   Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs
               are grossly disproportionate to the improvement gained.
Risk class 3   Tolerable risk if the cost of risk reduction would exceed the improvement gained.
Risk class 4   Negligible risk.

Note: The actual population with risk classes 1, 2, 3 and 4 depends upon what the actual
frequencies are for frequent, probable etc. Therefore, this table should be seen as
an example of how such a table could be populated, rather than as a specification.
Figure 1 — Example Risk Classification and Tolerability of Accidents Matrix
Likelihood categories:
- Unlikely (Category 1): Not likely to occur in the life of the facility. May occur in one of
  several like facilities.
- Remote (Category 2): Likely to occur once in the life of the facility (e.g., once every 50 years).
- Occasional (Category 3): Likely to occur more than once in the life of the facility (e.g., once
  every 10 years).
- Frequent (Category 4): Likely to occur several times in the life of the facility (e.g., once yearly).

Severity levels:
- Negligible (Level 1): Operating personnel: superficial injury. Public: no impact.
  Environmental: hazardous process fluid contained. Equipment: minor equipment damage
  and negligible downtime (<1 day).
- Marginal (Level 2): Operating personnel: minor injury. Public: no impact.
  Environmental: small release of hazardous process fluid. Equipment: minor system damage
  and downtime (>1 day).
- Critical (Level 3): Operating personnel: severe injury. Public: exposed to accident.
  Environmental: uncontained release of hazardous process fluid. Equipment: major system
  damage and downtime (>10 days).
- Catastrophic (Level 4): Operating personnel: death. Public: exposed to threatening accident.
  Environmental: large, uncontained release of hazardous process fluid. Equipment: extensive
  facility damage and extended downtime (>90 days).

Severity                 Likelihood
                         Unlikely (1)   Remote (2)   Occasional (3)   Frequent (4)
Negligible (Level 1)     1              2            2                3
Marginal (Level 2)       2              4            6                6
Critical (Level 3)       3              6            7                8
Catastrophic (Level 4)   4              7            8                9

Risk ranking:
- 7 to 9: Unacceptable risks. Risk reduction mandatory.
- 3 to 6: Transitional risks. Consider risk reduction if costs are not excessive.
- 1 to 2: Tolerable risks. No risk reduction required.
Figure 2 — Example Matrix of Qualitative Risk Acceptance Criteria
[Figure: risk band diagram. Horizontal axis: Frequency (per year), from Very Remote (10^-6)
through Remote (10^-5), Low Probability (10^-4), Possible (10^-3), Probable (10^-2) and
Frequent (10^-1) to 1. Vertical axis: Consequence, from Minor through Significant and Major to
Catastrophic. Three bands are marked across the diagram: Zone 1, Risk Reduction Region;
Zone 2, Transitional Risk Region; Zone 3, Tolerable Risk Region.]
Figure 3 — Example Risk Bands for Tolerability of Hazards
Demand on overpressure protection system
  -> Successful detection & isolation
     [Boundary of SIL assessment for systems which protect against over pressurisation]
  -> Failure to detect or isolate source
     -> Hydrocarbon release within specific area
        -> Successful area detection & isolation
           [Boundary of SIL assessment for systems which provide area gas detection]
        -> Failure to detect or isolate release
           -> Demand on firewater system
              -> Successful control of fire within area
                 [Boundary of SIL assessment for systems which provide area firewater protection]
              -> Failure to control fire & major escalation
Figure 4 — Boundary of SIL Assessments for Typical Events in Escalation Path
[Figure: risk graph. From the starting point for risk reduction estimation the path branches on
the consequence parameter (C1, C2, C3, C4), then on the frequency and exposure time
parameter (F1, F2), then on the possibility of avoiding the hazard (P1, P2), arriving at one of
eight outcome rows; the column within the row is selected by the probability of the unwanted
occurrence (W3, W2, W1). The outcome rows read, from least to most demanding:]

      W3   W2   W1
      a    -    -
      b    a    -
      c    b    a
      d    c    b
      e    d    c
      f    e    d
      g    f    e
      h    g    f

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Possibility of avoiding hazard risk parameter
W = Probability of the unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

Necessary minimum risk reduction   Safety integrity level
-                                  No safety requirements
a                                  No special safety requirements
b, c                               1
d                                  2
e, f                               3
g                                  4
h                                  An E/E/PE SRS is not sufficient

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the
necessary minimum risk reduction and the safety integrity level is shown in the table.
Figure 5 — Illustrative Example of Risk Graph Method from IEC 61508
[Figure: extended risk graph. The consequence parameter is extended to four categories
(E1, E2, E3, E4), each branching on F1/F2 and P1/P2 as in Figure 5, and the probability of
the unwanted occurrence is extended to five bands (W0 to W4). The outcome grid reads, from
top row to bottom row:]

      W0      W1      W2      W3      W4
      a       a       a       a       SIL 1
      a       a       a       SIL 1   SIL 2
      a       a       SIL 1   SIL 2   SIL 3
      a       SIL 1   SIL 2   SIL 3   SIL 4
      SIL 1   SIL 2   SIL 3   SIL 4   b
      SIL 2   SIL 3   SIL 4   b       b
Figure 6 — Example of Extended Risk Graph with Additional Frequency Bands
Risk parameter: Consequence (C)
  Qualitative classification                                Numerical classification
  C1  Minor injury.                                         No deaths.
  C2  One death or permanent injury to one or more persons. <= 0.1 deaths.
  C3  Several deaths.                                       <= 1 deaths.
  C4  Very many people killed.                              > 1 deaths.
  Comments: This decision is related to the severity of the hazard in terms of released energy,
  nature of hazardous condition etc.

Risk parameter: Exposure in the hazardous zone (F)
  Qualitative classification                                Numerical classification
  F1  Rare to more often exposure.                          <= 6 manhours/day.
  F2  Frequent to permanent exposure.                       > 6 manhours/day.
  Comments: Exposure is calculated from the expected mean occupancy or personnel exposure
  in the hazard zone, for normal operation.

Risk parameter: Possibility of avoiding the hazardous event (P)
  Qualitative classification                                Numerical classification
  P1  Possible under certain conditions.                    Generally possible to avoid danger.
  P2  Almost impossible.                                    No reasonable possibility to avoid danger.
  Comments: This parameter is to do with avoiding injury after the hazard has occurred, and
  takes into account:
  - rate of development of the hazard;
  - recognition of condition (visual/automatic alarm etc);
  - escape possibility from danger area.

Risk parameter: Probability of the unwanted occurrence (W)
  Qualitative classification                                Numerical classification
  W1  A very slight probability.                            < Once in ten years.
  W2  A slight probability.                                 < Once per year.
  W3  A relatively high probability.                        >= Once per year.
  Comments: This represents the frequency of the unwanted occurrence taking place WITHOUT
  any safety-related systems, but including external risk reduction facilities. It is NOT the
  probability of the hazard occurring, which will be much less because of the presence of the
  safety system.
Figure 7 — Example Data for Calibration of Risk Graph Method
[Figure: hazardous event severity matrix. Rows: number of independent SRSs and external risk
reduction facilities [E] (including the E/E/PE SRS being classified), 3, 2 or 1. Columns: event
likelihood [D], Low, Med, High. One panel per hazardous event severity.]

Minor                        Low        Med        High
  Independent SRSs: 3        [C]        [C]        [C]
  Independent SRSs: 2        [C]        [C]        [C]
  Independent SRSs: 1        [C]        [C]        SIL 1

Serious                      Low        Med        High
  Independent SRSs: 3        [C]        SIL 1      SIL 1
  Independent SRSs: 2        [C]        SIL 1      SIL 2
  Independent SRSs: 1        SIL 1      SIL 2      SIL 3 [B]

Extensive                    Low        Med        High
  Independent SRSs: 3        SIL 1      SIL 1      SIL 2
  Independent SRSs: 2        SIL 1      SIL 2      SIL 3 [B]
  Independent SRSs: 1        SIL 3 [B]  SIL 3 [B]  SIL 3 [A]

[A] One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk level.
Additional risk reduction measures are required.
[B] One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk level. Hazard
and risk analysis is required to determine whether additional risk reduction measures are necessary.
[C] An independent E/E/PE safety-related system is probably not required.
[D] Event likelihood is the likelihood that the hazardous event occurs without any safety related systems or
external risk reduction facilities.
[E] SRS = safety-related system. Event likelihood and the total number of independent protection layers are
defined in relation to the specific application.
Figure 8 — Illustrative Example of Hazardous Event Severity Matrix Method from IEC 61508
[Figure: extended hazardous event severity matrix with the same row structure (number of
independent SRSs and external risk reduction facilities [E], including the E/E/PE SRS being
classified, 3, 2 or 1) and the same three severity panels (Minor, Serious, Extensive) as Figure 8,
but with the event likelihood [D] axis split into seven bands in events per year: 10^-5 to 10^-4,
10^-4 to 10^-3, 10^-3 to 10^-2, 10^-2 to 10^-1, 10^-1 to 1, 1 to 10 and 10 to 100. Cell entries
range from [C] in the low-likelihood, multiple-SRS cells through SIL 1, SIL 2 and SIL 3 [B] to
SIL 3 [A] in the high-likelihood, single-SRS cells of the Serious and Extensive panels. Notes [A]
to [E] are as given for Figure 8.]
Figure 9 — Example of Extended Hazardous Event Severity Matrix with Additional Likelihood Bands