[SystemSafety] EUROCAE document 039/ ED-80

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Tue Oct 14 13:29:05 CEST 2014


Olle,

On 2014-10-14 11:47 , Bridal Olof wrote:
> .... I don't fully agree with the statement that "a SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate".
> 
> Part 5 of IEC 61508, and particularly its appendixes C-G, clearly show that the potential "consequence" (i.e. degree of injury) of a hazard is an important factor in the determination of the *required* SIL for the safety function.

I think it wise to distinguish between what is normative, and what is informative only. The
definition of SIL in Part 1 (Clause 7.6) is normative. That normative process makes no reference to
severity per se, with one exception:

Clause 7.6.2.11 says that if something gets SIL 4 designation then (part a)) you must consider
whether this designation can be avoided, by considering additional risk-reduction measures,
including specifically considering whether severity can be reduced or likelihood can be reduced.

The examples, and examples of methods, in Part 5 are informative. That means, taken literally, that
it is entirely up to you whether you follow or not, that is, add in particular consideration of
severity or not. Obviously, considering severity is a particular part of considering risk, but it is
the overall risk that the normative part addresses, not severity per se.

This may seem legalistic to some, but my general view of matters is that clarity of concept is
important. Otherwise people (lots of them, in my experience) are going to think, for example, that
SILs and DALs are essentially the same kind of thing. The concept of assigning something a
reliability condition based on (overall) risk, and assigning something a criticality (which is what
I call a measure based on severity) are two different things, because risk and severity are not the
same thing (although one is a component of the other).

As Bertrand says, in practice the two get mushed together. The same might be said of the entire
documentation of which IEC 61508 consists, and I can't think the standard is better for it.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
