
POLITECNICO DI TORINO

DIPARTIMENTO DI ENERGETICA

Risk Assessment
Risk Analysis / Safety and Risk Analysis

Methodologies - Part 5
Andrea CARPIGNANO
andrea.carpignano@polito.it

Ed. 2008/09

Standards IEC 61508 & 61511

Part 5: IEC 61508 & 61511

Safety Life Cycle in the design of process systems

Standard IEC/EN 61508


STANDARD IEC/EN 61508
Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

The Standard IEC 61508 is an international standard that sets the general approach for all the activities of the Safety Life Cycle of E/E/PE (Electrical / Electronic / Programmable Electronic) Systems used to perform Safety Functions.
The Standard IEC 61508 provides a method for the development of specific safety requirements, and it introduces the Safety Integrity Levels (SIL) and their use.

Functional Safety

Functional Safety is the portion of total safety that depends on a system, or a device, operating properly in response to one or more logic inputs.
This portion is strictly related to the Process and to the Basic Process Control System (BPCS), which depend on the correct functioning of the Safety Instrumented System (SIS) and of the other [Independent] Protection Layers.

Safety Instrumented Functions (SIFs)

A Safety Instrumented Function (SIF) is a function that has to be implemented by a Safety Instrumented System (SIS) and by other [Independent] Protection Layers, to maintain or restore safety in the process, in relation to a specific dangerous event (when one or more predetermined conditions are not met).

Standard IEC/EN 61508

Recipients of the standard:
- Designers of equipment and "complex" systems
- Designers of components for safety systems
- Designers of software for managing safety systems

[Figure: example process loop with transmitter T+, P, and valves V1 and V2]

Safety Instrumented Systems (SISs)

A Safety Instrumented System (SIS) is a combination of one or more:
- Sensors (e.g. transmitters, switches, sensors, etc.);
- Logic Solvers with E/E/PE technology, where:
  E = Electrical (e.g. electromechanical relay)
  E = Electronic (e.g. solid-state logic)
  PE = Programmable Electronic (e.g. PLC);
- Final elements (e.g. solenoids, actuators, valves, etc.);
- Input and output devices (I/O);
- User interfaces;
- Power supplies (feeders).

Categories of SIS systems & subsystems

The IEC 61508 considers two categories of systems / subsystems.
A system/subsystem is defined as Type A if it meets the following requirements:
- the failure modes of all the constituent components are well defined;
- the behavior of the system under fault conditions can be determined in a comprehensive and exhaustive way;
- there are sufficient data from the field or from tests to support the reliability data associated with the different failure modes.

A system/subsystem is defined as Type B if not all of the above criteria are met.
Typical examples of Type A components, according to the standard, are switches, relays, solenoid valves, etc.
Typical Type B components are microprocessors and other electronic components that implement complex logic.

Structure of the Standard IEC/EN 61508

Part 1: General Requirements
Part 2: Requirements for Electrical/Electronic/Programmable Electronic Safety-Related Systems (E/E/PES)
Part 3: Software Requirements
Part 4: Definitions and Abbreviations
Part 5: Examples of Methods for the Determination of SILs
Part 6: Guidelines on the Application of Parts 2 and 3
Part 7: Overview of Techniques and Measures

Definition of Safety Integrity Level (SIL)

The Safety Integrity Level (SIL) is a discrete level (one out of a possible four), corresponding to a set of safety integrity values, where SIL 4 is the highest and SIL 1 is the lowest.
It is a complex parameter indicating a range of probability that a SIS performs a safety instrumented function correctly within a preset period of time, while respecting defined technical, architectural, functional and design requirements.
It is important to remark that the SIL is allocated to an independent Safety Instrumented Function (SIF), which can be implemented by one or more SISs, and not directly to a SIS (which anyway inherits the SIL allocated to the SIF it implements).

Safety Life Cycle (I)

The Safety Life Cycle is represented by all the necessary activities involved in the implementation of Safety-Related Systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems and other risk reduction measures are no longer available for use (decommissioning).

Safety Life Cycle (II)

- Phase 1: General Conception of the Functional Safety Project
- Phase 2: Definition of the overall objective of the Functional Safety Project
- Phase 3: Risk Analysis
- Phase 4: Allocation of the safety functions to the Independent Levels of Protection & SIL Allocation
- Phase 5: Specification of the Safety Requirements of the SIS (SRS)
- Phase 6: Design and engineering of SIS & SIL Verification
- Phase 7: Factory Acceptance Test (FAT)
- Phase 8: Installation and Commissioning Service of SIS
- Phase 9: Site Acceptance Test (SAT)
- Phase 10: Operation and Maintenance
- Phase 11: Modifications
- Phase 12: Decommissioning of SIS

Standards derived from IEC/EN 61508

STANDARD IEC 61511
Functional Safety: Safety Instrumented Systems for the Process Industry Sector

STANDARD IEC 61513
Nuclear Power plants - Instrumentation and Control for Systems important to safety - General Requirements for Systems

STANDARD EN 50402
Electrical Apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen. Requirements on the functional safety of fixed gas detection systems

STANDARD IEC 62061
Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

APPLYING THE STANDARD IEC 61508

1. Definition of SILs according to the risk analysis of the system
2. Design of safety systems
3. Checking of the level of SIL imposed
4. Commissioning and management to maintain the level of SIL of the project

Flowchart of the risk analysis supporting step 1:
START
-> System Description
-> Hazard Identification (Historical Analysis, HAZID, HAZOP, FMECA)
-> Selection of critical events (Risk Matrix): Not critical -> END; Critical -> continue
-> Selection and Grouping of Initiating Events
-> Analysis of Accidental Sequences
-> Probabilistic Analysis (Event Tree Analysis, Fault Tree Analysis, Simulation Models, Data Banks)
-> Accident Simulation
-> Risk Assessment (Tolerability Criteria): Tolerable -> END; Not Tolerable -> Design and Management review

STEP 1 - SIL Allocation to Safety Instrumented Functions

- Identification of the hazards, of the related expected frequencies, incidental scenarios and safety-related critical systems, by means of qualitative and/or quantitative techniques
- Definition of a policy of SIL (Safety Integrity Level) allocation to the SIFs identified and deemed necessary

Approach to SIL Allocation suggested by the Standard

From top to bottom the level of complexity and detail of the analyses increases; from bottom to top the level of conservativity in the allocation of SILs increases:
- HAZOP and Simplified Risk Matrixes
- Calibrated Risk Graph Method
- LOPA (Layer of Protection Analysis)
- QRA (Quantitative Risk Assessment)

SIL Allocation: HAZOP & Simplified Risk Matrixes (I)

HazOp: Hazard and Operability Studies

HAZOP worksheet columns: SYSTEM | DAMAGE | PROCESS PARAMETER | DEVIATION | CAUSE | OP. PHASE | EFFECTS (Local / System / Plant) | FREQ. | DETECTION, PREVENTION, MITIGATION METHODS | ACTIONS | NOTES

Damage indexes:
- S: Index of damage on Safety
- E: Index of damage on Environment
- P: Index of damage on Production
- A: Index of damage on Assets

SIL Allocation: HAZOP & Simplified Risk Matrixes (II)

Qualitative indexes for Frequencies (examples)

FREQUENCY   DESCRIPTION
1           Not expected over the system life cycle
2           May happen one time along the system life cycle
3           Expected a few times along the system life cycle
4           Expected several times along the system life cycle

Qualitative indexes for Damages (examples)

DAMAGE (Safety)   DESCRIPTION
1                 No important effects
2                 Temporary injuries to people (recovery within max 3 days)
3                 Temporary injuries to people (recovery in more than 3 days)
4                 Permanent disabilities or fatalities

DAMAGE (Production)   DESCRIPTION
1                     No important effects
2                     Damages to the system without any interruption of production, or slight reduction of production without interruptions
3                     Damages to the system along with interruption of production within a week
4                     Severe damages to the system along with long-term loss of production (more than a week)

SIL Allocation: HAZOP & Simplified Risk Matrixes (III)

Risk Matrix (qualitative acceptability criteria), R = F x D:

        D = 1   D = 2   D = 3   D = 4
F = 4     4       8      12      16
F = 3     3       6       9      12
F = 2     2       4       6       8
F = 1     1       2       3       4

The Risk Criteria depend on the type of considered damage (Safety, Environment, Asset, Production, etc.): each type has a specific Risk Matrix of reference.

R > 8        Events with very high criticality, on which to intervene with preventive and/or mitigative actions
4 <= R <= 8  Critical events that require deepening (accurate cost-benefit analysis)
2 <= R <= 3  Low criticality events, on which to intervene only if low-cost preventive and/or mitigative solutions are identified
R = 1        Non critical events

SIL Allocation: HAZOP & Simplified Risk Matrixes (IV)

Simplified SIL Allocation:

        D = 1            D = 2   D = 3   D = 4
F = 4   SIL 2            SIL 3   SIL 4   SIL 4
F = 3   SIL 1            SIL 2   SIL 3   SIL 4
F = 2   SIL 1            SIL 2   SIL 2   SIL 3
F = 1   No SIL required  SIL 1   SIL 1   SIL 2

SILs are allocated by means of a highly conservative approach to the different areas of the matrix (the criticality classes R > 8, 4 <= R <= 8, 2 <= R <= 3 and R = 1 defined above).

SIL Allocation: HAZOP & Simplified Risk Matrixes (V)

Simplified SIL Allocation (Example)

HAZOP worksheet row (columns as in the template above):
- PROCESS PARAMETER: Pressure
- DEVIATION: More
- OP. PHASE: Normal operation
- EFFECTS: Possible release of flammable substance, fire and/or explosion, 1 or more fatalities
- DETECTION, PREVENTION, MITIGATION METHODS: None
- ACTIONS: Provide a new SIF: detection of high pressure on vessel and shutdown of inlet/outlet lines
- NOTES: Perform SIL Study for the new SIF

SIL Allocation to a new SIF: SIL 4 for Safety

SIL Allocation: Calibrated Risk Graphs (I) (qualitative approach)

This approach does not refer to an explicit correlation with risk acceptability criteria: anyway, before applying the method, it is necessary to verify its consistency with the available reference criteria and to perform the so-called calibration.

SIL Allocation: Calibrated Risk Graphs (II) (qualitative approach)

SIL Allocation: Calibrated Risk Graphs (III) (qualitative approach)

SIL Allocation: Calibrated Risk Graphs (IV) (qualitative approach)

SIL Allocation by Risk Graphs (Example)

SIF REQUIRED: detection of high pressure on vessel and shutdown of inlet/outlet lines

Risk graph inputs:
- Overpressure in vessel, fire/explosion: 1 or more fatalities
- Frequent exposure of operators/maintainers
- Expected a few times in the plant lifecycle (F ≈ 10^-1 ev/y)

ALLOCATION: SIL 3

SIL Allocation: LOPA (I) (semi-quantitative approach)

LOPA (Layer Of Protection Analysis)
- It is a semi-quantitative approach, more accurate and detailed than the previous ones (it needs more time and resources, but gives less conservative and more realistic results).
- It is used downstream of the HAZOP and applied to all the scenarios for which the need of a SIF has been identified.
- It allows to highlight the existing safeguards, to distinguish their efficacy against each initiating cause, to evaluate the need of implementing new SIFs and to allocate the required SIL.
- It has a direct and explicit link with the Risk Acceptability Criteria.

SIL Allocation: LOPA (II)

Semi-quantitative Risk Acceptability Criteria (Example)

Damage classes (rows of the matrix):
- Extended (10 or more fatalities, large exposed groups)
- Serious (severe injuries, 1 or more fatalities, small exposed groups)
- Minor (light injuries)

Frequency classes (columns of the matrix, ev/y): 1,0 E-06 | 1,0 E-07 | 1,0 E-08 | 1,0 E-09 | 1,0 E-10

Each cell of the matrix is either NOT ACCEPTABLE or ACCEPTABLE; the distance between the frequency of a scenario and the acceptable frequency for its damage class gives the PFD required for an additional SIF.

SIL Allocation: LOPA (III)

(template suggested by IEC 61511)

Columns of the LOPA worksheet:
- Reference incidental scenario highlighted by the HAZOP
- Frequency (*) of the initiating cause
- INDEPENDENT PROTECTION LAYERS, each with its PFD:
  - Design preventive actions (over-dimensioning and ratings, intrinsic safety, ATEX, etc.): PFD 0,1
  - Basic Process Control System (protections): PFD 0,1
  - Procedural protections, safety escape ways, etc.
  - Passive protections and other IPLs
- Mitigated frequency (*)

(*) NOTE: the mitigated frequency of each single cause is within the limits set by the acceptability criteria, but the frequency of the overall scenario (sum of all causes) is NOT! A PFD of 10^-2 is not sufficient: the PFD requirement for the new SIF must be lower!
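The arithmetic behind the note above, as an added example (not the lecture's template): the IPL PFDs 0,1 and 0,1 follow the slide, while the three initiating causes, the target frequency and the 1E-02 candidate SIF are constructed assumptions.

```python
"""LOPA frequency bookkeeping for one HAZOP scenario (added example, not
the lecture's template). IPL PFDs follow the slide (design preventive
actions 0,1; BPCS 0,1); the initiating causes, the target frequency and
the 1E-02 candidate SIF are constructed numbers."""
from math import prod

IPL_PFD = {"design preventive actions": 0.1, "BPCS protections": 0.1}
CAUSES_PER_YEAR = {  # constructed initiating-event frequencies, ev/y
    "control loop failure": 1.0e-1,
    "blocked outlet": 8.0e-2,
    "operator error": 5.0e-2,
}
TARGET_PER_YEAR = 1.0e-5  # constructed acceptability limit for the damage class


def mitigated_frequency(f_init, pfds):
    """Consequence frequency after the credited layers: f * PFD1 * PFD2 * ..."""
    return f_init * prod(pfds)


def within_target(freq, target=TARGET_PER_YEAR):
    """Tolerant comparison: 0.1*0.1*0.1*0.01 is 1.0000000000000003e-05 in floats."""
    return freq <= target * (1.0 + 1e-9)


def per_cause_check(causes, pfds, sif_pfd):
    """The per-cause view of the template: each cause with all IPLs plus the SIF."""
    return {c: within_target(mitigated_frequency(f, list(pfds) + [sif_pfd]))
            for c, f in causes.items()}


def scenario_frequency(causes, pfds, sif_pfd=1.0):
    """Overall scenario frequency = sum over all causes (the note's point)."""
    return sum(mitigated_frequency(f, list(pfds) + [sif_pfd]) for f in causes.values())


def required_sif_pfd(causes, pfds, target=TARGET_PER_YEAR):
    """PFD the new SIF must provide so that the whole scenario meets the target."""
    return min(1.0, target / scenario_frequency(causes, pfds))


def sil_band_low_demand(pfd):
    """IEC 61508 low demand: SIL n <=> 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # PFDavg >= 0.1: no SIL credit


if __name__ == "__main__":
    pfds = list(IPL_PFD.values())
    print("per cause with a 1E-02 SIF:", per_cause_check(CAUSES_PER_YEAR, pfds, 1e-2))
    f_all = scenario_frequency(CAUSES_PER_YEAR, pfds, 1e-2)
    print("whole scenario:", f_all, "acceptable:", within_target(f_all))
    req = required_sif_pfd(CAUSES_PER_YEAR, pfds)
    print("required SIF PFD:", req, "-> SIL", sil_band_low_demand(req))
```

With these numbers every single cause passes with a 1E-02 SIF while their sum does not, and the required PFD (about 4,3 E-03) falls in the SIL 2 band.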

SIL Allocation: LOPA (IV)

IPL: Independent Protection Layers. An IPL must have:
- complete effectiveness against the consequences of the scenario;
- independence from all the causes of the initiating events and from all the other considered IPLs;
- complete testability in terms of functional efficacy and of reliability characteristics.

SIL Allocation: LOPA (V)

The SIL defines the safety integrity of the requested SIF (and consequently of the SIS that will be in charge of its implementation) and its capability to reduce the Risk Level.
Once the necessary value of PFD (Probability of Failure on Demand) has been defined, the required SIL is allocated by means of the following table:

SIL Allocation: LOPA (VI)

(Alternative template suggested by references in IEC 61508 & 61511)

Layer of Protection Analysis: Simplified Process Risk Assessment (2001), Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE)

APPLYING THE STANDARD IEC 61508


STEP 2 - Design safety systems to meet the required level of SIL

System architecture:
- Redundancy (fault tolerance), separation and diversification
- Defense in depth (IPL: Independent Protection Layers)

Quality and Reliability of components:
- Improve the reliability and the maintainability of the components
- Increase the availability by improving maintenance
- Improve the software production process

STEP 3 - SIL Verification

The SIL Allocation described in the previous section is performed with reference to a specific SIF (Safety Instrumented Function), defined in terms of a set of functional, time, architectural, probabilistic and maintenance requirements (SRS - Safety Requirement Specifications).
The SIF is implemented by means of a well defined SIS (Safety Instrumented System), whose design inherits all the requirements of the SIF, in terms of SIL and SRS.
The phase of SIL Verification aims to analyze the project of the SIS and to verify that all the requirements in terms of SIL and SRS have been effectively met.

SIL Verification

SIL VERIFICATION for the project of a SIS:
- HARDWARE requirements verification
  - Probabilistic requirements verification
  - Architectural and Functional requirements verification
- SOFTWARE requirements verification
  - New Software development
  - Existing Software verification

SIL verification is successful only if BOTH the Hardware AND the Software requirements are met!!

HARDWARE SIL Verification: probabilistic requirements

A safety system (or a related sub-system or component) is classified by the Standard IEC 61508 according to the following two modes of operation:
- low demand mode of operation, when the expected frequency of intervention is not higher than once a year, or anyway not higher than the frequency of the scheduled inspections/proof tests;
- high demand or continuous mode of operation, when its functioning, continuous or not, does not meet one of the two previous requirements.

HARDWARE SIL Verification: probabilistic requirements

Case of a SIF with SIL 2 allocation, implemented by means of a SIS in low demand mode of operation (Example)

The project of the new SIS will have to assure a PFD (Probability of Failure on Demand) within the interval corresponding to SIL 2 (or the interval of a higher SIL).

HARDWARE SIL Verification: functional and architectural requirements

HARDWARE FAULT TOLERANCE (HFT)

If a system is characterized by a Hardware Fault Tolerance N, it means that N+1 simultaneous faults are necessary to cause the loss of its Safety Function. It is then a parameter that takes into account the redundancy level of the system. The estimation of this parameter must not take into account other preventive or mitigation measures (e.g. diagnostic systems).

SAFE FAILURE FRACTION (SFF)

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

where:
- λSD is the expected failure rate for all safe failures that can be detected by means of diagnostic tests;
- λSU is the expected failure rate for all safe failures that cannot be detected by means of diagnostic tests;
- λDD is the expected failure rate for all dangerous failures that can be detected by means of diagnostic tests;
- λDU is the expected failure rate for all dangerous failures that cannot be detected by means of diagnostic tests;
- dangerous = failure that is able to cause the loss of the SIF or to reduce the probability of correct intervention of the SIF.

HARDWARE SIL Verification: functional and architectural requirements

Case of a SIF with SIL 2 allocation, implemented by a SIS made up of Type A portions (e.g. sensors/final elements) and Type B portions (e.g. PLC).

Each portion of the SIS must comply with one of the possible SFF & HFT combinations that is consistent with a SIL 2 allocation.
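An added example (not from the lecture) that computes the SFF with the formula above and applies the SFF/HFT architectural constraint to each portion of a SIS; the two lookup tables are the Type A and Type B SFF-versus-HFT tables of IEC 61508-2 (Tables 2 and 3) as recalled here, and the failure rates in demo() are constructed.

```python
"""Safe Failure Fraction and the architectural constraint on the SIL.
Added example, not from the lecture. TYPE_A / TYPE_B reproduce the
SFF-versus-HFT tables of IEC 61508-2 (Tables 2 and 3) as recalled by the
author of this example; the failure rates in demo() are constructed."""


def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = (lSD + lSU + lDD) / (lSD + lSU + lDD + lDU); rates in 1/h."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0 or min(l_sd, l_su, l_dd, l_du) < 0:
        raise ValueError("failure rates must be non-negative and not all zero")
    return (l_sd + l_su + l_dd) / total


def sff_row(sff):
    """Row of the SFF/HFT tables: < 60 %, 60-90 %, 90-99 %, >= 99 %."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


# Highest SIL claimable for a subsystem, indexed [sff_row][HFT]; 0 = not allowed.
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
TYPE_B = [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]


def max_sil_architectural(subsystem_type, sff, hft):
    """SIL cap from SFF and HFT alone; an HFT above 2 gives no further credit."""
    table = {"A": TYPE_A, "B": TYPE_B}[subsystem_type]
    return table[sff_row(sff)][min(hft, 2)]


def sis_architectural_sil(portions):
    """A SIS is capped by its weakest portion (sensors, logic solver, final elements)."""
    return min(max_sil_architectural(t, s, h) for t, s, h in portions)


def demo():
    # Constructed transmitter rates: lSD, lSU, lDD, lDU in 1/h -> SFF about 0.921
    sff_tx = safe_failure_fraction(2.0e-6, 1.0e-6, 5.0e-7, 3.0e-7)
    # SIL 2 SIF: Type A transmitter (HFT 0), Type B PLC with SFF 95 % (HFT 0),
    # Type A valve with SFF 80 % (HFT 0). The same PLC would need HFT 1
    # (e.g. a 1oo2 pair) before it could be used in a SIL 3 SIS.
    return {
        "sff_transmitter": sff_tx,
        "sis_sil2_ok": sis_architectural_sil([("A", sff_tx, 0), ("B", 0.95, 0), ("A", 0.80, 0)]),
        "plc_alone_hft0": max_sil_architectural("B", 0.95, 0),
        "plc_1oo2_hft1": max_sil_architectural("B", 0.95, 1),
    }


if __name__ == "__main__":
    print(demo())
```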

SOFTWARE SIL Verification: development of a new software

Organization of the design process of the new software according to IEC 61508-3, with a detailed definition of the following activities:
- Specification
- Implementation
- Testing
- Debugging
- Documentation

SOFTWARE SIL Verification: verification of existing software

Verification of the compliance of an existing software implemented in the SIS under study:
- the software implemented in the new SIS must be identical (same version) to the one for which field experience has been gained;
- there exists a well structured method to collect data from the field;
- the statistical base of reference is wide enough to guarantee a confidence level adequate to the requested SIL.

EXAMPLE of SIL Verification

SIF = Detection of high pressure transients and immediate isolation within 2 seconds (typical case in the Oil & Gas domain) in low demand mode of operation.

A previous phase of analysis has allocated a SIL 3 requirement.

To implement the Safety Function, a SIS has been designed, constituted by an HIPPS (High Integrity Pressure Protection System) made up of:
- a logic solver including Electronic Hardware and Software;
- 3 pressure transmitters in 2oo3 logic;
- 2 shutoff valves (ESD Assembly: valve + actuator + electro-pneumatic control panel) in 1oo2 logic.

EXAMPLE of SIL Verification (FMECA to support hardware functional/architectural issues)

[Figure: FMECA worksheet of the HIPPS]

EXAMPLE of SIL Verification (Fault Tree to support hardware probabilistic issues)

[Figure: Fault tree of the HIPPS]

EXAMPLE of SIL Verification (Results of the analysis)

ARCHITECTURAL/FUNCTIONAL RESULTS: HFT = 0, SFF > 99% → SIL 3

PROBABILISTIC RESULTS (estimate for the CCF = 2%)

Verification successful: the project of the SIS is compliant to SIL 3 AS LONG AS:
- the configuration with redundant sensors and valves is confirmed;
- the logic solver is validated for an implementation in a SIL 3 system (for both hardware and software!);
- a program of complete inspection and functional proof test with an interval not less than 1 operational year (8760 hours) is foreseen.

Apply the Standard IEC 61508



STEP 4 - Commissioning and Maintenance

- Factory Acceptance Test (FAT)
- Installation and Commissioning Service of SIS
- Site Acceptance Test (SAT)
- Operation and Maintenance
- Change
- Decommissioning

Exercise

Estimate the SIL level of the isolation system in the figure.

Could a correct planning of periodic tests increase the SIL level?

[Figure: isolation system with components L, P1, P2, V1, V2 and tag T+]

Exercise

SIF: isolate the flow in case of low downstream pressure.
Assumption: if the signals or the power supplies are lost, the components go to the safe state.

FMEA

COMP.  FAILURE MODE     FAILURE RATE (1/h)  MTTR (h)  TEST INTERVAL (h)  DETECTABILITY     EFFECT ON SAFETY FUNCTION  SFF CATEGORY  VALUE
P      failure to act   2.00E-06            -         10000              self-diagnosis    yes                        DD            2.00E-06
P      spurious trip    1.00E-05            -         -                  self-diagnosis    no                         SD            1.00E-05
L      wrong signal     3.00E-07            -         10000              self-diagnosis    yes                        DD            6.00E-07
L      no signal        2.00E-05            -         10000              self-diagnosis    no                         SD            4.00E-05
V      does not open    5.00E-06            10        10000              process shutdown  no                         SD            5.00E-05
V      does not close   5.00E-06            10        10000              test              yes                        DU            0.02509999
V      internal leak    1.00E-06            10        10000              test              yes                        DU            0.00509999
V      external leak    1.00E-05            10        10000              fire&gas          no                         SD            1.00E-04

SFF = 0.86
HFT = 0
TYPE = A
SIL MAX = 2

Minimal Cut Sets (MCS) and their contribution to Q(TOP):

MCS          Q          Contribution
V1nc*V2nc    6.30E-04   69.0%
V1pi*V2pi    2.60E-05   2.8%
V1nc*V2pi    1.28E-04   14.0%
V1pi*V2nc    1.28E-04   14.0%
P1mi*P2mi    4.00E-12   0.0%
Lse          6.00E-07   0.1%
Q(TOP)       9.13E-04   100.0%

Exercise

SIF: isolate the flow in case of low downstream pressure.
Assumption: if the signals or the power supplies are lost, the components go to the safe state.

TOP = V1nc*V2nc + V1pi*V2pi + V1pi*V2nc + V1nc*V2pi + P1*P2 + L

Q(TOP) = 9.13 x 10^-4
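The exercise's fault tree evaluated from its minimal cut sets, as an added example rather than the lecture's solution sheet: the basic-event values are those of the FMEA and MCS tables above, the λT/2 + λMTTR model for undetected failures and the IEC 61508 low-demand PFD bands are this example's assumptions, and SIL_MAX_ARCH = 2 is the exercise's own architectural result.

```python
"""Fault tree of the isolation-system exercise, evaluated from its minimal
cut sets. Added example, not the lecture's solution sheet. Assumptions:
basic-event unavailabilities are the FMEA VALUE column; q_undetected() is
the lambda*T/2 + lambda*MTTR model taken to lie behind the valve values;
SIL bands are the IEC 61508 low-demand PFDavg bands."""
from itertools import product
from math import prod

# TOP = V1nc*V2nc + V1pi*V2pi + V1pi*V2nc + V1nc*V2pi + P1*P2 + L
MCS = [("V1nc", "V2nc"), ("V1pi", "V2pi"), ("V1pi", "V2nc"),
       ("V1nc", "V2pi"), ("P1mi", "P2mi"), ("Lse",)]
SIL_MAX_ARCH = 2  # exercise result: Type A, HFT = 0, SFF = 0.86

# Basic-event unavailabilities as listed in the exercise FMEA / MCS table
EXERCISE_Q = {"V1nc": 0.0251, "V2nc": 0.0251, "V1pi": 0.0051, "V2pi": 0.0051,
              "P1mi": 2.0e-6, "P2mi": 2.0e-6, "Lse": 6.0e-7}


def q_undetected(lam, test_interval_h, mttr_h):
    """Dangerous undetected failure revealed only at the proof test:
    Q = lam*T/2 (mean time to the next test) + lam*MTTR. With T = 10000 h
    this gives 0.02505 and 0.00501, rounded to 0.0251 and 0.0051 above."""
    return lam * test_interval_h / 2.0 + lam * mttr_h


def event_q_for_test_interval(test_interval_h):
    """Rebuild the valve DU events ('does not close' 5.0E-06/h, 'internal
    leak' 1.0E-06/h, MTTR 10 h) for another proof-test interval."""
    q = dict(EXERCISE_Q)
    for valve in ("V1", "V2"):
        q[valve + "nc"] = q_undetected(5.0e-6, test_interval_h, 10)
        q[valve + "pi"] = q_undetected(1.0e-6, test_interval_h, 10)
    return q


def top_rare_event(q, mcs=MCS):
    """Q(TOP) as the sum of the cut-set products (rare-event approximation)."""
    return sum(prod(q[e] for e in cs) for cs in mcs)


def top_exact(q, mcs=MCS):
    """Exact Q(TOP) by enumerating all 2^n basic-event states (n = 7 here):
    shows how much the rare-event sum over-estimates."""
    events = list(q)
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        failed = {e for e, f in zip(events, state) if f}
        if any(set(cs) <= failed for cs in mcs):
            total += prod(q[e] if f else 1.0 - q[e] for e, f in zip(events, state))
    return total


def cut_set_importance(q, mcs=MCS):
    """Share of Q(TOP) carried by each cut set (the 69.0 % / 14.0 % column)."""
    top = top_rare_event(q, mcs)
    return {cs: prod(q[e] for e in cs) / top for cs in mcs}


def sil_band_low_demand(pfd):
    """IEC 61508 low demand: SIL n <=> 10^-(n+1) <= PFDavg < 10^-n."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # PFDavg >= 0.1: no SIL credit


def system_sil(q, sil_max_arch=SIL_MAX_ARCH):
    """Both verifications must pass: the SIL is the lower of the
    probabilistic band and the architectural cap."""
    return min(sil_band_low_demand(top_rare_event(q)), sil_max_arch)
```

Calling event_q_for_test_interval() with a shorter interval lowers Q(TOP) of the valve cut sets, but system_sil() stays capped by the architectural result until the HFT or SFF changes.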
