IEC 61508 – Understanding Functional Safety Assessment

Simon Dean
Sauf Consulting Ltd
July 1999

Introduction

Despite the fact that IEC 61508 (Ref. 1) was only issued (in part) on 1st January 1999, many
industries have already implemented the standard and some companies have developed internal
procedures to ensure consistent application. This enthusiasm stems from the perceived benefits of
the new standard to provide a formalised justification of the level of integrity needed for different
instrument functions and a move towards the long term benefits that can be achieved through the
application of IEC 61508 throughout the supply chain.

However, from experience within the oil & gas and process industries, there has not been
widespread success of adopting IEC 61508 amongst all projects. The reasons for this stem from
the perception of what the standard is, how it can be implemented consistently and what the
results of a functional safety assessment (FSA) mean. This article explains the hazard and risk
assessment processes that need to be followed within a FSA and highlights some of the pitfalls
that can be encountered in applying IEC 61508.

The Risk Assessment Framework

Before attempting to carry out a FSA, it is essential that the general principles of risk assessment
are clearly understood. To make effective decisions, those involved in the assessment need to
know what potential threat the failure of the equipment under control poses and how great is the
likelihood that people will be harmed. Gathering and analysing this information is referred to as risk
assessment.

IEC 61508 is a risk based standard and in order to apply it, some criteria which define the
tolerability of risks must be established for the project. As a minimum, this must state what is
deemed tolerable with respect to both the frequency (or probability) of the hazardous event and its
specific consequences. For many projects worldwide, the objective of meeting some pre-defined
risk acceptance criteria is fundamental through the design decision process. Under UK legislation,
this is carried out by demonstration of ALARP under the framework of the Safety Case Regulations
(Ref. 2) or the COMAH Regulations (Ref. 3) for offshore and onshore projects respectively. In other
parts of the world, similar goal setting regimes are in place or being developed.

Through the FSA process, the objective is to ensure that the safety-related systems are designed
to reduce the likelihood and/or consequences of the hazardous event to meet the tolerable risk
criteria. To achieve this objective, the process that is followed within the FSA can be summarised
by three key stages, as follows.

1. Establish the tolerable risk criteria.

2. Assess the risks associated with the equipment under control.
3. Determine necessary risk reduction needed to meet the risk acceptance criteria.

These three key stages in the FSA process are described in more detail in the succeeding
sections.

©Sauf Consulting Ltd, 1999 Page 1 of 8 www.sauf.co.uk

Tolerable Risk Criteria

A number of different methods can be used to express the tolerability of risks, which varies
between operators and the cultural and regulatory environment of the project's location. In general,
these criteria can be qualitative or quantitative although there is often some overlap in the way the
criteria are expressed.

Qualitative criteria use words such as probable, frequent, unlikely, remote, etc. to describe the
likelihood and words such as minor, major, catastrophic, etc. to describe the consequences.
However, in order to ensure that these criteria are applied consistently, it is often necessary to
introduce quantitative numbers to provide a clear definition of how the words should be interpreted.
For example, unlikely may be defined as ‘once every 10 to 100 years’, or ‘may happen once in
over the life of 10 similar facilities’.

Quantitative criteria on the other hand use numbers to describe the likelihood and severity of the
event. This can include criteria such as ‘an event having a frequency of less than 10-3 per year’, or
‘between 2 and 5 fatalities or serious injuries’, etc. However, there is a certain amount of
uncertainty associated with the numerical prediction of the likelihood and consequences of an
event and some qualitative interpretation will invariably be necessary to decide if the event is in the
tolerable region or not.

Whether qualitative or quantitative tolerable risk criteria are used, it is important to appreciate that
there is always some blurring between them. The (qualitative) words invariably need some
numbers to make sure they are interpreted consistently and the (quantitative) numbers need some
words to make sure they are applied consistently. As far as IEC 61508 is concerned, it is
immaterial if qualitative or quantitative criteria are used since the standard can be applied equally
using either approach. An example of expressing the tolerability of risks using a risk band diagram
is shown in Figure 1.
Catastrophic

Zone 1
Unacceptable
Risk Region
Consequence

Zone 2
Major

Transitional
Risk Region
Significant

Zone 3
Tolerable
Risk Region

Remote Unlikely Possible Probable

10-4 10-3 10-2 10-1 1
Frequency (per year)

Figure 1 — Example Risk Bands for Tolerability of Hazards

©Sauf Consulting Ltd, 1999 Page 2 of 8 www.sauf.co.uk

Assessing the Risk

The term ‘risk assessment’ conjures up different meanings for many people when in fact the
principles are quite simple. Risk assessment can be defined as determining the potential harm a
situation poses and how great is the likelihood that people, the asset or the environment will be
harmed.

When applying IEC 61508, the risk assessment can be summarised as asking the question, 'how
likely is the equipment under control to fail and if it does fail, what is the outcome?' To answer this
question information must be available on the likelihood and consequences of the hazardous
events that the equipment under control mitigates against. In order to determine this information for
typical process plant applications, the boundary of the system in terms of cause and effect must be
defined, as will become evident in the following discussion.

The likelihood or frequency of an event relating to the equipment under control can either be by
intrinsic or extrinsic causes. Intrinsic causes are events such as component failures, software
failures, or human error within the equipment under control. Extrinsic causes generally apply to
protective systems that only need to function when some other failure within the process plant
occurs. For example, protection against over pressurisation that can only occur as a result of other
failures somewhere within the process plant. Therefore, the boundary as far as the likelihood of an
event is concerned must consider both the intrinsic failure rate and the extrinsic demand rate of the
equipment under control.

The consequences or severity of an event relating to equipment under control can range from the
direct effects of the incident to all subsequent events along the escalation path. Although it is
relatively easy to assess the immediate effects of an incident, the knock on effects further down the
escalation path are more difficult to determine unless techniques such as event tree analysis are
used. This introduces a dilemma, since the true consequences of an event can only be determined
if the escalation path is assessed through to it's end conclusions, although the escalation path itself
may contain other separate functions which are themselves subject to the FSA process. In order to
aid clarity, it is best to illustrate this statement by use of an example.

Consider an instrument based protection system used to prevent over pressurisation. The
immediate consequences should the equipment under control fail could be a rupture of the
pipework and a significant release. Apart from any immediate fatalities in the vicinity of the release,
the effects of this event with respect to personnel fatalities will depend on the success (or failure) of
a number of further systems in the escalation path. The release may or may not be detected; the
isolation and blowdown system may or may not work; the release may or may not ignite; the fire
may or may not cause further loss of containment and escalation; the firewater system may or may
not work; personnel may or may not be able to escape.

As can be seen by this example, the boundary applied for the consequences of an incident play an
important role in the complexity of the analysis and the determination of the safety integrity level.
Also, in order to accurately determine the precise likelihood that people will be harmed, the
boundary of the analysis has to extend to the end of the event tree. However, if the boundary is
extended cover every potential path within the event tree, the analysis will include systems not
directly affected by the equipment under control and which themselves may be subject to FSA.

Another important issue to appreciate using this example is that in the FSA process, overall safety
performance could be improved by achieving a high availability for any element in the escalation
path, such as gas detection; isolation and blowdown; protection against ignition; prevention of
escalation to adjacent plant; the firewater system; etc. However, such an approach would miss the

©Sauf Consulting Ltd, 1999 Page 3 of 8 www.sauf.co.uk

point that FSA is for the equipment under control that is providing the protective function, which in
this case is to prevent over pressurisation.

Determining the Necessary Risk Reduction

Having established the tolerable risk criteria, defined the system and gathered the information
needed to assess the risks, the next step is to determine if any further risk reduction is necessary.
IEC 61508 Part 5 provides a number of techniques to determine the necessary risk reduction, in
particular, Annexes D and E, the risk graph and the hazardous event severity matrix methods
respectively.

Before discussing these two techniques, the concept of 'necessary risk reduction' must be clearly
understood. The principle of IEC 61508 is that the equipment under control that is being assessed
may be perfectly adequate, in which case, no further risk reduction is necessary. On the other
hand, the FSA may determine that further risk reduction is necessary, in which case the design of
the protective function must meet a given availability rating in order to achieve the necessary risk
reduction. Note that IEC 61508 does not specifically set out to determine the appropriate SIL rating
for a given protective function although such an approach may be beneficial in design development
of control systems for complex process plant.

The basic principles of the risk graph and the hazardous event severity matrix methods are to
assess the risk of the equipment under control. Referring back to Figure 1, if the risk associated
with the equipment under control is not within the tolerable (or negligible) regions, further risk
reduction is necessary to bring the risks down to a level that is in the tolerable region. The SIL
rating gives a measure of the magnitude of risk reduction necessary to achieve a tolerable level.

Therefore, it is important to recognise that the example methods given in IEC 61508 Part 5
Annexes D and E cannot be used directly without further calibration against the criteria for
tolerability of risk for the particular project under consideration. Note also that for complex systems,
these techniques are a poor substitute for numerical reliability and availability analysis which can
achieve a far more rigorous assessment.

The Risk Graph Method

The Risk Graph method shown in Annex D of IEC 61508 Part 5 is a qualitative method that
enables the SIL rating of a safety-related system to be determined from a knowledge of the risk
factors associated with the equipment under control. The principles of the risk graph method have
been adopted in the UKOOA document, Instrument-Based Protective Systems (Ref. 4). The risk
graph shown in Figure 2 has been extended with additional W0 and W4 parameters as compared
to Annex D to illustrate the point that the graph may need to be modified to match some arbitrary
tolerability criteria.

This method can be considered as a decision tree approach in which the review team considers
four issues in turn to arrive at the required SIL rating, as follows.

♦ Consequence parameter (E1, E2, E3 and E4).

♦ Frequency and exposure time parameter (F1 and F2).
♦ Possibility of failing to avoid hazard parameter (P1 and P2).
♦ Probability of the unwanted occurrence parameter (W0, W1, W2, W3 and W4).

©Sauf Consulting Ltd, 1999 Page 4 of 8 www.sauf.co.uk

 W0 W1 W2 W3 W4

P1 a a a a SIL 1
F1

E1 P2
a a a SIL 1 SIL 2
F2 P1

F1 P2
E2 a a SIL 1 SIL 2 SIL 3
F2 P1

F1 P2
E3 a SIL 1 SIL 2 SIL 3 SIL 4
F2 P1

F1 P2
E4 SIL 1 SIL 2 SIL 3 SIL 4 b
P1
F2
P2 SIL 2 SIL 3 SIL 4 b b

Figure 2 — Example of Extended Risk Graph

In order to ensure that this approach is applied consistently, it is essential that these four terms are
clearly and unambiguously defined and understood. To do this, the four parameters must be
calibrated against the tolerable risk criteria in use. It is also important to test the calibration by
considering some example cases to ensure that the resulting SIL rating will achieve the necessary
risk reduction to achieve a level within the tolerable region of the criteria in use.

A common pitfall of the risk graph method which has been observed on a number of projects is
inconsistency (or lack of repeatability) of results. Different SIL ratings have been determined when
different teams have been used to carry out repeat SIL assessment for the same system and even
when the same teams are used, different results have been observed for the same system when
the assessment is repeated a short time later. This is invariably due to poor calibration or
uncertainties in the information used by the review team to make their qualitative judgements on
four parameters. For example, referring to Figure 2, the review team may debate the issues and
decide that decision tree should follow the E3 - F1 - P1 - W2 path, resulting in a SIL 1 rating.
Conversely, debate of the issues may result in E3 – F2 – P2 - W2 path being selected, resulting in
a SIL 3 rating.

The Hazardous Event Severity Matrix Method

The Hazardous Event Severity Matrix method shown in Annex E of IEC 61508 Part 5 is also a
qualitative method which is primarily applicable to protective functions using multiple independent
protective systems (ie, primary, secondary, tertiary, etc.). This method can be considered as a
decision matrix approach in which the review team considers three issues to arrive at the required
SIL rating, as follows.

♦ Consequence risk parameter.

♦ Frequency risk parameter.
♦ Number of independent protective functions parameter.

These three terms tend to be more readily understood than the four parameters used the risk
graph method since the consequence and frequency parameters are exactly that same as those

©Sauf Consulting Ltd, 1999 Page 5 of 8 www.sauf.co.uk

used in most tolerable risk criteria. As is the case with the risk graph method (Annex D), the
consequence and frequency bands must be calibrated against the tolerable risk criteria in use.

Again, this may involve introducing additional consequence and/or frequency bands, as shown in
the example given in Figure 3 which has been adapted to match the criteria shown in Figure 1.
This calibration should also consider some example cases to ensure that the resulting SIL rating
will bring the risk down to within the tolerable region of the criteria in use.

3
[C] [C] [C] [C] [C] [C] [C] [C] [C] [C] SIL 1 SIL 1
(including the E/E/PE SRS being classified)
external risk reduction facilities [E]
Number of independent SRSs and

2 SIL 3
[C] [C] [C] SIL 1 [C] [C] SIL 1 SIL 2 [C] SIL 1 SIL 2
[B]
1 SIL 3 SIL 3 SIL 3 SIL 3
[C] SIL 1 SIL 1 SIL 2 SIL 1 SIL 1 SIL 2 SIL 2
[B] [B] [B] [A]

10-4 10-3 10-2 10-1 10-4 10-3 10-2 10-1 10-4 10-3 10-2 10-1
to to to to to to to to to to to to
10-3 10-2 10-1 1 10-3 10-2 10-1 1 10-3 10-2 10-1 1

Event Likelihood [D] Event Likelihood [D] Event Likelihood [D]

(events per year) (events per year) (events per year)

Significant Major Catastrophic

Hazardous Event Severity

[A] One SIL 3 E/E/PE safety-related system does not provide sufficient risk reduction at this risk level. Additional risk
reduction measures are required.
[B] One SIL 3 E/E/PE safety-related system may not provide sufficient risk reduction at this risk level. Hazard and risk
analysis is required to determine whether additional risk reduction measures are necessary.
[C] An independent E/E/PE safety-related system is probably not required.
[D] Event likelihood is the likelihood that the hazardous event occurs without any safety related systems or external risk
reduction facilities.
[E] SRS = safety-related system. Event likelihood and the total number of independent protection layers are defined in
relation to the specific application.

Figure 3 — Example of Extended Hazardous Event Severity Matrix

In applying the hazardous event severity method, it is important to recognise the level of
independence between the SRSs and external risk reduction facilities since the technique is only
valid where there are no common mode failures. For example, if the primary and secondary
protective systems are both rated at SIL 1, then the overall protective function will have a SIL 2
rating only if there are no common mode failures. If there are any common mode failures at all,
then overall protective function will have a SIL 1 rating. To illustrate this point, the SIL ratings for
combined subsystems have been calculated for various SIL combinations and common mode
failure rates, as shown in Figure 4, below.

©Sauf Consulting Ltd, 1999 Page 6 of 8 www.sauf.co.uk

 0.5% Common Primary Subsystem SIL Rating 1% Common Primary Subsystem SIL Rating
Mode Failures SIL 1 SIL 2 SIL 3 Mode Failures SIL 1 SIL 2 SIL 3

Subsystem SIL 1 SIL 1 SIL 2 SIL 3 SIL 1 SIL 1 SIL 2 SIL 3

Subsystem
Secondary

Secondary
SIL Rating

SIL Rating
SIL 2 SIL 2 SIL 3 SIL 4 SIL 2 SIL 2 SIL 3 SIL 4

SIL 3 SIL 3 SIL 4 > SIL 4 SIL 3 SIL 3 SIL 4 SIL 4

5% Common Primary Subsystem SIL Rating 10% Common Primary Subsystem SIL Rating
Mode Failures SIL 1 SIL 2 SIL 3 Mode Failures SIL 1 SIL 2 SIL 3

SIL 1 SIL 1 SIL 2 SIL 3 SIL 1 SIL 1 SIL 2 SIL 3

Subsystem

Subsystem
Secondary

Secondary
SIL Rating

SIL Rating
SIL 2 SIL 2 SIL 3 SIL 4 SIL 2 SIL 2 SIL 2 SIL 3

SIL 3 SIL 3 SIL 4 SIL 4 SIL 3 SIL 3 SIL 3 SIL 3

Figure 4 — SIL Ratings for Combined Subsystems

Conclusions

This article has given a brief illustration of the principles behind the Functional Safety Assessment
process to determine the necessary risk reduction. From the discussion, the key point to remember
is that IEC 61508 does not provide an explicit method for carrying out a FSA, it only provides a
framework.

Although this is consistent with the aims and objectives of IEC 61508, being a standard written to
be applicable to a wide range of industries, initial attempts to apply the standard have in general
failed to appreciate this fact. However, with the development of other sector specific supporting
standards such as ISO 10418 (Ref. 5) and IEC 61511 (Ref. 6), the application of the FSA process
will undoubtedly become an integral part of the design development for process facilities
worldwide.

As a final summary, it is worth reiterating some points raised in this article which should be borne
in mind in the FSA for typical process systems.

♦ The FSA does not identify hazards, this is best carried out using formal hazard identification
techniques such as PHA, HAZID and HAZOP.
♦ The boundary of the equipment under control being considered in the FSA should be clearly
defined as the detection, initiation and operation of the safety related system. The boundary
should not include consequences further along the escalation path.
♦ In order to carry out the FSA, it is essential that accurate information is available on the
likelihood and consequences of the hazardous events that the protective functions mitigate
against.
♦ A rigorous calibration exercise must be carried out to ensure that the parameters are clearly
and unambiguously defined and tested to ensure that the resulting SIL rating will achieve the
necessary risk reduction in accordance with the tolerable risk criteria in use.
♦ When assessing safety related systems with primary and secondary protective functions, the
possibility of common mode failures must be carefully assessed in order to arrive at valid SIL
ratings.

©Sauf Consulting Ltd, 1999 Page 7 of 8 www.sauf.co.uk

♦ For complex systems, a rigorous reliability and availability analysis should be used to help
determine the SIL ratings.

Abbreviations

ALARP As Low As Reasonably Practicable

E/E/PE Electrical/Electronic/Programmable Electronic
FSA Functional Safety Assessment
HAZID Hazard Identification (Study)
HAZOP Hazard and Operability (Study)
PHA Process Hazard Analysis
SIL Safety Integrity Level
SRS Safety Related System
UKOOA United Kingdom Offshore Operators Association

References

1. IEC 61508 Functional safety: safety-related systems.

2. The Offshore Installations (Safety Case) Regulations (SCR), SI 1992 No 2885, HMSO.
3. The Control of Major Accident Hazards Regulations (COMAH), SI 1999 No 743, HMSO.
4. United Kingdom Offshore Operators Association (UKOOA). Instrument-Based Protective
Systems, Document Number CP012, 1995.
5. ISO/WD 10418 Revision 3. Petroleum and natural gas industries - Offshore production
installations - Analysis, design, installation and testing of basic surface process safety systems
for offshore installations - Requirements and guidelines.
6. IEC 61511 Functional safety instrumented systems for the process industry sector.

Simon Dean works as a safety consultant primarily in the oil & gas and process industries specialising in risk
assessment, formal safety assessment and availability analysis and can be contacted at [email protected].

©Sauf Consulting Ltd, 1999 Page 8 of 8 www.sauf.co.uk